
5 Comparisons to other multicast authentication techniques

5.3 Master-slave

5.3.5 Master-slave in time-triggered authentication

When this master-slave approach is used in a system application where messages are broadcast at regular intervals, successive executions of the three phases can be overlapped. A slave node that broadcasts a message value during a message round (and that also received the messages of the previous round) can include the MAC tag for the previous round in the same transmission. This halves the number of transmissions a slave node needs for verifying a round of message values (Figure 5.2). A slave node therefore transmits only two truncated MAC tags in its data payload. The first MAC tag authenticates its current value to the master node. The second MAC tag is computed over the values observed on the network in the previous round.

Comparisons to other multicast authentication techniques 101

Figure 5.2. Master-slave used in time-triggered authentication. Each packet contains two MAC tags. The first authenticates the current broadcast value to the master node. The second tag is used to verify the master's hash from the previous message round.

Slave nodes truncate the MAC tags to a few bits based on the required per-packet assurance. The master truncates each MAC tag and the resulting hash it computes based on the same required per-packet assurance. The approach is only as secure as the MAC or hash with the fewest bits, so all MACs and the hash for each execution of the three phases should have the same number of bits. If the MAC tag produced by the sender in phase one is shorter than the master's hash, an attacker could guess that MAC tag more easily than the master's hash and so inject a forged message value from that sender. Conversely, if the master's hash in phase two has fewer bits than the sender's MAC tag in phase one, an attacker could inject a forged value from a sender and then attempt to spoof the master's hash instead.

When creating a message schedule (or defining broadcast periods for message types), the master node should be scheduled to broadcast its attestation message quickly enough to allow verification of individual samples of each message type. Thus, the master node's broadcast period should be less than or equal to that of the message type with the shortest period on the network. Further, the master node should be scheduled to authenticate messages to slave node receivers that are able to promptly broadcast their tag, so that other receivers can confirm the master's hash. Receivers cannot verify the hash until all receivers of the master's hash have released their tags.
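The overlapped rounds described above, as an added Python example (this is not the thesis' code). One master shares a pairwise key with each slave; in round r a slave sends its value, a tag authenticating that value to the master, and a tag over the previous round's attestation (the values it observed plus the master's validity bits). The master checks each first tag and broadcasts a single hash over the per-slave tags it expects for the current attestation; once every slave has released its second tag in the following round, any node recomputes that hash. Every tag and the hash are truncated to the same width, as the text requires. The node names, keys, the "p1"/"p3" domain-separation labels, the 8-bit truncation and the tamper/forge scenarios are assumptions made here for illustration.

```python
"""Master-slave authentication with overlapped rounds (constructed example, not
the thesis' code). One master shares a pairwise key with each of n slaves.
In round r every slave sends its value plus two b-bit tags:
  tag1 = MAC(k_i, round r, value)           authenticates the value to the master
  tag2 = MAC(k_i, round r-1 attestation)    its share for checking the master's hash
The master checks each tag1 and broadcasts one b-bit hash over the per-slave MACs
it computes for round r's attestation (observed values + validity bits). Once all
slaves have released tag2 in round r+1, any node recomputes the hash and checks it.
"""
import hashlib
import hmac

B = 8  # assumed per-packet assurance: every tag and the hash are truncated to B bits


def trunc(digest: bytes, bits: int) -> int:
    """Keep the leading `bits` bits of a digest (1 <= bits <= 64)."""
    return int.from_bytes(digest[:8], "big") >> (64 - bits)


def mac(key: bytes, parts, bits: int) -> int:
    """Truncated HMAC-SHA256 over a canonical encoding of `parts`."""
    msg = b"|".join(repr(p).encode() for p in parts)
    return trunc(hmac.new(key, msg, hashlib.sha256).digest(), bits)


def attestation_hash(tags, bits: int) -> int:
    """The master's single hash over the per-slave tags, in schedule order."""
    return trunc(hashlib.sha256(repr(list(tags)).encode()).digest(), bits)


class Slave:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.observed = None     # values this node saw on the bus last round
        self.attestation = None  # master's validity bits for those values

    def transmit(self, rnd: int, value: int):
        tag1 = mac(self.key, ["p1", rnd, self.name, value], B)
        tag2 = None
        if self.attestation is not None:
            tag2 = mac(self.key, ["p3", rnd - 1, self.observed, self.attestation], B)
        return (self.name, value, tag1, tag2)


class Master:
    def __init__(self, keys: dict):
        self.keys = keys  # slave name -> pairwise key, in schedule order

    def attest(self, rnd: int, packets):
        """Phase two: verify each tag1, then commit to the attestation with one hash."""
        observed = [(n, v) for n, v, _, _ in packets]
        valid = [mac(self.keys[n], ["p1", rnd, n, v], B) == t1 for n, v, t1, _ in packets]
        tags = [mac(k, ["p3", rnd, observed, valid], B) for k in self.keys.values()]
        return {"round": rnd, "valid": valid, "hash": attestation_hash(tags, B)}


def run(rounds: int, tamper_round: int = None, forge_round: int = None):
    """Simulate `rounds` message rounds.

    Returns (verdicts, flagged): the phase-three hash check for each completed
    round, and whether the master flagged an invalid tag1 in each round.
    tamper_round: an on-bus attacker alters slave 'b's value as seen by slave 'a'
                  only, so master and slave 'a' disagree on what was observed.
    forge_round:  slave 'c's packet carries a wrong tag1, so the master flags it.
    """
    keys = {"a": b"key-a", "b": b"key-b", "c": b"key-c"}  # constructed keys
    slaves = [Slave(n, k) for n, k in keys.items()]
    master = Master(keys)
    pending, verdicts, flagged = None, [], []
    for rnd in range(rounds):
        packets = [s.transmit(rnd, 100 * rnd + i) for i, s in enumerate(slaves)]  # phase one
        if rnd == forge_round:
            n, v, t1, t2 = packets[2]
            packets[2] = (n, v, (t1 + 1) % (1 << B), t2)
        if pending is not None:  # phase three for the previous round: all tag2s released
            released = [p[3] for p in packets]
            verdicts.append(attestation_hash(released, B) == pending["hash"])
        bus_view = [(n, v) for n, v, _, _ in packets]
        for s in slaves:
            s.observed = list(bus_view)
        if rnd == tamper_round:
            slaves[0].observed[1] = ("b", bus_view[1][1] + 1)
        pending = master.attest(rnd, packets)  # phase two broadcast
        flagged.append(not all(pending["valid"]))
        for s in slaves:
            s.attestation = pending["valid"]
    return verdicts, flagged
```

In an honest run every phase-three check passes. When one slave's view of the bus differs from the master's, its released tag no longer matches the tag the master hashed, so the whole network rejects that round's hash; a bad phase-one tag is instead recorded in the validity bits, which both sides include, so the hash still verifies and the forgery attempt is visible to all receivers.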

5.3.6 Discussion

This approach has two primary advantages. First, authenticating via a master or base station node is very efficient in terms of bandwidth on a broadcast bus compared to having every node broadcast its own multicast authenticators. Having one node authenticate the messages from all nodes requires a single broadcast authenticator. In this approach, which is based on hash tree broadcast authentication, slave nodes transmit only two MAC tags, each of which can be truncated.

Using hash tree broadcast authentication also has the advantage of distributing the authentication bits of the master's attestation among the slave node transmissions instead of placing them only in a transmission from the master node. If the master node used another multicast authentication mechanism (e.g., OMPR or TESLA) to send its attestation, it might have to introduce extra packets to broadcast the authenticator. Since the master's authenticator should be broadcast at the same frequency as the fastest message types, adding packets from the master would significantly increase bandwidth costs (each CAN packet carries a minimum overhead of 90 bits). Using hash tree broadcast authentication, the master only needs to send a single hash.

Using a trusted master node also introduces several disadvantages, regardless of the broadcast authentication mechanism used. First, the master node is a single point of failure: if the master suffers a permanent failure, no authentication can be performed. Second, the approach is fragile, being very sensitive to packet losses.

Using a trusted master also gives an attacker two guesses to forge an authenticator. First, the attacker can attempt to forge the tag for the master in phase one. Second, if the master's message indicates that one of the tags was invalid, the attacker can attempt to forge the master's broadcast authenticator. If the probability of successful forgery on either authenticator is $2^{-b}$, where each authenticator is truncated to b bits, then the probability of successful per-packet forgery is given by equation (4). This is the same probability as for forgery attempts on secondary confirmations in validity voting (Section 4.9).

$$2^{-b} + \left(1 - 2^{-b}\right) 2^{-b} \qquad (4)$$

Using an approach based on hash tree broadcast authentication exacerbates the impact of node failure. If a single receiving node suffers a failure, that node might not transmit the MAC tag that would allow the rest of the network to verify the master's hash value. A single failed node might prevent all authentication. Chapter 8 describes approaches to improve tolerance to node failures. Similar approaches could be used in conjunction with master-slave.

This multicast authentication approach may not be suitable for networks with a large number of silent receivers that would otherwise never transmit; each of those receivers must now transmit a message on the network to participate in verifying the master's hash. This would significantly increase the bandwidth required for authentication. For those types of networks, this master-slave approach using hash tree broadcast authentication should not be used; instead, the master node can authenticate the messages from the previous round using another mechanism such as TESLA.

Node compromise is only a concern for this approach if the attacker gains control of the master node. If the master node is compromised, the attacker can forge any message desired. Compromised slave nodes can only forge messages they are already expected to send.

Lastly, there is a potential security vulnerability when authenticating all messages through a trusted master in conjunction with time-triggered authentication. In time-triggered authentication, packet losses are considered non-malicious; invalid packets are considered malicious. As described in Section 5.3.4, the master explicitly attests to the validity of the messages transmitted in phase one of this approach. The attack is executed as follows:

1. During phase one, the attacker selects a message type to attempt to spoof and attempts to guess the authenticator attached on a sample. Because we use few authentication bits, there is a moderate probability of successful forgery per packet.

2. In phase two, the attacker intercepts and observes the master's message. If it indicates no forgery attempts, the attacker knows they guessed the MAC tag correctly during phase one. Otherwise, the attacker drops the master's packet.

3. The attacker then repeats steps one and two until a sufficient number of forgeries have been successful to induce a system failure.

While this attack might technically allow an attacker to forge many message samples over time, the attacker is forced to drop many messages from the master. Even with single-bit tags, the attacker drops about every other message from the master (50 percent) on average. If tags are four bits, the attacker is forced to drop about fifteen out of sixteen (93.75 percent) of the master's messages. With more bits the percentage of dropped packets is higher still. Since at most two tags per packet are needed, system designers are likely to use relatively large tags for high per-packet assurance. With so many dropped packets, a receiver is likely to assume the network has suffered a blackout and take an appropriate safe action, precluding the attack from achieving its desired effect. If this attack is a concern, the validity bit in the master's attestation message can be omitted. The receiver then always computes the MAC tag in phase three over the messages observed during phase one, assuming none have been tampered with. Thus, an attacker cannot watch the master's messages to learn whether they guessed the MAC tag correctly, and the verification in phase three will succeed only if the master and slave nodes observed the same messages during phase one.
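The adaptive attack above, together with the two-guess forgery probability of equation (4) from the discussion earlier in this section (2^-b for the phase-one tag, plus a second 2^-b guess at the master's authenticator when the first miss is flagged), as an added Python example that is not the thesis' code. The attacker model (a uniformly random guess at a b-bit tag each round, the master's packet dropped on every flagged miss), the seeded random draws and the receiver's blackout rule of eight consecutive missing master packets are assumptions made here for illustration.

```python
"""Adaptive forgery against the master's validity bit (constructed example, not
the thesis' code). Each round the attacker guesses a b-bit tag for a spoofed
sample. The master's attestation reveals whether the guess was right; on a miss
the attacker drops the master's packet so receivers never see the failed attempt.
"""
import random


def forgery_probability(b: int) -> float:
    """Equation (4): guess the phase-one tag, or, after a flagged miss, guess the
    master's b-bit authenticator instead: 2^-b + (1 - 2^-b) * 2^-b."""
    p = 2.0 ** -b
    return p + (1 - p) * p


def expected_drop_fraction(b: int) -> float:
    """Fraction of master packets the attacker must drop: every round the guess misses."""
    return 1 - 2.0 ** -b


def simulate_attack(b: int, rounds: int, seed: int = 0, blackout_limit: int = 8):
    """Monte Carlo of the attack against a receiver that treats `blackout_limit`
    consecutive missing master packets as a network blackout and fails safe.

    Returns (forged_fraction, dropped_fraction, round_of_safe_action), where the
    last item is None if the receiver never declared a blackout.
    The tags are drawn from a seeded RNG; this is a constructed scenario, not data.
    """
    rng = random.Random(seed)
    forged = dropped = consecutive = 0
    safe_at = None
    for rnd in range(rounds):
        true_tag = rng.getrandbits(b)   # tag the legitimate sender would have produced
        guess = rng.getrandbits(b)      # attacker's blind guess for the spoofed sample
        if guess == true_tag:
            forged += 1                 # master's attestation is clean: let it through
            consecutive = 0
        else:
            dropped += 1                # attestation would flag the forgery: suppress it
            consecutive += 1
            if safe_at is None and consecutive >= blackout_limit:
                safe_at = rnd           # receiver has seen enough silence to fail safe
    return forged / rounds, dropped / rounds, safe_at
```

With four-bit tags the simulation drops roughly 15 of every 16 master packets, matching the text, and a receiver with even a modest blackout threshold fails safe within the first few dozen rounds, long before the attacker accumulates useful forgeries. Omitting the validity bit removes the feedback the `guess == true_tag` branch depends on, which is why the text recommends it where this attack is a concern.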