The present invention relates to a communication system and a communication device and, in particular, to a communication system and a communication device that are favorably used in communication in which part of a message authentication code (MAC) is included in a communication packet sent over a network.
In various fields, of which vehicle control systems are one example, the importance of security and the need for it are increasing. In the field of embedded devices in particular, the target product itself is frequently subjected to physical attack, and there is therefore a tendency to concentrate security functions in a hardware security module (HSM) that has high tamper resistance.
The vehicle control system is configured by a plurality of electronic control units (ECUs) which are coupled to an on-vehicle network such as a CAN (Controller Area Network). Attacks on such a vehicle control system include leakage of messages exchanged over the CAN, tampering with those messages, distribution of false messages and so forth. To counter these attacks, a technique has been proposed that adds information certifying the validity of a CAN packet to the CAN packet in communication between the ECUs and so forth.
Japanese Unexamined Patent Application Publication No. 2013-98719 discloses a technology for performing message authentication using the message authentication code (MAC) without changing the CAN protocol. Each ECU coupled to the CAN counts, for every CAN ID, the number of times messages have been transmitted. The ECU which has transmitted a main message generates one MAC from the data field and the CAN ID of the main message and the counted value corresponding to that CAN ID, and transmits the generated MAC as one MAC message. The ECU which has received the main message generates another MAC from the data field and the CAN ID included in the main message and the counted value corresponding to that CAN ID, compares the generated MAC with the MAC included in the MAC message, and thereby verifies the validity of the main message.
“Protection of On-Vehicle Control System by Secure Boot+Authentication” written by Takahiro Takemori, Seiichiroh Mizoguchi, Hideaki Kawabata and Ayumu Kubota, in Research Report of Information Processing Society of Japan, Intelligent Transportation Systems and Smart Community (ITS), 2014-ITS-58, Information Processing Society of Japan, Sep. 12, 2014, discloses a CAN packet authentication technology that improves on the technology described in Japanese Unexamined Patent Application Publication No. 2013-98719. Since there is a limitation on the size of the CAN packet, only some bits of the calculated MAC value are included in the CAN packet. In the transmission side ECU, the high-order L-1-n bits of the value of a transmission packet counter are used for calculation of the MAC value, and the low-order n bits of that value are used to indicate the position of a frame of some bits (Xs bits) to be extracted from the calculated MAC value. That is, the transmission side ECU calculates the MAC value from the main message, secret information which is shared between the transmission side and the reception side, and the high-order L-1-n bits of the value of the transmission packet counter; it extracts from that MAC value the Xs bits at the frame position designated by the low-order n bits of the value of the transmission packet counter; and it configures the CAN packet by adding the extracted Xs bits to the main message. In the reception side ECU, the high-order L-1-n bits of the value of a reception packet counter, which are the same as those of the transmission side ECU, are used for calculation of the MAC value, and the low-order n bits thereof are used to indicate the position of the frame of some bits (Xr bits) to be extracted from the calculated MAC value.
That is, the reception side ECU calculates the MAC value from the main message in the received CAN packet, the secret information which is shared with the transmission side, and the high-order L-1-n bits of the value of the reception packet counter, and extracts from the calculated MAC value the Xr bits at the frame position designated by the low-order n bits of the value of the reception packet counter. The Xs bits of the MAC value in the received CAN packet are compared with the Xr bits of the MAC value that the reception side ECU itself has calculated, and when the Xs bits and the Xr bits match, the received CAN packet is authenticated as valid.
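The counter-split scheme described above can be sketched as follows. This is an added example, not code from the cited report or from the present application. HMAC-SHA256 as the MAC, n = 2, a 32-bit frame, a single counter per ECU pair, the field encodings, the key and the rule that the receiver advances its counter only after a successful check are all assumptions made for illustration.

```python
import hashlib
import hmac

N_BITS = 2                  # assumed n: low-order counter bits selecting the frame
TAG_BYTES = 4               # assumed frame width (Xs = Xr = 32 bits)

def truncated_mac(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    """Return the frame of the full MAC that is carried in the packet."""
    high = counter >> N_BITS                 # high-order part enters the MAC input
    frame = counter & ((1 << N_BITS) - 1)    # low-order n bits pick the frame position
    # Assumed encoding of the main message: 4-byte CAN ID, data field, 8-byte counter part.
    msg = can_id.to_bytes(4, "big") + data + high.to_bytes(8, "big")
    full = hmac.new(key, msg, hashlib.sha256).digest()
    return full[frame * TAG_BYTES:(frame + 1) * TAG_BYTES]

class Sender:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def send(self, can_id: int, data: bytes):
        tag = truncated_mac(self.key, can_id, data, self.counter)
        self.counter += 1
        return can_id, data + tag            # main message followed by the Xs bits

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def receive(self, can_id: int, payload: bytes) -> bool:
        data, tag = payload[:-TAG_BYTES], payload[-TAG_BYTES:]
        expected = truncated_mac(self.key, can_id, data, self.counter)  # Xr bits
        ok = hmac.compare_digest(tag, expected)
        if ok:
            self.counter += 1                # assumed: advance only on success
        return ok

def demo() -> dict:
    key = b"constructed-shared-secret"       # constructed sample key
    tx, rx = Sender(key), Receiver(key)
    first = tx.send(0x123, b"\x01\x02\x03\x04")
    results = {"fresh": rx.receive(*first), "replay": rx.receive(*first)}
    can_id, payload = tx.send(0x123, b"\x01\x02\x03\x04")
    tampered = bytes([payload[0] ^ 0xFF]) + payload[1:]
    results["tampered"] = rx.receive(can_id, tampered)
    results["next"] = rx.receive(can_id, payload)
    results["tags_differ"] = first[1] != payload
    return results

if __name__ == "__main__":
    print(demo())
```

Because the low-order counter bits move the frame position and the high-order bits change the MAC input, an identical main message carries a different tag on each transmission, so a replayed packet fails once the reception counter has advanced.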