The invention relates to a method and a corresponding apparatus for securing access to a network, particularly to a local area network (LAN).
Vehicles (e.g. automobiles, trucks and/or motorcycles) typically have a communication system using one or more bus systems for exchanging information between different controllers of a vehicle. The one or more bus systems may particularly comprise an Ethernet network. An Ethernet network can be used by controllers of the vehicle (e.g. cameras) to exchange relatively large volumes of data.
One or more of the controllers connected to an Ethernet network of the vehicle (also referred to as Ethernet controllers) may be arranged in the vehicle such that they are relatively simple for an attacker, such as a hacker, to access. These controllers could be used by an unauthorized party to gain access to the communication system of the vehicle (e.g. by replacing a controller or by introducing an intermediate computer for a so-called man-in-the-middle attack).
In order to prevent this, authentication according to the IEEE 802.1X standard can be effected in the Ethernet network of the vehicle. However, it has been found that even authentication according to the IEEE 802.1X standard cannot completely rule out man-in-the-middle attacks.
Therefore, the present document is concerned with the technical problem of securing access to an Ethernet network of a vehicle such that access by unauthorized parties (including by means of a man-in-the-middle attack) can be avoided in a cost-efficient manner.
According to one aspect, a method for controlling access by a supplicant to an Ethernet network via an authenticator is described. The Ethernet network can be part of a communication system of a vehicle. In this case, the supplicant and/or the authenticator may each be a controller of the vehicle. The authenticator can be an Ethernet switch for controlling access to the Ethernet network.
The method comprises authentication of the supplicant with the authenticator using an authentication protocol. The authentication protocol can include Ethernet port based access control according to the IEEE 802.1X standard. Furthermore, the authentication of the supplicant can include the sending of an Extensible Authentication Protocol (EAP) message.
The method further comprises determination of a delay in a message between the supplicant and the authenticator. For this purpose, the method can include synchronization of a time of the supplicant and a time of the authenticator, using a time synchronization protocol. Examples of the time synchronization protocol are the IEEE 802.1AS standard and/or the Precision Time Protocol (PTP). Synchronization of the times of the supplicant and the authenticator can ensure that the delay in the message can be determined in a precise manner.
Furthermore, the determination of the delay in a message can include assignment of a random identifier to the message for which the delay is ascertained. As such, it is possible to ensure that the message can be identified unequivocally by the supplicant and/or by the authenticator, and hence the delay in the message can be determined in a reliable manner.
The method further comprises control of access by the supplicant to the Ethernet network on the basis of the effected authentication and the ascertained delay. By taking account of the delay in a message for access control, man-in-the-middle attacks can be reliably ruled out, since such attacks typically result in a significant extension to the delay of messages.
A line between supplicant and authenticator can have a length that is equal to or less than a predefined length threshold value. This is the case particularly in vehicles, in which the length of a connecting line between two controllers (i.e. between the supplicant and the authenticator) is typically prescribed by the dimensions of the vehicle. The control of access can then include checking whether the determined delay is equal to or less than a predefined delay threshold value. It is therefore possible to determine, in a simple and cost-efficient manner, whether there is a man-in-the-middle attack, in the case of which the delay in a message interchanged between the supplicant and the authenticator would be above the predefined delay threshold value.
The predefined delay threshold value can be determined by calculation, e.g. on the basis of a known length of the connecting line between supplicant and authenticator. Alternatively or additionally, the predefined delay threshold value can be determined experimentally (e.g. in a secure environment prior to delivery of a vehicle).
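The access decision described above can be sketched from the authenticator's side as follows. This is an added example, not code from the original document: the propagation and latency constants, the safety margin, the probe/report message layout and all function names are assumptions chosen for illustration, and the timestamps are assumed to come from clocks already synchronized between supplicant and authenticator.

```python
import hmac
import secrets
from dataclasses import dataclass

# Assumed constants (illustrative, not taken from the document).
PROPAGATION_NS_PER_M = 5.0   # approximate signal propagation on copper
FIXED_LATENCY_NS = 1_000.0   # hypothetical latency budget of both interfaces

def delay_threshold_ns(max_line_length_m: float, margin: float = 1.2) -> float:
    """Delay threshold calculated from the known maximum line length."""
    return (max_line_length_m * PROPAGATION_NS_PER_M + FIXED_LATENCY_NS) * margin

@dataclass(frozen=True)
class Probe:
    identifier: bytes  # random identifier assigned to the measured message
    tx_time_ns: int    # authenticator clock when the message was sent

@dataclass(frozen=True)
class ProbeReport:
    identifier: bytes  # identifier as seen by the supplicant
    rx_time_ns: int    # supplicant clock (synchronized) at reception

def new_probe(now_ns: int) -> Probe:
    return Probe(secrets.token_bytes(16), now_ns)

def measured_delay_ns(probe: Probe, report: ProbeReport):
    """One-way delay, or None if the report does not match the probe."""
    if not hmac.compare_digest(probe.identifier, report.identifier):
        return None  # unknown or replayed message: no valid measurement
    delay = report.rx_time_ns - probe.tx_time_ns
    return delay if delay >= 0 else None  # negative delay: clocks not in sync

def grant_access(authenticated: bool, probe: Probe, report: ProbeReport,
                 threshold_ns: float) -> bool:
    """Access requires successful authentication AND a delay within the threshold."""
    if not authenticated:
        return False
    delay = measured_delay_ns(probe, report)
    return delay is not None and delay <= threshold_ns

if __name__ == "__main__":
    threshold = delay_threshold_ns(10.0)        # constructed: 10 m line
    probe = new_probe(1_000_000)
    direct = ProbeReport(probe.identifier, 1_001_040)   # constructed sample
    relayed = ProbeReport(probe.identifier, 1_025_000)  # constructed sample
    print("direct link:", grant_access(True, probe, direct, threshold))
    print("intermediate computer:", grant_access(True, probe, relayed, threshold))
```

A failed or implausible measurement is treated the same as an excessive delay, so the port stays closed unless both conditions are positively met.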
The Ethernet network can comprise a full duplex connecting line between supplicant and authenticator. In other words, a message between supplicant and authenticator can be interchanged via a full duplex Ethernet bus. The use of a full duplex connecting line is advantageous because, in such a case, performance of a man-in-the-middle attack requires the introduction of an intermediate computer and/or physical breakage of the connecting line. These steps significantly increase the delay in messages between supplicant and authenticator. Consequently, the use of full duplex connecting lines facilitates detection of a man-in-the-middle attack on the basis of the delay in a message.
According to a further aspect, a controller for a vehicle is described. The controller can have the function of a supplicant that asks for or requests access to an Ethernet network of the vehicle. The controller is set up to authenticate itself with an authenticator of the Ethernet network of the vehicle, using an authentication protocol. Furthermore, the controller may be set up to determine a delay in a message between the controller and the authenticator. For this purpose, the controller may be set up to send a message with a random identifier to the authenticator. Furthermore, the controller is set up to gain access to the Ethernet network on the basis of the effected authentication and the determined delay.
According to a further aspect, a component for an Ethernet network of a vehicle is described. The component can include e.g. a controller of the vehicle. The component can have the function of an authenticator for the Ethernet network. For this purpose, the component can be an Ethernet switch.
The component is set up to authenticate a supplicant that requests access to the Ethernet network, using an authentication protocol. Additionally, the component is set up to determine a delay in a message between the supplicant and the component. Furthermore, the component is set up to control access by the supplicant to the Ethernet network on the basis of the effected authentication and on the basis of the determined delay.
According to a further aspect, a vehicle (e.g. an automobile, a truck or a motorcycle) is described that includes a controller, described herein, and/or a component of an Ethernet network, which component is described herein.
According to a further aspect, a software (SW) program is described. The SW program can be set up to be executed on a processor (e.g. on a controller) and thereby to perform the method described herein.
According to a further aspect, a storage medium is described. The storage medium can include an SW program that is set up to be executed on a processor and thereby to perform the method described herein.
It should be noted that the methods, apparatuses and systems described in this document can be used either on their own or in combination with other methods, apparatuses and systems described in this document. Furthermore, any aspects of the methods, apparatuses and systems described in this document can be combined with one another in a variety of ways.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of one or more preferred embodiments when considered in conjunction with the accompanying drawings.