基于服务的多域电子电气架构安全访问控制

doi:10.19562/j.chinasae.qcgc.2023.09.011

Abstract

Abstract:

Under the service-oriented multi-domain electrical and electronic architecture， a large number of heterogeneous services are deployed in the vehicle for purposes such as autonomous driving， safety， comfort， and remote diagnosis. With the increasing interaction with the outside world， there are incremental security risks in the in-vehicle network. In this paper， a secure access control mechanism is proposed to prevent unauthenticated and unauthorized access requests to the in-vehicle domain controllers. Firstly， an access control architecture for attribute-based access control is proposed based on the analysis of security requirements of intelligent connected vehicle， which supports not only fine-grained and flexible authorization but also online permission detection based on per-stream filtering and policing. Secondly， a formal access control model is given in terms of a five-tuple， which mathematically describes the subject， object， policy and request， and proposes a hash-based policy evaluation engine. Finally， the secure access sequence guarantees confidentiality， integrity and availability of the access control process through session establishment and secure communication.

Key words: access control, SOME/IP, multi-domain EEA, security protocol

Zhenyu Yang,Feng Luo,Zitong Wang,Yi Ren,Xiaoxian Zhang. Security Access Control for Service-Oriented Multi-domain Electrical and Electronic Architecture[J].Automotive Engineering, 2023, 45(9): 1626-1636.

Figures/Tables 12

符号	含义
$E E C C$	基于 $E C C 256$ 的非对称加密算法
$K_C u r r e n t$	当前会话秘钥
$K u p d a t e$	更新的会话秘钥
$C e r t R$	根证书
$C e r t A, C e r t G$	域控制器A与认证中心G的证书，由根证书签发
N	一次随机数
$p k A$ ， $? p k G, p k R$	区域控制器A，认证中心G和根证书里的存放的公钥
$s k A$ ， $s k G$	域控制器A与认证中心G中对应公钥的私钥
IV	初始化向量
$E n c k e y$	加密后的会话秘钥
PPS_Count	PPS上升沿计数

References 14

1	LEE Y S， KIM J H， JEON J W. Flexray and ethernet AVB synchronization for high QoS automotive gateway ［J］. IEEE Transactions on Vehicular Technology， 2017， 66（7）： 5737-5751.
2	HASHEM EIZA M， NI Q. Driving with sharks： rethinking connected vehicles with vehicle cybersecurity ［J］. IEEE Vehicular Technology Magazine， 2017， 12（2）： 45-51.
3	HWANG M S， SUN T H， LEE C C J J O C， et al. Achieving dynamic data guarantee and data confidentiality of public auditing in cloud storage service ［J］. Journal of Circuits， Systems and Computers， 2016， 26（5）： 1750072.
4	HU V C， KUHN D R， FERRAIOLO D F， et al. Attribute-based access control ［J］. IEEE Computer， 2015， 48（2）： 85-88.
5	ZRELLI S， MIYAJI A， SHINODA Y， et al. Security and access control for vehicular communications［C］. Proceedings of the 2008 IEEE International Conference on Wireless and Mobile Computing， Networking and Communications， F， 2008.
6	SUBKE P， MOSHREF M， VACH A， et al. Measures to prevent unauthorized access to the in-vehicle e/e system， due to the security vulnerability of a remote diagnostic tester ［J］. SAE International Journal of Passenger Cars， 2017， 10（2）.
7	HABIB M A， AHMAD M， JABBAR S， et al. Security and privacy based access control model for internet of connected vehicles ［J］. Future Generation Computer Systems，2019， 97： 687-696.
8	LEE S， CHUNG B， CHOI J， et al. Design and implementation on the access control scheme against V2N connected car attacks［J］. Advanced Multimedia and Ubiquitous Engineering， 2019，518：705-710.
9	WANG K， LIU N， XIU J， et al. Research on multi domain based access control in intelligent connected vehicle ［M］. Springer International Publishing， 2019： 401-407.
10	KIM D K， SONG E， YU H. Introducing attribute-based access control to AUTOSAR ［C］. SAE Paper 2016-01-0069.
11	LI R， HAITAO Z， YUN L， et al. An efficient access control framework for service-oriented architecture of vehicle ［C］. 2021 18th International Computer Conference on Wavelet Active Media Technology and Information Processing （ICCWAMTIP）.
12	LUO F， HOU S. Cyberattacks and countermeasures for intelligent and connected vehicles ［J］. SAE International Journal of Passenger Cars， 2019， 12（1）： 55-66.
13	ZELLE D， KRAUß C， STRAUß H， et al. On using TLS to secure in-vehicle networks［C］. Proceedings of the 12th International Conference on Availability， Reliability and Security Security Reggio Calabria Italy 2017.
14	IORIO M， REINERI M， RISSO F， et al. Securing SOME/IP for in-vehicle service protection ［J］. IEEE Transactions on Vehicular Technology， 2020， 69（11）： 13450-13466.

符号	类型	含义
event begin_dcu_auth	事件	域控制器认证开始
event end_dcu_auth	事件	域控制器认证结束
event begin_center_auth	事件	认证中心认证开始
event end_center_auth	事件	认证中心认证结束
query attacker（new K_Current）	询问	证明当前会话秘钥的保密性
query attacker（new msg）	询问	证明安全通信过程明文的保密性
Query inj-event（end_dcu_auth） ==> inj-event（begin_dcu_auth）.	询问	证明域控制器的身份可认证性
Query inj-event（end_center_auth） ==> inj-event（begin_center_auth）.	询问	证明认证中心的身份可认证性

流程耗时	WolfSSL实现	HSM实现	文献［13］
会话建立	829.387 4 ms	89.508 2 ms	1 298.7/2 169.5 ms
安全通信（512 B/64 B）	2.611/0.384 ms	27.648/5.096 μs	2.952/0.441 ms
秘钥更新	0.390 ms	11.779 μs
策略评估	1.7 ms	4.180 μs
在线检测

Security Access Control for Service-Oriented Multi-domain Electrical and Electronic Architecture

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 14

Related Articles 1

Metrics

Comments

Recommended 10

参数
匹配流过滤器的报文数量
通过流门控的报文数量
未通过流门控的报文数量
被流量计丢弃的报文数量
通过最大服务数据单元过滤的报文数量
未通过最大服务数据单元过滤的报文数量