TY - GEN
T1 - Gatekeeper
T2 - 17th ACM ASIA Conference on Computer and Communications Security 2022, ASIA CCS 2022
AU - Hu, Shengtuo
AU - Zhang, Qingzhao
AU - Weimerskirch, André
AU - Mao, Z. Morley
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/5/30
Y1 - 2022/5/30
N2 - Automotive Ethernet is considered to be the next-generation in-vehicle network, because of its high bandwidth, high throughput, and low cost characteristics. However, no common standard has been established for the security protocol of Automotive Ethernet. While there are a few candidates, including MACsec, IPsec, and TLS, there is no widely favored candidate. Most importantly, existing candidates cannot fully satisfy the requirements of in-vehicle communication, specifically source authentication for broadcast/multicast communication. In this paper, we conduct a comprehensive analysis in both security and performance of existing security protocol candidates and identify source authentication and Denial-of-Service (DoS) prevention as two essential but missing properties in these candidates. We propose Gatekeeper, a gateway-based broadcast authentication protocol to ensure source authentication. In general, Gatekeeper introduces an on-path authenticator, which co-locates with the in-vehicle gateway or domain controllers and helps receivers to verify the sender's identity. To defend against DoS threats, we further integrate the time-lock puzzle with Gatekeeper to slow down malicious traffic. Our performance evaluation results show that Gatekeeper only results in 0.03 ms latency overhead for CAN data transmission and outperforms TESLA on both CAN and LiDAR transmission scenarios, highlighting the effectiveness and efficiency of Gatekeeper.
AB - Automotive Ethernet is considered to be the next-generation in-vehicle network, because of its high bandwidth, high throughput, and low cost characteristics. However, no common standard has been established for the security protocol of Automotive Ethernet. While there are a few candidates, including MACsec, IPsec, and TLS, there is no widely favored candidate. Most importantly, existing candidates cannot fully satisfy the requirements of in-vehicle communication, specifically source authentication for broadcast/multicast communication. In this paper, we conduct a comprehensive analysis in both security and performance of existing security protocol candidates and identify source authentication and Denial-of-Service (DoS) prevention as two essential but missing properties in these candidates. We propose Gatekeeper, a gateway-based broadcast authentication protocol to ensure source authentication. In general, Gatekeeper introduces an on-path authenticator, which co-locates with the in-vehicle gateway or domain controllers and helps receivers to verify the sender's identity. To defend against DoS threats, we further integrate the time-lock puzzle with Gatekeeper to slow down malicious traffic. Our performance evaluation results show that Gatekeeper only results in 0.03 ms latency overhead for CAN data transmission and outperforms TESLA on both CAN and LiDAR transmission scenarios, highlighting the effectiveness and efficiency of Gatekeeper.
KW - automotive ethernet
KW - in-vehicle security
KW - source authentication
UR - https://www.scopus.com/pages/publications/85133175128
UR - https://www.scopus.com/pages/publications/85133175128#tab=citedBy
U2 - 10.1145/3488932.3517396
DO - 10.1145/3488932.3517396
M3 - Conference contribution
AN - SCOPUS:85133175128
T3 - ASIA CCS 2022 - Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security
SP - 494
EP - 507
BT - ASIA CCS 2022 - Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security
PB - Association for Computing Machinery, Inc
Y2 - 30 May 2022 through 3 June 2022
ER -