A trusted CAN communication method and system based on double-channel and closed-loop encryption and decryption
By dividing the CAN bus into channels and implementing closed-loop encryption/decryption and dynamic priority management, the security and privacy protection issues of traditional CAN communication systems are solved, achieving efficient data transmission and attack protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patent (China)
- Current Assignee / Owner
- LUOWEI TECH (HANGZHOU) CO LTD
- Filing Date
- 2025-05-06
- Publication Date
- 2026-06-19
Abstract figure: CN120455196B_ABST
Description
Technical Field
[0001] This invention relates to the field of data communication technology, specifically to a trusted CAN communication method and system based on dual-channel and closed-loop encryption and decryption.
Background Technology
[0002] With the rapid development of the Internet of Things (IoT) and automation technologies, the CAN bus, as a highly efficient and reliable serial communication protocol, is widely used in automotive, industrial control, aerospace, and other fields. Traditional CAN communication systems do not specifically consider encryption and authentication mechanisms during data transmission, making them vulnerable to malicious attacks and data tampering. As the automotive and industrial control sectors gradually move towards intelligence and networking, the CAN bus faces more network attack risks, including but not limited to replay attacks, spoofing attacks, and data tampering. To improve the security of CAN networks, designing a secure communication method that can prevent unauthorized device access and ensure the confidentiality and integrity of the communication process is particularly important.
[0003] In the existing CAN bus, all devices communicate through a shared physical bus, and all devices can access every CAN message. The lack of effective encryption and isolation mechanisms makes communication between devices vulnerable to unauthorized access or tampering in certain scenarios. Furthermore, because the CAN protocol uses a broadcast method, all devices can see all messages sent on the bus, leading to security and privacy vulnerabilities.
[0004] Therefore, how to improve the security, reliability, and flexibility of CAN communication by combining encryption technology, decentralized management, a dynamic priority mechanism, and message validity detection on top of traditional CAN bus communication has become a key issue that urgently needs to be addressed.
Summary of the Invention
[0005] Based on the shortcomings of the prior art described above, the purpose of this invention is to provide a reliable CAN communication method and system based on dual-channel and closed-loop encryption and decryption to solve the above-mentioned technical problems.
[0006] To achieve the above objectives, the present invention provides the following technical solution: a trusted CAN communication method based on dual-channel and closed-loop encryption and decryption, comprising:
[0007] On the same physical CAN bus, the communication logic is divided into a negotiation communication channel and a transmission communication channel. The negotiation communication channel transmits broadcast messages based on the group identifier ID, and the transmission communication channel transmits user messages based on the valid device ID.
[0008] Device legitimacy is verified based on broadcast messages received through the negotiation communication channel, and a list of trusted devices is dynamically managed to enable access and isolation of communication nodes.
[0009] The trusted CAN device sends a self-decryptable broadcast message through a negotiation communication channel. The broadcast message contains decryption information for decrypting the next user message. Based on the obtained decryption information, a one-time codebook is generated, the user data is encrypted, the user message is constructed, and then it is sent through the transmission communication channel.
[0010] The receiving device decrypts and verifies the user message based on the decryption information. If the verification passes, the message is considered valid; otherwise, it is discarded.
[0011] In response to device ID conflicts, trusted CAN devices perform dynamic priority management based on preset priorities and valid ID reselection strategies.
[0012] During message transmission, message reliability transmission detection is performed. When abnormal transmission of broadcast messages and user messages is detected, or the number of decryption failures exceeds the threshold, an exception is triggered and reported to the application layer system.
[0013] The present invention is further configured such that the negotiation logic communication channel uses a preset group ID as the CAN message ID to transmit negotiation information; and the transmission logic communication channel uses a valid device ID as the CAN message ID to transmit application layer data information.
[0014] Broadcast messages and user messages are logic layer messages. Broadcast messages are transmitted on the negotiation logic communication channel, while user messages are transmitted on the transmission logic communication channel.
[0015] The present invention is further configured such that the user message includes message metadata, decrypted value type, decrypted value, sequence number, message length, padding length, data, data padding, and data verification;
[0016] Broadcast messages include the message decryption information, serial number, device ID, function, message length, padding length, user message decryption related information, value, data padding, and data verification; the message decryption information includes the decryption value type and decryption value.
[0017] The present invention further specifies that both broadcast messages and user messages are in encrypted format, and the message structure carries decryption information for the next user message. The decryption information includes a decryption value type and a decryption value; the decryption value type includes a random value type and an offset value type.
[0018] When the value is of random type, the receiver uses the random value as a seed and combines it with a preset symmetric key to input a scrambling generation algorithm to generate the current one-time password book;
[0019] When it is an offset value type, the receiver generates the current one-time password book based on the offset value, according to the password book used in the previous decrypted user message.
[0020] The encryption process is as follows: the original data, excluding the data verification field, is input into the scrambling algorithm and XORed with the one-time password book to obtain the ciphertext data;
[0021] The decryption process is as follows: The receiver constructs a one-time codebook according to the decryption method indicated in the current message, performs an XOR scrambling operation with the ciphertext data to restore the original data, and then performs a data verification to check the legality of the restored result. If the verification fails, the message is discarded.
[0022] The present invention is further configured such that, after startup, the trusted CAN device continuously listens to the negotiation communication channel in whitelist listening mode by default, and only receives the transmission communication channel messages of the authenticated device ID.
[0023] Device authentication is based on broadcast messages. If a trusted CAN device successfully receives a legitimate broadcast message on the negotiation communication channel and passes the decryption and verification, the valid device ID is extracted and added to the local listening whitelist.
[0024] The certified device enters the lifecycle management process, and the device information record includes: the current decryption information, the sequence value of the latest broadcast message, the unique sequence identifier of the device, and the latest activity timestamp;
[0025] If the same device ID and unique sequence identifier are subsequently received, but the broadcast sequence number is not incrementing, it is determined to be an illegal message or network anomaly, and authentication fails. If the unique sequence identifier is different, the device status is updated and it is considered a device priority adjustment. Before the priority adjustment, a broadcast message is sent to confirm, and the device priority is adjusted after the confirmation message is received. This is to prevent CAN message replay attacks.
[0026] The latest activity timestamp is automatically refreshed each time a legitimate message is successfully received from the device. If the device has no activity within the set time, it is considered offline, and its information will be removed from the whitelist and the listening will be terminated.
[0027] If the number of illegal messages received from a device exceeds the threshold within a set time, the valid device ID of that device will be removed from the whitelist, and a broadcast will be made to notify it to re-authenticate or adjust its priority. Illegal messages include messages of decryption failure or verification failure.
[0028] The present invention is further configured such that dynamic priority management includes:
[0029] Each trusted CAN device is configured with a preset device ID and a valid device ID. Under no conflict conditions, the valid device ID and the preset device ID are the same.
[0030] When a device ID conflict is detected, or when a priority management notification is received in a broadcast message from another device, the priority of the current valid device ID is reduced by one level, that is, the value of the current valid device ID plus one is used as the new valid device ID;
[0031] After setting a new valid device ID, the relevant devices are notified via broadcast message, triggering priority adjustment and re-authentication for the corresponding devices;
[0032] If a trusted CAN device receives a broadcast message from another device using the same valid ID, but the unique sequence value of the other device is different, then the device that joined the network later has higher priority, and the existing device needs to reselect a valid device ID;
[0033] If any trusted CAN device's currently used valid ID is not equal to the preset ID, and it is not a conflict between devices on the same virtual bus, the device will periodically listen to the channel corresponding to its preset ID. If it confirms that the channel is idle, it will switch back to the preset ID and broadcast a notification to other devices to update the mapping information. If it is a conflict between devices on the same virtual bus, when the corresponding device goes offline, it will switch back to the preset ID and broadcast a notification to other devices to update the mapping information.
[0034] The present invention is further configured such that the method includes an anomaly detection mechanism based on the decryption state of the communication channel, specifically including:
[0035] The trusted CAN device monitors the negotiation communication channel. If, within a preset time window, it receives more than a threshold number of broadcast messages that fail decryption or fail data verification, a network anomaly or an illegal device attack is determined. An abnormal event is triggered and reported to the upper-layer application system, and the trusted CAN device switches to an interval monitoring strategy on the negotiation communication channel until the channel returns to normal, at which point the continuous monitoring strategy is resumed.
[0036] The trusted CAN device continuously monitors the status of the transmission communication channel. If the number of decryption failures of user messages received within a preset time window exceeds a preset threshold, it is determined that there is a data conflict or illegal message injection behavior, and the device priority management process is triggered.
[0037] If the number of times device priority management operations are triggered within a continuous time period exceeds the total number of trusted devices in the current virtual CAN bus, the network is determined to be under continuous attack, and a high-priority security alarm signal is sent to the upper-layer application system.
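The window-based rules of [0035]-[0037] as an added Python example (not the patent's code); the window length, the thresholds and the "channel returned to normal" criterion (no failures left in the window) are assumptions.

```python
from collections import deque


class ChannelMonitor:
    """Decryption-state anomaly detection for one trusted CAN device ([0035]-[0037])."""

    def __init__(self, trusted_device_count: int, window: float = 5.0,
                 broadcast_fail_limit: int = 3, user_fail_limit: int = 3,
                 attack_period: float = 30.0) -> None:
        self.trusted_device_count = trusted_device_count   # members of this virtual bus
        self.window = window                               # assumed time window
        self.broadcast_fail_limit = broadcast_fail_limit   # assumed thresholds
        self.user_fail_limit = user_fail_limit
        self.attack_period = attack_period                 # assumed "continuous time period"
        self.broadcast_fails = deque()
        self.user_fails = deque()
        self.priority_triggers = deque()
        self.negotiation_mode = "continuous"               # "interval" while the channel is abnormal
        self.events = []                                   # what is reported to the application layer

    @staticmethod
    def _prune(q: deque, now: float, span: float) -> None:
        while q and now - q[0] > span:
            q.popleft()

    def broadcast_failed(self, now: float) -> bool:
        """A broadcast that failed decryption or data verification ([0035]).
        Returns True when the anomaly event is raised."""
        self._prune(self.broadcast_fails, now, self.window)
        self.broadcast_fails.append(now)
        over = len(self.broadcast_fails) >= self.broadcast_fail_limit
        if over and self.negotiation_mode == "continuous":
            self.negotiation_mode = "interval"
            self.events.append(("negotiation-channel-anomaly", now))
            return True
        return False

    def broadcast_ok(self, now: float) -> None:
        """Back to continuous monitoring once no failure remains in the window (assumed)."""
        self._prune(self.broadcast_fails, now, self.window)
        if self.negotiation_mode == "interval" and not self.broadcast_fails:
            self.negotiation_mode = "continuous"

    def user_message_failed(self, now: float):
        """User message decryption failure ([0036]); may trigger priority management, and
        more triggers per period than trusted devices means a continuous attack ([0037])."""
        self._prune(self.user_fails, now, self.window)
        self.user_fails.append(now)
        if len(self.user_fails) < self.user_fail_limit:
            return None
        self.user_fails.clear()
        self._prune(self.priority_triggers, now, self.attack_period)
        self.priority_triggers.append(now)
        self.events.append(("priority-management", now))
        if len(self.priority_triggers) > self.trusted_device_count:
            self.events.append(("security-alarm-high", now))
            return "alarm"
        return "priority-management"
```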
[0038] The present invention is further configured such that the method includes a user message reliable transmission detection mechanism for detecting whether a message is completely received and processed in a timely manner on the virtual CAN bus, including:
[0039] Passive detection mechanism: When a trusted CAN device receives a user message from a specific trusted CAN device, if the message sequence number is not continuously increasing, it is determined that there is a risk of message loss. The device will randomly delay for a specified time and then send a broadcast message through the negotiation communication channel to prompt the sender. If the same abnormal report is received from other devices during the delay period, the current abnormal prompt broadcast will be automatically canceled to reduce broadcast conflicts.
[0040] Active detection mechanism: When the application layer designates certain user messages as messages requiring acknowledgment, the trusted CAN device adds its message ID to the reliable transmission list and requires all receivers to return acknowledgment information via broadcast within a specified time; if the number of acknowledgment responses is less than the number of current virtual CAN bus members recorded in the device management, it is considered that a message has been lost.
[0041] When any mechanism detects an anomaly in message transmission, the detection device will trigger a report to the upper-layer application system, which can then choose to retransmit, alarm, or fault tolerance compensation based on the application scenario strategy.
[0042] The present invention is further configured such that the method constructs multiple virtual CAN buses through encryption mechanisms and device management mechanisms, including:
[0043] The physical CAN bus is logically divided into multiple virtual CAN buses. Each virtual CAN bus consists of trusted CAN devices with the same preset group identifier ID and symmetric key.
[0044] The communication channels within the virtual CAN bus are isolated from other virtual CAN buses, allowing member devices to negotiate communication and data transmission only based on the same group ID and key;
[0045] The priority relationship of devices within each virtual CAN bus is uniformly sorted by preset device ID. When there is no conflict, the effective ID of the device is equal to its preset ID, thus maintaining communication consistency and arbitration priority.
[0046] Device priority management and device monitoring lists between different virtual CAN buses do not interfere with each other, avoiding cross-logical interference caused by ID conflicts, thereby realizing the dynamic separation and independent operation of virtual CAN buses.
[0047] This invention also provides a trusted CAN communication system based on dual-channel and closed-loop encryption and decryption, used to implement the aforementioned trusted CAN communication method based on dual-channel and closed-loop encryption and decryption, comprising:
[0048] Channel partitioning module: On the same physical CAN bus, the communication logic is divided into negotiation communication channel and transmission communication channel. The negotiation communication channel transmits broadcast messages based on group identifier ID, and the transmission communication channel transmits user messages based on valid device ID.
[0049] Device management module: Verifies device legitimacy based on broadcast messages received through the negotiation communication channel, dynamically manages the list of trusted devices, and enables the access and isolation of communication nodes;
[0050] Transmission module: The trusted CAN device sends a self-decryptable broadcast message through the negotiation communication channel. The broadcast message contains decryption information for decrypting the next user message. Based on the obtained decryption information, a one-time codebook is generated. The user data is encrypted to construct the user message, which is then sent through the transmission communication channel.
[0051] Verification module: The receiving device decrypts and verifies the user message based on the decryption information. If the verification passes, the message is considered valid; otherwise, it is discarded.
[0052] Priority Management Module: In response to device ID conflicts, trusted CAN devices perform dynamic priority management based on preset priorities and valid ID reselection strategies;
[0053] Anomaly detection module: When transmitting messages, it performs message reliability transmission detection. When it detects anomalies in the transmission of broadcast messages and user messages or when the number of decryption failures exceeds the threshold, it triggers an anomaly and reports it to the application layer system.
[0054] This invention provides a trusted CAN communication method and system based on dual-channel and closed-loop encryption and decryption. The method divides the communication logic into a negotiation communication channel and a transmission communication channel on the same physical CAN bus. The negotiation communication channel transmits broadcast messages based on group identifier IDs, while the transmission communication channel transmits user messages based on valid device IDs. Device legitimacy is verified based on the broadcast messages received through the negotiation communication channel, and a trusted device list is dynamically managed to achieve access and isolation of communication nodes. Trusted CAN devices send self-decryptable broadcast messages through the negotiation communication channel. These broadcast messages contain decryption information for decrypting the next user message. A one-time password book is generated based on the obtained decryption information, and user data is encrypted to construct the user message, which is then sent through the transmission communication channel. The receiving device decrypts and verifies the user message based on the decryption information. If the verification passes, the message is considered valid; otherwise, it is discarded. In response to device ID conflicts, the trusted CAN device performs dynamic priority management based on preset priorities and a valid ID reselection strategy. When an abnormal user message transmission is detected or the number of decryption failures exceeds a threshold, an abnormality report or retransmission request is triggered through the broadcast channel. The beneficial effects include:
[0055] 1. Implement logical communication channel division on the physical bus: By dividing the CAN communication logic into negotiation communication channels and transmission communication channels, the control and user data transmission are separated, making the message type clear and the transmission path independent, effectively improving the flexibility of communication scheduling and control.
[0056] 2. Establish a chain-dependent closed-loop encryption and decryption mechanism: By embedding decryption information in user messages and broadcast messages, combined with a one-time password book and scrambling algorithm, the uniqueness and non-replayability of each message ciphertext are achieved, significantly improving data confidentiality, anti-counterfeiting and anti-replay attack capabilities.
[0057] 3. Implement dynamic priority management based on arbitration mechanism: Each device has a preset device ID and a valid device ID. When a conflict occurs, the valid ID is automatically selected and a broadcast notification is broadcast to realize dynamic adjustment of device priority without human intervention, ensuring that messages from high-priority devices are sent first.
[0058] 4. Possesses communication anomaly detection and alarm capabilities: The system continuously monitors the message decryption status of the negotiation and transmission channels, and triggers alarms or processing mechanisms based on decryption failure and illegal behavior detection, thereby enhancing network security protection capabilities and robustness;
[0059] 5. Comprehensive Guarantee of User Message Reliability: By introducing a user message reliability detection mechanism, this invention overcomes the limitation of traditional CAN data link layers, which can only guarantee "at least one node receiving" but cannot confirm "all nodes receiving." Through a dual strategy of passive detection (based on message sequence number continuity analysis) and active detection (based on ACK confirmation feedback), this invention can monitor the complete transmission status of messages within the virtual CAN bus in real time, ensuring that all target trusted nodes successfully receive the message. This significantly improves the integrity of data distribution, avoids application logic errors or control failures caused by message loss, and enhances the communication reliability and robustness of the entire CAN network in mission-critical scenarios.
[0060] The above description is only an overview of the technical solution of this application. In order to better understand the technical means of this application, to implement it in accordance with the contents of the specification, and to make the above and other objects, features and advantages of this application more obvious and understandable, specific embodiments of this application are given below.
Description of the Drawings
[0061] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort. In the drawings:
[0062] Figure 1 is a diagram of the representation of a CAN/CANFD frame at the data link layer.
[0063] Figure 2 is a diagram of the representation of CAN frames at the application layer.
[0064] Figure 3 is a flowchart of a trusted CAN communication method based on dual-channel and closed-loop encryption and decryption according to an exemplary embodiment of the present invention;
[0065] Figure 4 is a diagram of the representation of a user message according to an exemplary embodiment of the present invention;
[0066] Figure 5 is a diagram of the representation of a broadcast message according to an exemplary embodiment of the present invention;
[0067] Figure 6 is a flowchart according to an exemplary embodiment of the present invention;
[0068] Figure 7 is a flowchart according to an exemplary embodiment of the present invention;
[0069] Figure 8 is a diagram of the device management mechanism according to an exemplary embodiment of the present invention;
[0070] Figure 9 is a diagram of the priority management mechanism according to an exemplary embodiment of the present invention;
[0071] Figure 10 is a schematic diagram of the structure of a trusted CAN communication system based on dual-channel and closed-loop encryption and decryption according to an exemplary embodiment of the present invention.
Detailed Description
[0072] The embodiments of the present invention will be described below with reference to the accompanying drawings and preferred embodiments. Those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention can also be implemented or applied through other different specific embodiments, and various details in this specification can also be modified or changed based on different viewpoints and applications without departing from the spirit of the present invention. It should be understood that the preferred embodiments are only for illustrating the present invention and not for limiting the scope of protection of the present invention.
[0073] It should be noted that the illustrations provided in the following embodiments are only schematic representations of the basic concept of the present invention. Therefore, the drawings only show the components related to the present invention and are not drawn according to the actual number, shape and size of the components in the actual implementation. In the actual implementation, the form, quantity and proportion of each component can be arbitrarily changed, and the layout of the components may also be more complex.
[0074] In the following description, numerous details are explored to provide a more thorough explanation of embodiments of the invention. However, it will be apparent to those skilled in the art that embodiments of the invention may be practiced without these specific details. In other embodiments, well-known structures and devices are shown in block diagram form rather than in detail to avoid obscuring embodiments of the invention.
[0075] First, to help understand the principles of this invention, the CAN/CANFD frame format and mapping principle are introduced. Figure 1 shows the representation of CAN/CANFD frames at the data link layer. CAN has multiple frame types at the data link layer, but the application layer only concerns itself with the data frames and remote frames of CAN/CANFD. As Figure 2 shows, the application layer abstracts a CAN frame into the following representation:
- Extended identifier: whether the CAN frame / CANFD frame is an extended frame. If it is an extended frame, the ID is 29 bits; otherwise, the ID is 11 bits.
- Remote frame identifier: identifies whether the frame is a data transmission frame or a frame requesting transmission.
- Data length: the valid length of the data field being transmitted.
- Data: 0-8 bytes for a CAN frame, 0-64 bytes for a CANFD frame.
[0076] Example 1
[0077] A trusted CAN communication method based on dual-channel and closed-loop encryption and decryption, as shown in Figure 3, includes:
[0078] On the same physical CAN bus, the communication logic is divided into a negotiation communication channel and a transmission communication channel. The negotiation communication channel transmits broadcast messages based on the group identifier ID, and the transmission communication channel transmits user messages based on the valid device ID.
[0079] Device legitimacy is verified based on broadcast messages received through the negotiation communication channel, and a list of trusted devices is dynamically managed to enable access and isolation of communication nodes.
[0080] The trusted CAN device sends a self-decryptable broadcast message through a negotiation communication channel. The broadcast message contains decryption information for decrypting the next user message. Based on the obtained decryption information, a one-time codebook is generated, the user data is encrypted, the user message is constructed, and then it is sent through the transmission communication channel.
[0081] The receiving device decrypts and verifies the user message based on the decryption information. If the verification passes, the message is considered valid; otherwise, it is discarded.
[0082] In response to device ID conflicts, trusted CAN devices perform dynamic priority management based on preset priorities and valid ID reselection strategies.
[0083] During message transmission, message reliability transmission detection is performed. When abnormal transmission of broadcast messages and user messages is detected, or the number of decryption failures exceeds the threshold, an exception is triggered and reported to the application layer system.
[0084] The present invention is further configured such that the negotiation logic communication channel uses a preset group ID as the CAN message ID to transmit negotiation information; and the transmission logic communication channel uses a valid device ID as the CAN message ID to transmit application layer data information.
[0085] Broadcast messages and user messages are logic layer messages. Broadcast messages are transmitted on the negotiation logic communication channel, while user messages are transmitted on the transmission logic communication channel.
[0086] As shown in Figure 4, the present invention is further configured such that the user message includes message metadata, decryption value type, decryption value, sequence number, message length, padding length, data, data padding, and data verification. Specifically, data verification is the result of applying a data verification algorithm to all other components of the user message, except the data verification itself, and is used to verify the data after decryption. All components of the user message are transmitted encrypted. The fields are:
- Message metadata: the CAN message header in the application frame format;
- Decryption value type: one of two types, the random value type and the offset value type;
- Decryption value: a pure numerical value whose meaning is given by the decryption value type;
- Sequence number: a cyclically increasing value used by the transmission reliability detection mechanism;
- Message length: the length of the user message, i.e. the length of the logical layer message in the diagram;
- Padding length: required because the underlying CAN transmission has data alignment requirements;
- Data: the data field of the application layer frame;
- Data padding: including, but not limited to, padding with random values or hashes;
- Data verification: used to verify the data when the logical layer message is decrypted.
A packet is composed of an identifier and data, where the identifier consists of a packet identifier, the total number of packets, and the packet sequence number:
- Packet identifier: identifies whether the data carries a complete logical layer message, and further... The packet identifier is used not only in user messages but also in broadcast messages. Note that if a CAN device uses the CANFD format for transmission, it can generally carry a complete broadcast message. In the CAN format, however, only 8 bytes are available per frame, so a single frame cannot hold a broadcast message; broadcast messages must be encrypted and then packetized. The same applies to user messages. In this case, the packet identifier must be scrambled using the one-time codebook corresponding to the message.
- Total number of packets: if the packet identifier indicates that the data does not carry a complete logical layer message, this field indicates how many packets the complete logical layer message is divided into.
- Packet sequence number: similarly, indicates which packet this is.
- Data: carries the complete logical layer message or part of it.
At the data link layer, the valid device ID is used as the CAN message ID carrying the packet; the rest is configured as the CAN data frame format.
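An added Python example (not the patent's code) of the application-layer frame representation from [0075] and the packet layout from [0086]: frames are validated against the 11/29-bit ID and 8/64-byte limits, and a logical-layer message is split into packets carrying a packet identifier and reassembled. The two-byte identifier layout (complete flag and total number of packets in the first byte, packet sequence number in the second) is assumed, and the scrambling of the identifier with the message's codebook is omitted.

```python
from dataclasses import dataclass

HEADER_LEN = 2     # assumed identifier layout: byte 0 = complete flag | total packets, byte 1 = packet seq
COMPLETE = 0x80    # flag: "data carries a complete logical layer message"


def frame_error(can_id: int, extended: bool, data: bytes, fd: bool):
    """Validate the application-layer representation of [0075]; returns a reason or None."""
    id_bits = 29 if extended else 11
    if not 0 <= can_id < (1 << id_bits):
        return f"ID does not fit in {id_bits} bits"
    limit = 64 if fd else 8
    if len(data) > limit:
        return f"data exceeds {limit} bytes"
    return None


@dataclass(frozen=True)
class AppFrame:
    """Application-layer view of a CAN/CANFD frame: extended identifier, remote frame
    identifier, data (with its length derived) and whether it is a CANFD frame."""
    can_id: int
    extended: bool
    remote: bool
    data: bytes
    fd: bool = False

    def __post_init__(self) -> None:
        err = frame_error(self.can_id, self.extended, self.data, self.fd)
        if err:
            raise ValueError(err)

    @property
    def data_length(self) -> int:
        return len(self.data)


def packetize(can_id: int, message: bytes, fd: bool = False) -> list:
    """Split an (already encrypted) logical-layer message into data frames carried under
    `can_id` (the valid device ID for user messages, the group ID for broadcasts)."""
    cap = (64 if fd else 8) - HEADER_LEN
    chunks = [message[i:i + cap] for i in range(0, len(message), cap)] or [b""]
    total = len(chunks)
    if total > 0x7F:
        raise ValueError("message needs more packets than the identifier can count")
    flag = COMPLETE if total == 1 else 0
    return [AppFrame(can_id, False, False, bytes([flag | total, seq]) + chunk, fd)
            for seq, chunk in enumerate(chunks)]


class Reassembler:
    """Collects packets per CAN ID and returns the logical-layer message once complete."""

    def __init__(self) -> None:
        self.partial = {}      # can_id -> {packet sequence number: chunk}

    def feed(self, frame: AppFrame):
        if frame.remote or frame.data_length < HEADER_LEN:
            return None
        flag_total, seq = frame.data[0], frame.data[1]
        total, chunk = flag_total & 0x7F, frame.data[HEADER_LEN:]
        if flag_total & COMPLETE:
            self.partial.pop(frame.can_id, None)    # single-packet message (typical for CANFD)
            return chunk
        if total == 0 or seq >= total:
            return None                             # malformed identifier: drop the packet
        if seq == 0:
            self.partial[frame.can_id] = {}         # a new message starts; discard leftovers
        parts = self.partial.setdefault(frame.can_id, {})
        parts[seq] = chunk
        if len(parts) == total:
            del self.partial[frame.can_id]
            return b"".join(parts[i] for i in range(total))
        return None
```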
[0087] As shown in Figure 5, the broadcast message includes the message decryption information, sequence number, device ID, function, message length, padding length, user message decryption related information, value, data padding, and data verification; the message decryption information includes the decryption value type and decryption value. Specifically, in Figure 5 the logical layer message is a broadcast message composed of the fields shown in the diagram:
- Message decryption information: consists of the decryption value type and the decryption value, consistent with user messages, and is used to decrypt this message itself; therefore the decryption value type is always the random value type. Note that this field is scrambled with a fixed key;
- Sequence number: because broadcast messages form the negotiation channel of trusted CAN devices, they use a self-decryption method. The sequence number is a cyclically incrementing field which, together with the device ID in the message, resists message replay attacks;
- Device ID: the valid device ID of the trusted CAN device that sent this broadcast message;
- Function: defines the functional use of the broadcast message and determines the meaning of the value field;
- Message length: the length of this broadcast message;
- Padding length: the underlying CAN transmission has data alignment requirements, so alignment padding is necessary;
- User message decryption related information: consists of the decryption value type and decryption value, consistent with the user message, and is used to decrypt the next user message sent by the trusted CAN device that sent this broadcast message;
- Value: a variable-length field whose specific meaning is defined by the function field;
- Data padding: including, but not limited to, padding with random values or hashes;
- Data verification: used to verify the data when the logical layer message is decrypted.
All components of the broadcast message are transmitted encrypted; however, the message decryption information is scrambled with a fixed key, while the other components are encrypted as described in the encryption and decryption mechanism. As Figure 5 shows, at the data link layer the CAN message ID is the group ID; the rest is the same as for user messages.
[0088] As shown in Figures 6 and 7, the present invention is further configured such that both broadcast messages and user messages are in encrypted format, and the message structure carries the decryption information for the next user message. The decryption information includes a decryption value type and a decryption value; the decryption value type is either a random value type or an offset value type.
[0089] When the value is of random type, the receiver uses the random value as a seed and combines it with a preset symmetric key to input a scrambling generation algorithm to generate the current one-time password book;
[0090] When the value is of offset type, the receiver generates the current one-time password book from the offset value, starting from the password book used for the previously decrypted user message.
[0091] The encryption process is as follows: the original data, excluding the data verification field, is input into the scrambling algorithm and XORed with the one-time password book to obtain the ciphertext data;
[0092] The decryption process is as follows: The receiver constructs a one-time codebook according to the decryption method indicated in the current message, performs an XOR scrambling operation with the ciphertext data to restore the original data, and then performs a data verification to check the legality of the restored result. If the verification fails, the message is discarded.
[0093] Specifically, the trusted CAN devices of this invention all use broadcast messages as the start of communication. Broadcast messages are all self-decryptable and carry user message decryption information; user messages in turn carry the decryption information of the next user message, thus forming a closed decryption loop. In Figure 6, an arrow pointing to a box in the middle column indicates that the data is input into the corresponding operation in that column, and the box in the middle column indicates the output of that operation. In a broadcast message, the original data consists of all fields except the decryption information of this message and the data verification. In a user message, the original data consists of all fields except the data verification.
[0094] Referring to Figure 7, upon receiving a complete encrypted message, the receiver retrieves the random value from the decryption information and, following the same process as the sender, generates a one-time pseudo-cipherbook. The encrypted data in the message is scrambled with the pseudo-cipherbook to obtain the original data to be verified, which is then checked against the data verification value in the message using the data verification algorithm. If the check passes, the message is valid; otherwise it is invalid and discarded. The decryption information consists of two fields, type and value; the type indicates whether the value is a random value or an offset value. If it is an offset value, the current one-time pseudo-cipherbook is reused when decrypting the next user message sent by the trusted CAN device, simply offset by the corresponding value. If it is a random value, a new pseudo-cipherbook is generated. This mechanism provides a dynamic balance between security and efficiency.
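The closed loop of paragraphs [0088] to [0094], as an added Python example written for this page (not code from the patent): a broadcast whose own decryption information is masked under a fixed key opens the loop, the original data of every message carries the decryption information of the next user message, and a data verification failure discards the message without touching the receiver's codebook state. The patent does not name its scrambling generation algorithm or its data verification algorithm, so HMAC-SHA256 in counter mode stands in for the former and a truncated keyed HMAC for the latter; the 16-byte random value, the 2-byte offset value, the type byte values and the keys in demo() are likewise assumptions.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 8                       # data-verification field length (assumed)
TYPE_RANDOM, TYPE_OFFSET = 1, 2   # decryption value types named on the page; byte values assumed
VALUE_LEN = {TYPE_RANDOM: 16, TYPE_OFFSET: 2}
OWN_INFO_LEN = 1 + VALUE_LEN[TYPE_RANDOM]   # a broadcast's own decryption info is always random type

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, seed: bytes, start: int, length: int) -> bytes:
    # Assumed "scrambling generation algorithm": HMAC-SHA256 in counter mode.
    # start is a byte position, so an offset value can continue the previous codebook.
    out, block = b"", start // 32
    while len(out) < start % 32 + length:
        out += hmac.new(key, seed + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[start % 32:start % 32 + length]

def verify_tag(key: bytes, data: bytes) -> bytes:
    # Assumed "data verification algorithm": truncated keyed HMAC over the original data.
    return hmac.new(key, b"verify" + data, hashlib.sha256).digest()[:TAG_LEN]

class Codebook:
    """One-time codebook state kept in lockstep by sender and receiver."""
    def __init__(self, key: bytes, seed: bytes):
        self.key, self.seed, self.pos = key, seed, 0

    def apply(self, kind: int, value: bytes, consumed: int):
        # Advance to the next message's codebook; an offset must skip at least the
        # `consumed` bytes this message spent, or codebook bytes would be reused.
        if kind == TYPE_RANDOM:
            self.seed, self.pos = value, 0
        elif kind == TYPE_OFFSET and int.from_bytes(value, "big") >= consumed:
            self.pos += int.from_bytes(value, "big")
        else:
            raise ValueError("unknown decryption value type or unsafe offset")

    def pad(self, length: int) -> bytes:
        return keystream(self.key, self.seed, self.pos, length)

class Sender:
    def __init__(self, key: bytes, fixed_key: bytes):
        self.key, self.fixed_key, self.book = key, fixed_key, None

    def broadcast(self, payload: bytes) -> bytes:
        own, nxt = os.urandom(16), os.urandom(16)          # this message's seed; next user message's seed
        body = bytes([TYPE_RANDOM]) + nxt + payload         # original data = next-message info + payload
        cipher = xor(body, Codebook(self.key, own).pad(len(body)))
        self.book = Codebook(self.key, nxt)
        own_wire = xor(bytes([TYPE_RANDOM]) + own, keystream(self.fixed_key, b"", 0, OWN_INFO_LEN))
        return own_wire + cipher + verify_tag(self.key, body)

    def user(self, plaintext: bytes, reseed: bool = False) -> bytes:
        if self.book is None:
            raise RuntimeError("a broadcast must open the loop first")
        if reseed:
            kind, value = TYPE_RANDOM, os.urandom(16)
        else:                                               # offset = exactly what this message uses
            kind, value = TYPE_OFFSET, struct.pack(">H", 1 + VALUE_LEN[TYPE_OFFSET] + len(plaintext))
        body = bytes([kind]) + value + plaintext
        cipher = xor(body, self.book.pad(len(body)))
        self.book.apply(kind, value, len(body))
        return cipher + verify_tag(self.key, body)

class Receiver:
    def __init__(self, key: bytes, fixed_key: bytes):
        self.key, self.fixed_key, self.book = key, fixed_key, None

    def _open(self, book: Codebook, cipher: bytes, tag: bytes):
        body = xor(cipher, book.pad(len(cipher)))
        if not hmac.compare_digest(verify_tag(self.key, body), tag):
            return None                                     # verification failed: discard
        try:
            kind, n = body[0], 1 + VALUE_LEN[body[0]]
            book.apply(kind, body[1:n], len(body))          # closed loop: next message's codebook
        except (KeyError, IndexError, ValueError):
            return None
        self.book = book
        return body[n:]

    def on_broadcast(self, wire: bytes):
        if len(wire) < OWN_INFO_LEN + TAG_LEN:
            return None
        own = xor(wire[:OWN_INFO_LEN], keystream(self.fixed_key, b"", 0, OWN_INFO_LEN))
        if own[0] != TYPE_RANDOM:
            return None
        return self._open(Codebook(self.key, own[1:]), wire[OWN_INFO_LEN:-TAG_LEN], wire[-TAG_LEN:])

    def on_user(self, wire: bytes):
        if self.book is None or len(wire) <= TAG_LEN:
            return None                                     # no open loop, or too short: discard
        return self._open(self.book, wire[:-TAG_LEN], wire[-TAG_LEN:])

def demo() -> list:
    # Constructed exchange: valid messages, one tampered user message, the user message
    # after it (codebooks now out of step), then the broadcast that re-synchronises the loop.
    key, fixed = b"group-key-example", b"fixed-key-example"  # constructed sample keys
    tx, rx = Sender(key, fixed), Receiver(key, fixed)
    out = [rx.on_broadcast(tx.broadcast(b"hello")), rx.on_user(tx.user(b"msg-1"))]
    bad = bytearray(tx.user(b"msg-2"))
    bad[0] ^= 0x80                                          # one flipped ciphertext bit
    out += [rx.on_user(bytes(bad)), rx.on_user(tx.user(b"msg-3"))]
    out += [rx.on_broadcast(tx.broadcast(b"again")), rx.on_user(tx.user(b"msg-4", reseed=True))]
    return out
```

The trace in demo() also shows what the loop implies for a receiver: once a user message is discarded, the next message from the same sender fails as well, because the receiver's codebook is still positioned on the discarded message's information, and only a new broadcast brings both sides back into step. Two points a deployment should keep in view: an offset value must be at least as large as the number of codebook bytes the preceding message consumed (the apply method rejects anything smaller, since a shorter offset would reuse keystream), and masking every broadcast's random value with the same fixed-key pad, as the page describes, is better done with a mask that also depends on a per-message field such as the sequence number, so that identical pad bytes never cover two different seeds.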
[0095] Each trusted CAN device has two logical communication channels: a negotiation channel using the group ID as the CAN message ID, and a transmission channel using the valid device ID as the CAN message ID. Messages transmitted by a trusted CAN device on the negotiation channel are self-decrypting, and their encrypted data carries the decryption information for the next message transmitted on the transmission channel. Similarly, the encrypted data of messages transmitted on the transmission channel carries the decryption information for the next message transmitted on the same channel. Each message uses different decryption information to achieve dynamic encryption.
[0096] As shown in Figure 8, the present invention is further configured such that, after startup, the trusted CAN device continuously listens to the negotiation communication channel in whitelist listening mode by default, and only receives transmission communication channel messages from authenticated device IDs.
[0097] Device authentication is based on broadcast messages. If a trusted CAN device successfully receives a legitimate broadcast message on the negotiation communication channel and passes the decryption and verification, the valid device ID is extracted and added to the local listening whitelist.
[0098] The authenticated device enters the lifecycle management process, and its device information record includes: the current decryption information, the sequence number of the latest broadcast message, the unique sequence identifier of the device, and the latest activity timestamp;
[0099] If the same device ID and unique sequence identifier are subsequently received, but the broadcast sequence number is not incrementing, it is determined to be an illegal message or network anomaly, and authentication fails. If the unique sequence identifier is different, the device status is updated and it is considered a device priority adjustment. Before the priority adjustment, a broadcast message is sent to confirm, and the device priority is adjusted after the confirmation message is received. This is to prevent CAN message replay attacks.
[0100] The latest activity timestamp is automatically refreshed each time a legitimate message is successfully received from the device. If the device has no activity within the set time, it is considered offline, and its information will be removed from the whitelist and the listening will be terminated.
[0101] If the number of illegal messages received from a device exceeds the threshold within a set time, the valid device ID of that device will be removed from the whitelist, and a broadcast will be made to notify it to re-authenticate or adjust its priority. Illegal messages include messages of decryption failure or verification failure.
[0102] Specifically, the main functions of device management are device authentication management, device lifecycle management, and device priority management;
[0103] Device authentication management authenticates trusted devices and maintains the listening whitelist. The listening mode of a trusted CAN device at startup is whitelist mode, and this mode cannot be changed. A trusted CAN device always listens to the negotiation communication channel (using the preset group ID as the CAN message ID). It begins listening to the transmission communication channel of another trusted CAN device only after it has received, decrypted, and verified a valid broadcast message from that device on the negotiation communication channel (which constitutes successful device authentication): the device ID in that message (the valid device ID representing the trusted CAN device) is added to the whitelist, which marks the start of device lifecycle management for that device. When device lifecycle management determines that a device needs to be deleted, it removes the valid device ID representing that trusted CAN device from the listening whitelist.
[0104] Device lifecycle management: device lifecycle management starts when a device is added to the listening list as described in the device authentication management section. For each device it stores the decryption information, the sequence number carried in broadcast messages, a unique sequence value representing the trusted CAN device (also carried in the broadcast message), and the latest activity timestamp. The broadcast sequence number and the unique sequence value are used to prevent message replay attacks and to manage device priority. When a broadcast message from the corresponding CAN device carries a sequence number that does not increase as expected while the unique sequence value is the same as the stored one, an illegal attack or a problem with the network topology is assumed; this is a failure of the legitimacy check. If instead the unique sequence value differs, the message is legitimate and the corresponding device information fields are updated; this is part of device priority management. The latest activity timestamp is used to detect a device that has not sent any messages for a period of time; if so, its device information is deleted and device authentication management takes over. The timestamp is refreshed whenever a message from the corresponding trusted CAN device is received. When more than a threshold number of illegal messages (decryption or legitimacy check failures) are received on the transmission communication channel, a broadcast is sent to the corresponding trusted CAN device for device priority management, after which the trusted CAN device information is deleted and device authentication management is performed.
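The whitelist, replay check, inactivity timeout and illegal-message threshold of paragraphs [0096] to [0104], as an added Python example written for this page (not code from the patent). It is fed only the outcome of the decryption and verification step described earlier; the 16-bit width of the cyclic broadcast sequence number, the offline timeout, the counting window and the threshold value are assumptions, as are the device IDs and unique sequence values in demo().

```python
from collections import deque

SEQ_MOD = 1 << 16        # broadcast sequence number width (assumed: 16-bit cyclic counter)
OFFLINE_AFTER = 30.0     # seconds without activity before a device counts as offline (assumed)
ILLEGAL_WINDOW = 10.0    # window, in seconds, for counting illegal messages (assumed)
ILLEGAL_THRESHOLD = 3    # illegal messages within the window before eviction (assumed)

def seq_incremented(prev: int, cur: int) -> bool:
    # Cyclic counter: accept a forward step of less than half the range, so a wrap
    # from SEQ_MOD-1 to 0 is still "incrementing" while a replayed older value is not.
    return 0 < (cur - prev) % SEQ_MOD < SEQ_MOD // 2

class Record:
    def __init__(self, uid: bytes, seq: int, now: float):
        self.uid, self.seq, self.last_seen = uid, seq, now
        self.illegal = deque()      # timestamps of recent illegal messages from this device

class DeviceManager:
    """Whitelist of authenticated trusted CAN devices, keyed by valid device ID."""
    def __init__(self):
        self.whitelist = {}

    def on_broadcast(self, device_id: int, uid: bytes, seq: int, now: float) -> str:
        # Called only for broadcasts that already decrypted and verified correctly.
        rec = self.whitelist.get(device_id)
        if rec is None:
            self.whitelist[device_id] = Record(uid, seq, now)
            return "authenticated"
        if rec.uid != uid:                        # same valid ID, different device
            rec.uid, rec.seq, rec.last_seen = uid, seq, now
            return "priority-adjust"
        if not seq_incremented(rec.seq, seq):     # replayed or out-of-order broadcast
            return "replay-rejected"
        rec.seq, rec.last_seen = seq, now
        return "refreshed"

    def on_user(self, device_id: int, valid: bool, now: float) -> str:
        rec = self.whitelist.get(device_id)
        if rec is None:
            return "not-listening"                # whitelist mode: unknown IDs are ignored
        if valid:
            rec.last_seen = now
            return "accepted"
        rec.illegal.append(now)
        while rec.illegal and now - rec.illegal[0] > ILLEGAL_WINDOW:
            rec.illegal.popleft()
        if len(rec.illegal) > ILLEGAL_THRESHOLD:
            del self.whitelist[device_id]
            return "evicted-notify"               # broadcast: re-authenticate / adjust priority
        return "illegal"

    def expire(self, now: float) -> list:
        gone = [d for d, r in self.whitelist.items() if now - r.last_seen > OFFLINE_AFTER]
        for d in gone:
            del self.whitelist[d]
        return gone

def demo() -> list:
    # Constructed event trace for two devices with valid IDs 0x10 and 0x11.
    dm, out = DeviceManager(), []
    out.append(dm.on_broadcast(0x10, b"uid-A", 100, 0.0))      # authenticated
    out.append(dm.on_user(0x11, True, 0.5))                     # not yet whitelisted
    out.append(dm.on_broadcast(0x10, b"uid-A", 100, 1.0))       # sequence did not advance
    out.append(dm.on_broadcast(0x10, b"uid-A", 101, 1.5))       # refreshed
    out.append(dm.on_broadcast(0x11, b"uid-B", 7, 2.0))         # authenticated
    for t in (3.0, 3.5, 4.0):
        out.append(dm.on_user(0x11, False, t))                  # three illegal messages
    out.append(dm.on_user(0x11, False, 4.5))                    # fourth exceeds the threshold
    out.append(dm.on_broadcast(0x10, b"uid-C", 5, 5.0))         # same ID, different device
    out.append(dm.expire(40.0))                                 # 0x10 silent for 35 s
    return out
```

The sequence check deliberately rejects an equal sequence number, not just a smaller one, because a replayed broadcast carries exactly the last value seen; the half-range rule keeps the counter's wrap-around from being mistaken for a replay.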
[0105] As shown in Figure 9, the present invention is further configured such that dynamic priority management includes:
[0106] Each trusted CAN device is configured with a preset device ID and a valid device ID. Under no conflict conditions, the valid device ID and the preset device ID are the same.
[0107] When a device ID conflict is detected, or when a priority management notification is received in a broadcast message from another device, the priority of the current valid device ID is reduced by one level, that is, the value of the current valid device ID plus one is used as the new valid device ID;
[0108] After setting a new valid device ID, the relevant devices are notified via broadcast message, triggering priority adjustment and re-authentication for the corresponding devices;
[0109] If a trusted CAN device receives a broadcast message from another device using the same valid ID, but the unique sequence value of the other device is different, the device that joined the network later has higher priority, and the existing device needs to reselect a valid device ID. Furthermore, before reselecting, a confirmation message is sent via broadcast message, and the device ID is reselected only after the confirmation message is received to prevent CAN message replay attacks.
[0110] If any trusted CAN device's currently used valid ID is not equal to the preset ID, and it is not a conflict between devices on the same virtual bus, the device will periodically listen to the channel corresponding to its preset ID. If it confirms that the channel is idle, it will switch back to the preset ID and broadcast a notification to other devices to update the mapping information. If it is a conflict between devices on the same virtual bus, when the corresponding device goes offline, it will switch back to the preset ID and broadcast a notification to other devices to update the mapping information.
[0111] Specifically, device priority management: here, priority refers to the priority of simultaneously transmitted messages within a CAN network. The smaller the valid device ID value of a trusted CAN device, the higher its priority; this follows from the CAN bus arbitration mechanism. A trusted CAN device has two device IDs: valid and preset. When there are no conflicts, the valid ID value equals the preset value; in case of conflicts, the valid device ID is reselected.
[0112] When a trusted CAN device receives a broadcast message from another trusted CAN device notifying it of priority management (i.e., the scenario described in device lifecycle management where a valid device ID is selected), the following steps are taken. Valid device ID selection: the trusted CAN device selects an available, idle device ID with a lower priority than its current one, based on locally cached information about other trusted CAN devices. If no available ID is found, the ID one priority level lower is used as the valid device ID, and a broadcast message is sent to the trusted CAN device currently using that ID for device priority management. This process continues, with broadcast messages sent for device listening management. When a trusted CAN device receives a broadcast message from another trusted CAN device using the same valid device ID (determined by the unique sequence value representing the trusted CAN device), it performs the valid device ID selection described above. By default, the later trusted CAN device with the same device ID has a higher priority than the existing trusted CAN device.
[0113] Priority management follows two principles: First, in the absence of conflict, the valid device ID equals the preset ID; second, the priority of a later device ID is higher than that of an existing trusted CAN device (i.e., existing trusted CAN devices select the valid device ID). Principle 2 resolves conflicts within the same virtual CAN bus. When an external conflict occurs (i.e., when a trusted CAN device on the same virtual CAN bus as described in the device management description notifies the conflicting CAN device to select the valid device ID),...
[0114] When the valid ID differs from the preset ID and there is an external conflict (which can be determined by checking the trusted CAN valid device ID stored locally), the trusted CAN device will periodically listen to the preset ID channel. If no other device is occupying it, it will switch back to the preset ID for device valid ID selection.
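The valid-ID reselection of paragraphs [0105] to [0114], as an added Python example written for this page (not code from the patent): a conflict with a later device is answered with a confirmation request, the existing device then moves to the nearest idle lower-priority ID (or to the next ID and passes the notification on when none is idle), and it returns to its preset ID once that ID is free. The model assumes 11-bit standard CAN identifiers, models the peer cache as a dictionary built from verified broadcasts, and uses constructed IDs and unique sequence values in demo(); sending the broadcasts themselves is left to the caller.

```python
MAX_CAN_ID = 0x7FF   # highest 11-bit standard CAN identifier

class PriorityManager:
    """Valid-device-ID selection for one trusted CAN device (a simplified model)."""
    def __init__(self, preset_id: int, uid: bytes):
        self.preset_id = self.valid_id = preset_id   # no conflict: valid ID equals preset ID
        self.uid = uid                               # unique sequence value of this device
        self.peers = {}                              # valid ID -> uid, cached from verified broadcasts
        self.pending = False                         # conflict confirmation outstanding

    def on_broadcast(self, valid_id: int, uid: bytes) -> str:
        # Cache the peer. A peer using our valid ID with a different uid is a conflict;
        # the later device keeps the ID, so we reselect, but only after confirmation.
        self.peers[valid_id] = uid
        if valid_id == self.valid_id and uid != self.uid:
            self.pending = True
            return "confirm-requested"
        return "cached"

    def on_confirm(self):
        # Confirmation broadcast received: reselect now; returns (new ID, peer to notify).
        if not self.pending:
            return self.valid_id, None
        self.pending = False
        return self._move_down()

    def on_priority_notice(self):
        # Another device asked us, by broadcast, to lower our priority.
        return self._move_down()

    def _move_down(self):
        if self.valid_id >= MAX_CAN_ID:
            raise RuntimeError("no lower-priority ID available")
        for cand in range(self.valid_id + 1, MAX_CAN_ID + 1):
            if cand not in self.peers:               # nearest idle lower-priority ID
                self.valid_id = cand
                return cand, None
        self.valid_id += 1                           # all taken: take the next one and
        return self.valid_id, self.valid_id          # notify its holder to move down too

    def on_peer_offline(self, valid_id: int):
        self.peers.pop(valid_id, None)

    def on_preset_check(self, channel_idle: bool) -> bool:
        # Periodic check of the preset-ID channel: switch back when nobody holds it.
        if self.valid_id != self.preset_id and self.preset_id not in self.peers and channel_idle:
            self.valid_id = self.preset_id
            return True
        return False

def demo() -> list:
    me = PriorityManager(preset_id=0x10, uid=b"uid-A")
    out = [me.on_broadcast(0x11, b"uid-B")]          # cached
    out.append(me.on_broadcast(0x10, b"uid-C"))      # conflict with a later device
    out.append(me.on_confirm())                      # 0x11 taken, 0x12 idle -> (0x12, None)
    out.append(me.on_preset_check(True))             # 0x10 still held by uid-C -> False
    me.on_peer_offline(0x10)
    out.append(me.on_preset_check(True))             # preset ID free again -> True
    out.append(me.valid_id)                          # back on 0x10
    return out
```

The second element of the tuple returned by on_confirm and on_priority_notice is the ID whose holder has to be told to move as well; it is None whenever an idle ID was found, which is the normal case on a bus that is not fully populated.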
[0115] The present invention is further configured such that the method includes an anomaly detection mechanism based on the decryption state of the communication channel, specifically including:
[0116] The trusted CAN device applies a monitoring strategy to the negotiation communication channel. If, within a preset time window, it receives more than a threshold number of broadcast messages that fail to decrypt or fail data verification, a network anomaly or an illegal device attack is assumed. This triggers an abnormal event, which is reported to the upper-layer application system, and the trusted CAN device switches to interval monitoring of the negotiation communication channel until the channel returns to normal, at which point continuous monitoring is resumed.
[0117] The trusted CAN device continuously monitors the status of the transmission communication channel. If the number of decryption failures of user messages received within a preset time window exceeds a preset threshold, it is determined that there is a data conflict or illegal message injection behavior, and the device priority management process is triggered.
[0118] If the number of times device priority management operations are triggered within a continuous time period exceeds the total number of trusted devices in the current virtual CAN bus, the network is determined to be under continuous attack, and a high-priority security alarm signal is sent to the upper-layer application system.
[0119] Specifically, if decryption failures or data verification failures are detected on the negotiation communication channel within a certain period, it indicates a network anomaly or an unauthorized device attacking the network. This will be reported to the upper application layer for handling. The trusted CAN device will intermittently monitor the negotiation communication channel, resuming normal monitoring once the channel is normal. If decryption failures exceed a preset threshold within a certain period on the transmission communication channel, it indicates a data transmission conflict or an unauthorized device. Device priority management will then be implemented. If multiple device priority management actions occur within a certain period (exceeding the current number of devices on the virtual bus), it indicates an unauthorized device attacking the network, and this will be reported to the application layer for handling.
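The three detection rules of paragraphs [0115] to [0119], as an added Python example written for this page (not code from the patent): failures on each channel are counted in a sliding time window, a negotiation-channel anomaly switches the device to interval listening until a valid broadcast arrives, transmission-channel failures trigger device priority management, and more priority-management triggers than there are members on the virtual bus raise the high-priority alarm. Window lengths, thresholds, the member count and the timestamps in demo() are constructed values.

```python
from collections import deque

NEG_WINDOW, NEG_THRESHOLD = 5.0, 3   # negotiation channel: failures tolerated per window (assumed)
TX_WINDOW, TX_THRESHOLD = 5.0, 3     # transmission channel: failures tolerated per window (assumed)
ATTACK_WINDOW = 60.0                 # period over which priority-management triggers are counted (assumed)

class WindowCounter:
    """Counts events inside a sliding time window."""
    def __init__(self, window: float):
        self.window, self.times = window, deque()

    def add(self, now: float) -> int:
        self.times.append(now)
        while self.times and now - self.times[0] > self.window:
            self.times.popleft()
        return len(self.times)

    def clear(self):
        self.times.clear()

class AnomalyDetector:
    def __init__(self, member_count: int):
        self.member_count = member_count          # trusted devices on this virtual bus
        self.negotiation = WindowCounter(NEG_WINDOW)
        self.transmission = WindowCounter(TX_WINDOW)
        self.priority_triggers = WindowCounter(ATTACK_WINDOW)
        self.listen_mode = "continuous"           # "interval" while the channel is abnormal
        self.events = []                          # what is reported to the application layer

    def on_broadcast_failure(self, now: float):
        # A broadcast that failed to decrypt or verify on the negotiation channel.
        if self.negotiation.add(now) > NEG_THRESHOLD:
            self.negotiation.clear()              # report once per burst (assumed policy)
            self.listen_mode = "interval"
            self.events.append(("negotiation-anomaly", now))

    def on_broadcast_ok(self, now: float):
        # A valid broadcast shows the channel is back to normal: resume continuous listening.
        self.listen_mode = "continuous"

    def on_user_failure(self, now: float):
        # A user message on the transmission channel that failed to decrypt.
        if self.transmission.add(now) > TX_THRESHOLD:
            self.transmission.clear()
            self.events.append(("priority-management", now))
            if self.priority_triggers.add(now) > self.member_count:
                self.events.append(("high-priority-alarm", now))

def demo():
    det, modes = AnomalyDetector(member_count=2), []
    for t in (0.0, 0.5, 1.0, 1.5):
        det.on_broadcast_failure(t)               # the 4th failure within 5 s trips the rule
    modes.append(det.listen_mode)
    det.on_broadcast_ok(2.0)
    modes.append(det.listen_mode)
    t = 10.0
    for _ in range(3):                            # 3 priority-management triggers > 2 members
        for _ in range(4):
            det.on_user_failure(t)
            t += 0.1
    return [name for name, _ in det.events], modes
```

Clearing a counter after it fires is a choice the page leaves open; without it every further failure in the same window would re-trigger the response, which matters most for the transmission channel, where each trigger counts toward the continuous-attack rule.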
[0120] The present invention is further configured such that the method includes a user message reliable transmission detection mechanism for detecting whether a message is completely received and processed in a timely manner on the virtual CAN bus, including:
[0121] Passive detection mechanism: When a trusted CAN device receives a user message from a specific trusted CAN device, if the message sequence number is not continuously increasing, it is determined that there is a risk of message loss. The device will randomly delay for a specified time and then send a broadcast message through the negotiation communication channel to prompt the sender. If the same abnormal report is received from other devices during the delay period, the current abnormal prompt broadcast will be automatically canceled to reduce broadcast conflicts.
[0122] Active detection mechanism: When the application layer designates certain user messages as messages requiring acknowledgment, the trusted CAN device adds its message ID to the reliable transmission list and requires all receivers to return acknowledgment information via broadcast within a specified time; if the number of acknowledgment responses is less than the number of current virtual CAN bus members recorded in the device management, it is considered that a message has been lost.
[0123] When either mechanism detects an anomaly in message transmission, the detecting device reports it to the upper-layer application system, which can then choose to retransmit, raise an alarm, or apply fault-tolerance compensation according to the strategy for the application scenario.
[0124] Specifically, reliable transmission of user messages depends on the communication quality of the communication channel. When encountering illegal attacks or message loss, reliable transmission of user messages ensures that trusted CAN devices can detect the situation and take appropriate action.
[0125] Because CAN's communication mechanism is broadcast communication and CAN devices are decentralized, when a trusted CAN device detects a message loss, it should report it to the application layer for processing, and make different strategies according to different application scenarios.
[0126] The present invention is further configured such that the method constructs multiple virtual CAN buses through encryption mechanisms and device management mechanisms, including:
[0127] The physical CAN bus is logically divided into multiple virtual CAN buses. Each virtual CAN bus consists of trusted CAN devices with the same preset group identifier ID and symmetric key.
[0128] The communication channels within the virtual CAN bus are isolated from other virtual CAN buses, allowing member devices to negotiate communication and data transmission only based on the same group ID and key;
[0129] The priority relationship of devices within each virtual CAN bus is uniformly sorted by preset device ID. When there is no conflict, the effective ID of the device is equal to its preset ID, thus maintaining communication consistency and arbitration priority.
[0130] Device priority management and device monitoring lists between different virtual CAN buses do not interfere with each other, avoiding cross-logical interference caused by ID conflicts, thereby realizing the dynamic separation and independent operation of virtual CAN buses.
[0131] Specifically, cross-logic interference refers to logical interference caused by different CAN application layer protocols using the same ID. Through the aforementioned encryption techniques and device management, a physical CAN bus can be divided into any number of virtual buses. The preset device IDs in device priority management will maintain the priority order of devices on a unified virtual CAN bus. Priority management in device management ensures that different virtual buses do not interfere with each other, achieving dynamic balance; only trusted CAN devices with the same preset group ID and key are considered to be on the same virtual CAN bus.
[0132] Example 2
[0133] Referring to Figure 10, this exemplary trusted CAN communication system based on dual-channel and closed-loop encryption / decryption is used to implement the aforementioned trusted CAN communication method based on dual-channel and closed-loop encryption / decryption, and includes:
[0134] Channel partitioning module: On the same physical CAN bus, the communication logic is divided into negotiation communication channel and transmission communication channel. The negotiation communication channel transmits broadcast messages based on group identifier ID, and the transmission communication channel transmits user messages based on valid device ID.
[0135] Device management module: Verifies device legitimacy based on broadcast messages received through the negotiation communication channel, dynamically manages the list of trusted devices, and enables the access and isolation of communication nodes;
[0136] Transmission module: The trusted CAN device sends a self-decryptable broadcast message through the negotiation communication channel. The broadcast message contains decryption information for decrypting the next user message. Based on the obtained decryption information, a one-time codebook is generated. The user data is encrypted to construct the user message, which is then sent through the transmission communication channel.
[0137] Verification module: The receiving device decrypts and verifies the user message based on the decryption information. If the verification passes, the message is considered valid; otherwise, it is discarded.
[0138] Priority Management Module: In response to device ID conflicts, trusted CAN devices perform dynamic priority management based on preset priorities and valid ID reselection strategies;
[0139] Anomaly detection module: When transmitting messages, it performs message reliability transmission detection. When it detects anomalies in the transmission of broadcast messages and user messages or when the number of decryption failures exceeds the threshold, it triggers an anomaly and reports it to the application layer system.
[0140] It should be noted that the trusted CAN communication system based on dual-channel and closed-loop encryption / decryption provided in the above embodiments and the trusted CAN communication method based on dual-channel and closed-loop encryption / decryption provided in the above embodiments belong to the same concept. The specific operation methods of each module and unit have been described in detail in the method embodiments and will not be repeated here. In practical applications, the trusted CAN communication system based on dual-channel and closed-loop encryption / decryption provided in the above embodiments can be assigned to different functional modules as needed, that is, the internal structure of the system can be divided into different functional modules to complete all or part of the functions described above. This is not a limitation here.
[0141] The above embodiments can be implemented, in whole or in part, by software, hardware, firmware, or any combination thereof. When implemented using software, the above embodiments can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, all or part of the processes or functions described in the embodiments of this application are produced. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired or wireless (e.g., infrared, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access, or a data storage device such as a server or data center that includes one or more sets of available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. A semiconductor medium can be a solid-state drive.
[0142] It should be understood that the term "and / or" in this article is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, or B existing alone. A and B can be singular or plural. Additionally, the character " / " in this article generally indicates an "or" relationship between the preceding and following related objects, but it can also represent an "and / or" relationship. Please refer to the context for a more accurate understanding.
[0143] In this application, "at least one" means one or more, and "more than one" means two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or multiple items. For example, at least one of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.
[0144] It should be understood that in the various embodiments of this application, the order of the above-mentioned processes does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.
[0145] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0146] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0147] In the several embodiments provided in this application, it should be understood that the disclosed system can be implemented in other ways. For example, the device embodiments described above are merely illustrative. For instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between devices or units may be electrical, mechanical, or other forms.
[0148] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0149] In addition, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.
[0150] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0151] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A trusted CAN communication method based on dual-channel and closed-loop encryption and decryption, characterized in that it includes: on the same physical CAN bus, the communication logic is divided into a negotiation communication channel and a transmission communication channel; the negotiation communication channel transmits broadcast messages based on the group identifier ID, and the transmission communication channel transmits user messages based on the valid device ID. Device legitimacy is verified based on broadcast messages received through the negotiation communication channel, and a list of trusted devices is dynamically managed to enable access and isolation of communication nodes. Trusted CAN devices send self-decryptable broadcast messages via the negotiation communication channel. These broadcast messages contain decryption information for decrypting the next user message. A one-time password book is generated based on the obtained decryption information. User data is then encrypted to construct the user message, which is transmitted via the transmission communication channel. The broadcast message includes the decryption information for this message, sequence number, device ID, function, message length, padding length, user message decryption-related information, value, data padding, and data verification. The decryption information for this message includes the decryption value type and the decryption value. The decryption value type is always a random value, scrambled using a fixed key. The receiving device decrypts and verifies the user message based on the decryption information. If the verification passes, the message is considered valid; otherwise, it is discarded. In response to device ID conflicts, trusted CAN devices perform dynamic priority management based on preset priorities and valid ID reselection strategies. During message transmission, message reliability transmission detection is performed. When abnormal transmission of broadcast messages or user messages is detected, or the number of decryption failures exceeds the threshold, an exception is triggered and reported to the application layer system.
2. The trusted CAN communication method based on dual-channel and closed-loop encryption and decryption according to claim 1, characterized in that the negotiation logic communication channel uses a preset group ID as the CAN message ID to transmit negotiation information, and the transmission logic communication channel uses the valid device ID as the CAN message ID to transmit application layer data information; broadcast messages and user messages are logic layer messages, with broadcast messages transmitted on the negotiation logic communication channel and user messages transmitted on the transmission logic communication channel.
3. The trusted CAN communication method based on dual-channel and closed-loop encryption and decryption according to claim 2, characterized in that user messages include message metadata, decryption value type, decryption value, sequence number, message length, padding length, data, data padding, and data verification.
4. The trusted CAN communication method based on dual-channel and closed-loop encryption and decryption according to claim 1, characterized in that both broadcast messages and user messages are encrypted. The message structure carries the decryption information for the next user message, comprising the decryption value type and the decryption value itself; the decryption value type is either a random value or an offset value. When the type is random, the receiver uses the random value as a seed, combines it with the preset symmetric key, and feeds both into a scrambling generation algorithm to generate the current one-time password book; when the type is offset, the receiver generates the current one-time password book from the offset value and the password book used for the previous decrypted user message. The encryption process is as follows: the original data, excluding the data verification field, is input into the scrambling algorithm and XORed with the one-time password book to obtain the ciphertext data. The decryption process is as follows: the receiver constructs the one-time password book according to the decryption method indicated in the current message, performs the XOR scrambling operation with the ciphertext data to restore the original data, and then performs data verification to check the legality of the restored result; if the verification fails, the message is discarded.
5. The trusted CAN communication method based on dual-channel and closed-loop encryption and decryption according to claim 1, characterized in that after startup, trusted CAN devices continuously listen to the negotiation communication channel in whitelist listening mode by default and only receive transmission communication channel messages from authenticated device IDs. Device authentication is based on broadcast messages: if a trusted CAN device successfully receives a legitimate broadcast message on the negotiation communication channel and it passes decryption and verification, the valid device ID is extracted and added to the local listening whitelist. The authenticated device enters the lifecycle management process, and its device information record includes the current decryption information, the sequence value of the latest broadcast message, the unique sequence identifier of the device, and the latest activity timestamp. If a broadcast with the same device ID and unique sequence identifier is subsequently received but its broadcast sequence number is not incrementing, it is determined to be an illegal message or a network anomaly, and authentication fails. If the unique sequence identifier is different, the device status is updated and it is treated as a device priority adjustment; before the priority adjustment, a broadcast message is sent for confirmation, and the device priority is adjusted only after the confirmation message is received, which prevents CAN message replay attacks. The latest activity timestamp is refreshed automatically each time a legitimate message is successfully received from the device. If the device shows no activity within the set time, it is considered offline, its information is removed from the whitelist, and listening for it is terminated. If the number of illegal messages received from a device within a set time exceeds the threshold, the valid device ID of that device is removed from the whitelist and a broadcast is sent to notify it to re-authenticate or adjust its priority. Illegal messages include messages that fail decryption or fail verification.
6. The trusted CAN communication method based on dual-channel and closed-loop encryption and decryption according to claim 1, characterized in that dynamic priority management includes: each trusted CAN device is configured with a preset device ID and a valid device ID, and under no-conflict conditions the valid device ID and the preset device ID are the same. When a device ID conflict is detected, or when a priority management notification is received in a broadcast message from another device, the priority of the current valid device ID is lowered by one level, that is, the value of the current valid device ID plus one is used as the new valid device ID; after setting the new valid device ID, the relevant devices are notified via broadcast message, triggering priority adjustment and re-authentication for the corresponding devices. If a trusted CAN device receives a broadcast message from another device using the same valid ID but with a different unique sequence value, the device that joined the network later has the higher priority, and the existing device must reselect a valid device ID. If the valid ID currently used by any trusted CAN device is not equal to its preset ID and the conflict is not between devices on the same virtual bus, the device periodically listens to the channel corresponding to its preset ID; if it confirms that the channel is idle, it switches back to the preset ID and broadcasts a notification to the other devices to update the mapping information. If the conflict is between devices on the same virtual bus, the device switches back to the preset ID when the conflicting device goes offline and broadcasts a notification to the other devices to update the mapping information.
7. The trusted CAN communication method based on dual-channel and closed-loop encryption and decryption according to claim 1, characterized in that the method includes an anomaly detection mechanism based on the decryption status of the communication channels, specifically including: the trusted CAN device applies an interval monitoring strategy on the negotiation communication channel; if it receives more than a threshold number of broadcast messages that fail to decrypt or fail data verification within a preset time window, it determines that there is a network anomaly or an illegal device attack. This triggers an abnormal event, which is reported to the upper-layer application system, and the trusted CAN device keeps the interval monitoring strategy on the negotiation communication channel until the channel returns to normal, at which point a continuous monitoring strategy is adopted. The trusted CAN device continuously monitors the status of the transmission communication channel; if the number of decryption failures of user messages received within a preset time window exceeds a preset threshold, it determines that there is a data conflict or illegal message injection, and the device priority management process is triggered. If the number of times device priority management is triggered within a continuous time period exceeds the total number of trusted devices on the current virtual CAN bus, the network is determined to be under continuous attack, and a high-priority security alarm signal is sent to the upper-layer application system.
8. The trusted CAN communication method based on dual-channel and closed-loop encryption and decryption according to claim 1, characterized in that the method includes a user message reliable transmission detection mechanism for detecting whether messages are completely received and processed in a timely manner on the virtual CAN bus, including: a passive detection mechanism: when a trusted CAN device receives a user message from a specific trusted CAN device and the message sequence number is not continuously increasing, it determines that there is a risk of message loss; the device randomly delays for a specified time and then sends a broadcast message through the negotiation communication channel to prompt the sender, and if the same abnormality report is received from another device during the delay, the pending abnormality prompt broadcast is cancelled automatically to reduce broadcast conflicts. An active detection mechanism: when the application layer designates certain user messages as messages requiring acknowledgment, the trusted CAN device adds their message IDs to the reliable transmission list and requires all receivers to return acknowledgment information via broadcast within a specified time; if the number of acknowledgment responses is less than the number of current virtual CAN bus members recorded in device management, a message is considered lost. When either mechanism detects an anomaly in message transmission, the detecting device reports it to the upper-layer application system, which can then choose to retransmit, raise an alarm, or apply fault-tolerance compensation according to the application scenario strategy.
9. The trusted CAN communication method based on dual-channel and closed-loop encryption and decryption according to claim 1, characterized in that the method constructs multiple virtual CAN buses through the encryption and device management mechanisms, including: the physical CAN bus is logically divided into multiple virtual CAN buses, each consisting of the trusted CAN devices that share the same preset group identifier ID and symmetric key. The communication channels within a virtual CAN bus are isolated from the other virtual CAN buses, so member devices can negotiate communication and transmit data only on the basis of the same group ID and key. The priority relationship of devices within each virtual CAN bus is uniformly ordered by preset device ID; when there is no conflict, the valid ID of a device equals its preset ID, thus maintaining communication consistency and arbitration priority. Device priority management and device monitoring lists of different virtual CAN buses do not interfere with each other, avoiding cross-logical interference caused by ID conflicts and thereby realizing the dynamic separation and independent operation of the virtual CAN buses.
10. A trusted CAN communication system based on dual-channel and closed-loop encryption and decryption, used to implement the trusted CAN communication method based on dual-channel and closed-loop encryption and decryption according to any one of claims 1 to 9, characterized in that it includes: a channel partitioning module: on the same physical CAN bus, the communication logic is divided into a negotiation communication channel and a transmission communication channel; the negotiation communication channel transmits broadcast messages based on the group identifier ID, and the transmission communication channel transmits user messages based on the valid device ID. A device management module: verifies device legitimacy based on broadcast messages received through the negotiation communication channel, dynamically manages the list of trusted devices, and enables the access and isolation of communication nodes. A transmission module: the trusted CAN device sends a self-decryptable broadcast message through the negotiation communication channel; the broadcast message contains the decryption information for decrypting the next user message; a one-time password book is generated from the obtained decryption information, the user data is encrypted to construct the user message, and the user message is then sent through the transmission communication channel. A verification module: the receiving device decrypts and verifies the user message based on the decryption information; if the verification passes, the message is considered valid, otherwise it is discarded. A priority management module: in response to device ID conflicts, trusted CAN devices perform dynamic priority management based on preset priorities and valid ID reselection strategies. An anomaly detection module: performs message reliability transmission detection while messages are transmitted; when it detects anomalies in the transmission of broadcast messages or user messages, or when the number of decryption failures exceeds the threshold, it triggers an anomaly and reports it to the application layer system.
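The closed-loop password-book scheme of claims 1 to 4, together with the whitelist and sequence checks of claim 5, as an added simulation in Python. This is not the patent's own code: the patent does not name its scrambling generation algorithm or its data verification method, so HMAC-SHA256 in counter mode stands in for the password-book generator, a truncated keyed MAC over the plaintext stands in for the data verification field, and an offset value is interpreted as hashing the offset onto the previous seed. The message layouts, the 8-byte padding, the key and all sample data are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

KEY = b"constructed-group-key-for-demo-0"   # constructed sample: preset symmetric key of one virtual bus
TAG_LEN = 8                                 # length of the data verification field (assumed)
TYPE_RANDOM, TYPE_OFFSET = 0x01, 0x02       # decryption value types
HDR_FMT = ">BIHHB"                          # type, value, sequence number, message length, padding length
HDR_LEN = struct.calcsize(HDR_FMT)

def codebook(seed, key, length):
    """Stand-in for the patent's scrambling generation algorithm: HMAC-SHA256 in counter mode."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, seed + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def next_seed(dtype, value, prev_seed):
    """Seed of the next password book: a random value is used directly, an offset is chained onto the previous seed."""
    if dtype == TYPE_RANDOM:
        return struct.pack(">I", value)
    if dtype == TYPE_OFFSET:
        return hashlib.sha256(prev_seed + struct.pack(">I", value)).digest()
    raise ValueError("unknown decryption value type")

def seal(plain, seed, key):
    # XOR every field except the verification field; the tag is a keyed MAC over the plaintext
    tag = hmac.new(key, plain, hashlib.sha256).digest()[:TAG_LEN]
    return bytes(a ^ b for a, b in zip(plain, codebook(seed, key, len(plain)))) + tag

def unseal(wire, seed, key):
    # restore the original data and verify it; None means the message must be discarded
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    plain = bytes(a ^ b for a, b in zip(body, codebook(seed, key, len(body))))
    expected = hmac.new(key, plain, hashlib.sha256).digest()[:TAG_LEN]
    return plain if hmac.compare_digest(expected, tag) else None

class Sender:
    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key
        self.bcast_seq = self.user_seq = 0
        self.seed = b""                         # seed the receiver will use for the next user message

    def broadcast(self):
        """Self-decryptable broadcast: its own random value travels in clear, the body is scrambled under the fixed key."""
        own, nxt = os.urandom(4), int.from_bytes(os.urandom(4), "big")
        self.bcast_seq += 1
        # fields: sequence number, device ID, function (0x01 = announce, assumed), next type, next value
        plain = struct.pack(">HIBBI", self.bcast_seq, self.device_id, 0x01, TYPE_RANDOM, nxt)
        self.seed = next_seed(TYPE_RANDOM, nxt, b"")
        return own + seal(plain, own, self.key)

    def send(self, data, dtype=TYPE_OFFSET):
        """User message: sealed with the current password book and carrying the decryption info for the next one."""
        self.user_seq += 1
        value = int.from_bytes(os.urandom(4), "big")
        pad_len = -(HDR_LEN + len(data)) % 8    # pad the logic-layer message to whole 8-byte CAN frames (assumed)
        plain = struct.pack(HDR_FMT, dtype, value, self.user_seq, len(data), pad_len) + data + os.urandom(pad_len)
        wire = seal(plain, self.seed, self.key)
        self.seed = next_seed(dtype, value, self.seed)
        return wire

class Receiver:
    def __init__(self, key):
        self.key, self.trusted, self.failures = key, {}, 0   # whitelist: device_id -> {seed, bseq, useq}

    def fail(self):
        self.failures += 1                      # counted towards the anomaly-detection threshold

    def on_broadcast(self, wire):
        plain = unseal(wire[4:], wire[:4], self.key)
        if plain is None:
            return self.fail()
        bseq, device_id, _func, dtype, value = struct.unpack(">HIBBI", plain)
        rec = self.trusted.get(device_id)
        if rec is not None and bseq <= rec["bseq"]:          # non-incrementing broadcast sequence: replay
            return self.fail()
        self.trusted[device_id] = {"seed": next_seed(dtype, value, b""), "bseq": bseq, "useq": 0}
        return device_id

    def on_user(self, device_id, wire):
        rec = self.trusted.get(device_id)
        if rec is None:                                      # not on the whitelist: transmission channel ignored
            return None
        plain = unseal(wire, rec["seed"], self.key)
        if plain is None:
            return self.fail()
        dtype, value, seq, length, _pad = struct.unpack(HDR_FMT, plain[:HDR_LEN])
        if seq <= rec["useq"]:                               # user sequence must keep increasing
            return self.fail()
        rec["useq"], rec["seed"] = seq, next_seed(dtype, value, rec["seed"])
        return plain[HDR_LEN:HDR_LEN + length]

def demo():
    s, r = Sender(0x200, KEY), Receiver(KEY)
    dev = r.on_broadcast(s.broadcast())
    m1, m2 = s.send(b"speed=42", TYPE_RANDOM), s.send(b"brake=on")
    first, second = r.on_user(dev, m1), r.on_user(dev, m2)
    replay = r.on_user(dev, m1)                 # password book has moved on: verification fails
    return first, second, replay, r.failures
```

The point to notice is where the replay protection comes from: a replayed user message fails not because of a sequence check but because the receiver's password book has already advanced, so the XOR restores garbage and the verification field does not match. The sequence checks still matter for broadcasts, whose own random value travels in clear and could otherwise be replayed verbatim. A keyed tag is used here rather than a plain checksum because an unkeyed check over XOR-encrypted data can be adjusted by whoever flips the ciphertext; the patent leaves the verification method open.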
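The device lifecycle of claim 5, the valid-ID reselection of claim 6 and the continuous-attack alarm at the end of claim 7, as an added model of the state one trusted device keeps about its virtual bus. This is example code, not the patent's; the timeout, window and threshold values are assumed, the uids and IDs are constructed, and the conflict rule is simplified to the observer's view: the later joiner keeps the disputed ID and the existing holder is moved one level down.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed parameter values; the patent leaves the concrete thresholds and windows to the implementation.
OFFLINE_TIMEOUT = 5.0      # seconds without a legitimate message before a device is considered offline
ILLEGAL_WINDOW = 2.0       # window for counting illegal (undecryptable or unverifiable) messages
ILLEGAL_THRESHOLD = 3      # illegal messages per window before the device is removed from the whitelist
ALARM_WINDOW = 10.0        # window for counting priority-management triggers

@dataclass
class DeviceRecord:
    preset_id: int
    valid_id: int
    uid: int                        # unique sequence identifier of the device
    last_seen: float                # latest activity timestamp
    illegal_times: List[float] = field(default_factory=list)

class VirtualBus:
    """Whitelist, lifecycle and priority state of one virtual CAN bus as kept by one trusted device."""

    def __init__(self):
        self.devices: Dict[int, DeviceRecord] = {}   # keyed by uid
        self.priority_events: List[float] = []       # timestamps of priority-management triggers
        self.notifications: List[str] = []           # broadcasts this device would send

    def holder(self, valid_id):
        """Record currently using a valid device ID, if any."""
        return next((d for d in self.devices.values() if d.valid_id == valid_id), None)

    def free_id(self, start):
        vid = start
        while self.holder(vid) is not None:          # one level lower per step: valid ID + 1
            vid += 1
        return vid

    def authenticate(self, uid, preset_id, valid_id, now):
        """A legitimate broadcast was received: whitelist the device and resolve a valid ID conflict."""
        other = self.holder(valid_id)
        if other is not None and other.uid != uid:
            other.valid_id = self.free_id(valid_id + 1)          # later joiner wins the disputed ID
            self.priority_events.append(now)
            self.notifications.append(f"reauth uid={other.uid} valid_id={other.valid_id:#x}")
        rec = self.devices.get(uid)
        if rec is None:
            self.devices[uid] = DeviceRecord(preset_id, valid_id, uid, now)
        else:
            rec.valid_id, rec.last_seen = valid_id, now
        return self.devices[uid].valid_id

    def note_illegal(self, uid, now):
        """Count a decryption/verification failure; evict the device above the per-window threshold."""
        rec = self.devices.get(uid)
        if rec is None:
            return False
        rec.illegal_times = [t for t in rec.illegal_times if now - t <= ILLEGAL_WINDOW] + [now]
        if len(rec.illegal_times) > ILLEGAL_THRESHOLD:
            del self.devices[uid]
            self.notifications.append(f"evicted uid={uid}: re-authenticate or adjust priority")
            return True
        return False

    def expire(self, now):
        """Drop devices with no activity inside OFFLINE_TIMEOUT; returns their uids."""
        gone = [u for u, d in self.devices.items() if now - d.last_seen > OFFLINE_TIMEOUT]
        for u in gone:
            del self.devices[u]
        return gone

    def reclaim_presets(self):
        """Devices on a fallback valid ID switch back once their preset ID is idle; returns their uids."""
        back = []
        for d in self.devices.values():
            if d.valid_id != d.preset_id and self.holder(d.preset_id) is None:
                d.valid_id = d.preset_id
                back.append(d.uid)
                self.notifications.append(f"uid={d.uid} back to preset {d.preset_id:#x}: update mapping")
        return back

    def under_attack(self, now):
        """More priority-management triggers in the window than trusted devices: continuous attack."""
        return sum(1 for t in self.priority_events if now - t <= ALARM_WINDOW) > len(self.devices)

def demo():
    bus = VirtualBus()
    bus.authenticate(uid=11, preset_id=0x200, valid_id=0x200, now=0.0)
    bus.authenticate(uid=22, preset_id=0x300, valid_id=0x300, now=0.5)
    bus.authenticate(uid=33, preset_id=0x200, valid_id=0x200, now=1.0)   # conflict: uid 11 moves to 0x201
    after_conflict = {d.uid: d.valid_id for d in bus.devices.values()}
    bus.authenticate(uid=11, preset_id=0x200, valid_id=0x201, now=7.0)   # keep-alive from the moved device
    bus.authenticate(uid=22, preset_id=0x300, valid_id=0x300, now=7.0)
    expired = bus.expire(now=7.0)                                        # uid 33 silent since 1.0
    reclaimed = bus.reclaim_presets()                                    # 0x200 idle again: uid 11 returns
    evicted = any(bus.note_illegal(22, now=8.0 + i * 0.1) for i in range(4))
    return after_conflict, expired, reclaimed, {d.uid: d.valid_id for d in bus.devices.values()}, evicted
```

The alarm condition is deliberately relative to bus size: a single genuine reconnection can legitimately displace one device, but more displacements inside a window than there are members cannot come from normal joins, which is what makes it a usable high-priority signal for the application layer.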
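The passive and active reliable-transmission detection of claim 8, as an added example of the bookkeeping one trusted CAN device would keep. It is not the patent's code: the random-delay bound, the acknowledgment timeout, the member count and every sender, sequence number and message ID below are constructed for the demo, and the reports are returned as tuples instead of being broadcast.

```python
import random
from typing import Dict, Set, Tuple

class ReliabilityMonitor:
    """Passive gap detection and active acknowledgment tracking for one trusted CAN device (assumed model)."""

    def __init__(self, members, max_delay=0.5, ack_timeout=1.0, rng=None):
        self.members = members            # receivers expected, taken from the device-management whitelist
        self.max_delay = max_delay        # upper bound of the random delay before a passive prompt
        self.ack_timeout = ack_timeout    # time receivers get to acknowledge a listed message
        self.rng = rng or random.Random()
        self.last_seq: Dict[int, int] = {}                     # sender -> last user sequence number seen
        self.pending: Dict[Tuple[int, int], float] = {}        # (sender, missing seq) -> time to report
        self.awaiting: Dict[int, Tuple[float, Set[int]]] = {}  # msg_id -> (deadline, uids that acknowledged)

    def on_user_message(self, sender, seq, now):
        """Passive check: a non-consecutive sequence number schedules a delayed prompt to the sender."""
        last = self.last_seq.get(sender)
        self.last_seq[sender] = seq
        if last is None or seq == last + 1:
            return None
        key = (sender, last + 1)
        self.pending[key] = now + self.rng.uniform(0, self.max_delay)
        return key

    def on_peer_report(self, sender, missing_seq):
        """Another device reported the same gap during our delay: cancel ours to reduce broadcast conflicts."""
        return self.pending.pop((sender, missing_seq), None) is not None

    def require_ack(self, msg_id, now):
        """Active check: the application marked msg_id as needing acknowledgment from every receiver."""
        self.awaiting[msg_id] = (now + self.ack_timeout, set())

    def on_ack(self, msg_id, from_uid):
        entry = self.awaiting.get(msg_id)
        if entry is None:
            return False
        entry[1].add(from_uid)
        if len(entry[1]) >= self.members:          # everyone answered: nothing more to track
            del self.awaiting[msg_id]
        return True

    def tick(self, now):
        """Emit due passive prompts and expired acknowledgment checks for the upper-layer application."""
        events = []
        for key in [k for k, t in self.pending.items() if t <= now]:
            del self.pending[key]
            events.append(("gap", key[0], key[1]))
        for msg_id in [m for m, (deadline, _) in self.awaiting.items() if deadline <= now]:
            acks = len(self.awaiting.pop(msg_id)[1])
            events.append(("lost", msg_id, acks, self.members))
        return events

def demo():
    mon = ReliabilityMonitor(members=2, rng=random.Random(7))      # seeded so the delay is reproducible
    mon.on_user_message(sender=0x200, seq=1, now=0.0)
    gap = mon.on_user_message(sender=0x200, seq=3, now=0.1)          # sequence 2 never arrived
    sent = mon.tick(now=1.0)                                         # delay elapsed: prompt goes out
    mon.on_user_message(sender=0x200, seq=5, now=2.0)                # sequence 4 missing
    cancelled = mon.on_peer_report(0x200, 4)                         # a peer already prompted the sender
    quiet = mon.tick(now=3.0)
    mon.require_ack(msg_id=0x7A, now=3.0)
    mon.on_ack(0x7A, from_uid=22)                                    # only one of two receivers answers
    lost = mon.tick(now=4.5)
    return gap, sent, cancelled, quiet, lost
```

The randomized delay before a passive prompt is what keeps a single lost frame from turning into a burst of identical broadcasts from every receiver; the member count the active check compares against is the same whitelist that claim 5 maintains, so a device that has expired or been evicted is no longer expected to acknowledge.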