Formal Security Analysis of the MaCAN Protocol

  • Alessandro BruniEmail author
  • Michal Sojka
  • Flemming Nielson
  • Hanne Riis Nielson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8739)


Embedded real-time network protocols such as the CAN bus cannot rely on off-the-shelf schemes for authentication, because of the bandwidth limitations imposed by the network. As a result, both academia and industry have proposed custom protocols that meet such constraints, with solutions that may be deemed insecure if considered out of context. MaCAN is one such compatible authentication protocol, proposed by Volkswagen Research and a strong candidate for being adopted by the automotive industry.

In this work we formally analyse MaCAN with ProVerif, an automated protocol verifier. Our formal analysis identifies two flaws in the original protocol: one creates unavailability concerns during key establishment, and the other allows re-using authenticated signals for different purposes. We propose and analyse a modification that improves its behaviour while fitting the constraints of CAN bus. Although the revised scheme improves the situation, it is still not completely secure. We argue that the modified protocol makes a good compromise between the desire to secure automotive systems and the limitations of CAN networks.


protocol verification embedded systems Controller Area Network 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Arapinis, M., Ritter, E., Ryan, M.D.: StatVerif: Verification of Stateful Processes. In: 2011 IEEE 24th Computer Security Foundations, pp. 33–47 (2011)Google Scholar
  2. 2.
    Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Proceedings of the 14th IEEE workshop on Computer Security Foundations, pp. 82–96. IEEE Computer Society (2001)Google Scholar
  3. 3.
    Blanchet, B.: Automatic verification of correspondences for security protocols. Journal of Computer Security 17(4), 363–434 (2009)Google Scholar
  4. 4.
    Blanchet, B., Smyth, B.: Proverif 1.88: Automatic cryptographic protocol verifier, user manual and tutorial (2013)Google Scholar
  5. 5.
    Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., Koscher, K., Czeskis, A., Roesner, F., Kohno, T.: Comprehensive experimental analyses of automotive attack surfaces. In: Proceedings of the 20th USENIX Conference on Security (2011)Google Scholar
  6. 6.
    Davis, R.I., Burns, A., Bril, R.J., Lukkien, J.J.: Controller area network (CAN) schedulability analysis: Refuted, revisited and revised. Real-Time Systems 35(3), 239–272 (2007)CrossRefGoogle Scholar
  7. 7.
    Dworkin, M.J.: SP 800-38B. recommendation for block cipher modes of operation: the CMAC mode for authentication (2005)Google Scholar
  8. 8.
    FlexRay Consortium, et al.: FlexRay communications system-protocol specification. Version, 2(1):198–207 (2005)Google Scholar
  9. 9.
    Robert Bosch GmbH. Road vehicles – Controller area network (CAN) – Part 1: Data link layer and physical signalling (1991)Google Scholar
  10. 10.
    Groza, B., Murvay, S., Van Herrewege, A., Verbauwhede, I.: LiBrA-CAN: a Lightweight Broadcast Authentication protocol for Controller Area Networks (2012)Google Scholar
  11. 11.
    Hartkopp, O., Reuber, C., Schilling, R.: MaCAN - message authenticated CAN. In: Proceedings of the 10th Escar Conference on Embedded Security in Cars (2012)Google Scholar
  12. 12.
    Koscher, K., Czeskis, A., Roesner, F., Patel, S., Kohno, T., Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S.: Experimental Security Analysis of a Modern Automobile. In: 2010 IEEE Symposium on Security and Privacy, pp. 447–462 (2010)Google Scholar
  13. 13.
    Hartwich, F.: CAN with Flexible Data-Rate (2005)Google Scholar
  14. 14.
    Lowe, G.: A hierarchy of authentication specifications. In: Proceedings of the 10th Computer Security Foundations Workshop, pp. 31–43. IEEE (1997)Google Scholar
  15. 15.
    Mödersheim, S.A.: Abstraction by set-membership: verifying security protocols and web services with databases. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 351–360. ACM (2010)Google Scholar
  16. 16.
    Schweppe, H., Roudier, Y., Weyl, B., Apvrille, L., Scheuermann, D.: Car2x communication: securing the last meter-a cost-effective approach for ensuring trust in car2x applications using in-vehicle symmetric cryptography. In: Vehicular Technology Conference (VTC Fall), pp. 1–5. IEEE (2011)Google Scholar
  17. 17.
    Van Herrewege, A., Singelee, D., Verbauwhede, I.: CANAuth — a simple, backward compatible broadcast authentication protocol for CAN bus. In: ECRYPT Workshop on Lightweight Cryptography 2011 (2011)Google Scholar
  18. 18.
    Ziermann, T., Wildermann, S., Teich, J.: CAN+: A new backward-compatible Controller Area Network (CAN) protocol with up to 16× higher data rates. In: Design, Automation & Test in Europe Conference & Exhibition, pp. 1088–1093. IEEE (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Alessandro Bruni
    • 1
    Email author
  • Michal Sojka
    • 2
  • Flemming Nielson
    • 1
  • Hanne Riis Nielson
    • 1
  1. 1.Technical University of DenmarkKongens LyngbyDenmark
  2. 2.Czech Technical UniversityPrahaCzech

Personalised recommendations