SAE J 2186-1996 E E Data Link Security《E E数据链接安全》.pdf

1、SAE Technical Standards Board Rules provide that: “This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirelyvoluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefro

2、m, is the sole responsibility of the user.”SAE reviews each technical report at least every five years at which time it may be reaffirmed, revised, or cancelled. SAE invites your written comments and suggestions.Copyright 2005 SAE InternationalAll rights reserved. No part of this publication may be

3、reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying,recording, or otherwise, without the prior written permission of SAE.TO PLACE A DOCUMENT ORDER: Tel: 877-606-7323 (inside USA and Canada)Tel: 724-776-4970 (outside USA)Fax: 724-

4、776-0790Email: custsvcsae.orgSAE WEB ADDRESS: http:/www.sae.orgSURFACEVEHICLERECOMMENDEDPRACTICEJ2186REAF.JUN2005Issued 1991-09Reaffirmed 2005-06Superseding J2186 OCT1996E/E Data Link SecurityTABLE OF CONTENTS1. Scope . 11.1 Rationale 12. References . 12.1 Applicable Publications. 12.1.1 SAE Publica

5、tion 12.2 Related Publications. 22.2.1 SAE Publications 22.2.2 ISO Publications. 23. Definitions. 24. Technical Requirements . 24.1 Characteristics of Security 24.2 Functional Requirements 31. ScopeThis SAE Recommended Practice establishes a uniform practice for protecting vehicle componentsfrom “un

6、authorized“ access through a vehicle data link connector (DLC). The document defines a securitysystem for motor vehicle and tool manufacturers. It will provide flexibility to tailor systems to the security needsof the vehicle manufacturer. The vehicle modules addressed are those that are capable of

7、having solid statememory contents accessed or altered through the data link connector. Improper memory content alterationcould potentially damage the electronics or other vehicle modules; risk the vehicle compliance to governmentlegislated requirements; or risk the vehicle manufacturers security int

8、erests. This document does not implythat other security measures are not required nor possible.1.1 RationaleThis document has been reaffirmed to comply with the SAE 5-Year Review policy.2. References2.1 Applicable PublicationsThe following publications form a part of this specification to the extent

9、 specifiedherein. Unless otherwise indicated, the latest issue of SAE publications shall apply.2.1.1 SAE PUBLICATIONAvailable from SAE, 400 Commonwealth Drive, Warrendale, PA 15096-0001.SAE J2190Enhanced E/E Diagnostic Test ModesSAE J2186 Reaffirmed JUN2005-2-2.2 Related PublicationsThe following pu

10、blications are provided for information purposes only and are not arequired part of this document.2.2.1 SAE PUBLICATIONSAvailable from SAE, 400 Commonwealth Drive, Warrendale, PA 15096-0001.SAE J1850Class B Data Communication Network InterfaceSAE J1930Terms, Definitions, Abbreviations, and Acronyms2

11、.2.2 ISO PUBLICATIONSAvailable from ANSI, 25 West 43rd Street, New York, NY 10036-8002.ISO 9141-2Road vehiclesDiagnostic systemsCARB requirements for interchange of digitalinformationISO/DIS 14230Road vehiclesDiagnostic systemsKeyword protocol 20003. Definitions3.1 Unsecured FunctionsStandard diagno

12、stic functions that are provided by vehicle manufacturers such asread data parameters, diagnostic trouble codes, etc. These are controlled and protected by the on-vehiclecontroller. The unsecured capability may include reprogramming of selected items for which the reprogrammeris liable.3.2 Secured F

13、unctionsFunctions that require “Unlocking“ the on-vehicle controller to gain access. Typicalfunctions include programming of vehicle emission systems, vehicle theft, and odometer.3.3 SeedThe data value sent from the on-board controller to the access tool.3.4 KeyThe data value sent from the access to

14、ol to the on-board controller.4. Technical RequirementsProvide a method to access secured vehicle controller functions. Provide aprotection method for the seed/key algorithms in the access tool. “Unlocking“ of the controller shall be aprerequisite to access secured on-board controller functions. Thi

15、s permits the product software to protect itselfand the rest of the vehicle control system from unauthorized access. Different on-board functions may beprotected by separate seed/key relationships.This document does not attempt to define capability or information that is secured. The security system

16、 shallnot prevent access to unsecured functions between the external device and the on-board controller.4.1 Characteristics of SecurityThis security technique can be incorporated in any communications protocol.Special commands shall be provided via the DCL to “Unlock“ the on-board controller secured

17、 functions.There shall be three parameters which control the security access of the on-board controller and the securedtool:a. The “Seed“ and “Key“ shall each be a minimum of 2 bytes in length. Selection of the minimum numberof bytes will result in a minimum security level. Use of 4 or more bytes ar

18、e suggested when higherlevels of security are required.The relationship between the “Seed“ and “Key“ is the responsibility of the vehicle manufacturer.Multiple “Seed/Key“ relationships may exist for access to different functions within a controller, orsystems within a vehicle. As an example, refer t

19、o SAE J2190 mode $27.b. The Delay Time (DT) shall be a minimum of 10 s. The vehicle manufacturer may specify an increaseddelay time to suit its specific requirements.SAE J2186 Reaffirmed JUN2005-3-c. The Number of False Access Attempts (NFAA) shall be a maximum of two. The vehicle manufacturermay sp

20、ecify a reduced number of false attempts to suit its specific requirements. When the “Key“received by the controller is not correct, it shall be considered as a false access attempt. If access isrejected for any other reason, it shall not be considered a false access attempt.Disclosure of the “Seed/

21、Key“ relationship shall be limited to those persons as authorized by the vehiclemanufacturer.CAUTIONCare should be taken when selecting the values of all the parameters since their combinationdetermines the robustness of the security for an application or a system.4.2 Functional RequirementsTwo requ

22、est/response communication message pairs (Request #1/Response #1,Request #2/Response #2) shall be used to “Unlock“ the on-board controller. The specific message content isnot specified by this document and is the responsibility of the vehicle manufacturer.a. Step 1The external device shall request a

23、 “seed” from the on-board controller by sending Request#1. The controller shall respond by sending a “Seed“ using Response #1. A seed value of zero shallindicate that the controller is currently unlocked.b. Step 2The external device shall respond by returning a “Key“ number back to the controller us

24、ingRequest #2. The controller shall compare this “Key“ to one internally determined and issue Response#2.If the two numbers agree, then the controller shall enable (“Unlock“) the external devices access to securedcommunication modes. If, upon “NFAA“ attempts, the two keys do not compare (false attem

25、pt), then the controller and the tool shallinsert the “DT“ time delay before allowing further attempts. The “DT“ time delay shall also be required at eachcontroller and tool power-on.The tool shall automatically insert the delay time (DT) prior to requesting a new seed for any reason.Three on-board

26、controller responses shall be decoded by the external device:a. AcceptThe controller has “Unlocked“ its access.b. Invalid KeyThe access attempt was rejected because the key was determined to be invalid by thecontroller. The access attempt was false.c. Process ErrorThe access attempt was rejected for

27、 reasons other than receiving the wrong key. Thisshall not be counted as a false access attempt.Termination of security access, “Locking“ the product, shall result after any of the following conditions:a. Each time the controller is powered up.b. Upon commanding the product to a normal operational m

28、ode.c. Conditions at the vehicle manufacturers discretion.If an attempt is made to communicate with a “Locked“ on-board controller and access a “Secured“ function, thecontroller may return a special response indicating that the controller is “Locked“ and cannot respond asrequested.PREPARED BY THE SAE VEHICLE E/E SYSTEMS DIAGNOSTICS STANDARDS COMMITTEE