
CN-122027237-A - Method, system, equipment and product for defending against wrapping attack

CN122027237A

Abstract

The embodiments of this application provide a method, a system, equipment and a product for defending against a wraparound attack. The method comprises: the sender obtains the current freshness value to be transmitted and computes the difference between the current freshness value and a freshness threshold; if the absolute value of that difference is greater than a preset threshold, it generates a message authentication code from a first key, the data to be transmitted and the current freshness value; if the absolute value of the difference is not greater than the preset threshold, it generates the message authentication code from a second key, the data to be transmitted and the current freshness value, and sends a key switching instruction to the receiver; the sender then sends the message authentication code, the current freshness value and the data to be transmitted to the receiver together. The scheme improves the reliability of the defence against wraparound attacks.

Inventors

  • LIU QINGYU

Assignees

  • 亿咖通(湖北)技术有限公司

Dates

Publication Date
20260512
Application Date
20260120

Claims (10)

  1. A method of defending against a wraparound attack, comprising: a sender acquires a current freshness value to be transmitted; computes the difference between the current freshness value and a freshness threshold; if the absolute value of the difference between the current freshness value and the freshness threshold is greater than a preset threshold, generates a message authentication code using a first key, the data to be transmitted and the current freshness value; if the absolute value of the difference between the current freshness value and the freshness threshold is not greater than the preset threshold, generates the message authentication code using a second key, the data to be transmitted and the current freshness value, and sends a key switching instruction to a receiver; and sends the message authentication code, the current freshness value and the data to be transmitted to the receiver.
  2. The method according to claim 1, further comprising: when the receiver responds to the key switching instruction, it verifies the message authentication code with the first key and with the second key respectively, and if either verification passes, the data to be transmitted is accepted for subsequent processing.
  3. The method according to claim 2, further comprising: if the receiver verifies the message authentication code with the second key, the receiver does not verify the message authentication code with the first key.
  4. The method according to claim 2, further comprising: before the message authentication code is verified with the first key and the second key respectively, the sender sends the encrypted second key to the receiver.
  5. The method according to claim 2, further comprising: before verifying the message authentication code with the first key and the second key respectively, the receiver extracts the second key in sequence from a stored key sequence in response to the key switching instruction.
  6. The method according to any one of claims 1 to 5, further comprising: the receiver builds a freshness value sliding window, the sliding window being used to mark a range of freshness values; and on receiving the current freshness value, if the current freshness value is within the range of the sliding window and is not marked, or the freshness value is greater than the maximum value of the sliding window, verifies the received message authentication code, and if the verification fails, triggers switching from the first key to the second key and sends the key switching instruction to the sender.
  7. The method according to claim 6, further comprising: if the current freshness value is smaller than the minimum value of the sliding window, determining that the data to be transmitted is old data; if the current freshness value is within the sliding window and is marked, determining that the data to be transmitted is replay data; and discarding the old data and the replay data.
  8. A system for defending against a wraparound attack, characterized by comprising a sender and a receiver; the sender is configured to acquire a current freshness value to be transmitted, compute the difference between the current freshness value and a freshness threshold, generate a message authentication code using a first key, the data to be transmitted and the current freshness value if the absolute value of the difference is greater than a preset threshold, and, if the absolute value of the difference is not greater than the preset threshold, generate the message authentication code using a second key, the data to be transmitted and the current freshness value and send a key switching instruction to the receiver; the sender is further configured to send the message authentication code, the current freshness value and the data to be transmitted to the receiver together; the receiver is configured to receive the message authentication code, the current freshness value and the data to be transmitted; the receiver is further configured to construct a freshness value sliding window used to mark a range of freshness values, to verify the message authentication code if the current freshness value is within the sliding window range and is not marked or the freshness value is greater than the maximum value of the sliding window, to trigger switching from the first key to the second key and send the key switching instruction to the sender if the verification fails, and to accept the data to be transmitted for subsequent processing if the message authentication code passes verification.
  9. An electronic device, characterized by comprising a memory and a processor; the memory stores computer-executable instructions; and the processor executes the computer-executable instructions stored in the memory, causing the processor to perform the method of any one of claims 1 to 7.
  10. A computer program product comprising a computer program which, when executed by a processor, implements the method of any one of claims 1 to 7.

Description

Method, system, equipment and product for defending against wrapping attack

Technical Field

The present application relates to the field of communications technologies, and in particular to a method, a system, an apparatus and a product for defending against a wraparound attack.

Background

In modern intelligent vehicles and industrial control systems, communication between electronic control units (ECUs) is typically based on bus protocols such as Controller Area Network (CAN), CAN with Flexible Data-Rate (CAN FD) and Local Interconnect Network (LIN). Because these buses lack encryption and authentication mechanisms at the link layer, a third party can easily intercept the message data exchanged between ECUs during communication with a common bus monitoring tool. If an attacker re-injects the intercepted messages onto the bus as a replay, the system can malfunction and even cause safety accidents. To reduce this risk, a protection scheme against wraparound attacks during communication is needed.

Disclosure of Invention

The method, system, equipment and product for defending against a wraparound attack improve the reliability of the defence against wraparound attacks.
In a first aspect, an embodiment of the present application provides a method for defending against a wraparound attack, including: a sender acquires a current freshness value to be transmitted; computes the difference between the current freshness value and a freshness threshold; if the absolute value of the difference between the current freshness value and the freshness threshold is greater than a preset threshold, generates a message authentication code using a first key, the data to be transmitted and the current freshness value; if the absolute value of the difference between the current freshness value and the freshness threshold is not greater than the preset threshold, generates the message authentication code using a second key, the data to be transmitted and the current freshness value, and sends a key switching instruction to a receiver; and sends the message authentication code, the current freshness value and the data to be transmitted to the receiver.

In one possible embodiment, the method further comprises: when the receiver responds to the key switching instruction, it verifies the message authentication code with the first key and with the second key respectively, and if either verification passes, the data to be transmitted is accepted for subsequent processing.

In one possible embodiment, the method further comprises: if the receiver verifies the message authentication code with the second key, the receiver does not verify the message authentication code with the first key.

In one possible implementation, the method further includes: before the message authentication code is verified with the first key and the second key respectively, the sender sends the encrypted second key to the receiver.

In one possible implementation, the method further includes: before verifying the message authentication code with the first key and the second key respectively, the receiver extracts the second key in sequence from a stored key sequence in response to the key switching instruction.

In one possible implementation, the method further includes: the receiver builds a freshness value sliding window, the sliding window being used to mark a range of freshness values; and on receiving the current freshness value, if the current freshness value is within the range of the sliding window and is not marked, or the freshness value is greater than the maximum value of the sliding window, verifies the received message authentication code, and if the verification fails, triggers switching from the first key to the second key and sends the key switching instruction to the sender.

In one possible implementation, the method further includes: if the current freshness value is smaller than the minimum value of the sliding window, determining that the data to be transmitted is old data; if the current freshness value is within the sliding window and is marked, determining that the data to be transmitted is replay data; and discarding the old data and the replay data.

In a second aspect, an embodiment of the present application provides a system for defending against a wraparound attack, including a sender and a receiver; the sender is configured to acquire a current freshness value to be transmitted, compute the difference between the current freshness value and a freshness threshold, and, if the absolute value of the difference between the current freshness value and the freshness threshold is greater than a preset threshold, generate a message authentication code using a first key, the data to be transmitted and the current freshness value, if the absolute value of the difference value between the current freshness value and t
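The sender's threshold-based key selection and the receiver's sliding-window checks from claims 1 to 7 and the description above, as an added Python model that is not part of the patent: the counter width, the threshold values, the window width and the use of truncated HMAC-SHA256 are assumptions, since the page fixes none of them.

```python
import hmac
import hashlib

# Constructed parameters (the page fixes none of these): a 16-bit freshness counter whose
# last value plays the role of the "freshness threshold", a preset threshold of 16 and a
# receiver window width of 8.
FRESHNESS_THRESHOLD = 2**16 - 1
PRESET_THRESHOLD = 16
WINDOW = 8

def make_mac(key, freshness, data):
    # MAC over freshness value and payload; HMAC-SHA256 truncated to 8 bytes is an assumption
    return hmac.new(key, freshness.to_bytes(2, "big") + data, hashlib.sha256).digest()[:8]

def sender_frame(freshness, data, key1, key2):
    """Sender side (claim 1): returns (mac, freshness, data, key_switching_instruction)."""
    if abs(freshness - FRESHNESS_THRESHOLD) > PRESET_THRESHOLD:
        return make_mac(key1, freshness, data), freshness, data, False
    # close to the threshold: MAC with the second key and tell the receiver to switch
    return make_mac(key2, freshness, data), freshness, data, True

class Receiver:
    """Receiver side (claims 2, 3, 6, 7): sliding window of marked freshness values."""
    def __init__(self, key1, key2):
        self.key1, self.key2 = key1, key2
        self.window_min = 0            # window covers [window_min, window_min + WINDOW - 1]
        self.marked = set()            # freshness values already accepted inside the window
        self.switch_requested = False  # set when a failed MAC triggers a key switch (claim 6)

    def receive(self, mac, freshness, data, switch):
        window_max = self.window_min + WINDOW - 1
        if freshness < self.window_min:
            return "old"       # claim 7: below the window, discard as old data
        if freshness <= window_max and freshness in self.marked:
            return "replay"    # claim 7: inside the window and already marked, discard
        # claims 2 and 3: on a switch instruction try the second key first, stop if it verifies
        keys = [self.key2, self.key1] if switch else [self.key1]
        if not any(hmac.compare_digest(make_mac(k, freshness, data), mac) for k in keys):
            self.switch_requested = True   # claim 6: failed verification triggers the key switch
            return "reject"
        self.marked.add(freshness)
        if freshness > window_max:         # slide the window so it ends at the accepted value
            self.window_min = freshness - WINDOW + 1
            self.marked = {f for f in self.marked if f >= self.window_min}
        return "accept"
```

Handling of the window across the counter wrap itself is not modelled, because the page does not specify it.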