《SAE J2186-1996 E/E DATA LINK SECURITY.pdf》由会员分享,可在线阅读,更多相关《SAE J2186-1996 E/E DATA LINK SECURITY.pdf(5页珍藏版)》请在三一文库上搜索。
1、 REV. OCT96SURFACE J2186 VEHICLE RECOMMENDED PRACTICE Submitted for recognition as an American National Standard (R) E/E DATA LINK SECURITY SAE Technical Standards Board Rules provide that: “This report is published by SAE to advance the state of technical and engineering sciences. The use of this r
2、eport is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user.” SAE reviews each technical report at least every five years at which time it may be reaffirmed, revised, or cancell
3、ed. SAE invites your written comments and suggestions. QUESTIONS REGARDING THIS DOCUMENT: (412) 772-8512 FAX: (412) 776-0243 TO PLACE A DOCUMENT ORDER: (412) 776-4970 FAX: (412) 776-0790 Copyright 1996 Society of Automotive Engineers, Inc. All rights reserved.Printed in U.S.A. Issued1991-09 Revised1
4、996-10 Superseding J2186 SEP91 TABLE OF CONTENTS 1.Scope.1 2.References .1 2.1Applicable Documents.1 2.1.1SAE Publications 1 2.1.2ISO Publications .2 3.Definitions.2 4.Technical Requirements2 4.1Characteristics of Security.2 4.2Functional Requirements.3 5.Notes4 5.1Marginal Indicia.4 1. ScopeThis SA
5、E Recommended Practice establishes a uniform practice for protecting vehicle components from “unauthorized“ access through a vehicle data link connector (DLC). The document defines a security system for motor vehicle and tool manufacturers. It will provide flexibility to tailor systems to the securi
6、ty needs of the vehicle manufacturer. The vehicle modules addressed are those that are capable of having solid state memory contents accessed or altered through the data link connector. Improper memory content alteration could potentially damage the electronics or other vehicle modules; risk the veh
7、icle compliance to government legislated requirements; or risk the vehicle manufacturers security interests. This document does not imply that other security measures are not required nor possible. 2. References 2.1 Applicable DocumentThe following publication forms a part of this specification to t
8、he extent specified herein. Unless otherwise indicated, the latest issue of SAE publications shall apply. 2.1.1 SAE PUBLICATIONAvailable from SAE, 400 Commonwealth Drive, Warrendale, PA 15096-0001. SAE J2186 Revised OCT96 - 2 - SAE J2190Enhanced E/E Diagnostic Test Modes 2.2 Related PublicationsThe
9、following publications are provided for information purposes only and are not a required part of this document. 2.2.1 SAE PUBLICATIONSAvailable from SAE, 400 Commonwealth Drive, Warrendale, PA 15096-0001. SAE J1850Class B Data Communication Network Interface SAE J1930Terms, Definitions, Abbreviation
10、s, and Acronyms 2.2.2 ISO DOCUMENTSAvailable from ANSI, 11 West 42nd Street, New York, NY 10036-8002. ISO 9141-2Road vehiclesDiagnostic systemsCARB requirements for interchange of digital information ISO/DIS 14230Road vehiclesDiagnostic systemsKeyword protocol 2000 3. Definitions 3.1 Unsecured Funct
11、ionsStandard diagnostic functions that are provided by vehicle manufacturers such as read data parameters, diagnostic trouble codes, etc. These are controlled and protected by the on-vehicle controller. The unsecured capability may include reprogramming of selected items for which the reprogrammer i
12、s liable. 3.2 Secured FunctionsFunctions that require “Unlocking“ the on-vehicle controller to gain access. Typical functions include programming of vehicle emission systems, vehicle theft, and odometer. 3.3 SeedThe data value sent from the on-board controller to the access tool. 3.4 KeyThe data val
13、ue sent from the access tool to the on-board controller. 4. Technical RequirementsProvide a method to access secured vehicle controller functions. Provide a protection method for the seed/key algorithms in the access tool. “Unlocking“ of the controller shall be a prerequisite to access secured on-bo
14、ard controller functions. This permits the product software to protect itself and the rest of the vehicle control system from unauthorized access. Different on-board functions may be protected by separate seed/key relationships. This document does not attempt to define capability or information that
15、 is secured. The security system shall not prevent access to unsecured functions between the external device and the on-board controller. 4.1 Characteristics of SecurityThis security technique can be incorporated in any communications protocol. Special commands shall be provided via the DCL to “Unlo
16、ck“ the on-board controller secured functions. There shall be three parameters which control the security access of the on-board controller and the secured tool: a.The “Seed“ and “Key“ shall each be a minimum of 2 bytes in length. Selection of the minimum number of bytes will result in a minimum sec
17、urity level. Use of 4 or more bytes are suggested when higher levels of security are required. The relationship between the “Seed“ and “Key“ is the responsibility of the vehicle manufacturer. Multiple “Seed/Key“ relationships may exist for access to different functions within a controller, or system
18、s within a vehicle. As an example, refer to SAE J2190 mode $27. SAE J2186 Revised OCT96 - 3 - b.The Delay Time (DT) shall be a minimum of 10 s. The vehicle manufacturer may specify an increased delay time to suit its specific requirements. c.The Number of False Access Attempts (NFAA) shall be a maxi
19、mum of two. The vehicle manufacturer may specify a reduced number of false attempts to suit its specific requirements. When the “Key“ received by the controller is not correct, it shall be considered as a false access attempt. If access is rejected for any other reason, it shall not be considered a
20、false access attempt. Disclosure of the “Seed/Key“ relationship shall be limited to those persons as authorized by the vehicle manufacturer. CAUTIONCare should be taken when selecting the values of all the parameters since their combination determines the robustness of the security for an applicatio
21、n or a system. 4.2 Functional RequirementsTwo request/response communication message pairs (Request #1/Response #1, Request #2/Response #2) shall be used to “Unlock“ the on-board controller. The specific message content is not specified by this document and is the responsibility of the vehicle manuf
22、acturer. a.Step 1The external device shall request a “seed” from the on-board controller by sending Request #1. The controller shall respond by sending a “Seed“ using Response #1. A seed value of zero shall indicate that the controller is currently unlocked. b.Step 2The external device shall respond
23、 by returning a “Key“ number back to the controller using Request #2. The controller shall compare this “Key“ to one internally determined and issue Response #2. If the two numbers agree, then the controller shall enable (“Unlock“) the external devices access to secured communication modes. If, upon
24、 “NFAA“ attempts, the two keys do not compare (false attempt), then the controller and the tool shall insert the “DT“ time delay before allowing further attempts. The “DT“ time delay shall also be required at each controller and tool power-on. The tool shall automatically insert the delay time (DT)
25、prior to requesting a new seed for any reason. Three on-board controller responses shall be decoded by the external device: a.AcceptThe controller has “Unlocked“ its access. b.Invalid KeyThe access attempt was rejected because the key was determined to be invalid by the controller. The access attemp
26、t was false. c.Process ErrorThe access attempt was rejected for reasons other than receiving the wrong key. This shall not be counted as a false access attempt. Termination of security access, “Locking“ the product, shall result after any of the following conditions: a.Each time the controller is po
27、wered up. b.Upon commanding the product to a normal operational mode. c.Conditions at the vehicle manufacturers discretion. SAE J2186 Revised OCT96 - 4 - If an attempt is made to communicate with a “Locked“ on-board controller and access a “Secured“ function, the controller may return a special resp
28、onse indicating that the controller is “Locked“ and cannot respond as requested. 5. Notes 5.1 Marginal IndiciaThe (R) is for the convenience of the user in locating areas where technical changes have been made to the previous issue of the report. If the symbol is next to the report title, it indicat
29、es a complete revision of the report. PREPARED BY THE SAE VEHICLE E/E DIAGNOSTICS STANDARDS COMMITTEE J2186 OCT96 RationaleNot applicable. Relationship of SAE Standard to ISO StandardNot applicable. ApplicationThis SAE Recommended Practice establishes a uniform practice for protecting vehicle compon
30、ents from “unauthorized“ access through a vehicle data link connector (DLC). The recommended practice defines a security system for motor vehicle and tool manufacturers. It will provide flexibility to tailor systems to the security needs of the vehicle manufacturer. The vehicle modules addressed are
31、 those that are capable of having solid state memory contents accessed or altered through the data link connector. Improper memory content alteration could potentially damage the electronics or other vehicle modules; risk the vehicle compliance to government legislated requirements; or risk the vehi
32、cle manufacturers security interests. This document does not imply that other security measures are not required nor possible. Reference Section SAE J2190Enhanced E/E Diagnostic Test Modes SAE J1850Class B Data Communication Network Interface SAE J1930Terms, Definitions, Abbreviations, and Acronyms ISO 9141-2Road vehiclesDiagnostic systemsCARB requirements for interchange of digital information ISO/DIS 14230Road vehiclesDiagnostic SystemsKeyword Protocol 2000 Developed by the SAE Vehicle E/E Diagnostics Standards Committee