MACsec Extension over Software-Defined Networks for In-Vehicle Secure Communication

The automotive industry has recently introduced Advanced driver assistance systems (ADAS) for safety and better driving. Many Electronic Control Units (ECUs) have been installed in the vehicle to support ADAS, and massive data stream flows over the in-vehicle network. Therefore, the Ethernet backbone, which can guarantee the high bandwidth, has emerged as an in-vehicle communication technology. However, security on automotive Ethernet has not yet been proposed. The IEEE MACsec with IEEE 802.1X Authentication and Key Management (AKM) may be applied for the in-vehicle secure communication, but it has a constraint that its security scope is based on a point-to-point approach. Whenever a frame arrives at the switches in the transmission path, the decryption and reencryption of the frame are repeated. It may adversely affect the performance of ADAS related to the driver's safety by increasing the end-to-end latency. We therefore propose a new MACsec extension over the Software-Defined Networks (SDN) for an in-vehicle secure communication, which is based on IEEE 802.1X authentication mechanism. The proposed scheme extends the security scope of MACsec from point-to-point to end-to-end by delegating AKM process of ECUs and switches to SDN controller. It could minimize the cryptographic processes of the ECUs and switches without any modification of the existing MACsec standard, and could protect an automotive system from any manipulation by unauthorized third parties. The experimental results show that the proposed scheme is applicable for an in-vehicle secure communication.