← Back to Blog
Embedded SoftwareApril 30, 2026 • 11 min read

SecOC in AUTOSAR Classic: Message Authentication at Bus Level

By Shreyansh, Founder & CTO, Agnile Technologies

Key Takeaways

TL;DR — AUTOSAR Secure Onboard Communication adds authenticity and freshness to in-vehicle Protocol Data Units by appending a Message Authentication Code computed over payload and a freshness counter. Implemented well — full MAC on CAN-FD or Ethernet, Hardware Security Module-protected keys, freshness sync that holds across reset and wake — it closes the message-injection hole that the 2015 Jeep Cherokee and 2020 Volvo XC60 cases exploited at the bus level. Implemented badly — over-truncated MACs, software-stored keys, no recovery on reset — it produces compliance theatre.

  1. 1.Secure Onboard Communication was introduced in AUTOSAR Classic Platform 4.2 to add MAC-based authenticity and freshness to PDUs that the original CAN protocol never provided.
  2. 2.The default AUTOSAR profile transmits the lower 4 bits of the freshness value and the upper 28 bits of the MAC alongside the authentic payload — a tradeoff dictated by Classical CAN's 8-byte payload limit.
  3. 3.CMAC-AES128 is the dominant MAC primitive in production; HMAC-SHA256 appears on higher-bandwidth buses where larger MACs are practical and SHA-2 is already provisioned for other purposes.
  4. 4.CAN-FD's 64-byte payload removes most truncation pressure; Ethernet 100/1000BASE-T1 supports full SecOC and may be layered with TLS or IPsec for confidentiality; LIN is typically out of SecOC scope.
  5. 5.The single most common SecOC failure mode in the field is freshness desynchronisation after ECU reset, sleep and wake, or bus-off recovery — the protocol is correct, the integration is fragile.
  6. 6.Keys must live in the Hardware Security Module and be exercised through the AUTOSAR Crypto Stack; software-only key storage defeats the SecOC threat model entirely.
  7. 7.A 16-bit truncated MAC gives an attacker a 1-in-65,536 forgery probability per attempt — typically unacceptable for safety-critical PDUs and a finding R155 assessors flag immediately.

At a Glance

One-Sentence Answer
SecOC helps protect AUTOSAR Classic communication by adding freshness and authentication checks to selected in-vehicle messages.
Who This Is For
AUTOSAR engineers, communication-stack teams, cybersecurity architects, ECU suppliers, and validation teams.
Last Reviewed
May 2026
Primary References
AUTOSAR Classic, SecOC, freshness values, message authentication, in-vehicle networks.
Practical Use
Use this guide to plan where SecOC is useful, how freshness is handled, and what must be validated.

Why Secure Onboard Communication exists

The CAN protocol predates automotive cybersecurity by two decades. Its frame format authenticates nothing — any node electrically attached to the bus can transmit any arbitration ID, and every other node accepts the message as legitimate. That design choice was reasonable when ECUs lived in a sealed vehicle without remote interfaces; it became indefensible the moment infotainment heads, telematics units, and OTA gateways shared the same physical and logical buses as powertrain and chassis controllers.

The 2015 Jeep Cherokee disclosure remains the canonical illustration. Researchers pivoted from a remote interface to the internal CAN network, then sent spoofed arbitration IDs that legitimate ECUs accepted as commands. The protocol behaved exactly as designed; the architecture had no authenticity property to violate. AUTOSAR Secure Onboard Communication, introduced in Classic Platform 4.2, is the standardised counter to that class of attack: every cybersecurity-critical PDU carries a Message Authentication Code over its payload and a monotonic freshness value, and receivers reject anything that does not verify.

Architecture: where SecOC sits in the stack

Secure Onboard Communication is a Basic Software module that wraps the PDU Router and intercepts traffic on either side of the communication path. On the transmit side, the SecOC authenticator reads a freshness value, requests a MAC from the Crypto Service Manager, and assembles a Secured I-PDU consisting of the original payload plus a freshness fragment and a MAC. On the receive side, the verifier extracts the MAC and freshness fragment, reconstructs the full freshness from local state, recomputes the MAC, and compares. PDUs that fail verification are dropped before the Receiver Software Component ever sees them.

The module configuration ties three identifiers together: an authentic PDU (the original signal payload), a secured PDU (what actually traverses the bus), and a cryptographic PDU (a compact transport for sync messages and keys). The mapping from authentic to secured to cryptographic is set at configuration time and immutable at runtime.

Secured I-PDU on Classical CAN (default profile)

Authentic Payload
application data (variable, fits CAN payload)
FV
4 bits
Truncated MAC
28 bits (upper bits of CMAC-AES128)
The authenticator computes CMAC over (Authentic Payload || full Freshness Value || PDU header).
Receiver reconstructs full FV from local counter + transmitted lower bits, then verifies.
Default Secured I-PDU layout per AUTOSAR_SWS_SecureOnboardCommunication — authentic payload, 4-bit freshness fragment, 28-bit truncated MAC. CAN-FD and Ethernet profiles widen both fields.

Freshness management: where most projects stumble

Freshness is the property that makes SecOC resistant to replay. Each PDU carries a freshness value — a monotonically increasing counter, derived from a counter, or anchored to a synchronised time base — and the MAC binds payload and freshness together. Replaying a previously valid frame fails verification because the receiver's freshness pointer has moved past the captured value.

AUTOSAR provides a Freshness Manager that supplies counters to the SecOC module on demand. Profile choices range from SecOCFreshnessValueLength of 64 bits down to small vendor-specific sizes; the longer the counter, the longer the time to wraparound and the smaller the truncation relative to the full value. Sender and receiver must agree on the upper bits of the counter even though only the lower bits travel on the wire — this is the synchronisation problem.

Freshness counter sequence across reset and resync

t = 0

Both ECUs power on. Local Freshness Value reads from Hardware Security Module-backed non-volatile storage: FV = 0x00000050 .

t = 1

Sender transmits Secured I-PDU: payload + lower 4 bits of FV (0x0) + 28-bit MAC. Receiver reconstructs FV as 0x00000050 by combining its local upper bits with the wire fragment.

t = 2

Sender's FV increments to 0x00000051 . Verification continues to succeed for each subsequent frame.

t = 3

Receiver ECU resets unexpectedly. Local FV restored from non-volatile storage at 0x0000004F — one window behind the sender. First few frames after reset fail verification; the receiver enters a configurable tolerance window.

t = 4

Receiver issues a freshness sync request on the cryptographic PDU channel. Sender responds with authenticated full-FV broadcast.

t = 5

Receiver's local FV moves to 0x00000060 . Subsequent frames verify; replay protection is restored without writing soft state to flash on every PDU.

A single reset on the receive side is enough to break SecOC until the freshness state is resynchronised. Robust designs broadcast authenticated sync messages on a cryptographic PDU channel and tolerate a small window of misses.

Three patterns avoid the failure mode that reaches production most often: periodic broadcast of an authenticated freshness sync message; a sync request the receiver issues when it sees repeated MAC failures; and an idle-cycle write of the current upper-FV bits to non-volatile storage so that power-cycle drift is bounded. The default AUTOSAR integration provides hooks for all three, but the configuration values matter — a 4-frame tolerance window may be fine on a 100 ms cycle and indefensible on a 1 ms cycle.

MAC algorithms and truncation tradeoffs

Two MAC primitives dominate Secure Onboard Communication deployments: CMAC-AES128 per NIST SP 800-38B, and HMAC-SHA256 per FIPS 198-1. CMAC is the more common choice for two reasons: it reuses the AES engine that the Hardware Security Module already provides for SecOC and other crypto, and its throughput on dedicated AES hardware comfortably meets control-loop budgets. HMAC-SHA256 is more common where SHA-2 is already a hot path for signature verification or where the higher security margin of a 256-bit MAC is desired on Ethernet links with no truncation pressure.

Truncation is where engineering judgement bites. The truncated MAC is the lower bound on attacker work: with N MAC bits, a forgery attempt succeeds with probability 1 / 2^N. A 16-bit MAC gives 1 in 65,536 per attempt, which an unfiltered attacker on the bus can exhaust in seconds; a 24-bit MAC raises that to 1 in 16,777,216; a 28-bit MAC to 1 in 268,435,456; a 32-bit MAC to 1 in 4,294,967,296. Bus monitoring that rate-limits or alarms on repeated MAC failures pushes effective attacker cost up further.

MAC truncationForgery probability per attemptSuitable use
16 bits1 / 65,536Generally insufficient for cybersecurity-critical PDUs.
24 bits1 / 16,777,216Acceptable for many comfort and convenience PDUs with rate-limiting.
28 bits1 / 268,435,456AUTOSAR default profile on Classical CAN; common production choice.
64 bits1 / 1.84 × 10^19Recommended minimum for safety-critical PDUs; comfortable on CAN-FD.
128 bits1 / 2^128Full MAC; standard on Ethernet and any link without payload pressure.
MAC truncation tradeoffs. The forgery probability is per-attempt; bus monitoring that alarms on repeated MAC failures shrinks the effective attacker window further.

MAC verification flow

The receive-side path is where the integration earns its keep. The numbered sequence below traces a single inbound frame from wire to Software Component:

  1. 1

    PDU Router delivers Secured I-PDU to SecOC verifier

    The Communication stack receives the CAN/Ethernet frame, demuxes it into a Secured I-PDU, and routes it to the SecOC verify path indicated by configuration.

  2. 2

    SecOC parses payload, freshness fragment, and truncated MAC

    The module splits the secured PDU according to the configured profile; payload length and MAC offset are constants set at configuration time.

  3. 3

    Freshness Manager reconstructs full freshness value

    Local upper bits (held in RAM, periodically persisted) are concatenated with the wire fragment to form the full FV used in the MAC computation.

  4. 4

    Csm_MacVerify() invoked through Crypto Service Manager

    SecOC requests verification asynchronously by submitting a job to the Csm queue. The job carries authentic payload, full FV, claimed MAC, and the SecOC key slot identifier.

  5. 5

    Crypto Driver routes through CryIf to the Hardware Security Module

    CryIf maps the SecOC key slot to the appropriate Crypto Driver Object. The Hardware Security Module computes CMAC-AES128 over the supplied input using the configured key without exposing key material to MCU memory.

  6. 6

    Verification result returned via callback

    On success, the Freshness Manager advances; on failure, SecOC drops the PDU and increments a verification-failure counter. Repeated failures may trigger a sync request or a reportable cybersecurity event.

  7. 7

    Authentic payload forwarded to Software Component

    Only verified PDUs reach the Receiver Software Component. The Software Component is unaware of MAC computation by design; SecOC is transparent at the application API.

Receive-side MAC verification through SecOC, the Crypto Service Manager, the Crypto Interface, and the Hardware Security Module-backed Crypto Driver.

Key management for Secure Onboard Communication

SecOC operates against a shared symmetric key per communication relationship. In production, that key never touches application memory: it is provisioned into the Hardware Security Module at end of line, exposed to SecOC only through a key-slot identifier, and exercised through the AUTOSAR Crypto Stack. Per-ECU diversification is implemented through key derivation functions (HKDF, KDF in counter mode) anchored to a long-term root key plus an ECU-specific salt; the derived key for a given session lives in volatile HSM storage and disappears on power down.

Key rotation is the procurement question that exposes weak CSMS submissions. R155 assessors will ask how a SecOC key is rotated after a known compromise. Defensible answers involve a Key Manager-driven flow: KeyM revokes the affected key element, requests a fresh derivation from backend PKI through an authenticated channel, and updates the SecOC key slot atomically. Designs that rely on flashing every ECU to rotate a SecOC key fail this question because they do not survive a fleet-wide event.

Secure Onboard Communication across bus types

The default 4-bit-FV / 28-bit-MAC profile makes sense only on Classical CAN. On other buses the tradeoffs invert:

  • Classical CAN (8-byte payload). Truncation pressure is severe. Default profile is the pragmatic compromise; safety-critical PDUs should be lifted to CAN-FD where possible.
  • CAN-FD (up to 64-byte payload). Comfortable room for a 64-bit MAC plus a 32-bit freshness fragment. This is the default sweet spot for new designs.
  • Automotive Ethernet (100/1000BASE-T1). No truncation pressure at all; full 128-bit MAC and full 64-bit freshness counter are routine. SecOC may be paired with TLS or IPsec for confidentiality.
  • LIN. Typically out of SecOC scope. LIN is segmented behind a domain gateway that enforces authenticity at its CAN or Ethernet egress.
  • FlexRay. SecOC is supported but rare in new designs as FlexRay itself is sunsetting in favour of CAN-FD and Ethernet.

Performance and integration with the Crypto Stack

The CMAC-AES128 round trip from SecOC verifier through Csm and CryIf to a hardware AES engine and back is typically dominated by the asynchronous job latency, not the AES core. On a typical Cortex-R52 platform with a dedicated AES engine and a 4-byte authentic payload, full round-trip verification routinely fits inside 1 ms; on processors without hardware AES, software CMAC may push that into the 5–10 ms range, which is incompatible with most chassis control loops.

The integration point is the Crypto Service Manager. The SecOC module submits MAC and verify jobs; the Crypto Interface routes them through the configured Crypto Driver Object to either the Hardware Security Module or the software fallback. For a layered walkthrough of how Csm, CryIf, the Crypto Driver, and KeyM cooperate, see the companion guide to the AUTOSAR Crypto Stack.

Implementation pitfalls and mitigations

PitfallMitigation
Freshness desync after resetAuthenticated sync broadcast on a cryptographic PDU channel; receiver-issued sync request on repeated failures; periodic upper-FV persistence.
Over-truncated MAC on safety-critical PDULift safety-critical signals to CAN-FD or Ethernet; specify a 64-bit minimum MAC for cybersecurity-critical functions in the SecOC matrix.
Software-stored keysHardware Security Module-backed key slots only; KeyM-driven derivation; flash dump at decommission must not yield active keys.
Critical PDU not in SecOC matrixDrive matrix from TARA output: every PDU on a cybersecurity-critical attack path must be in scope. Audit gap surfaces in any defensible TARA review.
No replay window on receiveConfigure a small tolerance window for in-order misses while rejecting decreasing FV; alarm on tolerance-window saturation.
Verification failure goes unreportedWire SecOC verification-failure counters to the Diagnostic Event Manager and to the Cybersecurity Event handler; chronic failures are an indicator of attack or misconfiguration.
Pitfalls observed across SecOC integrations and the mitigations that survive R155 assessment.

SecOC in ISO/SAE 21434 and UNECE R155 context

At the Work Product level, Secure Onboard Communication produces direct evidence for ISO/SAE 21434 WP-10-01 (cybersecurity specification) and WP-10-04 (integration and verification report). The MAC matrix, freshness configuration, key-slot allocation, and verification counters are all auditable artefacts. UNECE R155 Annex 5 maps SecOC mitigations to the back-end and communication channel threat categories — specifically the message-injection and replay sub-entries that any defensible TARA must address. The relationship between ISO/SAE 21434 and UNECE R155 is laid out in the companion comparison post on ISO/SAE 21434 vs UNECE R155.

SecOC is necessary, not sufficient. A vehicle with perfectly implemented SecOC on every bus is still vulnerable to a remote pivot through a head unit that legitimately sits inside the SecOC trust boundary, which is precisely how the 2015 Jeep attack played out. Bus authentication closes the bus-level injection vector; it does not substitute for secure boot on every ECU, defence in depth at gateways, or the Hardware Security Module-anchored key hierarchy that backs both.

Take-aways for an architect-grade SecOC programme

SecOC is a mature, standardised control with a well-trodden integration path. The bugs that delay programmes are not in the protocol; they are in freshness handling at startup, in the key lifecycle that spans factory through fleet, and in the SecOC matrix that translates a TARA into per-PDU scope. Get those three right and SecOC becomes an asset on the cybersecurity case. Get them wrong and the resulting evidence will not survive R155 assessment, no matter how much MAC computation the ECU performs.

Agnile Technologies provides AUTOSAR Cybersecurity Engineering for global OEMs and Tier-1 suppliers. Engage us early on the SecOC matrix — before the communication database is frozen — and we will help you get the freshness, MAC sizing, and key lifecycle right the first time.

Related Reading

Need Help Applying This to a Real Programme?

Agnile supports engineering teams from architecture and requirements through implementation, validation, release, and evidence preparation.

Contact Us