12.3. VU — Motion Sensor Pairing and Communication using AES U.K.
CSM_218As specified in Table 3 in section 9.2.1, all keys involved in the pairing of a (second-generation) vehicle unit and a motion sensor and in subsequent communication shall be AES keys, rather than double-length TDES keys as specified in [ISO 16844-3]. These AES keys may have a length of 128, 192 or 256 bits. Since the AES block size is 16 bytes, the length of an encrypted message must be a multiple of 16 bytes, compared to 8 bytes for TDES. Moreover, some of these messages will be used to transport AES keys, the length of which may be 128, 192 or 256 bits. Therefore, the number of data bytes per instruction in Table 5 of [ISO 16844-3] shall be changed as shown in Table 6:U.K.
| [F1Table 6 | |||||||
| Number of plaintext and encrypted data bytes per instruction defined in [ISO 16844-3] | |||||||
| Instruction | Request / reply | Description of data | # of plaintext data bytes according to [ISO 16844-3] | # of plaintext data bytes using AES keys | # of encrypted data bytes when using AES keys of bitlength | ||
|---|---|---|---|---|---|---|---|
| 128 | 192 | 256 | |||||
| 10 | request | Authentication data + file number | 8 | 8 | 16 | 16 | 16 |
| 11 | reply | Authentication data + file contents | 16 or 32, depend on file | 16 or32, depend on file | 32 / 48 | 32 / 48 | 32 / 48 |
| 41 | request | MoS serial number | 8 | 8 | 16 | 16 | 16 |
| 41 | reply | Pairing key | 16 | 16 / 24 / 32 | 16 | 32 | 32 |
| 42 | request | Session key | 16 | 16 / 24 / 32 | 16 | 32 | 32 |
| 43 | request | Pairing information | 24 | 24 | 32 | 32 | 32 |
| 50 | reply | Pairing information | 24 | 24 | 32 | 32 | 32 |
| 70 | request | Authentication data | 8 | 8 | 16 | 16 | 16 |
| 80 | reply | MoS counter value + auth. data | 8 | 8 | 16 | 16 | 16] |
CSM_219The pairing information that is sent in instructions 43 (VU request) and 50 (MoS reply) shall be assembled as specified in section 7.6.10 of [ISO 16844-3], except that the AES algorithm shall be used instead of the TDES algorithm in the pairing data encryption scheme, thus resulting in two AES encryptions, and adopting the padding specified in CSM_220 to fit with the AES block size. The key K'p used for this encryption shall be generated as follows:U.K.
In case the pairing key KP is 16 bytes long: K'p = KP XOR (Ns||Ns)
In case the pairing key KP is 24 bytes long: K'p = KP XOR (Ns||Ns||Ns)
In case the pairing key KP is 32 bytes long: K'p = KP XOR (Ns||Ns||Ns||Ns)
where Ns is the 8-byte serial number of the motion sensor.
CSM_220In case the plaintext data length (using AES keys) is not a multiple of 16 bytes, padding method 2 defined in [ISO 9797-1] shall be used.U.K.
Note: in [ISO 16844-3], the number of plaintext data bytes is always a multiple of 8, such that padding is not necessary when using TDES. The definition of data and messages in [ISO 16844-3] is not changed by this part of this Appendix, thus necessitating the application of padding.U.K.
CSM_221For instruction 11 and in case more than one block of data must be encrypted, the Cipher Block Chaining mode of operation shall be used as defined in [ISO 10116], with an interleave parameter m = 1. The IV to be used shall beU.K.
For instruction 11: the 8-byte authentication block specified in section 7.6.3.3 of [ISO 16844-3], padded using padding method 2 defined in [ISO 9797-1]; see also section 7.6.5 and 7.6.6 of [ISO 16844-3].
For all other instructions in which more than 16 bytes are transferred, as specified in Table 6: ‘00’ {16}, i.e. sixteen bytes with binary value 0.
Note: As shown in section 7.6.5 and 7.6.6 of [ISO 16844-3], when the MoS encrypts data files for inclusion in instruction 11, the authentication block is bothU.K.
Used as the initialization vector for the CBC-mode encryption of the data files
Encrypted and included as the first block in the data that is sent to the VU.