
Regarding UDS (ISO 14229-1:2020), the new service Authentication (0x29) was added to increase the security of ECUs by using PKI certificates. Does this make the use of the SecurityAccess service (0x27) obsolete and not needed in ECUs anymore? Or must they both be present? Can't the Authentication service be used as the sole service that provides security? (I understand that Authentication uses a whitelisting approach and SecurityAccess uses a blacklisting approach.)

In addition, the Authentication service (0x29) has the feature of assigning user roles, and each has a set of access rights (i.e. which services this user role has access to). Are these access rights encoded within the ECU? Or are they part of the certificates that are being transmitted between the client (a.k.a. Tester) and the server (a.k.a. ECU)? In other words, should the ECU supplier be informed of the user role state machine that decides which user gets what services so that they can encode it into the ECU?

Are there any recent GitHub implementations for the 0x29 service?

I have researched different resources (of course after going through the UDS ISO 14229-1:2020 document), including watching guides from VECTOR about these services. Since service 0x29 (Authentication) has only been around for a little over 2 years, it has not been widely used and published about. There were some conflicting statements between what is found in online forums and discussions and what is stated in the UDS standard document regarding how Authentication is implemented in an ECU, and whether or not the SecurityAccess 0x27 service is needed if the Authentication service is already there.

  • Tough question. I have yet to see an ECU that implements `0x29`. As far as I'm understanding the standard, Authentication `0x29` is an alternative to SecurityAccess `0x27`. Since so many UDS-things are vendor specific though, I wouldn't be surprised if a vendor chooses to allow `0x29` only after a previous `0x27` authorization. Think "2nd factor" ;-) – DrMickeyLauer Feb 13 '23 at 08:28
  • Thanks for the reply. That could be a way of looking at it. However 0x29 has more coverage of services than 0x27 and it is more flexible to use even in default sessions. Also 0x29 is for splitting up the authorization based on user roles, whereas 0x27 is based on security access levels. I think it might be more of a process to phase out 0x27 slowly. – Feras Nasser Feb 14 '23 at 15:49
