Permission, not topology, decides who reads and writes what.

Secure Object Fieldbus Access (SOFA)

For CANopen, SOFA means secure write or read access to selected Object Dictionary entries. The mechanism is based on AEAD with AES-128-GCM and pre-shared keys. Two primary use cases drive its design: authentication of identification and configuration protection or locking. The SOFA specification is currently under definition at CiA. Where Frame Security protects frames in flight, SOFA decides who can read or write specific application-layer objects. SR 1.2 SR 2.1 SR 3.1 SR 4.1

What SOFA Protects

SOFA covers application-layer assets, potentially segmented across multiple frames: configuration tables set during commissioning, calibration data factory-set or field-tuned, selected process variables exposed through the fieldbus, and security-relevant objects such as key material. The CRA expects integrity and access-control protection for these. Frame Security alone protects the frames that carry them but not the objects exchanged on a higher layer.

SOFA on CANopen: Selected Object Dictionary Entries

For CANopen, SOFA marks selected Object Dictionary entries as security-protected. A client that wants to read or write a protected entry must follow a sequre cTLS style sequence: a challenge/response exchange under the authentication key. On success, subsequent (U)SDO transfers against protected entries are wrapped in an AEAD construction so receivers can verify both integrity and origin. Entries that are not marked protected continue to use the standard CANopen (U)SDO path; SOFA does not change the access pattern of objects that do not need it.

AEAD with AES-128-GCM

SOFA is based on AEAD (Authenticated Encryption with Associated Data) using AES-128-GCM. AES-128-GCM is recommended by BSI TR-02102 and is widely supported on modern microcontrollers, including hardware-accelerated implementations. The same AEAD construction underpins the Secure Bootloader's authenticated firmware update path (under a separate Update Key), so a CANopen device that already carries the SOFA primitives can reuse them for the bootloader without adding a second algorithm.

Use Case: Authentication of Identification

When a SOFA client reads or writes a protected Object Dictionary entry, the SDO transfer itself proceeds normally over the CANopen channel; the receiver does not refuse the request up front. Authenticity is verified only after the transfer has completed. Each protected entry is wrapped in an AEAD construction (AES-128-GCM) under the device's authentication key (system-specific: typically the Provisioning Key or the Update Key, depending on the deployment), so the receiver recomputes the authentication tag (a MAC under the authentication key) over the transferred bytes and compares it against the tag carried in the message. If the tags match, the value is accepted; if they do not, the value is discarded. Encryption of the payload is optional in this use case: AEAD supports an authenticated-only mode (associated data without ciphertext), so configuration values can remain readable on the wire while still being protected against modification.

The exchange is not a novel construction. It aligns with a combination of two well-established standards: TLS-PSK (RFC 4279) for the pre-shared-key authentication model, and ISO/IEC 9798-2 for the symmetric-key challenge/response mechanism between two entities. Both are widely deployed and reviewed, and both rely on the same primitives (a symmetric authentication key plus a nonce-and-MAC exchange) that SOFA carries onto the CANopen fieldbus.

Use Case: Configuration Protection and Locking

The two options supported here are that either the configuration data exchanged is security protected or that configurable parameters can only be changed while in a secure maintenance state. As secure SOFA communication has significant overhead, the most efficient option is the use of configuration tables written to a single secure object (in CANopen terms, this could be a concise DCF file carrying settings for multiple objects).
Alternatively, selected Object Dictionary entries (for example all 1xxxh writable configuration parameters) can be marked write-protected, after the initial configuration process happened. So keywords like "LOCK" and "UNLK" can be written to a secure object that implements the lock and unlock function. This satisfies CRA Annex I's least-privilege and integrity expectations on configuration data, and maps onto IEC 62443 SR 2.x (Use control) cleanly.

SOFA on Other Higher-Layer Protocols

Other non-CANopen higher-layer protocols on CAN do not yet have a published SOFA-equivalent standard. Manufacturers facing CRA Annex I integrity and access-control requirements have three options today: (1) adapt the CANopen AEAD construction onto the HLP-specific message structure; (2) layer a SOFA-equivalent envelope on top of the HLP's existing parameter-access services; or (3) rely on Frame Security alone and accept the residual risk on application-layer access control. The CAN Security Reference treats this as one of the gaps between regulation and standard; see the Why Now: regulation–standard gap page.

Currently Under Definition at CiA

The full SOFA specification is currently under definition at CiA. The mechanism described on this page (AEAD with AES-128-GCM, challenge/response under the authentication key, write/read gating on selected Object Dictionary entries) is the agreed direction; specific document numbers and the formal review state will be published by CiA when the specification reaches consensus. Until then, manufacturers building CRA-relevant CAN products can use the EmSA reference implementations and consult our white papers for traceable, defensible design choices.

IEC 62443 and CRA Mapping

SOFA contributes to SR 1.2 (Software and device identification and authentication via the authentication key), SR 2.1 (Authorization enforcement for object access), SR 3.1 (Communication integrity at the application layer), and SR 4.1 / SR 4.3 (Information confidentiality and use of cryptography) where entries are encrypted. CRA Annex I lines up similarly: integrity and access control on configuration data and process variables. SR 1.2 SR 2.1 SR 3.1 SR 4.1 SR 4.3 CRA Annex I

What This Shell Does Not Catch

SOFA protects access to objects at the application layer; it does not authenticate or encrypt the underlying frames. An attacker who can inject frames at the data-link layer can flood, replay, or spoof at a lower level than SOFA cares about; that is Frame Security's territory. SOFA also depends on the authentication key; key extraction from a compromised node bypasses the shell. Pair SOFA with the Secure Bootloader to ensure the bootloader is only activated by authentic loader or diagnostic tools.

Frequently Asked Questions

What is Secure Object Fieldbus Access (SOFA)?

SOFA is the application-layer cryptographic shell for CAN-based fieldbuses. For CANopen, SOFA provides authenticated read or write access to selected Object Dictionary entries. The mechanism is based on AEAD with AES-128-GCM and an authentication key (system-specific, typically the Provisioning Key or the Update Key). The challenge/response authentication-of-identification exchange aligns with a combination of TLS-PSK (RFC 4279) for the pre-shared-key model and ISO/IEC 9798-2 for the symmetric-key challenge/response mechanism. The two principal use cases are authentication of identification and configuration locking. SOFA is currently under definition at CiA.

How does SOFA differ from Frame Security?

Frame Security protects individual frames on the wire at the data-link or network layer. SOFA protects access to specific application-layer objects (Object Dictionary entries on CANopen) regardless of how many frames an access spans. The two are complementary: SPsec or CANcrypt protect transport; SOFA decides who is allowed to read or write what. Many real systems use both.

What about SOFA on J1939, FireCAN, or CleANopen?

There is no published SOFA-equivalent standard yet for J1939, FireCAN, or CleANopen. CRA Annex I integrity and access-control requirements still apply, so manufacturers either adapt the CANopen AEAD construction onto the HLP-specific message structure, layer a SOFA-equivalent envelope on top, or rely on Frame Security only. This is one of the gaps the CAN Security Reference's Why Now: regulation–standard gap page calls out.