Concept and Architecture
How SPsec is structured: where the sublayer sits, the planes it separates, and the roles each device can play.
The Sublayer and Its Planes
SPsec is positioned directly above the Data Link Layer of the underlying network. The application, or any higher-layer protocol such as CANopen FD, continues to exchange addressed data units through what SPsec calls the data plane. The sublayer wraps each outgoing data unit with a Security Stamp and verifies and unwraps incoming data units, so the application sees the same interface it always did. Two further channels keep the sublayer working: the external control plane carries the SPsec messages between participants (synchronization, configuration sessions and heartbeats), and the internal control plane connects the sublayer to the local host application to report status changes and security events.
Roles
SPsec defines three roles. The Participant role is mandatory for every node on the secure network; the Sync and Configurator roles are optional, and each is filled by at most one entity at a time:
- Participant. The mandatory role. Every node that takes part in secure communication implements at least the Participant role and is identified by a unique Participant ID.
- Sync. An optional role. One participant additionally takes the Sync role and distributes the uniqueness value the cryptographic functions rely on: a synchronized timestamp on multi-access networks or an initial counter value on point-to-point links. At most one Sync is active at any time.
- Configurator. A separate role: the secure client used to configure participants. It may or may not be a participant on the network. Over a secure session it installs keys, reads status and applies parameter changes. It operates only during commissioning and maintenance, not during regular operation, and at most one Configurator is active at a time.
Each outgoing data unit is wrapped with a Security Stamp (a uniqueness value plus an AEAD authentication tag) and verified on the way in; the byte layout of that stamp is defined per network and is covered on SPsec on CAN FD. The keys behind it are described under Keys and Key Lifecycle, and the control-plane messages and participant states under Control Plane and Services.
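As an added illustration of the wrap-and-verify step described above (example code, not SPsec's own implementation or stamp layout), the following sketches a participant that appends a Security Stamp of counter plus AEAD tag and a receiver that checks the tag and rejects replayed counters. It assumes a shared 16-byte AES-128-GCM key, a 4-byte per-sender counter as the uniqueness value, a 16-byte tag appended after it, and that the receiver learns the sender's Participant ID from the data unit's address; the real byte layout is the one defined per network on the CAN FD page.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)
var ErrAuth = errors.New("spsec: authentication tag check failed")
var ErrReplay = errors.New("spsec: stale or replayed uniqueness value")
// Participant is one sublayer instance (type and field names assumed for this example).
type Participant struct {
	id        uint16            // Participant ID
	aead      cipher.AEAD       // AES-128-GCM under a shared key (assumed cipher)
	txCounter uint32            // uniqueness value for outgoing units (stand-in for the Sync-distributed value)
	lastRx    map[uint16]uint32 // highest accepted uniqueness value per sending Participant ID
}
func NewParticipant(id uint16, key []byte) (*Participant, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Participant{id: id, aead: aead, lastRx: map[uint16]uint32{}}, nil
}
// nonce = sender ID || counter || zero padding: unique per key, since IDs are unique and counters only grow.
func nonce(sender uint16, counter uint32) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint16(n[0:], sender)
	binary.BigEndian.PutUint32(n[2:], counter)
	return n
}
// Wrap appends the Security Stamp (counter || 16-byte tag; assumed layout). The payload stays in clear
// and is authenticated as associated data together with the sender ID and counter.
func (p *Participant) Wrap(data []byte) []byte {
	p.txCounter++
	n := nonce(p.id, p.txCounter)
	tag := p.aead.Seal(nil, n, nil, append(append([]byte{}, n[:6]...), data...)) // empty plaintext: tag only
	return append(append(append([]byte{}, data...), n[2:6]...), tag...)
}
// Unwrap verifies the tag first, then enforces strictly increasing counters per sender to reject replays.
func (p *Participant) Unwrap(sender uint16, frame []byte) ([]byte, error) {
	if len(frame) < 20 { return nil, ErrAuth }
	data, ctr, tag := frame[:len(frame)-20], frame[len(frame)-20:len(frame)-16], frame[len(frame)-16:]
	counter := binary.BigEndian.Uint32(ctr)
	n := nonce(sender, counter)
	aad := append(append([]byte{}, n[:6]...), data...)
	if _, err := p.aead.Open(nil, n, tag, aad); err != nil { return nil, ErrAuth }
	if counter <= p.lastRx[sender] { return nil, ErrReplay }
	p.lastRx[sender] = counter
	return data, nil
}
```

A tampered payload, a wrong sender ID or a replayed frame all fail before any data reaches the application, which is the point of placing the sublayer directly above the Data Link Layer.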
Frequently Asked Questions
Where does the SPsec sublayer sit?
Directly above the Data Link Layer. It wraps outgoing data units with a Security Stamp and verifies incoming ones, so the application sees the same interface it always did.
What roles does SPsec define?
Three: Participant, the mandatory role every secure node implements; Sync, an optional role that one participant takes to distribute the uniqueness value, with at most one Sync active at a time; and Configurator, a separate secure client that configures participants and is not active during regular operation.