Blog
UDS Security Access (0x27) vs. Authentication (0x29)
June 30, 2026
Every embedded ECU that supports firmware flashing, calibration writes, or protected diagnostics must answer a fundamental question: who is allowed in, and how do you prove it? For two decades, UDS Security Access (Service 0x27) handled this with a seed-and-key challenge-response mechanism. In 2020, ISO 14229-1 introduced Authentication (Service 0x29) to address 0x27's structural limitations in connected vehicle environments.
This article provides a service-level deep dive into both mechanisms: how each protocol exchange works byte by byte, what cryptographic assumptions each makes, where each fails, and how to decide which belongs in your bootloader, diagnostic stack, or OTA pipeline.
This article covers: (1) UDS session and security architecture overview, (2) 0x27 Security Access — full protocol walkthrough, cryptography, attack surface, and AUTOSAR integration, (3) 0x29 Authentication — APCE and ACR modes, PKI vs HMAC, bidirectional flows, (4) side-by-side comparison, (5) migration strategy and coexistence patterns, (6) decision framework for your application.
The Unified Diagnostic Services protocol (ISO 14229-1) structures ECU access as a layered state machine. Before any sensitive service can execute — firmware download (0x34/0x36/0x37), calibration write (0x2E), routine control (0x31) — the tester must occupy the right session and hold the correct security level.
The session ladder works as follows:
A tester that drops out of a non-default session (S3Server timeout, ECUReset, or session change) immediately loses its unlocked security level. Every state transition resets the lock. This design choice means authentication is not a one-time ceremony but an active, session-scoped credential.
ISO 14229-1:2020 preserves both security services in the standard:
Service 0x27 — SecurityAccess: A challenge-response protocol where the ECU issues a random seed and the tester must return the correct key derived from a shared secret algorithm. The algorithm and key material are OEM-defined and not standardized by ISO.
Service 0x29 — Authentication: Introduced in ISO 14229-1:2020. Supports asymmetric PKI certificate exchange (APCE) and symmetric challenge-response (ACR), with optional bidirectional mutual authentication and session key derivation.
Important: ISO 15765-4 has formally deprecated 0x27 in favor of 0x29 for new designs. However, 0x27 remains in ISO 14229-1 and in the majority of production ECUs in service today.
Service 0x27 implements a symmetric challenge-response. The ECU (server) and tester (client) share knowledge of a secret algorithm and key material. The ECU verifies the tester's identity by confirming it can produce the correct transformation of a random challenge — the seed.
Step 1 — RequestSeed (subfunction = odd: 0x01, 0x03, 0x05... depending on security level):
| Field | Byte Position | Value / Description |
|---|---|---|
| Service ID (SID) | Byte 0 | 0x27 |
| Sub-Function | Byte 1 | 0x01 (request seed, level 1) |
| securityAccessDataRecord | Bytes 2+ | Optional: tester-supplied data (e.g., tester serial number) |
Step 2 — Positive Response to RequestSeed (Response SID = 0x67):
| Field | Byte Position | Value / Description |
|---|---|---|
| Response SID | Byte 0 | 0x67 |
| Sub-Function Echo | Byte 1 | 0x01 (echoes the request subfunction) |
| securitySeed | Bytes 2+ | Random nonce generated by ECU; length is OEM-defined (typically 4-16 bytes) |
Special case: If the ECU is already unlocked at the requested level, it returns a seed of all zeros. The tester must detect this and skip the SendKey step.
Step 3 — SendKey (subfunction = even: 0x02, 0x04, 0x06... level + 1):
| Field | Byte Position | Value / Description |
|---|---|---|
| Service ID (SID) | Byte 0 | 0x27 |
| Sub-Function | Byte 1 | 0x02 (send key, level 1) |
| securityKey | Bytes 2+ | Key computed from seed using shared algorithm; must match ECU's expected key |
Step 4 — Positive Response to SendKey (0x67 + even subfunction). The ECU transitions to the unlocked security level. All subsequent requests in the current session may now access protected services.
A single ECU commonly exposes multiple security levels, each with a separate seed-key pair and a distinct algorithm or key material:
| Security Level | Sub-Functions | Typical Use Case |
|---|---|---|
| Level 1 | 0x01 / 0x02 | Extended session: calibration DIDs, actuator tests |
| Level 3 | 0x03 / 0x04 | Programming session: firmware download (0x34/0x36/0x37) |
| Level 9 | 0x09 / 0x0A | EOL / production: permanent variant coding, lockout flags |
| Level 11 | 0x0B / 0x0C | Supplier-specific or development-only access |
Each level requires an independent seed-key exchange. Unlocking Level 3 does not imply Level 1 is unlocked. On any session change, ECUReset, or S3Server timeout, the ECU drops to security level 0x00 and the tester must re-authenticate.
These weaknesses are not theoretical. CAN's broadcast nature means all bus nodes receive every frame, including seed-key exchanges. A passive observer can accumulate seed-key pairs and recover weak algorithms through reverse engineering or brute force.
Best Practice: The seed must be a true random nonce from a TRNG, not a pseudo-random sequence. Predictable seeds defeat the entire challenge-response model. Use at least 128 bits (16 bytes) for modern designs.
| NRC Code | Mnemonic | Condition |
|---|---|---|
| 0x22 | conditionsNotCorrect | Wrong session type for this security level |
| 0x24 | requestSequenceError | SendKey sent before RequestSeed, or wrong subfunction order |
| 0x31 | requestOutOfRange | Requested security level not supported |
| 0x35 | invalidKey | Key computed by tester does not match ECU's expected key |
| 0x36 | exceededNumberOfAttempts | Consecutive failed SendKey attempts exceeded configured limit |
| 0x37 | requiredTimeDelayNotExpired | Delay timer active following exceededNumberOfAttempts lockout |
AUTOSAR DCM configuration parameters governing lockout behavior:
In AUTOSAR Classic, Service 0x27 is handled by the DCM module via DcmDspSecurityRow containers — one per security level. Key parameters:
With AUTOSAR Classic, there is a single Security Access Level state machine globally, regardless of physical connection channel. A tester on CAN and a tester on Ethernet share the same state — important for multi-interface ECUs.
Service 0x29 was introduced in ISO 14229-1:2020 to address structural limitations of 0x27 in connected vehicle environments. It defines a standardized authentication framework with two primary modes and optional bidirectional mutual authentication and session key derivation.
| Mode | Acronym | Cryptographic Basis | Key Exchange |
|---|---|---|---|
| Authentication with PKI Certificate Exchange | APCE | Asymmetric (RSA/ECDSA) | X.509 certificates via PKI |
| Authentication with Challenge-Response | ACR | Asymmetric or symmetric | Pre-shared keys or pre-installed public keys |
Both modes support two authentication directions:
APCE is the primary 0x29 mode natively supported by AUTOSAR DCM (from AUTOSAR 4.4.0). It uses X.509 certificates and asymmetric cryptography — typically ECDSA P-256 — to establish identity without sharing secret keys.
Each certificate has an expiration date. Revocation is managed via CRLs or OCSP-like mechanisms. Unlike 0x27 where key material is typically static for the ECU's lifetime, certificate lifecycle management enables selective revocation and time-limited access.
| Step | Direction | Sub-Function | Content |
|---|---|---|---|
| 1 | Tester to ECU | authenticationConfiguration (0x00) | Specifies algorithm suite, whether session key is needed, DHE preference |
| 2 | ECU to Tester | authenticationConfiguration response | ECU confirms supported configuration |
| 3 | Tester to ECU | verifyCertificateUnidirectional (0x01) | Tester sends its X.509 certificate (DER-encoded) |
| 4 | ECU to Tester | Challenge (nonce) | ECU verifies cert against CA chain, then issues a random challenge nonce |
| 5 | Tester to ECU | proofOfOwnership (0x03) | Tester signs the challenge with its private key (e.g., ECDSA P-256) |
| 6 | ECU to Tester | Positive Response | ECU verifies signature; if valid, grants role-based access |
Optional Session Key Derivation: When communicationConfiguration requests it, both parties perform an ephemeral Diffie-Hellman key exchange (DHE). The derived session key secures subsequent communication via SecuredDataTransmission (0x84). Essential for OTA scenarios over untrusted transports.
ACR mode simplifies 0x29 deployment for resource-constrained ECUs that cannot support full PKI infrastructure. Instead of exchanging certificates, the ECU and tester rely on pre-shared symmetric keys or pre-installed asymmetric public keys.
| Step | Direction | Content |
|---|---|---|
| 1 | Tester to ECU | authenticationConfiguration: ACR mode, algorithm (HMAC-SHA256 or ECDSA), no certificate exchange |
| 2 | ECU to Tester | Challenge nonce (random, minimum 16 bytes recommended) |
| 3 | Tester to ECU | proofOfOwnership: HMAC or ECDSA signature over the challenge |
| 4 | ECU to Tester | Positive response if verification succeeds; role-based access granted |
ACR avoids PKI complexity but shares 0x27's vulnerability to key compromise: a leaked pre-shared key allows any device to authenticate. Unlike APCE, compromised ACR keys cannot be selectively revoked without re-provisioning all affected ECUs. AUTOSAR DCM does not natively support ACR — it requires custom callout implementation.
One of 0x29's most significant architectural shifts is the move from numeric security levels to role-based access control. A tester authenticates to a named role — OEM_Engineering, SupplierA_EOL, AfterSales_Technician — rather than unlocking 'Level 3.'
Each role maps to a permitted set of services, DIDs, and routines defined in ECU configuration and referenced in the tester's certificate attributes (e.g., X.509 extension fields). This enables fine-grained access:
With AUTOSAR Adaptive, the 0x29 authentication state machine is per physical connection — unlike Classic where it is global. This enables multi-client Ethernet diagnostics where different testers on different channels hold independent authentication states.
| Dimension | 0x27 Security Access | 0x29 APCE | 0x29 ACR |
|---|---|---|---|
| ISO Standard Basis | ISO 14229-1 (all editions) | ISO 14229-1:2020+ | ISO 14229-1:2020+ |
| Cryptographic Model | Symmetric (shared algorithm + key) | Asymmetric PKI (public/private keypairs) | Pre-shared symmetric or asymmetric |
| Identity Model | Security level numbers (0x01-0x7F) | Role-based (certificate attributes) | Pre-configured role per key |
| Key Exchange | None — pre-shared out-of-band | X.509 certificates via PKI chain | Pre-installed keys (no exchange) |
| Bidirectional Auth | Not supported | Supported (verifyCertificateBidirectional) | Limited — implementation-dependent |
| Session Key Derivation | Not supported | Supported via DHE + 0x84 | Not standard |
| Certificate Revocation | Not applicable | CRL / OCSP-like mechanisms | Key update requires re-flash |
| Algorithm Standardization | None — OEM-defined | Standardized (ECDSA P-256, AES-256-GCM) | Standardized suites |
| AUTOSAR DCM Support | Classic and Adaptive (native) | Classic 4.4.0+ (native); Adaptive (native) | Custom callout required |
| Replay Attack Resistance | Depends on nonce quality + algorithm | Strong (nonce + signature + freshness) | Depends on nonce quality |
| Key Compromise Impact | All ECUs sharing key compromised | Specific certificate revoked; others unaffected | All ECUs sharing key compromised |
| Infrastructure Requirement | None (out-of-band key sharing) | PKI: CA, cert issuance, revocation | Key provisioning infrastructure |
| Computational Overhead | Low (HMAC or symmetric op) | High (asymmetric verify + sign + optional DHE) | Medium |
| Bootloader Suitability | Excellent (low RAM/ROM) | Feasible on Cortex-M4+; heavy on M0/M0+ | Good — lighter than APCE |
| OTA / Remote Suitability | Poor (no mutual auth, no session key) | Excellent (mutual auth + encrypted channel) | Moderate |
CAN is a broadcast bus — every node receives every frame, including seed-key exchanges. A passive observer accumulating seed-key pairs can apply brute force or lookup table attacks against weak algorithms. For a 16-bit seed space (65,536 values), a complete lookup table is achievable over a vehicle's diagnostic history. XOR and CRC-based algorithms have been publicly documented for numerous OEM implementations.
Seed-key algorithms are embedded in diagnostic tester software and ECU firmware. DLL extraction from Windows-based tester tools has historically exposed OEM algorithms. ECU firmware extraction via JTAG, voltage glitching, or side-channel attacks can expose the computation directly.
Mitigation: Store K_device in an HSM or secure element with anti-extraction properties. Use per-device key material (HKDF with hardware UID) so compromise of one ECU does not cascade.
If the attempt counter is RAM-only, toggling ignition resets the lockout. An attacker with physical access can attempt unlimited brute-force with ~3 attempts per boot cycle.
Mitigation: Persist the attempt counter in NvM. Consider progressive delays (10s, 60s, 300s) rather than a fixed delay per lockout event.
APCE security depends entirely on the PKI chain. A compromised Root CA private key allows an attacker to issue certificates granting arbitrary roles. Certificate management — key ceremony procedures, HSM storage, CA revocation — becomes a critical operational security discipline.
A 2024 academic evaluation (CSCS '24, ACM) demonstrated practical replay-based attacks against 0x29 implementations that did not correctly enforce nonce freshness. Both APCE and ACR include nonce-based challenges to defeat replay, but weak PRNG usage or failure to enforce single-use nonces creates exploitable windows.
Mitigation: Use a TRNG for challenge generation. Enforce each challenge is single-use within a session. Embed a monotonic counter or timestamp in the signed data.
Remote diagnostics over cellular or Wi-Fi expose the channel to man-in-the-middle attacks impossible on physical CAN. Without bidirectional authentication and session key derivation (0x84), even an authenticated 0x29 session can have subsequent diagnostic traffic intercepted and manipulated.
Mitigation: For OTA and remote diagnostics, mandate bidirectional APCE with DHE session key derivation and SecuredDataTransmission (0x84) for all post-authentication frames.
| Step | UDS Service | Purpose |
|---|---|---|
| 1 | 0x10 DiagnosticSessionControl | Enter Programming Session (subfunction 0x02) |
| 2 | 0x27 or 0x29 | Authenticate / unlock programming security level |
| 3 | 0x31 RoutineControl | Pre-programming check: verify voltage, erase flash sectors |
| 4 | 0x34 RequestDownload | Declare download: specify memory address, size, compression/encryption |
| 5 | 0x36 TransferData | Block transfer: send firmware blocks with blockSequenceCounter |
| 6 | 0x37 RequestTransferExit | Finalize transfer; ECU validates image hash and digital signature |
| 7 | 0x31 RoutineControl | Post-programming check: verify flash content, activate software |
| 8 | 0x11 ECUReset | Reset ECU to execute new firmware |
Security gates Step 2: the 0x34/0x36/0x37 download sequence must be blocked until the tester holds the correct security level (0x27) or authenticated role (0x29). In AUTOSAR DCM, DcmDspServiceSecurityLevelRef and DcmDspServiceSessionRef enforce this declaratively in configuration.
ISO 14229-1 does not prohibit an ECU from supporting both 0x27 and 0x29 simultaneously. A common migration pattern:
| Weakness | Mitigation |
|---|---|
| Predictable seed | Use TRNG, minimum 128-bit (16-byte) seed length |
| Weak algorithm (XOR/CRC) | Replace with HMAC-SHA256 using per-device key in HSM or secure element |
| Shared key across fleet | Per-device key derivation using unique ECU hardware UID as HKDF input |
| RAM-only lockout counter | Persist attempt counter in NvM; use progressive delay intervals |
| No session binding | Bind key computation to session ID or tester serial in HMAC context data |
| Question | If YES — Implication |
|---|---|
| ECU supports OTA updates over Automotive Ethernet / DoIP? | 0x29 APCE with bidirectional auth and session keys is required. |
| ECU has hardware crypto acceleration (PKA, AES engine)? | 0x29 APCE is feasible; asymmetric overhead is manageable. |
| ECU flash < 128 KB or RAM < 32 KB? | 0x27 with HMAC-SHA256 is the practical choice; full APCE is too heavy. |
| Regulatory compliance (UN R155 / ISO 21434 / R156) requires update auditability? | 0x29 APCE certificate traceability directly satisfies this requirement. |
| Dealership tooling deployed with no near-term update path? | Maintain 0x27 for field service; layer 0x29 on OTA path only. |
| Fleet key compromise is a critical risk (high-value target, long vehicle lifespan)? | 0x29 APCE enables per-supplier certificate revocation without ECU reflash. |
| Multiple Tier-1 suppliers require access to the same ECU? | 0x29 role-based access with per-supplier certificates provides better isolation than shared security level keys. |
ISO 15765-4 (the CAN-specific UDS transport) has deprecated 0x27. ISO 14229-1 itself still includes both services. For new ECU designs, 0x29 is the recommended direction, but 0x27 remains widely deployed and is dominant in production vehicles through at least the 2025-2026 model years.
Yes, with the right implementation. 0x27 with HMAC-SHA256, a per-device key in an HSM, a TRNG-generated 128-bit seed, and a NvM-persisted lockout counter is computationally secure. The residual risk is key management: a compromised K_device affects all ECUs sharing that key. Per-device key derivation via HKDF with the hardware UID limits blast radius significantly.
AUTOSAR Classic DCM supports both. AUTOSAR 4.4.0 added 0x29 APCE support natively. The two services coexist and are not mutually exclusive in configuration. AUTOSAR Adaptive natively supports 0x29 with per-connection authentication state machines.
Service 0x84 encrypts and authenticates individual diagnostic messages using a session key derived during a 0x29 APCE exchange with DHE enabled. Without 0x29, there is no standardized UDS mechanism to derive a per-session key for 0x84. Service 0x27 does not produce a session key.
ISO 14229-1:2020 defines algorithm suites including ECDSA P-256 and P-384 for signatures, AES-128-GCM and AES-256-GCM for session encryption (combined with 0x84), SHA-256 and SHA-384 for hashing, and ECDH for key agreement. The communicationConfiguration sub-function negotiates the specific suite.
Service 0x27 Security Access is a mature, broadly deployed mechanism well-suited to resource-constrained ECUs with physical diagnostic access models. Its weakness is not fundamental — a well-implemented 0x27 with HMAC-SHA256 and per-device keys is computationally sound — but structural: it cannot provide bidirectional mutual authentication, certificate-based role management, or session key derivation for encrypted channels.
Service 0x29 Authentication solves these structural problems at the cost of PKI infrastructure complexity and asymmetric computational overhead. It is the correct choice for ECUs that participate in OTA update flows, remote diagnostics over untrusted transports, or multi-supplier access control scenarios where per-entity accountability and revocability matter.
For most embedded programs, the answer is not either/or. Existing ECUs benefit from 0x27 hardening. New platforms should design for 0x29 on the OTA path, with 0x27 retained for backward-compatible workshop access during the transition period. Both services can coexist within a single ECU, and the decision should be driven by the threat model, resource constraints, and tooling reality of each specific program.
References: ISO 14229-1:2020 Road vehicles — Unified diagnostic services (UDS) — Part 1: Application layer | AUTOSAR SWS DiagnosticCommunicationManager Classic R22-11 & Adaptive R22-11 | Lauser et al., "(Un)authenticated Diagnostic Services: A Practical Evaluation of Vulnerabilities in the UDS Authentication Service," CSCS '24, ACM (2024) | Embedded Computing Design: "New UDS Authentication: Enhanced Security, Familiar Challenges" (2024) | NIST SP 800-193 Platform Firmware Resiliency Guidelines | UN Regulation No. 156 (SUMS) | ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering