CANcrypt comes in two generations: V1 for classical CAN and CANopen; V2 for CAN FD on the SPsec sublayer. The best fit is rarely a single question. It depends on the CAN version you run, the number of nodes on the bus and the protection or security level you need.
Both generations protect communication at the link layer
rather than asking every application to invent its own
security, and both can run on classical CAN and on CAN FD.
They differ in the cryptographic toolbox they draw on and in
how much of the traffic they protect. The right choice depends
on how constrained your devices are and how many frames need
protection. For a feature-by-feature comparison of CANcrypt
V1, CANcrypt V2 and CANsec, see the
link-layer security comparison.
The original CANcrypt provides authentication and key management for classical CAN and CANopen, with a published book, use cases and the original documentation. A secure group holds up to 16 participants, and because the design can use lightweight ciphers it suits very constrained devices. The classic site is preserved and fully browsable.
CANcrypt V2 is optimized for CAN FD and CANopen FD, where
it can protect all frames with authenticated
encryption, built on the SPsec security sublayer and aligned
with the EU Cyber Resilience Act. Which frames are protected
is configurable, so V2 can also run on classical CAN when
only a limited number of frames need protection.
Use CANcrypt V1 for classical CAN on very constrained devices where the secure group does not exceed 16 nodes. For all other cases we recommend CANcrypt V2, built on SPsec.
Yes. The original CANcrypt site, book, use cases and documentation are preserved and fully browsable under the CANcrypt V1 link.
