KeeLoq

KeeLoq is a proprietary hardware-dedicated block cipher that uses a non-linear feedback shift register (NLFSR). The uni-directional command transfer protocol was designed by Frederick Bruwer of Nanoteq (Pty) Ltd., the cryptographic algorithm was created by Gideon Kuhn at the University of Pretoria, and the silicon implementation was by Willem Smit at Nanoteq Pty Ltd (South Africa) in the mid-1980s. KeeLoq was sold to Microchip Technology Inc in 1995 for $10 million. [1] It is used in "code hopping" encoders and decoders such as NTQ105/106/115/125D/129D, HCS101/2XX/3XX/4XX/5XX and MCS31X2. KeeLoq is or was used in many remote keyless entry systems by such companies as Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Volkswagen Group, Clifford, Shurlok, and Jaguar. [2]

Description

[Figure: KeeLoq Encryption]

KeeLoq "code hopping" encoders encrypt a 0-filled 32-bit block with the KeeLoq cipher to produce a 32-bit "hopping code". A 32-bit initialization vector is linearly added (XORed) to the 32 least significant bits of the key prior to encryption and after decryption.

KeeLoq cipher accepts 64-bit keys and encrypts 32-bit blocks by executing its single-bit NLFSR for 528 rounds. The NLFSR feedback function is 0x3A5C742E or

KeeLoq uses bits 1, 9, 20, 26 and 31 of the NLFSR state as its inputs during encryption and bits 0, 8, 19, 25 and 30 during decryption. Its output is linearly combined (XORed) with two of the bits of the NLFSR state (bits 0 and 16 on encryption and bits 31 and 15 on decryption) and with a key bit (bit 0 of the key state on encryption and bit 15 of the key state on decryption) and is fed back into the NLFSR state on every round.
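The round structure described above, written out in C as an added example (it is not code from the original page). The function names are illustrative and the sample key is constructed; the rotating key register is modelled by indexing the key bit for each round.

```c
#include <stdint.h>
#include <stdio.h>

#define KEELOQ_NLF    0x3A5C742Eu  /* 32-entry truth table of the feedback function */
#define KEELOQ_ROUNDS 528u

/* Bit n of x as 0 or 1. */
static uint32_t bit32(uint32_t x, unsigned n) { return (x >> n) & 1u; }
static uint32_t bit64(uint64_t x, unsigned n) { return (uint32_t)((x >> n) & 1u); }

/* NLF output for a 5-bit input index (0..31). */
uint32_t keeloq_nlf(uint32_t idx) { return bit32(KEELOQ_NLF, idx & 31u); }

/* Pack five state bits into the NLF index; tap a is the least significant input. */
static uint32_t taps(uint32_t s, unsigned a, unsigned b, unsigned c, unsigned d, unsigned e) {
    return bit32(s, a) | (bit32(s, b) << 1) | (bit32(s, c) << 2)
         | (bit32(s, d) << 3) | (bit32(s, e) << 4);
}

uint32_t keeloq_encrypt(uint32_t s, uint64_t key) {
    for (unsigned r = 0; r < KEELOQ_ROUNDS; r++) {
        /* Rotating the key register once per round equals reading key bit r mod 64. */
        uint32_t fb = keeloq_nlf(taps(s, 1, 9, 20, 26, 31))
                    ^ bit32(s, 0) ^ bit32(s, 16) ^ bit64(key, r & 63u);
        s = (s >> 1) | (fb << 31);  /* shift right, feedback enters at bit 31 */
    }
    return s;
}

uint32_t keeloq_decrypt(uint32_t s, uint64_t key) {
    for (unsigned r = 0; r < KEELOQ_ROUNDS; r++) {
        /* 528 = 8*64 + 16: encryption ended on key bit 15, so walk back from there. */
        uint32_t fb = keeloq_nlf(taps(s, 0, 8, 19, 25, 30))
                    ^ bit32(s, 31) ^ bit32(s, 15) ^ bit64(key, (15u - r) & 63u);
        s = (s << 1) | fb;          /* shift left, feedback enters at bit 0 */
    }
    return s;
}

int main(void) {
    const uint64_t key = 0x0123456789ABCDEFULL;  /* constructed sample key */
    const uint32_t pt  = 0x00000000u;            /* zero-filled block, as in code hopping */
    uint32_t ct = keeloq_encrypt(pt, key);
    printf("ct=%08lX roundtrip_ok=%d\n", (unsigned long)ct, keeloq_decrypt(ct, key) == pt);
    return 0;
}
```

Each decryption round undoes one encryption round: the decryption taps are the encryption taps shifted down by one position because the state has already moved one bit.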

Versions

This article describes the Classic KeeLoq protocol, but newer versions have been developed. The Dual KeeLoq system [3] is a timer-based algorithm enhancing the Classic KeeLoq system. The goal of this newer version is to have a timer-driven counter which increments continuously, in contrast to Classic KeeLoq, where the counter increments based on the events it receives. This provides protection against the capture-and-replay attack known as RollJam, after Samy Kamkar's work.

Attacks

Replay attack

For simplicity, individual "code hopping" implementations typically do not use cryptographic nonces or timestamping. This makes the protocol inherently vulnerable to replay attacks: For example, by jamming the channel while intercepting the code, a thief can obtain a code that may still be usable at a later stage. [4] This sort of "code grabber," [5] while theoretically interesting, does not appear to be widely used by car thieves. [6]

A detailed description of an inexpensive prototype device designed and built by Samy Kamkar to exploit this technique appeared in 2015. The device, about the size of a wallet, could be concealed on or near a locked vehicle to capture a single keyless entry code to be used at a later time to unlock the vehicle. The device transmits a jamming signal to block the vehicle's reception of rolling code signals from the owner's fob, while recording these signals from both of the owner's two attempts needed to unlock the vehicle. The recorded first code is forwarded to the vehicle only when the owner makes the second attempt, while the recorded second code is retained for future use. [7] A demonstration was announced for DEF CON 23. [8]
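A receiver-side view of why a withheld code stays valid under an event-driven counter but expires under a timer-driven one, as an added C model (not code from the original page or from Microchip). Decryption is omitted, and the window size, tolerance, counter values and all names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EVENT_WINDOW   16u  /* assumed: button presses the receiver looks ahead */
#define TIME_TOLERANCE 5u   /* assumed: allowed clock skew, in timer ticks */

typedef struct { uint16_t last_counter; } event_rx;              /* event-driven counter */
typedef struct { uint32_t now; uint32_t last_stamp; } timer_rx;  /* timer-driven counter */

/* Accept any counter ahead of the last accepted one, within the look-ahead window. */
bool event_rx_accept(event_rx *rx, uint16_t counter) {
    uint16_t ahead = (uint16_t)(counter - rx->last_counter);
    if (ahead == 0 || ahead > EVENT_WINDOW) return false;
    rx->last_counter = counter;
    return true;
}

/* Accept only a value that is unseen AND close to the receiver's own clock. */
bool timer_rx_accept(timer_rx *rx, uint32_t stamp) {
    uint32_t skew = stamp > rx->now ? stamp - rx->now : rx->now - stamp;
    if (skew > TIME_TOLERANCE || stamp <= rx->last_stamp) return false;
    rx->last_stamp = stamp;
    return true;
}

/* Two codes never reached the receiver; one is forwarded, the other held back. */
bool withheld_code_accepted_event(void) {
    event_rx rx = { .last_counter = 100 };   /* constructed starting state */
    event_rx_accept(&rx, 101);               /* first code, forwarded at once */
    return event_rx_accept(&rx, 102);        /* second code: valid whenever it arrives */
}

bool withheld_code_accepted_timer(void) {
    timer_rx rx = { .now = 1001, .last_stamp = 990 };
    timer_rx_accept(&rx, 1000);              /* first code, forwarded promptly */
    rx.now = 1600;                           /* receiver clock keeps running */
    return timer_rx_accept(&rx, 1001);       /* second code is stale by now */
}

int main(void) {
    printf("event-driven receiver accepts withheld code: %d\n", withheld_code_accepted_event());
    printf("timer-driven receiver accepts withheld code: %d\n", withheld_code_accepted_timer());
    return 0;
}
```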

Cryptanalysis

[Figure: KeeLoq Decryption]

KeeLoq was first cryptanalyzed by Andrey Bogdanov using sliding techniques and efficient linear approximations. Nicolas Courtois attacked KeeLoq using sliding and algebraic methods. The attacks by Bogdanov and Courtois do not pose any threat to the actual implementations, which seem to be much more vulnerable to a simple brute-force search of the key space, which is reduced in all the code-hopping implementations of the cipher known to date. Some KeeLoq "code grabbers" use FPGA-based devices to break KeeLoq-based keys by brute force within about two weeks due to the reduced key length in the real-world implementations. [citation needed]

In 2007, researchers in the COSIC group at the university at Leuven, Belgium, (K.U.Leuven) in cooperation with colleagues from Israel found a new attack against the system. [9] Using the details of the algorithm that were leaked in 2006, the researchers started to analyze the weaknesses. After determining the part of the key common to cars of a specific model, the unique bits of the key can be cracked with only sniffed communication between the key and the car.

In 1996, Microchip introduced [10] a version of KeeLoq ICs which use a 60-bit seed. If a 60-bit seed is being used, an attacker would require approximately 1011 days of processing on a dedicated parallel brute force attacking machine before the system is broken. [11]

Side-channel attacks

In March 2008, researchers from the Chair for Embedded Security of Ruhr University Bochum, Germany, presented a complete break of remote keyless entry systems based on the KeeLoq RFID technology. [12] [13] Their attack works on all known car and building access control systems that rely on the KeeLoq cipher.

The attack by the Bochum team allows recovering the secret cryptographic keys embedded in both the receiver and the remote control. It is based on measuring the electric power consumption of a device during an encryption. By applying side-channel analysis methods to the power traces, the researchers can extract the manufacturer key from the receivers, which can be regarded as a master key for generating valid keys for the remote controls of one particular manufacturer. Unlike the cryptanalytic attack described above, which requires about 65536 chosen plaintext-ciphertext pairs and days of calculation on a PC to recover the key, the side-channel attack can also be applied to the so-called KeeLoq Code Hopping mode of operation (a.k.a. rolling code) that is widely used for keyless entry systems (cars, garages, buildings, etc.).

The most devastating practical consequence of the side-channel analysis is an attack in which an attacker, having previously learned the system's master key, can clone any legitimate encoder by intercepting only two messages from this encoder from a distance of up to 100 metres (330 ft). Another attack allows one to reset the internal counter of the receiver (garage door, car door, etc.), which makes it impossible for a legitimate user to open the door. [14]

References

  1. US patent 5517187, Bruwer, Frederick J.; Smit, Willem & Kuhn, Gideon J., "Microchips and remote control devices comprising same", issued 1996-05-14, assigned to Microchip Technology Inc
  2. Some evidence that Chrysler indeed uses KeeLoq can be found in (this video).
  3. MicroChip - MCS3142 - Security - KeeLoq Encoder Devices
  4. Analysis of RF Remote Security Using Software Defined Radio
  5. http://www.microchip.com/stellent/idcplg?IdcService=SS_GET_PAGE&nodeId=2075&param=en001022#P108_5361 stating, "It is a simple matter to build a circuit to record such transmissions for reply at the later time. Such a system is known as a code or key grabber."
  6. "FACT CHECK: Are Car Thieves Using 'Code Grabbers' to Steal Automobiles?". 2 July 2008.
  7. Thompson, Cadie (2015-08-06). "A hacker made a $30 gadget that can unlock many cars that have keyless entry". Tech Insider. Retrieved 2015-08-11.
  8. Kamkar, Samy (2015-08-07). "Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars". DEF CON 23. Retrieved 2015-08-11.
  9. How To Steal Cars — A Practical Attack on KeeLoq
  10. (Will be in Web archive backup later): a Microchip press release on Dec 11, 1996 Quote: "...HCS410 KEELOQ Code Hopping Transponder and Encoder..."
  11. Martin Novotny; Timo Kasper. "Cryptanalysis of KeeLoq with COPACOBANA" (PDF). SHARCS 2009 Conference: 159–164.
  12. "A complete break of the KeeLoq access control system". Archived from the original on 2015-09-24. Retrieved 2015-08-10.
  13. Thomas Eisenbarth; Timo Kasper; Amir Moradi; Christof Paar; Mahmoud Salmasizadeh; Mohammad T. Manzuri Shalmani (2008-02-29). "Physical Cryptanalysis of KeeLoq Code Hopping Applications" (PDF). Ruhr University of Bochum, Germany. Retrieved 2009-03-22.
  14. Kasper, Timo (November 2012). Security Analysis of Pervasive Wireless Devices—Physical and Protocol Attacks in Practice (Ph.D.). Ruhr University Bochum, Germany. Retrieved 2023-07-03.