World Library  
Flag as Inappropriate
Email this Article
 

KeeLoq

KeeLoq is a proprietary hardware-dedicated block cipher that uses a non-linear feedback shift register (NLFSR). The uni-directional command transfer protocol was designed by Frederick Bruwer of Nanoteq (Pty) Ltd., the cryptographic algorithm was created by Gideon Kuhn, and the silicon implementation was by Willem Smit at Nanoteq Pty Ltd (South Africa) in the mid-1980s. KeeLoq was sold to Microchip Technology Inc in 1995 for $10 million.[1] It is used in "code hopping" encoders and decoders such as NTQ105/106/115/125D/129D and HCS101/2XX/3XX/4XX/5XX. KeeLoq is or was used in many remote keyless entry systems by such companies as Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Volkswagen Group, Clifford, Shurlok, Jaguar, etc.[2]

Contents

  • Description 1
  • Attacks 2
    • Replay attack 2.1
    • Cryptanalysis 2.2
    • Side-channel attacks 2.3
  • References 3
  • External links 4

Description

KeeLoq Encryption

KeeLoq "code hopping" encoders encrypt a 0-filled 32-bit block with KeeLoq cipher to produce a 32-bit "hopping code". A 32-bit initialization vector is linearly added (XORed) to the 32 least significant bits of the key prior to encryption and after decryption.

KeeLoq cipher accepts 64-bit keys and encrypts 32-bit blocks by executing its single-bit NLFSR for 528 rounds. The NLFSR feedback function is 0x3A5C742E or

F(a,b,c,d,e) = d \oplus e \oplus ac \oplus ae \oplus bc \oplus be \oplus cd \oplus de \oplus ade \oplus ace \oplus abd \oplus abc

KeeLoq uses bits 1, 9, 20, 26 and 31 of the NLFSR state as its inputs during encryption and bits 0, 8, 19, 25 and 30 during decryption. Its output is linearly combined (XORed) with two of the bits of the NLFSR state (bits 0 and 16 on encryption and bits 31 and 15 on decryption) and with a key bit (bit 0 of the key state on encryption and bit 15 of the key state on decryption) and is fed back into the NLFSR state on every round.

Attacks

Replay attack

For simplicity, individual "code hopping" implementations do not use cryptographic nonces and clock drift excludes the possibility of using timestamping. This makes the protocol inherently vulnerable to replay attacks: For example, by jamming the channel while intercepting the code, a thief can obtain a code that may still be usable at a later stage.[3] This sort of "code grabber,"[4] while theoretically interesting, does not appear to be widely used by car thieves.[5]

A detailed description of an inexpensive prototype device designed and built by Samy Kamkar to exploit this technique appeared in 2015. The device about the size of a wallet could be concealed on or near a locked vehicle to capture a single keyless entry code to be used at a later time to unlock the vehicle. The device transmits a jamming signal to block the vehicle's reception of rolling code signals from the owner's fob, while recording these signals from both of his two attempts needed to unlock the vehicle. The recorded first code is forwarded to the vehicle only when the owner makes the second attempt, while the recorded second code is retained for future use.[6] A demonstration was announced for DEF CON 23.[7]

Cryptanalysis

KeeLoq Decryption

KeeLoq was first cryptanalyzed by Andrey Bogdanov using sliding techniques and efficient linear approximations. Nicolas Courtois attacked KeeLoq using sliding and algebraic methods. The attacks by Bogdanov and Courtois do not pose any threat to the actual implementations that seem to be much more vulnerable to simple brute-force of the key space that is reduced in all the code-hopping implementations of the cipher known to date. Some KeeLoq "code grabbers" use FPGA-based devices to break KeeLoq-based keys by brute force within about two weeks due to the reduced key length in the real world implementations.

In 2007, researchers in the COSIC group at the university at Leuven, Belgium, (K.U.Leuven) in cooperation with colleagues from Israel found a new attack against the system.[8] Using the details of the algorithm that were leaked in 2006, the researchers started to analyze the weaknesses. After determining the part of the key common to cars of a specific model, the unique bits of the key can be cracked with only sniffed communication between the key and the car.

Microchip introduced in 1996[9] a version of KeeLoq ICs which use a 60-bit seed. If a 60-bit seed is being used, an attacker would require approximately 100 days of processing on a dedicated parallel brute force attacking machine before the system is broken.[10]

Side-channel attacks

In March 2008, researchers from the Chair for Embedded Security of Ruhr University Bochum, Germany, presented a complete break of remote keyless entry systems based on the KeeLoq RFID technology.[11][12] Their attack works on all known car and building access control systems that rely on the KeeLoq cipher.

The attack by the Bochum team allows recovering the secret cryptographic keys embedded in both the receiver and the remote control. It is based on measuring the electric power consumption of a device during an encryption. Applying what is called side-channel analysis methods to the power traces, the researchers can extract the manufacturer key from the receivers, which can be regarded as a master key for generating valid keys for the remote controls of one particular manufacturer. Unlike the cryptanalytic attack described above which requires about 65536 chosen plaintext-ciphertext pairs and days of calculation on a PC to recover the key, the side-channel attack can also be applied to the so-called KeeLoq Code Hopping mode of operation (a.k.a. rolling code) that is widely used for keyless entry systems (cars, garages, buildings, etc.).

The most devastating practical consequence of the side-channel analysis is an attack in which an attacker, having previously learned the system's master key, can clone any legitimate encoder by intercepting only two messages from this encoder from a distance of up to 100 metres (330 ft). Another attack allows one to reset the internal counter of the receiver (garage door, car door, etc.) which makes it impossible for a legitimate user to open the door.[13]

References

  1. ^ US patent 5517187, Bruwer, Frederick J.; Smit, Willem & Kuhn, Gideon J., "Microchips and remote control devices comprising same", issued 1996-05-14, assigned to Microchip Technology Inc 
  2. ^ Some evidence that Chrysler indeed uses KeeLoq can be found in (this video).
  3. ^ Analysis of RF Remote Security Using Software Defined Radio
  4. ^ http://www.microchip.com/stellent/idcplg?IdcService=SS_GET_PAGE&nodeId=2075¶m=en001022#P108_5361 stating, "It is a simple matter to build a circuit to record such transmissions for reply at the later time. Such a system is known as a code or key grabber."
  5. ^ http://www.snopes.com/autos/techno/lockcode.asp
  6. ^ Thompson, Cadie (2015-08-06). "A hacker made a $30 gadget that can unlock many cars that have keyless entry".  
  7. ^ Kamkar, Samy (2015-08-07). "Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars".  
  8. ^ How To Steal Cars — A Practical Attack on KeeLoq
  9. ^ (Will be in Web archive backup later): a Microchip press release on Dec 11, 1996 Quote: "...HCS410 KEELOQ Code Hopping Transponder and Encoder..."
  10. ^ Martin Novotny and Timo Kasper. "Cryptanalysis of KeeLoq with COPACOBANA" (PDF). SHARCS 2009 Conference. pp. 159–164. 
  11. ^ A complete break of the KeeLoq access control system
  12. ^ Thomas Eisenbarth, Timo Kasper, Amir Moradi, Christof Paar, Mahmoud Salmasizadeh, and Mohammad T. Manzuri Shalmani (2008-02-29). "Physical Cryptanalysis of KeeLoq Code Hopping Applications" (PDF). Ruhr University of Bochum, Germany. Retrieved 2009-03-22. 
  13. ^ Kasper, Timo (November 2012). Security Analysis of Pervasive Wireless Devices—Physical and Protocol Attacks in Practice (PDF) (Ph.D.).  

External links

  • KeeLoq decryption algorithm specification PDF
  • C source code by Ruptor
  • Bogdanov, Andrey (August 31 – September 5, 2007), Cryptanalysis of the KeeLoq block cipher, Xining, China  [2].
  • N.T. Courtois and G.V. Bard, 'Algebraic and Slide Attacks on KeeLoq'
  • University of Bochum / HGI press release on the complete break of KeeLoq based entry systems PDF
  • Physical Cryptanalysis of KeeLoq code-hopping applications
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
 
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
 
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.
 


Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.