1 / 18

563.12.2 Keyless Entry

563.12.2 Keyless Entry. Ryan Kagin University of Illinois Fall 2007. Overview. History Structure Communication protocols Automobile applications Security issues Case Study: Texas Instruments Device. History. 1950’s: Garage door openers used one common frequency for all garage doors

ganit
Download Presentation

563.12.2 Keyless Entry

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 563.12.2 Keyless Entry Ryan Kagin University of Illinois Fall 2007

  2. Overview • History • Structure • Communication protocols • Automobile applications • Security issues • Case Study: Texas Instruments Device

  3. History • 1950’s: Garage door openers used one common frequency for all garage doors • 1970’s: DIP switches used to vary transceiver / transmitter codes • 1993: Lectron’s passive keyless entry for Corvette Brain 07, Hirano 88 3

  4. Garage Door Openers Less security threat One-way communication Simple programming – allow garage door to receive shared key Allow multiple openers for one door Automobile Systems High security threat model Uses combination of one-way and two-way communication Shared key preprogrammed into automobile and key Comparison Between Garage Doors and Automobile Systems

  5. Basic Structure • Contains 2 parts: • Transmitter (typically key fob) • Receiver (typically automobile) • Current designs use: • Two way communication • LF for sleeping mode 5

  6. Communication Protocols • Fixed Code Technique • Transmit constant code within certain range, similar to garage door openers in the past. • Typically unusued: moved away from this because of scan and replay attacks Alrabady 05 6

  7. Communication Protocols • Rolling Code Technique • Initially start with 40-bit counter • Each communication first transmits counter, then increments it in algorithmic fashion • Automobile verifies transmitted code • Precautions: padding and “resynchronizing” Alrabady 05 7

  8. Communication Protocols • Challenge-Response Technique • Automobile challenges key fob by sending random number • Key fob encrypts it and sends it back to automobile • Automobile compares for validity • Used in remote keyless entry Alrabady 05 8

  9. Applications in Automobiles Three main components: • Remote Keyless Entry System (RKE) • Also includes passive keyless entry • Remote Keyless Ignition System (RKI) • Immobilizer (Im) 9

  10. Remote Keyless Entry System • A system designed to remotely permit or deny access to premises or automobiles. • Typically uses rolling code technique • When button is pressed, function code and counter is sent • Automobile verifies counter and performs function if correct Alrabady 03 10

  11. Passive Keyless Entry • Typically uses challenge-response technique • When reaching for door handle, automobile wakes key fob with LF signal • Communication begins when pulling commences. • Requires fast protocol to prevent mechanical jam. Alrabady 03, 05 11

  12. Passive Keyless Entry User pulls door handle Challenge with pseudorandom number Automobile computes expected response Key fob computes response If response is valid, automobile performs requested function. Time The key to the protocol: it needs to be fast to prevent mechanical jam 12

  13. Remote Keyless Ignition • A system that allows remote communication to start or turn off a car. • Also typically uses challenge-response technique Alrabady 03 13

  14. Immobilizer • An electronic device fitted to an automobile which prevents the engine from running unless the correct key is present. • If key fob is not present, then fuel does not get injected into the engine. 14

  15. Security Issues Types of attacks: • Scan attack – generic brute force • Playback attack – record old messages • Two-thief attack – generic man-in-the-middle attack • Challenge forward prediction attack – predict future answer from previous • Dictionary attack – compile valid pairs Alrabady 05

  16. Case Study: TRC1300 Texas Instruments Remote Control Encoders/Decoders • Uses 40-bit rolling code  ~1.1 trillion different potential codes • Transmitter sends 40-bit code and function code (up to 15 different codes) • Both transmitter and receiver use same pseudorandom number generator

  17. Case Study: TRC1300

  18. References • Marshall Brian, “How Remote Entry Works”, http://auto.howstuffworks.com/remote-entry.htm, accessed 11 Nov 2007. • Ansaf Ibrahem Alrabady and Syed Masud Mahmud, “Some Attacks Against Vehicles’ Passive Entry Systems and Their Solutions”. IEEE Transactions on Vehicular Technology, vol. 52, no. 2, pp. 431-439 , March 2003. • Ansaf Ibrahem Alrabady and Syed Masud Mahmud, “Analysis of Attacks Against the Security of Keyless-Entry Systems for Vehicles and Suggestions for Improved Designs. IEEE Transactions on Vehicular Technology, vol. 54, no. 1, pp. 41-50, January 2005. • Xiao Ni and Victor Foo Siang Fook, “AES Security Protocol Implementation for Automobile Remote Keyless System”. IEEE Transactions on Vehicular Technology, vol. 56, no. 3, pp. 2526-2529 , April 2007. • Steve Bono, Matthew Green, Adam Stubblefield, and Avi Rubin, “Analysis of the Texas Instruments DST RFID”, http://web.archive.org/web/20061013023542/http://rfid-analysis.org/ accessed 11 Nov 2007. • Texas Instruments, “TRC1300 Specifications”, http://focus.ti.com/lit/ds/slws011d/slws011d.pdf accessed 11 Nov 2007. • M. Hirano, M. Takeuchi, T. Tomoda, and K. Nakano, “Keyless entry system with radio card transponder”, IEEE Transactions on Industrial Electronics and Control, vol. 35, no. 2, pp. 208-216, March 2007. 18

More Related