Page 1
SECURITY OF PASSIVE ACCESS VEHICLE
by
ANSAF IBRAHEM ALRABADY
DISSERTATION
Submitted to the Graduate School
of Wayne State University,
Detroit, Michigan
in partial fulfillment of the requirements
for the degree of
DOCTOR OF PHILOSOPHY
2002
MAJOR: ELECTRICAL AND COMPUTER ENGINEERING
Approved by: ______________________________ Advisor Date ______________________________ ______________________________ ______________________________ ______________________________
Page 2
© COPYRIGHT BY
ANSAF IBRAHEM ALRABADY
2002
All Rights Reserved
Page 3
DEDICATION
To my family
Page 4
ACKNOWLEDGMENTS
First, I would like to express my sincere thanks to my adviser, Dr.
Mahmud for his guidance throughout my dissertation and for his willingness
to welcome me to his home in order to work around my hectic schedule.
Also, my deep appreciation to his family for their warm welcome and for the
time I took from them every weekend to make this work possible.
Second, my special thanks to the people I worked with at TRW, a
place of highly talented people. Thanks to David Juzswik for his motivation
and for his help to select my research topic, Casilda de Benito and Sandra
MacDonald for their continued support, Ernie Pacsai for his confidence in me
and for creating an enjoyable and challenging workplace. My thanks also
goes to my friends I worked with at TRW, John Duquette, Koki Mizono, Paul
Lumley, Tony Cool, Dave Parent, Peter Lin, Tim Dezorzi, Tom Tracz, Jason
Evens, Jerome Gholston and many other that I learned from and enjoyed
working with.
My thanks also goes to my parents for their unlimited support, my
brothers and sisters Ruba, Rula, Majdi Rabi, Rama and Rania for their love,
my uncle Dr. Munier Dababneh for his encouragement. Great thanks to my
wife Tamara for her patience, love, support, and understanding during the
long working hours at work and study
Page 5
TABLE OF CONTENTS
CHAPTER 1 - INTRODUCTION .................................................................... 1
CHAPTER 2 - BACKGROUND MATERIAL .................................................. 6
2.1 CRYPTOLOGY ....................................................................................... 7
2.2 REMOTE KEYLESS ENTRY.................................................................... 10
2.2.1 Fixed Code ................................................................................. 11
2.2.2 Rolling Code............................................................................... 11
2.2.2.1 Synchronization....................................................................... 15
2.3 BI-DIRECTIONAL RKE.......................................................................... 17
2.4 IMMOBILIZER....................................................................................... 20
2.4.1 Fixed Code ................................................................................. 20
2.4.2 Rolling Code............................................................................... 21
2.4.3 Password Protection .................................................................. 22
2.4.4 Challenge Response .................................................................. 22
2.5 PASSIVE ACCESS SYSTEM................................................................... 24
2.5.1 Unidirectional Link ...................................................................... 25
2.5.2 Bi-directional Link ....................................................................... 27
2.6 RANDOM NUMBER GENERATORS .......................................................... 33
2.7 SECURITY THREAT .............................................................................. 36
2.7.1 Deterministic approach............................................................... 38
2.7.1.1 Playback Attack....................................................................... 39
2.7.1.2 Relay Attack ............................................................................ 39
2.7.2 Statistical approach .................................................................... 41
Page 6
2.7.2.1 Scanning Attack ...................................................................... 41
2.7.2.2 Dictionary Attack ..................................................................... 42
2.7.3 Analytical approach: ................................................................... 43
2.7.3.1 Cryptanalysis Attack................................................................ 44
2.7.3.2 Challenge Prediction Attack .................................................... 46
CHAPTER 3 - SECURITY ANALYSIS......................................................... 48
3.1 PLAYBACK ATTACK ............................................................................. 49
3.2 RELAY ATTACK................................................................................... 51
3.3 CRYPTANALYSIS ATTACK..................................................................... 53
3.4 CHALLENGE PREDECTION ATTACK ....................................................... 56
3.4.1 ExternAl Manipulation. ............................................................... 57
3.4.2 Different Sequence for Different ECUs....................................... 58
3.4.3 Statistical Requierments............................................................. 59
3.4.3.1 Flat distribution ........................................................................ 60
3.4.3.2 Avalanche Effect ..................................................................... 62
3.4.3.3 Strict Avalanche Effect ............................................................ 65
3.5 RANDOM CHALLENGE MODEL............................................................... 67
3.6 MEASURING SECURITY........................................................................ 73
3.7 SCANNING ATTACK ............................................................................. 76
3.7.1 Independent Random Challenge................................................ 76
3.7.2 Cyclic Random Challenge .......................................................... 79
3.7.3 EFFECT OF Randomization Factor ........................................... 82
3.8 DICTIONARY ATTACK........................................................................... 87
Page 7
3.8.1 The Devil’s Advocate.................................................................. 93
CHAPTER 4 - SOLUTIONS OF DICTIONARY AND RELAY ATTACKS.... 98
4.1 DICTIONARY ATTACK COUNTERFEIT ................................................... 100
4.1.1 Use of Password ...................................................................... 100
4.1.2 Decrease Repetition Rate ........................................................ 103
4.1.3 Mutual Authentication............................................................... 103
4.1.4 Enhanced Mutual Authentication.............................................. 106
4.2 NEW DICTIONARY ATTACK AND SOLUTION........................................... 111
4.3 RELAY ATTACK................................................................................. 113
4.3.1 Relay solution categories ......................................................... 114
4.3.1.1 Repeater Detection ............................................................... 114
4.3.1.2 Signal Corruption................................................................... 115
4.3.2 Feedback Solution.................................................................... 116
4.3.3 Feedback Signal Analysis ........................................................ 120
4.3.4 Feedback Counter Measure Attack .......................................... 122
4.3.5 Secure Protocol........................................................................ 123
4.3.6 Three Thief Attack .................................................................... 126
4.3.7 Two Power Levels Counter Measure ....................................... 128
4.3.8 Two power levels Analysis ....................................................... 129
CHAPTER 5 - CONCLUSIONS ................................................................. 138
CHAPTER 6 - FUTURE RESEARCH ........................................................ 140
ABSTRACT ............................................................................................... 147
Page 8
AUTOBIOGRAPHICAL STATEMENT....................................................... 148
Page 9
LIST OF TABLES
Table 1: Summary of available authentication using a bi-directional link for
passive vehicle ....................................................................................... 32
Table 2: Example of random numbers probability distribution and their
corresponding amount of information ..................................................... 61
Table 3: Summary of different authentication protocols and their impact on
the system security and performance................................................... 113
Page 10
LIST OF FIGURES
Figure 1 : An example of a cryptosystem data transformation ....................... 8
Figure 2: Example of rolling code authentication for unidirectional RKE ...... 13
Figure 3: Sequence Counter Operation Window.......................................... 17
Figure 4: Example of rolling code for bi-directional RKE .............................. 19
Figure 5: Communication between the vehicle and the CID......................... 28
Figure 6: Illustration of a two-thief attack problem........................................ 40
Figure 7: Block diagram of a thief’s repeater system.................................... 51
Figure 8: A complete theft device using two repeaters................................. 52
Figure 9: Cryptanalysis attack spectrum ...................................................... 53
Figure 10: Examples of different systems on the cryptanalysis spectrum .... 54
Figure 11: Number of combinations for each number of bits changed ......... 65
Figure 12: Entropy vs. probability of bit change ........................................... 67
Figure 13: Model for random number generator........................................... 68
Figure 14: F(X) for cyclic and independent random challenges ................... 81
Figure 15: F(k,n,m) for different system parameters .................................... 84
Figure 16: F(X) for dictionary attack with different dictionary size ................ 92
Figure 17: Password protection authentication process............................. 101
Figure 18: Mutual authentication challenge................................................ 104
Figure 19: Vehicle processing to a received challenge in a mutual
authentication protocol ......................................................................... 105
Figure 20: Challenge block diagram........................................................... 108
Figure 21: Enhanced mutual authentication flowchart................................ 109
Page 11
Figure 22: Communication between the vehicle and the CID using a
unidirectional LF link and a bi-directional RF link. ................................ 116
Figure 23: Communication between the owner and the vehicle with the two
thieves in the loop. ............................................................................... 118
Figure 24: The feedback loop between Thief-1 and Thief-2 ....................... 121
Figure 25: Communication protocol for the solution. .................................. 124
Figure 26: Encryption of the Communication Protocol ............................... 125
Figure 27: Positions of the thieves, the CID and the vehicle in a three-thief
attack problem...................................................................................... 127
Figure 28: Positions of Thief-1, Thief-3 and the vehicle. ............................ 133
Page 12
1
CHAPTER 1
INTRODUCTION
The use of keyless entry for automotive application has grown rapidly
since it was introduced as a numerical keypad at the exterior of the vehicle’s
door. In the early version, the user was required to enter a Personal
Identification Number (PIN) as a proof of identity before allowing access to
the vehicle’s compartment. The numerical keypad provides some level of
user comfort. It was more appreciated by those who are involved in sport
activities since they do not want to carry a mechanical key and yet want to
access their vehicles. While numerical keypad provides some comfort to
certain people, it did not provide the desired comfort level for normal day-to-
day use. In addition, the level of security provided by such system was
unacceptable for automotive use.
As the technology moved forward, a more desirable type of keyless
entry system known as Remote Keyless Entry (RKE) was introduced. Unlike
the numerical keypad that was based on knowledge of a PIN to gain access
to the vehicle, the RKE system was based on the possession of a portable
transmitter. RKE system has been in production for over twenty years. It has
become such a desirable convenience feature that it is standard on many of
today’s vehicles. The system mainly consists of two units, a portable
transmitter known as the fob, and a receiver connected to a control unit
installed in the vehicle. When a user attempts to access his vehicle he
Page 13
2
presses one of the several buttons available on the fob. In response to the
user press, the fob transmits a message. The message contains a function
code and an identification code. Every transmitter has a unique identification
code stored in its memory at the manufacturing time. The same identification
code is also stored in the vehicle memory. If the vehicle is within the fob’s
transmission range, the control unit in the vehicle receives the fob’s
transmitted message. The vehicle then compares the received identification
code with the one stored in its memory. If the received identification code
matches the stored identification code, the vehicle then recognizes the
message as a valid message. In response to a valid message, the vehicle
generates the appropriate signals to perform the desired function as
requested by the function code. Remote functions include door lock, unlock,
trunk open, panic, and remote engine start.
The search for other types of keyless entry to improve the user
comfort and security continues in different technological fields. The objective
was to increase the user comfort to access the vehicle at the same time
prevent any unauthorized access. Some of the technology investigated the
use of biological attributes as methods for authentication. These attributes
include fingerprints, voice, and vision. While these methods are promising to
prove the user identity, the cost and reliability of such technology is still far
from being acceptable for automotive use.
Although RKE systems have enhanced user convenience, the user
still has to reach for the fob and physically press a button to unlock the
Page 14
3
vehicle. This level of user interface is not convenient for users with hands full
of groceries or for someone who is rushing to enter the vehicle. To eliminate
a user from reaching for the fob and then press a button, a more
sophisticated type of keyless entry system has been recently introduced to
the market [8],[38]. The system is a hands-free or passive system. A user no
longer needs to search for a mechanical key or a fob to unlock the vehicle.
The vehicle identifies authorized users through the possession of a CID that
is carried in their pocket or purse. The CID is a credit card or fob like device.
When a user tries to access the vehicle (doors, trunk, or ignition), the vehicle
sends an interrogation message. If an authorized CID is within the
transmission range of the interrogation message, the CID responds with an
identification code to the vehicle. The vehicle checks the received
identification code to verify the user identity. The communication time
between the vehicle and the CID, the verification process and the unlocking
process, all have to be completed in a short period of time such that a normal
door handle lift will not cause a mechanical lock jam or interference.
While the main objective of the passive entry system is to provide the
user with a high level of convenience, the system must also meet or exceed
the current RKE security. One of the most technical challenges in designing
a secure system is the communication protocol between the CID and the
vehicle. The protocol has to meet the communication timing imposed by the
system requirements. A fast protocol is important to ensure that the vehicle
will unlock before the door handle reaches its full travel, or a mechanical jam
Page 15
4
may occur. Other challenges in designing the protocol includes but not
limited to, support of multiple CIDs to the same vehicle, synchronization
between the CID and the vehicle, program and deprogram a new CID in case
of lost or stolen CID, and most importantly vehicle security.
On the security side, the battle between the system designer and the
system attackers is an on going process. It is an unfortunate and unfair battle
against the system designers. System designers are considered successful
in their design if they design a system that is secure against any possible
attack. On the other side, system attackers are considered successful if they
find one method only to break the system. This leaves a huge burden on the
system designers. They have to think not only as system designers, but also
as system attackers. Their job goes beyond the system design to identify all
possible methods to break the system, regardless of whether these methods
are available today or they may be developed in the future.
It is important on one hand to recognize the fact that there are criminal
organizations that have the skills and capability to design and build
electronics to attack RKE and passive access systems. On the other hand, a
highly secure system might be cost prohibitive for automotive use. For these
reasons analyzing the different security threats against the system is a
crucial part in meeting the overall system requirements and design tradeoffs.
Security consideration is important at an early stage of the system
design phases. Adding security after the system design may be expensive
Page 16
5
and difficult to implement. Design for security can be split into three different
steps. First, identify the different security weaknesses and possible threats
against the system. Second, analyze and measure each of the security
threats identified and its impact on the overall system design. Third, provide
solution based on analysis that balances between security aspect and other
system design parameters. It is the objective of this research work to go
through these three steps in order to provide a reliable and secure system for
passive access vehicle.
This dissertation is organized in six chapters. Chapter 1 is an
introduction. Background material is presented in Chapter 2. This material
includes an overview of cryptology, current available systems in the vehicle
for access and security, and identification of the security threats against the
passive access system. Analysis of different attacks, security measures and
random challenge model is presented in Chapter 3. Solutions to the
dictionary and relay attacks are given in Chapter 4. Conclusions are
presented in Chapter 5, and future research directions are presented in
Chapter 6.
Page 17
6
CHAPTER 2
BACKGROUND MATERIAL
Passive access system for vehicles is a new technology. A secure and
reliable communication protocol for passive vehicle access systems is still
under development. Several authentication protocols have been investigated
in the past for other systems in the vehicle. Systems such as RKE and
immobilizer are rapidly evolving to increase user convenience and vehicle
security. It is important to understand how these systems work. What are the
existing security weaknesses against these systems? What kind of security
measures has been implemented to prohibit an unauthorized access? What
are the different variations? Understanding the current technology and the
challenges involved, provide a valuable guidance toward the development of
a secure and reliable protocol for passive access system.
This chapter is divided into seven sections. An overview of the use of
cryptology in information security is presented in Section 2.1. Available
communication protocols and authentication techniques for unidirectional and
bi-directional RKE are shown in Section 2.2 and Section 2.3, respectively.
Several authentication methods used in the immobilizer system are shown in
Section 2.4. Communication links for passive access system between the
vehicle and the CID are presented in Section 2.5. Random number generator
is one important component of the authentication protocol. An overview of
Page 18
7
random number generators is shown in Section 2.6. Different security threats
against the passive access system are presented in Section 2.7.
2.1 CRYPTOLOGY
Cryptology is one field of mathematics that deals with information
security. It consists of two branches, cryptography and cryptanalysis. The
people who practice cryptography are called cryptographer while the people
who practice cryptanalysis are called cryptanalysts. Cryptographers’ main
objective is to build a cryptosystem that secures information communicated
over a public channel (e.g. wireless communication). Cryptanalysts represent
the enemy side; their main mission is to break the security of the
communicated information.
A cryptosystem normally consists of an encryption algorithm and a
matching decryption algorithm. An encryption algorithm, represented by E(),
is a mathematical transformation that takes a plain-text P and produces a
cipher-text (encrypted text) C using an encryption key KE. A Decryption
algorithm, represented by D(), is a mathematical transformation that takes a
cipher-text C and produces a plain-text P using a decryption key KD. The
encryption key KE and the decryption key KD may have the same value or
they may have different values. This mainly depends on the encryption and
decryption algorithms used. For simplicity of illustration, we use the same
symbol for both encryption and decryption keys (i.e. KE = KD = K). Figure 1
shows the information transformation.
Page 19
8
EK(P)P DK(C)
K
C
K
P
Figure 1 : An example of a cryptosystem data transformation
Different encryption algorithms provide different degree of security.
While some algorithms maintain their security by keeping the details of
encryption and decryption transformation secret, other algorithms are
available to the general public. The security of a public domain algorithm is
maintained in the encryption and decryption keys. The encryption and
decryption keys are assigned at a later phase in the design process. Public
domain algorithms are available to the general public for review, analysis,
and use. Their strength is drawn from the complexity to calculate the inverse
of the algorithm without knowing the key. The use of public domain
algorithms provides a system that is secure by design not by trust. The
system maintains its security without concerns of any type of threats against
the system. One threat example may be possible from one of the members
of a design team who was frustrated and left the organization. A second
threat example may be possible form some criminal organizations with
advanced technology in reverse engineering. They may have the power and
tools to read and de-assemble the ROM content. Even though some of the
processors provide a security bit against reading the ROM once it is
Page 20
9
programmed, several techniques are available to erase the security bit for
some of the known processors [2].
The strength of an encryption algorithm is normally measured by the
time and space complexity needed to break the encryption algorithm. The
use of the phrase “break the algorithm” means to find a method either to
recover the plaintext or the encryption key that has been used. From a
mathematical point of view, an encryption algorithm may be classified as: -
i) Unconditionally secure:- The encryption algorithm is said to be
unconditionally secure if the amount of information available to the
outside is insufficient to figure out the encryption and decryption
transformation. This is true regardless of the amount of time and tools
available to a cryptanalyst. Encryption algorithms that are based on
one-time-pad [19] techniques belong to this category. In this technique
different encryption key is used every time the system is used. Of
course, the sequence of encryption keys has to be known to both
communicating parties ahead of time. This might not be possible for
all systems or it might be as difficult as sending the messages
themselves.
ii) Mathematically insecure:- The encryption algorithm is said to be
mathematically insecure if the encryption algorithm can be broken in a
short period of time. By a short period of time, we mean that the value
Page 21
10
of information obtained - in a short period of time - is much more than
the cost and effort involved to break the algorithm.
iii) Mathematically secure: - The encryption algorithm is said to be
mathematically secure if the time required to break the algorithm is
much more than the value of information obtained. The development
of new technology always tends to replace an old one. In general, the
information communicated over a public channel will have less value
in the future than its current value. If the amount of time and cost
needed to break an encryption algorithm is more than the future value
of the information obtained, we say that the algorithm is
mathematically secure.
2.2 REMOTE KEYLESS ENTRY
The communication protocol for the RKE systems has been under
development since it was first introduced in the early 1980 [9]. Most of the
current RKE systems available in the market are based on unidirectional
communication links. The communication starts when one of the fob buttons
is pressed. The fob sends a digital signal message that is received by a
controller mounted inside the vehicle. Two major variations of RKE
authentication that uses a unidirectional communication link exist. These are
described in the following two subsections
Page 22
11
2.2.1 FIXED CODE
In the early version of RKE, the message contains a fixed
identification code (ID) and a function code. The function code defines the
user’s intent to lock or unlock the vehicle. The fixed ID code is intended to
discriminate between different fobs programmed for different vehicles. When
the vehicle receives the message, it compares the received ID code with a
stored ID in the vehicle’s memory. If the IDs match, the vehicle then executes
the user’s request as defined by the function code bits. Fixed code system is
vulnerable to several attacks. The most widely known attack is the code
grabbing or playback attack [31]. A thief with a radio receiver can learn or
record the digital signal message when transmitted by an authorized fob. He
can then playback the recorded message to gain an unauthorized access to
the vehicle while the user is not around.
2.2.2 ROLLING CODE
To improve the system security against playback attack, recent RKE
systems provide a cryptographic rolling code protocol. The protocol is based
on changing the transmitted message every time the fob button is pressed.
Once the vehicle recognizes a message, the vehicle can’t use the same
message till a huge number of valid transmissions occur. The technique is
based on a sequence counter that is stored and initialized to the same value
in the vehicle and the fob upon manufacturing. The sequence counter is
incremented according to a predefined algorithm every time a fob button is
pressed. The new sequence counter number is stored in place of the
Page 23
12
previous value and then transmitted to the vehicle. When the vehicle
receives the transmitted message, it retrieves the sequence counter from its
memory. The vehicle then starts a verification process before authenticating
the message. To ensure the system reliability when the fob buttons are
pressed while it is not within the vehicle reception range, a synchronization
mechanism is implemented in the protocol. Synchronization between the fob
and the vehicle is described in more detail in Section 2.2.2.1
For example, one of the techniques used in rolling code is shown in
Figure 2. The fob serial number is a unique number assigned to each fob at
manufacturing time. The serial number is stored in the vehicle memory when
the fob is programmed for the vehicle. Similarly, each fob is assigned an
encryption key and an initial value to the sequence counter. The encryption
key and the sequence counter are stored in the vehicle memory during the
learning process. Since it is possible to have multiple fobs programmed for
the vehicle, the vehicle maintains a memory block for each fob. Each block
consists of three components, a serial number, an encryption key, and a
sequence counter.
Page 24
13
EncryptionAlgorithmEncryption Key
Serial Number
Encrypted Field Serial Number Pressed Button
DecryptionAlgorithm
Sequence Counter
Encryption Key
Serial Number
Encrypted Field Serial Number Pressed Button
Match ?
Y
Sequence Counter
Sequence Counter
Match ?
ProcessRequest
Y
Transmitted Message
Fob Memory
Vehicle Memory
Basic Fob Operation
Basic Vehicle Operation
1
2
3
4
Figure 2: Example of rolling code authentication for unidirectional RKE
Figure 2 shows two main sections. The upper section represents the
fob operation when a button is pressed. The fob sends a message that
consists of an encrypted field, a fob serial number, and information about the
button pressed. The lower section in the figure represents the vehicle
operation as it receives a transmitted message from the fob.
Page 25
14
When the fob button is pressed, the fob controller reads the sequence
counter, increments the sequence counter by one (not shown in the figure),
and stores the result back in place of the previous value. The incremented
sequence counter is then used as one input to the encryption algorithm. The
encryption algorithm reads the encryption key from the memory and encrypts
the sequence counter. The output is an encrypted field that is sent to the
vehicle along with the fob serial number and button press information.
When the vehicle receives the message, it performs the following
steps to verify the authenticity of the received message.
1. Compares the received fob serial number to the serial number in
every memory block stored in the memory. If a match is found, the
corresponding memory block content is used for further processing. In
this case the vehicle proceeds to Step 2. If the received serial number
did not match with any of the stored serial numbers, the vehicle
identifies the message as an invalid message.
2. In this step the vehicle decrypts the received encrypted field using the
encryption key from the memory block that has the matching serial
number. The result is a decrypted sequence counter.
3. The decrypted sequence counter (from Step 2) is then compared with
the stored sequence counter form the corresponding memory block. If
the received decrypted sequence counter has a newer value within a
predefined window, shown as match in the figure, the vehicle identifies
Page 26
15
the message as a valid message. In this case the vehicle updates the
sequence counter by storing the received value in place of the current
value. This concludes the authentication process. The vehicle then
proceeds to Step 4.
4. At this point the vehicle identifies the message as a valid message.
The controller translates the button press information and commands
the appropriate hardware to execute the requested function, i.e. door
lock, unlock….
Several variations of this technique are possible. One implementation
is to include the button press information as part of the encrypted field. Other
implementation is to use a fixed discriminator in addition to the sequence
counter and button press information in the encrypted field [34]. Adding a
discriminator to the encrypted message increases the number of possible
combinations. Increasing the number of possible combinations reduce the
risk of possible attacks such as the scan attack that will be discussed in a
later section. When the vehicle receives the message and decrypts its
content, it verifies whether the discriminator field matches with the one stored
in the memory. If they match, the vehicle then tests the sequence counter
value according to the procedure described earlier.
2.2.2.1 SYNCHRONIZATION
It is possible that the fob buttons may accidentally been pressed when
the fob was beyond the vehicle reception range. In this case the sequence
Page 27
16
counter is updated in the fob only. As a consequence the sequence counter
in the fob will not match the sequence counter in the vehicle for the next
button press. This problem is known as the synchronization problem.
To solve the synchronization problem, the vehicle defines an
operation window (OW) for the sequence counter value. The OW is defined
as the number of next consecutive values of the sequence counter stored in
the vehicle’s memory. In other words, it is the set of consecutive counts that
is greater than (signed comparison) the current value of the sequence
counter, but less than the current value plus the OW size. Signed
comparison is required to allow for counter overflow as the counter reaches
its absolute maximum value. If the received sequence counter is within the
OW, the vehicle recognizes the message. The OW is updated continuously
for every valid message received. The update is done simply by storing the
received sequence counter in place of the current value in the memory. If the
received sequence counter is beyond the OW, due to multiple presses of the
button, the vehicle recognizes the message as an invalid message. Figure 3
illustrates the sequence counter OW.
Page 28
17
OW
Vehicle's Sequence CounterCurrent Value
IncrementDirection
Valid Sequence Counter
Invalid Sequence Counter
Figure 3: Sequence Counter Operation Window
More sophisticated synchronization mechanisms are also available if
the fob button is accidentally pressed a number of times beyond the OW.
One solution is based on the reception of two consecutive valid messages for
re-synchronization to occur [35].
2.3 BI-DIRECTIONAL RKE
A bi-directional communications protocols for RKE, also known as
Two-Way RKE [9], has been investigated in the past. Two-Way RKE
provides the user with a feedback regarding the status of the vehicle. The
feedback adds more value to the system especially for functions such as
remote engine start, or vehicle intrusion.
One of the communication protocols for bi-directional RKE is
presented in [41]. The communication starts when the user presses one of
the fob buttons. Initially both controllers in the fob and the vehicle are in a low
power consumption mode, also known as sleep mode. When a user presses
a button on the fob, the fob wakes up from its sleep mode. The fob then
Page 29
18
sends an initial message. The initial message consists of a wake up signal
and a fob identification code. The wake up signal wakes up all vehicles within
the fob transmission range from their sleep mode. The fob identification code
is a unique code for each fob manufactured. Each vehicle that wakes up
compares the received fob identification code against an initially stored one
in the memory. The vehicles that woke up but do not have a matching fob
identification code go back to sleep. The vehicle with a matching code is then
engaged with the fob in a sequence of steps to further identify the validity of
the fob. The authentication process is shown in Figure 4. The process can be
summarized as follows:
1. After the vehicle validates the identification code, it generates a
random challenge. The random challenge is then transmitted to the
fob. At the same time the vehicle encrypts the random challenge
using the same encryption key stored in the fob. The vehicle saves
the encrypted output of the random challenge as the “expected-
response”.
2. When the fob receives the random challenge, it encrypts the
challenge. The encrypted challenge is then transmitted as the
challenge-response.
3. When the vehicle receives the challenge-response, it compares the
challenge-response against the expected-response calculated in step
1. If the two match, the vehicle then identifies the fob as a valid fob.
Page 30
19
Wakeup Circuit
Generate RandomChallenge
Send RandomChallenge
Encrypt RandomChallenge
Receive RandomChallenge
Encrypt RandomChallenge
Send EncryptedChallenge
Receive EncryptedChallenge
Compare
Match ?
Valid Fob
Invalid Fob
Y
N
Fob Operation Vehicle Operation
Fob ButtonPressed
Transmit InitialCode
Sleep
Sleep
Time-outY
N
Figure 4: Example of rolling code for bi-directional RKE
Page 31
20
2.4 IMMOBILIZER
The immobilizer system provides the vehicle with additional level of
security. The main functionality of an immobilizer system is to electronically
verify the key when inserted in the ignition cylinder. The verification shall be
completed prior to engine start. To verify a valid key form others, a
batteryless Radio Frequency Identification Device (RFID), known as
transponder, is embedded in the head of the key. The ignition cylinder is
equipped with a loop antenna that communicates with the transponder via
Low Frequency (LF) magnetic field. When the user inserts the key in the
ignition cylinder the authentication protocol is started between the loop
antenna and the transponder. The authentication protocol for the immobilizer
system has been through several development stages. Different types of
transponders are required to support each protocol [12]. The authentication
protocols provide different security levels that can be summarized in the
following four subsections.
2.4.1 FIXED CODE
Fixed code is based on a read only transponder [21]. Each
transponder has an ID that is stored in its memory. The vehicle initially learns
the ID when the key is assigned to the vehicle. When the user inserts the key
in the ignition, the vehicle generates an interrogation field to read the fixed
code from the transponder. The vehicle then verifies the received code with
the one in its memory. If the two codes match, the vehicle recognizes the key
as a valid key. In response to a valid key, the vehicle authorizes the engine
Page 32
21
to start. Two types of fixed code transponders are presented in [12]. The
flexibility and security levels are different for each type. One type is based on
a unique ID that is assigned to each transponder at the manufacturing time.
The other type is based on the write-once transponder. The write-once
transponder provides the capability to someone with a read/write device
capability to duplicate the key without the need for the vehicle. This provides
additional level of flexibility to duplicate the key, however, the problem is if
that someone belongs to a criminal group who had access to the key during
valet parking or vehicle service.
2.4.2 ROLLING CODE
Rolling code system provides a higher level of security compared to
the fixed code transponder. It is based on a read-write transponder. The
vehicle controller has the ability to read and write the transponder’s memory.
It works similar to the fixed code except that the transponder sends a new
code to the vehicle every time the key is placed in the ignition cylinder. The
new code is uploaded and stored in the transponder memory during the
previous ignition cycle. Though rolling code immobilizer system provides a
higher level of security than a fixed code, it is more expensive, and requires
synchronization method in the event that the write to the transponder fails
during the previous ignition cycle
Page 33
22
2.4.3 PASSWORD PROTECTION
In this type of authentication the transponder is protected by a
password. The transponder requires the reader to send a password every
time the reader requests the transponder ID. If the reader sends the correct
password, the transponder then responds back with its ID code. This is a
simple mutual authentication process. Both parties have to identify
themselves. Though, this type of authentication provides a higher level of
security compared to the fixed code, it is still vulnerable to an attack. An
intruder with read capability equipment could read the vehicle password and
the transponder ID during valet parking or vehicle service. He could then
build an emulation circuit to bypass the password sent by the vehicle and
always respond with the transponder ID code.
2.4.4 CHALLENGE RESPONSE
Challenge response, also known as Identify Friend or Foo (IFF)
[35],[36], or digital signature [11],[12], provides a more secure and reliable
protocol. The protocol is based on cryptography. Typically, the transponder
has an encryption algorithm built into it. The same algorithm is also
implemented in the vehicle. Both the vehicle’s controller and the transponder
share the same encryption key that is initially stored in their memory. The
protocol starts when the user places the key in the ignition cylinder; the
vehicle sends an interrogation message that contains a random number,
called the challenge or the question. The transponder then encrypts the
challenge and sends the result back to the vehicle, normally referred to as
Page 34
23
the challenge-response or the answer. While the vehicle is waiting for the
response, it calculates the expected response using the same encryption key
in the transponder. If the received response matches the expected response,
the vehicle then identifies the key as a valid key. To ensure security, the
vehicle sends a new random challenge every time the key is inserted in the
ignition cylinder.
One of the requirements for the immobilizer system is to support
multiple keys for the same vehicle. In this case, the vehicle has to calculate
the expected response from each transponder programmed in the system.
This is because each transponder might be programmed with different
encryption key and the vehicle does not know which transponder has been
used during that ignition cycle. Calculating all possible responses may have
some security issues as well as increasing the system response time. One
approach is to have all transponders programmed with the same encryption
key. In this case one response is expected from all transponders. This might
be an issue if one of the transponders is lost. A different approach is to have
the transponder identify itself prior to the challenge signal. The vehicle then
looks up the corresponding encryption key to calculate the expected
response. This is very similar to the RKE bi-directional protocol described
earlier
It is interesting to mention at this point that the immobilizer system is
one of several applications based on RFID technology. Other applications for
RFID technology such as automatic retail fueling system [45], smart labels
Page 35
24
for baggage, super security access control, and many other applications are
available in the market or been advertised for [46].
2.5 PASSIVE ACCESS SYSTEM
The passive access system was introduced to the market as a
convenient feature. It eliminates the users need to reach for a fob or a
mechanical key to access their vehicles. The users are not required to take
any actions to identify themselves to the vehicle. The vehicle automatically
recognizes an authorized user from others by the possession of a CID. Any
user who carries an authorized CID is recognized as an authorized user to
the vehicle. Since the passive access system is installed on more than one
vehicle, each vehicle shall recognize a uniquely coded CID. This requires a
communication protocol to take place prior to any access to the vehicle. The
main purpose of the communication protocol is to validate the identity of the
CID held by the user. One of the major problems in a passive access system
is to start and establish the communication between the CID and the vehicle.
Several techniques were investigated to establish the communication without
the user interaction. One technique is to have the CID transmit an access
code message continuously. When the CID is within the vehicle reception
range, the vehicle receives the message. If the access code in the message
is valid, the vehicle unlocks the doors. This technique requires a
unidirectional communication link from the CID to the vehicle. The CID
battery consumption and security are major concerns in this technique. The
unidirectional link will be investigated in more detailed in Section 2.5.1. A
Page 36
25
different technique to establish the communication is to have the vehicle
continuously send an interrogation message. A CID within the vehicle’s
interrogation message range responds with an access code. If the access
code is valid, the vehicle unlocks the doors. This technique requires a bi-
directional communication link between the CID and the vehicle. The bi-
directional link is investigated in detail, with different trigger mechanisms, in
Section 2.5.2.
2.5.1 UNIDIRECTIONAL LINK
The first passive keyless entry system was introduced on the 1993
corvette [42]. It was designed and patented by Lectron Products [49],[50].
Lectron’s system was based on a unidirectional communication link from the
CID to the vehicle. The CID continuously transmits an access code message
while a user is carrying it. To save the power consumption of the CID battery,
a motion sensor is integrated inside the CID. In this system, the CID can be
in one of two different states:
Active state: In this state, the CID continuously transmits access
code messages. The CID enters this state when the motion sensor
detects a motion.
Sleep state: The CID enters this state when it is stationary. In this
state, the CID stops transmitting any messages in order to save power
consumption.
Page 37
26
A user walking with a CID causes the motion sensor to trigger the
CID to send its access code message. If the user is walking toward his
vehicle, the vehicle receives the CID’s message. If a valid message is
received, the vehicle then unlocks the doors. In addition to transparent
unlocking feature, the system is capable of automatically locking the vehicle
when the CID’s message is not received within a predefined time window.
There are several problems with this technique, such as:
i) If the user accidentally left the CID inside the vehicle, then there could
be some problem like the user might be locked out. Or some intruders
may come and shake the vehicle for the CID to transmit the access
code message. This will cause the vehicle to unlock the doors and
allow the intruders to get into the vehicle.
ii) Since the CID continuously transmits while the user is moving, power
consumption of the CID’s battery remains an issue.
iii) Collision of multiple signals may occur when multiple CIDs are
moving. As a result the vehicle may deny access since the received
signal might be corrupted due to collision. This situation may occur, for
example, when a user and a spouse, each carrying a different CID,
are approaching their vehicle. The collision of signals is also possible
at the sport arena parking lot where everybody is walking toward his
or her vehicle at the same time.
Page 38
27
iv) A thief can easily break the security of the system by grabbing the
code transmitted from the CID and then playing the code back next to
the vehicle when the authorized user is not around.
2.5.2 BI-DIRECTIONAL LINK
Even though Lectron’s system provides a user with a transparent
mechanism to access the vehicle, the security and reliability issues remain
as major concerns. Additionally, the system still requires the user to reach for
a key to start the engine. In order to provide the user with additional security
and comfort levels, Mercedes S-Class has introduced a different type of
passive keyless system [8],[33],[52]. Similar to the Corvette system, the
Mercedes system requires the user to carry a CID as a proof of identity.
When a user tries to open the vehicle’s doors or trunk or start the engine
either by pulling a door handle or pressing a button on the vehicle, the
vehicle sends an interrogation message. If an authorized CID is present
within the vehicle’s operating range, the CID responds with an access code
message. After receiving a valid access code message from the CID, the
vehicle performs the necessary operation based on the trigger source. For
example, unlocks the door if the door handle is pulled, or starts the engine if
a button is pressed inside the vehicle.
Different mechanisms have been investigated to initiate the
interrogation message. One approach is to use a mechanical switch installed
in the door handle assembly unit. The triggering switch could be a push
Page 39
28
button [15], or integrated with the door handle [51], or touch-sensitive switch
[16]. A second approach is the use of an infrared movement detector that is
positioned in the door handle region [28]. A third approach is to continuously
send an interrogation message to recognize the presence or absence of an
authorized user and automatically lock or unlock the vehicle [48]. The generic
term “vehicle trigger” will be used throughout this dissertation to indicate one
of the mechanisms that starts the communication from the vehicle side.
Regardless of the triggering mechanism, the communication protocol
starts from the vehicle side. The vehicle starts the communication by
transmitting an interrogation message. A CID within the vehicle’s
transmission range responds back with a message response. The
Interrogation message is sent via a Low Frequency (LF) magnetic field link.
The CID sends a response via a Radio Frequency signal (RF). The
communication links between the vehicle and the CID are shown in Figure 5
LF RF
T
T
RVeh
CID
Figure 5: Communication between the vehicle and the CID
To support the LF communication link, the vehicle is equipped with a
loop antenna in each door handle. The operating range between the CID and
the loop antenna as suggested in [38] is about 2 to 2.6 meters. The LF link is
Page 40
29
used in order to have a better range control between the interior and exterior
of the vehicle [18]. This is due to the fact that the intensity of a magnetic field
generated by an LF coil decreases at a rate proportional to the cube of the
distance [16]. This property of LF signals allows for a better control of the
coverage boundary within the vehicle interior. It also provides better control
over the operating range of the signals outside the vehicle. The RF link is
used in the return communication link (i.e. from the CID to the vehicle) due to
the following reasons:
An RF signal needs less power than an LF signal to transmit a
message within the same range. This is due to the fact that the
strength of an RF signal decreases with the square of the distance as
opposed to the cube of the distance for an LF signal.
The CID runs from a small battery power supply, so the use of an RF
signal from the CID to the vehicle will have less impact on the CID
battery power consumption compared to an LF signal in order to cover
the same communication range.
A high bit rate can be achieved if a message is transmitted using an
RF signal as opposed to LF signals.
Only one RF receiver is necessary inside the vehicle as opposed to
multiple LF receivers needed to cover the entire operating range of the
system.
Page 41
30
An authentication process starts as soon as the vehicle is triggered.
The vehicle starts the communication by sending an LF interrogation
message. One portion of the LF interrogation message is a wake-up signal.
This signal is used to wake up all CIDs within the operating range from their
sleep mode. The interrogation message may also include some coded bits
for security purposes. Once a CID wakes up from its sleep mode, it decodes
the information received if any, and responds back to the vehicle with an
access code. The entire bi-directional authentication process has to be
completed before a door handle reaches its full travel. If the control unit in the
vehicle receives a valid message from the CID, it unlocks the doors and
allows the user to access its compartment.
The use of the bi-directional communication link for passive access
systems provides several variations to implement an authentication process
between the CID and the vehicle. Similar protocols like the one used for
immobilizer systems may also be used for passive access systems.
However, there are several important requirement differences between
immobilizer systems and passive access systems. These differences are
summarized as follows:
i) The passive access system has a longer range than the immobilizer
system. This may introduce an easy method for an attacker to grab
the code and analyze it.
Page 42
31
ii) Access to the immobilizer interrogation message requires an attacker
to be inside the vehicle compartment. This is not the case for the
passive access system where an attacker can access the
interrogation message by simply pulling the door handle.
iii) The protocol for the passive system has to provide means to
coordinate among two or more units involved in the protocol (multiple
CIDs in the working range when the vehicle is triggered). This is not
the case for the immobilizer system where only the vehicle and one
key are engaged in the protocol.
iv) The timing requirements to complete the authentication process for a
passive access system is more restrict than the timing requirements
for an immobilizer system.
In summary, the use of bi-directional communication links between the
vehicle and the CID allows several protocol variations. Table 1 shows some
of those variations.
Page 43
32
Protocol Name LF RF
Trigger-Fixed Trigger Fixed code
Trigger-Rolling Trigger Rolling Code
Fixed-Fixed Fixed code Fixed code
Fixed-Rolling Fixed code Rolling Code
Variable-Variable Rolling Code Rolling Code
Challenge-Response Challenge Response
Table 1: Summary of available authentication using a bi-directional link for passive vehicle
i) Trigger-Fixed: In this protocol, the vehicle sends an LF trigger. The
trigger contains no information. The CID senses the LF trigger and
responds back with its fixed code. One advantage of using a non-
coded LF trigger is to reduce the cost of an LF demodulator circuitry in
the CID
ii) Trigger-Rolling: In this protocol, the vehicle sends an LF trigger. The
trigger contains no information. When the CID senses the LF trigger it
responds back with a rolling code. The system works exactly as a
rolling code RKE. However, the user’s action of pressing a button on
the fob is replaced by sensing an LF trigger from the vehicle.
Page 44
33
iii) Fixed-Fixed: This is similar to the password protection method used in
the immobilizer system. One implementation of this approach can be
found in [37].
iv) Fixed-Rolling: This is similar to the Trigger-Rolling method except that
the CID checks if the received fixed code matches a preset code in
the CID memory before the CID responds back with its rolling code.
v) Variable-Variable: This is similar to the rolling code described in
Section 2.4.2.
vi) Challenge-Response: This is also similar to the challenge-response
described in Section 2.4.4.
2.6 RANDOM NUMBER GENERATORS
One of the suggested protocols in Table 1 is the use of a challenge
response protocol. The protocol starts when the vehicle sends a challenge
that is a random code and different for every activation. The heart of the
random challenge is a random number. A random number provides the
challenge with its randomness property. Random numbers are commonly
used for simulation purposes. They form the basic tool for any stochastic
modeling. Good simulation results mainly depend on the selection of the
random number generator. A good generator provides a sequence of random
numbers that are non-deterministic and completely independent from each
other. On a computing machine, a completely independent random numbers
Page 45
34
are very difficult if not impossible to generate [14]. A completely independent
random number generator needs to collect its input from a non-predictable
and non-deterministic behavior natural source. Such source might not be
available or expensive to provide in a computing machine.
Other problem with completely independent random number generator
is the lack of reproducing the random sequence. For certain systems, it is
important at one point to have the capability to provide the same input
random sequence to the tested model. For example, during the debugging
phase, it may be much easier to isolate a problem if a designer has the
capability to provide the same input sequence while tuning other calibration
parameters.
As an alternative solution to completely independent random
numbers, programmers commonly use a more deterministic approach to
generate a random sequence. The algorithms that generate a deterministic
sequence of random numbers are known as pseudo-random number
generator algorithms. Throughout this chapter and the following chapters, we
will use the term random to mean pseudo-random.
Different algorithms to generate random numbers have been
investigated in the past for several applications. Most of these algorithms
start with a seed value and use a set of mathematical operations to generate
a sequence of random numbers. Linear Congruential Generator (LCG) is one
Page 46
35
known method to generate random numbers. The general expression of an
LCG is given by the following equation
Yn+1 = (a*Yn+b) mod m
Where a, b, and m are constants. Yn is the current random number,
and Yn+1 is the next random number in the sequence. The sequence starts
with Y0 (the seed value). Because of the mod function, random numbers
produced using an LCG ranges from 0 to m-1. However, it is possible that
some of the random numbers within the range may not be produced. Careful
selection of a, b, and m parameters are necessary to produce a random
number sequence of maximum length. Details on the proper selection of
these parameters can be found in [23],[27].
Linear congruential generator is one example of a polynomial random
number generator. Other examples of polynomial random number generators
are the quadratic and the cubic random number generators. These
generators take the form shown in the following equations
Quadratic: mcYbYaY nnn mod)**( 21 ++=+
Cubic: mdYcYbYaY nnnn mod)***( 231 +++=+
One of the main advantages of using a LCG over other polynomial
generators is its efficiency. It is fast to execute, and it does not take a lot of
code space to implement. Other variations of LCG were examined to
Page 47
36
combine several LCGs together [26]. The result was a longer cycle of
random sequence.
2.7 SECURITY THREAT
The main purpose of a passive access system is to eliminate the
users’ need to reach for an authentication device in order to gain access to
their vehicles. The authentication process is made transparent to the users
while they attempt to access their vehicles. While providing the user with a
transparent authentication process is a desirable feature it introduces several
security weaknesses. These weaknesses may provide an attacker with an
unauthorized access to the vehicle. The main security weaknesses against
passive access vehicles are due to two main reasons:
i) An attacker can pull the vehicle’s door handle unlimited number of
times to transmit interrogation messages.
ii) The CID responses can be solicited without the owner’s knowledge.
An attacker can generate an interrogation message next to the
vehicle’s owner who carries an authorized CID. The CID responds to
an interrogation message since it can’t differentiate whether the
received interrogation message is from the vehicle or from a non-
trusted party.
Evaluating the level of security threat against the system is an interesting
subject. The article in [1] categorizes different types of attacks into three
Page 48
37
different classes. We summarized these classes according to the attacker’s
capability to build a theft device.
I. Clever Outsiders: This class represents a person or a group of
people who are very intelligent with limited resources. They have the
required skill level and knowledge to assemble and build a device that
takes advantage of a certain security weakness.
II. Knowledgeable Insiders: This class represents a person or a group
of people who have detailed knowledge of the system components.
They gain their knowledge either from their capability to access
sophisticated equipment to analyze the system functionality or from
their capability to obtain detailed description regarding the system
design. One example could be a former employee who works on the
system design.
III. Funded organizations: This class represents a group with unlimited
resources. They have the capability to bring the required skills and
tools to design a sophisticated attack.
Assembling an attack-device is the first step in the attack process. The
second step is to perform the attack. The motive for the people who builds an
attack-device may be different than the motive for those who perform the
attack against the passive access vehicles. Of course, the most obvious
motivation for both parties is the financial gain. However, the method,
volume, and associated risk with this gain are different. In general, the
Page 49
38
people who develop an attack-device have higher degree of intelligence than
those who perform the attack. They are willing to take a minimal risk or no
risk at all of being caught. Their objective is to sell as many devices as
possible in the black market. On the other side, the people who perform the
attack are under a lot of pressure with high risk of being caught. They try to
finish their attack as fast as possible. Understanding the circumstances and
working environment around the system attackers are important parts of
evaluating the security threat. For example, if a security threat against a
system requires an attacker to spend two or three months to break into a
vehicle, it may not be a viable threat. Similarly, the threat may not be a valid
threat if an attacker is required to buy or develop a customized device that is
more expensive than the vehicle itself in order to perform his attack. Unless
the same device can be used with minimal calibrations and adjustments to
break into multiple vehicles, the financial impact of building a customized
attack device may not be justifiable.
Based on the attacker’s approach against the passive access system,
several attacks have been identified. These attacks can be classified in three
different categories as discussed in the following subsections.
2.7.1 DETERMINISTIC APPROACH
In this approach, we use the word thief to denote an attacker. Attacks in this
approach are easy to perform. They are deterministic in nature. The thief
performs the attack only once to gain an unauthorized access. There is no
Page 50
39
trial and error process in this approach. Playback attack and relay attack are
two examples that belong to this approach. These attacks are summarized in
the following two subsections. Little bit more descriptions of the analysis of
these two attacks are presented in the next chapter
2.7.1.1 PLAYBACK ATTACK
Playback attack, also known as replay attack, is briefly described in
the previous chapter. In this attack, the thief captures a previously
transmitted message from an authorized device. Later on, the thief plays
back the captured message pretending that it is sent from an authorized
device.
Building a theft device to perform a playback attack is a simple thing to
do. The main components of the device are a transceiver and a micro-
controller. In fact, such devices have been advertised as tools for the “legal
repossession of vehicles” [33].
2.7.1.2 RELAY ATTACK
Relay attack, also known as the two-thief attack, is another
deterministic approach to gain an unauthorized access to the vehicle. In this
type of attack, two thieves come to bridge the gap (distance) between the
vehicle and its owner as shown in Figure 6. All the communication between
the vehicle and the CID are done in real-time. The thieves are not required to
know or analyze the contents of the messages communicated.
Page 51
40
//
Thief-1Thief-2
OwnerWith CID
Figure 6: Illustration of a two-thief attack problem
To perform the attack, two thieves are required. Let us call them Thief-
1 and Thief-2. Thief-1 stands next to the vehicle and Thief-2 stands next to
the owner with the authorized CID. Each one of the two thieves carries a
repeater that is capable of transmitting and receiving at the same time. The
repeater mainly receives a signal from one side and sends the signal to the
other side after amplification. Thief-1 first triggers the vehicle to send an
interrogation message. Thief-1 who is within the vehicle’s transmission range
receives the signal from the vehicle. As Thief-1 receives the signal from the
vehicle, the repeater amplifies the signal and transmits it via a predetermined
channel to Thief-2. Thief-2 receives the signal from Theif-1 on the
predetermined channel and then sends the signal to the authorized user. The
CID that is carried by the authorized user, responds upon receiving the signal
from Thief-2. Thief-2 receives the response from the CID and then sends it
back to Thief-1. Thief-1 then receives the signal from Thief-2 and sends it to
the vehicle. Since the vehicle receives a valid CID message in response to
its interrogation message, the vehicle unlocks the doors.
Page 52
41
2.7.2 STATISTICAL APPROACH
In this approach, we use the word intruder to denote the attacker.
Theoretically speaking, if the system is secure to guard against all known
attacks, then there is no way to break the system other than trial and error.
The objective of using trial and error is to try as many combinations as
possible till a successful trial is achieved. Such attacks are statistical in
nature. The success of an attack mainly depends on the system design
parameters. The most critical parameter is the number of bits used to create
different combinations. Increasing the number of combinations can
significantly reduce the risk of such attacks. However, the chance to break
the system is still there. Scanning attack and dictionary attack are two
examples that belong to this approach. These attacks are summarized in the
following two subsections. Some more descriptions of the analysis of these
two attacks are presented in the next chapter.
2.7.2.1 SCANNING ATTACK
In the rolling code RKE system, the intruder performs a scanning
attack by transmitting a different code to the vehicle for each trial. The
intruder’s main objective is to try as many different combinations as possible
till the vehicle recognizes a valid code. In a passive vehicle access system
that utilizes a challenge-response authentication approach, the scanning
attack is a little bit different. An intruder could try to gain an unauthorized
access to the vehicle by initiating the vehicle-trigger (e.g. pull the door
handle) many times. As a result of each vehicle-trigger, the vehicle sends a
Page 53
42
different interrogation message. Each time the vehicle sends an interrogation
message, the intruder responds back with a fixed code. The objective is to
have the vehicle generate a random challenge that corresponds to the fixed
code transmitted by the intruder. The probability of a successful attack
depends on three main things, the number of bits used in the random
challenge, the random number generation algorithm, and the number of trials
conducted by the thief. The random number generation algorithm plays a
significant role in increasing and decreasing the probability of a successful
attack. A model of the random number generator is presented in Section 3.5.
The model is then used in Section 3.7 to analyze the risk of the scanning
attack.
2.7.2.2 DICTIONARY ATTACK
The dictionary attack is a powerful statistical approach against the
passive access system that employs a challenge-response protocol. The
dictionary attack is possible only if there is access to the CID. Since sending
an interrogation message can trigger the CID, a dictionary attack may be
performed as follows:
1. An electronic dictionary is constructed by sending different challenges
to the CID and recording the CID’s responses. This method requires
proximity to the CID, usually with the vehicle’s owner. The vehicle’s
owner is not aware of the attack since the CID automatically
responses to the challenge. The CID’s responses to the challenges
will be stored as a challenge and a challenge-response pair. Let D
Page 54
43
denote the number of challenge and challenge-response pair entries
captured in this step.
2. After building a dictionary of size D, the next step in the attack is to
pull the vehicle’s door handle in order to initiate an interrogation
message (challenge) from the vehicle.
3. If the challenge matches any entry in the dictionary, the corresponding
response is sent. If the challenge does not match any of the
challenges stored in the dictionary, the dictionary responds with a
fixed response (modified scanning attack). The fixed response is
chosen to be different from any of the responses captured in the first
step.
A security threat analysis of the dictionary attack is presented in Section 3.8
of the next chapter
2.7.3 ANALYTICAL APPROACH:
. This approach is different from the other two. The success of this type of
attack is based on the attacker’s capability to capture several authentication
messages and analyze them to reveal some of the system security
parameters (e.g. encryption key used). Cryptanalysis and challenge
prediction attacks are two examples that belong to this approach. These
attacks are summarized in the following two subsections. More description
on the analysis of these two attacks is presented in the next chapter.
Page 55
44
2.7.3.1 CRYPTANALYSIS ATTACK
Cryptosystems provide different degree of security based on the
amount of information and degree of freedom available to a cryptanalyst.
This is regardless of the encryption algorithm used. Two different
cryptosystems could use the same encryption and decryption algorithms but
they may provide two different levels of security. From cryptanalysis point of
view, there are several levels of security classification [39]. The most
common three that are related to our work is described below. These
classifications assume that the encryption and decryption algorithms are
public domain.
i) Ciphertext-only: This is the most difficult attack classification due to
the limitation of information available to a cryptanalyst. In this
classification, the cryptosystem communicates over a public channel
using encrypted messages only. This allows a cryptanalyst who listen
on the same public channel to capture one or more encrypted
messages (ciphertext). All captured messages are encrypted using
the same encryption key. The cryptanalyst’s task is to recover the
plaintext of current or future messages, or better find the encryption
key used.
ii) Known-Plaintext: In this type of classification, a cryptanalyst has
access to the ciphertext and the plaintext of one or more messages.
For example, a system that uses a challenge-response protocol for
authentication, sends both the plaintext (challenge) and the ciphertext
Page 56
45
(response) over the public channel (wireless communication). The
cryptanalyst task is to develop an algorithm to encrypt any plaintext, or
better deduce the encryption key used.
iii) Chosen-plaintext: This classification is similar to the known plaintext
in terms of the amount of information available to a cryptanalysts. In
addition, the cryptosystem allows a cryptanalyst to select the plaintext
to encrypt. This provides a cryptanalyst with an additional degree of
freedom to deduce the encryption key in less amount of time. For
example, in the challenge-response protocol used in the immobilizer
system, if the transponder responds to any challenge it receives, a
cryptanalyst can select certain challenges that may help to recover the
encryption key quicker. Cryptosystems that provide this amount of
information and degree of freedom are classified to be less secure
than the known-plaintext classification. This is true because of two
reasons. First, the cryptanalyst does not need to wait for the
communicating parties to communicate. Second, the cryptanalyst
selects the inputs based on an initial study that certain inputs reveal
more information than others do.
There are several cryptanalysis methods and techniques that are
investigated in the literature. Related-Key cryptanalysis attack developed in
[3],[22],[20] where used against several algorithms such as GOST [13], IDEA
[29], and SAFER [32]. Differential cryptanalysis attack is another technique
introduced in [4],[5],[6],[7]. The differential cryptanalysis is used against the
Page 57
46
Data Encryption Standard (DES) algorithm and other known algorithms.
Cryptanalysis methods and techniques are part of a very wide subject. For
this research work our need is limited to know that such techniques exist.
The details of these techniques are beyond the scope of our work and will
not be further investigated.
2.7.3.2 CHALLENGE PREDICTION ATTACK
In this attack an intruder tries to predict the next challenge by
observing the previous few challenges. Previous challenges can be obtained
simply by triggering the vehicle’s door handle several times. If an intruder has
a method to predict the next challenge, he can build a device to generate the
predicted challenge himself. To perform the attack, the intruder sends the
predicted challenge next to the owner of the vehicle who carries an
authorized CID. In response to the challenge, the CID responds back with a
challenge-response message. The intruder records the challenge-response
message and proceeds in his attack next to the vehicle. The next step for the
intruder is to pull the vehicle’s door handle in order to send the predicted
challenge. In response to the challenge, the intruder plays the message
previously recorded from the CID. Of course, the intruder will be successful
in his attack provided the vehicle generates exactly the same challenge that
the intruder had predicted.
This attack can be made possible for an average user to perform. The
intruder is not required to be a cryptanalyst to conduct the attack. However,
Page 58
47
the person who designed the attack equipment should have a certain degree
of knowledge. For example, the attack equipment can be self-calibrated with
instructions to use. The user interface can be made via two light indicators,
red and green light indictors. The red indicator informs the user that the
system is not calibrated yet to predict the next challenge. In this case the
user is required to trigger the vehicle again. The green indicator informs the
user that the equipment has captured enough challenges to predict the next
one. In this case the user can continue with the attack as described earlier.
Page 59
48
CHAPTER 3
SECURITY ANALYSIS
In Section 2.7, we identified several security weaknesses against
passive access vehicle system. Identifying the security weaknesses and
possible threats are the first step in the design process towards a secure
system. The second step is to analyze and measure each security threat.
What is the root cause of the threat? How can we measure the risk
associated with a threat? What options do we have to eliminate or reduce the
risk of a threat? Is there a tradeoff between improving security and other
system parameters? The main objective of this chapter is to provide analysis
for each one of the security threats identified in Section 2.7 of the previous
chapter.
This chapter is organized in seven sections. These sections are
presented in the following order for better flow and understanding of the
material. In the first two sections, we analyzed the deterministic approach
attacks. Playback attack analysis for different communication links is shown
in Section 3.1. Analysis of the tools needed to perform a relay attack is
presented in Section 3.2. More details on relay attacks, relay attack
countermeasures, and analysis of solutions are left to the next chapter. In the
third and fourth sections, we analyzed the analytical approach attacks. A
visual spectrum of different cryptanalysis categories is given in Section 3.3.
Analysis for the challenge forward prediction attack is presented in the form
of requirements in Section 3.4. A model for random challenge and methods
Page 60
49
for measuring system security are presented in Section 3.5 and Section 3.6,
respectively. These sections are presented after the challenge prediction
attack and before the statistical attacks for two reasons. First, the analysis of
the challenge prediction attack imposes some requirements that are
necessary to implement in the random challenge model. Second, the random
challenge model and the security measures are used as basic tools to
analyze the risk of the statistical attacks. Detailed analyses of the scanning
attack and dictionary attack are given in Section 3.7 and Section 3.8,
respectively.
3.1 PLAYBACK ATTACK
Playback attack can be easily performed against passive access
vehicle system that is based on a unidirectional communication link. For
example, the Lectron’s system described in the previous chapter is an easy
target for a playback attack. In this system a thief can easily capture and
record the message transmitted by an authorized CID just by standing close
to the owner of the vehicle. The thief can then replay the recorded message
next to the vehicle to gain an unauthorized access.
An alternative approach to a unidirectional communication link is the
use of a bi-directional communication link. In Section 2.5.2 of the previous
chapter we examined several authentication protocols that is based on a bi-
directional communication link for use in passive access system. Several
protocols were examined. The first four protocols in Table 1 were based on a
Page 61
50
fixed content message in either or both directions. The use of a fixed content
message in any communication link of the authentication process is subject
to a playback attack. A successful playback attack can be performed
regardless of whether the fixed code is sent from the vehicle to the CID or
from the CID to the vehicle. As long as one of the communication links
content is the same in every authentication, a thief can record the fixed
content communication link either to gain access to the vehicle, or to solicit a
new valid access code from the CID. For example, if the LF signal is used
only to wake up the CID every time a door handle is pulled, a thief can simply
assemble a device to perform a playback attack. One implementation is to
equip the theft device with two buttons, ‘solicit’ button, and ‘play’ button.
When a thief presses the ‘solicit’ button, the device performs two steps: First,
it sends an LF wake up signal similar to the one the vehicle sends. Second, it
records any message in response to the LF wake up signal. The ‘play’ button
is then used to send the recorded message captured when the ‘solicit’ button
was pressed. With such a device, a thief can solicit any CID response by
pressing the ‘solicit’ button while standing next to the vehicle’s owner. Of
course, the captured message from the CID is a valid message whether its
content is variable or fixed.
The rolling code protocol was also examined for bi-directional
communication link. There are several variations of rolling code that can be
implemented. The major problem with rolling code is the synchronization
between the vehicle and the CID. Synchronization is a problem when any of
Page 62
51
the communication links are not reliable. It is also a problem when one side
is triggered to transmit while the other side is not in the reception range.
To address the playback attack and the synchronization problems, a
random challenge response protocol was introduced as an alternative
solution. In this solution, the message contents from the vehicle to the CID
and vice versa changes in every authentication. This prevents a thief with
recording equipments to obtain any valid message that could be used later to
gain access. The challenge response protocol is also synchronization free.
There is no need to implement any synchronization method for future
authentication in the event that one of the communication links is corrupted
during the previous authentication.
3.2 RELAY ATTACK
In this section we take a close look on how the thieves may design a
relay attack device and how they may attack the passive access security
system. Figure 7 shows the block diagram of a repeater that the thieves may
use.
Figure 7: Block diagram of a thief’s repeater system.
A repeater consists mainly of two units, U1 and U2. Each unit, Ux, has
a transmitter Tx and a receiver Rx. The two units are physically apart from
Page 63
52
each other. Unit U1 communicates with U2 via an RF signal at carrier
frequency f1. The frequency f1 is predefined and selected by the thieves. U1
modulates the input signal received through the receiver R1 using a carrier
frequency f1. The modulated signal is then sent to unit U2. U2 demodulates
the signal to reconstruct the original input signal IN. The reconstructed input
signal IN is the signal OUT shown in Figure 7. The signal OUT is then sent
using transmitter T2. Ideally the output signal OUT is equal to the input signal
IN with some delay. In order to bridge the signals from the vehicle to the CID
and vice versa, two repeaters are required as shown in Figure 8. The first
repeater sends the signal from the vehicle to the CID, and the second
repeater sends the signal from the CID to the vehicle. In order to avoid any
interference between the two repeaters, the thieves can design their systems
to communicate at two different carrier frequencies f1, and f2.
Figure 8: A complete theft device using two repeaters.
In the current passive entry system an LF link is used from the vehicle
to the CID and an RF link is used from the CID to the vehicle. So in the
above figure, Repeater-1 will be used to bridge the gap (distance) between
Page 64
53
the vehicle and the CID for the LF link, and Repeater-2 will be used to bridge
the gap for the RF link from the CID to the vehicle. The thieves are using two
different carrier frequencies f1 and f2 to avoid interference among the signals
in the link between the two thieves. Since the signals IN1 and OUT1 are LF
signals and IN2 and OUT2 are RF signals, there will not be any other kind of
interference between repeater-1 and repeater-2. As a result Thief-1 will be
able to gain access to the vehicle.
3.3 CRYPTANALYSIS ATTACK
In Section 2.7.3.1, three different classifications of cryptanalysis attack
were presented. These classifications are based on the amount of
information and degree of freedom the system provides to an intruder. The
system is more secure if the amount of information and degree of freedom is
less. Figure 9 shows a classification spectrum that represents the three
classifications.
Known Plaintext
Chosen Plaintext
CiphertextOnly
Figure 9: Cryptanalysis attack spectrum
Page 65
54
The Chosen-Plaintext represents the class with the most amount of
information and degree of freedom available to the outside. The Known-
Plaintext represents a class with less information and freedom. It is
represented as a subset of the Chosen-Plaintext class. Any information that
is available in the Known-Plaintext is also available in the Chosen-Plaintext.
Finally, the Ciphertext-only class provides the least amount of information. It
is represented in the center of the spectrum.
The spectrum provides a visual comparison to compare different
cryptosystems against each other from a cryptanalysis point of view. We said
that the cryptosystem is more secure if it is closer to the center of the
spectrum. For example consider the three cryptosystems ‘A’, ‘B’, and ‘C’
represented on the spectrum in Figure 10.
Known Plaintext
Chosen Plaintext
CiphertextOnly A
C
B
Figure 10: Examples of different systems on the cryptanalysis spectrum
Cryptosystem ‘A’ could be a rolling code RKE for example. It is placed
as shown on the spectrum to overlap between the ciphertext and the known
Page 66
55
Plaintext class. A cryptanalyst can observe the ciphertext when the user
presses a button to unlock or lock the vehicle. Even though the cryptanalyst
can’t see the full plaintext, he could see part of it by observing the action
taken by the vehicle, assuming that the function code ‘lock’ or ‘unlock’ is part
of the encrypted message. Furthermore, since the rolling code is based on a
sequence counter that is incremented for every transmission, a cryptanalyst
can depend on this fact to obtain additional information about the plaintext.
Cryptosystem B, and C may represent an immobilizer system that
uses a challenge response protocol. Both fall in the Chosen-Plaintext class.
System B always responds to any challenge received. If system C is
designed such that the transponder responds to a limited number of
challenges per unit time, then we place system C to be closer to the
spectrum center. It is obvious that system B provides higher degree of
freedom to a cryptanalyst than system C. For this reason it is represented as
shown on the spectrum.
The Cryptanalysis attack presents a low risk method against the
passive access system for the following reasons:
i) A Cryptanalysis attack requires time and effort to capture several
messages for analysis.
ii) A Cryptanalysis attack requires an individual with a higher degree of
intelligence. Such individual can do better things in his life than
attacking the passive access vehicle system.
Page 67
56
iii) The attack is different from one vehicle to the other. The time and
effort an intruder needs to spend on attacking one vehicle, is the same
if he wants to attack another vehicle. This demoralizes the intruder to
proceed with his attack, because the financial gain may not be
justifiable. The need to solve the system security weaknesses to
prevent a cryptanalysis attack is of very low concern.
3.4 CHALLENGE PREDECTION ATTACK
Prediction of a challenge mainly depends on the strength of the
random number generator used to assemble the challenge. In Section 2.6 we
studied the LCG as a method for random number generator. While LCG is
fast and useful to generate a sequence of random numbers for simulation
purposes, they are not suitable for other applications. One of the major
problems with LCG method is that they are predictable. The next random
number in the sequence is predictable to a cryptanalyst who observes
previous random numbers. For example, if the detailed information about the
generator used is public, then predicting Yn+1 is as simple as observing the
current value Yn. Even without knowing the generator parameters, several
techniques are investigated in the past to break LCG, quadratic generators,
cubic generators, and in general any polynomial congruent generator
[24],[25].
Prediction of a new random number is the key threat for a successful
attack against the passive access system. There are other applications
Page 68
57
where forward prediction of random numbers is a concern. For example, in
the gaming industry, a slot machine will fail if a gambler can predict the next
spin based on previous spins. Such application requires the random
sequence to be forward unpredictable. Backward predictability of previous
sequence is harmless if the gambler predicts the previous spins based on the
current spin.
Though prediction of random numbers via mathematical analysis
constitute a strong and efficient method to brake some of the known random
number generators, there are several other methods or tools to do so. The
validity of these tools and methods depends mainly on the proprieties of the
random number generator used. Each random number generator has its own
unique features. Similarly, each application has its own unique requirements
from a security point of view. In selecting a random number generator, it is
important that the selected random number generator features matches or
exceeds the system requirements. Some of the requirements in selecting a
random number generator for passive access system are outlined in the
following subsections.
3.4.1 EXTERNAL MANIPULATION.
External physical quantities such as the time delay between activation,
temperature measurements, external reset via battery disconnect, and time
of an external event is not hard for an intruder to induce into the system. An
intruder can easily manipulate a random number sequence if such quantities
Page 69
58
are used as a seed value to the random number generator. For example,
imagine a random generator that depends on the system clock as a seed
value. In an embedded system design, most of the Electronic Control Units
(ECU) in the vehicle enters a sleep state to reduce the power consumption.
Each ECU has different requirements to enter or exit a sleep state. When an
ECU exits a sleep state the system clock starts. Typically, the system clock
starts from an initial value known as the power on reset initial value. In a
passive access vehicle system, an ECU exits a sleep state upon door handle
trigger. After an initialization phase, the ECU starts the random generator
with a seed value captured from the system clock. Every time a door handle
is triggered, the seed value will be about the same, hence the same random
number. Slight variations are possible due to other activities the ECU may
manage at the same time. For this example, it does not matter whether a
random number generator provides a large number of bits or not, an intruder
has a small space to search for those random numbers that are the most
likely to occur.
3.4.2 DIFFERENT SEQUENCE FOR DIFFERENT ECUS
Random number generators are normally implemented as part of the
source code that is stored in the micro-controller ROM. It is cost effective to
provide the same code in the ROM for each ECU produced. In general, each
ECU has a non-volatile read-write memory, EEPROM alike, which holds
calibration specific parameters for a vehicle. The ECU that contains the
random number generator has to implement a mechanism to provide
Page 70
59
different sequence of random numbers when installed in different vehicles. A
random number generator that produces the same sequence of random
numbers for different vehicles is subject to a pre-knowledge or forward
prediction of the random number sequence. An intruder can monitor the
random sequence on one vehicle and then use that knowledge against other
vehicles. Most of the random number generators start from a seed value that
is stored in the EEPROM. The seed value is then updated every time the
random number generator is invoked. Having different seed values for
different ECUs will not guarantee that the random sequence on the two
vehicles will not synchronize to the same sequence at one point in the future.
3.4.3 STATISTICAL REQUIERMENTS
In a cryptographic random number generator, the statistical
characteristics of the random numbers produced plays an important key to
measure the strength of the random sequence. One of the main objectives in
choosing a random number generator is to make the random sequence
extremely difficult for an intruder to guess.
In this section, we impose several statistical requirements on the
random number sequence. The main purpose for these requirements is to
maximize the challenge search space to an external observer. In other
words, we would like to have a random number generator with statistical
proprieties that make the possibility to guess the next random number as
difficult as possible.
Page 71
60
3.4.3.1 FLAT DISTRIBUTION
One of the statistical requirements of a random number generator is to
produce random numbers that are equally likely to occur. If the probability of
different random numbers is unequal, then there are some random numbers
with higher probability than the rest. Typically, an intruder starts his guesses
with those random numbers that have the highest probability.
Flat distribution of the random numbers is an important requirement,
since the size of the space an intruder has to search for successful guess is
directly related to the amount of information a random number generator
produces. According to Shannon [40], a source produces an amount of
information that is proportional to the probability distribution of the produced
code. An estimate or a measure of the amount of information known as the
entropy or H, is given by:
∑=
−=C
iii pLogpH
12 )(
Where:-
i : is an index that represents the random number
C : is the size of the random space.
pi : is the probability of each random number generated.
To better understand the effect of a non-uniform distribution, consider
the following example:
Page 72
61
Assume a simple 3 bit random number generator. At any instant, the
random number generator produces one of eight possible values. Let i
denote the random number, and pi denote the corresponding probability as
shown in Table 2.
i pi Log2(pi)
1 1/32 -5
2 1/16 -4
3 1/8 -3
4 1/4 -2
5 1/2 -1
6 1/64 -6
7 1/128 -7
8 1/128 -7
Table 2: Example of random numbers probability distribution and their corresponding amount of information
Note that:-
∑=
=8
11
iip
For this example, H can be calculated by
∑=
−=8
12 )(*
iii pLogpH
Page 73
62
−+−+−+−+−+−+−+−−=
1287
1287
646
21
42
83
164
325H
H = 1.984
While 3 bits are required to present any of the 8 possible random
numbers, the effective or average bits of information is equal to 1.984. This
means that the intruder search space has been reduced from 8 (23=8)
possible combinations to 3.96 (21.984=3.96). Typically an intruder has to start
with the most likely random number, followed by the next and so on. In the
above example the intruder has to start with the random number 5 since it
has the highest probability (pi =0.5) to occur.
3.4.3.2 AVALANCHE EFFECT
A different statistical requirement on the random number generator is
to satisfy the avalanche effect criterion. This criterion requires that a single bit
change in the input causes on average, half the bits to change on the output
of the generator. It is important to emphasize that we used the word “on
average” to describe the total number of bits change. The use of the word
“on average” does not mean that the number of bits that changes their value
between two consecutive random numbers is exactly half the total number of
bits. It is possible to have less or more number of bits that changes their
value than half the total number of bits. However, the probability for this to
occur is lower. To better understand the avalanche effect on maximizing the
intruder search space, we present the following analysis
Page 74
63
Let n and k represent the total number of bits in the random number, and the
total number of bits that changes in consecutive random numbers,
respectively.
If one bit only changes its value (k=1) between two consecutive
random numbers, then there are n different possibilities to guess the next
random number.
If two bits change their values (k=2), then there are C2 possibilities to
guess the next random number. Where C2 is given by
2)1(*
22−=
= nnn
C
In general, for any k bit change, there are Ck different possibilities to
guess the next random number, where Ck is given by
!)!*(!
kknn
kn
Ck −=
=
As the number of possibilities increases, an intruder’s search space
increases too. So, what is the value of k that maximizes the total number of
possibilities?
To answer this question, let Dk represent the difference between Ck
and Ck-1.
Dk = Ck - Ck-1
Page 75
64
−
−
=
1kn
kn
Dk
)!1)!*(1(
!!)!*(
!−+−
−−
=kkn
nkkn
nDk (3.4.3.2-1)
With some mathematical simplifications, Equation (3.4.3.2-1) can be
reduced to
!)!*1()21!*(
kknknnDk −+
−+= (3.4.3.2-2)
The number of possibilities Ck increases as long as Dk is positive. The
first value of k that makes Dk negative represents the prior value of k at which
Ck is maximum. Dk is negative when the numerator in Equation (3.4.3.2-2) is
negative
n!*(n+1-2k) < 0 (3.4.3.2-3)
Solving Equation (3.4.3.2-3) for k
21+> nk
This means that the value of k at which Ck has its maximum value is
equal to
+=
21nk
For example if n =16, then
Page 76
65
85.82
116 ==
+=k
Figure 11 shows Ck for n=16 and k=0,1,2,..,16
0
2000
4000
6000
8000
10000
12000
14000
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
k
C k
Figure 11: Number of combinations for each number of bits changed
3.4.3.3 STRICT AVALANCHE EFFECT
The strict avalanche effect requires that each bit in the random number
sequence has 50% chance to change. This is another important requirement
in order to maximize the random number search space. If the probability for
each bit to change is more or less than 50%, then the intruder’s search
space is reduced. For example consider a random number generator in
which one of the output random number bits has a pc probability to change. If
pn denotes the probability that the bit does not change, then
Page 77
66
(3.4.3.3-1) cn pp −=1
Let H represent the amount of information in this bit. H can be
calculated by the following equation
)(*)(* 22 nncc pLogppLogpH −−= (3.4.3.3-2)
Substituting Equation (3.4.3.3-1) in Equation (3.4.3.3-2) we get
)1(*)1()(* 22 cccc pLogppLogpH −−−= (3.4.3.3-3)
Note that
From [44], as X→0, X*Log(X) → 0
If pc → 0, then from Equation (3.4.3.3-3) H → 0. This follows from the
fact that a bit that does not change provides no uncertainty to an
intruder. The intruder will set this bit to a specific value for all random
numbers he is searching.
If pc → 1, then from Equation (3.4.3.3-3) H → 0. This follows from the
fact that a bit that changes every time provides no uncertainty to an
intruder. The intruder will always change the bit for every vehicle
trigger.
The amount of information H reaches its maximum value Hmax=1 bit,
when pc = pn = 0.5.
Page 78
67
Figure 12 shows H versus pc as pc changes from 0 to 1
0
0.25
0.5
0.75
1
0 0.25 0.5 0.75 1P c
H
Figure 12: Entropy vs. probability of bit change
3.5 RANDOM CHALLENGE MODEL
One of the main components of a random challenge is a random
number. A random number can be classified as dependent, partially
dependent or independent of the previously produced random numbers. On
one extreme case, a random number can be cyclic. This means that, a
random number that is produced this time will not be produced again till all
numbers within the random number space are produced. We refer to such a
random number as a cyclic random number. On another extreme case, a
random number is totally independent of all previously produced ones, i.e.
the probability of getting the same random number in the next time is the
same as getting any other random number from the random number space.
We refer to such random number as a non-cyclic random number. In this
Page 79
68
section, we present a generic model, shown in Figure 13, for producing
random numbers.
EncryptionAlgorithm
m bits I1j bits I2
n bits O1k bits O2
Encryption Key
Figure 13: Model for random number generator
The model has been designed based on an encryption algorithm. The
subject of the encryption algorithm itself is not covered in this chapter. We
assume that the encryption algorithm is a public domain algorithm that was
reviewed and withstand cryptanalysis attack. One example is the use of DES
algorithm. We further assume that the algorithm has the following properties:
i) The secrecy of the encryption algorithm is maintained in the
encryption key not in the encryption algorithm used. This means that if
the algorithm details are known, the system will maintain a strong
degree of security as long as the encryption key remains secret.
Encryption keys are normally assigned randomly at manufacturing
time. Maintaining the security of the random sequence in the
encryption key is similar in concept to the use of a mechanical key to
Page 80
69
lock or unlock a home entry door. The company that manufactures the
lock system may only produce one generic design, but each lock is
coded different from the others. Similarly, the use of encryption key
allows one generic design of the encryption algorithm. The use of
different encryption keys generates different mathematical
transformation between the input and the output. Having a different
mathematical transformation based on different encryption keys
means different sequence of random numbers for different units. This
of course satisfies one of the requirements stated in Section 3.4.2.
ii) The algorithm is one-to-one and reversible. This means that if the
plane texts P1 and P2 are respectively converted to the cipher texts
(encrypted texts) C1 and C2 using an encryption key K, then C1 = C2 if
and only if P1 = P2 and vice versa. This also means that the number of
input bits is equal to the number of output bits, but the key may be of
any length. We impose this requirement to ensure that the generator
produces all possible outputs, and all outputs are equally likely as the
input sequences through a complete cycle.
iii) Statistical characteristics: A 1-bit change in the input will cause, on an
average, half the output bits to change if the same encryption key is
used. Also a single bit change in the encryption key will cause, on an
average, half the output bits to change if the same input is used.
Moreover, we assume that each bit has 50% chance to change if a
single or multiple bits change in the encryption key or the input.
Page 81
70
The model presented in Figure 13 shows an encryption algorithm,
which takes an input that is divided into two blocks, I1 (m bits), and I2 (j bits).
The output of the algorithm is also divided into two blocks, O1 (n bits), and O2
(k bits). Due to the second property of the encryption algorithm we can say
that m+j=n+k.
The method we present in this section and will be used for later
analysis assumes a sequence counter of m bits. These bits are stored in a
non-volatile memory. The sequence counter is used as an input (I1) to the
encryption algorithm for the model shown in Figure 13. The sequence
counter value is updated (e.g. incremented by 1) every time a call to the
algorithm is made. For this method, we consider that the sequence counter is
the only input (I1) to the algorithm, i.e. j=0. The other input (I2) is not
available. It is shown in the model for generality purposes and future
research. Since we are using an encryption algorithm, we expect that for
each value of the m-bit sequence counter, there is a corresponding output
that consists of m (m=n+k) bits. We use the lower n bits (O1) to represent the
random number. The other part of the output (O2) is not used, but available
for randomization purposes as explained later.
Let Ri be the value of the random number (available at O1) when the
sequence counter is equal to i. Then there exists an X such that Ri=Ri+X for
all 0≤ i≤ 2m. If the only value of X that satisfies the previous condition is X=2m,
then we say that the random number has a maximum cycle. A random
Page 82
71
number with a maximum cycle does not repeat the sequence until all the 2m
combinations are produced.
For one cycle of the sequence counter, there are 2m = 2n+k different
combinations presented at the output. For each combination of the output O1
there are 2k combinations of the output O2. Thus every random number R
(0≤R≤2n-1) appears 2k times within one cycle of the sequence counter.
On one extreme, we have defined a random number as a non-cyclic
random number if the probability to produce such a number remains the
same no matter how many times this number has already been produced
before. Our model, shown in Figure 3, will produce such a random number if
k is a very large number.
Lemma
A non-cyclic random number can be produced using our model if
k → ∞ .
Proof:
Let U represent the total number of random numbers produced, and L
represent the number of times a specific random number R is produced
within the previous U times. Then the probability p to produce R again is
given by
UL
ULp kn
k
m
k
−−=
−−= +2
222 (3.5-1)
Page 83
72
Divide the numerator and denominator of (3.5-1) by 2k.
kn
k
U
L
p
22
21
−
−= (3.5-2)
If k → ∞, then 022
→= kk
UL
The probability p in Equation (3.5-2) can be simplified to
np21=
Hence, if k → ∞, then the probability of generating a random number
R during the next trail is np2
= 1 . This is a constant value for a fixed value of
n. This means that, the probability of producing R again is independent of the
fact, how many times the random number R has already been produced.
For a practical system, the value of k can’t be very large. A large value
of k has several drawbacks. First, it requires a large storage space in a non-
volatile memory. Second, it increases the system response time since the
encryption algorithm has to run over larger data input size.
On the other extreme case, if k=0 then our model produced cyclic
random numbers. A random number that is produced this time will not be
produced again till all random numbers in the cycle are produced.
Page 84
73
For values of k between 0 and ∞, different degree of randomness can
be produced within one cycle of the sequence input. For this reason, we refer
to k as the randomization factor of the random number generator shown in
Figure 13.
3.6 MEASURING SECURITY
In Section 2.7.2, we mentioned that the success of a statistical
approach attack mainly depends on the system design parameters. The most
critical parameter is the number of bits used to create different combinations.
Increasing the number of combinations implies more bits to be transmitted.
More bits have several drawbacks on the system performance. First, it
increases the system response time. This might not be desirable for passive
entry applications. Second, for each bit transmitted, there is a probability of
error due to noise or interference from the environment. Transmitting more
bits implies a higher overall message probability of error. Hence, the
message will more likely be rejected. Third, increasing the number of bits
requires more energy from the CID that runs from a small battery power
supply. Hence, an increase in the number of bits reduces the usable battery
life. So how can we balance between security and system performance? This
leads us to define a method to measure the system security.
One simple way to measure the system security against a statistical
attack is to use the average time needed by an intruder to break into the
vehicle. We use the term “average time” because an intruder might be lucky
Page 85
74
in his first trial or he might end up with a huge number of trials. We use the
term ‘Average Theft Time’ or ATT to denote the average time needed by an
intruder for a successful attack. The ATT is defined as the number of trials an
intruder needs (on average) to be successful in his attack divided by the
repetition rate of the trials. In mathematical notation, if M is a random variable
that defines the number of trials, an intruder needs to conduct in order to be
successful, then ATT is given by
RMEATT )(=
Where : -
E(M) : The expected value of the random variable M, and
R : The repetition rate. Defined as the number of trials conducted
by the intruder per unit time.
While the ATT is a simple method to calculate and understand, it does
not provide enough information regarding the system security. Consider a
hypothetical system that requires the user to enter a password to gain
access. Furthermore, studies have shown that 60% of the people who use
the hypothetical system enter a single digit (0 to 9) password while the other
40% enter 4-digit (0000 to 9999) password. The average number of trails or
ATT to gain access for such system is 2003 trials (0.6*5 + 0.4*5000). Where
5, and 5000 are the average number of trials for a single digit and 4-digit
code respectively. Using the ATT as a measure of security might be
Page 86
75
misleading for such system. One could concentrate on only the 10 single-
digit passwords with a 60% probability of success. If the first 10 trials fail,
then proceed to the next system, and so on. To better understand the
problem of using the ATT as a measure of system security, imagine that
there are several systems available for attack. A 1000 trail over 100 units,
with 10 or less trials per unit, would have a success rate of at least 60%. This
means access to at least 60 systems. A better method to measure the
system security is needed. One way is to assign a probability of successful
attack on the system, given a certain amount of attack time used. For
example, we define the system to be secure against statistical attacks if the
following condition is satisfied:
If an intruder spends at most X amount of time trying to break
into the vehicle, then the probability of a successful attack shall
be less than Y%.
We refer to the (X,Y) pair as the security parameters of the system. In
mathematical notation, if M is a random variable that defines the number of
trials conducted till a successful attack is achieved, then the Cumulative
Distribution Function (CDF) of the random variable M given by F(X)
represents the probability of successful attack in X or fewer trials
}{)( XMPXF ≤=
We said that the system is secure if
Page 87
76
%)( YXF ≤
As many people are more familiar with ATT than any other measures,
E(M) will be used in addition to the (X,Y) parameters.
3.7 SCANNING ATTACK
As we indicated earlier, the probability of successful scanning attack
from a statistical point of view depends on three main parameters. First, the
length of the random challenge, we quantify this parameter by the number of
bits used (i.e. n). Second, the random number generation method, this
parameter is quantified by the randomization factor (k) in the model
presented in Section 3.5. Third, the number of trials conducted by an
intruder, we use the symbol m to denote this parameter.
This section is divided into three subsections. In the first and second
subsections, we present the effect of an independent random challenge and
the effect of a cyclic random challenge, respectively, on the success of a
scanning attack. In the third subsection we generalize the success of a
scanning attack results for any randomization factor.
3.7.1 INDEPENDENT RANDOM CHALLENGE
In this case, the probability of each challenge generated is
independent of the previous ones. Let p represents the probability of getting
an expected challenge. Let M denote the number of trials performed by an
Page 88
77
intruder until he becomes successful. Then M is a random variable taking on
one of the values 1, 2, 3, … with respective probabilities
P{M=1} = f(1) = p ,
P{M=2} = f(2) = (1-p)*p ,
P{M=3} = f(3) = (1-p)2*p ,
:
P{M=m} = f(m) = (1-p)m-1
*p , for 1 ∞<≤ i
Where, f(m) represents the probability distribution function of the
random variable M.
Note that :
ppmfm
m
m∑∑∞
=
−∞
=
−=1
1
1*)1()(
∑∞
=
−−=1
1)1(*m
mpp
p
p 1*=
1)(1
=∑∞
=mmf
Page 89
78
To find the average number of trials required by an intruder for a
successful attack we need to find the expected value of the random variable
M. i.e. E[M]
( ) ∑∞
=
=1
)(*m
mfmME
∑∞
=
−−=1
1)1(*m
m ppm
∑∞
=
−−=1
1)1(**m
mpmp
2
1*p
p=
( )p
ME 1=
In words, the average number of trials performed by an intruder to
attain the first success is equal to the reciprocal of the probability p. If the
response to the challenge consists of n bits, and all 2n response
combinations are equally likely then p is given
np21=
In this case
E(M) = 2n (3.7.1-1)
Page 90
79
3.7.2 CYCLIC RANDOM CHALLENGE
In this case, the probability of the challenge generated depends on the
previous challenge. For simplicity of analysis and calculations, we assume
the challenge and challenge response consists of n bits, and all 2n
combinations are possible. Let p0, p1 , p2 , ... represent the probability the
expected challenge is generated on the 1st, 2nd, 3rd, …, 2n trial, respectively.
Then
np21
0 =
121
1 −= np
221
2 −= np
:
ip ni −
=2
1 ; for 120 −≤≤ ni
Let M denote the number of trials performed by the intruder till the first
success is achieved, then M is a random variable taking on one of the values
1, 2, 3,…, 2n with respective probabilities
npfMP21)1(}1{ 0 ====
Page 91
80
nppfMP21*)1()2(}2{ 10 =−===
npppfMP21*)1(*)1()3(}3{ 210 =−−===
:
n
m
iim ppmfmMP
21)1(*)(}{
2
01 =−=== ∏
−
=−
To find the average number of trials E(M) for a successful attack
( ) ∑=
=n
mmfmME
2
1)(*
∑=
=n
mnm
2
1 21*
∑=
=n
mn m
2
1*
21
2)12(*2*
21 +=
nn
n
212 +=
n
If 2n >> 1, then the result can be simplified to
12)( −≅ nME (3.7.2-1)
Page 92
81
From Equations (3.7.1-1) and (3.7.2-1), we can conclude that the ATT
for a system that is based on a cyclic random challenge is 50% less than a
system based on independent random challenge. To complete the analysis
and compare between the two challenges, Figure 14 shows F(X) for both
cases
Where F(X) is give by
∑=
=X
iifXF
1)()(
0
0.2
0.4
0.6
0.8
1
X
F(X)
Cyclic
Independent
0.5*C 0.75*C C0.25*C
Figure 14: F(X) for cyclic and independent random challenges
In the figure, C represents the total number of combinations in the
random challenge space (in our case C=2n). While it is clear in this section
Page 93
82
that an independent random challenge is safer to use, in a later section we
will show that it introduces more risk for different type of attacks.
3.7.3 EFFECT OF RANDOMIZATION FACTOR
Let p0, p1 , p2 , ... be the probability that the expected challenge is
produced on the 1st, 2nd, 3rd, … trial, respectively. Then
nk
k
p +=22
0
122
1 −= +nk
k
p
222
2 −= +nk
k
p
In general
jp nk
k
j −= +2
2 (3.7.3-1)
If an intruder fails in all m trials, then probability of a non-successful
attack, after trying m times, is given by
(∏−=
=
−=1
0
1),,(mj
jjpmnkp ) (3.7.3-2)
From (3.7.3-1), substitute pj in (3.7.3-2)
Page 94
83
∏−=
=+
−
−=1
0 221),,(
mj
jkn
k
jmnkp (3.7.3-3)
Where k is the randomization factor and n is the number of bits in the
random challenge.
Let F(k,n,m) be the probability of a successful attack within the first m
trials. Then F(k,n,m) is given by
),,(1),,( mnkpmnkF −=
From (3.7.3-3)
∏−=
=+
−
−−=1
0 2211),,(
mj
jkn
k
jmnkF
Note that F(k,n,m) represents a Cumulative Distribution Function
(CDF) of random variable M. It should be noted that F(k,n,m) is valid only for
. If , then F(k,n,m) assumes the value of 1. )22(1 m −≤≤ knk + knk +
),,( mnkF ∞→
)22(m −>
As , the random number is non-cyclic or independent random
number. In this case can be simplified to
∞→k
m
nmnkF
−−=∞→
2111),,(
If k=0, the challenge is cyclic. In this case F(0,n,m) can be simplified
to
Page 95
84
n
mmnF2
),,0( =
A plot of F(k,n,m) for k=0,1,2 and ∞, and n=16 is shown in Figure 15.
A plot of F(k,n,m) for k=0, and n=17 is also shown in Figure 15.
0
0.2
0.4
0.6
0.8
1
0 13000 26000 39000 52000 65000
m
F(k,
n,m
)
(k=0,n=16)
(k=1,n=16)
(k=2,n=16)(k= ∞ ,n=16
(k=0,n=17)
Figure 15: F(k,n,m) for different system parameters
From Figure 15, it is clear that for a given value of n, say n=16, there
is not much difference in the value of F(k,n,m) for k=2 and k= ∞. So for a
given value of n, the vulnerability of a system due to a scan attack with a
randomization factor of k=2 will be as close as that with k = ∞.
To measure the ATT as defined in Section 3.6, let us assume the
following system parameters:
Page 96
85
The vehicle supports 4 different CIDs. Each CID responds in an
assigned time slot. The intruder takes advantage of this multiple CID
support by sending a different response in each time slot assigned for
each individual CID.
The vehicle can be triggered once every 200ms
The vehicle uses a 16 bit random number
If the vehicle receives 5 consecutive invalid responses to the
challenge from all 4 CIDs, the vehicle inhibits any further challenges
for the next 7 seconds
In this case the repetition rate R can be calculated as follows
sec/5.275*2.0
5*4 trialsR =+
=
Let E(k,n) represent the average number of trials as a function of the
randomization factor k.
As k→ ∞, E(k →∞,n) is calculated in Section 3.7.1. It is given by
E(k →∞,n) = 2n
E(k →∞,16) = 216 = 65536 trails
HoursATT 28.7sec262145.2
65536 ===
Page 97
86
For k =0, E(0,n) is calculated in Section 3.7.2. It is given by
E(0,n) = 2n-1
E(k →∞,16) = 215 = 32768 trails
HoursATT 64.3sec131075.2
32768 ===
For the same value of n, if the challenge is based on a non-cyclic
random number, the ATT is twice as much compared to a challenge that is
based on a cyclic random number. In general, the 3.64 ≤ ATT ≤ 7.28,
depends on the value of the randomization factor k. A higher value of k leads
to a higher ATT, hence better security system. But if we increase the value of
n by 1, then E(k,n+1) for k=0 is equal to 2n. This is the same value of E(k,n)
for k→∞ . i.e.
E(0,n+1) = E(k →∞,n)
From these analysis we can improve the system security against
scanning attack by several methods
Decrease the repetition rate R. i.e. decreases the number of times the
vehicle sends interrogation messages per unit time.
Increase the number of challenge bits.
Increase the randomization factor.
Page 98
87
Though the above features improve the system security against
scanning attack, each one of the above features has some disadvantages
associated with it. For example, decreasing the repetition rate has a system
reliability disadvantage. Increasing the number of random challenge bits will
increase the system response time. Hence, it will affect fast and smooth
operation. Increasing the randomization factor requires an increase in the
storage space to store the extra bits.
3.8 DICTIONARY ATTACK
The dictionary attack is another statistical approach to gain an
unauthorized access to the vehicle. This attack was defined previously in
Section 2.7.2.2. In this section, we will focus on the analysis part to evaluate
the security threat from such an attack. For simplicity of the analysis and
calculation we assume that the challenge is an independent random
challenge, and the challenge and its response use the same number of bits
(n bits).
Let C = 2n represent the size of the challenge space. Let E and S
respectively be the event that the challenge sent is in the dictionary and the
event that the handle triggers results in a successful attack. Then we can find
the probability of a successful attack P(S) as follows
( ) ( ) ( ) ( )EPESPEPESPSP */*/)( +=
Where:-
Page 99
88
P(S/E) is the probability of a successful attack given that the
vehicle generates a challenge that is in the dictionary. In this case,
the probability of success is 100%. This is because the dictionary
responds with a valid challenge-response that is previously
captured from the authorized CID. In this case
( ) 1/ =ESP
)/( ESP is the probability of a successful attack given that the
vehicle generates a challenge that is not in the dictionary. The
number of possible challenge combinations that are not in the
dictionary is equal to the challenge space minus the dictionary
size. In this case, the probability of a success is the reciprocal of
the challenge space minus the size of the dictionary. This is
because the dictionary responds with a fixed challenge-response
that is not previously captured from the authorized CID. In this
case
DCESP
−= 1)/( .
P(E) is the probability that the vehicle generates a challenge that is
in the dictionary. In this case
CDEP =)(
Page 100
89
)(EP is the probability that the vehicle generates a challenge that
is not in the dictionary. In this case
CDEPEP −=−= 1)(1)( .
Now we can find the probability of success P(S)
−
−+=
CD
DCCDSP 1*1*1)(
CDSP 1)( +=
If D=0 then P(S) represents the scanning attack. Let p=P(S)
represents the probability of successful attack.
CDp 1+= (3.8-1)
Furthermore, Let M be the number of trials performed by an intruder
until he becomes successful. Then M is a random variable taking on one of
the values 1, 2, 3, … with respective probabilities
P{M=1} = f(1) = p ,
P{M=2} = f(2) = (1-p)*p ,
P{M=3} = f(3) = (1-p)2*p ,
:
Page 101
90
P{M=m} = f(m) = (1-p)m-1
*p
To find the average number of trials required by an intruder for a
successful attack, we need to find the expected value of the random variable
M. i.e. E[M]
( ) ∑∞
=
=1
)(*m
mfmME
∑∞
=
−−=1
1)1(*m
m ppm
With some mathematical simplification
pME 1)( =
But p is given by (3.8-1).
CD
ME1
1)(+
=
12
1)(
+=
+=
DDCME
n
(3.8-2)
From Equation (3.8-2), it is clear that the average number of trials next
to the vehicle as compared to the scanning attack is reduced significantly by
a factor proportional to the size of the dictionary. This result assumes that a
dictionary of size D is already built. It does not take into consideration the
Page 102
91
amount of time spent by an intruder in order to build the dictionary. If we
assume that building each entry in the dictionary takes the same amount of
time as triggering the door handle, then we can find the total number of trials
(T) conducted by an intruder by adding the size of the dictionary D to the
average number of trials next to the vehicle E(M).
DD
DMETn
++
=+=1
2)( (3.8-3)
From Equation (3.8-3), it is apparent that there is a tradeoff from an
intruder point of view between the time spent to build up the dictionary and
the time spent next to the door handle. As the dictionary size D increases,
the average number of trials conducted next to the door handle E(M)
decreases. Increasing D requires the intruder to spend more time building up
the dictionary. To better understand the effect of the dictionary attack and
the tradeoff from the intruder’s point of view between building the dictionary
and triggering the door handle, let us find the cumulative distribution function
F(X). For the first D trials, the intruder just built the dictionary. In this case
0)( =XF , for DX ≤
For X > D, let Y=X-D denote the number of trials next to the door
handle. The probability of success for each trial based on independent
random number is previously calculated and is given by P(S). If the intruder
tries Y times and all Y trails failed, then the probability that all Y trials failed is
given by
Page 103
92
P(Fail /Y trials) = ( )YSP )(1−
Then the probability of success in Y or less number of trials is given as
a function of X and D by F(X)
F(X) = 1- P(Fail /Y trials)
F(X) = DX
n
D −
+−−
2111 , for X >D (3.8-4)
The following figure shows F(X) for different dictionary sizes against
the total number of trails available to the intruder. The dictionary size is
represented as a percentage of the number of trials.
0
0.2
0.4
0.6
0.8
1
X
F(X
)
D=0.95*X
D=0.10*X
D=0
D=0.50*X
D=0.70*X
0.00625*C 0.0125*C 0.0187*C 0.025*C
Figure 16: F(X) for dictionary attack with different dictionary size
Page 104
93
F(X) demonstrates that the threat imposed by a dictionary attack
against the passive entry system is higher for dictionary size greater than
zero (scanning attack).
From Figure 16, for a dictionary size that is 50% of the total number of
trials, it takes less than 1% of the challenge space (C) to obtain more than
80% probability of successful attack. Comparing the scan attack (D=0) to the
dictionary attack with 50% split, a dictionary attack imposes a much higher
risk against the passive access system.
3.8.1 THE DEVIL’S ADVOCATE
In the previous section we found that the probability of a successful
attack through the use of the dictionary depends on two main factors. The
size of the challenge space C, and the size of the dictionary D. The size of
the challenge space C is fixed. It is defined at the system development
phase. An intruder has no control over this parameter. The dictionary size D
is a variable parameter that is defined by an intruder. An intruder has the
freedom to build a dictionary of any size. The question is, if an intruder is
willing to spend m amount of time to attack the system, how should he split
this time between building up the dictionary and triggering the vehicle? From
an intruder point of view, the intruder wants to maximize his probability of
success given that he can afford to spend a total amount of time equal to m.
Page 105
94
In this section, our objective is to optimize the attack time in favor of
an intruder. This is important in order to evaluate the security threat against
the system if an intruder does this himself.
Let m, D, and C be the total amount of time an intruder is willing to
spend, the size of the dictionary, and the size of the challenge space,
respectively.
From Equation (3.8-4), let g(D) be F(X) as a function of D when
X=m. Then g(D) is given by
g(D) =Dm
CD −
+−− 111
Assumption
The time and difficulty to build one entry in the dictionary are
equivalent to the time and difficulty to trigger the vehicle. In other
words, the intruder has no preference whether to spend any trial
building up the dictionary or triggering the vehicle.
To simplify the problem we assume that the dictionary will not
respond if the challenge generated by the vehicle is not in the
dictionary. This simplify g(D) to
g(D) =Dm
CD −
−− 11
Page 106
95
The dictionary size is much greater than 1 but much less than m.
This is a valid assumption to make, otherwise the dictionary attack
become more like a scan attack.
The problem is, what is D such that g(D) is maximum?
g(D) is maximum when the term Dm
CD −
−1 is minimum
Let
Dm
CDy
−
−= 1
Dm
CDCy
−
−= (3.8.1-1)
We want to find D such that 0=dDdy in Equation (3.8.1-1).
By taking the natural logarithm for both sides of Equation (3.8.1-1)
)(
ln)ln(Dm
CDCy
−
−=
−−=
CDCDmy ln)()ln( (3.8.1-2)
Differentiating both sides of Equation (3.8.1-2)
Page 107
96
CDDm
CDC
ydDdy
−−+
−−=
1*)(ln*11 (3.8.1-3)
Multiply both sides of Equation (3.8.1-3) by y.
yCD
DmC
DCdDdy *1*)(ln*1
−
−+
−−=
Dm
CDC
CDDm
CDC −
−
−
−+
−−= *1*)(ln*1 (3.8.1-4)
Equating 0=dDdy in (3.8.1-4), leads to
CDDm
CDC
−−=
−ln (3.8.1-5)
By expanding the left side of Equation (3.8.1-5) around D=0 into its
Taylor series
....ln4
41
3
31
2
21 −
−
−
−−=
−
CD
CD
CD
CD
CDC (3.8.1-6)
If then , then the 2Cm << CD << nd, 3rd, … terms in Equation (3.8.1-
6) can be ignored, this simplifies Equation (3.8.1-6) to
CD
CDC −≅
−ln (3.8.1-7)
Substituting Equation (3.8.1-7) back in Equation (3.8.1-5) we get
Page 108
97
CDDm
CD
−−=−
Solving for D
mCCCD *2 −±=
The root mCCCD *2 −+= violates the assumption and will
not be considered.
CD <<
The other root mCCCD *2 −−= can be expanded into its Taylor
series as
−
−
−−−= ....
2
3
161
2
81
Cm
CmmCCD (3.8.1-8)
Similarly the 2nd,3rd, … terms can be ignored. This simplifies Equation
(3.8.1-8) to
−−≅
2mCCD
2mD ≅
The result suggests that an intruder makes the best of his time in
breaking the system by splitting the number of trials equally between the CID
interrogation (building the dictionary) and triggering the door handle.
Page 109
98
CHAPTER 4
SOLUTIONS OF DICTIONARY AND RELAY ATTACKS
In the previous chapters, six different attacks against a passive access
system were identified. The attacks were categorized into three different
categories according to an attacker approach in performing the attack. The
first category represents the deterministic approach attacks. In this category
we identified playback attack and relay attack. The second category
represents the statistical approach attacks. In this category we identified
scanning attack and dictionary attach. The third category represents the
analytical approach attacks. In this approach we identified cryptanalysis
attack and challenge prediction attack.
Deterministic approach attacks are the most powerful attacks. A thief
can simply perform such attacks with a minimal effort. These attacks present
the highest risk against the passive vehicle access system. The need to
solve the system security weaknesses to prevent deterministic approach
attacks is an important component of the system design. In the previous
chapter, we have shown that using a challenge response protocol we can
prevent a playback attack. However, the challenge response protocol did not
prevent other attacks or it introduces few other variations of possible attacks.
Statistical approach attacks present a moderate risk against the
passive access system. These attacks require more time and effort from an
Page 110
99
intruder to perform. The need to solve the system security weaknesses to
prevent the statistical approach attacks is of moderate concern. Different
techniques to reduce the risk against scanning attack were presented at the
end of Section 3.7.3. In Section 3.8 we have shown that the dictionary attack
presents a higher risk against a passive access system than the scanning
attack. In this chapter we will present several solutions and suggestions to
reduce the risk of a dictionary attack.
Analytical approach attacks present the lowest risk against the
system. First, an analytical approach attack requires a lot of time and effort to
capture several message and analyze them. Second, the analytical approach
requires an individual with a higher degree of intelligence. Such individual
can do better things in his life than attacking the vehicle. Third, the attack is
different from one vehicle to the other. Designing different attacks for
different vehicles demoralizes an intruder to proceed with an attack since the
financial gain may not be justifiable. The need to solve the system security
weaknesses to prevent the analytical approach attacks is of very low
concern.
In this chapter we will focus our effort to address the dictionary attack
and the relay attack. First we address the dictionary attack since the
solutions we are presenting are soft solutions. These solutions do not require
a system architecture change or new hardware components to be added to
the system. Second we address the relay attack. The relay attack requires
Page 111
100
some architecture changes to implement different communication
mechanism in order to solve the security weaknesses against this attack.
4.1 DICTIONARY ATTACK COUNTERFEIT
In the previous chapter we showed that a simple challenge response
protocol is a weak protocol to protect the system against a dictionary attack.
One of the fundamental axioms of a dictionary attack is the intruder’s
capability to independently access information from both sides involved in the
protocol. From the CID side, an intruder sends interrogation messages to
capture the CID response without the owner’s knowledge. From the vehicle,
an intruder initiates the interrogation messages by simply pulling the vehicle’s
door handle. Several solutions are presented in the next subsections to
reduce the risk of a dictionary attack threat.
4.1.1 USE OF PASSWORD
In this technique the vehicle sends an interrogation message upon
vehicle trigger. The interrogation message consists of a wake up signal and a
challenge. The challenge is made from a password and a random number.
The wake up signal is sent to wake up the CID from sleep mode. The
password is a preset fixed code that is initially programmed to the CID and
the vehicle. The password may represent a Vehicle ID (VID) or it may be part
of a wake up pattern. The authentication process is shown in Figure 17.
Page 112
101
Send RN &Password
Encrypt RN
Request received
password match
Send Encrypted RN
Sleep
Sleep
Authorize Access
Y
Y
Y
N
N
N
Generate RandomNumber (RN)
Vehicle Trigger
Y
N
Compare
Match ?
Receive EncryptedRN
Encrypt RN
CID OperationVehicle Operation
Figure 17: Password protection authentication process
Upon vehicle trigger, the vehicle sends an interrogation message. A
CID within the vehicle reception range wakes up from sleep mode. The CID
then compares the received password with the one stored in its memory. If
the received password matches the stored password, the CID generates a
challenge-response message. In generating the challenge-response
message, the CID encrypts the random number. The encrypted random
Page 113
102
number is then sent as the challenge-response to the vehicle. While the
vehicle is waiting for the challenge-response message, the vehicle encrypts
the random number using an encryption key that is identical to the encryption
key of the CID. The result of the encrypted random number is an expected-
response. Upon receiving the challenge-response message from the CID,
the vehicle compares the challenge-response received to the expected-
response. The vehicle authorizes access when the challenge-response
matches the expected-response.
This technique not only enhance the system security by preventing an
intruder from building up his dictionary, it also prevents the CID from
responding to other random challenges. The other random challenges may
arrive from different sources such as other vehicles that use the same
passive system but programmed to work with different CIDs. Preventing the
CID from responding to other challenges, will increase CID’s battery life.
The use of a password technique improves the system security.
However, this technique does not prevent a smart intruder from knowing the
password. Since the password is a fixed code that is sent by the vehicle, an
intruder can trigger the vehicle several times to identify the password. Once
an intruder identifies the password, he can then build this password in every
interrogation message his dictionary sends to the vehicle
Page 114
103
4.1.2 DECREASE REPETITION RATE
One other suggestion to reduce the effect of the dictionary attack is to
decrease the system repetition rate (R). This can be done either at the
vehicle, the CID, or at both. For example, the vehicle can only allow up to a
certain number of interrogation messages within a given ‘active period’ time.
If the vehicle does not receive a valid response within the active period, the
vehicle enters a dead time period. During the dead time period the vehicle
will not respond to any further trigger until the dead time period expires.
Similar technique can also be used at the CID side. The CID may only
respond to several interrogation messages within a given period of time.
Decreasing the repetition rate is a known technique used in several
RKE systems to increase attack time. However, decreasing the repetition
rate has a drawback on the system performance. The vehicle owner has to
be aware of the dead time period. He has to wait for this period to elapse in
the event that several trials fail due to poor communication link between the
CID and the vehicle. This situation may occur when there is RF interference.
This might not be intuitive for the average user to realize.
4.1.3 MUTUAL AUTHENTICATION
An alternative solution against a dictionary attack is the use of mutual
authentication. Both the CID and the vehicle have to validate any received
message. The CID verifies the vehicle interrogation message before it sends
a response back. Likewise, the vehicle verifies the CID response before it
Page 115
104
allows access to its compartment. The password protection explained in
Section 4.1.1 is one example of mutual authentication.
A more secure method is presented in this section. In this method two
encryption keys K1 and K2 are both programmed to the CID and to the
vehicle. Upon vehicle trigger, the vehicle sends an interrogation message
that contains a challenge. The challenge consists of a random number, and a
random number matching pair. The random number matching pair is
obtained by encrypting the random number using the encryption key K1 as
shown in Figure 18
Random Number
EncryptionAlgorithm
Matching Pair Random Number
K1
ChallengeSend to CID
Figure 18: Mutual authentication challenge
A CID within the vehicle reception range wakes up from sleep mode.
The CID processes the challenge in two steps, Step 1 and Step 2 as shown
in Figure 19. In Step 1, the CID breaks the challenge into two parts, the
random number and the matching pair. The CID then encrypts the received
random number using the same encryption key K1 used in the vehicle. The
result is an expected matching pair. The CID then compares the received
matching pair with the expected matching pair. If the two matches, the CID
Page 116
105
proceeds to Step 2. If the two does not match, the CID goes back to sleep
without sending any response. In Step 2 the CID assembles its response to
the vehicle. In assembling the CID response, the CID encrypts the received
random number using a different encryption key K2. The result is the
challenge response that is sent back to the vehicle
EncryptionAlgorithm
Matching Pair Random Number
K1
ChallengeReceived
Compare ifMatchSleep N
EncryptionAlgorithm
Y
K2
Challenge Response
Step 1
Step 2
Challenge Response
Figure 19: Vehicle processing to a received challenge in a mutual authentication protocol
While the vehicle is waiting for the challenge response, the vehicle
encrypts the random number using an encryption key K2 that is identical to
the encryption key used in the CID. The result of the encrypted random
number is the expected challenge response. Upon receiving the challenge
response signal from the CID, the vehicle compares the challenge response
Page 117
106
received to the expected challenge response. The vehicle authorizes access
when the challenge response matches the expected response.
Several variations of this technique can also be implemented. One
implementation is to include a VID with the challenge. The VID could be a
part of the wake up pattern. The CID uses the VID as an initial check prior to
wake up the controller to validate the challenge in Step 1 as described
earlier. Testing the VID as an initial step improves the CID power
consumption. This is because the CID may use a very low power
consumption wake up circuit to check for a matching VID. The wake up
circuit can be as simple as a shift register that continuously checks for a
matching pattern. If the wake up circuit detects a matching VID, the circuit
then wakes up the controller to execute the encryption algorithm and
verifying the authenticity of the challenge received.
4.1.4 ENHANCED MUTUAL AUTHENTICATION
Mutual authentication as described in the previous section provides
higher security against dictionary attack, however there are several
drawbacks.
i) The vehicle has to send, in addition to the random number in the
interrogation message, bits that represent the encrypted random
number (i.e. the matching pair). Increasing the number of bits has
several performance issues. First, it increases the system response
time. This might not be desirable for passive entry applications.
Page 118
107
Second, for each bit transmitted there is a probability of error due to
noise or interference in the environment. Transmitting more bits
implies a higher overall message probability of error. Hence, the
message will more likely be rejected. Third, increasing the number of
bits requires longer processing time. This translates to more power
consumption from the CID that runs from a small battery powered
supply. Hence, increasing bits reduces the usable battery lifetime.
ii) The CID has to encrypt the random number twice. In doing so the CID
has to remain up for a longer period of time. This will increase the CID
power consumption as well as increase the authentication timing.
iii) Sending the random number and the encrypted random number in the
same message is more vulnerable to cryptanalysis attack. The
intruder can capture several interrogation messages to analyze the
random number and its matching pair to reveal the encryption key
used. This falls in known-plaintext classification as described in a
previous chapter.
To address the system performance issues described above and still
maintain or increase the security level we developed a new protocol. In this
protocol, the challenge consists of VID and a random number as shown in
Figure 20.
Page 119
108
Random Number VID(MSB) VID(LSB)
Figure 20: Challenge block diagram
The figure shows two color-coded fields. The gray field represents the
portion of the challenge that is encrypted. The clear field represents the
portion of the challenge that is not encrypted. The VID is divided into two
portions, the Least Significant Bits (LSB) portion, and the Most Significant
Bits (MSB) portion. The VID-LSB portion is sent in the clear (no encryption)
as part of the wake up pattern. The reason for this is to reduce the CID
power consumption if the interrogation message comes from a different
vehicle. Hence, increases the CID battery lifetime. The VID-MSB portion is
encrypted with the random number. The VID-MSB functions as a secret
identifier to the CID for further validation. It is important to note that the VID-
MSB and the random number are encrypted together to assemble the
encrypted portion of the challenge. This ensures that the VID-MSB remains
secret and random to an outside observer. It also prevents any attacks based
on recording the challenge. To better understand the authentication process,
Figure 21 shows a flowchart that describes the steps involved when a vehicle
trigger is initiated while the CID is within the vehicle’s range.
Page 120
109
Send Interrogation Msg
Response received
Is R.N. received match
Decrypt
Request received
VID(LSB) match
VID(MSB) match
Send Random Number (R.N)
Sleep
CIDVehicle
Sleep
Authorize Access
Y
Y
Y
Y
Y
N
N
N
N
Figure 21: Enhanced mutual authentication flowchart
Both the CID and the vehicle have the same encryption key and the
same VID. We refer to the VID stored in the CID memory as the reference
code. When the CID receives the challenge, it compares the VID-LSB portion
with the portion in the reference code. This process could be part of the wake
up mechanism. If the VID-LSB portion fails to match the corresponding
portion, the CID ignores the challenge and remains in sleep mode. If the VID-
LSB matches the corresponding portion of the reference code, the CID then
decrypts the encrypted portion of the challenge. The result of this decryption
Page 121
110
is a received VID-MSB, and a random number. The CID then compares the
VID-MSB portion with the corresponding reference code. If the VID-MSB
portion fails to match the corresponding portion of the reference code, the
CID ignores the challenge and goes back to sleep mode. If the VID-MSB
portion matches the corresponding portion of the reference code, the CID
assembles a challenge response to be transmitted. In assembling the
challenge response, the decrypted random number is used as the challenge
response.
When the vehicle receives the challenge response, or the non-
encrypted random number, it compares it against the initially generated
random number. If they fail to match, the vehicle ignores the response and
denies access to its compartment.
Since the CID responds to valid interrogation messages only, an
intruder task to build up a dictionary becomes invisible. For example if k and
n represent the number of bits in the VID-MSB and the random number,
respectively, then there are 2n+k combination of interrogation messages that
can be sent to the CID. Out of those 2n+k combinations, the CID will only
respond to 2n combinations (a 2k reduction factor). This means that in order
for the intruder to build up a dictionary of size D, he needs to scan on the
average D*2k combinations. Depending on the value of k (a design
parameter), the intruder might be more successful in his attack by the
scanning method.
Page 122
111
The benefits of this technique are
i) Less number of bits needed to be sent compared to the method
described in Section 4.1.3. The advantage of that is described earlier.
ii) Only one time decryption is needed in the CID. This translates to less
wake up time, hence less power consumption
iii) The CID responds to valid interrogation messages only. This is due to
the VID-MSB that is hidden within the encrypted field. This makes the
VID-MSB invisible to an outside observer every time an interrogation
message is sent
iv) The system provides higher security against cryptanalysis. The
system provides very little information or freedom to an outsider
analyzing the communication traffic.
4.2 NEW DICTIONARY ATTACK AND SOLUTION
Even though the solution presented in the previous section improves
the system security against dictionary attack, it is still not a bulletproof
solution against a new attack an intruder may conduct. An intruder may
perform an attack as shown in the following steps
i) Record valid interrogation messages from the vehicle when pulling the
vehicle door handle.
ii) Playback the recorded interrogation messages next to the CID.
Page 123
112
iii) Record the CID responses. The CID responds to the interrogation
messages since they are recorded from the vehicle.
iv) Go back next to the vehicle and trigger the door handle till the vehicle
sends a challenge that is in the dictionary.
For the same probability of success the new attack increases the
intruder’s time by one third as compared to the system that does not use
mutual authentication. The increase in the intruder time is due to the first step
conducted. The intruder needs to capture valid interrogation messages from
the vehicle first, before he sends those messages to the CID.
Though the new dictionary attack might not be very practical, it
imposes a threat that can be easily addressed. To solve this issue, we need
to ensure that when the vehicle generates a new challenge, the challenge
will not be produced again for a very long period of time. This requires that
the random number used in generating the challenge to be based on a cyclic
random number generator. The random number generated this time will not
be generated again till all combinations are used. This way if an intruder
records interrogation messages, those interrogation messages will not be
valid unless he records all the challenges in the challenge space. In this
case, an intruder’s task will be much easier with higher probability of success
if he adopts a scanning method for his attack.
In summary, different authentication protocols were presented to
address the dictionary attack. Table 3 summarizes the different variations
Page 124
113
analyzed and their impact on system performance. Each entry in the table is
relative to the corresponding entry in the original challenge response
protocol.
Challenge Response
Password Protection
Mutual Authentication
Enhanced Mutual Authentication
Number of Bits Higher message error Longer processing Time
Low Medium High Medium
Cryptanalysis Easy Easy Medium Hard False Wake up Non Protected Protected Protected Protected Response Time Fast Fast Slow Fast Dictionary Attack Easy Easy-Medium Difficult Difficult
Table 3: Summary of different authentication protocols and their impact on the system security and performance
4.3 RELAY ATTACK
Several techniques were suggested in [38] to protect the passive
vehicle access system from a relay attack. One suggestion that is vaguely
investigated in the article is the use of two frequency tones. The CID
simultaneously transmits two frequency tones in response to an interrogation
message. Since the communication range between the vehicle and the CID
is limited to a short distance, the two tones are transmitted with low power. If
a larger distance than the transmitted two tones range separates the CID and
the vehicle, the thieves’ repeater is required to amplify the two tones with a
certain amplification gain. As a result of the repeater amplification, some
harmonics are generated that fall in the band of the two tones. The article of
Schmitz et. al. [38], is ambiguous, and it didn’t clearly explain the details of
the solution. It did not clarify whether the vehicle’s receiver detects the
harmonics to flag the presence of the repeaters, or the harmonics cause a
Page 125
114
corruption of the two tones transmitted. A drawback of such a solution is the
assumption made in regard to the theft repeaters equipment concerning the
amplifier stage. The article assumes that the thieves are equipped with a low-
end amplifier stage that will be driven into the saturation region to generate
the in-band harmonics.
The main issue with the relay attack is that the thieves have full
access to the CID via wireless communication, just as if they are the
vehicle’s owners. They use the CID as a valid authentication device to
encrypt or decrypt the messages from the vehicle. This means that any
cryptographic solution based on the communication link presented in Section
2.5.2 only will be subject to this attack. The need to solve this problem
requires the search for a solution that is not based on cryptography alone,
but also on the use of the signal physical quantities or communication link
attributes to distinguish between the presence and absence of the repeaters.
4.3.1 RELAY SOLUTION CATEGORIES
It is important to emphasize that our objective is not to detect the
presence or absence of the repeater as much as to develop a solution to
protect the system from the relay attack. Two different strategies can be
used to develop a solution against the relay attack:
4.3.1.1 REPEATER DETECTION
All solutions in this category are based on the system capability to
detect the presence of the repeaters. One physical difference between
Page 126
115
presence and absence of the repeater network is the communication range
between the vehicle and the CID. There are several ranging techniques. The
vehicle may detect the presence of repeaters between the vehicle and the
CID by measuring the time the signal takes to travel from the vehicle to the
CID and back to the CID. If the signal travel time is greater than a preset
threshold value, the vehicle concludes that a repeater exists between the
vehicle and the CID. Though measuring the signal travel time is a reliable
method to detect the distance between the vehicle and the CID, it requires a
high-speed electronic devices that may be expensive for automotive
applications.
4.3.1.2 SIGNAL CORRUPTION
In this category, the system is designed such that the communication
links between the vehicle and the CID are corrupted if a repeater exists in the
communication link. The method used in [38] may fall in this category. The
presence of the harmonics as a result of amplification falls in the same band
of the two tones may cause the received two tones to be corrupted. Other
method that we developed to solve the problem is based on feedback of the
transmitted signal that causes corruption if the repeaters are present in the
loop. The feedback solution based on signal corruption is described in
Section 4.3.2.
While maintaining the system security is a crucial part of the passive
access system design, the following key objectives have to be met for the
passive access system to be acceptable by the automotive industry.
Page 127
116
The system is produced for the automotive industry at a high volume,
thus a low cost design is very desirable.
The system is intended to increase the user comfort. This requires fast
and smooth operation that is transparent to the user.
The system has to work reliably under various environmental
conditions, such as variable temperature, acceptable noise
interference, etc.
The solution we presented in Section 4.3.2 is carefully designed to
secure the communication link against the relay attack as well as satisfy the
above key objectives.
4.3.2 FEEDBACK SOLUTION
In order to protect the vehicle from the relay attack, we define a new
communication protocol that requires a bi-directional RF communication link
along with the unidirectional LF communication link. The communication
protocol is shown Figure 22.
R
LF RF2
T T
T
RVeh
CID
RF1
Figure 22: Communication between the vehicle and the CID using a unidirectional LF link and a bi-directional RF link.
Page 128
117
The protocol is initiated first by sending an LF signal from the vehicle
to CID upon vehicle trigger. The LF signal is used for two purposes: 1) it
provides better control over the communication range, and also 2) it provides
a wake up mechanism for the CID from a battery saving mode. Some other
system design specifications also require the LF supporting hardware to be
there for battery-less backup mode. The interesting part is in the RF
communication. One of the key design requirements is to have the CID and
the vehicle to communicate at the same frequency. This means that the RF
link from the CID to the vehicle will use the same frequency as the frequency
of the RF link from the vehicle to the CID. After the vehicle sends the LF
signal, it sends RF1 packet. This packet may contain some identification and
challenge code. In response to the RF1 packet, the CID then sends RF2
packet. Note that both RF1 and RF2 packets are transmitted using the same
frequency.
Now let’s try to understand how the system is going to be protected
against the relay attack. Let us assume that a thief does not know the exact
format of the communication protocol. This is a valid assumption unless the
thief was a prior employee of the company that developed the protocol, or
the thief has vast knowledge about the communication mechanism and spent
some time in studying the communication timing of the signals between the
vehicle and the CID. To proceed with the discussion, let us assume for now,
the thieves don’t know exactly what time the vehicle will be transmitting and
what time the CID will be responding. Since the thieves have no knowledge
Page 129
118
regarding the communication timing, they are required to keep their
repeaters on all the time. So, after a vehicle trigger by a thief, there is a
continuous transmission among the vehicle, the two thieves and the CID as
shown in Figure 23.
f1ff'
f2
f' f"
Thief-1Thief-2Ownerwith CID
Figure 23: Communication between the owner and the vehicle with the two thieves in the loop.
A third repeater, not shown in the figure for simplicity, is assumed to
be in the loop to repeat the LF signal from the vehicle to the CID. The vehicle
sends its RF packet using carrier frequency f. Thief-1 first receives the
vehicle’s signal through his/her receiver. Thief-1 then modulates, amplifies
and sends the signal to Thief-2 using carrier frequency f1. Thief-2 then
demodulates the signal and sends it to the CID using carrier frequency f.
However, the receiver of the second repeater of Thief-2 is on and listening at
the same frequency. Thus, the receiver of the second repeater of Thief-2 will
also receive the same signal that is being transmitted by his/her own
transmitter of the first repeater. The transmitter of the second repeater of
Thief-2 will then send the same signal, received from the vehicle, to Thief-1
via carrier frequency f2. Thief-1 will then demodulate and transmit this signal
Page 130
119
to the vehicle. Since the receiver of the first repeater of Thief-1 is also on all
the time, the signal that is sent to the vehicle by the second repeater of Thief-
1 will also be picked up by the receiver of the first repeater of Thief-1. As a
result, a feedback occurs within the loop of Thief-1 and Thief-2. Since the
vehicle is still sending an RF message to the CID, the feedback signal will
get added with this RF message. As a result, the RF message from the
vehicle to the CID will get distorted. After that, the CID will not be able to
understand the message sent by the vehicle. Thus, the CID will not respond
to this signal, and thereby Thief-1 will not be able to enter into the vehicle.
Two kinds of distortion may occur in the message
i) Both the amplitude and phase of the transmitted signal will have
nonlinear distortions in the signal components due to the presence of
feedback channel. The non-linear distortion corrupts the
communicated signal between the CID and the Vehicle. As a result of
signal corruption, neither the CID nor the vehicle will be able to
understand each other messages. This phenomena will be more
analyzed in Section 4.3.3.
ii) The second kind of distortion occurs due to inter-symbol interference.
When the vehicle or the CID transmits a new symbol, the signal for the
previous symbol remains in the loop due to the presence of positive
feedback. Similar distortions may occur within the same symbol if
encoding techniques like manchester or pulse width modulation is
Page 131
120
used. The presence of these types of distortions will also prevent the
CID and the vehicle from understanding the communication signals.
The bi-directional RF link that we used between the CID and the
vehicle in order to come up with a solution for the relay attack also provides
another advantage in terms of reducing the system authentication process.
This is due to the ability to send information from the vehicle to the CID via
the RF link as opposed to the LF link. Typically, a higher bit rate can be
transmitted via RF link compare to LF link. A higher bit rate means faster
communication, and faster communication might lead to the elimination of
some hardware that may be needed for fast and smooth operation. As a
result there may be a big savings in costs of parts and labor.
4.3.3 FEEDBACK SIGNAL ANALYSIS
Figure 24 shows the feedback loop between Thief-1 and Thief-2. The
signal from the vehicle to Thief-1 is represented by x(t) and the signal from
Thief-2 to the CID is represented by y(t). The time delay between Thief-1 and
Thief-2 is τ. For simplicity of the analysis we assume the time delay (τ)
between the two thieves is identical in both direction. The time delay
depends on the distance between the two thieves, and the propagation delay
through different components, such as filters, mixers, etc., of each repeater.
Page 132
121
Figure 24: The feedback loop between Thief-1 and Thief-2
In time domain, the signals x(t) and y(t) are related as:
)2()()( 211 ττ −+−= tyGGtxGty
Let X(ω) and Y(ω) be the frequency responses of x(t) and y(t),
respectively. X(ω) and Y(ω)are related as:
ωτωτ ωωω 2211 )()()( ji eYGGeXGY −− +=
Hence, the transfer function of the feedback loop can be expressed
as:
ωτ
ωτ
ωωω 2
21
1
1)()()( j
j
eGGeG
XYH −
−
−==
−
+− −
−+= )2(1
)2(tan
2122
21
1 21
211
)2(21ωτ
ωττ
ωτCosGG
SinGGwj
eCosGGGG
G
The amplitude of the signal can be expressed as
Page 133
122
)2(21|)(|
2122
21
1
ωτω
CosGGGG
GH−+
=
and the phase of the signal can be expressed as
)2(211
)2(211tan)(ωτ
ωττϖφ
CosGG
SinGGw
−−+=
It is clear that the magnitude and phase characteristics of the
feedback loop channel cause a non-linear distortion for the different
frequency components of the transmitted pulse. Such distortion is similar in
nature to the distortion caused by multi-path effect [30]. Different equalization
techniques can be used to partly correct for such distortion [30]. However,
these techniques have to be built in the vehicle and the CID receivers,
something that the thieves have no control over. Thus, the above solution will
protect the vehicle from the simple attack by two thieves.
4.3.4 FEEDBACK COUNTER MEASURE ATTACK
Once the passive access system is in production, all the
communication protocol timing is defined. The protocol sequence of the
communicated packets and the dead time between packets are fixed. If the
thieves gain knowledge about the timing of the packets and the dead time in
between, then they could develop a counter measure attack against the
feedback solution presented in Section 4.3.2. By knowing the communication
timing, the thieves can switch on and off their transmitters and receivers to
avoid the feedback loop. The repeaters could be designed to automatically
Page 134
123
turn on and off during the dead time based on the packet timing and the
predefined signal direction. This way the thieves may avoid any feedback
and interference in their signals. However, designing a system that
automatically turns on and off may requires high-speed and complex
electronic circuits. As a result, the repeaters may be too expensive to build.
But, if such repeaters are built then the thieves may be able to break the
security. Keep in mind, that in order to break the security by turning on and
off the repeaters, the thieves must have a prior knowledge about the format
and timing of the communication protocol. Knowing the communication
protocol timing may not be hard to do once the system is designed and in
production. A simple method is to use a vector analyzer to monitor the
communication timing upon vehicle trigger.
4.3.5 SECURE PROTOCOL
A counter measure to the feedback counter measure attack presented
in the previous section is the design of a secure protocol. We have
developed a secure protocol in order to protect the passive access system
from this attack. The idea behind developing this protocol is to prevent the
thieves from knowing the exact timing and direction of the RF packets. The
protocol is based on changing the timing and direction of the packets for
every transmission. This protocol will guarantee system security even if the
thieves have all the knowledge regarding system design and communication
protocol.
Page 135
124
The communication protocol starts with an LF signal upon vehicle
trigger. The LF signal wakes up the CID from sleep mode. It also establishes
a time reference for the RF communication to come. If multi-channel is
supported in the communication protocol, the LF signal may contain some
additional information such as the RF communication channel number. It
could also contain some wake up pattern to reduce system interference from
other sources. Three RF packets are communicated following the LF signal
as shown in Figure 25.
R
LF RF2 RF3
T T
T
RVeh
CID
RF1
Figure 25: Communication protocol for the solution.
These RF packets are summarized as follows:
The content of RF1 packet is an encrypted data that contains
information regarding the transmission direction of the data bits in the
second packet (RF2). The contents of RF1 packet changes every time
the system is activated. Since the content of RF1 packet is encrypted,
and different encryption key is used for different vehicle/CID pairs,
there is no way the thieves can know what is going to be the contents
of RF1 packet for every trigger. Note that even if the thieves were
employees of the company that has designed the passive entry
Page 136
125
security system, they don’t know what encryption key is used for
which vehicle. Thus, they can’t read the contents of RF1 packet.
RF2 packet consists of several mini packets. Each mini packet
consists of data bit(s) that is transmitted from either direction. The
direction of each mini packet is defined and deduced from the
decrypted information received from RF1 packet. The contents of the
packets exchanged between the CID and the vehicle are used along
with other encryption keys to build the RF3 response packet as shown
in Figure 26.
RF1 / RF2 information
Encryption key EncryptionAlgorithm RF3
Figure 26: Encryption of the Communication Protocol
RF3 packet concludes the protocol. It contains the CID’s unique
signature and response to the previous packets. The vehicle checks
this packet and compares it to its pre-calculated response. If all match,
the control unit authorizes access to the vehicle. Note that only the
authorized CID has the same identical encryption key used by the
vehicle to build the proper RF3 response packet.
If the above secure protocol is used, then the thieves will not know the
timing and direction of the RF2 packets. Thus, the thieves will have to keep
Page 137
126
their transmitters and receivers on all the time. And if they do that, then there
will be feedback in the communication channel between the vehicle and CID.
As a result, the signal will be distorted and unreadable by the CID and
vehicle.
The only way the thieves can break the passive vehicle security
system is if somehow they can avoid feedback in the communication channel
between the vehicle and the CID. In the next section we described another
technique in which the thieves can break the feedback to avoid signal
distortion. However, in order to break the feedback loop three thieves are
necessary. Thus, we are calling this type of attack as the ‘three-thief attack’.
A solution for the three-thief attack is presented in Section 4.3.7.
4.3.6 THREE THIEF ATTACK
The solution presented in the previous section protects the vehicle
against an attack by two thieves. But if three thieves come, they can still
attack the passive access security system by breaking the feedback loop that
exists in the solution for the two-thief attack. If the feedback loop can be
broken, then the signals will not get distorted. As a result, both the CID and
the vehicle will be able to understand and validate the signals, and then the
thieves will be able to access the vehicle.
One thief, Thief-2, will stay close to the owner of the vehicle carrying
the CID, and the other two thieves, Thief-1 and Thief-3, will stay close to the
vehicle as shown Figure 27.
Page 138
127
Figure 27: Positions of the thieves, the CID and the vehicle in a three-thief attack problem.
Thief-1 initiates the vehicle trigger to start the communication. Focus
on the RF side, the vehicle starts transmitting using frequency ‘f’. Thief-1 will
receive the signal from the vehicle and then send it to Thief-2 using
frequency ‘f1’. Thief-2 will send the signal to the CID using frequency ‘f’. The
CID will respond using frequency ‘f’. Thief-2 will receive this signal from the
CID and then send it to Thief-3 using frequency ‘f2’. Thief-3 will receive this
signal from Thief-2 and then send it to the vehicle using frequency ‘f’. The
distance between Thief-1 and Thief-3 is far enough so that Thief-1’s receiver
can’t pick up the signal sent by Thief-3. However, both of them are close
enough to the vehicle so that the vehicle can pick up the signal sent by Thief-
3 and Thief-1 can pick up the signal sent by the vehicle. The three thieves
will be able to break the feedback loop due to the following two reasons:
i) The link between Thief-1 and Thief-2 uses a different frequency than
the link between Thief-2 and Thief-3. Hence, when Thief-1 sends
signals to Thief-2, Thief-3’s receiver can’t pick up that signal. Similarly,
Page 139
128
when Thief-2 sends signals to Thief-3, Thief-1’s receiver can’t pick up
that signal either.
ii) Thief-1 is far enough away from Thief-3. Hence, when Thief-3 sends
signals to the vehicle, Thief-1’s receiver can’t detect that signal. As a
result, there is no feedback among the thieves.
Hence, if the feedback loop is broken using the above mechanism, the
signals will not be distorted and as a result the thieves will gain access to the
vehicle.
4.3.7 TWO POWER LEVELS COUNTER MEASURE
Here a solution is presented to protect the vehicle from the three-thief
attack. This solution requires that the CID has to transmit its signals using
two different power levels. Some bits will be transmitted at low power levels
and some other bits will be transmitted at high power levels. The vehicle,
after receiving the signal from the CID, will check for the difference in power
levels of the bits. If the power level difference is the same as the expected
difference and if all other authentication checks pass, then the vehicle will
validate the signals received from the CID. So, the key technique behind this
solution is to maintain the power level difference in the signals from the CID
to the vehicle. If the thieves try to break the feedback loop, then Thief-1 and
Thief-3 must separate themselves by enough distance so that the high power
signal can’t reach Thief-1 from Thief-3. But, if they separate themselves by
that much distance, then at least one of them will be too far away from the
Page 140
129
vehicle. If Thief-3 is too far away from the vehicle, then the vehicle will not be
able to pick up the low power signal from Thief-3. But, if Thief-1 is too far
away from the vehicle, then Thief-1 will not be able to receive the signals
sent by the vehicle. As a result, the communication link between the vehicle
and the CID will be broken. If the communication link is broken then the
vehicle and the CID will not receive each other messages. Therefore, the
thieves will not be able to gain access to the vehicle. The analysis in the next
section proves the concept. First, it shows that if the thieves try to maintain
the communication range between the vehicle and the CID by keeping Thief-
1 and Thief-3 closer to the vehicle then there will be feedback in the signals.
Second, if the thieves try to avoid feedback in the signals, by keeping Thief-1
and Thief-3 far enough away from each other, then either the vehicle will not
receive the signals from the CID via Thief-2 and Thief-3, or Thief-1 will not
receive any signals from the vehicle. Thus, the thieves will not get access to
the vehicle.
4.3.8 TWO POWER LEVELS ANALYSIS
Let PT be the power transmitted by a transmitter and PR be the power
received by a receiver. The received power in dbm is given by the following
equation [17], where dbm means decibel with respect to one-milliwatt power.
−=
CfdPP TR
π4log20
Page 141
130
)log(204log20 dC
fPT −
−= π (4.3.8-1)
Where:
f : is the carrier frequency,
d : is the distance between the transmitter and the receiver, and
C : is the speed of light.
For a given carrier frequency f, the term 20log(4πf/C) is a constant.
Let’s assume that
k = 20log(4πf/C)
The received power can then be expressed as
)log(20 dkPP TR −−= (4.3.8-2)
The following notations are used in our analysis:
d1 : The distance between Thief-3’s RF transmitter and vehicle’s RF
receiver, and it is just small enough for the vehicle to receive the low
power signal transmitted by Thief-3.
d2 : The distance between vehicle’s RF transmitter and Thief-1’s RF
receiver, and it is just large enough for Thief-1 not to receive the high
power signal transmitted by Thief-3, so that the feedback in the loop
can be avoided.
Page 142
131
PTH : High power level, in dbm, transmitted by the CID
PTL : Low power level, in dbm, transmitted by the CID. Note, the vehicle will
also transmit all of its signals at this power level.
PRH : Received power level at the vehicle when the CID transmits high
power level PTH.
PRL : Received power level at the vehicle when the CID transmits low power
level PTL.
PTH3 : High power level, in dbm, transmitted by Thief-3
PTL3 : Low power level, in dbm, transmitted by Thief-3
PRH1 : This is the power level, in dbm, at which Thief-1 receives the high
power signal transmitted by Thief-3.
PSV : Sensitivity, in dbm, of the receivers of the CID and vehicle. This
means that the signals, when they arrive at the receivers of the CID or
vehicle, must have at least this much power for them to be detected
by the CID or vehicle.
PS1 : Sensitivity, in dbm, of Thief-1’s receiver. Note that, PSV and PS1 need
not be the same, because the thieves can design their hardware to
have different sensitivity.
Pdiff : Difference in transmitted power levels, in dbm, from the CID
Page 143
132
dr : Range of vehicle’s as well as CID’s signals. This means that when the
thieves are not in the loop, the CID must be within a distance of dr
from the vehicle’s transceiver for the vehicle and CID to exchange
messages.
dr1 : Thief-1 must be within a distance of dr1 from the vehicle’s transceiver
for Thief-1 to detect the signals transmitted by the vehicle. Note that,
dr and dr1 need not be the same, because PSV may not be the same as
PS1. If Thief-1 uses a very high-sensitivity receiver then dr1 will be
greater than dr. On the other hand, if the sensitivity of Thief-1’s
receiver is very low, then dr1 will be less than dr.
Let the CID be at a distance of d from the vehicle, where d < dr. Using
Equation (4.3.8-2) we can express PRH and PRL as
)log(20 dkPP THRH −−= (4.3.8-3)
)log(20 dkPP TLRL −−= (4.3.8-4)
Equations (4.3.8-3) and (4.3.8-4) imply that
TLTHRLRHdiff PPPPP −=−= (4.3.8-5)
Hence, the difference between the received power levels, in dbm, is
the same as the difference between the transmitted power levels. The power
level difference of the CID’s transmitted signals is a known parameter to the
vehicle. Thus, after receiving signals from the CID, the vehicle will measure
Page 144
133
the power level difference of the signals, and if this difference is not equal to
the expected value, then the vehicle will not validate the signals even if all
other authentication checks are valid.
The RF transmitter and receiver of the vehicle are located at the same
place inside the vehicle. The manufacturer of the vehicle can select an
appropriate location inside the vehicle where the RF transmitter and receiver
can be installed. The thieves don’t have any control over this location.
However, the thieves can control the values of d1 and d2, shown in Figure 28,
by adjusting the gain of Thief-3’s hardware and the sensitivity of Thief-1’s
receiver.
Figure 28: Positions of Thief-1, Thief-3 and the vehicle.
When the CID is within a distance of dr from the vehicle, the vehicle’s
receiver must be able to detect the low power signal transmitted by the CID.
Hence, using Equation (4.3.8-2) we get
)log(20 rTLSV dkPP −−= (4.3.8-6)
Page 145
134
When Thief-3 is within a distance of d1 from the vehicle, the vehicle’s
receiver must be able to detect the low power signal transmitted by Thief-3.
Hence, using Equation (4.3.8-2) we get
)log(20 13 dkPP TLSV −−= (4.3.8-7)
From Equations (4.3.8-6) and (4.3.8-7) we get
=−
rTLTL d
dPP 1
3 log20 (4.3.8-8)
When Thief-1 is within a distance of dr1 from the vehicle, Thief-1’s
receiver must be able to detect the signals transmitted by the vehicle. Hence,
)log(20 11 rTLS dkPP −−= (4.3.8-9)
Since d2 is large enough for Thief-1 not to detect the high power signal
transmitted by Thief-3, we can write PRH1 < PS1, where the value of PRH1 is
)log(20 2131 ddkPP THRH +−−= (4.3.8-10)
Now using Equations (4.3.8-9) and (4.3.8-10) and the relation
PRH1<PS1 we get
( ) ( 1213 log20log20 rTLTH dkPddkP −−<+−− )
i.e.
+<−
1
213 log20
rTLTH d
ddPP
Page 146
135
i.e.
+<−+
1
213 log20
rTLTLdiff d
ddPPP
Note that, PTH3 = Pdiff + PTL3
Using Equation (4.3.8-8) we can write the above expression as
+<
+
1
211 log20log20rr
diff ddd
dd
P
i.e.
+<
11
21 )(log20
r
rdiff dd
dddP
i.e.
+<
1
2
11
*log20r
r
r
rdiff d
ddd
dd
P
If the thieves can satisfy the above expression then there will be no
feedback in the loop. Thus, if the thieves can satisfy the above expression
without breaking the communication link between the CID and vehicle, then
they will be able to get into the vehicle. Now we are going to show that the
thieves will not be able to satisfy the above expression if we appropriately
select a value of Pdiff. In order for the communication link between the CID
and the vehicle not to be broken by the thieves, Thief-1 must be within a
distance of dr1 from the vehicle. Hence, d2 ≤ dr1, and the maximum value of
d2/dr1 = 1. Thus, the thieves need to satisfy the following condition
+<
11
log20dd
dd
P r
r
rdiff
Page 147
136
The value of the parameter dr is a design parameter that is determined
by the manufacturer of the vehicle security system. The thieves don’t have
any control over the value of this parameter. A typical value, possibly the
maximum value, of dr can be 2 meters. This means that, when the thieves
are not in the loop, the CID must be within a range of 2 meters from the
vehicle’s transceiver for the CID and vehicle to receive each other signals. A
value of more than 2 meters for dr doesn’t make any sense, because when
the owner with the CID initiates the vehicle trigger, the CID will not be more
than 2 meters away from the vehicle’s transceiver, unless the owner is a
giant with a really long arm.
The thieves have control over the parameter d1 and dr1. Hence, for a
given value of Pdiff, the thieves will try to satisfy the above expression by
selecting the minimum values of d1 and dr1. The minimum value of d1 as well
as dr1 is the distance between the vehicle’s transceiver and the vehicles
exterior side. If the vehicle’s transceiver is located halfway between the doors
of the two sides of the vehicle, then the minimum value of d1 and dr1 can’t be
less than 0.5 meter. So, if dr = 2 meters and d1=dr1 = 0.5 meter, then the
above expression becomes
+<
5.02
5.02log20diffP
i.e. Pdiff < 18.062 dbm
Page 148
137
Hence, if the difference between the two transmitted power levels from
the CID is higher than 18.062 dbm, the thieves will not be able to get into the
vehicle.
In the above solution for the three-thief attack problem we assumed
that two thieves will be standing near the vehicle and one thief will be
standing near the CID. The thieves can also break the feedback loop by
keeping two thieves, Thief-2 and Thief-3, near the CID and Thief-1 near the
vehicle. Thief-1 will initiate the communication by pulling a door handle.
Thief-1 will receive signal from the vehicle and send it to Thief-2. Thief-2 will
then send the signal to the CID. Thief-3 will collect the response from the CID
and send it to Thief-1. Thief-1 will then send the response to the vehicle. In
order to break the feedback loop, Thief-2 and Thief-3 must be far enough
from each other so that Thief-3 doesn’t pick up the signal sent by Thief-2.
And also they must be close enough to the CID so that the CID can pick up
Thief-2’s signal and Thief-3 can pick up the response from the CID. In this
case the vehicle has to send the signals using two different power levels.
However, this type of attack using two thieves near the CID and one thief
near the vehicle is not that realistic. This is not realistic because if the two
thieves try to do something in order to manipulate the distance among the
owner of the vehicle and themselves, then the owner may become
suspicious about the thieves’ activities.
Page 149
138
CHAPTER 5
CONCLUSIONS
Passive access system for vehicles is the new generation of keyless
entry. Several security weaknesses against the system have been identified.
These security weaknesses are due to the unlimited access to the vehicle
door handle and to the CID response that can be solicited without the
owner’s knowledge. The security weaknesses were classified into three
different categories based on the attacker’s approach. The first category is
the deterministic approach. In this category we identified two different
methods, playback attack and relay attack. The second category is the
statistical approach. In this category we identified scanning attack and
dictionary attack. The third category is the analytical approach. In this
category we identified cryptanalysis attack and challenge prediction attack.
Identifying the security weaknesses and possible threats are the first
step in the design process towards a secure system. The second step is to
analyze and measure each one of these threats. In Chapter 3 we focus our
effort on the analysis of each individual threat. These analyses were an
important step in identifying the security parameters and measures. The
security parameters were then weighted against other system requirements
to balance between security and system performance. To facilitate our
analysis for several threats, we introduced a random challenge model in
Section 3.5 and methods for measuring security in Section 3.6.
Page 150
139
In Chapter 4, we focus our efforts on providing solutions to two of the
most challenging attacks, dictionary attack and relay attack. The dictionary
attack was addressed by developing a unique authentication mechanism that
is fast and secure. The solution was based on cryptography and the use of
random numbers and vehicle identification code. The relay attack is an
easier attack to perform, however, it was the most difficult attack to
counterfeit. For this attach we proposed a solution that is based on
cryptography and communication theory. The solution was presented into
three different incremental steps. The first step presents a solution that is
based on signal corruption due to feedback if a repeater exists in the
communication link between the CID and the vehicle. Two thieves with
higher level of intelligence and more sophisticated attack equipment can
break the feedback loop presented in the first step. The second step
presents a unique use of cryptography to encrypt information regarding the
signal direction. This step prevents any two thieves from breaking the
feedback loop presented in the first step. However, if there are three thieves
with more sophisticated equipment they could still break the feedback loop
by power manipulation. Step three presents a solution that is based on the
use of two power levels to protect the system against three thieves or more.
Page 151
140
CHAPTER 6
FUTURE RESEARCH
Imagine the possibility of having the ability to diagnose your vehicle
without driving to the dealer, simply by using an internet browser that
connects you directly to the vehicle and perform the necessary test. Imagine
the possibility of having the ability to access personal information such as
your bank account from your vehicle without going through the drive-through.
Imagine the possibility of being able to trade your stocks while you are
driving in the middle of nowhere. Imaging the possibility of having a mobile
office where information is available to you anywhere anytime you want. The
emerging technology of wireless communication and the availability of
information via the internet make such imaginations possible for the next
generation vehicles. While there is a treasure of features that can be made
possible and available to the users, there are the hackers who should be
prevented from gaining access to these features. Developing security
procedures that make the system available and convenient to use at the
same time prevent the hackers from using it is an ongoing research area.
Page 152
141
APENDIX A - ACRONYMS
RKE : Remote Keyless Entry
CID : Customer Identification Device
OW : Operation Window
PIN : Personal Identification Number
CDF : Cumulative Distribution Function
PDF : Probability Distribution Function
VID : Vehicle Identification
ECU : Electronic Control Unit
RFID : Radio Frequency Identification Device
RAM : Read Access Memory
ROM : Read Only Memory
Page 153
142
REFERENCES
[1] DG Abraham, GM Dolan, GP Double, JV Stevens, “Transaction
Security System”, in IBM system Journal, v 30 no 2 (1991), pp. 206-229
[2] R. Anderson, M. Kuhn, “Tamper Resistance – a cautionary note”, The
Second USENIX Workshop on Electronic Commerce Proceedings,
Oakland, California, November 18-21, 1996, pp. 1-11.
[3] E. Biham, “New Types of Cryptanalytic Attacks Using Related Keys”,
Advances in cryptology – EUROCRYPT ’93, Springer-Verlag, 1994, pp.
398-409
[4] E. Biham, A. Shamir, “Differential cryptanalysis of DES-like
cryptosystem”, Advances in Cryptology, CRYPTO ’90 Proceedings,
Berlin Springer-Verlag, 1991, pp. 2-21
[5] E. Biham, A. Shamir, “Differential cryptanalysis of DES-like
cryptosystem”, Journal of Cryptology, v. 4, n.1, 1991, pp. 3-72
[6] E. Biham, A. Shamir, “Differential cryptanalysis of Feal and N-Hash”,
Advances in Cryptology, EUROCRYPT ’91 proceedings, Berlin
Springer-Verlag, 1991
[7] E. Biham, A. Shamir, “Differential cryptanalysis of Snefru, Khafre,
REDOC-II, LOKI,and Lucifer”, Advances in Cryptology-CRYPTO ’91
proceedings, Berlin Springer-Verlag, 1992
[8] W. Diem, “Smart Card Opens the Door”, AutoTechnology, January
2001, pp 32-33
[9] J. Duquette, D. Juzswik, G. Fischer, B Dunbridge, “Smart Automotive
Keyless Entry – An Application of Advanced Digital Communications
Signal Processing”, Technology Review Journal, Millennium Issue,
Fall/Winter 2000, pp. 107-116, TRW, Cleveland, Ohio, USA.
[10] J. Garnault “Hands-Free System for Unlocking and/or Opening an
Openable Member of Motor Vehicle”, US Patent number 5929769.
Assigned to Valeo Security Habitacle
Page 154
143
[11] J. Gordon, “Designing Codes for Vehicle Remote Security Systems”,
Concept Laboratories Ltd. And Police Science Development Branch,
Herfordshire, G.B., 1994, pp. 1-22
[12] J. Gordon, U. Kaiser, T. Sabetti, “A Low Cost Transponder for High
Security Vehicle Immobilizers”, Proceedings of ISATA ’96, Florence,
Automotive Electronics, 96AE001
[13] GOST, Gosudarstvennyi Standard 28147-89, “Cryptographic Protection
for Data Processing Systems”, Government committee of the USSR for
standards, 1989
[14] P. Hellekalek, “Good Random Number Generators are (not so) Easy to
Find”, Mathematics and Computers in simulation, Elsevier Science B.V.,
1998, pp. 485-505
[15] M. Hirano, M. Takeuchi, K. Nakano, “Keyless Entry System for
Automotive Vehicle with Power consumption Saving Feature”, US
Patent number 4688036. Assigned to Nissan Motor Company.
[16] M. Hirano, M. Takeuchi, T. Tomoda, and K. Nakano, “Keyless entry
system with radio card transponder”, IEEE Transactions on Industrial
Electronics, vol 35, No.2, pp. 208 – 216, May 1988
[17] Walt Husak, Charles Einolf, and Stan Salamon, “On-Channel Repeaters
for Digital Television Implementation and Field Testing”, Presented at
the NAB99 Broadcast
[18] D. Juzswik, “Evolving Automotive Access Systems”, proceedings of the
4th International conference on Vehicle Electronic System 2001,
Coventry, UK, June 2001, pp. 8.2.1-8.2.7, ERA Technology Ltd., 54
Lombard Street, London EC3V 9EX, UK.
[19] D. Kahn, “The Codebreakers: The Story of Secret Writing”, New York,
Macmillam Publishing,1967
[20] J. Kelsey, B. Schneier, D. Wagner, “key-schedule cryptanalysis of
IDEA, G-DES, GOST, SAFER, and triple-DES”, advances in cryptology,
CRYPTO ’96, Springer-Verlag, 1996, pp. 237-251
Page 155
144
[21] K. Khangura, N. Middleton, M. Ollivier, “Vehicle Anti-Theft System Uses
Radio Frequency Identification”, proceedings of Colloquium on Vehicle
Security System, October 8, 1993, digest 1993-178, C. 1993, IEE.
[22] L. Knudsen, “Cryptanalysis of LOKI91”, Advances in Cryptology -
AUSCRYPT ’92, Springer-Verlag, 1993, pp. 196-208
[23] D. Knuth, “The Art of Computer Programming”, Volume 2,
Seminumirical Algorithms, 2nd edition, Addison-Wesley, 1981
[24] H. Krawczyk, “How to Predict Congruential Generators”, Advances in
Cryptology-CRYPTO’89, Volume 435 of Lecture Notes in Computer
Science, pp. 138-153, Springer-Verlag. 1990
[25] H. Krawczyk, “How to Predict Congruential Generators”, Journal of
Algorithms, v. 13, n. 4, December 1992
[26] P. L’Ecuyer, “Efficient and Portable Combined Random Number
Generators” Communications of the ACM, V. 31, N. 6, June 1988, pp.
742-749
[27] P. L’Ecuyer, “Random Numbers for Simulation”, Communications of the
ACM, v. 33, n. 10, October 1990, pp. 85-97
[28] D. Labonde, “Motor Vehicle Security System”, US Patent number
5682135. Assigned to Kiekert AG
[29] X. Lai, J. Massey, S. Murphy, “Markov Cipher and Differential
Cryptanalysis”, Advances in Cryptology, CRYPTO ’91, Springer-Verlag,
1996, pp. 252-267
[30] B.P. Lathi, “Modern Digital and Analog Communication Systems”, HRW
Series in Electrical and Computer Engineering, NY, 1983
[31] K. Marneweck, “An introduction to keeloq code hopping”, TB003
application notes from Microchip technology Inc. 1996, Chandler,
Arizona.
[32] J. Massey, “SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm”,
Fast Software Encryption, Cambridge Security Workshop Proceedings,
Springer-Verlag, 1994, pp. 1-17.
Page 156
145
[33] E. Mayne, “Genetic Re-Engineering”, Ward’s AutoWorld, June 2001, pp.
34-35, Intertec Publishing Corp., 9800 Metcalf, Overland Park, KS,
66212-2215.
[34] Microchip Inc, Data sheet for HCS300, “Keeloq Code Hopping Encoder”
,Microchip Technology Inc., 2355 West Chandler Blvd., Chandler, Az,
85224-6199
[35] Microchip Inc, Data sheet for HCS410, “Keeloq Code Hopping Encoder
and Transponder” ,Microchip Technology Inc., 2355 West Chandler
Blvd., Chandler, Az, 85224-6199, 2001
[36] Microchip Inc, Data sheet for HCS412, “Keeloq Code Hopping Encoder
and Transponder” ,Microchip Technology Inc., 2355 West Chandler
Blvd., Chandler, Az, 85224-6199, 2000
[37] K. Nakano, M. Takeuchi, “Automotive Keyless Entry System
Incorporating Portable Radio Self-Identification Code Signal
Transmitter”, US Patent number 4794268. Assigned to Nissan Motor
Company.
[38] S. Schmitz, J. Kruppa, P. Crowhurst, T. Oexle, and W. Ulke, “New door
closure concept”, September 2000 issue of the Automotive Engineering
International, SAE, pp. 118-120, vol. 108, No. 9
[39] B. Schneier “Applied Cryptography”, John Wiley & Sons, 1994
[40] C. Shannon, “The Mathematical Theory of Communication”, University
of Illinois Press, 1963
[41] M. Simon, C. Luebke, “Keyless Motor Vehicle Entry and Ignition
system”, US patent Number 5937065, Assigned to Eaton Corporation,
August 10, 1997
[42] D. Smith, “Passive Keyless Entry, Latest from Lectron”, Ward’s Auto
World, July 1993, pp 111, Intertec Publishing Corp., 9800 Metcalf,
Overland Park, KS, 66212-2215.
[43] M. Stippler, “Antitheft Device for a Motor Vehicle and Method for
Operating the Antitheft Device”, US Patent number 6218932, Assigned
to Siemens Aktiengesellschaft
Page 157
146
[44] G. Thomas Jr, R. Finney, “Calculus and Analytic Geometry”, 9th edition,
Addison-Wesley Publishing Company, 1996
[45] Texas Instruments, “TIRIS Automatic Recognition of consumers”;
Application notes, 5000 series reader system, Texas Instruments,
13536 North Central, Dallas, Texas 75243.
[46] Texas Instruments, “TIRIS News”; International newsletter of the TIRIS
group, Issue No. 19, 1999, Texas Instruments, 13536 North Central,
Dallas, Texas 75243.
[47] T. Tomoda, M. Takeuchi, K. Nakano, “Pocket-Portable Radio Code
Signal Transmitter for Automotive Keyless Entry System”, US Patent
number 5111199. Assigned to Nissan Motor Company.
[48] T. Tomoda, M. Takeuchi, K. Nakano, M. Hirano, “Keyless Entry System
for Automatically Operating Automotive Door Locking Devices Without
Manual Operation”, US Patent number 4763121. Assigned to Nissan
Motor Company.
[49] T. Waraksa, K. Farley, R. Kiefer, D. Douglas, and L. Gilbert “Passive
keyless Entry System”, US Patent number 4942393. Assigned to
Lectron Products Inc.
[50] T. Waraksa, K. Farley, R. Kiefer, D. Douglas, and L. Gilbert “Passive
keyless Entry System”, US Patent number 5319364. Assigned to
Lectron Products Inc.
[51] W. Weishaupt, “Security Installation for Motor Vehicles”, US Patent
number 4738334, Assigned to Bayerische Motoren Werke, AG.
[52] A. Wielgat, ”What’s the Frequency? Suppliers seek new applications for
RF technology”, Automotive Industries, July 2001, Randall Publishing
Co. Inc., 3200 Rice Mine Rd., N.E., Tuscaloosa, Alabama, 35406.
Page 158
147
ABSTRACT
SECURITY OF PASSIVE ACCESS SYSTEMS
by
ANSAF IBRAHEM ALRABADY
December, 2002
Advisor: Dr. Syed M. Mahmud Major: Electrical and Computer Engineering Degree: Doctor of Philosophy
A passive vehicle system for automotive applications is an evolution of
the popular remote keyless entry systems. It provides the ultimate user
comfort to access the vehicle. The user no longer needs to reach for any
form of mechanical or electronic key to gain access to the vehicle. The
vehicle recognizes an authorized user from others by the possession of a
Customer Identification Device that is kept in the user’s pocket or purse when
they approach the vehicle. While this extra level of comfort is a desirable
feature, it introduces several security weakness issues with the existing
technology. This research addresses these issues with emphasis on design
tradeoff and analysis. Solutions that meet the design goals and eliminate an
unauthorized access to the vehicle are also presented.
Page 159
148
AUTOBIOGRAPHICAL STATEMENT
ANSAF IBRAHEM ALRABADY [email protected]
Ansaf Alrabady received a Bachelor of Science degree in Electrical and Computer Engineering from Jordan University of Science and Technology, Jordan. A Master of Science degree in Computer Engineering form Wayne State University, Detroit, Michigan. Alrabady, joined TRW automotive Electronics in 1995. In his first assignment, he worked on developing software and algorithms for airbag electronic sensing module. After two years at TRW he was the lead software engineer for different projects at the research and advanced product development division. During his time at TRW, he filed over 30 patent disclosures related to vehicle safety and security. TRW has recognized his significant contribution to the vehicle safety and security through multiple awards. In 2001, Alrabady received the “Automotive Hall of Fame Young Leadership and Excellence” award, the only industry-wide means to honor the men and women of the global motor vehicle and related industries. Recently, Alrabady joined the electrical and controls integration labs at the General Motors corporation at its facility in Warren, Michigan. His main research work is related to vehicle security. PUBLICATIONS: 1. Ansaf I. Alrabady and Syed Masud Mahmud, “Some Attacks Against Vehicle’s
Passive Entry Security Systems and Their Solutions” Accepted for publication in the IEEE Transactions on Vehicular Technology.
2. Syed Masud Mahmud and Ansaf I. Alrabady, "A New Decision Making Algorithm for Airbag Control", IEEE Transaction on Vehicular Technology, Vol. 44, No 3, Aug. 1995, pp. 690-697.
3. Ansaf I. Alrabady, Syed Masud Mahmud and Vipin Chaudhary, "Placement of Resources In The Star Network," Proc. of the Internatinal Conference on Algorithms and Architectures for Parallel Processing, IEEE, June 11-13, 1996, Singapore, pp. 61-67.
4. Ansaf I. Alrabady and Syed Masud Mahmud, "Development of a Decision Making Algorithm for Airbag Control", Proceedings of the IEEE Measurement and Technology Conference, May 18-20, 1993, Hyatt Regency Hotel, Irvine, CA. pp. 81-84.
5. Ansaf I. Alrabady and Syed Masud Mahmud, “Analysis of Attacks Against the Security of Keyless Vehicles and Suggestions for Improved Designs”, Submitted for publication to the IEEE Transactions on Vehicular Technology.
6. Ansaf I. Alrabady and Syed Masud Mahmud, “A Solution of Multiple-Thief Attack Against Passive Keyless Vehicle Systems”, submitted to the 57th IEEE Semiannual Vehicular Technology Conference, April 21 – 24, 2003, Korea.
7. Ansaf I. Alrabady and Syed Masud Mahmud, “Comparative Study of Different Attacks Against the Vehicles with Keyless Entry”, submitted to the 57th IEEE Semiannual Vehicular Technology Conference, April 21 – 24, 2003, Korea.