
Source: ece.eng.wayne.edu/~smahmud/MyStudents/Dissertation_Ansaf.pdf


SECURITY OF PASSIVE ACCESS VEHICLE

by

ANSAF IBRAHEM ALRABADY

DISSERTATION

Submitted to the Graduate School

of Wayne State University,

Detroit, Michigan

in partial fulfillment of the requirements

for the degree of

DOCTOR OF PHILOSOPHY

2002

MAJOR: ELECTRICAL AND COMPUTER ENGINEERING

Approved by:

______________________________
Advisor                                   Date

______________________________

______________________________

______________________________

______________________________


© COPYRIGHT BY

ANSAF IBRAHEM ALRABADY

2002

All Rights Reserved


DEDICATION

To my family


ACKNOWLEDGMENTS

First, I would like to express my sincere thanks to my adviser, Dr. Mahmud, for his guidance throughout my dissertation and for his willingness to welcome me to his home in order to work around my hectic schedule. Also, my deep appreciation goes to his family for their warm welcome and for the time I took from them every weekend to make this work possible.

Second, my special thanks go to the people I worked with at TRW, a place of highly talented people. Thanks to David Juzswik for his motivation and for his help in selecting my research topic, Casilda de Benito and Sandra MacDonald for their continued support, and Ernie Pacsai for his confidence in me and for creating an enjoyable and challenging workplace. My thanks also go to the friends I worked with at TRW, John Duquette, Koki Mizono, Paul Lumley, Tony Cool, Dave Parent, Peter Lin, Tim Dezorzi, Tom Tracz, Jason Evens, Jerome Gholston and many others whom I learned from and enjoyed working with.

My thanks also go to my parents for their unlimited support, my brothers and sisters Ruba, Rula, Majdi Rabi, Rama and Rania for their love, and my uncle Dr. Munier Dababneh for his encouragement. Great thanks to my wife Tamara for her patience, love, support, and understanding during the long working hours at work and study.


TABLE OF CONTENTS

CHAPTER 1 - INTRODUCTION ........ 1
CHAPTER 2 - BACKGROUND MATERIAL ........ 6
2.1 CRYPTOLOGY ........ 7
2.2 REMOTE KEYLESS ENTRY ........ 10
2.2.1 Fixed Code ........ 11
2.2.2 Rolling Code ........ 11
2.2.2.1 Synchronization ........ 15
2.3 BI-DIRECTIONAL RKE ........ 17
2.4 IMMOBILIZER ........ 20
2.4.1 Fixed Code ........ 20
2.4.2 Rolling Code ........ 21
2.4.3 Password Protection ........ 22
2.4.4 Challenge Response ........ 22
2.5 PASSIVE ACCESS SYSTEM ........ 24
2.5.1 Unidirectional Link ........ 25
2.5.2 Bi-directional Link ........ 27
2.6 RANDOM NUMBER GENERATORS ........ 33
2.7 SECURITY THREAT ........ 36
2.7.1 Deterministic Approach ........ 38
2.7.1.1 Playback Attack ........ 39
2.7.1.2 Relay Attack ........ 39
2.7.2 Statistical Approach ........ 41
2.7.2.1 Scanning Attack ........ 41
2.7.2.2 Dictionary Attack ........ 42
2.7.3 Analytical Approach ........ 43
2.7.3.1 Cryptanalysis Attack ........ 44
2.7.3.2 Challenge Prediction Attack ........ 46
CHAPTER 3 - SECURITY ANALYSIS ........ 48
3.1 PLAYBACK ATTACK ........ 49
3.2 RELAY ATTACK ........ 51
3.3 CRYPTANALYSIS ATTACK ........ 53
3.4 CHALLENGE PREDICTION ATTACK ........ 56
3.4.1 External Manipulation ........ 57
3.4.2 Different Sequence for Different ECUs ........ 58
3.4.3 Statistical Requirements ........ 59
3.4.3.1 Flat Distribution ........ 60
3.4.3.2 Avalanche Effect ........ 62
3.4.3.3 Strict Avalanche Effect ........ 65
3.5 RANDOM CHALLENGE MODEL ........ 67
3.6 MEASURING SECURITY ........ 73
3.7 SCANNING ATTACK ........ 76
3.7.1 Independent Random Challenge ........ 76
3.7.2 Cyclic Random Challenge ........ 79
3.7.3 Effect of Randomization Factor ........ 82
3.8 DICTIONARY ATTACK ........ 87
3.8.1 The Devil's Advocate ........ 93
CHAPTER 4 - SOLUTIONS OF DICTIONARY AND RELAY ATTACKS ........ 98
4.1 DICTIONARY ATTACK COUNTERFEIT ........ 100
4.1.1 Use of Password ........ 100
4.1.2 Decrease Repetition Rate ........ 103
4.1.3 Mutual Authentication ........ 103
4.1.4 Enhanced Mutual Authentication ........ 106
4.2 NEW DICTIONARY ATTACK AND SOLUTION ........ 111
4.3 RELAY ATTACK ........ 113
4.3.1 Relay Solution Categories ........ 114
4.3.1.1 Repeater Detection ........ 114
4.3.1.2 Signal Corruption ........ 115
4.3.2 Feedback Solution ........ 116
4.3.3 Feedback Signal Analysis ........ 120
4.3.4 Feedback Counter Measure Attack ........ 122
4.3.5 Secure Protocol ........ 123
4.3.6 Three Thief Attack ........ 126
4.3.7 Two Power Levels Counter Measure ........ 128
4.3.8 Two Power Levels Analysis ........ 129
CHAPTER 5 - CONCLUSIONS ........ 138
CHAPTER 6 - FUTURE RESEARCH ........ 140
ABSTRACT ........ 147
AUTOBIOGRAPHICAL STATEMENT ........ 148


LIST OF TABLES

Table 1: Summary of available authentication using a bi-directional link for passive vehicle ........ 32
Table 2: Example of random numbers probability distribution and their corresponding amount of information ........ 61
Table 3: Summary of different authentication protocols and their impact on the system security and performance ........ 113


LIST OF FIGURES

Figure 1: An example of a cryptosystem data transformation ........ 8
Figure 2: Example of rolling code authentication for unidirectional RKE ........ 13
Figure 3: Sequence Counter Operation Window ........ 17
Figure 4: Example of rolling code for bi-directional RKE ........ 19
Figure 5: Communication between the vehicle and the CID ........ 28
Figure 6: Illustration of a two-thief attack problem ........ 40
Figure 7: Block diagram of a thief's repeater system ........ 51
Figure 8: A complete theft device using two repeaters ........ 52
Figure 9: Cryptanalysis attack spectrum ........ 53
Figure 10: Examples of different systems on the cryptanalysis spectrum ........ 54
Figure 11: Number of combinations for each number of bits changed ........ 65
Figure 12: Entropy vs. probability of bit change ........ 67
Figure 13: Model for random number generator ........ 68
Figure 14: F(X) for cyclic and independent random challenges ........ 81
Figure 15: F(k,n,m) for different system parameters ........ 84
Figure 16: F(X) for dictionary attack with different dictionary size ........ 92
Figure 17: Password protection authentication process ........ 101
Figure 18: Mutual authentication challenge ........ 104
Figure 19: Vehicle processing to a received challenge in a mutual authentication protocol ........ 105
Figure 20: Challenge block diagram ........ 108
Figure 21: Enhanced mutual authentication flowchart ........ 109
Figure 22: Communication between the vehicle and the CID using a unidirectional LF link and a bi-directional RF link ........ 116
Figure 23: Communication between the owner and the vehicle with the two thieves in the loop ........ 118
Figure 24: The feedback loop between Thief-1 and Thief-2 ........ 121
Figure 25: Communication protocol for the solution ........ 124
Figure 26: Encryption of the Communication Protocol ........ 125
Figure 27: Positions of the thieves, the CID and the vehicle in a three-thief attack problem ........ 127
Figure 28: Positions of Thief-1, Thief-3 and the vehicle ........ 133


CHAPTER 1

INTRODUCTION

The use of keyless entry for automotive applications has grown rapidly since it was introduced as a numerical keypad on the exterior of the vehicle's door. In the early version, the user was required to enter a Personal Identification Number (PIN) as proof of identity before being allowed access to the vehicle's compartment. The numerical keypad provides some level of user comfort. It was most appreciated by those involved in sports activities, since they do not want to carry a mechanical key and yet want to access their vehicles. While the numerical keypad provides some comfort to certain people, it did not provide the desired comfort level for normal day-to-day use. In addition, the level of security provided by such a system was unacceptable for automotive use.

As the technology moved forward, a more desirable type of keyless entry system known as Remote Keyless Entry (RKE) was introduced. Unlike the numerical keypad, which was based on knowledge of a PIN to gain access to the vehicle, the RKE system is based on possession of a portable transmitter. RKE systems have been in production for over twenty years. They have become such a desirable convenience feature that they are standard on many of today's vehicles. The system mainly consists of two units: a portable transmitter known as the fob, and a receiver connected to a control unit installed in the vehicle. When a user attempts to access his vehicle, he presses one of the several buttons available on the fob. In response to the button press, the fob transmits a message. The message contains a function code and an identification code. Every transmitter has a unique identification code stored in its memory at manufacturing time. The same identification code is also stored in the vehicle's memory. If the vehicle is within the fob's transmission range, the control unit in the vehicle receives the fob's transmitted message. The vehicle then compares the received identification code with the one stored in its memory. If the received identification code matches the stored identification code, the vehicle recognizes the message as a valid message. In response to a valid message, the vehicle generates the appropriate signals to perform the function requested by the function code. Remote functions include door lock, unlock, trunk open, panic, and remote engine start.

The search for other types of keyless entry to improve user comfort and security continues in different technological fields. The objective is to increase the user's comfort in accessing the vehicle while at the same time preventing any unauthorized access. Some of the technologies investigated use biological attributes as the method of authentication. These attributes include fingerprints, voice, and vision. While these methods are promising for proving the user's identity, the cost and reliability of such technology are still far from acceptable for automotive use.

Although RKE systems have enhanced user convenience, the user still has to reach for the fob and physically press a button to unlock the vehicle. This level of user interface is not convenient for users with their hands full of groceries or for someone who is rushing to enter the vehicle. To eliminate the need for the user to reach for the fob and press a button, a more sophisticated type of keyless entry system has recently been introduced to the market [8],[38]. The system is a hands-free or passive system. A user no longer needs to search for a mechanical key or a fob to unlock the vehicle. The vehicle identifies authorized users through possession of a CID that is carried in their pocket or purse. The CID is a credit-card-like or fob-like device. When a user tries to access the vehicle (doors, trunk, or ignition), the vehicle sends an interrogation message. If an authorized CID is within the transmission range of the interrogation message, the CID responds to the vehicle with an identification code. The vehicle checks the received identification code to verify the user's identity. The communication between the vehicle and the CID, the verification process and the unlocking process all have to be completed in a short enough period of time that a normal door handle lift will not cause a mechanical lock jam or interference.

While the main objective of the passive entry system is to provide the user with a high level of convenience, the system must also meet or exceed the security of current RKE. One of the greatest technical challenges in designing a secure system is the communication protocol between the CID and the vehicle. The protocol has to meet the communication timing imposed by the system requirements. A fast protocol is important to ensure that the vehicle will unlock before the door handle reaches its full travel, or a mechanical jam may occur. Other challenges in designing the protocol include, but are not limited to, support for multiple CIDs on the same vehicle, synchronization between the CID and the vehicle, programming and deprogramming a new CID in case of a lost or stolen CID, and most importantly vehicle security.

On the security side, the battle between the system designers and the system attackers is an ongoing process. It is an unfortunate and unfair battle for the system designers. System designers are considered successful if they design a system that is secure against any possible attack. On the other side, system attackers are considered successful if they find just one method to break the system. This leaves a huge burden on the system designers. They have to think not only as system designers, but also as system attackers. Their job goes beyond the system design to identifying all possible methods to break the system, regardless of whether these methods are available today or may be developed in the future.

It is important on one hand to recognize the fact that there are criminal organizations that have the skills and capability to design and build electronics to attack RKE and passive access systems. On the other hand, a highly secure system might be cost prohibitive for automotive use. For these reasons, analyzing the different security threats against the system is a crucial part of meeting the overall system requirements and design tradeoffs.

Security consideration is important at an early stage of the system design phases. Adding security after the system design may be expensive and difficult to implement. Design for security can be split into three different steps. First, identify the different security weaknesses and possible threats against the system. Second, analyze and measure each of the security threats identified and its impact on the overall system design. Third, provide a solution based on the analysis that balances the security aspect against the other system design parameters. It is the objective of this research work to go through these three steps in order to provide a reliable and secure system for passive access vehicles.

This dissertation is organized in six chapters. Chapter 1 is an introduction. Background material is presented in Chapter 2. This material includes an overview of cryptology, currently available systems in the vehicle for access and security, and identification of the security threats against the passive access system. Analysis of different attacks, security measures and the random challenge model is presented in Chapter 3. Solutions to the dictionary and relay attacks are given in Chapter 4. Conclusions are presented in Chapter 5, and future research directions are presented in Chapter 6.


CHAPTER 2

BACKGROUND MATERIAL

The passive access system for vehicles is a new technology. A secure and reliable communication protocol for passive vehicle access systems is still under development. Several authentication protocols have been investigated in the past for other systems in the vehicle. Systems such as RKE and the immobilizer are rapidly evolving to increase user convenience and vehicle security. It is important to understand how these systems work. What are the existing security weaknesses of these systems? What kinds of security measures have been implemented to prohibit unauthorized access? What are the different variations? Understanding the current technology and the challenges involved provides valuable guidance toward the development of a secure and reliable protocol for the passive access system.

This chapter is divided into seven sections. An overview of the use of cryptology in information security is presented in Section 2.1. Available communication protocols and authentication techniques for unidirectional and bi-directional RKE are shown in Section 2.2 and Section 2.3, respectively. Several authentication methods used in the immobilizer system are shown in Section 2.4. Communication links for the passive access system between the vehicle and the CID are presented in Section 2.5. The random number generator is one important component of the authentication protocol. An overview of random number generators is shown in Section 2.6. Different security threats against the passive access system are presented in Section 2.7.

2.1 CRYPTOLOGY

Cryptology is the field of mathematics that deals with information security. It consists of two branches, cryptography and cryptanalysis. The people who practice cryptography are called cryptographers, while the people who practice cryptanalysis are called cryptanalysts. Cryptographers' main objective is to build a cryptosystem that secures information communicated over a public channel (e.g. wireless communication). Cryptanalysts represent the enemy side; their main mission is to break the security of the communicated information.

A cryptosystem normally consists of an encryption algorithm and a matching decryption algorithm. An encryption algorithm, represented by E(), is a mathematical transformation that takes a plaintext P and produces a ciphertext (encrypted text) C using an encryption key KE. A decryption algorithm, represented by D(), is a mathematical transformation that takes a ciphertext C and produces the plaintext P using a decryption key KD. The encryption key KE and the decryption key KD may have the same value or they may have different values. This mainly depends on the encryption and decryption algorithms used. For simplicity of illustration, we use the same symbol for both encryption and decryption keys (i.e. KE = KD = K). Figure 1 shows the information transformation.

Figure 1: An example of a cryptosystem data transformation. The plaintext P is transformed by E_K(P) into the ciphertext C using the key K, and C is transformed back into P by D_K(C) using the same key K.

Different encryption algorithms provide different degrees of security. While some algorithms maintain their security by keeping the details of the encryption and decryption transformations secret, other algorithms are available to the general public. The security of a public domain algorithm is maintained in the encryption and decryption keys. The encryption and decryption keys are assigned at a later phase in the design process. Public domain algorithms are available to the general public for review, analysis, and use. Their strength is drawn from the complexity of calculating the inverse of the algorithm without knowing the key. The use of public domain algorithms provides a system that is secure by design, not by trust. The system maintains its security without concern for any type of threat against the system. One example of such a threat may come from a member of the design team who was frustrated and left the organization. A second example may come from criminal organizations with advanced technology in reverse engineering. They may have the power and tools to read and disassemble the ROM content. Even though some processors provide a security bit against reading the ROM once it is programmed, several techniques are available to erase the security bit on some of the known processors [2].

The strength of an encryption algorithm is normally measured by the time and space complexity needed to break the encryption algorithm. The phrase "break the algorithm" means to find a method to recover either the plaintext or the encryption key that has been used. From a mathematical point of view, an encryption algorithm may be classified as follows:

i) Unconditionally secure: The encryption algorithm is said to be unconditionally secure if the amount of information available to the outside is insufficient to figure out the encryption and decryption transformation. This is true regardless of the amount of time and tools available to a cryptanalyst. Encryption algorithms that are based on one-time-pad [19] techniques belong to this category. In this technique a different encryption key is used every time the system is used. Of course, the sequence of encryption keys has to be known to both communicating parties ahead of time. This might not be possible for all systems, or it might be as difficult as sending the messages themselves.

ii) Mathematically insecure: The encryption algorithm is said to be mathematically insecure if the encryption algorithm can be broken in a short period of time. By a short period of time, we mean that the value of the information obtained in that short period of time is much more than the cost and effort involved in breaking the algorithm.

iii) Mathematically secure: The encryption algorithm is said to be mathematically secure if the time required to break the algorithm is much more than the value of the information obtained. The development of new technology always tends to replace the old. In general, information communicated over a public channel will have less value in the future than its current value. If the amount of time and cost needed to break an encryption algorithm is more than the future value of the information obtained, we say that the algorithm is mathematically secure.
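To make the E()/D() notation of Section 2.1 and the one-time-pad classification above concrete, here is an added Python example; it is not code from the dissertation. It implements the pad as a bytewise XOR with a key K as long as the plaintext, so that KE = KD = K, and shows two properties the text states: a single-use pad is unconditionally secure because any candidate plaintext of the same length is consistent with the ciphertext under some key, and the "different key every time" requirement is essential because reusing a pad cancels K out of the XOR of two ciphertexts. The function and variable names are my own.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def E(K: bytes, P: bytes) -> bytes:
    """Encryption transformation C = E_K(P): one-time pad, XOR with a key as long as P."""
    return xor_bytes(K, P)


def D(K: bytes, C: bytes) -> bytes:
    """Decryption transformation P = D_K(C). For the pad, K_E = K_D = K and D is the same XOR."""
    return xor_bytes(K, C)


def new_pad(n: int) -> bytes:
    """A fresh key for one message; a new pad must be drawn for every message."""
    return secrets.token_bytes(n)


def round_trip(P: bytes) -> bool:
    """D_K(E_K(P)) == P with a fresh pad."""
    K = new_pad(len(P))
    return D(K, E(K, P)) == P


def consistent_key(C: bytes, P_candidate: bytes) -> bytes:
    """Unconditional security: for any candidate plaintext of the right length there is a
    key K' with D_K'(C) == P_candidate, so C alone tells an observer nothing about which
    P was actually sent."""
    return xor_bytes(C, P_candidate)


def pad_reuse_cancels_key(P1: bytes, P2: bytes) -> bool:
    """Why the key must change every time: with the same K for two messages,
    C1 XOR C2 == P1 XOR P2, and K no longer protects anything."""
    K = new_pad(len(P1))
    C1, C2 = E(K, P1), E(K, P2)
    return xor_bytes(C1, C2) == xor_bytes(P1, P2)
```

With the pad the ciphertext has exactly the length of the plaintext, which is also why a pad of the right size must be agreed on ahead of time: the key distribution problem the text points out.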

2.2 REMOTE KEYLESS ENTRY

The communication protocol for RKE systems has been under development since it was first introduced in the early 1980s [9]. Most of the current RKE systems available on the market are based on unidirectional communication links. The communication starts when one of the fob buttons is pressed. The fob sends a digital signal message that is received by a controller mounted inside the vehicle. Two major variations of RKE authentication that use a unidirectional communication link exist. These are described in the following two subsections.

2.2.1 FIXED CODE

In the early version of RKE, the message contains a fixed identification code (ID) and a function code. The function code defines the user's intent to lock or unlock the vehicle. The fixed ID code is intended to discriminate between different fobs programmed for different vehicles. When the vehicle receives the message, it compares the received ID code with the ID stored in the vehicle's memory. If the IDs match, the vehicle then executes the user's request as defined by the function code bits. A fixed code system is vulnerable to several attacks. The most widely known attack is the code grabbing or playback attack [31]. A thief with a radio receiver can learn or record the digital signal message when it is transmitted by an authorized fob. He can then play back the recorded message to gain unauthorized access to the vehicle while the user is not around.

2.2.2 ROLLING CODE

To improve system security against the playback attack, recent RKE systems use a cryptographic rolling code protocol. The protocol is based on changing the transmitted message every time a fob button is pressed. Once the vehicle has accepted a message, it will not accept the same message again until a very large number of valid transmissions have occurred. The technique is based on a sequence counter that is stored in both the vehicle and the fob and initialized to the same value at manufacturing. The sequence counter is incremented according to a predefined algorithm every time a fob button is pressed. The new sequence counter value is stored in place of the previous value and then transmitted to the vehicle. When the vehicle receives the transmitted message, it retrieves its own copy of the sequence counter from memory and runs a verification process before authenticating the message. To keep the system reliable when the fob buttons are pressed while the fob is outside the vehicle's reception range, the protocol implements a synchronization mechanism. Synchronization between the fob and the vehicle is described in more detail in Section 2.2.2.1.

For example, one of the techniques used in rolling code is shown in

Figure 2. The fob serial number is a unique number assigned to each fob at

manufacturing time. The serial number is stored in the vehicle memory when

the fob is programmed for the vehicle. Similarly, each fob is assigned an

encryption key and an initial value to the sequence counter. The encryption

key and the sequence counter are stored in the vehicle memory during the

learning process. Since it is possible to have multiple fobs programmed for

the vehicle, the vehicle maintains a memory block for each fob. Each block

consists of three components, a serial number, an encryption key, and a

sequence counter.


[Figure 2: block diagram. Upper part, basic fob operation: the fob memory holds a serial number, an encryption key and a sequence counter; the encryption algorithm takes the key and the sequence counter and produces the encrypted field; the transmitted message is the encrypted field, the serial number and the pressed button. Lower part, basic vehicle operation: the vehicle memory holds the same three items for each fob; the received serial number is matched against memory (step 1), the decryption algorithm recovers the sequence counter (step 2), the counter is matched against the stored one (step 3) and, on a match, the request is processed (step 4).]

Figure 2: Example of rolling code authentication for unidirectional RKE

Figure 2 shows two main sections. The upper section represents the

fob operation when a button is pressed. The fob sends a message that

consists of an encrypted field, a fob serial number, and information about the

button pressed. The lower section in the figure represents the vehicle

operation as it receives a transmitted message from the fob.


When the fob button is pressed, the fob controller reads the sequence

counter, increments the sequence counter by one (not shown in the figure),

and stores the result back in place of the previous value. The incremented

sequence counter is then used as one input to the encryption algorithm. The

encryption algorithm reads the encryption key from the memory and encrypts

the sequence counter. The output is an encrypted field that is sent to the

vehicle along with the fob serial number and button press information.

When the vehicle receives the message, it performs the following

steps to verify the authenticity of the received message.

1. Compares the received fob serial number with the serial number in every memory block stored in memory. If a match is found, the content of the corresponding memory block is used for further processing and the vehicle proceeds to Step 2. If the received serial number does not match any of the stored serial numbers, the vehicle identifies the message as invalid.

2. Decrypts the received encrypted field using the encryption key from the memory block with the matching serial number. The result is the decrypted sequence counter.

3. Compares the decrypted sequence counter (from Step 2) with the stored sequence counter from the corresponding memory block. If the received sequence counter has a newer value within a predefined window, shown as a match in the figure, the vehicle identifies the message as valid and updates the stored sequence counter with the received value. This concludes the authentication process, and the vehicle proceeds to Step 4. A received counter equal to or older than the stored one is rejected; this is what defeats the playback attack.

4. Translates the button press information and commands the appropriate hardware to execute the requested function, i.e. door lock, unlock, etc.

Several variations of this technique are possible. One implementation includes the button press information as part of the encrypted field. Another uses a fixed discriminator in addition to the sequence counter and button press information in the encrypted field [34]. Adding a discriminator to the encrypted message increases the number of possible combinations, which reduces the risk of attacks such as the scan attack discussed in a later section. When the vehicle receives the message and decrypts its content, it verifies that the discriminator field matches the one stored in memory. If they match, the vehicle then tests the sequence counter value according to the procedure described earlier.

2.2.2.1 SYNCHRONIZATION

The fob buttons may accidentally be pressed while the fob is beyond the vehicle's reception range. In this case the sequence counter is updated in the fob only, so the fob's sequence counter will not match the vehicle's sequence counter at the next button press. This is known as the synchronization problem.

To solve the synchronization problem, the vehicle defines an operation window (OW) for the sequence counter value. The OW is the set of next consecutive values following the sequence counter stored in the vehicle's memory: the counts that are greater than the current value of the sequence counter but less than the current value plus the OW size. The comparison is made on the difference between the received and stored values, treated as a signed quantity, so that it remains correct when the counter overflows after reaching its maximum value. If the received sequence counter is within the OW, the vehicle accepts the message. The OW is updated for every valid message received, simply by storing the received sequence counter in place of the current value in memory. If the received sequence counter is beyond the OW, due to multiple presses of the button, the vehicle rejects the message as invalid. Figure 3 illustrates the sequence counter OW.

[Figure 3: a number line of sequence counter values in the increment direction. The vehicle's current sequence counter value marks the start of the OW; values inside the OW are valid sequence counters, values at or before the current value and values beyond the OW are invalid.]

Figure 3: Sequence Counter Operation Window

More sophisticated synchronization mechanisms are also available if

the fob button is accidentally pressed a number of times beyond the OW.

One solution is based on the reception of two consecutive valid messages for

re-synchronization to occur [35].
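The rolling code procedure of Section 2.2.2 (Steps 1 to 4), the operation window with counter wrap-around of Section 2.2.2.1, and the two-consecutive-message re-synchronization just mentioned, as an added example in Python that is not part of the dissertation. The dissertation does not name the encryption algorithm; a four-round Feistel network with an HMAC-SHA256 round function stands in for it here as an assumed, invertible keyed permutation over a 32-bit counter. The window sizes (OW = 16, a larger re-synchronization range), the counter width, the serial numbers and the keys are assumptions made for the demonstration.

```python
"""Rolling-code RKE: the fob increments and encrypts a counter; the vehicle
decrypts it and checks it against an operation window (OW) with wrap-around,
falling back to a two-consecutive-message re-synchronization beyond the OW."""
import hashlib
import hmac
import secrets

MASK = (1 << 32) - 1   # 32-bit sequence counter (width is an assumption)

def _round(key, rnd, half):
    # Keyed round function: HMAC-SHA256 of (round number, 16-bit half), truncated.
    mac = hmac.new(key, bytes([rnd]) + half.to_bytes(2, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:2], "big")

def encrypt(key, counter):
    # Four-round Feistel network over the 32-bit counter: stand-in for the
    # dissertation's unnamed block cipher (assumption), invertible for any key.
    left, right = counter >> 16, counter & 0xFFFF
    for rnd in range(4):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << 16) | right

def decrypt(key, block):
    # The same rounds in reverse order undo encrypt().
    left, right = block >> 16, block & 0xFFFF
    for rnd in reversed(range(4)):
        left, right = right ^ _round(key, rnd, left), left
    return (left << 16) | right

class Fob:
    def __init__(self, serial, key, counter=0):
        self.serial, self.key, self.counter = serial, key, counter

    def press(self, button):
        # Increment, store, then encrypt the new counter (Figure 2, fob side).
        self.counter = (self.counter + 1) & MASK
        return {"serial": self.serial, "button": button,
                "enc": encrypt(self.key, self.counter)}

class Vehicle:
    OW = 16            # operation window size (assumed)
    RESYNC = 1 << 15   # range in which two consecutive counters re-sync (assumed)

    def __init__(self):
        self.blocks = {}   # serial number -> memory block (key, counter, pending)

    def learn(self, fob):
        self.blocks[fob.serial] = {"key": fob.key, "counter": fob.counter, "pending": None}

    def receive(self, msg):
        blk = self.blocks.get(msg["serial"])
        if blk is None:                                     # Step 1: unknown serial
            return "invalid: unknown serial"
        ctr = decrypt(blk["key"], msg["enc"])               # Step 2
        delta = (ctr - blk["counter"]) & MASK                # Step 3: modular distance,
        if 0 < delta <= self.OW:                            # so counter overflow is handled
            blk["counter"], blk["pending"] = ctr, None
            return "ok: " + msg["button"]                   # Step 4: execute the request
        if 0 < delta <= self.RESYNC:
            # Beyond the OW: accept only on two consecutive counter values.
            if blk["pending"] is not None and ctr == ((blk["pending"] + 1) & MASK):
                blk["counter"], blk["pending"] = ctr, None
                return "ok (resynchronized): " + msg["button"]
            blk["pending"] = ctr
            return "invalid: beyond OW, waiting for consecutive message"
        blk["pending"] = None
        return "invalid: replay or out of range"            # delta == 0 or an old value

def demo():
    # Legitimate press, replay of it, presses out of range but inside the OW,
    # then a long run out of range that needs re-synchronization.
    fob = Fob(serial=0x1234, key=secrets.token_bytes(16), counter=5)
    car = Vehicle()
    car.learn(fob)
    first = fob.press("unlock")
    results = [car.receive(first), car.receive(first)]      # accepted, then replay
    for _ in range(Vehicle.OW - 1):
        fob.press("lock")                                   # pressed out of range
    results.append(car.receive(fob.press("lock")))          # delta == OW: accepted
    for _ in range(100):
        fob.press("lock")                                   # far beyond the OW
    results.append(car.receive(fob.press("unlock")))        # first of two: rejected
    results.append(car.receive(fob.press("unlock")))        # consecutive: re-synced
    return results

def wraparound_case():
    # The counter overflows from its maximum back to zero; the OW check still holds.
    fob = Fob(serial=0x0042, key=secrets.token_bytes(16), counter=MASK - 2)
    car = Vehicle()
    car.learn(fob)
    for _ in range(3):
        fob.press("lock")                                   # MASK-1, MASK, then 0
    return car.receive(fob.press("unlock"))                 # counter 1, delta 4
```

The modular difference replaces the dissertation's "signed comparison": it is zero for a replay, small and positive for a fresh press, and large (an "old" value) for anything behind the stored counter, whether or not the counter has wrapped. The re-synchronization branch stores the first out-of-window counter as pending and only moves the stored counter forward when the very next message carries pending + 1, so a single grabbed message far ahead of the window never opens the vehicle on its own.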

2.3 BI-DIRECTIONAL RKE

Bi-directional communication protocols for RKE, also known as Two-Way RKE [9], have been investigated in the past. Two-Way RKE gives the user feedback on the status of the vehicle. This feedback adds value to the system, especially for functions such as remote engine start or vehicle intrusion alerts.

One communication protocol for bi-directional RKE is presented in [41]. The communication starts when the user presses one of the fob buttons. Initially both controllers, in the fob and in the vehicle, are in a low power consumption mode, also known as sleep mode. When the user presses a button on the fob, the fob wakes up from sleep mode and sends an initial message consisting of a wake up signal and a fob identification code. The wake up signal wakes all vehicles within the fob's transmission range from their sleep mode. The fob identification code is unique to each fob manufactured. Each vehicle that wakes up compares the received fob identification code against the one initially stored in its memory. Vehicles that woke up but have no matching fob identification code go back to sleep. The vehicle with a matching code then engages the fob in a sequence of steps to verify that the fob is genuine. The authentication process is shown in Figure 4 and can be summarized as follows:

1. After the vehicle validates the identification code, it generates a

random challenge. The random challenge is then transmitted to the

fob. At the same time the vehicle encrypts the random challenge

using the same encryption key stored in the fob. The vehicle saves

the encrypted output of the random challenge as the “expected-

response”.

2. When the fob receives the random challenge, it encrypts the

challenge. The encrypted challenge is then transmitted as the

challenge-response.

3. When the vehicle receives the challenge-response, it compares the

challenge-response against the expected-response calculated in step

1. If the two match, the vehicle then identifies the fob as a valid fob.

[Figure 4: flow chart. Fob operation: fob button pressed, transmit initial code, receive random challenge, encrypt random challenge, send encrypted challenge, sleep. Vehicle operation: wakeup circuit, generate random challenge, send random challenge and encrypt it locally, receive encrypted challenge (or time out and go back to sleep), compare; on a match the fob is valid, otherwise invalid.]

Figure 4: Example of rolling code for bi-directional RKE


2.4 IMMOBILIZER

The immobilizer system provides the vehicle with an additional level of security. Its main function is to electronically verify the key when it is inserted in the ignition cylinder. The verification must be completed before the engine is allowed to start. To distinguish a valid key from others, a batteryless Radio Frequency Identification Device (RFID), known as a transponder, is embedded in the head of the key. The ignition cylinder is equipped with a loop antenna that communicates with the transponder via a Low Frequency (LF) magnetic field. When the user inserts the key in the ignition cylinder, the authentication protocol runs between the loop antenna and the transponder. The authentication protocol for the immobilizer system has gone through several development stages, and different types of transponders are required to support each protocol [12]. The protocols provide different security levels, summarized in the following four subsections.

2.4.1 FIXED CODE

Fixed code is based on a read-only transponder [21]. Each transponder has an ID stored in its memory. The vehicle learns the ID when the key is assigned to the vehicle. When the user inserts the key in the ignition, the vehicle generates an interrogation field to read the fixed code from the transponder and compares the received code with the one in its memory. If the two codes match, the vehicle recognizes the key as valid and authorizes the engine to start. Two types of fixed code transponders are presented in [12], differing in flexibility and security level. One type is based on a unique ID assigned to each transponder at manufacturing time. The other type is based on a write-once transponder, which lets anyone with a read/write device duplicate the key without needing the vehicle. This makes key duplication more flexible, but it is a problem if that someone belongs to a criminal group that had access to the key during valet parking or vehicle service. As with fixed code RKE, the code read from the transponder is the same on every use, so whoever reads it once has everything needed to emulate it.

2.4.2 ROLLING CODE

A rolling code system provides a higher level of security than the fixed code transponder. It is based on a read-write transponder: the vehicle controller can both read and write the transponder's memory. It works like the fixed code scheme except that the transponder sends a new code to the vehicle every time the key is placed in the ignition cylinder. The new code was uploaded to, and stored in, the transponder memory during the previous ignition cycle. Though a rolling code immobilizer provides a higher level of security than fixed code, it is more expensive, and it requires a synchronization method for the case where the write to the transponder failed during the previous ignition cycle.


2.4.3 PASSWORD PROTECTION

In this type of authentication the transponder is protected by a password. The transponder requires the reader to send the password every time the reader requests the transponder ID. If the reader sends the correct password, the transponder responds with its ID code. This is a simple mutual authentication: both parties have to identify themselves. Though this type of authentication provides a higher level of security than the fixed code, it is still vulnerable to attack. An intruder with read-capable equipment could read the vehicle's password and the transponder ID during valet parking or vehicle service. He could then build an emulation circuit that ignores the password sent by the vehicle and always responds with the transponder ID code. Because both the password and the ID are static and sent in the clear, one observed exchange is sufficient.

2.4.4 CHALLENGE RESPONSE

Challenge response, also known as Identify Friend or Foe (IFF) [35],[36], or digital signature [11],[12], provides a more secure and reliable protocol. The protocol is based on cryptography. Typically, the transponder has an encryption algorithm built into it, and the same algorithm is implemented in the vehicle. The vehicle's controller and the transponder share the same encryption key, which is initially stored in their memory. The protocol starts when the user places the key in the ignition cylinder: the vehicle sends an interrogation message that contains a random number, called the challenge or the question. The transponder encrypts the challenge and sends the result back to the vehicle; this is normally referred to as the challenge-response or the answer. While the vehicle is waiting for the response, it calculates the expected response using the same encryption key as the transponder. If the received response matches the expected response, the vehicle identifies the key as valid. To ensure security, the vehicle sends a new random challenge every time the key is inserted in the ignition cylinder, so that a recorded answer is useless for any later interrogation.

One of the requirements for the immobilizer system is to support multiple keys for the same vehicle. In this case the vehicle has to calculate the expected response for each transponder programmed in the system, because each transponder might be programmed with a different encryption key and the vehicle does not know which transponder is being used during that ignition cycle. Calculating all possible responses may have security issues as well as increasing the system response time. One approach is to program all transponders with the same encryption key, so that one response is expected from all transponders. This may be an issue if one of the transponders is lost, since the shared key cannot be revoked for the lost key alone. A different approach is to have the transponder identify itself before the challenge is sent; the vehicle then looks up the corresponding encryption key to calculate the expected response. This is very similar to the bi-directional RKE protocol described earlier.
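The challenge-response exchange of this section and of the Two-Way RKE protocol of Section 2.3, with the identify-first key lookup just described, as an added example in Python that is not part of the dissertation. The dissertation does not specify the encryption algorithm; HMAC-SHA256 stands in for it here, on the assumption that the vehicle only needs to recompute the response, never invert it. The identification codes, the keys and the 8-byte challenge length are assumptions. The example also shows what the fresh random challenge buys: an eavesdropper who records one complete exchange cannot replay it, unless the vehicle is broken and reuses a fixed challenge.

```python
"""Challenge-response key authentication: the vehicle sends a fresh random
challenge, the transponder (or fob) returns a keyed transformation of it,
and the vehicle compares that with its own expected response."""
import hashlib
import hmac
import secrets

def respond(key, challenge):
    # Keyed transformation of the challenge; HMAC-SHA256 stands in for the
    # dissertation's unspecified encryption algorithm (assumption).
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]

class Transponder:
    def __init__(self, ident, key):
        self.ident, self.key = ident, key

    def answer(self, challenge):
        return respond(self.key, challenge)

class Vehicle:
    def __init__(self):
        self.keys = {}            # identification code -> encryption key

    def learn(self, transponder):
        self.keys[transponder.ident] = transponder.key

    def authenticate(self, transponder, rng=secrets.token_bytes):
        # Identify first: an unknown code is ignored (the vehicle goes back to sleep).
        key = self.keys.get(transponder.ident)
        if key is None:
            return False
        challenge = rng(8)                                  # step 1: random challenge
        expected = respond(key, challenge)                  # expected-response
        response = transponder.answer(challenge)            # step 2: the answer
        return hmac.compare_digest(expected, response)      # step 3: constant-time compare

class Eavesdropper:
    # Sits on the link, forwards to the genuine key and records the last exchange.
    def __init__(self, genuine):
        self.genuine, self.ident, self.recorded = genuine, genuine.ident, None

    def answer(self, challenge):
        self.recorded = (challenge, self.genuine.answer(challenge))
        return self.recorded[1]

class Replayer:
    # Emulator with no key: replays one recorded response to any challenge.
    def __init__(self, ident, recorded):
        self.ident, self.recorded = ident, recorded

    def answer(self, challenge):
        return self.recorded[1]

def demo():
    car = Vehicle()
    key_a = Transponder(0xA1, secrets.token_bytes(16))
    key_b = Transponder(0xA2, secrets.token_bytes(16))     # second key with its own secret
    car.learn(key_a)
    car.learn(key_b)
    out = {"key_a": car.authenticate(key_a), "key_b": car.authenticate(key_b)}
    out["unknown_id"] = car.authenticate(Transponder(0xFF, secrets.token_bytes(16)))
    out["right_id_wrong_key"] = car.authenticate(Transponder(0xA1, secrets.token_bytes(16)))
    tap = Eavesdropper(key_a)
    car.authenticate(tap)                                   # attacker observes one session
    out["replay_fresh_challenge"] = car.authenticate(Replayer(0xA1, tap.recorded))
    fixed = lambda n: bytes(n)                              # broken vehicle: constant challenge
    car.authenticate(tap, rng=fixed)
    out["replay_fixed_challenge"] = car.authenticate(Replayer(0xA1, tap.recorded), rng=fixed)
    return out
```

Two things in the vehicle side are worth keeping even in a firmware port: the key is selected by the identification code before the challenge is issued, so the vehicle computes exactly one expected response regardless of how many keys are enrolled, and the comparison uses a constant-time compare so that response timing does not leak how many bytes of the answer were right.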

It is worth mentioning at this point that the immobilizer system is one of several applications based on RFID technology. Other applications of RFID technology, such as automatic retail fueling systems [45], smart labels for baggage, security access control, and many others, are available on the market or have been advertised [46].

2.5 PASSIVE ACCESS SYSTEM

The passive access system was introduced to the market as a convenience feature. It eliminates the user's need to reach for a fob or a mechanical key to access the vehicle. Users are not required to take any action to identify themselves to the vehicle: the vehicle automatically distinguishes an authorized user from others by possession of a CID, and any user who carries an authorized CID is recognized as authorized. Since the passive access system is installed on more than one vehicle, each vehicle must recognize a uniquely coded CID. This requires a communication protocol to take place before any access to the vehicle, whose main purpose is to validate the identity of the CID held by the user. One of the major problems in a passive access system is how to start and establish the communication between the CID and the vehicle. Several techniques were investigated to establish the communication without user interaction. One technique is to have the CID transmit an access code message continuously. When the CID is within the vehicle's reception range, the vehicle receives the message, and if the access code in the message is valid, the vehicle unlocks the doors. This technique requires a unidirectional communication link from the CID to the vehicle. CID battery consumption and security are the major concerns with this technique. The unidirectional link is investigated in more detail in Section 2.5.1. A different technique is to have the vehicle continuously send an interrogation message. A CID within range of the vehicle's interrogation message responds with an access code, and if the access code is valid, the vehicle unlocks the doors. This technique requires a bi-directional communication link between the CID and the vehicle. The bi-directional link is investigated in detail, with different trigger mechanisms, in Section 2.5.2.

2.5.1 UNIDIRECTIONAL LINK

The first passive keyless entry system was introduced on the 1993 Corvette [42]. It was designed and patented by Lectron Products [49],[50]. Lectron's system was based on a unidirectional communication link from the CID to the vehicle. The CID continuously transmits an access code message while a user is carrying it. To reduce the power consumption of the CID battery, a motion sensor is integrated inside the CID. In this system, the CID can be in one of two states:

Active state: In this state, the CID continuously transmits access code messages. The CID enters this state when the motion sensor detects motion.

Sleep state: The CID enters this state when it is stationary. In this state, the CID stops transmitting any messages in order to save power.


A user walking with a CID causes the motion sensor to trigger the CID to send its access code message. If the user is walking toward his vehicle, the vehicle receives the CID's message, and if the message is valid, the vehicle unlocks the doors. In addition to the transparent unlocking feature, the system is capable of automatically locking the vehicle when the CID's message has not been received within a predefined time window. There are several problems with this technique:

i) If the user accidentally leaves the CID inside the vehicle, the user may be locked out. Worse, intruders may shake the vehicle so that the motion sensor makes the CID transmit its access code message; the vehicle then unlocks the doors and lets the intruders in.

ii) Since the CID transmits continuously while the user is moving, power consumption of the CID's battery remains an issue.

iii) Collisions between signals may occur when multiple CIDs are moving. The vehicle may then deny access because the received signal is corrupted by the collision. This situation may occur, for example, when a user and spouse, each carrying a different CID, approach their vehicle, or in a sports arena parking lot where everybody is walking toward his or her vehicle at the same time.

iv) A thief can easily break the security of the system by grabbing the code transmitted by the CID and playing it back next to the vehicle when the authorized user is not around.

2.5.2 BI-DIRECTIONAL LINK

Even though Lectron's system gives the user a transparent mechanism to access the vehicle, its security and reliability issues remain major concerns. Additionally, the system still requires the user to reach for a key to start the engine. To give the user additional security and comfort, the Mercedes S-Class introduced a different type of passive keyless system [8],[33],[52]. As in the Corvette system, the Mercedes system requires the user to carry a CID as proof of identity. When a user tries to open the vehicle's doors or trunk, or to start the engine, by pulling a door handle or pressing a button on the vehicle, the vehicle sends an interrogation message. If an authorized CID is present within the vehicle's operating range, the CID responds with an access code message. After receiving a valid access code message from the CID, the vehicle performs the operation matching the trigger source: for example, it unlocks the door if the door handle was pulled, or starts the engine if a button was pressed inside the vehicle.

Different mechanisms have been investigated to initiate the interrogation message. One approach is to use a mechanical switch installed in the door handle assembly. The triggering switch could be a push button [15], integrated with the door handle [51], or a touch-sensitive switch [16]. A second approach is an infrared movement detector positioned in the door handle region [28]. A third approach is to send the interrogation message continuously, to recognize the presence or absence of an authorized user and automatically lock or unlock the vehicle [48]. The generic term "vehicle trigger" is used throughout this dissertation for any of the mechanisms that start the communication from the vehicle side.

Regardless of the triggering mechanism, the communication protocol starts from the vehicle side. The vehicle starts the communication by transmitting an interrogation message, and a CID within the vehicle's transmission range responds with a message. The interrogation message is sent via a Low Frequency (LF) magnetic field link, and the CID sends its response via a Radio Frequency (RF) signal. The communication links between the vehicle and the CID are shown in Figure 5.

[Figure 5: the vehicle transmits (T) to the CID over the LF link; the CID transmits (T) back to the vehicle's receiver (R) over the RF link.]

Figure 5: Communication between the vehicle and the CID

To support the LF communication link, the vehicle is equipped with a loop antenna in each door handle. The operating range between the CID and the loop antenna suggested in [38] is about 2 to 2.6 meters. The LF link is used in order to have better range control between the interior and exterior of the vehicle [18]. This is because the intensity of the magnetic field generated by an LF coil decreases in proportion to the cube of the distance [16]. This property of LF signals allows better control of the coverage boundary within the vehicle interior, and better control over the operating range of the signals outside the vehicle. The RF link is used for the return path (i.e. from the CID to the vehicle) for the following reasons:

i) An RF signal needs less power than an LF signal to transmit a message over the same range, because the strength of an RF signal decreases with the square of the distance, as opposed to the cube of the distance for an LF signal.

ii) The CID runs from a small battery, so using an RF signal from the CID to the vehicle has less impact on the CID's battery than an LF signal covering the same communication range.

iii) A higher bit rate can be achieved with an RF signal than with an LF signal.

iv) Only one RF receiver is necessary inside the vehicle, as opposed to the multiple LF receivers that would be needed to cover the entire operating range of the system.


The authentication process starts as soon as the vehicle is triggered. The vehicle starts the communication by sending an LF interrogation message. One portion of the LF interrogation message is a wake-up signal, used to wake all CIDs within the operating range from their sleep mode. The interrogation message may also include some coded bits for security purposes. Once a CID wakes up from sleep mode, it decodes the received information, if any, and responds to the vehicle with an access code. The entire bi-directional authentication process has to be completed before the door handle reaches the end of its travel. If the control unit in the vehicle receives a valid message from the CID, it unlocks the doors and allows the user into the passenger compartment.

The bi-directional communication link allows several variations of the authentication process between the CID and the vehicle. Protocols like those used for immobilizer systems may also be used for passive access systems. However, there are several important differences in requirements between immobilizer systems and passive access systems:

i) The passive access system has a longer range than the immobilizer system. This gives an attacker an easy way to grab the code and analyze it.

ii) Access to the immobilizer interrogation message requires an attacker to be inside the vehicle compartment. This is not the case for the passive access system, where an attacker can obtain the interrogation message simply by pulling the door handle.

iii) The protocol for the passive system has to provide a means to coordinate among two or more units involved in the protocol (multiple CIDs in the working range when the vehicle is triggered). This is not the case for the immobilizer system, where only the vehicle and one key are engaged in the protocol.

iv) The timing requirements for completing the authentication process are stricter for a passive access system than for an immobilizer system.

In summary, the use of bi-directional communication links between the

vehicle and the CID allows several protocol variations. Table 1 shows some

of those variations.

Protocol Name        LF              RF
-------------------  --------------  --------------
Trigger-Fixed        Trigger         Fixed code
Trigger-Rolling      Trigger         Rolling code
Fixed-Fixed          Fixed code      Fixed code
Fixed-Rolling        Fixed code      Rolling code
Variable-Variable    Rolling code    Rolling code
Challenge-Response   Challenge       Response

Table 1: Summary of available authentication protocols using a bi-directional link for a passive vehicle

i) Trigger-Fixed: In this protocol, the vehicle sends an LF trigger. The

trigger contains no information. The CID senses the LF trigger and

responds back with its fixed code. One advantage of using a non-

coded LF trigger is to reduce the cost of an LF demodulator circuitry in

the CID

ii) Trigger-Rolling: In this protocol, the vehicle sends an LF trigger. The

trigger contains no information. When the CID senses the LF trigger it

responds back with a rolling code. The system works exactly as a

rolling code RKE. However, the user’s action of pressing a button on

the fob is replaced by sensing an LF trigger from the vehicle.

iii) Fixed-Fixed: This is similar to the password protection method used in

the immobilizer system. One implementation of this approach can be

found in [37].

iv) Fixed-Rolling: This is similar to the Trigger-Rolling method except that

the CID checks if the received fixed code matches a preset code in

the CID memory before the CID responds back with its rolling code.

v) Variable-Variable: This is similar to the rolling code described in

Section 2.4.2.

vi) Challenge-Response: This is also similar to the challenge-response

described in Section 2.4.4.

2.6 RANDOM NUMBER GENERATORS

One of the suggested protocols in Table 1 is the use of a challenge

response protocol. The protocol starts when the vehicle sends a challenge

that is a random code and different for every activation. The heart of the

random challenge is a random number. A random number provides the

challenge with its randomness property. Random numbers are commonly

used for simulation purposes. They form the basic tool for any stochastic

modeling. Good simulation results mainly depend on the selection of the

random number generator. A good generator provides a sequence of numbers that are non-deterministic and completely independent of each other. On a computing machine, completely independent random numbers are very difficult, if not impossible, to generate [14]. A completely independent random number generator needs to collect its input from a natural source whose behavior is non-predictable and non-deterministic. Such a source might not be available, or might be expensive to provide, in a computing machine.

Another problem with a completely independent random number generator is that the random sequence cannot be reproduced. For certain systems, it is

important at one point to have the capability to provide the same input

random sequence to the tested model. For example, during the debugging

phase, it may be much easier to isolate a problem if a designer has the

capability to provide the same input sequence while tuning other calibration

parameters.

As an alternative solution to completely independent random

numbers, programmers commonly use a more deterministic approach to

generate a random sequence. The algorithms that generate a deterministic

sequence of random numbers are known as pseudo-random number

generator algorithms. Throughout this chapter and the following chapters, we

will use the term random to mean pseudo-random.

Different algorithms to generate random numbers have been

investigated in the past for several applications. Most of these algorithms

start with a seed value and use a set of mathematical operations to generate

a sequence of random numbers. Linear Congruential Generator (LCG) is one

known method to generate random numbers. The general expression of an

LCG is given by the following equation

Yn+1 = (a*Yn+b) mod m

where a, b, and m are constants, Yn is the current random number, and Yn+1 is the next random number in the sequence. The sequence starts with Y0 (the seed value). Because of the mod operation, the random numbers produced by an LCG range from 0 to m-1. However, some of the values within that range may never be produced. Careful selection of the parameters a, b, and m is necessary to produce a random number sequence of maximum length. Details on the proper selection of these parameters can be found in [23],[27].

Linear congruential generator is one example of a polynomial random

number generator. Other examples of polynomial random number generators

are the quadratic and the cubic random number generators. These

generators take the form shown in the following equations

Quadratic: Yn+1 = (a*Yn^2 + b*Yn + c) mod m

Cubic: Yn+1 = (a*Yn^3 + b*Yn^2 + c*Yn + d) mod m

One of the main advantages of using an LCG over other polynomial generators is its efficiency. It is fast to execute, and it does not take a lot of code space to implement. Variations that combine several LCGs together have also been examined [26]; the result is a random sequence with a longer cycle.
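The following Python, added here as an illustration and not part of the dissertation, makes the preceding paragraphs concrete: it implements the LCG recurrence Yn+1 = (a*Yn + b) mod m, tests a parameter set against the standard full-period conditions (the Hull-Dobell criteria from the LCG literature), and counts how many distinct values a given seed actually produces, which is how one sees that a poorly chosen a, b, m leaves values in 0..m-1 that are never generated. The parameter sets used in the demonstration (a=5, b=3 and a=4, b=2, both with m=16) are constructed for the example.

```python
from math import gcd


def lcg_step(y, a, b, m):
    """One step of Yn+1 = (a*Yn + b) mod m."""
    return (a * y + b) % m


def lcg_outputs(seed, a, b, m, n):
    """The first n outputs Y1..Yn of the generator started from Y0 = seed."""
    out, y = [], seed % m
    for _ in range(n):
        y = lcg_step(y, a, b, m)
        out.append(y)
    return out


def prime_factors(n):
    """Distinct prime factors of n by trial division (m is small in these demos)."""
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors


def has_full_period(a, b, m):
    """Hull-Dobell criteria: the LCG visits every value 0..m-1 once per cycle iff
    (1) gcd(b, m) == 1, (2) a-1 is divisible by every prime factor of m, and
    (3) a-1 is divisible by 4 when m is divisible by 4."""
    if gcd(b, m) != 1:
        return False
    if any((a - 1) % p for p in prime_factors(m)):
        return False
    if m % 4 == 0 and (a - 1) % 4 != 0:
        return False
    return True


def cycle_length(seed, a, b, m):
    """Number of distinct values produced from this seed before the sequence repeats;
    anything less than m means some values in 0..m-1 are never generated."""
    seen, y = set(), seed % m
    while True:
        y = lcg_step(y, a, b, m)
        if y in seen:
            return len(seen)
        seen.add(y)


if __name__ == "__main__":
    # Constructed demo parameters: a=5, b=3 satisfies Hull-Dobell for m=16; a=4, b=2 does not.
    for a, b in ((5, 3), (4, 2)):
        print(f"a={a} b={b} m=16 full period: {has_full_period(a, b, 16)}, "
              f"distinct values from seed 0: {cycle_length(0, a, b, 16)}")
```

With a=5, b=3, m=16 every one of the 16 values appears once per cycle; with a=4, b=2 the sequence from seed 0 collapses after two distinct values, so most of the range is never produced. A challenge generator built this way would hand an attacker a far smaller effective challenge space than the bit width suggests.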

2.7 SECURITY THREAT

The main purpose of a passive access system is to eliminate the

users’ need to reach for an authentication device in order to gain access to

their vehicles. The authentication process is made transparent to the users

while they attempt to access their vehicles. While providing the user with a transparent authentication process is a desirable feature, it introduces several security weaknesses that may give an attacker unauthorized access to the vehicle. The main security weaknesses of passive access vehicles are due to two main reasons:

i) An attacker can pull the vehicle's door handle an unlimited number of times to make it transmit interrogation messages.

ii) The CID responses can be solicited without the owner’s knowledge.

An attacker can generate an interrogation message next to the

vehicle’s owner who carries an authorized CID. The CID responds to

an interrogation message since it can’t differentiate whether the

received interrogation message is from the vehicle or from a non-

trusted party.

Evaluating the level of security threat against the system is an interesting subject. The article in [1] categorizes attackers into three classes. We summarize these classes according to the attacker's capability to build a theft device.

I. Clever Outsiders: This class represents a person or a group of

people who are very intelligent with limited resources. They have the

required skill level and knowledge to assemble and build a device that

takes advantage of a certain security weakness.

II. Knowledgeable Insiders: This class represents a person or a group

of people who have detailed knowledge of the system components.

They gain their knowledge either from their capability to access

sophisticated equipment to analyze the system functionality or from

their capability to obtain detailed description regarding the system

design. One example could be a former employee who worked on the system design.

III. Funded organizations: This class represents a group with unlimited

resources. They have the capability to bring the required skills and

tools to design a sophisticated attack.

Assembling an attack-device is the first step in the attack process. The second step is to perform the attack. The motive of the people who build an attack-device may be different from the motive of those who perform the attack against passive access vehicles. Of course, the most obvious motivation for both parties is financial gain. However, the method, volume, and risk associated with this gain are different. In general, the people who develop an attack-device have a higher degree of intelligence than those who perform the attack. They are willing to take minimal or no risk of being caught; their objective is to sell as many devices as possible on the black market. On the other side, the people who perform the attack are under a lot of pressure, with a high risk of being caught, and they try to finish their attack as fast as possible. Understanding the circumstances and working environment of the system's attackers is an important part of evaluating the security threat. For example, if a security threat against a system requires an attacker to spend two or three months to break into a vehicle, it may not be a viable threat. Similarly, the threat may not be valid if an attacker is required to buy or develop a customized device that is more expensive than the vehicle itself in order to perform the attack. Unless the same device can be used with minimal calibration and adjustment to break into multiple vehicles, the cost of building a customized attack device may not be justifiable.

Based on the attacker’s approach against the passive access system,

several attacks have been identified. These attacks can be classified in three

different categories as discussed in the following subsections.

2.7.1 DETERMINISTIC APPROACH

In this approach, we use the word thief to denote an attacker. Attacks in this approach are easy to perform and deterministic in nature: the thief performs the attack only once to gain unauthorized access, and there is no trial-and-error process. The playback attack and the relay attack are two examples that belong to this approach. They are summarized in the following two subsections; a more detailed analysis of both attacks is presented in the next chapter.

2.7.1.1 PLAYBACK ATTACK

Playback attack, also known as replay attack, is briefly described in

the previous chapter. In this attack, the thief captures a previously

transmitted message from an authorized device. Later on, the thief plays

back the captured message pretending that it is sent from an authorized

device.

Building a theft device to perform a playback attack is a simple thing to

do. The main components of the device are a transceiver and a micro-

controller. In fact, such devices have been advertised as tools for the “legal

repossession of vehicles” [33].

2.7.1.2 RELAY ATTACK

Relay attack, also known as the two-thief attack, is another

deterministic approach to gain an unauthorized access to the vehicle. In this

type of attack, two thieves come to bridge the gap (distance) between the

vehicle and its owner as shown in Figure 6. All the communication between the vehicle and the CID is done in real time. The thieves are not required to know or analyze the contents of the messages communicated.

[Figure 6: Illustration of a two-thief attack problem. Thief-1 stands at the vehicle, Thief-2 stands next to the owner with the CID, and the two thieves are linked by a relay channel.]

To perform the attack, two thieves are required. Let us call them Thief-1 and Thief-2. Thief-1 stands next to the vehicle and Thief-2 stands next to the owner with the authorized CID. Each of the two thieves carries a repeater that is capable of transmitting and receiving at the same time. The repeater mainly receives a signal from one side and sends the signal to the other side after amplification. Thief-1 first triggers the vehicle to send an interrogation message. Thief-1, who is within the vehicle's transmission range, receives the signal from the vehicle. As Thief-1 receives the signal, the repeater amplifies it and transmits it via a predetermined channel to Thief-2. Thief-2 receives the signal from Thief-1 on the predetermined channel and then sends the signal to the authorized user. The CID carried by the authorized user responds upon receiving the signal from Thief-2. Thief-2 receives the response from the CID and then sends it back to Thief-1. Thief-1 then receives the signal from Thief-2 and sends it to the vehicle. Since the vehicle receives a valid CID message in response to its interrogation message, the vehicle unlocks the doors.

2.7.2 STATISTICAL APPROACH

In this approach, we use the word intruder to denote the attacker. Theoretically speaking, if the system is secure against all known attacks, then there is no way to break the system other than trial and error. The objective of trial and error is to try as many combinations as possible until a successful trial is achieved. Such attacks are statistical in nature. The success of an attack mainly depends on the system design parameters. The most critical parameter is the number of bits used to create the different combinations. Increasing the number of combinations can significantly reduce the risk of such attacks; however, the chance of breaking the system is still there. The scanning attack and the dictionary attack are two examples that belong to this approach. They are summarized in the following two subsections; a more detailed analysis of both attacks is presented in the next chapter.

2.7.2.1 SCANNING ATTACK

In the rolling code RKE system, the intruder performs a scanning attack by transmitting a different code to the vehicle on each trial. The intruder's main objective is to try as many different combinations as possible until the vehicle recognizes a valid code. In a passive vehicle access system that uses a challenge-response authentication approach, the scanning attack is a little different. An intruder could try to gain unauthorized access to the vehicle by initiating the vehicle-trigger (e.g. pulling the door handle) many times. As a result of each vehicle-trigger, the vehicle sends a different interrogation message. Each time the vehicle sends an interrogation message, the intruder responds with a fixed code. The objective is to have the vehicle generate a random challenge whose correct response is the fixed code transmitted by the intruder. The probability of a successful attack depends on three main things: the number of bits used in the random challenge, the random number generation algorithm, and the number of trials conducted by the intruder. The random number generation algorithm plays a significant role in increasing or decreasing the probability of a successful attack. A model of the random number generator is presented in Section 3.5. The model is then used in Section 3.7 to analyze the risk of the scanning attack.

2.7.2.2 DICTIONARY ATTACK

The dictionary attack is a powerful statistical approach against the

passive access system that employs a challenge-response protocol. The

dictionary attack is possible only if there is access to the CID. Since sending

an interrogation message can trigger the CID, a dictionary attack may be

performed as follows:

1. An electronic dictionary is constructed by sending different challenges to the CID and recording the CID's responses. This step requires proximity to the CID, which is usually carried by the vehicle's owner. The owner is not aware of the attack since the CID automatically responds to any challenge. Each captured response is stored together with its challenge as a (challenge, response) pair. Let D denote the number of (challenge, response) pairs captured in this step.

2. After building a dictionary of size D, the next step in the attack is to

pull the vehicle’s door handle in order to initiate an interrogation

message (challenge) from the vehicle.

3. If the challenge matches any entry in the dictionary, the corresponding

response is sent. If the challenge does not match any of the

challenges stored in the dictionary, the dictionary responds with a

fixed response (modified scanning attack). The fixed response is

chosen to be different from any of the responses captured in the first

step.

A security threat analysis of the dictionary attack is presented in Section 3.8 of the next chapter.
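As an added illustration (not from the dissertation), the following Python simulates the three steps above against a toy challenge-response system. The CID's response function, HMAC-SHA256 over the challenge truncated to 16 bits under a constructed key, and the 16-bit challenge width are assumptions for the example; the dissertation does not specify them. The simulation reports the fraction of door pulls that unlock the vehicle for a dictionary of D entries; for a vehicle that draws its challenge uniformly, that fraction is close to D/2^16, since a challenge already in the dictionary is answered correctly and any other challenge is met with the fixed guess.

```python
import hashlib
import hmac
import random

CHALLENGE_BITS = 16                           # assumed challenge width (constructed for the demo)
N = 1 << CHALLENGE_BITS
CID_KEY = b"demo-cid-key-not-a-real-secret"  # constructed shared secret


def cid_response(challenge, key=CID_KEY):
    """CID side. The response function is an assumption for the example: HMAC-SHA256
    over the 16-bit challenge, truncated to 16 bits."""
    return hmac.new(key, challenge.to_bytes(2, "big"), hashlib.sha256).digest()[:2]


def vehicle_accepts(challenge, response, key=CID_KEY):
    """Vehicle side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(cid_response(challenge, key), response)


def build_dictionary(size, rng):
    """Step 1: near the owner, send `size` distinct challenges to the CID and
    record each (challenge, response) pair."""
    return {c: cid_response(c) for c in rng.sample(range(N), size)}


def choose_fixed_response(dictionary):
    """Fixed fallback response, chosen to differ from every captured response."""
    captured = set(dictionary.values())
    for v in range(N):
        r = v.to_bytes(2, "big")
        if r not in captured:
            return r
    raise ValueError("all response values already captured")


def attack_response(challenge, dictionary, fixed_response):
    """Step 3: answer from the dictionary if the challenge is known, else guess."""
    return dictionary.get(challenge, fixed_response)


def expected_hit_rate(dict_size):
    """Probability that a uniformly random challenge is already in a dictionary of dict_size entries."""
    return dict_size / N


def simulate(dict_size, door_pulls, seed=1):
    """Run the three steps against a vehicle that issues a fresh uniform challenge per
    door pull (step 2); returns the fraction of pulls that unlocked the vehicle."""
    rng = random.Random(seed)
    dictionary = build_dictionary(dict_size, rng)
    fixed = choose_fixed_response(dictionary)
    unlocked = 0
    for _ in range(door_pulls):
        challenge = rng.randrange(N)
        if vehicle_accepts(challenge, attack_response(challenge, dictionary, fixed)):
            unlocked += 1
    return unlocked / door_pulls


if __name__ == "__main__":
    D = N // 4
    print(f"D={D} of {N} challenges captured; expected hit rate {expected_hit_rate(D):.3f}, "
          f"simulated {simulate(D, 4000):.3f}")
```

The owner-side step is the expensive one for the attacker (D solicitations within radio range of the CID), while the vehicle-side step costs one door pull per attempt; the simulation makes it easy to see how the challenge width and D trade off against each other.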

2.7.3 ANALYTICAL APPROACH

This approach is different from the other two. The success of this type of attack is based on the attacker's capability to capture several authentication messages and analyze them to reveal some of the system security parameters (e.g. the encryption key used). Cryptanalysis and challenge prediction attacks are two examples that belong to this approach. These attacks are summarized in the following two subsections. A more detailed analysis of these two attacks is presented in the next chapter.

2.7.3.1 CRYPTANALYSIS ATTACK

Cryptosystems provide different degrees of security based on the amount of information and degree of freedom available to a cryptanalyst, regardless of the encryption algorithm used. Two different cryptosystems could use the same encryption and decryption algorithms yet provide two different levels of security. From a cryptanalysis point of view, there are several levels of security classification [39]. The three most common ones that are related to our work are described below. These classifications assume that the encryption and decryption algorithms are public.

i) Ciphertext-only: This is the most difficult attack classification because of the limited information available to a cryptanalyst. In this classification, the cryptosystem communicates over a public channel using encrypted messages only. A cryptanalyst who listens on the same public channel can capture one or more encrypted messages (ciphertext), all encrypted under the same key. The cryptanalyst's task is to recover the plaintext of current or future messages or, better, to find the encryption key used.

ii) Known-Plaintext: In this classification, a cryptanalyst has access to both the ciphertext and the plaintext of one or more messages. For example, a system that uses a challenge-response protocol for authentication sends both the plaintext (challenge) and the ciphertext (response) over the public channel (wireless communication). The cryptanalyst's task is to develop an algorithm to encrypt any plaintext or, better, to deduce the encryption key used.

iii) Chosen-plaintext: This classification is similar to known-plaintext in terms of the amount of information available to a cryptanalyst. In addition, the cryptosystem allows the cryptanalyst to select the plaintext to be encrypted. This provides an additional degree of freedom to deduce the encryption key in less time. For example, in the challenge-response protocol used in the immobilizer system, if the transponder responds to any challenge it receives, a cryptanalyst can select particular challenges that help recover the encryption key more quickly. Cryptosystems that provide this amount of information and degree of freedom are classified as less secure than those in the known-plaintext classification, for two reasons. First, the cryptanalyst does not need to wait for the communicating parties to communicate. Second, the cryptanalyst selects the inputs based on an initial study showing that certain inputs reveal more information than others.

Several cryptanalysis methods and techniques have been investigated in the literature. Related-key cryptanalysis, developed in [3],[22],[20], was used against several algorithms such as GOST [13], IDEA [29], and SAFER [32]. Differential cryptanalysis is another technique, introduced in [4],[5],[6],[7]; it has been used against the Data Encryption Standard (DES) algorithm and other known algorithms. Cryptanalysis methods and techniques are part of a very wide subject. For this research work our need is limited to knowing that such techniques exist. The details of these techniques are beyond the scope of our work and will not be further investigated.

2.7.3.2 CHALLENGE PREDICTION ATTACK

In this attack an intruder tries to predict the next challenge by

observing the previous few challenges. Previous challenges can be obtained

simply by triggering the vehicle’s door handle several times. If an intruder has

a method to predict the next challenge, he can build a device to generate the

predicted challenge himself. To perform the attack, the intruder sends the

predicted challenge next to the owner of the vehicle who carries an

authorized CID. In response to the challenge, the CID responds back with a

challenge-response message. The intruder records the challenge-response

message and proceeds in his attack next to the vehicle. The next step for the

intruder is to pull the vehicle’s door handle in order to send the predicted

challenge. In response to the challenge, the intruder plays the message

previously recorded from the CID. Of course, the intruder will be successful

in his attack provided the vehicle generates exactly the same challenge that

the intruder had predicted.

This attack can be packaged so that an average user can perform it. The intruder is not required to be a cryptanalyst to conduct the attack. However, the person who designed the attack equipment needs a certain degree of knowledge. For example, the attack equipment can be self-calibrating, with simple instructions for use. The user interface can be made via two light indicators, a red and a green one. The red indicator informs the user that the equipment is not yet calibrated to predict the next challenge; in this case the user is required to trigger the vehicle again. The green indicator informs the user that the equipment has captured enough challenges to predict the next one; in this case the user can continue with the attack as described earlier.
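To make the prediction step concrete, here is an added Python example (not from the dissertation) for the case where the vehicle draws its challenges from the LCG of Section 2.6 with a modulus m known to the attacker (assumed here to be 2^16, i.e. a 16-bit challenge). Three consecutive observed challenges Y0, Y1, Y2 satisfy a*(Y1 - Y0) = Y2 - Y1 (mod m); solving that linear congruence yields the candidates for a, each with its b = Y1 - a*Y0 (mod m), and every further observed challenge prunes the candidates that no longer fit. The red light of the device corresponds to more than one candidate remaining, the green light to exactly one. The multiplier and increment values used in the test scenario are constructed.

```python
from math import gcd


def lcg_step(y, a, b, m):
    """One step of the LCG Yn+1 = (a*Yn + b) mod m."""
    return (a * y + b) % m


def lcg_outputs(seed, a, b, m, n):
    """The challenges Y1..Yn a vehicle using this generator would emit from Y0 = seed."""
    out, y = [], seed % m
    for _ in range(n):
        y = lcg_step(y, a, b, m)
        out.append(y)
    return out


def solve_linear_congruence(d, e, m):
    """All a in 0..m-1 satisfying a*d = e (mod m); empty if there is no solution.
    With g = gcd(d, m) there are either 0 or exactly g solutions."""
    g = gcd(d, m)
    if e % g:
        return []
    m2 = m // g
    if m2 == 1:                       # d is 0 mod m: every a works when e is too
        return list(range(m))
    a0 = (e // g) * pow((d // g) % m2, -1, m2) % m2
    return [(a0 + k * m2) % m for k in range(g)]


def recover_lcg(observed, m):
    """Candidate (a, b) pairs consistent with consecutive observed challenges, given m.
    Three values fix a up to gcd(Y1-Y0, m) choices; extra values prune the rest."""
    if len(observed) < 3:
        return []
    y0, y1, y2 = observed[:3]
    candidates = []
    for a in solve_linear_congruence((y1 - y0) % m, (y2 - y1) % m, m):
        b = (y1 - a * y0) % m
        if all(lcg_step(x, a, b, m) == y for x, y in zip(observed, observed[1:])):
            candidates.append((a, b))
    return candidates


def predict_next(observed, m):
    """The predicted next challenge, or None while more than one generator still fits
    (the red light: pull the handle again and record one more challenge)."""
    candidates = recover_lcg(observed, m)
    if len(candidates) != 1:
        return None
    a, b = candidates[0]
    return lcg_step(observed[-1], a, b, m)


if __name__ == "__main__":
    # Constructed vehicle generator: a=25173, b=13849, m=2^16 (full period), seed 12345.
    M = 1 << 16
    seen = lcg_outputs(12345, 25173, 13849, M, 4)
    print("observed:", seen[:3], "-> predicted next:", predict_next(seen[:3], M),
          "actual:", seen[3])
    print("ambiguous observation [2, 10, 10] mod 16 ->", predict_next([2, 10, 10], 16))
```

For a full-period LCG modulo a power of two, consecutive outputs alternate parity, so Y1 - Y0 is odd and three challenges already pin down a and b uniquely; the attacker never needs to know the seed, only the modulus, which the challenge width gives away.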

CHAPTER 3

SECURITY ANALYSIS

In Section 2.7, we identified several security weaknesses of the passive access vehicle system. Identifying the security weaknesses and possible threats is the first step in the design process towards a secure system. The second step is to analyze and measure each security threat.

What is the root cause of the threat? How can we measure the risk

associated with a threat? What options do we have to eliminate or reduce the

risk of a threat? Is there a tradeoff between improving security and other

system parameters? The main objective of this chapter is to provide analysis

for each one of the security threats identified in Section 2.7 of the previous

chapter.

This chapter is organized in eight sections, presented in the following order for better flow and understanding of the material. In the first two sections, we analyze the deterministic approach attacks. Playback attack analysis for different communication links is given in Section 3.1. Analysis of the tools needed to perform a relay attack is presented in Section 3.2; more details on relay attacks, relay attack countermeasures, and analysis of solutions are left to the next chapter. In the third and fourth sections, we analyze the analytical approach attacks. A visual spectrum of the different cryptanalysis categories is given in Section 3.3. Analysis of the challenge prediction attack is presented in the form of requirements in Section 3.4. A model for the random challenge and methods for measuring system security are presented in Section 3.5 and Section 3.6, respectively. These sections are placed after the challenge prediction attack and before the statistical attacks for two reasons. First, the analysis of the challenge prediction attack imposes some requirements that must be implemented in the random challenge model. Second, the random challenge model and the security measures are used as basic tools to analyze the risk of the statistical attacks. Detailed analyses of the scanning attack and the dictionary attack are given in Section 3.7 and Section 3.8, respectively.

3.1 PLAYBACK ATTACK

A playback attack can be easily performed against a passive access vehicle system that is based on a unidirectional communication link. For example, the Lectron system described in the previous chapter is an easy target for a playback attack. In this system a thief can easily capture and record the message transmitted by an authorized CID just by standing close to the owner of the vehicle. The thief can then replay the recorded message next to the vehicle to gain unauthorized access.

An alternative approach to a unidirectional communication link is the use of a bi-directional communication link. In Section 2.5.2 of the previous chapter we examined several authentication protocols based on a bi-directional communication link for use in a passive access system. The first four protocols in Table 1 were based on a

fixed content message in either or both directions. The use of a fixed content

message in any communication link of the authentication process is subject

to a playback attack. A successful playback attack can be performed

regardless of whether the fixed code is sent from the vehicle to the CID or

from the CID to the vehicle. As long as the content of one of the communication links is the same in every authentication, a thief can record the fixed content link either to gain access to the vehicle, or to solicit a

new valid access code from the CID. For example, if the LF signal is used

only to wake up the CID every time a door handle is pulled, a thief can simply

assemble a device to perform a playback attack. One implementation is to

equip the theft device with two buttons, ‘solicit’ button, and ‘play’ button.

When a thief presses the ‘solicit’ button, the device performs two steps: First,

it sends an LF wake up signal similar to the one the vehicle sends. Second, it

records any message in response to the LF wake up signal. The ‘play’ button

is then used to send the recorded message captured when the ‘solicit’ button

was pressed. With such a device, a thief can solicit any CID response by

pressing the ‘solicit’ button while standing next to the vehicle’s owner. Of

course, the captured message from the CID is a valid message whether its

content is variable or fixed.

The rolling code protocol was also examined for a bi-directional communication link. There are several variations of rolling code that can be implemented. The major problem with rolling code is the synchronization between the vehicle and the CID. Synchronization is a problem when any of the communication links is unreliable. It is also a problem when one side is triggered to transmit while the other side is not in reception range.

To address the playback attack and the synchronization problems, a random challenge-response protocol was introduced as an alternative solution. In this solution, the message contents from the vehicle to the CID and vice versa change in every authentication. This prevents a thief with recording equipment from obtaining any valid message that could be used later to gain access. The challenge-response protocol is also synchronization free: there is no need to implement any synchronization method for future authentications in the event that one of the communication links was corrupted during the previous authentication.
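As an added example, not from the dissertation, the following Python models the 'solicit'/'play' device described above against two of the Table 1 protocols. The Trigger-Rolling CID answers any LF trigger with a counter and a keyed tag (HMAC-SHA256 truncated to four bytes under a constructed key, an assumption made for the demo; the dissertation does not fix the rolling code algorithm), so a freshly solicited message is accepted by the vehicle even though a message the vehicle has already consumed is rejected. Against the challenge-response protocol the same device fails, because the solicited response answers the thief's challenge rather than the fresh random challenge the vehicle issues at the door.

```python
import hashlib
import hmac
import secrets

KEY = b"demo-shared-key-not-a-real-secret"  # constructed secret shared by vehicle and CID
TAG_LEN = 4


def mac(data, key=KEY):
    """Keyed tag over a message. HMAC-SHA256 truncated to 4 bytes is an assumption
    for the demo; the dissertation does not fix the algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


class RollingCid:
    """Trigger-Rolling CID: any LF trigger (it carries no data) yields (counter, tag)."""
    def __init__(self):
        self.counter = 0

    def on_trigger(self):
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return ctr + mac(ctr)


class RollingVehicle:
    """Accepts a rolling code whose tag verifies and whose counter advances within a window."""
    def __init__(self, window=16):
        self.last, self.window = 0, window

    def try_unlock(self, msg):
        ctr_bytes, tag = msg[:4], msg[4:]
        ctr = int.from_bytes(ctr_bytes, "big")
        if not hmac.compare_digest(mac(ctr_bytes), tag):
            return False
        if not (self.last < ctr <= self.last + self.window):
            return False                        # stale or far-ahead counter: reject
        self.last = ctr
        return True


class ChallengeCid:
    """Challenge-Response CID: answers whatever challenge it hears with its tag."""
    def on_challenge(self, challenge):
        return mac(challenge)


class ChallengeVehicle:
    """Issues a fresh random challenge per door pull; no counter state to keep in sync."""
    def __init__(self, rng=secrets.token_bytes):
        self.rng, self.pending = rng, None

    def door_pull(self):
        self.pending = self.rng(4)
        return self.pending

    def try_unlock(self, response):
        ok = self.pending is not None and hmac.compare_digest(mac(self.pending), response)
        self.pending = None
        return ok


def solicit_and_play_rolling():
    """'solicit' (fake LF trigger next to the owner) then 'play' at the vehicle."""
    cid, vehicle = RollingCid(), RollingVehicle()
    vehicle.try_unlock(cid.on_trigger())   # owner's own legitimate use beforehand
    captured = cid.on_trigger()            # thief presses 'solicit' near the owner
    return vehicle.try_unlock(captured)    # thief presses 'play' at the vehicle


def replay_used_rolling():
    """Replaying a code the vehicle already consumed fails; soliciting a fresh one
    is what makes the device work against Trigger-Rolling."""
    cid, vehicle = RollingCid(), RollingVehicle()
    msg = cid.on_trigger()
    return vehicle.try_unlock(msg), vehicle.try_unlock(msg)


def solicit_and_play_challenge(rng=secrets.token_bytes):
    """The same device against Challenge-Response: the solicited response answers the
    thief's challenge, not the one the vehicle later issues."""
    cid, vehicle = ChallengeCid(), ChallengeVehicle(rng)
    captured = cid.on_challenge(b"\x00\x00\x00\x01")  # 'solicit' with a thief-chosen challenge
    vehicle.door_pull()                               # vehicle picks its own challenge
    return vehicle.try_unlock(captured)               # 'play' the solicited response


if __name__ == "__main__":
    print("Trigger-Rolling, solicit then play:", solicit_and_play_rolling())
    print("Trigger-Rolling, replay a used code:", replay_used_rolling())
    print("Challenge-Response, solicit then play:", solicit_and_play_challenge())
```

Note that the challenge-response model still answers any challenge it hears, which is exactly the exposure the dictionary and challenge prediction attacks of Section 2.7 exploit; what it removes is the value of a blindly solicited message.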

3.2 RELAY ATTACK

In this section we take a close look at how the thieves may design a relay attack device and how they may use it against the passive access security system. Figure 7 shows the block diagram of a repeater that the thieves may use.

Figure 7: Block diagram of a thief’s repeater system.

A repeater consists mainly of two units, U1 and U2. Each unit, Ux, has

a transmitter Tx and a receiver Rx. The two units are physically apart from

each other. Unit U1 communicates with U2 via an RF signal at carrier

frequency f1. The frequency f1 is predefined and selected by the thieves. U1

modulates the input signal received through the receiver R1 using a carrier

frequency f1. The modulated signal is then sent to unit U2. U2 demodulates

the signal to reconstruct the original input signal IN. The reconstructed input

signal IN is the signal OUT shown in Figure 7. The signal OUT is then sent

using transmitter T2. Ideally the output signal OUT is equal to the input signal

IN with some delay. In order to bridge the signals from the vehicle to the CID

and vice versa, two repeaters are required as shown in Figure 8. The first

repeater sends the signal from the vehicle to the CID, and the second

repeater sends the signal from the CID to the vehicle. In order to avoid any

interference between the two repeaters, the thieves can design their systems

to communicate at two different carrier frequencies f1, and f2.

Figure 8: A complete theft device using two repeaters.

In the current passive entry system an LF link is used from the vehicle to the CID and an RF link is used from the CID to the vehicle. So in the above figure, Repeater-1 is used to bridge the gap (distance) between the vehicle and the CID for the LF link, and Repeater-2 is used to bridge the gap for the RF link from the CID to the vehicle. The thieves use two different carrier frequencies f1 and f2 to avoid interference between the signals on the link between the two thieves. Since the signals IN1 and OUT1 are LF signals and IN2 and OUT2 are RF signals, there will not be any other kind of interference between Repeater-1 and Repeater-2. As a result, Thief-1 will be able to gain access to the vehicle.

3.3 CRYPTANALYSIS ATTACK

In Section 2.7.3.1, three different classifications of cryptanalysis attack were presented. These classifications are based on the amount of information and degree of freedom the system provides to an intruder. The system is more secure if the amount of information and degree of freedom is less. Figure 9 shows a classification spectrum that represents the three classifications.

[Figure 9: nested regions labelled Chosen Plaintext, Known Plaintext and Ciphertext-Only]

Figure 9: Cryptanalysis attack spectrum

The Chosen-Plaintext class represents the class with the most information and degree of freedom available to the outside. The Known-Plaintext class represents a class with less information and freedom. It is represented as a subset of the Chosen-Plaintext class. Any information that is available in the Known-Plaintext class is also available in the Chosen-Plaintext class. Finally, the Ciphertext-Only class provides the least amount of information. It is represented in the center of the spectrum.

The spectrum provides a visual way to compare different cryptosystems against each other from a cryptanalysis point of view. We said that a cryptosystem is more secure if it is closer to the center of the spectrum. For example, consider the three cryptosystems 'A', 'B', and 'C' represented on the spectrum in Figure 10.

[Figure 10: the spectrum of Figure 9 with cryptosystems A, B and C marked on it]

Figure 10: Examples of different systems on the cryptanalysis spectrum

Cryptosystem 'A' could be a rolling code RKE, for example. It is placed as shown on the spectrum to overlap between the Ciphertext-Only and the Known-Plaintext class. A cryptanalyst can observe the ciphertext when the user presses a button to unlock or lock the vehicle. Even though the cryptanalyst can't see the full plaintext, he could see part of it by observing the action taken by the vehicle, assuming that the function code 'lock' or 'unlock' is part of the encrypted message. Furthermore, since the rolling code is based on a sequence counter that is incremented for every transmission, a cryptanalyst can depend on this fact to obtain additional information about the plaintext.

Cryptosystems B and C may represent an immobilizer system that uses a challenge-response protocol. Both fall in the Chosen-Plaintext class. System B always responds to any challenge received. If system C is designed such that the transponder responds to a limited number of challenges per unit time, then we place system C closer to the spectrum center. It is obvious that system B provides a higher degree of freedom to a cryptanalyst than system C. For this reason it is represented as shown on the spectrum.

The cryptanalysis attack presents a low risk method against the passive access system for the following reasons:

i) A cryptanalysis attack requires time and effort to capture several messages for analysis.

ii) A cryptanalysis attack requires an individual with a higher degree of intelligence. Such an individual can do better things in his life than attacking the passive access vehicle system.

iii) The attack is different from one vehicle to the other. The time and effort an intruder needs to spend on attacking one vehicle is the same if he wants to attack another vehicle. This demoralizes the intruder from proceeding with his attack, because the financial gain may not be justifiable. The need to solve the system security weaknesses to prevent a cryptanalysis attack is of very low concern.

3.4 CHALLENGE PREDICTION ATTACK

Prediction of a challenge mainly depends on the strength of the random number generator used to assemble the challenge. In Section 2.6 we studied the LCG as a method of random number generation. While LCGs are fast and useful for generating a sequence of random numbers for simulation purposes, they are not suitable for other applications. One of the major problems with the LCG method is that it is predictable. The next random number in the sequence is predictable to a cryptanalyst who observes previous random numbers. For example, if the detailed information about the generator used is public, then predicting $Y_{n+1}$ is as simple as observing the current value $Y_n$. Even without knowing the generator parameters, several techniques were investigated in the past to break LCGs, quadratic generators, cubic generators, and in general any polynomial congruential generator [24],[25].

Prediction of a new random number is the key threat for a successful attack against the passive access system. There are other applications where forward prediction of random numbers is a concern. For example, in the gaming industry, a slot machine will fail if a gambler can predict the next spin based on previous spins. Such an application requires the random sequence to be forward unpredictable. Backward predictability of the previous sequence is harmless, i.e. it does not matter if the gambler predicts the previous spins based on the current spin.

Though prediction of random numbers via mathematical analysis constitutes a strong and efficient method to break some of the known random number generators, there are several other methods or tools to do so. The validity of these tools and methods depends mainly on the properties of the random number generator used. Each random number generator has its own unique features. Similarly, each application has its own unique requirements from a security point of view. In selecting a random number generator, it is important that the features of the selected random number generator match or exceed the system requirements. Some of the requirements in selecting a random number generator for a passive access system are outlined in the following subsections.

3.4.1 EXTERNAL MANIPULATION

External physical quantities such as the time delay between activations, temperature measurements, external reset via battery disconnect, and the time of an external event are not hard for an intruder to induce into the system. An intruder can easily manipulate a random number sequence if such quantities are used as a seed value to the random number generator. For example, imagine a random generator that depends on the system clock as a seed value. In an embedded system design, most of the Electronic Control Units (ECUs) in the vehicle enter a sleep state to reduce power consumption. Each ECU has different requirements to enter or exit a sleep state. When an ECU exits a sleep state the system clock starts. Typically, the system clock starts from an initial value known as the power-on reset initial value. In a passive access vehicle system, an ECU exits a sleep state upon a door handle trigger. After an initialization phase, the ECU starts the random generator with a seed value captured from the system clock. Every time a door handle is triggered, the seed value will be about the same, hence the same random number. Slight variations are possible due to other activities the ECU may manage at the same time. For this example, it does not matter whether the random number generator provides a large number of bits or not; an intruder has only a small space to search for those random numbers that are the most likely to occur.

3.4.2 DIFFERENT SEQUENCE FOR DIFFERENT ECUS

Random number generators are normally implemented as part of the source code that is stored in the micro-controller ROM. It is cost effective to provide the same code in the ROM for each ECU produced. In general, each ECU has a non-volatile read-write memory, such as EEPROM, which holds calibration-specific parameters for a vehicle. The ECU that contains the random number generator has to implement a mechanism to provide a different sequence of random numbers when installed in different vehicles. A random number generator that produces the same sequence of random numbers for different vehicles is subject to pre-knowledge or forward prediction of the random number sequence. An intruder can monitor the random sequence on one vehicle and then use that knowledge against other vehicles. Most random number generators start from a seed value that is stored in the EEPROM. The seed value is then updated every time the random number generator is invoked. Having different seed values for different ECUs will not guarantee that the random sequences on two vehicles will not synchronize to the same sequence at some point in the future.

3.4.3 STATISTICAL REQUIREMENTS

In a cryptographic random number generator, the statistical characteristics of the random numbers produced play a key role in measuring the strength of the random sequence. One of the main objectives in choosing a random number generator is to make the random sequence extremely difficult for an intruder to guess.

In this section, we impose several statistical requirements on the random number sequence. The main purpose of these requirements is to maximize the challenge search space for an external observer. In other words, we would like to have a random number generator with statistical properties that make guessing the next random number as difficult as possible.

3.4.3.1 FLAT DISTRIBUTION

One of the statistical requirements of a random number generator is to produce random numbers that are equally likely to occur. If the probability of different random numbers is unequal, then there are some random numbers with higher probability than the rest. Typically, an intruder starts his guesses with those random numbers that have the highest probability.

Flat distribution of the random numbers is an important requirement, since the size of the space an intruder has to search for a successful guess is directly related to the amount of information a random number generator produces. According to Shannon [40], the amount of information a source produces is determined by the probability distribution of the produced code. An estimate or measure of the amount of information, known as the entropy H, is given by:

$$H = -\sum_{i=1}^{C} p_i \log_2(p_i)$$

where:

i : an index that represents the random number,
C : the size of the random space,
$p_i$ : the probability of each random number generated.

To better understand the effect of a non-uniform distribution, consider the following example:

Assume a simple 3-bit random number generator. At any instant, the random number generator produces one of eight possible values. Let i denote the random number, and $p_i$ denote the corresponding probability, as shown in Table 2.

 i    p_i      log2(p_i)
 1    1/32     -5
 2    1/16     -4
 3    1/8      -3
 4    1/4      -2
 5    1/2      -1
 6    1/64     -6
 7    1/128    -7
 8    1/128    -7

Table 2: Example of a random number probability distribution and the corresponding amount of information

Note that

$$\sum_{i=1}^{8} p_i = 1$$

For this example, H can be calculated by

$$H = -\sum_{i=1}^{8} p_i \log_2(p_i)$$

$$H = -\left[\frac{1}{32}(-5) + \frac{1}{16}(-4) + \frac{1}{8}(-3) + \frac{1}{4}(-2) + \frac{1}{2}(-1) + \frac{1}{64}(-6) + \frac{1}{128}(-7) + \frac{1}{128}(-7)\right]$$

$$H = 1.984$$

While 3 bits are required to represent any of the 8 possible random numbers, the effective or average number of bits of information is equal to 1.984. This means that the intruder's search space has been reduced from 8 ($2^3 = 8$) possible combinations to 3.96 ($2^{1.984} = 3.96$). Typically an intruder has to start with the most likely random number, followed by the next and so on. In the above example the intruder has to start with the random number 5 since it has the highest probability ($p_i = 0.5$) to occur.

3.4.3.2 AVALANCHE EFFECT

A different statistical requirement on the random number generator is to satisfy the avalanche effect criterion. This criterion requires that a single bit change in the input causes, on average, half the bits to change on the output of the generator. It is important to emphasize that we used the words "on average" to describe the total number of bits changed. The use of the words "on average" does not mean that the number of bits that change their value between two consecutive random numbers is exactly half the total number of bits. It is possible for fewer or more bits to change their value than half the total number of bits. However, the probability for this to occur is lower. To better understand the effect of the avalanche criterion on maximizing the intruder's search space, we present the following analysis.

Let n and k represent the total number of bits in the random number, and the total number of bits that change between consecutive random numbers, respectively.

If only one bit changes its value (k=1) between two consecutive random numbers, then there are n different possibilities to guess the next random number.

If two bits change their values (k=2), then there are $C_2$ possibilities to guess the next random number, where $C_2$ is given by

$$C_2 = \binom{n}{2} = \frac{n(n-1)}{2}$$

In general, for any k-bit change, there are $C_k$ different possibilities to guess the next random number, where $C_k$ is given by

$$C_k = \binom{n}{k} = \frac{n!}{(n-k)!\,k!}$$

As the number of possibilities increases, an intruder's search space increases too. So, what is the value of k that maximizes the total number of possibilities?

To answer this question, let $D_k$ represent the difference between $C_k$ and $C_{k-1}$:

$$D_k = C_k - C_{k-1}$$

$$D_k = \binom{n}{k} - \binom{n}{k-1} = \frac{n!}{(n-k)!\,k!} - \frac{n!}{(n-k+1)!\,(k-1)!}$$ (3.4.3.2-1)

With some mathematical simplification, Equation (3.4.3.2-1) can be reduced to

$$D_k = \frac{n!\,(n+1-2k)}{(n-k+1)!\,k!}$$ (3.4.3.2-2)

The number of possibilities $C_k$ increases as long as $D_k$ is positive. The value of k just before the first value that makes $D_k$ negative is the value at which $C_k$ is maximum. $D_k$ is negative when the numerator in Equation (3.4.3.2-2) is negative:

$$n!\,(n+1-2k) < 0$$ (3.4.3.2-3)

Solving Equation (3.4.3.2-3) for k:

$$k > \frac{n+1}{2}$$

This means that the value of k at which $C_k$ has its maximum value is equal to

$$k = \left\lfloor \frac{n+1}{2} \right\rfloor$$

For example, if n = 16, then

$$k = \left\lfloor \frac{16+1}{2} \right\rfloor = \lfloor 8.5 \rfloor = 8$$

Figure 11 shows $C_k$ for n = 16 and k = 0, 1, 2, ..., 16.

[Figure 11: plot of $C_k$ (vertical axis, 0 to 14000) against k (horizontal axis, 0 to 16) for n = 16]

Figure 11: Number of combinations for each number of bits changed
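As an added example (not part of the dissertation), the following Python computes $C_k$ for a given n, checks the closed form of Equation (3.4.3.2-2) against the direct difference $C_k - C_{k-1}$, and locates the maximum by the sign-change argument of the text; the function names are my own.

```python
from math import comb, factorial


def c_k(n: int, k: int) -> int:
    """C_k = C(n, k): number of candidate next values when exactly k of the
    n output bits differ from the previous random number."""
    return comb(n, k)


def d_k(n: int, k: int) -> int:
    """D_k = C_k - C_{k-1}, computed directly from the binomial coefficients."""
    return comb(n, k) - comb(n, k - 1)


def d_k_closed_form(n: int, k: int) -> int:
    """Equation (3.4.3.2-2): D_k = n! (n+1-2k) / ((n-k+1)! k!).
    The quotient is an exact integer, so integer division loses nothing."""
    return factorial(n) * (n + 1 - 2 * k) // (factorial(n - k + 1) * factorial(k))


def k_max(n: int) -> int:
    """k at which C_k peaks, as derived in the text: floor((n+1)/2)."""
    return (n + 1) // 2


def k_max_by_scan(n: int) -> int:
    """Locate the peak the way the text argues it: C_k grows while D_k > 0,
    so the first k with D_k < 0 is one past the maximum. For odd n, D_k = 0
    at k = (n+1)/2 and two adjacent k share the maximum; this returns the larger."""
    for k in range(1, n + 1):
        if d_k(n, k) < 0:
            return k - 1
    return n  # only reached for n = 1


def search_space_by_flips(n: int) -> list:
    """C_k for k = 0..n; for n = 16 these are the values plotted in Figure 11.
    They sum to 2^n, the full space of n-bit values."""
    return [c_k(n, k) for k in range(n + 1)]


def peak_fraction_of_full_space(n: int) -> float:
    """Fraction of the 2^n space an intruder must still cover even if he knows
    exactly k_max bits flipped: C_{k_max} / 2^n (about 0.196 for n = 16)."""
    return c_k(n, k_max(n)) / 2 ** n
```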

3.4.3.3 STRICT AVALANCHE EFFECT

The strict avalanche effect requires that each bit in the random number sequence has a 50% chance to change. This is another important requirement in order to maximize the random number search space. If the probability for each bit to change is more or less than 50%, then the intruder's search space is reduced. For example, consider a random number generator in which one of the output random number bits has a probability $p_c$ to change. If $p_n$ denotes the probability that the bit does not change, then

$$p_n = 1 - p_c$$ (3.4.3.3-1)

Let H represent the amount of information in this bit. H can be calculated by the following equation:

$$H = -p_c \log_2(p_c) - p_n \log_2(p_n)$$ (3.4.3.3-2)

Substituting Equation (3.4.3.3-1) in Equation (3.4.3.3-2) we get

$$H = -p_c \log_2(p_c) - (1-p_c)\log_2(1-p_c)$$ (3.4.3.3-3)

Note that, from [44], as $X \to 0$, $X \log(X) \to 0$.

If $p_c \to 0$, then from Equation (3.4.3.3-3) $H \to 0$. This follows from the fact that a bit that does not change provides no uncertainty to an intruder. The intruder will set this bit to a specific value for all the random numbers he is searching.

If $p_c \to 1$, then from Equation (3.4.3.3-3) $H \to 0$. This follows from the fact that a bit that changes every time provides no uncertainty to an intruder. The intruder will always change the bit for every vehicle trigger.

The amount of information H reaches its maximum value $H_{max} = 1$ bit when $p_c = p_n = 0.5$.

Figure 12 shows H versus $p_c$ as $p_c$ changes from 0 to 1.

[Figure 12: plot of H (vertical axis, 0 to 1) against $p_c$ (horizontal axis, 0 to 1)]

Figure 12: Entropy vs. probability of bit change
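As an added example serving both Section 3.4.3.1 (flat distribution) and Section 3.4.3.3 (strict avalanche), not code from the dissertation, the following Python computes the entropy of the Table 2 distribution, the effective search space $2^H$, the order in which an intruder would guess, and the single-bit entropy of Equation (3.4.3.3-3); the function names are my own.

```python
from fractions import Fraction
from math import log2

# Table 2 of the text: a 3-bit generator with a skewed distribution,
# random number i -> probability p_i (values copied from the table).
TABLE_2 = {
    1: Fraction(1, 32), 2: Fraction(1, 16), 3: Fraction(1, 8), 4: Fraction(1, 4),
    5: Fraction(1, 2), 6: Fraction(1, 64), 7: Fraction(1, 128), 8: Fraction(1, 128),
}


def entropy_bits(probs) -> float:
    """Shannon entropy H = -sum_i p_i log2(p_i), in bits.
    Zero-probability terms are dropped, since x*log(x) -> 0 as x -> 0."""
    probs = [float(p) for p in probs]
    if abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return -sum(p * log2(p) for p in probs if p > 0)


def effective_search_space(probs) -> float:
    """2^H: the number of equally likely values carrying the same information.
    For Table 2 this drops from 8 to about 3.96."""
    return 2 ** entropy_bits(probs)


def guess_order(dist: dict) -> list:
    """Order in which an intruder would try the values: most probable first,
    ties broken by index. For Table 2 the first guess is 5 (p = 0.5)."""
    return [i for i, _ in sorted(dist.items(), key=lambda kv: (-kv[1], kv[0]))]


def expected_guesses(dist: dict) -> float:
    """Average number of guesses when trying values in guess_order.
    Compare with (8+1)/2 = 4.5 guesses for a flat 3-bit distribution."""
    order = guess_order(dist)
    return float(sum(rank * dist[i] for rank, i in enumerate(order, start=1)))


def bit_entropy(p_c: float) -> float:
    """Equation (3.4.3.3-3): information in one output bit that flips with
    probability p_c. It is 1 bit at p_c = 0.5 and 0 at p_c = 0 or 1."""
    return entropy_bits([p_c, 1.0 - p_c])


def flat_entropy(bits: int) -> float:
    """Entropy of a uniform generator over 2**bits values: exactly `bits`."""
    return entropy_bits([1.0 / 2 ** bits] * 2 ** bits)
```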

3.5 RANDOM CHALLENGE MODEL

One of the main components of a random challenge is a random number. A random number can be classified as dependent, partially dependent or independent of the previously produced random numbers. At one extreme, a random number can be cyclic. This means that a random number that is produced this time will not be produced again till all numbers within the random number space are produced. We refer to such a random number as a cyclic random number. At the other extreme, a random number is totally independent of all previously produced ones, i.e. the probability of getting the same random number the next time is the same as getting any other random number from the random number space. We refer to such a random number as a non-cyclic random number. In this section, we present a generic model, shown in Figure 13, for producing random numbers.

[Figure 13: block labelled Encryption Algorithm with inputs I1 (m bits) and I2 (j bits), outputs O1 (n bits) and O2 (k bits), and an Encryption Key input]

Figure 13: Model for random number generator

The model has been designed based on an encryption algorithm. The subject of the encryption algorithm itself is not covered in this chapter. We assume that the encryption algorithm is a public domain algorithm that was reviewed and has withstood cryptanalysis attacks. One example is the use of the DES algorithm. We further assume that the algorithm has the following properties:

i) The secrecy of the encryption is maintained in the encryption key, not in the encryption algorithm used. This means that if the algorithm details are known, the system will maintain a strong degree of security as long as the encryption key remains secret. Encryption keys are normally assigned randomly at manufacturing time. Maintaining the security of the random sequence in the encryption key is similar in concept to the use of a mechanical key to lock or unlock a home entry door. The company that manufactures the lock system may only produce one generic design, but each lock is coded differently from the others. Similarly, the use of an encryption key allows one generic design of the encryption algorithm. The use of different encryption keys generates different mathematical transformations between the input and the output. Having a different mathematical transformation based on different encryption keys means a different sequence of random numbers for different units. This of course satisfies one of the requirements stated in Section 3.4.2.

ii) The algorithm is one-to-one and reversible. This means that if the plaintexts P1 and P2 are respectively converted to the ciphertexts (encrypted texts) C1 and C2 using an encryption key K, then C1 = C2 if and only if P1 = P2, and vice versa. This also means that the number of input bits is equal to the number of output bits, but the key may be of any length. We impose this requirement to ensure that the generator produces all possible outputs, and all outputs are equally likely as the input sequences through a complete cycle.

iii) Statistical characteristics: A 1-bit change in the input will cause, on average, half the output bits to change if the same encryption key is used. Also a single bit change in the encryption key will cause, on average, half the output bits to change if the same input is used. Moreover, we assume that each bit has a 50% chance to change if a single or multiple bits change in the encryption key or the input.

The model presented in Figure 13 shows an encryption algorithm which takes an input that is divided into two blocks, I1 (m bits) and I2 (j bits). The output of the algorithm is also divided into two blocks, O1 (n bits) and O2 (k bits). Due to the second property of the encryption algorithm we can say that m+j = n+k.

The method we present in this section, and will use for later analysis, assumes a sequence counter of m bits. These bits are stored in a non-volatile memory. The sequence counter is used as an input (I1) to the encryption algorithm for the model shown in Figure 13. The sequence counter value is updated (e.g. incremented by 1) every time a call to the algorithm is made. For this method, we consider that the sequence counter is the only input (I1) to the algorithm, i.e. j = 0. The other input (I2) is not available. It is shown in the model for generality purposes and future research. Since we are using an encryption algorithm, we expect that for each value of the m-bit sequence counter there is a corresponding output that consists of m (m = n+k) bits. We use the lower n bits (O1) to represent the random number. The other part of the output (O2) is not used, but is available for randomization purposes as explained later.

Let $R_i$ be the value of the random number (available at O1) when the sequence counter is equal to i. Then there exists an X such that $R_i = R_{i+X}$ for all $0 \le i \le 2^m$. If the only value of X that satisfies the previous condition is $X = 2^m$, then we say that the random number has a maximum cycle. A random number with a maximum cycle does not repeat the sequence until all the $2^m$ combinations are produced.

For one cycle of the sequence counter, there are $2^m = 2^{n+k}$ different combinations presented at the output. For each combination of the output O1 there are $2^k$ combinations of the output O2. Thus every random number R ($0 \le R \le 2^n - 1$) appears $2^k$ times within one cycle of the sequence counter.

At one extreme, we have defined a random number as a non-cyclic random number if the probability of producing such a number remains the same no matter how many times this number has already been produced before. Our model, shown in Figure 13, will produce such a random number if k is a very large number.

Lemma

A non-cyclic random number can be produced using our model if $k \to \infty$.

Proof:

Let U represent the total number of random numbers produced so far, and L represent the number of times a specific random number R was produced within those U times. Then the probability p to produce R again is given by

$$p = \frac{2^k - L}{2^m - U} = \frac{2^k - L}{2^{n+k} - U}$$ (3.5-1)

Divide the numerator and denominator of (3.5-1) by $2^k$:

$$p = \frac{1 - \dfrac{L}{2^k}}{2^n - \dfrac{U}{2^k}}$$ (3.5-2)

If $k \to \infty$, then $\dfrac{L}{2^k} \to 0$ and $\dfrac{U}{2^k} \to 0$, and the probability p in Equation (3.5-2) can be simplified to

$$p = \frac{1}{2^n}$$

Hence, if $k \to \infty$, then the probability of generating a random number R during the next trial is $p = 1/2^n$. This is a constant value for a fixed value of n. This means that the probability of producing R again is independent of how many times the random number R has already been produced.

For a practical system, the value of k can't be very large. A large value of k has several drawbacks. First, it requires a large storage space in non-volatile memory. Second, it increases the system response time since the encryption algorithm has to run over a larger data input size.

At the other extreme, if k = 0 then our model produces cyclic random numbers. A random number that is produced this time will not be produced again till all random numbers in the cycle are produced.

For values of k between 0 and $\infty$, different degrees of randomness can be produced within one cycle of the sequence input. For this reason, we refer to k as the randomization factor of the random number generator shown in Figure 13.
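As an added example (not the dissertation's code), the following Python implements the Figure 13 model with j = 0: an m-bit counter is encrypted, the lower n bits are the challenge, and the upper k bits are the randomization factor. The text assumes a reviewed public block cipher such as DES; since none is in the Python standard library, the stand-in cipher here is a 4-round Feistel network with HMAC-SHA256 as round function (my own assumption; a Feistel network is a bijection, which is property ii), and `prob_repeat` evaluates Equation (3.5-1).

```python
import hashlib
import hmac
from collections import Counter
from fractions import Fraction


class ChallengeGenerator:
    """Figure 13 model, j = 0: the m-bit sequence counter is the only input;
    the m-bit ciphertext is split into O1 (lower n bits, the challenge) and
    O2 (upper k bits, the randomization factor), so m = n + k.

    Stand-in cipher (assumption, not from the text): a 4-round balanced
    Feistel network keyed through HMAC-SHA256. Any Feistel network is a
    bijection on m-bit blocks, which is all the model needs here."""

    ROUNDS = 4

    def __init__(self, key: bytes, n: int, k: int) -> None:
        if (n + k) % 2:
            raise ValueError("m = n + k must be even for a balanced Feistel network")
        self.n, self.k, self.m = n, k, n + k
        self.half = self.m // 2
        self.key = key
        self.counter = 0  # stands in for the counter kept in non-volatile memory

    def _round(self, r: int, value: int) -> int:
        """Keyed round function: HMAC of (round index, right half), truncated."""
        data = bytes([r]) + value.to_bytes((self.half + 7) // 8, "big")
        digest = hmac.new(self.key, data, hashlib.sha256).digest()
        return int.from_bytes(digest, "big") & ((1 << self.half) - 1)

    def encrypt(self, block: int) -> int:
        """Bijective m-bit -> m-bit map (property ii of the text)."""
        mask = (1 << self.half) - 1
        left, right = block >> self.half, block & mask
        for r in range(self.ROUNDS):
            left, right = right, left ^ self._round(r, right)
        return (left << self.half) | right

    def next_challenge(self) -> int:
        """Encrypt the counter, advance it (wrapping after 2^m calls), return O1."""
        out = self.encrypt(self.counter)
        self.counter = (self.counter + 1) % (1 << self.m)
        return out & ((1 << self.n) - 1)


def occurrences_per_cycle(gen: ChallengeGenerator) -> Counter:
    """Run one full counter cycle (2^m calls) and count each n-bit challenge.
    The text predicts that every value appears exactly 2^k times."""
    return Counter(gen.next_challenge() for _ in range(1 << gen.m))


def is_cyclic(gen: ChallengeGenerator) -> bool:
    """k = 0: every n-bit value appears exactly once per cycle (cyclic challenge)."""
    counts = occurrences_per_cycle(gen)
    return len(counts) == (1 << gen.n) and set(counts.values()) == {1}


def repeats_per_value(gen: ChallengeGenerator) -> set:
    """Distinct occurrence counts over one cycle; {2**k} if the model holds."""
    return set(occurrences_per_cycle(gen).values())


def prob_repeat(n: int, k: int, U: int, L: int) -> Fraction:
    """Equation (3.5-1): probability that R is the next challenge, given U
    challenges so far of which L were R. Exactly 0 when k = 0 and L = 1
    (cyclic); tends to 1/2^n as k grows (the Lemma)."""
    return Fraction(2 ** k - L, 2 ** (n + k) - U)
```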

3.6 MEASURING SECURITY

In Section 2.7.2, we mentioned that the success of a statistical approach attack mainly depends on the system design parameters. The most critical parameter is the number of bits used to create different combinations. Increasing the number of combinations implies more bits to be transmitted. More bits have several drawbacks on the system performance. First, it increases the system response time. This might not be desirable for passive entry applications. Second, for each bit transmitted, there is a probability of error due to noise or interference from the environment. Transmitting more bits implies a higher overall message probability of error. Hence, the message will more likely be rejected. Third, increasing the number of bits requires more energy from the CID, which runs from a small battery power supply. Hence, an increase in the number of bits reduces the usable battery life. So how can we balance between security and system performance? This leads us to define a method to measure the system security.

One simple way to measure the system security against a statistical attack is to use the average time needed by an intruder to break into the vehicle. We use the term "average time" because an intruder might be lucky in his first trial or he might end up with a huge number of trials. We use the term 'Average Theft Time' or ATT to denote the average time needed by an intruder for a successful attack. The ATT is defined as the number of trials an intruder needs (on average) to be successful in his attack divided by the repetition rate of the trials. In mathematical notation, if M is a random variable that defines the number of trials an intruder needs to conduct in order to be successful, then ATT is given by

$$ATT = \frac{E(M)}{R}$$

where:

E(M) : the expected value of the random variable M, and
R : the repetition rate, defined as the number of trials conducted by the intruder per unit time.

While the ATT is a simple measure to calculate and understand, it does not provide enough information regarding the system security. Consider a hypothetical system that requires the user to enter a password to gain access. Furthermore, studies have shown that 60% of the people who use the hypothetical system enter a single-digit (0 to 9) password while the other 40% enter a 4-digit (0000 to 9999) password. The average number of trials, or ATT, to gain access for such a system is 2003 trials (0.6*5 + 0.4*5000), where 5 and 5000 are the average number of trials for a single-digit and a 4-digit code respectively. Using the ATT as a measure of security might be misleading for such a system. One could concentrate on only the 10 single-digit passwords with a 60% probability of success. If the first 10 trials fail, then proceed to the next system, and so on. To better understand the problem of using the ATT as a measure of system security, imagine that there are several systems available for attack. 1000 trials over 100 units, with 10 or fewer trials per unit, would have a success rate of at least 60%. This means access to at least 60 systems. A better method to measure the system security is needed. One way is to assign a probability of successful attack on the system, given a certain amount of attack time used. For example, we define the system to be secure against statistical attacks if the following condition is satisfied:

If an intruder spends at most X amount of time trying to break into the vehicle, then the probability of a successful attack shall be less than Y%.

We refer to the (X,Y) pair as the security parameters of the system. In

mathematical notation, if M is a random variable that defines the number of

trials conducted till a successful attack is achieved, then the Cumulative

Distribution Function (CDF) of the random variable M given by F(X)

represents the probability of successful attack in X or fewer trials

}{)( XMPXF ≤=

We said that the system is secure if


$$F(X) \le Y\%$$

As many people are more familiar with the ATT than with any other measure, E(M) will be reported in addition to the (X,Y) parameters.

3.7 SCANNING ATTACK

As we indicated earlier, from a statistical point of view the probability of a successful scanning attack depends on three main parameters. First, the length of the random challenge, quantified by the number of bits used (n). Second, the random number generation method, quantified by the randomization factor (k) in the model presented in Section 3.5. Third, the number of trials conducted by an intruder, denoted by m.

This section is divided into three subsections. In the first and second

subsections, we present the effect of an independent random challenge and

the effect of a cyclic random challenge, respectively, on the success of a

scanning attack. In the third subsection we generalize the success of a

scanning attack results for any randomization factor.

3.7.1 INDEPENDENT RANDOM CHALLENGE

In this case, the probability of each challenge generated is

independent of the previous ones. Let p represent the probability that a given trial produces the expected challenge. Let M denote the number of trials performed by an intruder until he becomes successful. Then M is a random variable taking on

one of the values 1, 2, 3, … with respective probabilities

$P\{M=1\} = f(1) = p$,

$P\{M=2\} = f(2) = (1-p)\,p$,

$P\{M=3\} = f(3) = (1-p)^2\,p$,

$\vdots$

$P\{M=m\} = f(m) = (1-p)^{m-1}\,p$, for $1 \le m < \infty$,

where f(m) is the probability mass function of the random variable M.

Note that

$$\sum_{m=1}^{\infty} f(m) = \sum_{m=1}^{\infty} (1-p)^{m-1}\,p = p \sum_{m=1}^{\infty} (1-p)^{m-1} = p \cdot \frac{1}{p} = 1$$


To find the average number of trials required by an intruder for a

successful attack we need to find the expected value of the random variable

M. i.e. E[M]

$$E(M) = \sum_{m=1}^{\infty} m\,f(m) = \sum_{m=1}^{\infty} m\,(1-p)^{m-1}\,p = p \sum_{m=1}^{\infty} m\,(1-p)^{m-1} = p \cdot \frac{1}{p^2} = \frac{1}{p}$$

In words, the average number of trials performed by an intruder to attain the first success is equal to the reciprocal of the probability p. If the challenge (and its response) consists of n bits, and all $2^n$ combinations are equally likely, then p is given by

$$p = \frac{1}{2^n}$$

In this case

$$E(M) = 2^n \qquad (3.7.1\text{-}1)$$


3.7.2 CYCLIC RANDOM CHALLENGE

In this case, the probability of the generated challenge depends on the previous challenges. For simplicity of analysis and calculation, we assume that the challenge and the challenge response consist of n bits, and that all $2^n$ combinations are possible. Let $p_0, p_1, p_2, \ldots$ represent the probability that the expected challenge is generated on the 1st, 2nd, 3rd, …, $2^n$-th trial respectively, given that it has not been generated on the preceding trials.

Then

$$p_0 = \frac{1}{2^n},\qquad p_1 = \frac{1}{2^n - 1},\qquad p_2 = \frac{1}{2^n - 2},\qquad \ldots,\qquad p_i = \frac{1}{2^n - i}\ \text{ for } 0 \le i \le 2^n - 1$$

Let M denote the number of trials performed by the intruder till the first

success is achieved, then M is a random variable taking on one of the values

1, 2, 3, …, $2^n$ with respective probabilities

$P\{M=1\} = f(1) = p_0 = \dfrac{1}{2^n}$

$P\{M=2\} = f(2) = (1-p_0)\,p_1 = \dfrac{1}{2^n}$

$P\{M=3\} = f(3) = (1-p_0)(1-p_1)\,p_2 = \dfrac{1}{2^n}$

$\vdots$

$P\{M=m\} = f(m) = \displaystyle\prod_{i=0}^{m-2}(1-p_i)\; p_{m-1} = \frac{1}{2^n}$

To find the average number of trials E(M) for a successful attack

$$E(M) = \sum_{m=1}^{2^n} m\,f(m) = \sum_{m=1}^{2^n} m \cdot \frac{1}{2^n} = \frac{1}{2^n} \cdot \frac{2^n (2^n + 1)}{2} = \frac{2^n + 1}{2}$$

If $2^n \gg 1$, then the result can be simplified to

$$E(M) \cong 2^{n-1} \qquad (3.7.2\text{-}1)$$


From Equations (3.7.1-1) and (3.7.2-1), we can conclude that the ATT for a system based on a cyclic random challenge is 50% less than that of a system based on an independent random challenge. To complete the analysis and compare the two challenges, Figure 14 shows F(X) for both cases, where F(X) is given by

$$F(X) = \sum_{i=1}^{X} f(i)$$

[Figure 14 (plot): F(X) from 0 to 1 against X, marked at 0.25*C, 0.5*C, 0.75*C and C, with one curve for the cyclic and one for the independent random challenge]

Figure 14: F(X) for cyclic and independent random challenges

In the figure, C represents the total number of combinations in the random challenge space (in our case C = $2^n$). While it is clear from this section that an independent random challenge is safer to use, in a later section we will show that it introduces more risk for a different type of attack.

3.7.3 EFFECT OF RANDOMIZATION FACTOR

Let $p_0, p_1, p_2, \ldots$ be the probability that the expected challenge is produced on the 1st, 2nd, 3rd, … trial respectively, given that it has not been produced on the preceding trials. Then

$$p_0 = \frac{2^k}{2^{k+n}},\qquad p_1 = \frac{2^k}{2^{k+n} - 1},\qquad p_2 = \frac{2^k}{2^{k+n} - 2}$$

In general

$$p_j = \frac{2^k}{2^{k+n} - j} \qquad (3.7.3\text{-}1)$$

If an intruder fails in all m trials, then the probability of a non-successful attack after trying m times is given by

$$p(k,n,m) = \prod_{j=0}^{m-1} (1 - p_j) \qquad (3.7.3\text{-}2)$$

From (3.7.3-1), substitute $p_j$ in (3.7.3-2):

$$p(k,n,m) = \prod_{j=0}^{m-1} \left(1 - \frac{2^k}{2^{k+n} - j}\right) \qquad (3.7.3\text{-}3)$$

Where k is the randomization factor and n is the number of bits in the

random challenge.

Let F(k,n,m) be the probability of a successful attack within the first m trials. Then F(k,n,m) is given by

$$F(k,n,m) = 1 - p(k,n,m)$$

From (3.7.3-3)

$$F(k,n,m) = 1 - \prod_{j=0}^{m-1} \left(1 - \frac{2^k}{2^{k+n} - j}\right)$$

Note that F(k,n,m) is the Cumulative Distribution Function (CDF) of the random variable M. It should be noted that F(k,n,m) is valid only for $1 \le m \le 2^{k+n} - 2^k$; if $m > 2^{k+n} - 2^k$, then F(k,n,m) assumes the value 1.

As $k \to \infty$, the random number is non-cyclic, i.e. an independent random number. In this case F(k,n,m) can be simplified to

$$F(k \to \infty, n, m) = 1 - \left(1 - \frac{1}{2^n}\right)^m$$

If k = 0, the challenge is cyclic. In this case F(0,n,m) can be simplified to

$$F(0,n,m) = \frac{m}{2^n}$$

A plot of F(k,n,m) for k=0,1,2 and ∞, and n=16 is shown in Figure 15.

A plot of F(k,n,m) for k=0, and n=17 is also shown in Figure 15.

[Figure 15 (plot): F(k,n,m) from 0 to 1 against m from 0 to 65000, with curves for (k=0, n=16), (k=1, n=16), (k=2, n=16), (k=∞, n=16) and (k=0, n=17)]

Figure 15: F(k,n,m) for different system parameters

From Figure 15, it is clear that for a given value of n, say n = 16, there is not much difference in the value of F(k,n,m) between k = 2 and k = ∞. So for a given value of n, the vulnerability of the system to a scan attack with a randomization factor of k = 2 is nearly the same as that with k = ∞.

To measure the ATT as defined in Section 3.6, let us assume the following system parameters:

- The vehicle supports 4 different CIDs. Each CID responds in an assigned time slot. The intruder takes advantage of this multiple-CID support by sending a different response in each time slot assigned to an individual CID.

- The vehicle can be triggered once every 200 ms.

- The vehicle uses a 16-bit random number.

- If the vehicle receives 5 consecutive invalid responses to the challenge from all 4 CIDs, the vehicle inhibits any further challenges for the next 7 seconds.

In this case the repetition rate R can be calculated as follows:

$$R = \frac{4 \cdot 5}{0.2 \cdot 5 + 7} = 2.5\ \text{trials/sec}$$

Let E(k,n) represent the average number of trials as a function of the

randomization factor k.

As $k \to \infty$, $E(k \to \infty, n)$ is calculated in Section 3.7.1. It is given by

$$E(k \to \infty, n) = 2^n$$

$$E(k \to \infty, 16) = 2^{16} = 65536\ \text{trials}$$

$$ATT = \frac{65536}{2.5} = 26214\ \text{sec} = 7.28\ \text{hours}$$


For k = 0, E(0,n) is calculated in Section 3.7.2. It is given by

$$E(0, n) = 2^{n-1}$$

$$E(0, 16) = 2^{15} = 32768\ \text{trials}$$

$$ATT = \frac{32768}{2.5} = 13107\ \text{sec} = 3.64\ \text{hours}$$

For the same value of n, if the challenge is based on a non-cyclic random number, the ATT is twice that of a challenge based on a cyclic random number. In general, 3.64 hours ≤ ATT ≤ 7.28 hours, depending on the value of the randomization factor k. A higher value of k leads to a higher ATT, hence a more secure system. But if we increase the value of n by 1, then E(k,n+1) for k = 0 is equal to $2^n$, which is the same as E(k,n) for $k \to \infty$, i.e.

$$E(0, n+1) = E(k \to \infty, n)$$
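As an added worked example (this code is not part of the dissertation), the following Python program implements the scan-attack model of this section: F(k,n,m) from Equation (3.7.3-3), its k = 0 and k → ∞ limits, E(M) for the cyclic and independent challenges, the repetition rate R and the ATT for the system parameters above, and the (X,Y) security criterion of Section 3.6. Evaluating E(M) for a finite randomization factor by summing survival probabilities, and all function and parameter names, are this example's own additions; the dissertation gives closed forms only for k = 0 and k → ∞.

```python
"""Scanning attack against an n-bit random challenge (added example for Sections 3.6 and 3.7).

Model taken from the dissertation:
  p_j        = 2^k / (2^(k+n) - j)            hit probability on trial j+1 given j failures (3.7.3-1)
  F(k,n,m)   = 1 - prod_{j=0}^{m-1} (1 - p_j)  success within m trials (3.7.3-3)
  F(inf,n,m) = 1 - (1 - 2^-n)^m,  F(0,n,m) = m / 2^n   independent and cyclic limits
  E(M)       = 2^n (independent),  (2^n + 1) / 2 (cyclic)
"""
import math


def cdf_general(k: int, n: int, m: int) -> float:
    """F(k,n,m): probability that a scan with randomization factor k succeeds within m trials."""
    space, hits = 2 ** (k + n), 2 ** k
    log_fail = 0.0                       # ln of prod (1 - p_j), kept in log space to avoid underflow
    for j in range(m):
        if hits >= space - j:            # m > 2^(k+n) - 2^k: the next trial cannot fail, so F = 1
            return 1.0
        log_fail += math.log1p(-hits / (space - j))
    return -math.expm1(log_fail)


def cdf_independent(n: int, m: int) -> float:
    """k -> inf limit: every challenge is independent and uniform on 2^n values."""
    return -math.expm1(m * math.log1p(-(2.0 ** -n)))


def cdf_cyclic(n: int, m: int) -> float:
    """k = 0 limit: each challenge value appears exactly once per cycle of 2^n."""
    return min(m / 2 ** n, 1.0)


def expected_trials_general(k: int, n: int) -> float:
    """E(M) for finite k, evaluated numerically as sum_{m>=0} P(M > m).
    This evaluation is the example's own addition; the dissertation gives closed
    forms only for k = 0 and k -> inf, which this function reproduces."""
    space, hits = 2 ** (k + n), 2 ** k
    survival, total, j = 1.0, 0.0, 0     # survival = P(M > j)
    while survival > 0.0:
        total += survival
        survival *= 1.0 - hits / (space - j)   # multiply in (1 - p_j); becomes 0 when p_j = 1
        j += 1
    return total


def expected_trials_independent(n: int) -> int:
    """E(M) = 2^n, Equation (3.7.1-1)."""
    return 2 ** n


def expected_trials_cyclic(n: int) -> float:
    """E(M) = (2^n + 1) / 2, the exact form behind Equation (3.7.2-1)."""
    return (2 ** n + 1) / 2


def repetition_rate(cids: int, triggers: int, trigger_period_s: float, lockout_s: float) -> float:
    """Trials per second. Each trigger carries one guess per CID time slot; after `triggers`
    failed triggers the vehicle inhibits challenges for `lockout_s` seconds (Section 3.7.3)."""
    return cids * triggers / (triggers * trigger_period_s + lockout_s)


def att_hours(trials: float, rate: float) -> float:
    """Average attack time in hours for a given number of trials and repetition rate."""
    return trials / rate / 3600.0


def is_secure(cdf_at_x: float, y_percent: float) -> bool:
    """Section 3.6 criterion: secure against statistical attack if F(X) <= Y%."""
    return cdf_at_x <= y_percent / 100.0


if __name__ == "__main__":
    n = 16
    R = repetition_rate(cids=4, triggers=5, trigger_period_s=0.2, lockout_s=7.0)
    print(f"R = {R} trials/s")
    for k in (0, 1, 2):
        print(f"k={k}:   E(M)={expected_trials_general(k, n):8.1f}  F(k,n,10000)={cdf_general(k, n, 10000):.4f}")
    print(f"k=inf: E(M)={expected_trials_independent(n):8d}  F(k,n,10000)={cdf_independent(n, 10000):.4f}")
    print(f"ATT cyclic = {att_hours(expected_trials_cyclic(n), R):.2f} h, "
          f"independent = {att_hours(expected_trials_independent(n), R):.2f} h")
    X = int(3600 * R)                    # one hour of scanning at rate R against the cyclic system
    print(f"F({X}) = {cdf_cyclic(n, X):.3f}; secure with (X, Y) = ({X}, 10%)? {is_secure(cdf_cyclic(n, X), 10)}")
```

Run as a script, the block prints R = 2.5 trials/s and the 7.28 h and 3.64 h ATT values of the text, and shows that one hour of scanning at that rate already fails a (3600 trials, 10%) security target for the cyclic 16-bit system. The product in F(k,n,m) is accumulated in log space so that m up to the full challenge space does not underflow.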

From this analysis, we can improve the system security against a scanning attack by several methods:

- Decrease the repetition rate R, i.e. decrease the number of times the vehicle sends interrogation messages per unit time.

- Increase the number of challenge bits.

- Increase the randomization factor.


Though the above features improve the system security against a scanning attack, each has a disadvantage associated with it. Decreasing the repetition rate reduces system reliability, since a legitimate user may also have to wait out the dead time. Increasing the number of random challenge bits increases the system response time and hence affects fast and smooth operation. Increasing the randomization factor requires more storage space to hold the extra bits.

3.8 DICTIONARY ATTACK

The dictionary attack is another statistical approach to gaining unauthorized access to the vehicle. This attack was defined previously in Section 2.7.2.2. In this section, we focus on the analysis needed to evaluate the security threat from such an attack. For simplicity of the analysis and calculation we assume that the challenge is an independent random challenge, and that the challenge and its response use the same number of bits (n bits).

Let C = $2^n$ represent the size of the challenge space. Let E be the event that the challenge sent is in the dictionary, and S the event that a handle trigger results in a successful attack. Then we can find the probability of a successful attack P(S) as follows

$$P(S) = P(S \mid E)\,P(E) + P(S \mid \bar{E})\,P(\bar{E})$$

where:


$P(S \mid E)$ is the probability of a successful attack given that the vehicle generates a challenge that is in the dictionary. In this case the probability of success is 100%, because the dictionary responds with a valid challenge response previously captured from the authorized CID. Thus

$$P(S \mid E) = 1$$

$P(S \mid \bar{E})$ is the probability of a successful attack given that the vehicle generates a challenge that is not in the dictionary. The number of possible challenge values not in the dictionary equals the challenge space minus the dictionary size. The dictionary then answers with a fixed response that was not captured from the authorized CID, and the probability that it matches is the reciprocal of the challenge space minus the dictionary size:

$$P(S \mid \bar{E}) = \frac{1}{C - D}$$

P(E) is the probability that the vehicle generates a challenge that is in the dictionary. In this case

$$P(E) = \frac{D}{C}$$


$P(\bar{E})$ is the probability that the vehicle generates a challenge that is not in the dictionary. In this case

$$P(\bar{E}) = 1 - P(E) = 1 - \frac{D}{C}$$

Now we can find the probability of success P(S)

$$P(S) = 1 \cdot \frac{D}{C} + \frac{1}{C - D} \cdot \left(1 - \frac{D}{C}\right)$$

$$P(S) = \frac{D}{C} + \frac{1}{C}$$

If D = 0 then P(S) represents the scanning attack. Let p = P(S) represent the probability of a successful attack.

$$p = \frac{D}{C} + \frac{1}{C} \qquad (3.8\text{-}1)$$

Furthermore, let M be the number of trials performed by an intruder until he becomes successful. Then M is a random variable taking on one of the values 1, 2, 3, … with respective probabilities

$P\{M=1\} = f(1) = p$,

$P\{M=2\} = f(2) = (1-p)\,p$,

$P\{M=3\} = f(3) = (1-p)^2\,p$,

$\vdots$

$P\{M=m\} = f(m) = (1-p)^{m-1}\,p$

To find the average number of trials required by an intruder for a

successful attack, we need to find the expected value of the random variable

M. i.e. E[M]

$$E(M) = \sum_{m=1}^{\infty} m\,f(m) = \sum_{m=1}^{\infty} m\,(1-p)^{m-1}\,p$$

With some mathematical simplification

$$E(M) = \frac{1}{p}$$

But p is given by (3.8-1).

$$E(M) = \frac{1}{\dfrac{D}{C} + \dfrac{1}{C}} = \frac{C}{D + 1} = \frac{2^n}{D + 1} \qquad (3.8\text{-}2)$$

From Equation (3.8-2), it is clear that the average number of trials next to the vehicle, compared to the scanning attack, is reduced by a factor of D + 1, i.e. in proportion to the size of the dictionary. This result assumes that a dictionary of size D is already built. It does not take into consideration the amount of time spent by an intruder in order to build the dictionary. If we assume that building each entry in the dictionary takes the same amount of time as triggering the door handle, then we can find the total number of trials T conducted by an intruder by adding the size of the dictionary D to the average number of trials next to the vehicle E(M):

$$T = E(M) + D = \frac{2^n}{D + 1} + D \qquad (3.8\text{-}3)$$

From Equation (3.8-3), it is apparent that there is a tradeoff from the intruder's point of view between the time spent building the dictionary and the time spent next to the door handle. As the dictionary size D increases, the average number of trials conducted next to the door handle E(M) decreases, but increasing D requires the intruder to spend more time building the dictionary. To better understand the effect of the dictionary attack and this tradeoff, let us find the cumulative distribution function F(X). During the first D trials the intruder is only building the dictionary, so

$$F(X) = 0, \quad \text{for } X \le D$$

For X > D, let Y = X − D denote the number of trials next to the door handle. The probability of success for each trial, based on an independent random number, was calculated above and is given by P(S). If the intruder tries Y times and all Y trials fail, then the probability that all Y trials failed is given by

$$P(\text{Fail} \mid Y \text{ trials}) = \left(1 - P(S)\right)^Y$$

Then the probability of success in Y or fewer trials is given as a function of X and D by F(X)

$$F(X) = 1 - P(\text{Fail} \mid Y \text{ trials})$$

$$F(X) = 1 - \left(1 - \frac{D + 1}{2^n}\right)^{X - D}, \quad \text{for } X > D \qquad (3.8\text{-}4)$$

The following figure shows F(X) for different dictionary sizes against the total number of trials available to the intruder. The dictionary size is represented as a percentage of the number of trials.

[Figure 16 (plot): F(X) from 0 to 1 against X, marked at 0.00625*C, 0.0125*C, 0.0187*C and 0.025*C, with curves for D = 0, D = 0.10*X, D = 0.50*X, D = 0.70*X and D = 0.95*X]

Figure 16: F(X) for dictionary attack with different dictionary size


F(X) demonstrates that the threat imposed by a dictionary attack against the passive entry system is higher for any dictionary size greater than zero (D = 0 being the scanning attack).

From Figure 16, for a dictionary size that is 50% of the total number of trials, it takes less than 1% of the challenge space C to obtain more than an 80% probability of a successful attack. Comparing the scan attack (D = 0) to the dictionary attack with a 50% split, the dictionary attack imposes a much higher risk against the passive access system.

3.8.1 THE DEVIL’S ADVOCATE

In the previous section we found that the probability of a successful

attack through the use of the dictionary depends on two main factors. The

size of the challenge space C, and the size of the dictionary D. The size of

the challenge space C is fixed. It is defined at the system development

phase. An intruder has no control over this parameter. The dictionary size D

is a variable parameter that is defined by an intruder. An intruder has the

freedom to build a dictionary of any size. The question is: if an intruder is willing to spend a total of m trials attacking the system, how should he split them between building up the dictionary and triggering the vehicle? The intruder wants to maximize his probability of success given that he can afford a total amount of effort equal to m.


In this section, our objective is to optimize the attack time in favor of the intruder. This is important in order to evaluate the security threat against the system when an intruder performs the same optimization.

Let m, D, and C be the total amount of time an intruder is willing to

spend, the size of the dictionary, and the size of the challenge space,

respectively.

From Equation (3.8-4), let g(D) be F(X) as a function of D when X = m. Then g(D) is given by

$$g(D) = 1 - \left(1 - \frac{D + 1}{C}\right)^{m - D}$$

Assumptions:

- The time and difficulty to build one entry in the dictionary are equivalent to the time and difficulty to trigger the vehicle. In other words, the intruder has no preference between spending a trial on building up the dictionary and spending it on triggering the vehicle.

- To simplify the problem we assume that the dictionary will not respond if the challenge generated by the vehicle is not in the dictionary. This simplifies g(D) to

$$g(D) = 1 - \left(1 - \frac{D}{C}\right)^{m - D}$$

- The dictionary size is much greater than 1 but much less than the challenge space C (D ≪ C). This is a valid assumption to make; otherwise the dictionary attack becomes more like a scan attack.

The problem is: what is the D for which g(D) is maximum?

g(D) is maximum when the term $\left(1 - \frac{D}{C}\right)^{m - D}$ is minimum. Let

$$y = \left(1 - \frac{D}{C}\right)^{m - D} = \left(\frac{C - D}{C}\right)^{m - D} \qquad (3.8.1\text{-}1)$$

We want to find D such that $\frac{dy}{dD} = 0$ in Equation (3.8.1-1). Taking the natural logarithm of both sides of Equation (3.8.1-1),

$$\ln(y) = \ln\left[\left(\frac{C - D}{C}\right)^{m - D}\right] = (m - D)\,\ln\left(\frac{C - D}{C}\right) \qquad (3.8.1\text{-}2)$$

Differentiating both sides of Equation (3.8.1-2)


$$\frac{1}{y}\frac{dy}{dD} = -\ln\left(\frac{C - D}{C}\right) + (m - D) \cdot \left(-\frac{1}{C - D}\right) \qquad (3.8.1\text{-}3)$$

Multiplying both sides of Equation (3.8.1-3) by y,

$$\frac{dy}{dD} = \left[-\ln\left(\frac{C - D}{C}\right) - \frac{m - D}{C - D}\right] \cdot y = \left[-\ln\left(\frac{C - D}{C}\right) - \frac{m - D}{C - D}\right] \cdot \left(\frac{C - D}{C}\right)^{m - D} \qquad (3.8.1\text{-}4)$$

Setting $\frac{dy}{dD} = 0$ in (3.8.1-4) leads to

$$\ln\left(\frac{C - D}{C}\right) = -\frac{m - D}{C - D} \qquad (3.8.1\text{-}5)$$

By expanding the left side of Equation (3.8.1-5) around D = 0 into its Taylor series,

$$\ln\left(\frac{C - D}{C}\right) = -\frac{D}{C} - \frac{1}{2}\left(\frac{D}{C}\right)^2 - \frac{1}{3}\left(\frac{D}{C}\right)^3 - \frac{1}{4}\left(\frac{D}{C}\right)^4 - \ldots \qquad (3.8.1\text{-}6)$$

If $m \ll C/2$ then $D \ll C$, and the 2nd, 3rd, … terms in Equation (3.8.1-6) can be ignored. This simplifies Equation (3.8.1-6) to

$$\ln\left(\frac{C - D}{C}\right) \cong -\frac{D}{C} \qquad (3.8.1\text{-}7)$$

Substituting Equation (3.8.1-7) back in Equation (3.8.1-5) we get

$$-\frac{D}{C} = -\frac{m - D}{C - D}$$

Solving for D,

$$D = C \pm \sqrt{C^2 - C m}$$

The root $D = C + \sqrt{C^2 - C m}$ violates the assumption $D \ll C$ and will not be considered.

The other root $D = C - \sqrt{C^2 - C m}$ can be expanded into its Taylor series as

$$D = C - C\left(1 - \frac{m}{2C} - \frac{1}{8}\left(\frac{m}{C}\right)^2 - \frac{1}{16}\left(\frac{m}{C}\right)^3 - \ldots\right) \qquad (3.8.1\text{-}8)$$

Similarly the 2nd, 3rd, … terms can be ignored. This simplifies Equation (3.8.1-8) to

$$D \cong C - C\left(1 - \frac{m}{2C}\right)$$

$$D \cong \frac{m}{2}$$

The result suggests that an intruder makes the best use of his time in breaking the system by splitting the number of trials equally between CID interrogation (building the dictionary) and triggering the door handle.
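As an added worked example (this code is not part of the dissertation), the following Python program implements Equations (3.8-1) to (3.8-4) of Section 3.8 and the intruder's optimization of Section 3.8.1: it tabulates E(M) and T against D, evaluates F(X) for the dictionary splits of Figure 16, and finds the D that maximizes g(D) by brute force so that the D ≅ m/2 result can be checked numerically. Function and parameter names are this example's own.

```python
"""Dictionary attack against an independent n-bit challenge (added example for Sections 3.8 and 3.8.1).

Formulas taken from the dissertation, with C = 2^n the challenge space and D the dictionary size:
  p    = (D + 1) / C                                 per-trigger success probability (3.8-1)
  E(M) = C / (D + 1)                                 average triggers at the door handle (3.8-2)
  T    = D + E(M)                                    total trials including dictionary building (3.8-3)
  F(X) = 0 for X <= D,  1 - (1 - p)^(X - D) for X > D                           (3.8-4)
  g(D) = 1 - (1 - D/C)^(m - D)                       Section 3.8.1 simplification, maximised over D
"""
import math


def success_prob(C: int, D: int) -> float:
    """(3.8-1): the challenge is in the dictionary (D/C) or the fixed guess happens to hit (1/C)."""
    if not 0 <= D < C:
        raise ValueError("dictionary size must satisfy 0 <= D < C")
    return (D + 1) / C


def expected_handle_trials(C: int, D: int) -> float:
    """(3.8-2): mean of the geometric distribution, 1/p."""
    return 1.0 / success_prob(C, D)


def total_trials(C: int, D: int) -> float:
    """(3.8-3): one trial per dictionary entry plus the handle trials."""
    return D + expected_handle_trials(C, D)


def cdf(C: int, D: int, X: int) -> float:
    """(3.8-4): probability of success within X total trials, the first D spent building the dictionary."""
    if X <= D:
        return 0.0
    # 1 - (1 - p)^(X - D), computed via log1p/expm1 so that a small p stays accurate
    return -math.expm1((X - D) * math.log1p(-success_prob(C, D)))


def g_simplified(C: int, m: int, D: int) -> float:
    """g(D) of Section 3.8.1: the dictionary stays silent on unknown challenges,
    so each of the m - D handle pulls succeeds with probability D/C."""
    if D <= 0 or D >= m:
        return 0.0
    return -math.expm1((m - D) * math.log1p(-D / C))


def optimal_dictionary_size(C: int, m: int) -> int:
    """Brute-force argmax of g(D) over 1 <= D < m; the text's approximation is D ~= m/2 for m << C/2."""
    return max(range(1, m), key=lambda D: g_simplified(C, m, D))


def stationarity(C: int, m: int, D: int) -> float:
    """Left side minus right side of (3.8.1-5); it changes sign at the optimum."""
    return math.log((C - D) / C) + (m - D) / (C - D)


if __name__ == "__main__":
    C = 2 ** 16
    for D in (0, 15, 255, 1023):
        print(f"D={D:5d}: p={success_prob(C, D):.6f}  E(M)={expected_handle_trials(C, D):8.1f}"
              f"  T={total_trials(C, D):8.1f}")
    X = int(0.01 * C)                    # 1% of the challenge space, as in the Figure 16 discussion
    for split in (0.0, 0.1, 0.5, 0.7, 0.95):
        D = int(split * X)
        print(f"D={split:.2f}*X: F({X}) = {cdf(C, D, X):.3f}")
    m = 2000
    best = optimal_dictionary_size(C, m)
    print(f"m={m}: optimal D = {best} (m/2 = {m // 2}), stationarity at optimum = {stationarity(C, m, best):+.2e}")
```

For n = 16 the script reproduces the Figure 16 observation (a 50% split reaches F > 0.8 within 1% of C) and, for m = 2000, places the brute-force optimum a few entries above m/2, the offset coming from the higher-order terms dropped in (3.8.1-7) and (3.8.1-8).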


CHAPTER 4

SOLUTIONS OF DICTIONARY AND RELAY ATTACKS

In the previous chapters, six different attacks against a passive access system were identified. The attacks were categorized into three categories according to the attacker's approach in performing the attack. The first category represents the deterministic approach attacks; in this category we identified the playback attack and the relay attack. The second category represents the statistical approach attacks; here we identified the scanning attack and the dictionary attack. The third category represents the analytical approach attacks; here we identified the cryptanalysis attack and the challenge prediction attack.

Deterministic approach attacks are the most powerful attacks. A thief can perform such attacks with minimal effort, and they present the highest risk against the passive vehicle access system. Solving the system security weaknesses that allow deterministic approach attacks is therefore an important component of the system design. In the previous chapter, we showed that using a challenge response protocol we can prevent a playback attack. However, the challenge response protocol does not prevent the other attacks, and it introduces a few further variations of possible attacks.

Statistical approach attacks present a moderate risk against the

passive access system. These attacks require more time and effort from an


intruder to perform. The need to solve the system security weaknesses to

prevent the statistical approach attacks is of moderate concern. Different

techniques to reduce the risk against scanning attack were presented at the

end of Section 3.7.3. In Section 3.8 we have shown that the dictionary attack

presents a higher risk against a passive access system than the scanning

attack. In this chapter we will present several solutions and suggestions to

reduce the risk of a dictionary attack.

Analytical approach attacks present the lowest risk against the system. First, an analytical approach attack requires a lot of time and effort to capture several messages and analyze them. Second, the analytical approach requires an individual with a higher degree of intelligence; such an individual can do better things in his life than attacking the vehicle. Third, the attack differs from one vehicle to another, and designing different attacks for different vehicles discourages an intruder from proceeding since the financial gain may not be justifiable. The need to solve the system security weaknesses to prevent the analytical approach attacks is of very low concern.

In this chapter we will focus our effort to address the dictionary attack

and the relay attack. First we address the dictionary attack since the

solutions we are presenting are soft solutions. These solutions do not require

a system architecture change or new hardware components to be added to

the system. Second we address the relay attack. The relay attack requires some architecture changes to implement a different communication mechanism in order to solve the security weaknesses against this attack.

4.1 DICTIONARY ATTACK COUNTERFEIT

In the previous chapter we showed that a simple challenge response

protocol is a weak protocol to protect the system against a dictionary attack.

One of the fundamental axioms of a dictionary attack is the intruder’s

capability to independently access information from both sides involved in the

protocol. From the CID side, an intruder sends interrogation messages to

capture the CID response without the owner’s knowledge. From the vehicle,

an intruder initiates the interrogation messages by simply pulling the vehicle’s

door handle. Several solutions are presented in the next subsections to

reduce the risk of a dictionary attack threat.

4.1.1 USE OF PASSWORD

In this technique the vehicle sends an interrogation message upon

vehicle trigger. The interrogation message consists of a wake up signal and a

challenge. The challenge is made from a password and a random number.

The wake up signal is sent to wake up the CID from sleep mode. The

password is a preset fixed code that is initially programmed to the CID and

the vehicle. The password may represent a Vehicle ID (VID) or it may be part

of a wake up pattern. The authentication process is shown in Figure 17.


[Figure 17 (flowchart). Vehicle operation: Vehicle Trigger → Generate Random Number (RN) → Send RN & Password → Encrypt RN → Receive Encrypted RN → Compare, Match? → Y: Authorize Access; N: Sleep. CID operation: Request received? → password match? → Y: Encrypt RN → Send Encrypted RN; N: Sleep]

Figure 17: Password protection authentication process

Upon vehicle trigger, the vehicle sends an interrogation message. A

CID within the vehicle reception range wakes up from sleep mode. The CID

then compares the received password with the one stored in its memory. If

the received password matches the stored password, the CID generates a

challenge-response message. In generating the challenge-response

message, the CID encrypts the random number. The encrypted random


number is then sent as the challenge-response to the vehicle. While the

vehicle is waiting for the challenge-response message, the vehicle encrypts

the random number using an encryption key that is identical to the encryption

key of the CID. The result of the encrypted random number is an expected-

response. Upon receiving the challenge-response message from the CID,

the vehicle compares the challenge-response received to the expected-

response. The vehicle authorizes access when the challenge-response

matches the expected-response.

This technique not only enhances the system security by preventing an intruder from building up his dictionary, it also prevents the CID from responding to other random challenges. These may arrive from different sources, such as other vehicles that use the same passive system but are programmed to work with different CIDs. Preventing the CID from responding to other challenges will increase the CID's battery life.

The use of a password technique improves the system security. However, this technique does not prevent a smart intruder from learning the password. Since the password is a fixed code sent by the vehicle, an intruder can trigger the vehicle several times to identify the password. Once an intruder identifies the password, he can then include this password in every interrogation message his dictionary sends to the CID.


4.1.2 DECREASE REPETITION RATE

One other suggestion to reduce the effect of the dictionary attack is to decrease the system repetition rate (R). This can be done at the vehicle, at the CID, or at both. For example, the vehicle can allow only up to a certain number of interrogation messages within a given 'active period'. If the vehicle does not receive a valid response within the active period, the vehicle enters a dead time period, during which it will not respond to any further trigger until the dead time expires. A similar technique can also be used at the CID side: the CID may respond only to a limited number of interrogation messages within a given period of time.

Decreasing the repetition rate is a known technique used in several RKE systems to increase the attack time. However, it has a drawback on system performance. The vehicle owner has to be aware of the dead time period and has to wait for it to elapse in the event that several trials fail due to a poor communication link between the CID and the vehicle, for example when there is RF interference. This might not be intuitive for the average user.

4.1.3 MUTUAL AUTHENTICATION

An alternative solution against a dictionary attack is the use of mutual

authentication. Both the CID and the vehicle have to validate any received

message. The CID verifies the vehicle interrogation message before it sends

a response back. Likewise, the vehicle verifies the CID response before it


allows access to its compartment. The password protection explained in

Section 4.1.1 is one example of mutual authentication.

A more secure method is presented in this section. In this method two

encryption keys K1 and K2 are both programmed to the CID and to the

vehicle. Upon vehicle trigger, the vehicle sends an interrogation message

that contains a challenge. The challenge consists of a random number, and a

random number matching pair. The random number matching pair is

obtained by encrypting the random number using the encryption key K1 as

shown in Figure 18

[Figure 18 (block diagram): Random Number → Encryption Algorithm (key K1) → Matching Pair; the challenge sent to the CID consists of the Matching Pair and the Random Number]

Figure 18: Mutual authentication challenge

A CID within the vehicle reception range wakes up from sleep mode. The CID processes the challenge in two steps, Step 1 and Step 2, as shown in Figure 19. In Step 1, the CID splits the challenge into its two parts, the random number and the matching pair. The CID then encrypts the received random number using the same encryption key K1 used in the vehicle. The result is the expected matching pair. The CID then compares the received matching pair with the expected matching pair. If the two match, the CID proceeds to Step 2. If they do not match, the CID goes back to sleep without sending any response. In Step 2 the CID assembles its response to the vehicle by encrypting the received random number using the second encryption key K2. The result is the challenge response that is sent back to the vehicle.

Figure 19: CID processing of a received challenge in the mutual authentication protocol. Step 1: received Random Number -> Encryption Algorithm (key K1) -> compare with received Matching Pair; on mismatch (N) the CID goes to Sleep. Step 2 (on match, Y): Random Number -> Encryption Algorithm (key K2) -> Challenge Response.

While the vehicle is waiting for the challenge response, it encrypts the random number using the encryption key K2, identical to the key used in the CID. The encrypted random number is the expected challenge response. Upon receiving the challenge response from the CID, the vehicle compares the received challenge response with the expected one. The vehicle authorizes access only when the two match.

Several variations of this technique can also be implemented. One implementation is to include a VID with the challenge. The VID could be part of the wake up pattern. The CID uses the VID as an initial check before waking up the controller to validate the challenge in Step 1 as described earlier. Testing the VID as an initial step improves the CID power consumption, because the CID can use a very low power wake up circuit to check for a matching VID. The wake up circuit can be as simple as a shift register that continuously checks for a matching pattern. If the wake up circuit detects a matching VID, it wakes up the controller to execute the encryption algorithm and verify the authenticity of the received challenge.

4.1.4 ENHANCED MUTUAL AUTHENTICATION

Mutual authentication as described in the previous section provides higher security against a dictionary attack; however, it has several drawbacks.

i) The vehicle has to send, in addition to the random number in the interrogation message, the bits that represent the encrypted random number (i.e. the matching pair). Increasing the number of bits has several performance costs. First, it increases the system response time, which is undesirable for passive entry applications. Second, every transmitted bit has some probability of error due to noise or interference in the environment, so transmitting more bits raises the overall message error probability and the message is more likely to be rejected. Third, more bits require longer processing time, which means more power drawn from the small battery that supplies the CID. Hence, increasing the number of bits reduces the usable battery lifetime.

ii) The CID has to encrypt the random number twice. In doing so the CID has to stay awake for a longer period of time, which increases both the CID power consumption and the authentication time.

iii) Sending the random number and the encrypted random number in the same message is more vulnerable to cryptanalysis. The intruder can capture several interrogation messages and analyze each random number together with its matching pair in an attempt to recover the encryption key. This is a known-plaintext attack, as classified in a previous chapter.

To address the performance issues described above while maintaining or increasing the security level, we developed a new protocol. In this protocol, the challenge consists of the VID and a random number as shown in Figure 20.

Figure 20: Challenge block diagram. Fields, in order: Random Number and VID(MSB) (encrypted together, shown gray in the original figure), followed by VID(LSB) (sent in the clear).

The figure shows two color-coded fields. The gray field represents the portion of the challenge that is encrypted. The clear field represents the portion of the challenge that is not encrypted. The VID is divided into two portions, the Least Significant Bits (LSB) portion and the Most Significant Bits (MSB) portion. The VID-LSB portion is sent in the clear (no encryption) as part of the wake up pattern. The reason for this is to reduce the CID power consumption when the interrogation message comes from a different vehicle, which increases the CID battery lifetime. The VID-MSB portion is encrypted together with the random number. The VID-MSB functions as a secret identifier that the CID uses for further validation. It is important to note that the VID-MSB and the random number are encrypted together as one block to form the encrypted portion of the challenge. This ensures that the VID-MSB remains secret and looks random to an outside observer, and it also hinders attacks based on recording the challenge (Section 4.2 describes a remaining record-and-replay attack and its solution). To better understand the authentication process, Figure 21 shows a flowchart of the steps involved when a vehicle trigger is initiated while the CID is within the vehicle's range.

Figure 21: Enhanced mutual authentication flowchart. Vehicle side: Send Interrogation Msg -> Response received? -> Is R.N. received a match? (Y: Authorize Access; N: Sleep). CID side: Request received -> VID(LSB) match? (N: Sleep) -> Decrypt -> VID(MSB) match? (N: Sleep) -> Send Random Number (R.N.).

Both the CID and the vehicle have the same encryption key and the same VID. We refer to the VID stored in the CID memory as the reference code. When the CID receives the challenge, it compares the VID-LSB portion with the corresponding portion of the reference code. This process could be part of the wake up mechanism. If the VID-LSB portion fails to match, the CID ignores the challenge and remains in sleep mode. If the VID-LSB matches the corresponding portion of the reference code, the CID then decrypts the encrypted portion of the challenge. The result of this decryption is a received VID-MSB and a random number. The CID then compares the VID-MSB portion with the corresponding portion of the reference code. If the VID-MSB portion fails to match, the CID ignores the challenge and goes back to sleep mode. If the VID-MSB portion matches the corresponding portion of the reference code, the CID assembles a challenge response to be transmitted. The decrypted random number is used as the challenge response.

When the vehicle receives the challenge response, or the non-

encrypted random number, it compares it against the initially generated

random number. If they fail to match, the vehicle ignores the response and

denies access to its compartment.

Since the CID responds to valid interrogation messages only, an intruder's task of building up a dictionary becomes considerably harder. For example, if k and n represent the number of bits in the VID-MSB and in the random number, respectively, then there are 2^(n+k) possible interrogation messages that can be sent to the CID. Out of those 2^(n+k) combinations, the CID responds to only 2^n (a reduction factor of 2^k). This means that in order for the intruder to build up a dictionary of size D, he needs to scan on average D * 2^k combinations. Depending on the value of k (a design parameter), the intruder may have a better chance of success with the scanning method than with a dictionary.


The benefits of this technique are

i) Fewer bits need to be sent compared to the method described in Section 4.1.3. The advantage of this is described earlier.

ii) Only one decryption is needed in the CID. This translates to less wake up time, hence less power consumption.

iii) The CID responds to valid interrogation messages only. This is due to the VID-MSB hidden within the encrypted field, which keeps the VID-MSB invisible to an outside observer every time an interrogation message is sent.

iv) The system provides higher security against cryptanalysis. It gives very little information or freedom to an outsider analyzing the communication traffic.
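As an added example, not part of the dissertation, the following Python script simulates both sides of the Section 4.1.3 protocol (challenge = random number and its K1-encrypted matching pair, response = K2-encrypted random number) and of the Section 4.1.4 enhanced protocol (challenge = VID-LSB in the clear followed by VID-MSB and random number encrypted as one block, response = the decrypted random number), and compares the two on the points raised above: bits on the air, cryptographic operations in the CID, and the 2^k reduction of the interrogation space. The block cipher (a toy 4-round Feistel network over 32-bit blocks with an HMAC-SHA256 round function, chosen only because it is invertible and needs no third-party library), the key and VID values, the 16-bit field widths and the byte layouts are assumptions; the dissertation fixes none of them.

```python
"""Section 4.1.3 mutual authentication and Section 4.1.4 enhanced mutual
authentication, both sides simulated in one process (illustrative example).

Toy cipher: 4-round Feistel network over 32-bit blocks, HMAC-SHA256 round
function.  It is an assumption of this example and is NOT a production cipher.
"""
import hashlib
import hmac
import secrets

ROUNDS = 4


def _f(key: bytes, rnd: int, half: int) -> int:
    """Round function: 16-bit keyed PRF output for one 16-bit half block."""
    msg = bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big")


def encrypt32(key: bytes, block: int) -> int:
    """Encrypt one 32-bit block (E_K in the dissertation's notation)."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 16) | right


def decrypt32(key: bytes, block: int) -> int:
    """Inverse of encrypt32: same rounds in reverse order."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 16) | right


class MutualAuthVehicle:
    """Section 4.1.3: challenge = RN || E_K1(RN); expects E_K2(RN) back."""

    def __init__(self, k1: bytes, k2: bytes):
        self.k1, self.k2, self.rn = k1, k2, None

    def challenge(self) -> bytes:
        self.rn = secrets.randbits(32)
        matching_pair = encrypt32(self.k1, self.rn)
        return self.rn.to_bytes(4, "big") + matching_pair.to_bytes(4, "big")

    def verify(self, response) -> bool:
        expected = encrypt32(self.k2, self.rn).to_bytes(4, "big")
        return response is not None and hmac.compare_digest(response, expected)


class MutualAuthCID:
    def __init__(self, k1: bytes, k2: bytes):
        self.k1, self.k2 = k1, k2

    def respond(self, challenge: bytes):
        rn = int.from_bytes(challenge[:4], "big")
        expected_pair = encrypt32(self.k1, rn).to_bytes(4, "big")
        if not hmac.compare_digest(challenge[4:], expected_pair):
            return None                      # Step 1 failed: back to sleep, no reply
        return encrypt32(self.k2, rn).to_bytes(4, "big")   # Step 2: second encryption


class EnhancedVehicle:
    """Section 4.1.4: challenge = VID-LSB (clear) || E_K(VID-MSB || RN); expects RN back."""

    def __init__(self, key: bytes, vid: int):
        self.key, self.vid, self.rn = key, vid, None

    def challenge(self) -> bytes:
        self.rn = secrets.randbits(16)
        body = encrypt32(self.key, (self.vid & 0xFFFF0000) | self.rn)
        return (self.vid & 0xFFFF).to_bytes(2, "big") + body.to_bytes(4, "big")

    def verify(self, response) -> bool:
        return response is not None and response == self.rn.to_bytes(2, "big")


class EnhancedCID:
    def __init__(self, key: bytes, vid: int):
        self.key, self.vid = key, vid

    def respond(self, challenge: bytes):
        if challenge[:2] != (self.vid & 0xFFFF).to_bytes(2, "big"):
            return None                      # wake-up pattern (VID-LSB) mismatch: stay asleep
        plain = decrypt32(self.key, int.from_bytes(challenge[2:], "big"))
        if plain >> 16 != self.vid >> 16:
            return None                      # VID-MSB mismatch: ignore, back to sleep
        return (plain & 0xFFFF).to_bytes(2, "big")   # the decrypted RN is the response


def session(vehicle, cid) -> bool:
    """One trigger: vehicle challenge, CID response, vehicle decision."""
    return vehicle.verify(cid.respond(vehicle.challenge()))


def expected_scans(dictionary_size: int, k: int) -> int:
    """Average interrogation messages an intruder must send to the CID to
    collect D answered challenges when k VID-MSB bits are hidden (D * 2^k)."""
    return dictionary_size * 2 ** k


if __name__ == "__main__":
    k1, k2, k = b"demo-k1", b"demo-k2", b"demo-shared"     # constructed demo keys
    vid = 0x12345678                                        # constructed demo VID
    v, c = MutualAuthVehicle(k1, k2), MutualAuthCID(k1, k2)
    ev, ec = EnhancedVehicle(k, vid), EnhancedCID(k, vid)
    print("4.1.3 access granted:", session(v, c), "challenge bits:", len(v.challenge()) * 8)
    print("4.1.4 access granted:", session(ev, ec), "challenge bits:", len(ev.challenge()) * 8)
    print("scans for a 1000-entry dictionary with k=16:", expected_scans(1000, 16))
```

With these widths the 4.1.3 challenge is 64 bits and the 4.1.4 challenge 48 bits, the 4.1.3 CID performs two encryptions against one decryption for 4.1.4, and with k = 16 hidden VID bits only one in 65536 syntactically valid interrogation messages draws a reply from the enhanced CID.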

4.2 NEW DICTIONARY ATTACK AND SOLUTION

Even though the solution presented in the previous section improves the system security against a dictionary attack, it is still not a bulletproof solution against a new attack an intruder may conduct. An intruder may perform the attack in the following steps:

i) Record valid interrogation messages from the vehicle when pulling the vehicle door handle.

ii) Play back the recorded interrogation messages next to the CID.

iii) Record the CID responses. The CID responds to the interrogation messages since they were recorded from the vehicle.

iv) Go back next to the vehicle and trigger the door handle until the vehicle sends a challenge that is in the dictionary.

For the same probability of success the new attack increases the

intruder’s time by one third as compared to the system that does not use

mutual authentication. The increase in the intruder time is due to the first step

conducted. The intruder needs to capture valid interrogation messages from

the vehicle first, before he sends those messages to the CID.

Though the new dictionary attack might not be very practical, it poses a threat that can be easily addressed. To solve this issue, we need to ensure that when the vehicle generates a new challenge, that challenge will not be produced again for a very long period of time. This requires that the random number used in generating the challenge be based on a cyclic random number generator: the random number generated now will not be generated again until all combinations have been used. This way, if an intruder records interrogation messages, those interrogation messages will not be valid again unless he records all the challenges in the challenge space. In that case the intruder is better off adopting the scanning method, which has a higher probability of success for the same effort.
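The following Python simulation, added here and not part of the dissertation, runs the record-and-replay attack of this section against two challenge sources: a memoryless random number generator, under which a recorded challenge recurs with probability D/2^n per trigger, and a cyclic generator (a 16-bit maximal-length LFSR) that does not repeat a value until every other value has been used. Only the random-number field is modelled; the attacker's CID responses are assumed obtained in steps ii) and iii). The 16-bit width, dictionary size, trigger budget and LFSR taps are assumptions. One caveat the simulation makes explicit: the LFSR output is its own internal state, so with the enhanced protocol of Section 4.1.4, where the CID returns the random number in the clear, a single observed response lets an eavesdropper predict every subsequent challenge's random number; a cyclic generator for that protocol must therefore be unpredictable (for instance a counter passed through a keyed permutation) and not a bare LFSR.

```python
"""Record-and-replay dictionary attack of Section 4.2 against a memoryless
random number generator and against a cyclic one (illustrative example).
Only the random-number field of the challenge is modelled.
"""
import random

BITS = 16                       # width of the random number (assumed)
SPACE = 1 << BITS


class MemorylessRNG:
    """Ordinary generator: every trigger draws a fresh value, repeats allowed."""

    def __init__(self, seed: int):
        self._rng = random.Random(seed)

    def next(self) -> int:
        return self._rng.getrandbits(BITS)


class CyclicRNG:
    """16-bit maximal-length Fibonacci LFSR, taps 16,14,13,11
    (x^16 + x^14 + x^13 + x^11 + 1).  Period 65535: each non-zero value is
    produced exactly once per period, so a value cannot recur until all
    other values have been used (assumed implementation of the dissertation's
    'cyclic random number generator')."""

    def __init__(self, seed: int = 0xACE1):
        if not 0 < seed < SPACE:
            raise ValueError("seed must be a non-zero 16-bit value")
        self.state = seed

    def next(self) -> int:
        s = self.state
        bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
        self.state = (s >> 1) | (bit << 15)
        return self.state


def period(gen: CyclicRNG) -> int:
    """Steps until the generator returns to its starting state."""
    start, steps = gen.state, 1
    gen.next()
    while gen.state != start:
        gen.next()
        steps += 1
    return steps


def replay_attack(source, dictionary_size: int, triggers: int) -> int:
    """Steps i)-iii): record `dictionary_size` vehicle challenges (their CID
    responses are assumed captured by replaying them to the CID).
    Step iv): pull the handle `triggers` times and count challenges that are
    already in the dictionary, i.e. triggers the attacker could answer."""
    recorded = {source.next() for _ in range(dictionary_size)}
    return sum(1 for _ in range(triggers) if source.next() in recorded)


def predict_next(observed_value: int) -> int:
    """Caveat: the LFSR output is its internal state, so one value seen on the
    air (the CID returns the random number in the clear in Section 4.1.4)
    reveals the next one.  A keyed permutation does not have this weakness."""
    return CyclicRNG(observed_value).next()


if __name__ == "__main__":
    D, T = 256, 20000                                   # assumed attacker budget
    print("LFSR period:", period(CyclicRNG()))
    print("memoryless: usable triggers out of", T, "=", replay_attack(MemorylessRNG(1), D, T))
    print("cyclic:     usable triggers out of", T, "=", replay_attack(CyclicRNG(), D, T))
    print("expected for memoryless:", T * D / SPACE)
```

Against the cyclic source the attacker's recorded challenges are worthless for the next 65535 - D triggers and then all come round at once; against the memoryless source a fraction D/65536 of the triggers is answerable from the very first pull of the handle.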

In summary, different authentication protocols were presented to address the dictionary attack. Table 3 summarizes the different variations analyzed and their impact on system performance. Each entry in the table is relative to the corresponding entry in the original challenge response protocol.

Criterion                                          | Challenge Response | Password Protection | Mutual Authentication | Enhanced Mutual Authentication
Number of bits (message error, processing time)    | Low                | Medium              | High                  | Medium
Cryptanalysis                                      | Easy               | Easy                | Medium                | Hard
False wake up                                      | Not protected      | Protected           | Protected             | Protected
Response time                                      | Fast               | Fast                | Slow                  | Fast
Dictionary attack                                  | Easy               | Easy-Medium         | Difficult             | Difficult

Table 3: Summary of different authentication protocols and their impact on the system security and performance

4.3 RELAY ATTACK

Several techniques were suggested in [38] to protect the passive vehicle access system from a relay attack. One suggestion that is only vaguely described in the article is the use of two frequency tones. The CID simultaneously transmits two frequency tones in response to an interrogation message. Since the communication range between the vehicle and the CID is limited to a short distance, the two tones are transmitted with low power. If the CID and the vehicle are separated by a distance larger than the range of the two tones, the thieves' repeater has to amplify the two tones with a certain gain. As a result of the repeater amplification, harmonics are generated that fall in the band of the two tones. The article by Schmitz et al. [38] is ambiguous and does not clearly explain the details of the solution. It does not clarify whether the vehicle's receiver detects the harmonics to flag the presence of the repeaters, or whether the harmonics corrupt the two transmitted tones. A drawback of such a solution is the assumption made about the amplifier stage of the thieves' repeater equipment. The article assumes that the thieves are equipped with a low-end amplifier stage that is driven into saturation and so generates the in-band harmonics; a repeater whose amplifier stays in its linear region would not.

The main issue with the relay attack is that the thieves have full access to the CID via the wireless link, just as if they were the vehicle's owners. They use the CID as a valid authentication device to encrypt or decrypt the messages from the vehicle. This means that any cryptographic solution based only on the communication link presented in Section 2.5.2 is subject to this attack. Solving this problem requires a solution that is not based on cryptography alone, but also on physical quantities of the signal or attributes of the communication link that distinguish the presence of repeaters from their absence.

4.3.1 RELAY SOLUTION CATEGORIES

It is important to emphasize that our objective is not to detect the

presence or absence of the repeater as much as to develop a solution to

protect the system from the relay attack. Two different strategies can be

used to develop a solution against the relay attack:

4.3.1.1 REPEATER DETECTION

All solutions in this category are based on the system's capability to detect the presence of the repeaters. One physical difference between the presence and absence of the repeater network is the communication range between the vehicle and the CID. There are several ranging techniques. The vehicle may detect the presence of repeaters between the vehicle and the CID by measuring the time the signal takes to travel from the vehicle to the CID and back to the vehicle. If the signal travel time is greater than a preset threshold, the vehicle concludes that a repeater exists between the vehicle and the CID. Though measuring the signal travel time is a reliable method to determine the distance between the vehicle and the CID, it requires high-speed electronics that may be too expensive for automotive applications.

4.3.1.2 SIGNAL CORRUPTION

In this category, the system is designed such that the communication links between the vehicle and the CID are corrupted if a repeater is present in the communication link. The method used in [38] may fall in this category: the harmonics generated by amplification fall in the band of the two tones and may corrupt the received tones. Another method, which we developed to solve the problem, is based on feedback of the transmitted signal that corrupts the signal if repeaters are present in the loop. The feedback solution based on signal corruption is described in Section 4.3.2.

While maintaining the system security is a crucial part of the passive access system design, the following key objectives have to be met for the passive access system to be acceptable to the automotive industry.

i) The system is produced for the automotive industry in high volume, thus a low cost design is very desirable.

ii) The system is intended to increase user comfort. This requires fast and smooth operation that is transparent to the user.

iii) The system has to work reliably under various environmental conditions, such as variable temperature, acceptable noise interference, etc.

The solution we present in Section 4.3.2 is carefully designed to secure the communication link against the relay attack as well as to satisfy the above key objectives.

4.3.2 FEEDBACK SOLUTION

In order to protect the vehicle from the relay attack, we define a new communication protocol that requires a bi-directional RF communication link along with the unidirectional LF communication link. The communication protocol is shown in Figure 22.

Figure 22: Communication between the vehicle and the CID using a unidirectional LF link and a bi-directional RF link (LF: vehicle T to CID R; RF1: vehicle T to CID R; RF2: CID T to vehicle R).


The protocol is initiated by sending an LF signal from the vehicle to the CID upon vehicle trigger. The LF signal serves two purposes: 1) it provides better control over the communication range, and 2) it provides a wake up mechanism for the CID from its battery saving mode. Some other system design specifications also require the LF supporting hardware to be present for a battery-less backup mode. The interesting part is the RF communication. One of the key design requirements is to have the CID and the vehicle communicate on the same frequency. This means that the RF link from the CID to the vehicle uses the same frequency as the RF link from the vehicle to the CID. After the vehicle sends the LF signal, it sends the RF1 packet. This packet may contain some identification and a challenge code. In response to the RF1 packet, the CID sends the RF2 packet. Note that both the RF1 and RF2 packets are transmitted on the same frequency.

Now let us try to understand how the system is protected against the relay attack. Assume that a thief does not know the exact format of the communication protocol. This is a valid assumption unless the thief was a prior employee of the company that developed the protocol, or has vast knowledge about the communication mechanism and has spent some time studying the timing of the signals between the vehicle and the CID. To proceed with the discussion, assume for now that the thieves do not know exactly when the vehicle will be transmitting and when the CID will be responding. Since the thieves have no knowledge of the communication timing, they are required to keep their repeaters on all the time. So, after a vehicle trigger by a thief, there is a continuous transmission among the vehicle, the two thieves and the CID as shown in Figure 23.

Figure 23: Communication between the owner and the vehicle with the two thieves in the loop (vehicle, Thief-1, Thief-2 and owner with CID; carrier frequencies f, f1, f2, f' and f'' as labelled in the original figure).

A third repeater, not shown in the figure for simplicity, is assumed to be in the loop to repeat the LF signal from the vehicle to the CID. The vehicle sends its RF packet using carrier frequency f. Thief-1 first receives the vehicle's signal through his/her receiver, then modulates, amplifies and sends the signal to Thief-2 using carrier frequency f1. Th
ief-2 then demodulates the signal and sends it to the CID using carrier frequency f. However, the receiver of Thief-2's second repeater is on and listening at the same frequency f. Thus, that receiver also picks up the signal being transmitted by Thief-2's own first-repeater transmitter. The transmitter of Thief-2's second repeater then sends the same signal, originally received from the vehicle, back to Thief-1 on carrier frequency f2. Thief-1 demodulates this signal and transmits it to the vehicle. Since the receiver of Thief-1's first repeater is also on all the time, the signal sent to the vehicle by Thief-1's second repeater is also picked up by the receiver of Thief-1's first repeater. As a result, a feedback loop forms between Thief-1 and Thief-2. Since the vehicle is still sending its RF message to the CID, the feedback signal adds to this RF message and the RF message from the vehicle to the CID is distorted. The CID is then unable to understand the message sent by the vehicle, does not respond to it, and Thief-1 is unable to enter the vehicle.

Two kinds of distortion may occur in the message:

i) Both the amplitude and the phase of the transmitted signal suffer frequency-dependent distortion of their frequency components because of the feedback channel. This distortion corrupts the signal communicated between the CID and the vehicle, so that neither the CID nor the vehicle is able to understand the other's messages. This phenomenon is analyzed further in Section 4.3.3.

ii) The second kind of distortion is inter-symbol interference. When the vehicle or the CID transmits a new symbol, the signal of the previous symbol remains in the loop because of the positive feedback. Similar distortion may occur within the same symbol if encoding techniques such as Manchester coding or pulse width modulation are used. The presence of these types of distortion also prevents the CID and the vehicle from understanding the communication signals.

The bi-directional RF link that we use between the CID and the vehicle to solve the relay attack has another advantage: it shortens the authentication process. This is due to the ability to send information from the vehicle to the CID over the RF link instead of the LF link. Typically, a higher bit rate can be transmitted over an RF link than over an LF link. A higher bit rate means faster communication, and faster communication may allow the elimination of some hardware otherwise needed for fast and smooth operation. As a result there may be large savings in the cost of parts and labor.

4.3.3 FEEDBACK SIGNAL ANALYSIS

Figure 24 shows the feedback loop between Thief-1 and Thief-2. The signal from the vehicle to Thief-1 is represented by x(t) and the signal from Thief-2 to the CID by y(t). The time delay between Thief-1 and Thief-2 is τ. For simplicity of the analysis we assume that the time delay τ between the two thieves is identical in both directions. The time delay depends on the distance between the two thieves and on the propagation delay through the components of each repeater, such as filters, mixers, etc.


Figure 24: The feedback loop between Thief-1 and Thief-2

In the time domain, the signals x(t) and y(t) are related as

$$ y(t) = G_1\, x(t-\tau) + G_1 G_2\, y(t-2\tau) $$

where G1 and G2 are the gains of the two repeater paths of the loop in Figure 24. Let X(ω) and Y(ω) be the Fourier transforms of x(t) and y(t), respectively. X(ω) and Y(ω) are related as

$$ Y(\omega) = G_1 X(\omega)\, e^{-j\omega\tau} + G_1 G_2\, Y(\omega)\, e^{-2j\omega\tau} $$

Hence, the transfer function of the feedback loop can be expressed as

$$ H(\omega) = \frac{Y(\omega)}{X(\omega)} = \frac{G_1 e^{-j\omega\tau}}{1 - G_1 G_2 e^{-2j\omega\tau}} = \frac{G_1}{\sqrt{1 + G_1^2 G_2^2 - 2 G_1 G_2 \cos(2\omega\tau)}}\; \exp\!\left[-j\left(\omega\tau + \tan^{-1}\frac{G_1 G_2 \sin(2\omega\tau)}{1 - G_1 G_2 \cos(2\omega\tau)}\right)\right] $$

The magnitude of the transfer function can be expressed as

$$ |H(\omega)| = \frac{G_1}{\sqrt{1 + G_1^2 G_2^2 - 2 G_1 G_2 \cos(2\omega\tau)}} $$

and its phase as

$$ \phi(\omega) = -\omega\tau - \tan^{-1}\frac{G_1 G_2 \sin(2\omega\tau)}{1 - G_1 G_2 \cos(2\omega\tau)} $$

It is clear that the magnitude and phase characteristics of the feedback loop channel distort the different frequency components of the transmitted pulse: |H(ω)| ripples between G1/(1 - G1G2) and G1/(1 + G1G2) as ω varies, and the phase is not linear in ω, so the components of a pulse are scaled and delayed unequally. Such distortion is similar in nature to the distortion caused by the multipath effect [30]. Different equalization techniques can be used to partly correct such distortion [30]. However, these techniques would have to be built into the vehicle and CID receivers, something the thieves have no control over. Thus, the above solution protects the vehicle from the simple attack by two thieves.
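As an added illustration, not part of the dissertation, the following Python script models the loop equation of this section numerically: it checks the closed-form magnitude and phase against the complex transfer function, measures the peak-to-trough gain ripple (1 + G1G2)/(1 - G1G2), shows the echoes that remain in the loop after a pulse (the inter-symbol interference of Section 4.3.2), and decodes a Manchester-coded message with and without the loop closed. The gains G1 and G2, the delay, the Manchester convention and the test message are assumed values chosen for illustration.

```python
"""Numerical model of the repeater feedback loop of Section 4.3.3
(illustrative example; gains, delay and message are assumed values).

Discrete-time loop equation with tau = d samples:
    y[n] = G1 * x[n - d] + G1 * G2 * y[n - 2d]
"""
import cmath
import math


def loop_output(x, g1, g2, d, tail=None):
    """Push samples x through the loop and return len(x) + tail output
    samples, so that energy still circulating after the input ends is visible."""
    tail = 20 * d if tail is None else tail
    y = [0.0] * (len(x) + tail)
    for n in range(len(y)):
        direct = g1 * x[n - d] if 0 <= n - d < len(x) else 0.0
        echo = g1 * g2 * y[n - 2 * d] if n >= 2 * d else 0.0
        y[n] = direct + echo
    return y


def transfer(omega_tau, g1, g2):
    """H(w) = G1 e^{-j w tau} / (1 - G1 G2 e^{-2 j w tau}), as a complex number."""
    return g1 * cmath.exp(-1j * omega_tau) / (1 - g1 * g2 * cmath.exp(-2j * omega_tau))


def magnitude(omega_tau, g1, g2):
    """|H(w)| = G1 / sqrt(1 + (G1 G2)^2 - 2 G1 G2 cos(2 w tau))."""
    g = g1 * g2
    return g1 / math.sqrt(1 + g * g - 2 * g * math.cos(2 * omega_tau))


def phase(omega_tau, g1, g2):
    """phi(w) = -w tau - atan( G1 G2 sin(2 w tau) / (1 - G1 G2 cos(2 w tau)) )."""
    g = g1 * g2
    return -omega_tau - math.atan2(g * math.sin(2 * omega_tau), 1 - g * math.cos(2 * omega_tau))


def closed_form_matches(omega_tau, g1, g2, tol=1e-9):
    """Cross-check: polar form against the complex transfer function."""
    h = transfer(omega_tau, g1, g2)
    mag_ok = abs(abs(h) - magnitude(omega_tau, g1, g2)) < tol
    phase_ok = abs(cmath.exp(1j * phase(omega_tau, g1, g2)) - h / abs(h)) < tol
    return mag_ok and phase_ok


def ripple_db(g1, g2):
    """Peak-to-trough gain variation over frequency, (1 + G1G2)/(1 - G1G2), in dB."""
    g = g1 * g2
    return 20 * math.log10((1 + g) / (1 - g))


def simulated_dc_gain(g1, g2, d, length=1000):
    """Steady-state response to a long step input; should equal magnitude(0)."""
    return loop_output([1.0] * length, g1, g2, d, tail=0)[length - 1]


def manchester(bits, half=4):
    """Manchester code, assumed convention: 1 = high then low, 0 = low then high."""
    out = []
    for b in bits:
        out += ([1.0] * half + [-1.0] * half) if b else ([-1.0] * half + [1.0] * half)
    return out


def manchester_decode(samples, nbits, half=4, offset=0):
    """Receiver aligned to the direct path: compare the mean of the two half-bits."""
    bits = []
    for i in range(nbits):
        start = offset + 2 * half * i
        first = sum(samples[start:start + half]) / half
        second = sum(samples[start + half:start + 2 * half]) / half
        bits.append(1 if first > second else 0)
    return bits


def demo(bits=(1, 0, 1, 1, 0, 0, 1, 0), g1=1.0, g2=0.9, d=3, half=4):
    """Decode one message through the repeaters with and without the loop closed."""
    x = manchester(bits, half)
    direct_only = loop_output(x, g1, 0.0, d)        # no return path: plain delay
    with_loop = loop_output(x, g1, g2, d)           # both repeaters on all the time
    clean = manchester_decode(direct_only, len(bits), half, offset=d)
    looped = manchester_decode(with_loop, len(bits), half, offset=d)
    return {
        "clean": clean,
        "looped": looped,
        "bit_errors": sum(a != b for a, b in zip(bits, looped)),
        "ripple_db": round(ripple_db(g1, g2), 2),
    }


if __name__ == "__main__":
    print(demo())
    echo = loop_output([1.0], 1.0, 0.9, 3)
    print("echoes of a single pulse at 2*tau spacing:", [round(echo[3 + 6 * k], 3) for k in range(5)])
```

A single input sample comes out of the loop as a train of copies spaced 2τ apart with amplitudes G1 (G1G2)^k, which is exactly the residue of earlier symbols that the text describes; with a loop gain G1G2 of 0.9 the in-band gain varies by about 25.6 dB across frequency, far more than a simple threshold receiver tolerates.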

4.3.4 FEEDBACK COUNTER MEASURE ATTACK

Once the passive access system is in production, all the communication protocol timing is defined. The protocol sequence of the communicated packets and the dead time between packets are fixed. If the thieves gain knowledge of the packet timing and the dead time in between, they could develop a counter measure against the feedback solution presented in Section 4.3.2. Knowing the communication timing, the thieves can switch their transmitters and receivers on and off to avoid the feedback loop. The repeaters could be designed to turn on and off automatically during the dead time, based on the packet timing and the predefined signal direction. This way the thieves avoid any feedback and interference in their signals. However, a repeater that switches automatically may require high-speed and complex electronic circuits, and may therefore be too expensive to build. But if such repeaters are built, the thieves may be able to break the security. Keep in mind that in order to break the security by turning the repeaters on and off, the thieves must have prior knowledge of the format and timing of the communication protocol. Learning the protocol timing may not be hard once the system is designed and in production: a simple method is to use a vector analyzer to monitor the communication timing upon vehicle trigger.

4.3.5 SECURE PROTOCOL

A counter measure to the attack presented in the previous section is the design of a secure protocol. We have developed such a protocol in order to protect the passive access system from this attack. The idea behind the protocol is to prevent the thieves from knowing the exact timing and direction of the RF packets. The protocol is based on changing the timing and direction of the packets for every transmission. It protects the system against the two-thief attack even if the thieves have full knowledge of the system design and communication protocol (the three-thief attack of Section 4.3.6 requires the further counter measure of Section 4.3.7).


The communication protocol starts with an LF signal upon vehicle trigger. The LF signal wakes up the CID from sleep mode. It also establishes a time reference for the RF communication to come. If multiple channels are supported by the communication protocol, the LF signal may contain additional information such as the RF channel number. It could also contain a wake up pattern to reduce interference from other sources. Three RF packets are communicated following the LF signal, as shown in Figure 25.

Figure 25: Communication protocol for the solution (LF: vehicle T to CID R; RF1: vehicle T to CID R; RF2: mini packets in both directions; RF3: CID T to vehicle R).

These RF packets are summarized as follows:

i) The content of the RF1 packet is encrypted data that carries the transmission direction of the data bits in the second packet (RF2). The content of the RF1 packet changes every time the system is activated. Since the content of RF1 is encrypted, and a different encryption key is used for every vehicle/CID pair, there is no way for the thieves to know what the content of RF1 will be for a given trigger. Note that even if the thieves were employees of the company that designed the passive entry security system, they do not know which encryption key is used in which vehicle, and thus cannot read the content of the RF1 packet.

ii) The RF2 packet consists of several mini packets. Each mini packet consists of data bit(s) transmitted in either direction. The direction of each mini packet is defined by, and deduced from, the decrypted information received in the RF1 packet. The contents of the packets exchanged between the CID and the vehicle are used, along with other encryption keys, to build the RF3 response packet as shown in Figure 26.

Figure 26: Encryption of the communication protocol: the RF1/RF2 information and an encryption key are fed to the encryption algorithm to produce RF3.

iii) The RF3 packet concludes the protocol. It contains the CID's unique signature and its response to the previous packets. The vehicle checks this packet against its pre-calculated response. If everything matches, the control unit authorizes access to the vehicle. Note that only the authorized CID has the identical encryption key used by the vehicle to build the proper RF3 response packet.

If the above secure protocol is used, the thieves will not know the timing and direction of the RF2 packets. Thus, the thieves will have to keep their transmitters and receivers on all the time, and if they do, there will be feedback in the communication channel between the vehicle and the CID. As a result, the signal will be distorted and unreadable by both the CID and the vehicle.

The only way the thieves can break the passive vehicle security

system is if somehow they can avoid feedback in the communication channel

between the vehicle and the CID. In the next section we described another

technique in which the thieves can break the feedback to avoid signal

distortion. However, in order to break the feedback loop three thieves are

necessary. Thus, we are calling this type of attack as the ‘three-thief attack’.

A solution for the three-thief attack is presented in Section 4.3.7.

4.3.6 THREE THIEF ATTACK

The solution presented in the previous section protects the vehicle against an attack by two thieves. But if three thieves come, they can still attack the passive access security system by breaking the feedback loop that exists in the solution for the two-thief attack. If the feedback loop can be broken, then the signals will not get distorted. As a result, both the CID and the vehicle will be able to understand and validate the signals, and the thieves will be able to access the vehicle.

One thief, Thief-2, will stay close to the owner of the vehicle carrying the CID, and the other two thieves, Thief-1 and Thief-3, will stay close to the vehicle, as shown in Figure 27.

Figure 27: Positions of the thieves, the CID and the vehicle in a three-thief attack problem.

Thief-1 initiates the vehicle trigger to start the communication. Focusing on the RF side, the vehicle starts transmitting using frequency 'f'. Thief-1 will receive the signal from the vehicle and then send it to Thief-2 using frequency 'f1'. Thief-2 will send the signal to the CID using frequency 'f'. The CID will respond using frequency 'f'. Thief-2 will receive this signal from the CID and then send it to Thief-3 using frequency 'f2'. Thief-3 will receive this signal from Thief-2 and then send it to the vehicle using frequency 'f'. The distance between Thief-1 and Thief-3 is far enough that Thief-1's receiver cannot pick up the signal sent by Thief-3. However, both of them are close enough to the vehicle that the vehicle can pick up the signal sent by Thief-3 and Thief-1 can pick up the signal sent by the vehicle. The three thieves will be able to break the feedback loop for the following two reasons:

i) The link between Thief-1 and Thief-2 uses a different frequency than the link between Thief-2 and Thief-3. Hence, when Thief-1 sends signals to Thief-2, Thief-3's receiver cannot pick up that signal. Similarly, when Thief-2 sends signals to Thief-3, Thief-1's receiver cannot pick up that signal either.

ii) Thief-1 is far enough away from Thief-3. Hence, when Thief-3 sends signals to the vehicle, Thief-1's receiver cannot detect that signal. As a result, there is no feedback among the thieves.

Hence, if the feedback loop is broken using the above mechanism, the signals will not be distorted and, as a result, the thieves will gain access to the vehicle.

4.3.7 TWO POWER LEVELS COUNTER MEASURE

Here a solution is presented to protect the vehicle from the three-thief attack. This solution requires the CID to transmit its signals using two different power levels. Some bits will be transmitted at a low power level and other bits will be transmitted at a high power level. The vehicle, after receiving the signal from the CID, will check the difference in power levels between the bits. If the power level difference is the same as the expected difference, and if all other authentication checks pass, then the vehicle will validate the signals received from the CID. So, the key technique behind this solution is to maintain the power level difference in the signals from the CID to the vehicle. If the thieves try to break the feedback loop, then Thief-1 and Thief-3 must separate themselves by enough distance that the high power signal from Thief-3 cannot reach Thief-1. But if they separate themselves by that much distance, then at least one of them will be too far away from the vehicle. If Thief-3 is too far away from the vehicle, then the vehicle will not be able to pick up the low power signal from Thief-3. But if Thief-1 is too far away from the vehicle, then Thief-1 will not be able to receive the signals sent by the vehicle. As a result, the communication link between the vehicle and the CID will be broken. If the communication link is broken, then the vehicle and the CID will not receive each other's messages. Therefore, the thieves will not be able to gain access to the vehicle. The analysis in the next section proves the concept. First, it shows that if the thieves try to maintain the communication range between the vehicle and the CID by keeping Thief-1 and Thief-3 close to the vehicle, then there will be feedback in the signals. Second, if the thieves try to avoid feedback in the signals by keeping Thief-1 and Thief-3 far enough away from each other, then either the vehicle will not receive the signals from the CID via Thief-2 and Thief-3, or Thief-1 will not receive any signals from the vehicle. Thus, the thieves will not get access to the vehicle.

4.3.8 TWO POWER LEVELS ANALYSIS

Let PT be the power transmitted by a transmitter and PR be the power received by a receiver. The received power in dBm is given by the following equation [17], where dBm means decibels with respect to one milliwatt of power.

$$P_R = P_T - 20\log\left(\frac{4\pi d f}{C}\right) = P_T - 20\log\left(\frac{4\pi f}{C}\right) - 20\log(d) \qquad \text{(4.3.8-1)}$$

Where:

f : is the carrier frequency,

d : is the distance between the transmitter and the receiver, and

C : is the speed of light.

For a given carrier frequency f, the term $20\log(4\pi f/C)$ is a constant. Let us assume that

$$k = 20\log\left(\frac{4\pi f}{C}\right)$$

The received power can then be expressed as

$$P_R = P_T - k - 20\log(d) \qquad \text{(4.3.8-2)}$$

The following notations are used in our analysis:

d1 : The distance between Thief-3's RF transmitter and the vehicle's RF receiver; it is just small enough for the vehicle to receive the low power signal transmitted by Thief-3.

d2 : The distance between the vehicle's RF transmitter and Thief-1's RF receiver; it is just large enough for Thief-1 not to receive the high power signal transmitted by Thief-3, so that the feedback in the loop can be avoided.

PTH : High power level, in dBm, transmitted by the CID.

PTL : Low power level, in dBm, transmitted by the CID. Note that the vehicle will also transmit all of its signals at this power level.

PRH : Received power level at the vehicle when the CID transmits at the high power level PTH.

PRL : Received power level at the vehicle when the CID transmits at the low power level PTL.

PTH3 : High power level, in dBm, transmitted by Thief-3.

PTL3 : Low power level, in dBm, transmitted by Thief-3.

PRH1 : The power level, in dBm, at which Thief-1 receives the high power signal transmitted by Thief-3.

PSV : Sensitivity, in dBm, of the receivers of the CID and the vehicle. This means that the signals, when they arrive at the receivers of the CID or vehicle, must have at least this much power to be detected by the CID or vehicle.

PS1 : Sensitivity, in dBm, of Thief-1's receiver. Note that PSV and PS1 need not be the same, because the thieves can design their hardware to have a different sensitivity.

Pdiff : Difference in transmitted power levels, in dBm, from the CID.

dr : Range of the vehicle's as well as the CID's signals. This means that when the thieves are not in the loop, the CID must be within a distance of dr from the vehicle's transceiver for the vehicle and the CID to exchange messages.

dr1 : Thief-1 must be within a distance of dr1 from the vehicle's transceiver for Thief-1 to detect the signals transmitted by the vehicle. Note that dr and dr1 need not be the same, because PSV may not be the same as PS1. If Thief-1 uses a very high-sensitivity receiver, then dr1 will be greater than dr. On the other hand, if the sensitivity of Thief-1's receiver is very low, then dr1 will be less than dr.

Let the CID be at a distance d from the vehicle, where d < dr. Using Equation (4.3.8-2) we can express PRH and PRL as

$$P_{RH} = P_{TH} - k - 20\log(d) \qquad \text{(4.3.8-3)}$$

$$P_{RL} = P_{TL} - k - 20\log(d) \qquad \text{(4.3.8-4)}$$

Equations (4.3.8-3) and (4.3.8-4) imply that

$$P_{diff} = P_{RH} - P_{RL} = P_{TH} - P_{TL} \qquad \text{(4.3.8-5)}$$

Hence, the difference between the received power levels, in dBm, is the same as the difference between the transmitted power levels. The power level difference of the CID's transmitted signals is a known parameter to the vehicle. Thus, after receiving signals from the CID, the vehicle will measure the power level difference of the signals, and if this difference is not equal to the expected value, then the vehicle will not validate the signals even if all other authentication checks are valid.

The RF transmitter and receiver of the vehicle are located at the same place inside the vehicle. The manufacturer of the vehicle can select an appropriate location inside the vehicle where the RF transmitter and receiver can be installed. The thieves do not have any control over this location. However, the thieves can control the values of d1 and d2, shown in Figure 28, by adjusting the gain of Thief-3's hardware and the sensitivity of Thief-1's receiver.

Figure 28: Positions of Thief-1, Thief-3 and the vehicle.

When the CID is within a distance of dr from the vehicle, the vehicle's receiver must be able to detect the low power signal transmitted by the CID. Hence, using Equation (4.3.8-2) we get

$$P_{SV} = P_{TL} - k - 20\log(d_r) \qquad \text{(4.3.8-6)}$$

When Thief-3 is within a distance of d1 from the vehicle, the vehicle's receiver must be able to detect the low power signal transmitted by Thief-3. Hence, using Equation (4.3.8-2) we get

$$P_{SV} = P_{TL3} - k - 20\log(d_1) \qquad \text{(4.3.8-7)}$$

From Equations (4.3.8-6) and (4.3.8-7) we get

$$P_{TL3} - P_{TL} = 20\log\left(\frac{d_1}{d_r}\right) \qquad \text{(4.3.8-8)}$$

When Thief-1 is within a distance of dr1 from the vehicle, Thief-1's receiver must be able to detect the signals transmitted by the vehicle. Hence,

$$P_{S1} = P_{TL} - k - 20\log(d_{r1}) \qquad \text{(4.3.8-9)}$$

Since d2 is large enough for Thief-1 not to detect the high power signal transmitted by Thief-3, we can write PRH1 < PS1, where the value of PRH1 is

$$P_{RH1} = P_{TH3} - k - 20\log(d_1 + d_2) \qquad \text{(4.3.8-10)}$$

Now using Equations (4.3.8-9) and (4.3.8-10) and the relation PRH1 < PS1 we get

$$P_{TH3} - k - 20\log(d_1 + d_2) < P_{TL} - k - 20\log(d_{r1})$$

i.e.

$$P_{TH3} - P_{TL} < 20\log\left(\frac{d_1 + d_2}{d_{r1}}\right)$$

i.e.

$$P_{diff} + P_{TL3} - P_{TL} < 20\log\left(\frac{d_1 + d_2}{d_{r1}}\right)$$

Note that PTH3 = Pdiff + PTL3.

Using Equation (4.3.8-8) we can write the above expression as

$$P_{diff} + 20\log\left(\frac{d_1}{d_r}\right) < 20\log\left(\frac{d_1 + d_2}{d_{r1}}\right)$$

i.e.

$$P_{diff} < 20\log\left(\frac{(d_1 + d_2)\, d_r}{d_1\, d_{r1}}\right)$$

i.e.

$$P_{diff} < 20\log\left(\frac{d_r}{d_1} \cdot \left(\frac{d_1}{d_{r1}} + \frac{d_2}{d_{r1}}\right)\right)$$

If the thieves can satisfy the above expression, then there will be no feedback in the loop. Thus, if the thieves can satisfy the above expression without breaking the communication link between the CID and the vehicle, then they will be able to get into the vehicle. Now we are going to show that the thieves will not be able to satisfy the above expression if we select the value of Pdiff appropriately. In order for the communication link between the CID and the vehicle not to be broken by the thieves, Thief-1 must be within a distance of dr1 from the vehicle. Hence, d2 ≤ dr1, and the maximum value of d2/dr1 is 1. Thus, the thieves need to satisfy the following condition:

$$P_{diff} < 20\log\left(\frac{d_r}{d_1} \cdot \left(\frac{d_1}{d_{r1}} + 1\right)\right) = 20\log\left(\frac{d_r}{d_{r1}} + \frac{d_r}{d_1}\right)$$

The value of the parameter dr is a design parameter that is determined by the manufacturer of the vehicle security system. The thieves do not have any control over the value of this parameter. A typical value, possibly the maximum value, of dr can be 2 meters. This means that, when the thieves are not in the loop, the CID must be within a range of 2 meters from the vehicle's transceiver for the CID and the vehicle to receive each other's signals. A value of more than 2 meters for dr does not make any sense, because when the owner with the CID initiates the vehicle trigger, the CID will not be more than 2 meters away from the vehicle's transceiver, unless the owner is a giant with a really long arm.

The thieves have control over the parameters d1 and dr1. Hence, for a given value of Pdiff, the thieves will try to satisfy the above expression by selecting the minimum values of d1 and dr1. The minimum value of d1 as well as dr1 is the distance between the vehicle's transceiver and the vehicle's exterior side. If the vehicle's transceiver is located halfway between the doors of the two sides of the vehicle, then the minimum value of d1 and dr1 cannot be less than 0.5 meter. So, if dr = 2 meters and d1 = dr1 = 0.5 meter, then the above expression becomes

$$P_{diff} < 20\log\left(\frac{2}{0.5} + \frac{2}{0.5}\right)$$

i.e. Pdiff < 18.062 dBm

Hence, if the difference between the two transmitted power levels from the CID is higher than 18.062 dBm, the thieves will not be able to get into the vehicle.
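The following Python, added here and not part of the dissertation, puts Equations (4.3.8-1), (4.3.8-2) and (4.3.8-5) and the final Pdiff bound into code, and implements the vehicle-side power-difference check of Section 4.3.7. The carrier frequency (315 MHz), the CID power levels, the high-bit layout and the check tolerance are assumed values chosen for illustration.

```python
"""Two-power-level countermeasure (Sections 4.3.7 and 4.3.8) in code.

Added example, not code from the dissertation. The carrier frequency,
the CID power levels, the high-bit layout and the check tolerance are
assumed values chosen for illustration.
"""
import math

C = 299_792_458.0  # speed of light in m/s (the dissertation's C)


def path_loss_constant_db(f_hz):
    """k = 20 log(4*pi*f/C): the frequency-only term split out of Eq. (4.3.8-1)."""
    return 20.0 * math.log10(4.0 * math.pi * f_hz / C)


def received_power_dbm(p_t_dbm, d_m, f_hz):
    """Eq. (4.3.8-2): P_R = P_T - k - 20 log(d), free-space path loss, in dBm."""
    if d_m <= 0.0:
        raise ValueError("distance must be positive")
    return p_t_dbm - path_loss_constant_db(f_hz) - 20.0 * math.log10(d_m)


def pdiff_bound_db(d_r, d_1, d_r1):
    """Largest P_diff that still leaves the three-thief relay a feedback-free
    placement (final inequality of 4.3.8 with d2/dr1 at its maximum of 1):

        P_diff < 20 log(d_r/d_r1 + d_r/d_1)

    d_r  : legitimate vehicle/CID range (design parameter)
    d_1  : closest Thief-3 can get to the vehicle's transceiver
    d_r1 : closest Thief-1 can get to the vehicle's transceiver
    """
    return 20.0 * math.log10(d_r / d_r1 + d_r / d_1)


def pdiff_defeats_relay(p_diff_db, d_r, d_1, d_r1):
    """Design check: True when the chosen P_diff exceeds the bound, so the
    relay can only avoid feedback by breaking the vehicle/CID link."""
    return p_diff_db > pdiff_bound_db(d_r, d_1, d_r1)


def power_difference_ok(bit_powers_dbm, high_bits, expected_pdiff_db, tol_db=1.0):
    """Vehicle-side check of Section 4.3.7.

    bit_powers_dbm    : received power of each bit of the CID's packet
    high_bits         : indices the CID sends at the high level (known to
                        the vehicle from the protocol)
    expected_pdiff_db : P_diff the vehicle expects, Eq. (4.3.8-5)
    tol_db            : assumed measurement tolerance
    Returns True only if mean(high) - mean(low) matches the expected
    difference; a packet lacking either level is rejected outright.
    """
    high = [p for i, p in enumerate(bit_powers_dbm) if i in high_bits]
    low = [p for i, p in enumerate(bit_powers_dbm) if i not in high_bits]
    if not high or not low:
        return False
    measured = sum(high) / len(high) - sum(low) / len(low)
    return abs(measured - expected_pdiff_db) <= tol_db


# Assumed CID parameters for the walk-through (not from the dissertation).
F_HZ = 315e6           # carrier frequency
P_TL = -10.0           # low level, dBm
P_TH = 10.0            # high level, dBm -> P_diff = 20 dB, above the 18.062 bound
HIGH_BITS = {1, 3, 5}  # which of the 8 bits the CID sends at the high level


def cid_packet_at_vehicle(d_m, p_tl=P_TL, p_th=P_TH, f_hz=F_HZ, n_bits=8):
    """Per-bit received power at the vehicle for a genuine CID d_m meters away."""
    return [received_power_dbm(p_th if i in HIGH_BITS else p_tl, d_m, f_hz)
            for i in range(n_bits)]


def flattened_packet_at_vehicle(d_m, level_dbm=P_TH, f_hz=F_HZ, n_bits=8):
    """Constructed failure case: every bit arrives at the same level, so the
    expected difference is absent and the vehicle must reject the packet."""
    return [received_power_dbm(level_dbm, d_m, f_hz) for _ in range(n_bits)]


if __name__ == "__main__":
    bound = pdiff_bound_db(2.0, 0.5, 0.5)
    print(f"P_diff bound for dr=2 m, d1=dr1=0.5 m: {bound:.3f} dB")
    print("P_diff = 20 dB defeats the relay:", pdiff_defeats_relay(20.0, 2.0, 0.5, 0.5))
    genuine = cid_packet_at_vehicle(1.5)
    print("genuine CID at 1.5 m accepted:", power_difference_ok(genuine, HIGH_BITS, P_TH - P_TL))
    flat = flattened_packet_at_vehicle(1.5)
    print("flattened packet accepted:", power_difference_ok(flat, HIGH_BITS, P_TH - P_TL))
```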

In the above solution for the three-thief attack problem we assumed that two thieves will be standing near the vehicle and one thief will be standing near the CID. The thieves can also break the feedback loop by keeping two thieves, Thief-2 and Thief-3, near the CID and Thief-1 near the vehicle. Thief-1 will initiate the communication by pulling a door handle. Thief-1 will receive the signal from the vehicle and send it to Thief-2. Thief-2 will then send the signal to the CID. Thief-3 will collect the response from the CID and send it to Thief-1. Thief-1 will then send the response to the vehicle. In order to break the feedback loop, Thief-2 and Thief-3 must be far enough from each other that Thief-3 does not pick up the signal sent by Thief-2, and they must also be close enough to the CID that the CID can pick up Thief-2's signal and Thief-3 can pick up the response from the CID. In this case the vehicle has to send its signals using two different power levels. However, this type of attack, using two thieves near the CID and one thief near the vehicle, is not that realistic, because if the two thieves try to manipulate the distance between themselves and the owner of the vehicle, then the owner may become suspicious of the thieves' activities.

CHAPTER 5

CONCLUSIONS

The passive access system for vehicles is the new generation of keyless entry. Several security weaknesses of the system have been identified. These security weaknesses are due to the unlimited access to the vehicle door handle and to the CID response that can be solicited without the owner's knowledge. The security weaknesses were classified into three different categories based on the attacker's approach. The first category is the deterministic approach; in this category we identified two different methods, the playback attack and the relay attack. The second category is the statistical approach; in this category we identified the scanning attack and the dictionary attack. The third category is the analytical approach; in this category we identified the cryptanalysis attack and the challenge prediction attack.

Identifying the security weaknesses and possible threats is the first step in the design process towards a secure system. The second step is to analyze and measure each one of these threats. In Chapter 3 we focused our effort on the analysis of each individual threat. These analyses were an important step in identifying the security parameters and measures. The security parameters were then weighed against other system requirements to balance security and system performance. To facilitate our analysis of several threats, we introduced a random challenge model in Section 3.5 and methods for measuring security in Section 3.6.

In Chapter 4, we focused our efforts on providing solutions to two of the most challenging attacks, the dictionary attack and the relay attack. The dictionary attack was addressed by developing a unique authentication mechanism that is fast and secure. The solution was based on cryptography and the use of random numbers and a vehicle identification code. The relay attack is an easier attack to perform; however, it was the most difficult attack to counter. For this attack we proposed a solution that is based on cryptography and communication theory. The solution was presented in three incremental steps. The first step presents a solution that is based on signal corruption due to feedback if a repeater exists in the communication link between the CID and the vehicle. Two thieves with a higher level of intelligence and more sophisticated attack equipment can break the feedback loop presented in the first step. The second step presents a unique use of cryptography to encrypt information regarding the signal direction. This step prevents any two thieves from breaking the feedback loop presented in the first step. However, if there are three thieves with more sophisticated equipment, they could still break the feedback loop by power manipulation. Step three presents a solution that is based on the use of two power levels to protect the system against three thieves or more.

CHAPTER 6

FUTURE RESEARCH

Imagine the possibility of being able to diagnose your vehicle without driving to the dealer, simply by using an internet browser that connects you directly to the vehicle and performs the necessary tests. Imagine the possibility of being able to access personal information such as your bank account from your vehicle without going through the drive-through. Imagine the possibility of being able to trade your stocks while you are driving in the middle of nowhere. Imagine the possibility of having a mobile office where information is available to you anywhere, anytime you want. The emerging technology of wireless communication and the availability of information via the internet make such scenarios possible for the next generation of vehicles. While there is a treasure of features that can be made possible and available to users, there are hackers who must be prevented from gaining access to these features. Developing security procedures that make the system available and convenient to use, while at the same time preventing hackers from using it, is an ongoing research area.

APPENDIX A - ACRONYMS

RKE : Remote Keyless Entry

CID : Customer Identification Device

OW : Operation Window

PIN : Personal Identification Number

CDF : Cumulative Distribution Function

PDF : Probability Distribution Function

VID : Vehicle Identification

ECU : Electronic Control Unit

RFID : Radio Frequency Identification Device

RAM : Read Access Memory

ROM : Read Only Memory

REFERENCES

[1] D. G. Abraham, G. M. Dolan, G. P. Double, J. V. Stevens, "Transaction Security System", IBM Systems Journal, vol. 30, no. 2, 1991, pp. 206-229.

[2] R. Anderson, M. Kuhn, "Tamper Resistance – a Cautionary Note", The Second USENIX Workshop on Electronic Commerce Proceedings, Oakland, California, November 18-21, 1996, pp. 1-11.

[3] E. Biham, "New Types of Cryptanalytic Attacks Using Related Keys", Advances in Cryptology – EUROCRYPT '93, Springer-Verlag, 1994, pp. 398-409.

[4] E. Biham, A. Shamir, "Differential Cryptanalysis of DES-like Cryptosystems", Advances in Cryptology – CRYPTO '90 Proceedings, Springer-Verlag, Berlin, 1991, pp. 2-21.

[5] E. Biham, A. Shamir, "Differential Cryptanalysis of DES-like Cryptosystems", Journal of Cryptology, vol. 4, no. 1, 1991, pp. 3-72.

[6] E. Biham, A. Shamir, "Differential Cryptanalysis of Feal and N-Hash", Advances in Cryptology – EUROCRYPT '91 Proceedings, Springer-Verlag, Berlin, 1991.

[7] E. Biham, A. Shamir, "Differential Cryptanalysis of Snefru, Khafre, REDOC-II, LOKI, and Lucifer", Advances in Cryptology – CRYPTO '91 Proceedings, Springer-Verlag, Berlin, 1992.

[8] W. Diem, "Smart Card Opens the Door", AutoTechnology, January 2001, pp. 32-33.

[9] J. Duquette, D. Juzswik, G. Fischer, B. Dunbridge, "Smart Automotive Keyless Entry – An Application of Advanced Digital Communications Signal Processing", Technology Review Journal, Millennium Issue, Fall/Winter 2000, pp. 107-116, TRW, Cleveland, Ohio, USA.

[10] J. Garnault, "Hands-Free System for Unlocking and/or Opening an Openable Member of Motor Vehicle", US Patent number 5929769. Assigned to Valeo Security Habitacle.

[11] J. Gordon, "Designing Codes for Vehicle Remote Security Systems", Concept Laboratories Ltd. and Police Science Development Branch, Hertfordshire, G.B., 1994, pp. 1-22.

[12] J. Gordon, U. Kaiser, T. Sabetti, "A Low Cost Transponder for High Security Vehicle Immobilizers", Proceedings of ISATA '96, Florence, Automotive Electronics, 96AE001.

[13] GOST, Gosudarstvennyi Standard 28147-89, "Cryptographic Protection for Data Processing Systems", Government Committee of the USSR for Standards, 1989.

[14] P. Hellekalek, "Good Random Number Generators are (not so) Easy to Find", Mathematics and Computers in Simulation, Elsevier Science B.V., 1998, pp. 485-505.

[15] M. Hirano, M. Takeuchi, K. Nakano, "Keyless Entry System for Automotive Vehicle with Power Consumption Saving Feature", US Patent number 4688036. Assigned to Nissan Motor Company.

[16] M. Hirano, M. Takeuchi, T. Tomoda, K. Nakano, "Keyless Entry System with Radio Card Transponder", IEEE Transactions on Industrial Electronics, vol. 35, no. 2, May 1988, pp. 208-216.

[17] W. Husak, C. Einolf, S. Salamon, "On-Channel Repeaters for Digital Television Implementation and Field Testing", Presented at the NAB99 Broadcast

[18] D. Juzswik, "Evolving Automotive Access Systems", Proceedings of the 4th International Conference on Vehicle Electronic Systems 2001, Coventry, UK, June 2001, pp. 8.2.1-8.2.7, ERA Technology Ltd., 54 Lombard Street, London EC3V 9EX, UK.

[19] D. Kahn, "The Codebreakers: The Story of Secret Writing", Macmillan Publishing, New York, 1967.

[20] J. Kelsey, B. Schneier, D. Wagner, "Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES", Advances in Cryptology – CRYPTO '96, Springer-Verlag, 1996, pp. 237-251.

[21] K. Khangura, N. Middleton, M. Ollivier, "Vehicle Anti-Theft System Uses Radio Frequency Identification", Proceedings of the Colloquium on Vehicle Security Systems, October 8, 1993, digest 1993/178, IEE, 1993.

[22] L. Knudsen, "Cryptanalysis of LOKI91", Advances in Cryptology – AUSCRYPT '92, Springer-Verlag, 1993, pp. 196-208.

[23] D. Knuth, "The Art of Computer Programming", Volume 2: Seminumerical Algorithms, 2nd edition, Addison-Wesley, 1981.

[24] H. Krawczyk, "How to Predict Congruential Generators", Advances in Cryptology – CRYPTO '89, Volume 435 of Lecture Notes in Computer Science, Springer-Verlag, 1990, pp. 138-153.

[25] H. Krawczyk, "How to Predict Congruential Generators", Journal of Algorithms, vol. 13, no. 4, December 1992.

[26] P. L'Ecuyer, "Efficient and Portable Combined Random Number Generators", Communications of the ACM, vol. 31, no. 6, June 1988, pp. 742-749.

[27] P. L'Ecuyer, "Random Numbers for Simulation", Communications of the ACM, vol. 33, no. 10, October 1990, pp. 85-97.

[28] D. Labonde, "Motor Vehicle Security System", US Patent number 5682135. Assigned to Kiekert AG.

[29] X. Lai, J. Massey, S. Murphy, "Markov Cipher and Differential Cryptanalysis", Advances in Cryptology – CRYPTO '91, Springer-Verlag, 1996, pp. 252-267.

[30] B. P. Lathi, "Modern Digital and Analog Communication Systems", HRW Series in Electrical and Computer Engineering, New York, 1983.

[31] K. Marneweck, "An Introduction to Keeloq Code Hopping", TB003 application note, Microchip Technology Inc., Chandler, Arizona, 1996.

[32] J. Massey, "SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm", Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 1-17.

[33] E. Mayne, "Genetic Re-Engineering", Ward's AutoWorld, June 2001, pp. 34-35, Intertec Publishing Corp., 9800 Metcalf, Overland Park, KS 66212-2215.

[34] Microchip Technology Inc., Data sheet for HCS300, "Keeloq Code Hopping Encoder", Microchip Technology Inc., 2355 West Chandler Blvd., Chandler, AZ 85224-6199.

[35] Microchip Technology Inc., Data sheet for HCS410, "Keeloq Code Hopping Encoder and Transponder", Microchip Technology Inc., 2355 West Chandler Blvd., Chandler, AZ 85224-6199, 2001.

[36] Microchip Technology Inc., Data sheet for HCS412, "Keeloq Code Hopping Encoder and Transponder", Microchip Technology Inc., 2355 West Chandler Blvd., Chandler, AZ 85224-6199, 2000.

[37] K. Nakano, M. Takeuchi, "Automotive Keyless Entry System Incorporating Portable Radio Self-Identification Code Signal Transmitter", US Patent number 4794268. Assigned to Nissan Motor Company.

[38] S. Schmitz, J. Kruppa, P. Crowhurst, T. Oexle, W. Ulke, "New Door Closure Concept", Automotive Engineering International, SAE, vol. 108, no. 9, September 2000, pp. 118-120.

[39] B. Schneier, "Applied Cryptography", John Wiley & Sons, 1994.

[40] C. Shannon, "The Mathematical Theory of Communication", University of Illinois Press, 1963.

[41] M. Simon, C. Luebke, "Keyless Motor Vehicle Entry and Ignition System", US Patent number 5937065, Assigned to Eaton Corporation, August 10, 1997.

[42] D. Smith, "Passive Keyless Entry, Latest from Lectron", Ward's Auto World, July 1993, p. 111, Intertec Publishing Corp., 9800 Metcalf, Overland Park, KS 66212-2215.

[43] M. Stippler, "Antitheft Device for a Motor Vehicle and Method for Operating the Antitheft Device", US Patent number 6218932, Assigned to Siemens Aktiengesellschaft.

[44] G. Thomas Jr., R. Finney, "Calculus and Analytic Geometry", 9th edition, Addison-Wesley Publishing Company, 1996.

[45] Texas Instruments, "TIRIS Automatic Recognition of Consumers", Application notes, 5000 series reader system, Texas Instruments, 13536 North Central, Dallas, Texas 75243.

[46] Texas Instruments, "TIRIS News", International newsletter of the TIRIS group, Issue No. 19, 1999, Texas Instruments, 13536 North Central, Dallas, Texas 75243.

[47] T. Tomoda, M. Takeuchi, K. Nakano, "Pocket-Portable Radio Code Signal Transmitter for Automotive Keyless Entry System", US Patent number 5111199. Assigned to Nissan Motor Company.

[48] T. Tomoda, M. Takeuchi, K. Nakano, M. Hirano, "Keyless Entry System for Automatically Operating Automotive Door Locking Devices Without Manual Operation", US Patent number 4763121. Assigned to Nissan Motor Company.

[49] T. Waraksa, K. Farley, R. Kiefer, D. Douglas, L. Gilbert, "Passive Keyless Entry System", US Patent number 4942393. Assigned to Lectron Products Inc.

[50] T. Waraksa, K. Farley, R. Kiefer, D. Douglas, L. Gilbert, "Passive Keyless Entry System", US Patent number 5319364. Assigned to Lectron Products Inc.

[51] W. Weishaupt, "Security Installation for Motor Vehicles", US Patent number 4738334, Assigned to Bayerische Motoren Werke AG.

[52] A. Wielgat, "What's the Frequency? Suppliers Seek New Applications for RF Technology", Automotive Industries, July 2001, Randall Publishing Co. Inc., 3200 Rice Mine Rd., N.E., Tuscaloosa, Alabama 35406.

ABSTRACT

SECURITY OF PASSIVE ACCESS SYSTEMS

by

ANSAF IBRAHEM ALRABADY

December, 2002

Advisor: Dr. Syed M. Mahmud

Major: Electrical and Computer Engineering

Degree: Doctor of Philosophy

A passive vehicle access system for automotive applications is an evolution of the popular remote keyless entry systems. It provides the ultimate user comfort in accessing the vehicle. The user no longer needs to reach for any form of mechanical or electronic key to gain access to the vehicle. The vehicle distinguishes an authorized user from others by the possession of a Customer Identification Device that is kept in the user's pocket or purse when they approach the vehicle. While this extra level of comfort is a desirable feature, it introduces several security weaknesses with the existing technology. This research addresses these issues with emphasis on design tradeoffs and analysis. Solutions that meet the design goals and eliminate unauthorized access to the vehicle are also presented.


AUTOBIOGRAPHICAL STATEMENT

ANSAF IBRAHEM ALRABADY [email protected]

Ansaf Alrabady received a Bachelor of Science degree in Electrical and Computer Engineering from Jordan University of Science and Technology, Jordan, and a Master of Science degree in Computer Engineering from Wayne State University, Detroit, Michigan. Alrabady joined TRW Automotive Electronics in 1995. In his first assignment, he worked on developing software and algorithms for an airbag electronic sensing module. After two years at TRW he was the lead software engineer for different projects at the research and advanced product development division. During his time at TRW, he filed over 30 patent disclosures related to vehicle safety and security. TRW has recognized his significant contribution to vehicle safety and security through multiple awards. In 2001, Alrabady received the “Automotive Hall of Fame Young Leadership and Excellence” award, the only industry-wide means to honor the men and women of the global motor vehicle and related industries. Recently, Alrabady joined the electrical and controls integration labs at the General Motors Corporation at its facility in Warren, Michigan. His main research work is related to vehicle security.

PUBLICATIONS:

1. Ansaf I. Alrabady and Syed Masud Mahmud, “Some Attacks Against Vehicle’s Passive Entry Security Systems and Their Solutions”, accepted for publication in the IEEE Transactions on Vehicular Technology.

2. Syed Masud Mahmud and Ansaf I. Alrabady, "A New Decision Making Algorithm for Airbag Control", IEEE Transactions on Vehicular Technology, Vol. 44, No. 3, Aug. 1995, pp. 690-697.

3. Ansaf I. Alrabady, Syed Masud Mahmud and Vipin Chaudhary, "Placement of Resources in the Star Network," Proc. of the International Conference on Algorithms and Architectures for Parallel Processing, IEEE, June 11-13, 1996, Singapore, pp. 61-67.

4. Ansaf I. Alrabady and Syed Masud Mahmud, "Development of a Decision Making Algorithm for Airbag Control", Proceedings of the IEEE Measurement and Technology Conference, May 18-20, 1993, Hyatt Regency Hotel, Irvine, CA, pp. 81-84.

5. Ansaf I. Alrabady and Syed Masud Mahmud, “Analysis of Attacks Against the Security of Keyless Vehicles and Suggestions for Improved Designs”, submitted for publication to the IEEE Transactions on Vehicular Technology.

6. Ansaf I. Alrabady and Syed Masud Mahmud, “A Solution of Multiple-Thief Attack Against Passive Keyless Vehicle Systems”, submitted to the 57th IEEE Semiannual Vehicular Technology Conference, April 21-24, 2003, Korea.

7. Ansaf I. Alrabady and Syed Masud Mahmud, “Comparative Study of Different Attacks Against the Vehicles with Keyless Entry”, submitted to the 57th IEEE Semiannual Vehicular Technology Conference, April 21-24, 2003, Korea.