SECURITY OF PASSIVE ACCESS VEHICLE ANSAF IBRAHEM ALRABADY DISSERTATION. Submitted to the Graduate School. of Wayne State University, Detroit, Michigan

Transcription

1 SECURITY OF PASSIVE ACCESS VEHICLE by ANSAF IBRAHEM ALRABADY DISSERTATION Submitted to the Graduate School of Wayne State University, Detroit, Michigan in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY 2002 MAJOR: ELECTRICAL AND COMPUTER ENGINEERING Approved by: Advisor Date

2 COPYRIGHT BY ANSAF IBRAHEM ALRABADY 2002 All Rights Reserved

3 DEDICATION To my family

4 ACKNOWLEDGMENTS First, I would like to express my sincere thanks to my adviser, Dr. Mahmud for his guidance throughout my dissertation and for his willingness to welcome me to his home in order to work around my hectic schedule. Also, my deep appreciation to his family for their warm welcome and for the time I took from them every weekend to make this work possible. Second, my special thanks to the people I worked with at TRW, a place of highly talented people. Thanks to David Juzswik for his motivation and for his help to select my research topic, Casilda de Benito and Sandra MacDonald for their continued support, Ernie Pacsai for his confidence in me and for creating an enjoyable and challenging workplace. My thanks also goes to my friends I worked with at TRW, John Duquette, Koki Mizono, Paul Lumley, Tony Cool, Dave Parent, Peter Lin, Tim Dezorzi, Tom Tracz, Jason Evens, Jerome Gholston and many other that I learned from and enjoyed working with. My thanks also goes to my parents for their unlimited support, my brothers and sisters Ruba, Rula, Majdi Rabi, Rama and Rania for their love, my uncle Dr. Munier Dababneh for his encouragement. Great thanks to my wife Tamara for her patience, love, support, and understanding during the long working hours at work and study

5 TABLE OF CONTENTS CHAPTER 1 - INTRODUCTION...1 CHAPTER 2 - BACKGROUND MATERIAL CRYPTOLOGY REMOTE KEYLESS ENTRY Fixed Code Rolling Code Synchronization BI-DIRECTIONAL RKE IMMOBILIZER Fixed Code Rolling Code Password Protection Challenge Response PASSIVE ACCESS SYSTEM Unidirectional Link Bi-directional Link RANDOM NUMBER GENERATORS SECURITY THREAT Deterministic approach Playback Attack Relay Attack Statistical approach... 41

6 Scanning Attack Dictionary Attack Analytical approach: Cryptanalysis Attack Challenge Prediction Attack CHAPTER 3 - SECURITY ANALYSIS PLAYBACK ATTACK RELAY ATTACK CRYPTANALYSIS ATTACK CHALLENGE PREDECTION ATTACK ExternAl Manipulation Different Sequence for Different ECUs Statistical Requierments Flat distribution Avalanche Effect Strict Avalanche Effect RANDOM CHALLENGE MODEL MEASURING SECURITY SCANNING ATTACK Independent Random Challenge Cyclic Random Challenge EFFECT OF Randomization Factor DICTIONARY ATTACK... 87

7 3.8.1 The Devil s Advocate CHAPTER 4 - SOLUTIONS OF DICTIONARY AND RELAY ATTACKS DICTIONARY ATTACK COUNTERFEIT Use of Password Decrease Repetition Rate Mutual Authentication Enhanced Mutual Authentication NEW DICTIONARY ATTACK AND SOLUTION RELAY ATTACK Relay solution categories Repeater Detection Signal Corruption Feedback Solution Feedback Signal Analysis Feedback Counter Measure Attack Secure Protocol Three Thief Attack Two Power Levels Counter Measure Two power levels Analysis CHAPTER 5 - CONCLUSIONS CHAPTER 6 - FUTURE RESEARCH ABSTRACT

8 AUTOBIOGRAPHICAL STATEMENT

9 LIST OF TABLES Table 1: Summary of available authentication using a bi-directional link for passive vehicle Table 2: Example of random numbers probability distribution and their corresponding amount of information Table 3: Summary of different authentication protocols and their impact on the system security and performance

10 LIST OF FIGURES Figure 1 : An example of a cryptosystem data transformation... 8 Figure 2: Example of rolling code authentication for unidirectional RKE Figure 3: Sequence Counter Operation Window Figure 4: Example of rolling code for bi-directional RKE Figure 5: Communication between the vehicle and the CID Figure 6: Illustration of a two-thief attack problem Figure 7: Block diagram of a thief s repeater system Figure 8: A complete theft device using two repeaters Figure 9: Cryptanalysis attack spectrum Figure 10: Examples of different systems on the cryptanalysis spectrum Figure 11: Number of combinations for each number of bits changed Figure 12: Entropy vs. probability of bit change Figure 13: Model for random number generator Figure 14: F(X) for cyclic and independent random challenges Figure 15: F(k,n,m) for different system parameters Figure 16: F(X) for dictionary attack with different dictionary size Figure 17: Password protection authentication process Figure 18: Mutual authentication challenge Figure 19: Vehicle processing to a received challenge in a mutual authentication protocol Figure 20: Challenge block diagram Figure 21: Enhanced mutual authentication flowchart

11 Figure 22: Communication between the vehicle and the CID using a unidirectional LF link and a bi-directional RF link Figure 23: Communication between the owner and the vehicle with the two thieves in the loop Figure 24: The feedback loop between Thief-1 and Thief Figure 25: Communication protocol for the solution Figure 26: Encryption of the Communication Protocol Figure 27: Positions of the thieves, the CID and the vehicle in a three-thief attack problem Figure 28: Positions of Thief-1, Thief-3 and the vehicle

12 1 CHAPTER 1 INTRODUCTION The use of keyless entry for automotive application has grown rapidly since it was introduced as a numerical keypad at the exterior of the vehicle s door. In the early version, the user was required to enter a Personal Identification Number (PIN) as a proof of identity before allowing access to the vehicle s compartment. The numerical keypad provides some level of user comfort. It was more appreciated by those who are involved in sport activities since they do not want to carry a mechanical key and yet want to access their vehicles. While numerical keypad provides some comfort to certain people, it did not provide the desired comfort level for normal day-today use. In addition, the level of security provided by such system was unacceptable for automotive use. As the technology moved forward, a more desirable type of keyless entry system known as Remote Keyless Entry (RKE) was introduced. Unlike the numerical keypad that was based on knowledge of a PIN to gain access to the vehicle, the RKE system was based on the possession of a portable transmitter. RKE system has been in production for over twenty years. It has become such a desirable convenience feature that it is standard on many of today s vehicles. The system mainly consists of two units, a portable transmitter known as the fob, and a receiver connected to a control unit installed in the vehicle. When a user attempts to access his vehicle he

13 2 presses one of the several buttons available on the fob. In response to the user press, the fob transmits a message. The message contains a function code and an identification code. Every transmitter has a unique identification code stored in its memory at the manufacturing time. The same identification code is also stored in the vehicle memory. If the vehicle is within the fob s transmission range, the control unit in the vehicle receives the fob s transmitted message. The vehicle then compares the received identification code with the one stored in its memory. If the received identification code matches the stored identification code, the vehicle then recognizes the message as a valid message. In response to a valid message, the vehicle generates the appropriate signals to perform the desired function as requested by the function code. Remote functions include door lock, unlock, trunk open, panic, and remote engine start. The search for other types of keyless entry to improve the user comfort and security continues in different technological fields. The objective was to increase the user comfort to access the vehicle at the same time prevent any unauthorized access. Some of the technology investigated the use of biological attributes as methods for authentication. These attributes include fingerprints, voice, and vision. While these methods are promising to prove the user identity, the cost and reliability of such technology is still far from being acceptable for automotive use. Although RKE systems have enhanced user convenience, the user still has to reach for the fob and physically press a button to unlock the

14 3 vehicle. This level of user interface is not convenient for users with hands full of groceries or for someone who is rushing to enter the vehicle. To eliminate a user from reaching for the fob and then press a button, a more sophisticated type of keyless entry system has been recently introduced to the market [8],[38]. The system is a hands-free or passive system. A user no longer needs to search for a mechanical key or a fob to unlock the vehicle. The vehicle identifies authorized users through the possession of a CID that is carried in their pocket or purse. The CID is a credit card or fob like device. When a user tries to access the vehicle (doors, trunk, or ignition), the vehicle sends an interrogation message. If an authorized CID is within the transmission range of the interrogation message, the CID responds with an identification code to the vehicle. The vehicle checks the received identification code to verify the user identity. The communication time between the vehicle and the CID, the verification process and the unlocking process, all have to be completed in a short period of time such that a normal door handle lift will not cause a mechanical lock jam or interference. While the main objective of the passive entry system is to provide the user with a high level of convenience, the system must also meet or exceed the current RKE security. One of the most technical challenges in designing a secure system is the communication protocol between the CID and the vehicle. The protocol has to meet the communication timing imposed by the system requirements. A fast protocol is important to ensure that the vehicle will unlock before the door handle reaches its full travel, or a mechanical jam

15 4 may occur. Other challenges in designing the protocol includes but not limited to, support of multiple CIDs to the same vehicle, synchronization between the CID and the vehicle, program and deprogram a new CID in case of lost or stolen CID, and most importantly vehicle security. On the security side, the battle between the system designer and the system attackers is an on going process. It is an unfortunate and unfair battle against the system designers. System designers are considered successful in their design if they design a system that is secure against any possible attack. On the other side, system attackers are considered successful if they find one method only to break the system. This leaves a huge burden on the system designers. They have to think not only as system designers, but also as system attackers. Their job goes beyond the system design to identify all possible methods to break the system, regardless of whether these methods are available today or they may be developed in the future. It is important on one hand to recognize the fact that there are criminal organizations that have the skills and capability to design and build electronics to attack RKE and passive access systems. On the other hand, a highly secure system might be cost prohibitive for automotive use. For these reasons analyzing the different security threats against the system is a crucial part in meeting the overall system requirements and design tradeoffs. Security consideration is important at an early stage of the system design phases. Adding security after the system design may be expensive

16 5 and difficult to implement. Design for security can be split into three different steps. First, identify the different security weaknesses and possible threats against the system. Second, analyze and measure each of the security threats identified and its impact on the overall system design. Third, provide solution based on analysis that balances between security aspect and other system design parameters. It is the objective of this research work to go through these three steps in order to provide a reliable and secure system for passive access vehicle. This dissertation is organized in six chapters. Chapter 1 is an introduction. Background material is presented in Chapter 2. This material includes an overview of cryptology, current available systems in the vehicle for access and security, and identification of the security threats against the passive access system. Analysis of different attacks, security measures and random challenge model is presented in Chapter 3. Solutions to the dictionary and relay attacks are given in Chapter 4. Conclusions are presented in Chapter 5, and future research directions are presented in Chapter 6.

17 6 CHAPTER 2 BACKGROUND MATERIAL Passive access system for vehicles is a new technology. A secure and reliable communication protocol for passive vehicle access systems is still under development. Several authentication protocols have been investigated in the past for other systems in the vehicle. Systems such as RKE and immobilizer are rapidly evolving to increase user convenience and vehicle security. It is important to understand how these systems work. What are the existing security weaknesses against these systems? What kind of security measures has been implemented to prohibit an unauthorized access? What are the different variations? Understanding the current technology and the challenges involved, provide a valuable guidance toward the development of a secure and reliable protocol for passive access system. This chapter is divided into seven sections. An overview of the use of cryptology in information security is presented in Section 2.1. Available communication protocols and authentication techniques for unidirectional and bi-directional RKE are shown in Section 2.2 and Section 2.3, respectively. Several authentication methods used in the immobilizer system are shown in Section 2.4. Communication links for passive access system between the vehicle and the CID are presented in Section 2.5. Random number generator is one important component of the authentication protocol. An overview of

18 7 random number generators is shown in Section 2.6. Different security threats against the passive access system are presented in Section CRYPTOLOGY Cryptology is one field of mathematics that deals with information security. It consists of two branches, cryptography and cryptanalysis. The people who practice cryptography are called cryptographer while the people who practice cryptanalysis are called cryptanalysts. Cryptographers main objective is to build a cryptosystem that secures information communicated over a public channel (e.g. wireless communication). Cryptanalysts represent the enemy side; their main mission is to break the security of the communicated information. A cryptosystem normally consists of an encryption algorithm and a matching decryption algorithm. An encryption algorithm, represented by E(), is a mathematical transformation that takes a plain-text P and produces a cipher-text (encrypted text) C using an encryption key K E. A Decryption algorithm, represented by D(), is a mathematical transformation that takes a cipher-text C and produces a plain-text P using a decryption key K D. The encryption key K E and the decryption key K D may have the same value or they may have different values. This mainly depends on the encryption and decryption algorithms used. For simplicity of illustration, we use the same symbol for both encryption and decryption keys (i.e. K E = K D = K). Figure 1 shows the information transformation.

19 8 P E K (P) C D K (C) P K K Figure 1 : An example of a cryptosystem data transformation Different encryption algorithms provide different degree of security. While some algorithms maintain their security by keeping the details of encryption and decryption transformation secret, other algorithms are available to the general public. The security of a public domain algorithm is maintained in the encryption and decryption keys. The encryption and decryption keys are assigned at a later phase in the design process. Public domain algorithms are available to the general public for review, analysis, and use. Their strength is drawn from the complexity to calculate the inverse of the algorithm without knowing the key. The use of public domain algorithms provides a system that is secure by design not by trust. The system maintains its security without concerns of any type of threats against the system. One threat example may be possible from one of the members of a design team who was frustrated and left the organization. A second threat example may be possible form some criminal organizations with advanced technology in reverse engineering. They may have the power and tools to read and de-assemble the ROM content. Even though some of the processors provide a security bit against reading the ROM once it is

20 9 programmed, several techniques are available to erase the security bit for some of the known processors [2]. The strength of an encryption algorithm is normally measured by the time and space complexity needed to break the encryption algorithm. The use of the phrase break the algorithm means to find a method either to recover the plaintext or the encryption key that has been used. From a mathematical point of view, an encryption algorithm may be classified as: - i) Unconditionally secure:- The encryption algorithm is said to be unconditionally secure if the amount of information available to the outside is insufficient to figure out the encryption and decryption transformation. This is true regardless of the amount of time and tools available to a cryptanalyst. Encryption algorithms that are based on one-time-pad [19] techniques belong to this category. In this technique different encryption key is used every time the system is used. Of course, the sequence of encryption keys has to be known to both communicating parties ahead of time. This might not be possible for all systems or it might be as difficult as sending the messages themselves. ii) Mathematically insecure:- The encryption algorithm is said to be mathematically insecure if the encryption algorithm can be broken in a short period of time. By a short period of time, we mean that the value

21 10 of information obtained - in a short period of time - is much more than the cost and effort involved to break the algorithm. iii) Mathematically secure: - The encryption algorithm is said to be mathematically secure if the time required to break the algorithm is much more than the value of information obtained. The development of new technology always tends to replace an old one. In general, the information communicated over a public channel will have less value in the future than its current value. If the amount of time and cost needed to break an encryption algorithm is more than the future value of the information obtained, we say that the algorithm is mathematically secure. 2.2 REMOTE KEYLESS ENTRY The communication protocol for the RKE systems has been under development since it was first introduced in the early 1980 [9]. Most of the current RKE systems available in the market are based on unidirectional communication links. The communication starts when one of the fob buttons is pressed. The fob sends a digital signal message that is received by a controller mounted inside the vehicle. Two major variations of RKE authentication that uses a unidirectional communication link exist. These are described in the following two subsections

22 FIXED CODE In the early version of RKE, the message contains a fixed identification code (ID) and a function code. The function code defines the user s intent to lock or unlock the vehicle. The fixed ID code is intended to discriminate between different fobs programmed for different vehicles. When the vehicle receives the message, it compares the received ID code with a stored ID in the vehicle s memory. If the IDs match, the vehicle then executes the user s request as defined by the function code bits. Fixed code system is vulnerable to several attacks. The most widely known attack is the code grabbing or playback attack [31]. A thief with a radio receiver can learn or record the digital signal message when transmitted by an authorized fob. He can then playback the recorded message to gain an unauthorized access to the vehicle while the user is not around ROLLING CODE To improve the system security against playback attack, recent RKE systems provide a cryptographic rolling code protocol. The protocol is based on changing the transmitted message every time the fob button is pressed. Once the vehicle recognizes a message, the vehicle can t use the same message till a huge number of valid transmissions occur. The technique is based on a sequence counter that is stored and initialized to the same value in the vehicle and the fob upon manufacturing. The sequence counter is incremented according to a predefined algorithm every time a fob button is pressed. The new sequence counter number is stored in place of the

23 12 previous value and then transmitted to the vehicle. When the vehicle receives the transmitted message, it retrieves the sequence counter from its memory. The vehicle then starts a verification process before authenticating the message. To ensure the system reliability when the fob buttons are pressed while it is not within the vehicle reception range, a synchronization mechanism is implemented in the protocol. Synchronization between the fob and the vehicle is described in more detail in Section For example, one of the techniques used in rolling code is shown in Figure 2. The fob serial number is a unique number assigned to each fob at manufacturing time. The serial number is stored in the vehicle memory when the fob is programmed for the vehicle. Similarly, each fob is assigned an encryption key and an initial value to the sequence counter. The encryption key and the sequence counter are stored in the vehicle memory during the learning process. Since it is possible to have multiple fobs programmed for the vehicle, the vehicle maintains a memory block for each fob. Each block consists of three components, a serial number, an encryption key, and a sequence counter.

24 13 Basic Fob Operation Fob Memory Serial Number Encryption Key Sequence Counter Encryption Algorithm Encrypted Field Serial Number Pressed Button Transmitted Message Basic Vehicle Operation Vehicle Memory Serial Number Match? 1 Y 2 Encryption Key Decryption Algorithm Encrypted Field Serial Number Pressed Button Sequence Counter Sequence Counter Match? Y 3 4 Process Request Figure 2: Example of rolling code authentication for unidirectional RKE Figure 2 shows two main sections. The upper section represents the fob operation when a button is pressed. The fob sends a message that consists of an encrypted field, a fob serial number, and information about the button pressed. The lower section in the figure represents the vehicle operation as it receives a transmitted message from the fob.

25 14 When the fob button is pressed, the fob controller reads the sequence counter, increments the sequence counter by one (not shown in the figure), and stores the result back in place of the previous value. The incremented sequence counter is then used as one input to the encryption algorithm. The encryption algorithm reads the encryption key from the memory and encrypts the sequence counter. The output is an encrypted field that is sent to the vehicle along with the fob serial number and button press information. When the vehicle receives the message, it performs the following steps to verify the authenticity of the received message. 1. Compares the received fob serial number to the serial number in every memory block stored in the memory. If a match is found, the corresponding memory block content is used for further processing. In this case the vehicle proceeds to Step 2. If the received serial number did not match with any of the stored serial numbers, the vehicle identifies the message as an invalid message. 2. In this step the vehicle decrypts the received encrypted field using the encryption key from the memory block that has the matching serial number. The result is a decrypted sequence counter. 3. The decrypted sequence counter (from Step 2) is then compared with the stored sequence counter form the corresponding memory block. If the received decrypted sequence counter has a newer value within a predefined window, shown as match in the figure, the vehicle identifies

26 15 the message as a valid message. In this case the vehicle updates the sequence counter by storing the received value in place of the current value. This concludes the authentication process. The vehicle then proceeds to Step At this point the vehicle identifies the message as a valid message. The controller translates the button press information and commands the appropriate hardware to execute the requested function, i.e. door lock, unlock. Several variations of this technique are possible. One implementation is to include the button press information as part of the encrypted field. Other implementation is to use a fixed discriminator in addition to the sequence counter and button press information in the encrypted field [34]. Adding a discriminator to the encrypted message increases the number of possible combinations. Increasing the number of possible combinations reduce the risk of possible attacks such as the scan attack that will be discussed in a later section. When the vehicle receives the message and decrypts its content, it verifies whether the discriminator field matches with the one stored in the memory. If they match, the vehicle then tests the sequence counter value according to the procedure described earlier SYNCHRONIZATION It is possible that the fob buttons may accidentally been pressed when the fob was beyond the vehicle reception range. In this case the sequence

27 16 counter is updated in the fob only. As a consequence the sequence counter in the fob will not match the sequence counter in the vehicle for the next button press. This problem is known as the synchronization problem. To solve the synchronization problem, the vehicle defines an operation window (OW) for the sequence counter value. The OW is defined as the number of next consecutive values of the sequence counter stored in the vehicle s memory. In other words, it is the set of consecutive counts that is greater than (signed comparison) the current value of the sequence counter, but less than the current value plus the OW size. Signed comparison is required to allow for counter overflow as the counter reaches its absolute maximum value. If the received sequence counter is within the OW, the vehicle recognizes the message. The OW is updated continuously for every valid message received. The update is done simply by storing the received sequence counter in place of the current value in the memory. If the received sequence counter is beyond the OW, due to multiple presses of the button, the vehicle recognizes the message as an invalid message. Figure 3 illustrates the sequence counter OW.

28 17 Vehicle's Sequence Counter Current Value Increment Direction OW Valid Sequence Counter Invalid Sequence Counter Figure 3: Sequence Counter Operation Window More sophisticated synchronization mechanisms are also available if the fob button is accidentally pressed a number of times beyond the OW. One solution is based on the reception of two consecutive valid messages for re-synchronization to occur [35]. 2.3 BI-DIRECTIONAL RKE A bi-directional communications protocols for RKE, also known as Two-Way RKE [9], has been investigated in the past. Two-Way RKE provides the user with a feedback regarding the status of the vehicle. The feedback adds more value to the system especially for functions such as remote engine start, or vehicle intrusion. One of the communication protocols for bi-directional RKE is presented in [41]. The communication starts when the user presses one of the fob buttons. Initially both controllers in the fob and the vehicle are in a low power consumption mode, also known as sleep mode. When a user presses a button on the fob, the fob wakes up from its sleep mode. The fob then

29 18 sends an initial message. The initial message consists of a wake up signal and a fob identification code. The wake up signal wakes up all vehicles within the fob transmission range from their sleep mode. The fob identification code is a unique code for each fob manufactured. Each vehicle that wakes up compares the received fob identification code against an initially stored one in the memory. The vehicles that woke up but do not have a matching fob identification code go back to sleep. The vehicle with a matching code is then engaged with the fob in a sequence of steps to further identify the validity of the fob. The authentication process is shown in Figure 4. The process can be summarized as follows: 1. After the vehicle validates the identification code, it generates a random challenge. The random challenge is then transmitted to the fob. At the same time the vehicle encrypts the random challenge using the same encryption key stored in the fob. The vehicle saves the encrypted output of the random challenge as the expectedresponse. 2. When the fob receives the random challenge, it encrypts the challenge. The encrypted challenge is then transmitted as the challenge-response. 3. When the vehicle receives the challenge-response, it compares the challenge-response against the expected-response calculated in step 1. If the two match, the vehicle then identifies the fob as a valid fob.

30 19 Fob Operation Vehicle Operation Sleep Fob Button Pressed Sleep Transmit Initial Code Wakeup Circuit Y Time-out N Receive Random Challenge Send Random Challenge Generate Random Challenge Encrypt Random Challenge Encrypt Random Challenge Send Encrypted Challenge Receive Encrypted Challenge Compare Match? Y N Invalid Fob Valid Fob Figure 4: Example of rolling code for bi-directional RKE

31 IMMOBILIZER The immobilizer system provides the vehicle with additional level of security. The main functionality of an immobilizer system is to electronically verify the key when inserted in the ignition cylinder. The verification shall be completed prior to engine start. To verify a valid key form others, a batteryless Radio Frequency Identification Device (RFID), known as transponder, is embedded in the head of the key. The ignition cylinder is equipped with a loop antenna that communicates with the transponder via Low Frequency (LF) magnetic field. When the user inserts the key in the ignition cylinder the authentication protocol is started between the loop antenna and the transponder. The authentication protocol for the immobilizer system has been through several development stages. Different types of transponders are required to support each protocol [12]. The authentication protocols provide different security levels that can be summarized in the following four subsections FIXED CODE Fixed code is based on a read only transponder [21]. Each transponder has an ID that is stored in its memory. The vehicle initially learns the ID when the key is assigned to the vehicle. When the user inserts the key in the ignition, the vehicle generates an interrogation field to read the fixed code from the transponder. The vehicle then verifies the received code with the one in its memory. If the two codes match, the vehicle recognizes the key as a valid key. In response to a valid key, the vehicle authorizes the engine

32 21 to start. Two types of fixed code transponders are presented in [12]. The flexibility and security levels are different for each type. One type is based on a unique ID that is assigned to each transponder at the manufacturing time. The other type is based on the write-once transponder. The write-once transponder provides the capability to someone with a read/write device capability to duplicate the key without the need for the vehicle. This provides additional level of flexibility to duplicate the key, however, the problem is if that someone belongs to a criminal group who had access to the key during valet parking or vehicle service ROLLING CODE Rolling code system provides a higher level of security compared to the fixed code transponder. It is based on a read-write transponder. The vehicle controller has the ability to read and write the transponder s memory. It works similar to the fixed code except that the transponder sends a new code to the vehicle every time the key is placed in the ignition cylinder. The new code is uploaded and stored in the transponder memory during the previous ignition cycle. Though rolling code immobilizer system provides a higher level of security than a fixed code, it is more expensive, and requires synchronization method in the event that the write to the transponder fails during the previous ignition cycle

33 PASSWORD PROTECTION In this type of authentication the transponder is protected by a password. The transponder requires the reader to send a password every time the reader requests the transponder ID. If the reader sends the correct password, the transponder then responds back with its ID code. This is a simple mutual authentication process. Both parties have to identify themselves. Though, this type of authentication provides a higher level of security compared to the fixed code, it is still vulnerable to an attack. An intruder with read capability equipment could read the vehicle password and the transponder ID during valet parking or vehicle service. He could then build an emulation circuit to bypass the password sent by the vehicle and always respond with the transponder ID code CHALLENGE RESPONSE Challenge response, also known as Identify Friend or Foo (IFF) [35],[36], or digital signature [11],[12], provides a more secure and reliable protocol. The protocol is based on cryptography. Typically, the transponder has an encryption algorithm built into it. The same algorithm is also implemented in the vehicle. Both the vehicle s controller and the transponder share the same encryption key that is initially stored in their memory. The protocol starts when the user places the key in the ignition cylinder; the vehicle sends an interrogation message that contains a random number, called the challenge or the question. The transponder then encrypts the challenge and sends the result back to the vehicle, normally referred to as

34 23 the challenge-response or the answer. While the vehicle is waiting for the response, it calculates the expected response using the same encryption key in the transponder. If the received response matches the expected response, the vehicle then identifies the key as a valid key. To ensure security, the vehicle sends a new random challenge every time the key is inserted in the ignition cylinder. One of the requirements for the immobilizer system is to support multiple keys for the same vehicle. In this case, the vehicle has to calculate the expected response from each transponder programmed in the system. This is because each transponder might be programmed with different encryption key and the vehicle does not know which transponder has been used during that ignition cycle. Calculating all possible responses may have some security issues as well as increasing the system response time. One approach is to have all transponders programmed with the same encryption key. In this case one response is expected from all transponders. This might be an issue if one of the transponders is lost. A different approach is to have the transponder identify itself prior to the challenge signal. The vehicle then looks up the corresponding encryption key to calculate the expected response. This is very similar to the RKE bi-directional protocol described earlier It is interesting to mention at this point that the immobilizer system is one of several applications based on RFID technology. Other applications for RFID technology such as automatic retail fueling system [45], smart labels

35 24 for baggage, super security access control, and many other applications are available in the market or been advertised for [46]. 2.5 PASSIVE ACCESS SYSTEM The passive access system was introduced to the market as a convenient feature. It eliminates the users need to reach for a fob or a mechanical key to access their vehicles. The users are not required to take any actions to identify themselves to the vehicle. The vehicle automatically recognizes an authorized user from others by the possession of a CID. Any user who carries an authorized CID is recognized as an authorized user to the vehicle. Since the passive access system is installed on more than one vehicle, each vehicle shall recognize a uniquely coded CID. This requires a communication protocol to take place prior to any access to the vehicle. The main purpose of the communication protocol is to validate the identity of the CID held by the user. One of the major problems in a passive access system is to start and establish the communication between the CID and the vehicle. Several techniques were investigated to establish the communication without the user interaction. One technique is to have the CID transmit an access code message continuously. When the CID is within the vehicle reception range, the vehicle receives the message. If the access code in the message is valid, the vehicle unlocks the doors. This technique requires a unidirectional communication link from the CID to the vehicle. The CID battery consumption and security are major concerns in this technique. The unidirectional link will be investigated in more detailed in Section A

36 25 different technique to establish the communication is to have the vehicle continuously send an interrogation message. A CID within the vehicle s interrogation message range responds with an access code. If the access code is valid, the vehicle unlocks the doors. This technique requires a bidirectional communication link between the CID and the vehicle. The bidirectional link is investigated in detail, with different trigger mechanisms, in Section UNIDIRECTIONAL LINK The first passive keyless entry system was introduced on the 1993 corvette [42]. It was designed and patented by Lectron Products [49],[50]. Lectron s system was based on a unidirectional communication link from the CID to the vehicle. The CID continuously transmits an access code message while a user is carrying it. To save the power consumption of the CID battery, a motion sensor is integrated inside the CID. In this system, the CID can be in one of two different states: Active state: In this state, the CID continuously transmits access code messages. The CID enters this state when the motion sensor detects a motion. Sleep state: The CID enters this state when it is stationary. In this state, the CID stops transmitting any messages in order to save power consumption.

37 26 A user walking with a CID causes the motion sensor to trigger the CID to send its access code message. If the user is walking toward his vehicle, the vehicle receives the CID s message. If a valid message is received, the vehicle then unlocks the doors. In addition to transparent unlocking feature, the system is capable of automatically locking the vehicle when the CID s message is not received within a predefined time window. There are several problems with this technique, such as: i) If the user accidentally left the CID inside the vehicle, then there could be some problem like the user might be locked out. Or some intruders may come and shake the vehicle for the CID to transmit the access code message. This will cause the vehicle to unlock the doors and allow the intruders to get into the vehicle. ii) Since the CID continuously transmits while the user is moving, power consumption of the CID s battery remains an issue. iii) Collision of multiple signals may occur when multiple CIDs are moving. As a result the vehicle may deny access since the received signal might be corrupted due to collision. This situation may occur, for example, when a user and a spouse, each carrying a different CID, are approaching their vehicle. The collision of signals is also possible at the sport arena parking lot where everybody is walking toward his or her vehicle at the same time.

38 27 iv) A thief can easily break the security of the system by grabbing the code transmitted from the CID and then playing the code back next to the vehicle when the authorized user is not around BI-DIRECTIONAL LINK Even though Lectron s system provides a user with a transparent mechanism to access the vehicle, the security and reliability issues remain as major concerns. Additionally, the system still requires the user to reach for a key to start the engine. In order to provide the user with additional security and comfort levels, Mercedes S-Class has introduced a different type of passive keyless system [8],[33],[52]. Similar to the Corvette system, the Mercedes system requires the user to carry a CID as a proof of identity. When a user tries to open the vehicle s doors or trunk or start the engine either by pulling a door handle or pressing a button on the vehicle, the vehicle sends an interrogation message. If an authorized CID is present within the vehicle s operating range, the CID responds with an access code message. After receiving a valid access code message from the CID, the vehicle performs the necessary operation based on the trigger source. For example, unlocks the door if the door handle is pulled, or starts the engine if a button is pressed inside the vehicle. Different mechanisms have been investigated to initiate the interrogation message. One approach is to use a mechanical switch installed in the door handle assembly unit. The triggering switch could be a push

39 28 button [15], or integrated with the door handle [51], or touch-sensitive switch [16]. A second approach is the use of an infrared movement detector that is positioned in the door handle region [28]. A third approach is to continuously send an interrogation message to recognize the presence or absence of an authorized user and automatically lock or unlock the vehicle [48]. The generic term vehicle trigger will be used throughout this dissertation to indicate one of the mechanisms that starts the communication from the vehicle side. Regardless of the triggering mechanism, the communication protocol starts from the vehicle side. The vehicle starts the communication by transmitting an interrogation message. A CID within the vehicle s transmission range responds back with a message response. The Interrogation message is sent via a Low Frequency (LF) magnetic field link. The CID sends a response via a Radio Frequency signal (RF). The communication links between the vehicle and the CID are shown in Figure 5 Veh T R LF RF CID T Figure 5: Communication between the vehicle and the CID To support the LF communication link, the vehicle is equipped with a loop antenna in each door handle. The operating range between the CID and the loop antenna as suggested in [38] is about 2 to 2.6 meters. The LF link is

40 29 used in order to have a better range control between the interior and exterior of the vehicle [18]. This is due to the fact that the intensity of a magnetic field generated by an LF coil decreases at a rate proportional to the cube of the distance [16]. This property of LF signals allows for a better control of the coverage boundary within the vehicle interior. It also provides better control over the operating range of the signals outside the vehicle. The RF link is used in the return communication link (i.e. from the CID to the vehicle) due to the following reasons: An RF signal needs less power than an LF signal to transmit a message within the same range. This is due to the fact that the strength of an RF signal decreases with the square of the distance as opposed to the cube of the distance for an LF signal. The CID runs from a small battery power supply, so the use of an RF signal from the CID to the vehicle will have less impact on the CID battery power consumption compared to an LF signal in order to cover the same communication range. A high bit rate can be achieved if a message is transmitted using an RF signal as opposed to LF signals. Only one RF receiver is necessary inside the vehicle as opposed to multiple LF receivers needed to cover the entire operating range of the system.

41 30 An authentication process starts as soon as the vehicle is triggered. The vehicle starts the communication by sending an LF interrogation message. One portion of the LF interrogation message is a wake-up signal. This signal is used to wake up all CIDs within the operating range from their sleep mode. The interrogation message may also include some coded bits for security purposes. Once a CID wakes up from its sleep mode, it decodes the information received if any, and responds back to the vehicle with an access code. The entire bi-directional authentication process has to be completed before a door handle reaches its full travel. If the control unit in the vehicle receives a valid message from the CID, it unlocks the doors and allows the user to access its compartment. The use of the bi-directional communication link for passive access systems provides several variations to implement an authentication process between the CID and the vehicle. Similar protocols like the one used for immobilizer systems may also be used for passive access systems. However, there are several important requirement differences between immobilizer systems and passive access systems. These differences are summarized as follows: i) The passive access system has a longer range than the immobilizer system. This may introduce an easy method for an attacker to grab the code and analyze it.

42 31 ii) Access to the immobilizer interrogation message requires an attacker to be inside the vehicle compartment. This is not the case for the passive access system where an attacker can access the interrogation message by simply pulling the door handle. iii) The protocol for the passive system has to provide means to coordinate among two or more units involved in the protocol (multiple CIDs in the working range when the vehicle is triggered). This is not the case for the immobilizer system where only the vehicle and one key are engaged in the protocol. iv) The timing requirements to complete the authentication process for a passive access system is more restrict than the timing requirements for an immobilizer system. In summary, the use of bi-directional communication links between the vehicle and the CID allows several protocol variations. Table 1 shows some of those variations.

43 32 Protocol Name LF RF Trigger-Fixed Trigger Fixed code Trigger-Rolling Trigger Rolling Code Fixed-Fixed Fixed code Fixed code Fixed-Rolling Fixed code Rolling Code Variable-Variable Rolling Code Rolling Code Challenge-Response Challenge Response Table 1: Summary of available authentication using a bi-directional link for passive vehicle i) Trigger-Fixed: In this protocol, the vehicle sends an LF trigger. The trigger contains no information. The CID senses the LF trigger and responds back with its fixed code. One advantage of using a noncoded LF trigger is to reduce the cost of an LF demodulator circuitry in the CID ii) Trigger-Rolling: In this protocol, the vehicle sends an LF trigger. The trigger contains no information. When the CID senses the LF trigger it responds back with a rolling code. The system works exactly as a rolling code RKE. However, the user s action of pressing a button on the fob is replaced by sensing an LF trigger from the vehicle.

44 33 iii) Fixed-Fixed: This is similar to the password protection method used in the immobilizer system. One implementation of this approach can be found in [37]. iv) Fixed-Rolling: This is similar to the Trigger-Rolling method except that the CID checks if the received fixed code matches a preset code in the CID memory before the CID responds back with its rolling code. v) Variable-Variable: This is similar to the rolling code described in Section vi) Challenge-Response: This is also similar to the challenge-response described in Section RANDOM NUMBER GENERATORS One of the suggested protocols in Table 1 is the use of a challenge response protocol. The protocol starts when the vehicle sends a challenge that is a random code and different for every activation. The heart of the random challenge is a random number. A random number provides the challenge with its randomness property. Random numbers are commonly used for simulation purposes. They form the basic tool for any stochastic modeling. Good simulation results mainly depend on the selection of the random number generator. A good generator provides a sequence of random numbers that are non-deterministic and completely independent from each other. On a computing machine, a completely independent random numbers