Keeloq 25C3
Messing around with Garage Doors Breaking KeeLoq with Power Analysis
Thomas Eisenbarth & Timo Kasper Embedded Securityyp Group EMSEC (Prof. Paar ) Horst Görtz Institute for IT Security Ruhr-University Bochum, Germany
Berlin, 27. December 2008 Why are we here ?
nothing to hide.
Thomas Eisenbarth & Timo Kasper @ 25C3 Agenda
• Remote Keyless Entry (RKE) Systems
• KeeLoq Block Cipher
• Side-Channel Attacking KeeLoq
• Results and Implications
Thomas Eisenbarth & Timo Kasper @ 25C3 How do Keyyyyless Entry Systems work?
early access controls: fixed code (“password”)
code
eavesdropper duplicates key (cloning)
but the industry learned …
Thomas Eisenbarth & Timo Kasper @ 25C3 Modern Keyless Entry Systems
advanced theft control: rolling code
code = ek(ni)
rolling code (or hopping code) protects against replay attacks: ek() is often a block cipher 1. code = ek(()n) 2. code = ek(n+1) 3. code = ek(n+2) ….
Thomas Eisenbarth & Timo Kasper @ 25C3 Alternative: Challenge - Response
challenge
Ci
ek(Ci) = Ri
response
• again, ek() is often a block cipher 1. Computes: R’ = e (C ) • also protects against replay attack i k i ? • € drawback: requires bidirectional 2. Verifies: R’ = R devices on either side i i • In most real-world car and building access control systems: rolling code
Thomas Eisenbarth & Timo Kasper @ 25C3 Popular Remote Keyless Entry Cipher: KeeLoq
• KeeLoq is used in rolling code mode or in a challenge-response protocol • active remote control for access control • KeeLoq chip embedded in passive RFID – transponder (e.g. for car immobilizer) • Wikipedia (?): Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, VW, Jaguar, ... • widely used for garage doors in US & Europe
Q: How secure is KeeLoq?
Thomas Eisenbarth & Timo Kasper @ 25C3 KeeLoq Rolling Code Scheme
r te n u o s e c u d l li a a v V Counter: n+1
Discrimination Synchronization Counter Func. Value 32 Receiver decrypts & checks Device 64 KEELOQ validity o f coun ter va lue Key Encryption
32
Hopping Code Func. Serial Number. Hopping Code not encrypted encrypted
Thomas Eisenbarth & Timo Kasper @ 25C3 Key Management
OEM get s MMftKanufacturer Key kM assigned (b urned i n all its rece ivers)
1) Creation of new remote (in secure environment)
#ser
kdev = f(#ser , kM) Key derivation kM
2) Key Learning Phase of receiver (keys are never sent in clear) kM #ser
1. compute kdev =f(#ser= f(#ser, kM) 2. store #ser and kdev Thomas Eisenbarth & Timo Kasper @ 25C3 Key Derivation Schemes
1. Weak Key()y Derivation (XOR) 2. Strongyg Key Derivation (KeeLo q)
Serial Number/SEED Serial Number/SEED
1 2 1 2 32 32 32 32 Manufacturer 64 Key Manufacturer 64 64 64 Key 64 32 32 Device Key Device Key
In either case, the Device Key is derived from – Manufacturer key – Serial number and/or a random seed (32…60 bits)
Thomas Eisenbarth & Timo Kasper @ 25C3 Key Derivation: Attacker ‘ s Assessment
1. Weak Key()y Derivation (XOR) 2. Strongyg Key Derivation (KeeLo q)
Serial Number/SEED Serial Number/SEED
1 2 1 2 32 32 32 32 Manufacturer 64 Key Manufacturer 64 64 64 Key 64 32 32 Device Key Device Key
If we h ave th e D evi ce Key, If we have the Device Key, we getting the Manufacturer Key is still have to break KeeLoq trivial (and vice versa)
Thomas Eisenbarth & Timo Kasper @ 25C3 Rise and Fall of KeeLoq
wide spread adoption as RKE
Jun07 mid-1980s 1995 ca. 2006 (?)
Cipher appears creation in in the Internet South Africa Mathem. attacks by 1. Bogdanov KeeLoq sold 2. Courtois et al. to Microchip 3. Indesteege et al.
Thomas Eisenbarth & Timo Kasper @ 25C3 Mathematical Attacks: RfMftKRecovery of Manufacturer Key
XOR KKLeeLoq Key Derivation Key Derivation Challenge- Response Y N Rolling Code N N
Mathematical attacks are cryptanalytically very impressive: • Device Key is recovered from 216 known plain-/ciphertext pairs • But: Rolling code mode does not provide plaintext!
• Q: How dangerous are physical attacks?
Thomas Eisenbarth & Timo Kasper @ 25C3 Rise and Fall of KeeLoq
wide spread adoption as RKE
Jun07 mid-1980s 1995 ca. 2006 (?) Dec07
Cipher appears creation in in the Internet South Africa Side-channel attack b y Mathem. attacks by Bochum team 1. Bogdanov KeeLoq sold 2. Courtois et al. to Microchip 3. Indesteege et al.
Thomas Eisenbarth & Timo Kasper @ 25C3 Power Analysis of a Remote Control
?
secretkt key of remot e cont rol (HCS XXX Chip ) !
Thomas Eisenbarth & Timo Kasper @ 25C3 History of Side-Channel Attacks (1-slide version)
• Existence of side-channels on cryptographic devices known for several decades, (e.g., “TEMPEST“) • Few concrete results / poor understanding prior to 1996 (at least outside intelligence community) • 2nd half of 1990s: golden years of SCA – Fault attack (RSA CRT), 1996 – Timing attacks, 1996 – SPA, DPA, 1998 • Since 1999: 100‘ s of SCA research papers, e.g . in CHES • But: so far very few (if any) documented real-world attacks
Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack
1. Find a suited predictable intermediate value in the cipher
2. Measure the pppower consumption
3. Align and reduce size of acquired data
4. Correlate measurements with model
Thomas Eisenbarth & Timo Kasper @ 25C3 KeeLoq – Algorithm
State Register, y 703 2402 1 110
NLF
XOR
Key Register, k 7 6 5 4 3 2 1 0 0
• 64 bit key, 32 bit block length • NLFSR compr is ing a 5x 1 non-linear func tion • Simple key management: key is rotated in every clock cycle • 528 rounds, each round one key bit is read Æ Lightweight cipher – cheap and efficient in hardware
Thomas Eisenbarth & Timo Kasper @ 25C3 KeeLoq – Power Model
State Register, y 703 2402 1 110
NLF
XOR
Key Register, k 7 6 5 4 3 2 1 0 0
Power Consumption: – logic is negligible – depends on number of (toggling) 0s and 1s of the registers – power consumption of Key Register is constant Æ Variations of power consumption are related to the State Register
Thomas Eisenbarth & Timo Kasper @ 25C3 KeeLoq – Attack
State Register, y 703 2402 1 110
NLF
XOR
Key Register, k 7 6 5 4 3 2 1 0 0
Æ knowing the state directly reveals one key bit per clock cycle
Æ Anal yz ing var ia tions of th e st at e will revea l th e secre t k ey
Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack
1. Find a suited predictable intermediate value in the cipher
2. Measure the pppower consumption
3. Align and reduce size of acquired data
4. Correlate measurements with model
Thomas Eisenbarth & Timo Kasper @ 25C3 Measuring the Power Consumption
• Digital oscilloscope (max. 1 GS/s sample rate) • Measure electric current or electromagnetic field
Thomas Eisenbarth & Timo Kasper @ 25C3 Measuring the Power Consumption
• Digital oscilloscope (max. 1 GS/s sample rate) • Measure electric current or electromagnetic field
Thomas Eisenbarth & Timo Kasper @ 25C3 Power Trace of a remote control: Finding the KEELOQ - Encryption
write EEPROM
KEELOQ send hopping code
press button
Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack
1. Find a suited predictable intermediate value in the cipher
2. Perform power measurements
3. Align and reduce size of acquired data
4. Correlate measurements with model
Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack Post Processing
Main problems: • Alignment • Clock jitter introduces noise • Traces are very large
Peak detection takes care of alignment and reduces size of traces!
Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack
1. Find a suited predictable intermediate value in the cipher
2. Perform power measurements
3. Align and reduce size of acquired data
4. Correlate measurements with model
Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack Key Recovery
• Correlate real power consumption Ii 1 with predicted value D = f (Xi, Kh) 0.8 • Divide and conquer approach • Let the best-matching 0.6 key candidates “survive“ 0.4 Correlation
0.2
0
0 10 20 30 40 50 60 70 80 90 round
Thomas Eisenbarth & Timo Kasper @ 25C3 DPA Workshop @ 25C3
Learn to perform your own DPA !!!
Recover Keys from: – KeeLoq Transmitter IC (HCS Chip) – Smart Card featuring an AES Implementation
Further information: http://events.ccc.de/congress/2008/wiki/DPA_Workshop 0.6
0.5
0.4
0.3
0.2
Correlation 0.1
0
-0.1
-0.2 2000 4000 6000 8000 10000 12000 Thomas Eisenbarth & Timo Kasper @ 25C3 Power Analysis of the Receiver
?
secret key of manufacturer! Thomas Eisenbarth & Timo Kasper @ 25C3 Side-Channel Attack Results for KeeLoq
A) Hardware implementation (“car key“) • Total attack time (for known device family): 5-30 traces, ≈ minutes
B) Soft ware i mpl ement ati on (“ car d oor“) • Total attack time (for known device family): 1000-5000 traces, ≈ hours • reveals Manufacturer Key for ALL key derivation modes
Thomas Eisenbarth & Timo Kasper @ 25C3 Comparison of Packages & Sample Rates
< 10 traces < 30 traces
< 100MS/s No expensive equipment needed for key recovery !
Thomas Eisenbarth & Timo Kasper @ 25C3 Microchip about KeeLoq:
Thomas Eisenbarth & Timo Kasper @ 25C3 So what can we do now (1) ?
1. If we have access to a remote:
Recover Device Key and clone the remote
2. If we have access to a receiver:
Recover Manufacturer Keyyg & generate new remotes
Thomas Eisenbarth & Timo Kasper @ 25C3 So what can we do now (2) ?
3. After step 2 ( i.e., possessing the Manufacturer Key): Remotely eavesdrop on 1-2 communications & clone remote!
#ser, KeeLoq(n+1)
• works for all key derivation schemes • iittlnstantly ffkor key d ditiferivation from seri ilal numb er www.copacobana.org • otherwise use PC (short seed) or COPACOBANA (long seed) Thomas Eisenbarth & Timo Kasper @ 25C3 Details on Eavesdropping Attack
Possessing the Manufacturer Key: Remotely eavesdrop on 1-2 communications, and clone Device Key! known(Serial) or brute -forced(Seed)
Serial Number/SEED
1 2 32 32 Manufacturer Key 64 known64 32 32 Device Key …easy. 1. Recover Device Key 2. Decrypt Rolling Code Æ obtain counter etc . 3. Clone the remote control Thomas Eisenbarth & Timo Kasper @ 25C3 Details on Eavesdropping Attack
Possessing the Manufacturer Key: Remotely eavesdrop on 1-2 communications, and clone Device Key! known(Serial) or brute -forced(Seed)
Serial Number/SEED
1 2 32 32 Manufacturer Key 64 known64 32 32 Device Key …easy. 1. Recover Device Key Side-channel step (one-time recovery of manufacturer key), 2. Decrypt Rolling Code Æ obtain counter etc . difficult, can be outsourced to criminal cryptographers ! 3. Clone the remote control Thomas Eisenbarth & Timo Kasper @ 25C3 Taking over a KeeLoq System
• Receiver updates its internal counter according In crem to the last received valid Rolling Code ent cou nter
r te n u o c es u d l li a a v V
Block Window Counter Space
Thomas Eisenbarth & Timo Kasper @ 25C3 Taking over a KeeLoq System
• Receiver updates its internal counter according In crem to the last received valid Rolling Code ent cou nter
r te n u o c es u d l li a a v • Generate valid Rolling Code with chosen V counter value Counter Space x
• Counter of original remote control is in the block window Æ Door will not open. Block Window ! • Attacker can still access the secured object !
Thomas Eisenbarth & Timo Kasper @ 25C3 Summary
• “Securit y onl y b y Ob scurit y“ mak es i nsecure systems • DPA works for commercial access control system • some severe attacks can be done by non-specialists
• side-channel attacks are a real threat for all unprotected imppylementations of crypptography (ECC, AES, …) • though SCA is well-known for more than a decade, many embedded / consumer-style applications are still not side-channel resistant
Disclaimer: Our attacks do not imply that real-world systems have actually been attacked via SCA by criminals (merely by researchers). Thomas Eisenbarth & Timo Kasper @ 25C3 Literature
Thomas Eisenbarth & Timo Kasper @ 25C3 Conferences & Workshops
CHES 2009, September 6-9, Lausanne, Switzerland
Eurocrypt 2009, April 26-30, Cologne, Germany
Thomas Eisenbarth & Timo Kasper @ 25C3 Thomas Eisenbarth & Timo Kasper contact: keeloq@crypto.rub.de
Embedded Security Group (C. Paar) Ruhr-University Bochum www.crypto.rub.de Thomas Eisenbarth & Timo Kasper @ 25C3 A Namingg() Tale (2005)
possible abbrevations for„Cost-optimized Parallel Code-Breaker“
CPCB? COPCOB? COPCOBRA? COOPACOB? COPACOBRA? …
► COPACOBANA
Thomas Eisenbarth & Timo Kasper @ 25C3 A Naming Tale
… Easy to remember: Copacabana…
Thomas Eisenbarth & Timo Kasper @ 25C3 COPACOBANA
• Cost-Optimized PArallel COde Breaker • FPGA-based reconfigurable machine for cryptanalysis • Parallel architecture built out of 120 Xilinx Spartan3 FPGAs • MdlModular des ign: - Backplane with FPGA modules (each with 6 low-cost FPGAs) - Controller card with USB interface or TCP/IP Interface
Thomas Eisenbarth & Timo Kasper @ 25C3 To break DES in 6. 4 days in average • You need
32,640 PCs or 1 COPACOBANA
Thomas Eisenbarth & Timo Kasper @ 25C3 Breaking the A5/1
• Guess complete content of R1, R2 • Derive content of R3 step-by-step: a. Derive MSB of R3 from R1, R2, and known KS b. Guess C3 (clocking bit of R3) until R3 is completely determined. • Continue clocking A5/1 & compare generated KS against known KS • If 64 bits of generated KS match, then CANDIDATE FOUND
R1
KS R2
C3 R3
Thomas Eisenbarth & Timo Kasper @ 25C3 Break electronic passports
• weak keys in Basic Access Control (BAC)
• possible real-time attack with COPACOBANA
… steal identities, track people, trigger alarms, …
Thomas Eisenbarth & Timo Kasper @ 25C3 Break KeeLoq with COPACOBANA
After extractingyg the Manufacturer Key (y(needs to be done only once) if SEED is used → brute force SEED space
Serial Number/SEED
1 2 32 32 Manufacturer Key 64 64 32 32 Device Key • 110 million keys / second verified in 1 FPGA Spartan 3-1000 • 32 bit seed: 39 seconds / 1 FPGA • 48 bit seed: 5.9 hours / 1 COPACOBANA • 60 bit seed: 101 days / 10 COPACOBANAs Æ 60 bit res is ts bru te force - btbut we haven‘t seen it use d
Thomas Eisenbarth & Timo Kasper @ 25C3