Quick viewing(Text Mode)

Keeloq 25C3

Keeloq 25C3

Messing around with Garage Doors Breaking KeeLoq with

Thomas Eisenbarth & Timo Kasper Embedded Securityyp Group EMSEC (Prof. Paar ) Horst Görtz Institute for IT Security Ruhr-University Bochum, Germany

Berlin, 27. December 2008 Why are we here ?

nothing to hide.

Thomas Eisenbarth & Timo Kasper @ 25C3 Agenda

• Remote Keyless Entry (RKE) Systems

• KeeLoq Block

• Side-Channel Attacking KeeLoq

• Results and Implications

Thomas Eisenbarth & Timo Kasper @ 25C3 How do Keyyyyless Entry Systems work?

early access controls: fixed code (“password”)

code

eavesdropper duplicates (cloning)

but the industry learned …

Thomas Eisenbarth & Timo Kasper @ 25C3 Modern Keyless Entry Systems

advanced theft control: rolling code

code = ek(ni)

rolling code (or hopping code) protects against replay attacks: ek() is often a 1. code = ek(()n) 2. code = ek(n+1) 3. code = ek(n+2) ….

Thomas Eisenbarth & Timo Kasper @ 25C3 Alternative: Challenge - Response

challenge

Ci

ek(Ci) = Ri

response

• again, ek() is often a block cipher 1. Computes: R’ = e (C ) • also protects against i k i ? • € drawback: requires bidirectional 2. Verifies: R’ = R devices on either side i i • In most real-world car and building access control systems: rolling code

Thomas Eisenbarth & Timo Kasper @ 25C3 Popular Remote Keyless Entry Cipher: KeeLoq

• KeeLoq is used in rolling code mode or in a challenge-response protocol • active remote control for access control • KeeLoq chip embedded in passive RFID – transponder (e.g. for car immobilizer) • Wikipedia (?): Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, VW, Jaguar, ... • widely used for garage doors in US & Europe

Q: How secure is KeeLoq?

Thomas Eisenbarth & Timo Kasper @ 25C3 KeeLoq Rolling Code Scheme

r te n u o s e c u d l li a a v V Counter: n+1

Discrimination Synchronization Counter Func. Value 32 Receiver decrypts & checks Device 64 KEELOQ validity o f coun ter va lue Key

32

Hopping Code Func. Serial Number. Hopping Code not encrypted encrypted

Thomas Eisenbarth & Timo Kasper @ 25C3 Key Management

OEM get s MMftKanufacturer Key kM assigned (b urned i n all its rece ivers)

1) Creation of new remote (in secure environment)

#ser

kdev = f(#ser , kM) Key derivation kM

2) Key Learning Phase of receiver (keys are never sent in clear) kM #ser

1. compute kdev =f(#ser= f(#ser, kM) 2. store #ser and kdev Thomas Eisenbarth & Timo Kasper @ 25C3 Key Derivation Schemes

1. ()y Derivation (XOR) 2. Strongyg Key Derivation (KeeLo )

Serial Number/SEED Serial Number/SEED

1 2 1 2 32 32 32 32 Manufacturer 64 Key Manufacturer 64 64 64 Key 64 32 32 Device Key Device Key

In either case, the Device Key is derived from – Manufacturer key – Serial number and/or a random (32…60 bits)

Thomas Eisenbarth & Timo Kasper @ 25C3 Key Derivation: Attacker ‘ s Assessment

1. Weak Key()y Derivation (XOR) 2. Strongyg Key Derivation (KeeLo q)

Serial Number/SEED Serial Number/SEED

1 2 1 2 32 32 32 32 Manufacturer 64 Key Manufacturer 64 64 64 Key 64 32 32 Device Key Device Key

If we h ave th e D evi ce Key, If we have the Device Key, we getting the Manufacturer Key is still have to break KeeLoq trivial (and vice versa)

Thomas Eisenbarth & Timo Kasper @ 25C3 Rise and Fall of KeeLoq

wide spread adoption as RKE

Jun07 mid-1980s 1995 ca. 2006 (?)

Cipher appears creation in in the Internet South Africa Mathem. attacks by 1. Bogdanov KeeLoq sold 2. Courtois et al. to Microchip 3. Indesteege et al.

Thomas Eisenbarth & Timo Kasper @ 25C3 Mathematical Attacks: RfMftKRecovery of Manufacturer Key

XOR KKLeeLoq Key Derivation Key Derivation Challenge- Response Y N Rolling Code N N

Mathematical attacks are cryptanalytically very impressive: • Device Key is recovered from 216 known plain-/ pairs • But: Rolling code mode does not provide !

• Q: How dangerous are physical attacks?

Thomas Eisenbarth & Timo Kasper @ 25C3 Rise and Fall of KeeLoq

wide spread adoption as RKE

Jun07 mid-1980s 1995 ca. 2006 (?) Dec07

Cipher appears creation in in the Internet South Africa Side-channel attack b y Mathem. attacks by Bochum team 1. Bogdanov KeeLoq sold 2. Courtois et al. to Microchip 3. Indesteege et al.

Thomas Eisenbarth & Timo Kasper @ 25C3 Power Analysis of a Remote Control

?

secretkt key of remot e cont rol (HCS XXX Chip ) !

Thomas Eisenbarth & Timo Kasper @ 25C3 History of Side-Channel Attacks (1-slide version)

• Existence of side-channels on cryptographic devices known for several decades, (e.g., “TEMPEST“) • Few concrete results / poor understanding prior to 1996 (at least outside intelligence community) • 2nd half of 1990s: golden years of SCA – Fault attack (RSA CRT), 1996 – Timing attacks, 1996 – SPA, DPA, 1998 • Since 1999: 100‘ s of SCA research papers, e.g . in CHES • But: so far very few (if any) documented real-world attacks

Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack

1. Find a suited predictable intermediate value in the cipher

2. Measure the pppower consumption

3. Align and reduce size of acquired data

4. Correlate measurements with model

Thomas Eisenbarth & Timo Kasper @ 25C3 KeeLoq – Algorithm

State Register, y 703 2402 1 110

NLF

XOR

Key Register, k 7 6 5 4 3 2 1 0 0

• 64 bit key, 32 bit block length • NLFSR compr is ing a 5x 1 non-linear func tion • Simple key management: key is rotated in every clock cycle • 528 rounds, each round one key bit is read Æ Lightweight cipher – cheap and efficient in hardware

Thomas Eisenbarth & Timo Kasper @ 25C3 KeeLoq – Power Model

State Register, y 703 2402 1 110

NLF

XOR

Key Register, k 7 6 5 4 3 2 1 0 0

Power Consumption: – logic is negligible – depends on number of (toggling) 0s and 1s of the registers – power consumption of Key Register is constant Æ Variations of power consumption are related to the State Register

Thomas Eisenbarth & Timo Kasper @ 25C3 KeeLoq – Attack

State Register, y 703 2402 1 110

NLF

XOR

Key Register, k 7 6 5 4 3 2 1 0 0

Æ knowing the state directly reveals one key bit per clock cycle

Æ Anal yz ing var ia tions of th e st at e will revea l th e secre t k ey

Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack

1. Find a suited predictable intermediate value in the cipher

2. Measure the pppower consumption

3. Align and reduce size of acquired data

4. Correlate measurements with model

Thomas Eisenbarth & Timo Kasper @ 25C3 Measuring the Power Consumption

• Digital oscilloscope (max. 1 GS/s sample rate) • Measure electric current or electromagnetic field

Thomas Eisenbarth & Timo Kasper @ 25C3 Measuring the Power Consumption

• Digital oscilloscope (max. 1 GS/s sample rate) • Measure electric current or electromagnetic field

Thomas Eisenbarth & Timo Kasper @ 25C3 Power Trace of a remote control: Finding the KEELOQ - Encryption

write EEPROM

KEELOQ send hopping code

press button

Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack

1. Find a suited predictable intermediate value in the cipher

2. Perform power measurements

3. Align and reduce size of acquired data

4. Correlate measurements with model

Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack Post Processing

Main problems: • Alignment • Clock jitter introduces noise • Traces are very large

Peak detection takes care of alignment and reduces size of traces!

Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack

1. Find a suited predictable intermediate value in the cipher

2. Perform power measurements

3. Align and reduce size of acquired data

4. Correlate measurements with model

Thomas Eisenbarth & Timo Kasper @ 25C3 Performing the Side-Channel Attack Key Recovery

• Correlate real power consumption Ii 1 with predicted value D = f (Xi, Kh) 0.8 • Divide and conquer approach • Let the best-matching 0.6 key candidates “survive“ 0.4 Correlation

0.2

0

0 10 20 30 40 50 60 70 80 90 round

Thomas Eisenbarth & Timo Kasper @ 25C3 DPA Workshop @ 25C3

Learn to perform your own DPA !!!

Recover Keys from: – KeeLoq Transmitter IC (HCS Chip) – Smart Card featuring an AES Implementation

Further information: http://events.ccc.de/congress/2008/wiki/DPA_Workshop 0.6

0.5

0.4

0.3

0.2

Correlation 0.1

0

-0.1

-0.2 2000 4000 6000 8000 10000 12000 Thomas Eisenbarth & Timo Kasper @ 25C3 Power Analysis of the Receiver

?

secret key of manufacturer! Thomas Eisenbarth & Timo Kasper @ 25C3 Side-Channel Attack Results for KeeLoq

A) Hardware implementation (“car key“) • Total attack time (for known device family): 5-30 traces, ≈ minutes

B) Soft ware i mpl ement ati on (“ car d oor“) • Total attack time (for known device family): 1000-5000 traces, ≈ hours • reveals Manufacturer Key for ALL key derivation modes

Thomas Eisenbarth & Timo Kasper @ 25C3 Comparison of Packages & Sample Rates

< 10 traces < 30 traces

< 100MS/s No expensive equipment needed for key recovery !

Thomas Eisenbarth & Timo Kasper @ 25C3 Microchip about KeeLoq:

Thomas Eisenbarth & Timo Kasper @ 25C3 So what can we do now (1) ?

1. If we have access to a remote:

Recover Device Key and clone the remote

2. If we have access to a receiver:

Recover Manufacturer Keyyg & generate new remotes

Thomas Eisenbarth & Timo Kasper @ 25C3 So what can we do now (2) ?

3. After step 2 ( i.e., possessing the Manufacturer Key): Remotely eavesdrop on 1-2 communications & clone remote!

#ser, KeeLoq(n+1)

• works for all key derivation schemes • iittlnstantly ffkor key d ditiferivation from seri ilal numb er www.copacobana.org • otherwise use PC (short seed) or COPACOBANA (long seed) Thomas Eisenbarth & Timo Kasper @ 25C3 Details on Eavesdropping Attack

Possessing the Manufacturer Key: Remotely eavesdrop on 1-2 communications, and clone Device Key! known(Serial) or brute -forced(Seed)

Serial Number/SEED

1 2 32 32 Manufacturer Key 64 known64 32 32 Device Key …easy. 1. Recover Device Key 2. Decrypt Rolling Code Æ obtain counter etc . 3. Clone the remote control Thomas Eisenbarth & Timo Kasper @ 25C3 Details on Eavesdropping Attack

Possessing the Manufacturer Key: Remotely eavesdrop on 1-2 communications, and clone Device Key! known(Serial) or brute -forced(Seed)

Serial Number/SEED

1 2 32 32 Manufacturer Key 64 known64 32 32 Device Key …easy. 1. Recover Device Key Side-channel step (one-time recovery of manufacturer key), 2. Decrypt Rolling Code Æ obtain counter etc . difficult, can be outsourced to criminal cryptographers ! 3. Clone the remote control Thomas Eisenbarth & Timo Kasper @ 25C3 Taking over a KeeLoq System

• Receiver updates its internal counter according In crem to the last received valid Rolling Code ent cou nter

r te n u o c es u d l li a a v V

Block Window Counter Space

Thomas Eisenbarth & Timo Kasper @ 25C3 Taking over a KeeLoq System

• Receiver updates its internal counter according In crem to the last received valid Rolling Code ent cou nter

r te n u o c es u d l li a a v • Generate valid Rolling Code with chosen V counter value Counter Space x

• Counter of original remote control is in the block window Æ Door will not open. Block Window ! • Attacker can still access the secured object !

Thomas Eisenbarth & Timo Kasper @ 25C3 Summary

• “Securit y onl y b y Ob scurit y“ mak es i nsecure systems • DPA works for commercial access control system • some severe attacks can be done by non-specialists

• side-channel attacks are a real threat for all unprotected imppylementations of crypptography (ECC, AES, …) • though SCA is well-known for more than a decade, many embedded / consumer-style applications are still not side-channel resistant

Disclaimer: Our attacks do not imply that real-world systems have actually been attacked via SCA by criminals (merely by researchers). Thomas Eisenbarth & Timo Kasper @ 25C3 Literature

Thomas Eisenbarth & Timo Kasper @ 25C3 Conferences & Workshops

CHES 2009, September 6-9, Lausanne, Switzerland

Eurocrypt 2009, April 26-30, Cologne, Germany

Thomas Eisenbarth & Timo Kasper @ 25C3 Thomas Eisenbarth & Timo Kasper contact: @crypto.rub.de

Embedded Security Group (C. Paar) Ruhr-University Bochum www.crypto.rub.de Thomas Eisenbarth & Timo Kasper @ 25C3 A Namingg() Tale (2005)

possible abbrevations for„Cost-optimized Parallel Code-Breaker“

CPCB? COPCOB? COPCOBRA? COOPACOB? COPACOBRA? …

► COPACOBANA

Thomas Eisenbarth & Timo Kasper @ 25C3 A Naming Tale

… Easy to remember: Copacabana…

Thomas Eisenbarth & Timo Kasper @ 25C3 COPACOBANA

• Cost-Optimized PArallel COde Breaker • FPGA-based reconfigurable machine for • Parallel architecture built out of 120 Xilinx Spartan3 FPGAs • MdlModular des ign: - Backplane with FPGA modules (each with 6 low-cost FPGAs) - Controller card with USB interface or TCP/IP Interface

Thomas Eisenbarth & Timo Kasper @ 25C3 To break DES in 6. 4 days in average • You need

32,640 PCs or 1 COPACOBANA

Thomas Eisenbarth & Timo Kasper @ 25C3 Breaking the A5/1

• Guess complete content of R1, R2 • Derive content of R3 step-by-step: a. Derive MSB of R3 from R1, R2, and known KS b. Guess C3 (clocking bit of R3) until R3 is completely determined. • Continue clocking A5/1 & compare generated KS against known KS • If 64 bits of generated KS match, then CANDIDATE FOUND

R1

KS R2

C3 R3

Thomas Eisenbarth & Timo Kasper @ 25C3 Break electronic passports

• weak keys in Basic Access Control (BAC)

• possible real-time attack with COPACOBANA

… steal identities, track people, trigger alarms, …

Thomas Eisenbarth & Timo Kasper @ 25C3 Break KeeLoq with COPACOBANA

After extractingyg the Manufacturer Key (y(needs to be done only once) if SEED is used → brute force SEED space

Serial Number/SEED

1 2 32 32 Manufacturer Key 64 64 32 32 Device Key • 110 million keys / second verified in 1 FPGA Spartan 3-1000 • 32 bit seed: 39 seconds / 1 FPGA • 48 bit seed: 5.9 hours / 1 COPACOBANA • 60 bit seed: 101 days / 10 COPACOBANAs Æ 60 bit res is ts bru te force - btbut we haven‘t seen it use d

Thomas Eisenbarth & Timo Kasper @ 25C3