
kj4ips | 6 months ago

Tons of the rolling key systems on the market are based on KeeLoq, and KeeLoq is a fairly well designed system with a big linchpin.

It has something called a 'manufacturer key', which needs to be available to any device that allows field pairing of remotes. If that manufacturer key is known, it only takes two samples from an authenticator to determine the sequence key.

Absent the manufacturer key, jamming+replay attacks work, but brute forcing a sequence key is generally prohibitively costly.

However, since any receiver that supports field programming needs the magic "manufacturer key", one could purchase such a unit, and may be able to extract said key.

userbinator | 6 months ago

They could've designed a system that doesn't require a fixed secret master key, but instead generates a unique random key for each receiver and requires a physical connection between the fob and the receiver (located inside the locked part of the car) to pair them. Of course such a generic system would be against manufacturer's interests in controlling the repair and aftermarket industry.

phire | 6 months ago

You don't even need a physical connection.

As long as you have two-way wireless communication (which any keyless entry/start system does), then you can simply do a Diffie-Hellman key exchange during the pairing process.

Diffie-Hellman is designed for exactly this use case, allowing two parties to derive a shared secret key over a public channel without exposing it.
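The pairing phire describes, as an added illustration rather than code from this thread or from any KeeLoq product: a fob and a receiver each pick a fresh random secret, exchange only public values over the air, and both derive the same per-pairing key, so there is no manufacturer-wide secret to extract from a receiver. The `master_key_device_key` stand-in (an HMAC, not the real KeeLoq derivation) models the contrasting design for comparison; the DH group, names and byte layout are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Added illustration, not code from the thread. DH group: the 1024-bit MODP prime
# from RFC 2409 (group 2), used only because it is short enough to print here;
# a real design would pick a larger group or a curve such as X25519.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 128


def master_key_device_key(manufacturer_key: bytes, serial: bytes) -> bytes:
    """Simplified model of the fixed-master-key design (a stand-in HMAC, not the
    real KeeLoq derivation): every device key is a deterministic function of one
    global secret and a public serial, so one leaked secret covers every device."""
    return hmac.new(manufacturer_key, serial, hashlib.sha256).digest()


class Party:
    """One side of the pairing (fob or receiver) with a fresh ephemeral DH secret."""

    def __init__(self, name: str):
        self.name = name
        self._x = secrets.randbelow(P - 2) + 1   # private exponent, never sent
        self.public = pow(G, self._x, P)          # the only value sent over the air

    def derive(self, peer_public: int, transcript: bytes) -> bytes:
        if not 1 < peer_public < P - 1:           # reject degenerate public values
            raise ValueError("bad DH public value")
        shared = pow(peer_public, self._x, P)
        # Bind the key to both public values so each pairing session is distinct
        return hashlib.sha256(shared.to_bytes(NBYTES, "big") + transcript).digest()


def pair_over_air(fob: Party, receiver: Party) -> tuple:
    """Run the exchange: both sides see only the two public values, yet derive
    the same rolling-code key; no manufacturer-wide secret is involved."""
    transcript = fob.public.to_bytes(NBYTES, "big") + receiver.public.to_bytes(NBYTES, "big")
    return fob.derive(receiver.public, transcript), receiver.derive(fob.public, transcript)


if __name__ == "__main__":
    k_fob, k_rx = pair_over_air(Party("fob"), Party("receiver"))
    print("pairing keys match:", k_fob == k_rx)
```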

garaetjjte | 6 months ago

>If that manufacturer key is known, it only takes two samples from an authenticator to determine the sequence key.

Not if a seed of appropriate length is used. Though I don't know how common that is; back in 2008 the authors noted that "We would like to mention that none of the real-world KeeLoq systems we analyzed used any seed" (https://www.iacr.org/archive/crypto2008/51570204/51570204.pd..., section 4.3)

nroets | 6 months ago

Correct. While the original KeeLoq cipher is most likely no longer secure, Microchip moved on to AES.

KeeLoq is also used for garage door openers.

Some KeeLoq receivers have a "learning mode" where it adds the next KeeLoq transmitter it hears provided it uses the same manufacturer key.

Learn mode is activated either with a button often on the PCB or with a "master" transmitter.

https://en.wikipedia.org/wiki/KeeLoq