KeeLoq - Side-channel Attacks

Side-channel Attacks

In March 2008, researchers from the Chair for Embedded Security of Ruhr University Bochum, Germany, presented a complete break of remote keyless entry systems based on the KeeLoq RFID technology. Their attack works on all known car and building access control systems that rely on the KeeLoq cipher.

The attack by the Bochum team allows recovery of the secret cryptographic keys embedded in both the receiver and the remote control. It is based on measuring the electric power consumption of a device during an encryption. By applying side-channel analysis methods to the power traces, the researchers can extract the manufacturer key from the receivers; this key can be regarded as a master key for generating valid keys for the remote controls of one particular manufacturer. Unlike the cryptanalytic attack described above, which requires about 65536 chosen plaintext-ciphertext pairs and days of calculation on a PC to recover the key, the side-channel attack can also be applied to the so-called KeeLoq Code Hopping mode of operation (also known as rolling code) that is widely used for keyless entry systems (cars, garages, buildings, etc.).

The most devastating practical consequence of the side-channel analysis is an attack in which an attacker who has previously learned the system's master key can clone any legitimate encoder by intercepting only two messages from that encoder, from a distance of up to 100 metres (330 ft). Another attack allows the internal counter of the receiver (garage door, car door, etc.) to be reset, which makes it impossible for a legitimate user to open the door.

In 1996, Microchip introduced a version of KeeLoq ICs that use a 60-bit seed. If a 60-bit seed is used, an attacker would require approximately 100 days of processing on a dedicated parallel brute-force machine before the system is broken.
