
Wireless systems for keyless entry into buildings and automobiles are increasing in popularity. However, most systems provide inadequate security against both accidental activations and intentional break-ins. To ensure a protected system, you must address these two problems.
An example of accidental activation occurs when your garage-door opener's transmitter also opens your neighbor's garage door. You can avoid or minimize accidental activation by using a different code for every system. You can also use a large number of randomly assigned codes to diminish the likelihood of accidental activation.
Preventing an intruder from gaining access through a determined attack on the system is a more serious security concern. Many coding schemes for wireless-access security are possible (see box, "Basic coding schemes for wireless-access security"). However, the widespread fixed-coding-wireless schemes are easily defeated by a code scanner or grabber.
Defeating fixed-code systems
A code scanner transmits all possible codes until the device receives the proper one. A code scanner easily accesses systems without a large number of codes. For example, an intruder could scan all the possible codes of a garage-door opener with an 8-bit fixed code in 32 sec at eight codes/sec. A 16-bit fixed code increases the time to 2.3 hours. And, a 32-bit code requires more than 17 years to scan all the codes. The effectiveness of a code-scanning attack depends not only on the number of codes, but also on the rate at which the system accepts codes.
Intruders can use code-scanning attacks against fixed- or rolling-code systems. As with a fixed-code system, the best defense for your rolling-code system is to make the number of possible codes large enough to discourage a code-scanning attack.
The other method of attacking a fixed-code system is with a code grabber. A code grabber enables an intruder to defeat fixed-code systems by recording the code when someone uses a legitimate transmitter. The intruder can replay the code to gain access later. Code-grabbing attacks, although possible, are much more difficult against rolling-code systems (see box, "Basic coding schemes for wireless-access security").
A company with the resources can develop a security system that uses encryption and decryption. Such a system requires much testing to determine whether it is reasonably secure against a deliberate attack. Cryptography is a relatively mature science. However, the only way you can determine how easily a system can be broken into is to try to break into it. Experts suggest hiring an experienced lab to see how difficult it is to break into your system (Reference 1). The cryptographic community is littered with stories of supposedly protected encryption and decryption systems that were broken into, in some cases relatively quickly.
A commercial rolling-code generator can't guarantee absolute security, but it can offer a system that won't be defeated by simple attacks. Currently, National Semiconductor and Exel offer ICs designed specifically for rolling-code systems. The two systems are considerably different.
Basic coding schemes for wireless-access security
Fixed-coding systems, such as a mechanical combination lock, have been used for many years. The system provides reasonable security if the combination is kept secret and if the number of possible combinations makes systematically testing all combinations impractical. Fixed-coding schemes provide almost no security in wireless systems, however. Each time you use the system, you broadcast the code and allow an unauthorized person to intercept it. The next level in secure access is a code that varies with time. Rolling-code systems are one approach to time-varying coding systems. Each time you transmit, you use a different code, so the system cannot be defeated by simply intercepting the transmission and repeating it later.
Rolling-code systems
The typical approach to the rolling-code problem consists of a nonlinear algorithm and a secret key. According to Reference 1, a fundamental principle in the communications-security field for more than 100 years is that security must not depend on keeping any of the design details secret. The design details may get out through a disgruntled employee or through an office raid. In addition, designers may be bribed or threatened, and hardware may be successfully reverse-engineered. Limiting detailed information about the encryption algorithm to only those people who need to know it helps secure the system. However, you should assume that an attacker will eventually obtain that information. The secret key is the one thing you must keep from falling into the attacker's hands. Using a different key for each system helps to guarantee that learning the key for one system does not compromise all units in the field. The secret keys must be highly random in nature, not just incremented like serial numbers.
Rolling-code systems also have to address synchronization issues. The transmitter and receiver have to be synchronized initially so that both start on the same code. If a transmitter is operated out of range of the receiver (a blind transmission), it rolls to the next code while the receiver continues to wait for the last code. A child playing with the transmitter might increment the system many times before a legitimate operation. If the code generator and decoder do not keep the code in nonvolatile memory, then a depleted battery also requires resynchronization. Another problem is using multiple transmitters with a single receiver and the need to add transmitters to a system. Typically, windowing schemes allow several blind transmissions with automatic resynchronization. Synchronizing new transmitters typically requires a special resynchronizing or learning mode. Because the system is most vulnerable during synchronizing operations, those operations must be carefully thought out.
Time-based coding systems
Rolling-code access-security systems aren't the only type of time-varying security method. You can also design time-based systems, in which the codes change based on time, perhaps several times a second. The disadvantage is that both receiver and transmitter need reasonably accurate real-time clocks that must be continuously powered. The advantage is that the systems can guard against an attacker using a code grabber to intercept a blind transmission. If an attacker can trick a person with a transmitter into operating it in the blind and can record the transmission, the attacker can play back the code in the presence of the receiver and gain access. Time-based systems require immediate transmission of the code in the presence of the receiver; otherwise the code expires.
Challenge-and-response systems
Another approach to access security is a challenge-and-response system. Challenge-and-response systems are applicable to a wide range of security applications and are probably best known as Identify-Friend-or-Foe (IFF) systems for military aircraft.
A keyless-entry system operates in the following manner: Both the key device and the remote system contain the same encryption system and secret key. The remote key device transmits a signal indicating the user's desire to perform some function. The remote system, in response to the initial signal, sends out a fixed-length, random digital value. The remote key receives the digital value, generates an encrypted version, and transmits it back to the remote system. The remote system has simultaneously encrypted the same random value. The remote system compares the two values. If the values are identical, the system authorizes the desired action. For maximum security, the system generating the random number should never use the same number twice. Otherwise, an attacker might gain access after recording a number of attempts. The advantage of challenge-and-response systems is that they don't suffer from synchronization problems. The systems are potentially the most secure approach for remote keyless-entry systems. The disadvantage in cost-sensitive applications is that the systems require both transmit and receive capability on both the key device and the remote system.
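The challenge-and-response exchange described in the box, as an added example that is not part of the original article or of any vendor's product. It uses an HMAC (a keyed hash) in place of the encryption step the box describes, and the nonce length, the class names and the helper run_exchange are assumptions. It shows the two properties the box asks for: the remote never issues the same random value twice, and a response recorded earlier is useless against a fresh challenge.

```python
import hashlib
import hmac
import secrets

NONCE_BYTES = 8   # length of the fixed-length random value (assumed)


class RemoteSystem:
    """The side that grants access (vehicle or building). It issues challenges,
    remembers every nonce it has issued so none is reused, and accepts at most
    one response per outstanding challenge."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key
        self._issued = set()
        self._pending = None

    def challenge(self) -> bytes:
        # Draw a fresh random value; the loop guards against reuse.
        while True:
            nonce = secrets.token_bytes(NONCE_BYTES)
            if nonce not in self._issued:
                break
        self._issued.add(nonce)
        self._pending = nonce
        return nonce

    def verify(self, response: bytes) -> bool:
        # No challenge outstanding: nothing to compare against, so refuse.
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # a challenge is consumed whether or not it succeeds
        return hmac.compare_digest(expected, response)  # constant-time compare


class KeyDevice:
    """The remote key: answers a challenge with the keyed transform of it."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_exchange(remote: RemoteSystem, key_device: KeyDevice) -> bool:
    """One complete exchange: request, challenge, response, decision."""
    nonce = remote.challenge()            # remote answers the request with a random value
    response = key_device.respond(nonce)  # key transforms it with the shared secret
    return remote.verify(response)        # remote compares against its own transform


if __name__ == "__main__":
    shared = b"constructed-shared-secret"   # constructed sample key
    remote = RemoteSystem(shared)
    print("legitimate key:", run_exchange(remote, KeyDevice(shared)))
    print("wrong key:     ", run_exchange(remote, KeyDevice(b"other-secret")))
    # Replay: a response recorded against one challenge fails against the next one.
    recorded = KeyDevice(shared).respond(remote.challenge())
    remote.verify(recorded)
    remote.challenge()
    print("replayed:      ", remote.verify(recorded))
```

The set of issued nonces grows without bound here; a real receiver with limited EEPROM would instead use a counter or a sufficiently large random value and accept the negligible collision probability.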
The HiSeC's data frame
National Semiconductor's HiSeC rolling-code generator transmits two frame types: data and sync (Figure 1). The data frame has up to seven fields with lengths ranging from 29 to 92 bits.
The preamble field is optional. If selected, it provides an easily recognized bit pattern, which gives the decoder a chance to wake from low-power states and prepare to receive and verify the transmission. The device transmits the preamble field only once in the first frame of a data transmission. The optional user-programmable sync field provides a bit-timing reference for receiver synchronization.
The 4-bit-long data field primarily indicates which key the user has pressed. The data field can also transmit a low-battery message. The low-battery signal consists of alternately transmitting the normal field and a 1111 code when the NM95HS01/02 measures a low-voltage level.
The dynamic-code field is either 24 or 36 bits long. This field contains the rolling-code value that changes each time you use the transmitter. The unit never sequentially transmits the same code twice, although codes may randomly repeat. A repeated code should be infrequent, however. The code generator combines user-programmable, factory-programmable, and randomized data in a nonlinear manner to generate the encoded output.
When enabled, the optional 8-bit parity field is transmitted with every frame to ensure data integrity. All data frames use a stop bit to indicate the end.
During normal operation, the key device transmits data frames when a button is depressed. The remote device receives the transmission and decodes the dynamic-code field to determine if the code matches the current rolling-code value. The decoder can be either an MM57H01 rolling-code and fixed-code decoder, or you can use the companys COP8 8-bit microcontroller and a decoding software algorithm. If the rolling code matches the current value, the desired action is performed.
Representative rolling-code devices for keyless-entry systems

| Manufacturer | Device part number | Applications | Package | Voltage range | Price (1000-piece qty) | Notes |
|---|---|---|---|---|---|---|
| National Semiconductor | NM95HS01 | Rolling-code generator for IR and RF | Eight- and 14-pin DIP or SO | 2.5 to 6.5V | $1.72 | Clocked with RC circuit; eight-pin device has two key functions; 14-pin device has four. |
| National Semiconductor | NM95HS02 | Rolling-code generator for IR and RF | Eight- and 14-pin DIP or SO | 2.5 to 6.5V | $1.72 | Clocked with crystal oscillator; eight-pin device has two key functions; 14-pin device has four. |
| National Semiconductor | NM57HS01 | Rolling- and fixed-code decoder | 20-pin DIP or SO | 5V | $1.25 | |
| Exel | XL106 | Rolling-code encoder for IR, microwave, and RF transmitters; decoder coprocessor | Eight-pin DIP or SO | 2.7 to 6.2V | $1.10 | Up to seven key functions; you can use the device to implement challenge-and-response systems. |
| Exel | XL109 | Decoder controller with parallel I/O | 22-pin DIP or SO | 5V | $1.10 | |
| Exel | XL110 | Decoder controller with serial I/O | 22-pin DIP or SO | 5V | $1.10 | |
| Exel | XL114 | Similar to XL106, but has 28-bit serial number | Eight-pin DIP or SO | 2.0 to 6.2V | $0.85 | Available in the second quarter; up to 15 key functions. |
| Exel | XL124 | Similar to XL106, but has 32-bit serial number | Eight-pin DIP or SO | 2.0 to 6.2V | $0.75 | Up to seven key functions. |
| Exel | XL138 | Token controller for use with XL106 | 22-pin DIP or SO | 5V | $1.10 | |
Staying synchronized
In "blind" transmissions, the generator rolls to the next code, but the decoder, being out of range, does not. To accommodate such transmissions, you can use a decoder window. The decoder accepts future values within the window and resynchronizes to them. The size of the window depends on the number of blind transmissions you want to accommodate. The window is typically implemented in one of two ways: you can let the decoder compute ahead and store the values in memory, or you can compute ahead whenever you don't have a match. Which method you select typically depends on the speed of the microcontroller, the required speed of response, and the size of the window.
A remote device, such as a car's locking system, might be accessed by multiple key devices. In this case, the decoding system must store the current rolling-code value for each transmitter that the system has learned. In addition, if the device provides window memory for blind transmissions, you must allot each transmitter its own window memory to accommodate the different rolling-code sequences.
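A windowed decoder of the kind just described, with both implementation strategies (compute ahead and store, or compute on a miss) and a separate state record per learned transmitter. This is an added example, not National Semiconductor's algorithm or code: the HiSeC generator is not public, so next_code stands in for it with a keyed hash of the sequence position, and the class names, the window size and the 36-bit truncation are assumptions.

```python
import hashlib
import hmac

CODE_BITS = 36   # the longer of HiSeC's two dynamic-code lengths
WINDOW = 16      # number of future codes the decoder will accept


def next_code(key: bytes, index: int) -> int:
    """Stand-in for the IC's nonlinear generator (assumption): a keyed hash of
    the position in the sequence, truncated to CODE_BITS."""
    digest = hmac.new(key, index.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:5], "big") & ((1 << CODE_BITS) - 1)


class Transmitter:
    def __init__(self, key: bytes):
        self.key = key
        self.index = 0

    def press(self) -> int:
        """Every press rolls to the next code, whether or not the decoder hears it."""
        code = next_code(self.key, self.index)
        self.index += 1
        return code


class Decoder:
    def __init__(self, precompute: bool = True):
        self.precompute = precompute
        self.learned = []   # one state record (key, expected index, window) per transmitter

    def learn(self, key: bytes, start_index: int = 0) -> None:
        state = {"key": key, "index": start_index, "window": {}}
        self._compute_ahead(state)
        self.learned.append(state)

    def _compute_ahead(self, state: dict) -> None:
        # Strategy 1: precompute the window once and keep it in memory.
        if self.precompute:
            state["window"] = {next_code(state["key"], state["index"] + i): i
                               for i in range(WINDOW)}

    def _match(self, state: dict, code: int):
        if self.precompute:
            return state["window"].get(code)
        # Strategy 2: no stored window; compute ahead only while searching for a match.
        for i in range(WINDOW):
            if next_code(state["key"], state["index"] + i) == code:
                return i
        return None

    def receive(self, code: int) -> bool:
        """True if the code is the next expected code, or one of the WINDOW-1 after it,
        for any learned transmitter. Accepting a code moves that transmitter's
        expected index past it, so the same code cannot be replayed."""
        for state in self.learned:
            offset = self._match(state, code)
            if offset is not None:
                state["index"] += offset + 1
                self._compute_ahead(state)
                return True
        return False


if __name__ == "__main__":
    tx = Transmitter(b"constructed-key-A")   # constructed sample key
    dec = Decoder()
    dec.learn(b"constructed-key-A")
    code = tx.press()
    print("first press accepted:", dec.receive(code))
    print("same code replayed:  ", dec.receive(code))
    for _ in range(5):                        # five blind presses
        tx.press()
    print("after 5 blind presses:", dec.receive(tx.press()))
    for _ in range(WINDOW + 1):               # too many blind presses
        tx.press()
    print("after 17 blind presses:", dec.receive(tx.press()))
```

Note that nothing in the data frame identifies the transmitter, so the decoder tries each learned transmitter's window in turn; that is why each transmitter needs its own state record, and why the decoder's response time grows with the number of transmitters and the window size when it computes on a miss.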
The sync frame
Before using a transmitter and receiver together for the first time, you must use a sync frame to synchronize them. The sync frame also resynchronizes a generator that has rolled outside the decoder's window, or a rolling-code generator after battery replacement. Like the data frame, the sync frame has up to seven fields (Figure 1). Two of the fields are different. Instead of the 4-bit data field that indicates which key is depressed, the sync frame has a sync code of 0000 indicating that the frame is a sync frame. Instead of the dynamic code of the data frame, the sync frame sends a 40-bit start code that enables the decoder to sync with the rolling-code generator.
The sync frame, unless disabled, is sent when a key is held down for more than 10 sec or when the system is powered up with a new battery. Synchronization operations are typically when rolling-code systems are most vulnerable to attack. The sync frame makes the system vulnerable in two ways. If an attacker can obtain a transmitter that matches the same characteristics as a legitimate one, that person could send a sync frame and sync the decoder to his/her transmitter. Or, if an attacker could intercept a sync frame transmission and has access to a decoder or the decoding algorithm, then he/she could generate future codes to gain access to the system. Although obtaining the information to take advantage of these weaknesses is difficult, you should give it some consideration in your system design.
You can disable the sync frame and avoid these weaknesses, but some synchronizing capability must initially be available. Disabling the synchronization feature after initial synchronization provides maximum security; however, loss of synchronization prevents resynchronization. Perhaps the best compromise for security and convenience is to gate the sync frame by other activities such as manually entering a secret code or other functions.
During normal data-frame operation, a 36-bit rolling-code value requires about 272 years to try every code at 8 codes/sec. Using a window size of 16, the average time needed to guess one of the acceptable codes is approximately 8.5 years.
Exel's rolling-code encoding-and-decoding system is significantly different from National Semiconductor's. Instead of sending a code that must match the next value in the sequence (or fall within a window), Exel's Keeloq system sends an encoded message, which the receiver decodes. The full transmission of a frame is 56 bits. A rolling-code-encoded message comprises 32 bits, and a fixed code identifying the serial number of the transmitter uses 24 bits. During a normal transmission, the decoder first checks whether the transmitter's serial number is one of the learned transmitters. If the serial number matches, the device decodes the 32-bit message to determine which key was depressed and to check the validity of the message-synchronization information.
Staying in sync
Synchronization information is primarily a message number. The system numbers messages with a 16-bit counter. Once decoded, the 16-bit message number is compared with the last message received from that transmitter. The previous 32,768 message numbers are blocked out. If the message number is within the next 16 message numbers expected from that transmitter, the desired action is carried out. If the message number is between 16 and 32,767 future message numbers, the decoder waits for a second transmission. If the second transmission is the next consecutive message number, the decoder carries out the desired action and re-synchronizes.
Even if the remote system has had more than 16 blind transmissions, the two-transmission re-synchronization scheme provides high security with a fast response. Because the device stores synchronization data in EEPROM, power interruptions do not require re-synchronization.
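The Keeloq-style message handling described in this section and in "Keeping it secret" below (clear 24-bit serial number, encrypted 32-bit message carrying a 16-bit message number, per-transmitter key derived from the serial number and a manufacturer's key, two-message learn mode, and the 16 / 32,767 / 32,768 acceptance rules), as an added example. It is not Exel's algorithm or code: the real cipher is proprietary, so encrypt32/decrypt32 are a toy HMAC-based Feistel network, derive_key is an HMAC truncated to 64 bits, and the 12 discrimination bits in the payload, the class names and all sample values are assumptions.

```python
import hashlib
import hmac

ROUNDS = 4
WINDOW = 16            # message numbers accepted on a single transmission
FAR_LIMIT = 0x8000     # 32,768: this many or more ahead is treated as "previous" and blocked


def derive_key(manufacturer_key: bytes, serial: int) -> bytes:
    """Per-transmitter secret from the manufacturer's key and serial number
    (the page calls this nonlinear; using HMAC for it is an assumption)."""
    return hmac.new(manufacturer_key, serial.to_bytes(3, "big"), hashlib.sha256).digest()[:8]


def _f(key: bytes, rnd: int, half: int) -> int:
    d = hmac.new(key, bytes([rnd]) + half.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(d[:2], "big")


def encrypt32(key: bytes, block: int) -> int:
    """Toy 32-bit Feistel cipher standing in for the IC's undocumented algorithm."""
    l, r = block >> 16, block & 0xFFFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 16) | r


def decrypt32(key: bytes, block: int) -> int:
    l, r = block >> 16, block & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << 16) | r


class Transmitter:
    def __init__(self, manufacturer_key: bytes, serial: int):
        self.serial = serial & 0xFFFFFF          # 24-bit serial sent in the clear
        self.key = derive_key(manufacturer_key, self.serial)
        self.counter = 0                         # 16-bit message number

    def press(self, button: int):
        """Returns (serial, encrypted 32-bit message); the counter advances on every press."""
        self.counter = (self.counter + 1) & 0xFFFF
        payload = (self.counter << 16) | ((button & 0xF) << 12) | (self.serial & 0xFFF)
        return self.serial, encrypt32(self.key, payload)


class Decoder:
    def __init__(self, manufacturer_key: bytes):
        self.manufacturer_key = manufacturer_key
        self.known = {}    # serial -> {"key", "counter", "pending"}

    def _open(self, serial: int, key: bytes, cipher: int):
        """Decrypt and check the discrimination bits; None if the message is not genuine."""
        p = decrypt32(key, cipher)
        if (p & 0xFFF) != (serial & 0xFFF):
            return None
        return p >> 16, (p >> 12) & 0xF          # (message number, button)

    def learn(self, serial: int, cipher1: int, cipher2: int) -> bool:
        """Learn mode: two consecutive valid messages from the transmitter are required."""
        key = derive_key(self.manufacturer_key, serial)
        a, b = self._open(serial, key, cipher1), self._open(serial, key, cipher2)
        if a is None or b is None or ((b[0] - a[0]) & 0xFFFF) != 1:
            return False
        self.known[serial] = {"key": key, "counter": b[0], "pending": None}
        return True

    def receive(self, serial: int, cipher: int):
        """Returns the button number when the action is authorised, else None."""
        st = self.known.get(serial)
        if st is None:                        # serial number never learned
            return None
        opened = self._open(serial, st["key"], cipher)
        if opened is None:
            return None
        n, button = opened
        d = (n - st["counter"]) & 0xFFFF      # distance ahead of the last accepted number
        if d == 0 or d >= FAR_LIMIT:          # replay, or one of the 32,768 previous numbers
            st["pending"] = None
            return None
        if d <= WINDOW:                       # within the 16-message window: act at once
            st["counter"], st["pending"] = n, None
            return button
        # 17 to 32,767 ahead: act only on two consecutive messages, then resynchronize
        if st["pending"] is not None and n == ((st["pending"] + 1) & 0xFFFF):
            st["counter"], st["pending"] = n, None
            return button
        st["pending"] = n
        return None
```

The important defensive detail is in receive: a replayed message (d == 0) and anything in the previous half of the counter space are refused outright, and a far-ahead message is only remembered as "pending" until the very next message proves the counter is genuinely running from that point.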
Keeping it secret
Internally, the rolling-code generator uses a 64-bit secret key to generate the code. Even if you were able to gain access to the design details of an encoder, you would need the specific 64-bit secret key for that particular transmitter. This key is generated by a nonlinear algorithm using the 24-bit serial number and the manufacturer's key as inputs. The secret key is not readable and is never transmitted.
The manufacturer's key distinguishes the system from those of other manufacturers using the same device. The keys are in on-chip EEPROM, which is read-protected. According to Exel, you can't defeat all the systems in the field by analyzing one transmitter.
An XL106 stores data for one unerasable master transmitter and five learnable transmitters that are erasable. Once the decoder is placed in learn mode, it waits for a valid message from a transmitter. After receiving a valid message, the decoder generates a temporary secret key from the transmitter's serial number. The secret key is never available outside the IC. The device performs other checks on the received word and waits to receive a second message. After performing the same functions on the second message, the device determines whether the two messages are consecutive. If the messages are consecutive, the decoder has learned the transmitter and stores the necessary information.
A button on the decoder system could initiate the self-learn mode. Or, for more security, the system might require the master transmitter to enable it for some brief self-learn period.
A maximum-security design that accepts only one code for entry, instead of a window of 16 future transmissions, means a random guess has one chance in 2^32 of success. An attacker would need about 17 years to try all the codes at eight attempts per sec, or an average of 8.5 years to guess the correct code. For the least secure configuration, the resynchronization algorithm's requirement of two successive correct codes makes the chance of success for a random guess one in 2^37.
Although it is possible that an attacker can gain access through a lucky guess, a determined attack using technical details of the system is more likely. To preserve security against the determined attacker, each transmitter has a unique key. Even if the coding algorithm is reverse-engineered, a thief cannot access the system unless the key for that particular transmitter is known. Furthermore, the learning algorithm requires you to program the transmitter and decoder with the same manufacturer's key. Pirate transmitters from outside parties, even with the same encoder ICs, are useless.
Both National Semiconductor's and Exel's rolling-code systems provide much greater security for wireless systems than fixed-code systems. The systems also provide these functions at minimal additional cost over a fixed-code system and without inconveniencing the end user. Both systems interface easily with IR or RF transmitters and receivers. In addition, you can use Exel's XL106 device in challenge-and-response security systems as well.
Looking ahead
Other companies will be offering rolling-code systems. Microchip Technology (Chandler, AZ) recently acquired the Keeloq rolling-code technology from Nanoteq (South Africa). Microchip plans to introduce a product family in February. Motorola (Tempe, AZ) also has plans for commercial products with rolling-code generators. According to Jerry Michnal, strategic-market-development manager for Motorola's automotive segment, the company plans to offer a higher level of integration for access-security systems. One IC contains the code-generation circuitry and RF transmitter. A second IC contains the receiver/decoder, an RF tag or token system using challenge-and-response-type security, and vehicle-immobilization capability. The company expects to have silicon in late 1996.

| For free information . . . | |
|---|---|
| Exel Microelectronics San Jose, CA (408) 432-0500 | National Semiconductor Corp Santa Clara, CA (800) 272-9959 |