Abstract
AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilization and remote keyless entry systems. In this paper, we present for the first time full details of AUT64 including a complete specification and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversification scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation flaws, break both the 8 and 24 round configurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just 237.3 offline encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and 248.3 encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible offline computation.
Highlights
Since 1995, it has been mandatory for vehicle manufacturers who wish to sell their Make ModelsYears vehicles inside the EU to fit them with an Mazda 3231999-2003 electronic immobiliser [Com95]
The contribution made in this paper is threefold: First, we present the results of reverse engineering AUT64 from a Mazda immobiliser system
We identify significant weaknesses in the AUT64 automotive block cipher and its associated immobiliser protocol
Summary
Since 1995, it has been mandatory for vehicle manufacturers who wish to sell their Make. When the driver starts the vehicle, the immobiliser authenticates the transponder before starting the engine, preventing hot-wiring. We reverse engineer a widely used vehicle immobiliser system based on the Atmel TK5561 transponder and the AUT64 cipher [Atm06]. The TK5561 is based on a patented method of cryptographic authentication [BF03], which uses the AUT64 block cipher and a proprietary authentication protocol. AUT64 is a 64-bit Feistel network block cipher with a 120-bit secret key. It is used in a number of automotive applications, which include the remote keyless entry system used by most Volkswagen Group vehicles sold between 2004 and 2009 [GOKP16]. The TK5561 transponder uses AUT64 with either 8 or 24 rounds, depending on a configuration bit set in the transponder’s memory
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: IACR Transactions on Cryptographic Hardware and Embedded Systems
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
