Dr.-Ing.Thomas Giesler

Transcription

The First International Workshop on IT-Solutions for
Physical Security:
State of the Art Car Access Security Systems
Dr.-Ing.Thomas Giesler
Customer Application Support Hamburg; BL Identification
Car Access and Immobilization
31.03.2006
BLID CAI
Immobilization
Keyless Enty/Go
Remote Keyless Entry
Tire Pressure Monitoring
Philips Semiconductors, BL Identification, 31.03.2006, Dr.-Ing.Thomas Giesler
2
Product Focus
• Immobilizer: Transponders and Basestations
– high security anti-theft system
– even with a perfect mechanical copy of the car key, the
vehicle can not be started because several essential
functions are blocked electronically
– more than 250,000,000 parts sold
• Remote Keyless Entry: Combined Systems with
Immobilizer
– unlock and lock the car by remote control
– combined with Immobilizer = security & comfort
3
Product Focus
• Passive Entry / Passive Go: Fully integrated Systems
– access your car by just pulling the door handle and start by
pressing a button: the highest level of comfort
– highly integrated 3-dimensional active LF-front-end with
UHF-downlink
• Tire Pressure: Wireless tire pressure- and
temperature- sensor signal conditioning and data
transfer with 3D-LF-wakeup and UHF downlink
– long live time (>6 years)
– individual tire addressing
4
1st Generation
Immobilizer
5
Vehicle Theft Rate in Germany
160000
reported
not recovered
140000
120000
100000
80000
60000
40000
20000
0
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000
play video
Source: VDA
6
Vehicle Theft Rate in Germany
Philips Semiconductors starts production of car immobilizer transponder
160000
140000
reported
not recovered
120000
100000
80000
60000
40000
20000
0
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000
Source: VDA
7
Immobilizer System Configuration
Body Control
Unit
Transceiver Coil
Ignition
Switch
Lock Barrel
Transponder
LF Transceiver
8
Mechanical Setup
9
Immobilizer System Detail
.
Transceiver
Transponder
Demodulator
Data
Modulator
EEPROM
Driver &
Modulator
LF Clock
Control
Energy
Ferrite Coil
LF Supply
Demodulator
10
Energy Transfer: Basestation → Transponder
It
Ib
Ub
Energy
Ut
6V
U
in
11
Data Transfer: Basestation → Transponder
Demodulator
Data
It
Ib
Ub
Energy
Ut
6V
V
Data
12
Data Transfer: Transponder → Basisstation
Demodulator
Tap Punkt
Ib
It
Data
Energy
Ub
Ut
6V
Data
13
First Transponder Generation: Read-Only
Copy
Base Station
Fixed Code
PCF 7931
Transponder Copy
14
2nd Transponder Generation: Rolling Code
Listen
Basestation
Rolling Code
Password protected writing of next Code
PCF 7930
Copy Station
Transponder Copy
15
3rd Transponder Generation: Challenge Response
Car
Base station
Challenge (random)
Encrypted response
PCF 7935
16
Copy Station
Challenge 1 .. N
PCF 7935
Response 1 .. N
Transponder
Emulator
Data Base
with many
C/R-pairs
17
Basestation
Challenge
Response
Transponder
Emulator
Data Base
with many
C/R-pairs
Challenge (second try)
Response (second try)
18
Fake
base station
Challenge 1 .. N
PCF 7935
Response 1 .. N
Brute-Force
attack
Try all possible
keys
Executed on competitor device
19
4th Transponder Generation: Mutual Authentication
Challenge (random)
Car
Base station
Encrypted signature
PCF 7936
Encrypted response
20
Mutual Authentication Overview Hitag 2
Transponder (HITAG2 comp.)
Base station / Motor Control Unit
Random Number
Generator
Crypto Unit
(Microcontroller)
Transponder Signature (24+8 bit)
Base station Signature (32 bit)
PRN + MAC
RES
Encrypted Transmission
Identifier
(32 bit)
Crypto Unit
(Hardwired /
Micro-controller)
Immo Secret Key
(48 bit)
Immo Secret Key
(48 bit)
Identifier
Transponder Signature (24+8 bit)
Base station Signature (32 bit)
21
4th Transponder Generation: Mutual Authentication
Basestation
PRN + MAC 1..N
PCF 7936
Response 1..N
Listen
Fast PC pool
or special HW
Brute Force Attack Secret Key
programmable
Transponder
or Emulator
22
5th Generation Mutual Authentication Overview
Base station
Transponder (AES-128)
Secret Key
(128 bit)
Secret Key
(128 bit)
Identifier
PRN + MAC
Microcontroller
Crypto
Function
Pseudo
Random
Number
Generator
Identifier
(32 bit)
RES
Microcontroller
Encrypted Transmission
AES
Co-Processor
23
2nd Generation
Combi Key
Immobilizer + RKE
24
Product Focus
• Immobilizer: Transponders and Basestations
– high security anti-theft system
– even with a perfect mechanical copy of the car key, the
vehicle can not be started because several essential
functions are blocked electronically
• Remote Keyless Entry: Combined Systems with
Immobilizer
– unlock and lock the car by remote control
– combined with Immobilizer = security & comfort
25
1st RKE Generation: Fixed Code
Car
Base Station
UHF Receiver
Fixed Code
Listen
Copy Receiver
RKE Emulator
26
2nd RKE Generation: Rolling Code
Car
Base Station
UHF Receiver
Rolling Code
Jam
Listen
Disturbing
UHF Transmitter
Copy Receiver
& Transmitter
OPEN DOOR
27
2nd RKE Generation: Rolling Code + Key Code
Car
Base Station
UHF Receiver
Rolling Code with
encrypted Key code
PCF7941
PCF7961
PCF7900 frac-N transmitter
(development)
28
3rd RKE Generation: Mutual Authentication
Wakeup
UHF
Base
Transceiver
Station
Challenge (random)
PCF7945 +
“Lopster” transceiver
(development)
Encrypted signature
“Lopster” transceiver
(development)
Encrypted response
29
Typical Application, SMART, PCF7x61
Single Chip Transponder, Remote Keyless Entry and UHF Transmitter Solution
CVFLD
15 nF
VFLD
MSDA MSCL
VBAT VDDA
XT1
XT2
VDDPA
IN2
E-ROM (ROM)
8 Bit RISC (MRK II)
IN1
Contactless Interface
PCF7961 (PCF7361)
4K
ROM
192 Byte
RAM
EEPROM
512 Byte
PAOUT
Calculation
Unit
UHF
Transmitter
Interrupt
Control
Timer
Modulator
315 -434MHz
P22 1
P21
P16
RC
Oscillator
I/O
P15
P14
P11
Power Management
Note
1. Button inputs or generic I/O, however
external p’up resp. p’down required
VSS
VSSA
P10
VSSPA
Buttons
Li
3V
30
1-Chip Immobilizer/RKE-Combisystem
31
RKE Demosystem with SMART
32
3rd Generation
Passive Keyless
Entry / Go
33
Product Focus
• Passive Entry / Passive Go: Fully integrated Systems
– access your car by just pulling the door handle and start by
pressing a button: the highest level of comfort
– highly integrated 3-dimensional active LF-front-end with
UHF-downlink
• Tire Pressure: Wireless tire pressure- and
temperature- sensor signal conditioning and data
transfer with 3D-LF-wakeup and UHF downlink
– long live time (>6 years)
– individual tire addressing
34
Passive Keyless Entry / Start
Security Tag
Driver Door Detection Range
Trunk Area
Detection Range
Driver Interior
Detection Range
Passenger Door Detection Range
35
36
System Configuration
Door Handles
Trunk Handle
Engine Start/Stop
Body Control
Unit
LF Transceiver
(Back up)
LF Transmitter
UHF Receiver
37
Block diagram
Tag
Base station
up-link: wake-up,
data (inductive)
125kHz
inductive
transmitter
µC
back-up transponder
125kHz inductive
receiver
(3-D)
up to 2,5 m
PCF7952
PCF7953
wakeup
pattern
detector
µC
UHF transmitter
UHF
receiver
PCF7900
downlink: data (UHF)
38
Data Telegram Exchange
1 - Wake Up Pattern
LF Transmitter
2 - Challenge (random)
3 - Signature (encrypted)
PCF7952
PCF7953
UHF Receiver
4 - Response (encrypted)
39
Inside/Outside Detection
AI
Min(H I,IN )
HI(log)
x
40
LF Transmitter
Two-way
high speed
UHF / VHF link
UHF Receiver
Relay 2
Challenge
Relay 1
Possible Threat: Relay Attack
Response
41
Position Detection of PKE Tag
Vehicle
1 (LF)
LF-Transmitter 1
UHF-Receiver
Control
circuitry
PKE-Tag
Control
Steuerund
3 (UHF)
circuitry
Auswerteelektronik
3D-LF-Receiver
UHF Transmitter
2 (LF)
LF-Transmitter N
42
Time Of Flight Measurement
UHF
Transmitter
UHF
Receiver
A
B
t=s/c
≅ 3.3 ns / m!
• Sole 100% resistant countermeasure
43
PKE Tag
40 mm
55 mm
44
Research:
Capacitve / Electrostatic
Communication
•Body Area Networks
•Capacitve Access Systems
•Capacitive Tire Pressure Monitoring
45
Principle Circuitry (1)
Inductively shielded (optional)
Tag
Basestation
transmitter electrode
capacitive coupling
Lres, B
receiver electrode
CCON
modulator
Cres,B
demodulator
Cres,T
Lres,T
capacitive coupling (or ohmic connected)
46
Principle Circuitry (2)
transmitting
electrode in
wheel box
steel belt
ACTIClite
+
base station
magneticaly
shielded
-
tire pressure sensor
wheel
conducting stripe
on inner tire side
chassis /
room / ground potential
47
Intra Body Communication (1)
generator
field
receiver
minimal current
48
Intra Body Communication (2)
field
minimal current
49
ADA in Wireless Patient Monitoring
ID
Data
50
Connectivity
51
As shown at CRE 2005
52
53

Dr.-Ing.Thomas Giesler

Transcription

Similar documents

English - Elo Touch Solutions