Abstract | ||
---|---|---|
AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilization and remote keyless entry systems. In this paper, we present for the first time full details of AUT64 including a complete specification and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversification scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation flaws, break both the 8 and 24 round configurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just $2^{37.3}$ offline encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and $2^{48.3}$ encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible offline computation. |
Year | Venue | Field |
---|---|---|
2018 | IACR Trans. Cryptogr. Hardw. Embed. Syst. | Immobiliser, Cipher, Block cipher, Computer science, Cryptography, Parallel computing, Reverse engineering, Transponder (aeronautics), Authentication protocol, Embedded system, Automotive industry |
DocType | Volume | Issue |
---|---|---|
Journal | 2018 | 2 |
Citations | PageRank | References |
---|---|---|
0 | 0.34 | 0 |
Authors | ||
3 |
Name | Order | Citations | PageRank |
---|---|---|---|
Christopher Hicks | 1 | 2 | 1.04 |
Flavio D. Garcia | 2 | 438 | 33.08 |
David Oswald | 3 | 17 | 4.63 |