Dismantling the AUT64 Automotive Cipher

Research output: Contribution to journal › Conference article › peer-review

Standard

Dismantling the AUT64 Automotive Cipher. / Hicks, Christopher; Garcia, Flavio D.; Oswald, David.

In: IACR Transactions on Cryptographic Hardware and Embedded Systems, Vol. 2018, No. 2, 08.05.2018, p. 46-69.

Bibtex

@article{c7b88488513c496188650f9e2fa53077,
title = "Dismantling the AUT64 Automotive Cipher",
abstract = "AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilisation and remote keyless entry systems. In this paper, we present for the first time full details of AUT64 including a complete specification and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversification scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation flaws, break both the 8 and 24 round configurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just $2^{37.3}$ offline encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and $2^{48.3}$ encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible offline computation.",
keywords = "Automotive security, Hardware and software reverse engineering",
author = "Christopher Hicks and Garcia, {Flavio D.} and David Oswald",
year = "2018",
month = may,
day = "8",
doi = "10.13154/tches.v2018.i2.46-69",
language = "English",
volume = "2018",
pages = "46--69",
journal = "IACR Transactions on Cryptographic Hardware and Embedded Systems",
issn = "2569-2925",
number = "2",
note = "Conference on Cryptographic Hardware and Embedded Systems 2018 ; Conference date: 09-09-2018 Through 12-09-2018",

}

RIS

TY - JOUR

T1 - Dismantling the AUT64 Automotive Cipher

AU - Hicks, Christopher

AU - Garcia, Flavio D.

AU - Oswald, David

PY - 2018/5/8

Y1 - 2018/5/8

N2 - AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilisation and remote keyless entry systems. In this paper, we present for the first time full details of AUT64 including a complete specification and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversification scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation flaws, break both the 8 and 24 round configurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just 2^37.3 offline encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and 2^48.3 encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible offline computation.

AB - AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilisation and remote keyless entry systems. In this paper, we present for the first time full details of AUT64 including a complete specification and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversification scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation flaws, break both the 8 and 24 round configurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just 2^37.3 offline encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and 2^48.3 encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible offline computation.

KW - Automotive security

KW - Hardware and software reverse engineering

U2 - 10.13154/tches.v2018.i2.46-69

DO - 10.13154/tches.v2018.i2.46-69

M3 - Conference article

VL - 2018

SP - 46

EP - 69

JO - IACR Transactions on Cryptographic Hardware and Embedded Systems

JF - IACR Transactions on Cryptographic Hardware and Embedded Systems

SN - 2569-2925

IS - 2

T2 - Conference on Cryptographic Hardware and Embedded Systems 2018

Y2 - 9 September 2018 through 12 September 2018

ER -