Rolling Code

May 16, 2014

In the early days of automatic garage door openers, all openers shared a single code, so that every garage door opener worked with every garage door; you could open your neighbor’s garage door and walk into his garage whenever you wanted to. The next generation of garage door openers had 8 DIP switches, and thus 256 codes, which solved the problem of casually preventing your neighbor from opening your garage but was hardly a deterrent to thieves.

Nowadays garage door openers and car lock keychain fobs use rolling codes, sometimes called hopping codes, for security. Each fob has a unique serial number; each garage door opener or car lock is programmed to recognize only signals from specific fobs. The signals themselves are randomized and encrypted by the rolling code.

It works like this: Each time a button on the fob is pressed, the requested signal is sent to the receiver along with the serial number of the fob and the rolling code, which is an encrypted random number. The receiver ensures the fob has a recognized serial number, decrypts the rolling code, compares it to the receiver’s synchronized random number generator, and performs the requested action if everything agrees or denies the requested action if it doesn’t.

It’s possible for the fob to send a signal when it is out of range of the receiver. To allow that, the receiver checks the next 256 numbers in the random sequence, instead of just one number, and accepts the signal if any of the 256 numbers agree. Additionally, in case the fob sends more than 256 consecutive signals out of range, the receiver performs the requested action and resynchronizes its copy of the random number sequence if the fob sends two successive numbers from the random sequence.

Your task is to write programs that simulate the actions of the fob and the receiver. When you are finished, you are welcome to read or run a suggested solution, or to post your own solution or discuss the exercise in the comments below.

About these ads

Pages: 1 2

2 Responses to “Rolling Code”

  1. matthew said

    Do key fob systems really reset if they get two successive numbers from the sequence? Sounds like an easy replay attack there.

  2. programmingpraxis said

    Some do. Some don’t. Those that don’t require the whole “turn the key eight times and …” reset sequence whenever they get out of sync.

    Auto manufacturers are walking a fine line here. If they make their system too secure, then too many people will mess things up, and get mad at them, and buy their next car from a different manufacturer. If they make it too weak, too many cars get stolen, and people get mad at them, and buy their next car from a different manufacturer.

    Look at the WikiPedia article for KeeLoq to learn about replay attacks and side-channel attacks, which are a significant problem for the protocol that most auto manufacturers use.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 629 other followers

%d bloggers like this: