Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2009-10-02 13:00:37

cybergibbons
Member
Registered: 2009-10-02
Posts: 9

Differential/Simple Power Analysis of Keeloq

These two papers:
http://www.crypto.rub.de/imperia/md/con … keeloq.pdf
http://www.crypto.rub.de/imperia/md/con … keeloq.pdf

Both describe practical attacks on Keeloq devices using DPA (differential power analysis) and SPA (simple power analysis). It's a very interesting application of side channel attacks, but there seems to be relatively literature about it.

I guess the same is true of fault injection.

I know that this is primarily an RFID board, but I can imagine others will be interested in this as well.

Has anyone got any interesting reading material on the matter?

Offline

#2 2009-10-02 19:48:52

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Differential/Simple Power Analysis of Keeloq

yes i´ve been looking for some solution to intercept keeloq trace and get the secret key.
i wan´t to used to duplicate the remote control from my garage.

Offline

#3 2009-10-02 20:04:39

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Differential/Simple Power Analysis of Keeloq

i think this could help:

/*
;==========================================================================
; File name: klq_demo.c
;==========================================================================

; C Source code for the Keeloq decryption algorithm

;==========================================================================
; Copyright Notice
;==========================================================================

; (C) Microchip Technology Inc.
; Microchip Technology Inc. retains copyright of this source code.  The
; code is distributed to authorised system developers using Keeloq (R)
; code hopping products.  The decryption algorithm is regarded as a trade
; secret and may only be used with the written consent of Microchip
; Technology Inc.

;==========================================================================
; Disclaimer
;==========================================================================

;  The information contained in this Application Note is for suggestion
;  only.  It is your responsibility to ensure that your application meets
;  with your specifications.  No representation or warranty is given and
;  no liability is assumed by Microchip Technology Incorporated with
;  respect to the accuracy or use of such information or infringement of
;  patents or other intellectual property arising from such use or
;  otherwise.

;==========================================================================
; Revision History
;==========================================================================

; 1.1 First release Jan van Niekerk Sept 94

;==========================================================================
*/

#define revision "1.1"

#include <stdio.h>
#include <conio.h>
#include <ctype.h>
#include <stdlib.h>

/* create a byte data type */

typedef unsigned char byte;
typedef unsigned int word;

/* function definitions */

void display_shfreg    (void); /* to display 32-bit data */
void display_keyreg    (void); /* to display 64-bit key */
void load_key        (void); /* to initialise secret 64-bit key */

byte ggetbit         (byte *s, byte n); /* returns a bit's value */
void ssetbit         (byte *s, byte n); /* sets a single bit */
void lright_shift_carry     (byte *s); /* right shift through carry */

void decrypt        (void); /* to decrypt 32-bit data */
void lleft_shift_carry     (byte *s); /* left shift through carry */

/* global variables */

byte keyreg[8]; /* 64-bit secret decryption key */
byte shfreg[4]; /* 32-bit data */
byte carry;     /* used as a carry bit */
char ch=0;
word n;
FILE *fl1,*fl2,*fl3;
unsigned long val;

/* defines */

#define left_shift_carry(x)  lleft_shift_carry(&(x)) /* inserts the & */
#define right_shift_carry(x)  lright_shift_carry(&(x)) /* inserts the & */
#define setbit(x,y)  ssetbit(&(x),y)        /* inserts the & operator */
#define getbit(x,y)  ggetbit(&(x),y)        /* inserts the & operator */
#define ifbit(x,y)   if (ggetbit(&(x),y))   /* bit test using getbit */
#define XOR ^                    /* for those */

/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/
/* main: demonstrates decryption
/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/

void main()

{
  word  i;
  clrscr();
  fl2=fopen("dec.txt","wt");
  load_key(); /* load the secret 64-bit decryption key */
  do
  {
    printf("Keeloq  Demo\n");
    printf("============\n\n");
    printf("Current key = ");
    display_keyreg();
    printf("\nD. Decrypt\n");
    printf("K. Change key\n\n");
    printf("ESC to quit\n");
    ch=toupper(getch());
    switch (ch)
    {
      case 'K' :  printf("Enter most significant 32 bits of key in hex  : ");
                    scanf("%lX",&val);
                    keyreg[7]=(byte)(val>>24);
                    keyreg[6]=(byte)(val>>16);
                    keyreg[5]=(byte)(val>>8);
                  keyreg[4]=(byte)(val>>0);
                  printf("Enter least significant 32 bits of key in hex : ");
                    scanf("%lX",&val);
                    keyreg[3]=(byte)(val>>24);
                    keyreg[2]=(byte)(val>>16);
                    keyreg[1]=(byte)(val>>8);
                  keyreg[0]=(byte)(val>>0);
                  break;
      case 'D' :  printf("Enter encrypted 32 bit hex value : ");
                    scanf("%lX",&val);
                    shfreg[3]=(byte)(val>>24);
                    shfreg[2]=(byte)(val>>16);
                    shfreg[1]=(byte)(val>>8);
                  shfreg[0]=(byte)(val>>0);
                    display_shfreg(); printf("=>");
                    decrypt();
                    display_shfreg();
                    printf("\n\n");
                  break;
    }
  }
  while (ch!=27);
  fcloseall();
}


/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/
/* ggetbit: get the n-th bit in a byte
/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/

byte ggetbit(byte *s, byte n)

{
  return (*s & (((byte)1)<<n)) ? (byte)1 : (byte)0 ;
}

/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/
/* ssetbit: sets the n-th bit in a byte
/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/

void ssetbit(byte *s, byte n)

{
  *s|=(((byte)1)<<n);
}

/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/
/* right_shift_carry: right "rotate" through carry
/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/

void lright_shift_carry(byte *s)

{
  byte temp;
  temp = getbit(*s,0); /* grab the rightmost bit */
  *s >>= 1; /* shift 1 right */
  *s |= carry<<7; /* move the carry into leftmost */
  carry = temp; /* carry now becomes the bit that shifted out */
}

/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/
/* load_key: load a key into the key register
/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/

void load_key(void)

{
  /* the secret key is 2f197b2e cd1f92c9 Hex */
  keyreg[7] = 0x2f;
  keyreg[6] = 0x19;
  keyreg[5] = 0x7b;
  keyreg[4] = 0x2e;
  keyreg[3] = 0xcd;
  keyreg[2] = 0x1f;
  keyreg[1] = 0x92;
  keyreg[0] = 0xc9;
}

/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/
/* display_shfreg: display the data shift register
/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/

void display_shfreg(void)
{
  printf(" ");
  printf("%02X",shfreg[3]&0xff);
  printf("%02X",shfreg[2]&0xff);
  printf("%02X",shfreg[1]&0xff);
  printf("%02X  ",shfreg[0]&0xff);
}

/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/
/* display_keyreg: display the data shift register
/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/

void display_keyreg(void)
{
  printf("%02X", keyreg[7]&0xff);
  printf("%02X", keyreg[6]&0xff);
  printf("%02X", keyreg[5]&0xff);
  printf("%02X ", keyreg[4]&0xff);
  printf("%02X", keyreg[3]&0xff);
  printf("%02X", keyreg[2]&0xff);
  printf("%02X", keyreg[1]&0xff);
  printf("%02X", keyreg[0]&0xff);
}

/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/
/* decrypt: 32-bit decryption
/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/

void decrypt(void)

{

  byte index;
  int count;

  byte table[32] = /* a lookup table */
  { 0,1,1,1,0,1,0,0,0,0,1,0,1,1,1,0,0,0,1,1,1,0,1,0,0,1,0,1,1,1,0,0 };


  for(count=0; count < (528+48); count++)
  {

    if (count>=528) goto rotate_key; /* last 48 rotates restore the key */

    fprintf(fl2,"%04d ",count);
    fprintf(fl2,"%02X",shfreg[3]&0xff);
    fprintf(fl2,"%02X",shfreg[2]&0xff);
    fprintf(fl2,"%02X",shfreg[1]&0xff);
    fprintf(fl2,"%02X\n",shfreg[0]&0xff);

    index = 0;
    ifbit (shfreg[0],0) setbit(index,0);
    ifbit (shfreg[1],0) setbit(index,1);
    ifbit (shfreg[2],3) setbit(index,2);
    ifbit (shfreg[3],1) setbit(index,3);
    ifbit (shfreg[3],6) setbit(index,4); /* prepare for lookup table */

    carry =  getbit(shfreg[1],7)  XOR  getbit(shfreg[3],7)  XOR
         getbit(keyreg[1],7)  XOR  table[index];

    left_shift_carry(shfreg[0]); /* shift in the new bit */
    left_shift_carry(shfreg[1]);
    left_shift_carry(shfreg[2]);
    left_shift_carry(shfreg[3]);

rotate_key:

    carry = getbit(keyreg[7],7); /* get the leftmost key bit */
    left_shift_carry(keyreg[0]);
    left_shift_carry(keyreg[1]);
    left_shift_carry(keyreg[2]);
    left_shift_carry(keyreg[3]);
    left_shift_carry(keyreg[4]);
    left_shift_carry(keyreg[5]);
    left_shift_carry(keyreg[6]);
    left_shift_carry(keyreg[7]); /* left-rotate the 64-bit key */

    /* the key is rotated 576 times, which is a multiple of 64 */
    /* the key therefore remains unchanged */

  }

    fprintf(fl2,"0528 ");
    fprintf(fl2,"%02X",shfreg[3]&0xff);
    fprintf(fl2,"%02X",shfreg[2]&0xff);
    fprintf(fl2,"%02X",shfreg[1]&0xff);
    fprintf(fl2,"%02X\n",shfreg[0]&0xff);

}

/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/
/* left_shift_carry: left "rotate" through carry
/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/

void lleft_shift_carry(byte *s)

{
  byte temp;
  temp = getbit(*s,7); /* grab the leftmost bit */
  *s <<= 1; /* shift 1 left */
  *s |= carry; /* move the carry into rightmost */
  carry = temp; /* carry now becomes the bit that shifted out */
}


/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/
/* end of file klq_demo.c
/*ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ*/

Offline

#4 2009-10-03 08:27:44

cybergibbons
Member
Registered: 2009-10-02
Posts: 9

Re: Differential/Simple Power Analysis of Keeloq

I'm wondering what kind of equipment you need to work in this area.

Some papers talk of top-of-the-range 10GS/s scopes with huge memory buffers, and expensive near field probes, and others much more basic, PC based oscilloscopes. I can imagine that noise is probably a big factor.

The most common way of measuring the power seems to be a low valued resistor in the path to ground, and then measure the voltage across it. I might just try it out with basic equipment and see if anything can be cleaned.

There are some commercial solutions to this kicking about:
* Inspector: http://www.riscure.com/inspector/produc … a-new.html
* DPA Workstation: http://www.cryptography.com/technology/ … ation.html

I can't see a ready-made software application being flexible enough to perform effective DPA for a range of devices though.

Offline

#5 2009-10-03 10:00:10

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Differential/Simple Power Analysis of Keeloq

the garage remote control used to work in 433mhz or 2xx mhz so i think proxmark could intercept the signal with a new frimware

Offline

#6 2009-10-03 11:14:34

cybergibbons
Member
Registered: 2009-10-02
Posts: 9

Re: Differential/Simple Power Analysis of Keeloq

Hmm, I think you might have the wrong end of the stick.

Power Analysis is when you measure the power that a cryptographic processor or system is using. If you have prior knowledge of the algorithm, then you can infer certain information from this, such as private keys.

It's not hard to receive or transmit the raw bitsteam on 433Mhz - you can buy the transmitters and receivers in pretty much any electronics shop. Modifying Proxmark would be a very odd way of going about this - at the moment there aren't any attacks on Keeloq which require the tight timing constraints in the same way that Mifare does.

Offline

#7 2009-10-14 16:25:29

cybergibbons
Member
Registered: 2009-10-02
Posts: 9

Re: Differential/Simple Power Analysis of Keeloq

Just a quick follow up on this - I'm now using a 1GS/S scope with a 2MSample buffer, and a logic analyzer to look into rolling code RF devices.

I've come up against one major issue - it seems that nearly all of the RF devices I have found don't use any form of encryption or rolling code, and are vulnerable to simple replay attacks. Reading the sales literature would have you believe they do though.

I'm currently looking at a wireless PIR in a popular alarm system. It has an Elan microprocessor in it running at 32.78kHz. I'm currently setting up a test rig to see if I can read the code out of the processor. The microprocessor is a very cheap Chinese clone of a Microchip PIC, so it's highly likely to be susceptible to the glitching attacks that worked on older PICs.

Offline

Board footer

Powered by FluxBB