Re: AES MAC security question
From: Andrew Swallow (am.swallow_at_btopenworld.com)
Date: 07/02/05
Date: Sat, 2 Jul 2005 19:55:02 +0000 (UTC)
Rein Anders Apeland wrote:
[snip]
>
> Since the RF packet is so small that it fits inside one AES block,
> I am thinking of padding the packet to full 128 bits, encrypt it
> and then truncate the result to e.g. 32 bits and use that as a MAC.
> Because of the low bandwidth of the system, I believe truncating is
> ok in this case.
32 bits!!!!
This lock is pickable.
Time required = (2**32 * packet length) / data rate
For a packet size of 128 bits and a 5 megabit rate
Time = ( 4294967296 * 128 ) / 5000000 = 109951.1627776 seconds
= 30.54 hours
A thief could steal the car in a weekend.
Method - hide a transmitter in a cigarette packet.
Listen out for the Transmitter ID when the car is parked.
Plant naughty transmitter near the car.
Set it to go through all possible values of the MAC.
Come back the next evening, pick up transmitter and drive car away.
A simple enhancement is to limit the number of rejected packets,
due to a faulty MAC with a valid Transmitter ID, to 100. Then
inhibit that Transmitter ID.
Replacement ID from manufacturer via authorised dealers.
It is not accidental that the crypto community has standardised
on 128 bit key Variables. They have to be that long to be
secure.
If all cars use the same AES Key Variable the MAC can be
calculated, the thief can open the car faster than its owner.
Either every car should use a different Key Variable or every
Transmitter ID should use a different Key Variable, which are
inserted during production. With thought, giving each car a
unique and random set of key Variables should not cost
more than £1 a car.
It is cheaper to get this right first time than to spend
millions of dollars retrofitting all the locks. Just
imagine the embarrassment of being the *** of the joke
by every comedian in the country.
Andrew Swallow
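
The figures in the reply above, and its rejected-packet limit, worked through as an added example that is not part of the original message. The `Receiver` class, the sample key and the use of truncated HMAC-SHA256 in place of the thread's AES construction are assumptions made so the code runs on the Python standard library alone.

```python
import hashlib
import hmac

TAG_BITS = 32        # truncated MAC length proposed in the thread
MAX_REJECTS = 100    # rejected-packet limit suggested in the reply

def exhaustive_search_hours(tag_bits, packet_bits, bits_per_second):
    """Time to transmit one packet per possible tag value (the reply's formula)."""
    return (2 ** tag_bits) * packet_bits / bits_per_second / 3600

def forgery_bound(tag_bits, max_rejects):
    """Upper bound on a blind forgery succeeding before the ID is inhibited."""
    return min(1.0, max_rejects / 2 ** tag_bits)

def make_tag(key, payload):
    # Stand-in MAC (assumption): truncated HMAC-SHA256, not the thread's AES construction.
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_BITS // 8]

class Receiver:
    """Hypothetical receiver holding one key per Transmitter ID."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.rejects = {tid: 0 for tid in self.keys}

    def inhibited(self, tid):
        return self.rejects.get(tid, 0) >= MAX_REJECTS

    def accept(self, tid, payload, tag):
        if tid not in self.keys or self.inhibited(tid):
            return False
        if hmac.compare_digest(make_tag(self.keys[tid], payload), tag):
            return True
        self.rejects[tid] += 1   # assumption: cumulative, not reset by a valid packet
        return False

if __name__ == "__main__":
    print(f"{exhaustive_search_hours(32, 128, 5_000_000):.2f} h to cover 32-bit tags")
    print(f"{forgery_bound(32, 100):.2e} forgery bound with a 100-reject limit")
    print(f"{exhaustive_search_hours(64, 128, 5_000_000):.3e} h to cover 64-bit tags")
```

The counter is cumulative, so an inhibited ID stays inhibited until it is replaced, which trades availability for the forgery bound.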