Design and safety considerations of passive anti-t

2022-09-22

Automotive passive anti-theft system design and safety considerations

Introduction

Over the years, drivers have come to rely on the convenience and added security of passive automotive anti-theft systems (immobilizers). Such a system consists of a key fob (transponder) carried by the driver and a base station installed in the car. Together the two decide whether the person holding the key is entitled to start the car and, more importantly, prevent anyone else from using it. Although the function of an immobilizer looks simple on the surface, the technology behind it is complex and interesting. This article discusses the hardware and software issues of automotive immobilizers and comments on the design and security considerations that deserve attention.

Communication

In today's passive immobilizers, the key fob and the car communicate mainly through a modulated magnetic field, which the car's base station generates from a low-frequency (typically 125 kHz) alternating current. The field serves three purposes: a) it is the fob's energy source, which is why the system is called "passive"; b) it is the carrier for information sent from the base station to the fob (the "downlink"); c) it is the carrier for information sent from the fob to the base station (the "uplink").

Since the immobilizer must work fully passively (that is, with no battery in the fob), a magnetic field is particularly well suited to this application. Both detection of the downlink field and modulation of the uplink can be realised with circuits that consume very little power, and energy can easily be drawn from the field itself to power those circuits in the fob.

Several key parameters must be weighed carefully at the system design stage, such as the energy requirement of the fob (which determines the geometry and drive level of the antenna coil) and the security of the authentication process (which directly affects response time). These are discussed one by one below.

System interfaces

The architecture of an immobilizer is divided into several abstraction layers, each representing a different system interface. Figure 1 shows these layers graphically.

Figure 1. Interface layering of the automotive immobilizer

Physical layer

The lowest layer of the immobilizer is the physical layer. It consists of an antenna coil installed in the vehicle that generates a magnetic field strong enough for the antenna coil in the user's key fob to detect and modulate.

Magnetic field generation and modulation

Immobilizers fall into two categories according to how the magnetic field carries data: half duplex and full duplex. In a half-duplex system the vehicle antenna coil alternates between energy-transfer and data-transfer periods, and data is modulated by frequency shift keying (FSK). Figure 2 illustrates this scheme. Two points are clear from Figure 2: first, because energy transfer (charging the fob) has to be repeated, the data rate is greatly reduced; second, the modulated signal is very small compared with the field during energy transfer, so it is more susceptible to ambient noise, which reduces the working distance. These drawbacks have caused half-duplex systems to fall out of use.

Full-duplex systems are now predominant. In these the vehicle antenna coil transfers energy and data at the same time, and data is modulated by amplitude shift keying (ASK). Figure 3 illustrates this scheme. Its data rate is clearly much better than that of a half-duplex system, because data and power are transferred simultaneously rather than pausing to charge the fob. Moreover, the constant carrier field masks interference and keeps communication robust and reliable during data transfer, and the scheme can be implemented with a simple envelope-detection circuit. Given that full-duplex immobilizers dominate the market, the rest of this article concentrates on them.

Logic layer

Above the physical layer is the logic layer. It covers the characteristics and requirements of transmitting and encoding data on the magnetic field, and it applies to both directions: from car to fob (commonly called the "downlink") and from fob to car (the "uplink").

Downlink

Downlink information is encoded by pulse-length modulation, generally binary pulse-length modulation (BPLM) or quad pulse-length modulation (QPLM). The method inserts a fixed-length slot "TGAP" during which the carrier field is switched off, and the interval from one gap to the next takes one of a set of predetermined values: t0 corresponds to logic "0" and t1 to logic "1". The advantage of this scheme is that energy transfer from car to fob is built into the data encoding, so the fob is guaranteed enough power to process the data. Its disadvantage is that the baud rate depends on the logic values in the bit stream being sent, because the two binary states take different times to transmit. Figure 4 shows this encoding in more detail.

Figure 4. BPLM coding

QPLM is a variant of BPLM in which two bits are transmitted after each gap, so more energy is available to the transponder and the average baud rate is higher than with BPLM. The principle is the same as for BPLM, except that the number of allowed states is extended from 2 to 4 and the set of predetermined gap-to-gap intervals is extended to cover the extra states. Figure 5 shows QPLM graphically.

Figure 5. QPLM coding
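As an added example (not code from the original article or from any Atmel product), the following Go program encodes and decodes both the BPLM of Figure 4 and the QPLM of Figure 5: the envelope is a fixed carrier-off gap followed by a carrier-on interval whose length selects the symbol, and the decoder times the stream gap to gap. The timing constants, the one-sample-per-microsecond representation, the preamble length and the quarter-step tolerance are assumptions chosen for illustration, not figures from a data sheet.

```go
package main

import "fmt"

// Illustrative timings in microseconds (assumptions for this example, not
// values from any data sheet). At 125 kHz one carrier cycle is 8 µs, so a
// 64 µs gap is eight missing cycles.
const (
	tGap  = 64  // carrier-off slot that separates symbols
	t0    = 128 // carrier-on time after a gap for symbol value 0
	tStep = 64  // extra carrier-on time per higher symbol value
)

// plmEncode builds the downlink envelope for bits (MSB first) as one sample
// per microsecond, 1 = carrier on, 0 = carrier off. bitsPerSym = 1 gives
// BPLM (two intervals), bitsPerSym = 2 gives QPLM (four intervals). The
// envelope opens with preamble µs of unmodulated carrier to charge the
// transponder and closes with a final gap so the last symbol can be timed.
func plmEncode(bits []int, bitsPerSym, preamble int) ([]byte, error) {
	if bitsPerSym < 1 || len(bits)%bitsPerSym != 0 {
		return nil, fmt.Errorf("%d bits do not split into %d-bit symbols", len(bits), bitsPerSym)
	}
	var env []byte
	emit := func(level byte, n int) {
		for i := 0; i < n; i++ {
			env = append(env, level)
		}
	}
	emit(1, preamble)
	for i := 0; i < len(bits); i += bitsPerSym {
		v := 0
		for _, b := range bits[i : i+bitsPerSym] {
			if b != 0 && b != 1 {
				return nil, fmt.Errorf("bit value %d", b)
			}
			v = v<<1 | b
		}
		emit(0, tGap)
		emit(1, t0+v*tStep)
	}
	emit(0, tGap) // closing gap: symbols are timed gap to gap
	emit(1, t0)
	return env, nil
}

// plmDecode recovers the bits by timing the interval between consecutive
// falling edges (start of gap) and mapping it to the nearest symbol value.
// A gap of the wrong length, or an interval more than tStep/4 away from a
// valid symbol, is rejected rather than guessed, which is how a transponder
// notices a noisy or forged downlink.
func plmDecode(env []byte, bitsPerSym int) ([]int, error) {
	maxV := 1<<uint(bitsPerSym) - 1
	var edges []int
	for i := 1; i < len(env); i++ {
		if env[i-1] == 1 && env[i] == 0 {
			edges = append(edges, i)
		}
	}
	var bits []int
	for k := 1; k < len(edges); k++ {
		start, g := edges[k-1], 0
		for start+g < len(env) && env[start+g] == 0 {
			g++
		}
		if g != tGap {
			return nil, fmt.Errorf("gap of %d µs at %d, expected %d", g, start, tGap)
		}
		rem := edges[k] - start - tGap - t0
		v := (rem + tStep/2) / tStep
		if v < 0 || v > maxV || abs(rem-v*tStep) > tStep/4 {
			return nil, fmt.Errorf("interval at %d matches no symbol", start)
		}
		for s := bitsPerSym - 1; s >= 0; s-- {
			bits = append(bits, (v>>uint(s))&1)
		}
	}
	return bits, nil
}

func abs(x int) int {
	if x < 0 {
		return -x
	}
	return x
}

func main() {
	bits := []int{1, 0, 1, 1, 0, 0, 1, 0}
	for _, n := range []int{1, 2} {
		env, _ := plmEncode(bits, n, 500)
		got, err := plmDecode(env, n)
		fmt.Printf("%d bit(s)/symbol: frame %d µs, decoded %v, err %v\n", n, len(env), got, err)
	}
}
```

Running it shows the data-dependent frame time the text mentions: with these constants eight 1 bits take 2740 µs in BPLM and eight 0 bits 2228 µs, while the same eight bits sent as four QPLM symbols take less time again. The gap-length check and the symbol tolerance in plmDecode are what let a transponder refuse a downlink whose timing is off, instead of decoding noise into commands.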

Uplink

Communication from the key fob to the vehicle base station generally uses Manchester or biphase coding. These codings share properties that differ from the downlink: a) the average duty cycle of the encoded bit stream is always 50%; b) the time needed to send the encoded data depends only on the baud rate. Both codings allow the clock to be extracted from the encoded data stream, because every period in the encoded bit stream is quantised to T or 2T (T is half a bit period), and the data rate is fixed at 1/(2T). Clock extraction only has to detect the shortest period T and lock its phase to the encoded bit stream.

Figure 6. Manchester and biphase coding
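An added example (not from the original article) of the uplink coding: a Go encoder for Manchester code and a decoder that performs the clock extraction described above, taking T as the shortest run it sees, quantising every run to T or 2T, and using a 2T run to fix the bit phase. The sampled-waveform representation, the polarity (0 = high then low, 1 = low then high) and the deterministic timing jitter added by render are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// manchesterEncode maps each bit to two half-bit levels: 0 = high then low,
// 1 = low then high (assumed polarity; the reverse works identically).
func manchesterEncode(bits []int) []int {
	levels := make([]int, 0, 2*len(bits))
	for _, b := range bits {
		levels = append(levels, 1-b, b)
	}
	return levels
}

// render turns half-bit levels into a sampled waveform (one sample per µs);
// each half-bit lasts halfBit µs plus -jitter, 0 or +jitter in turn, so the
// decoder has to tolerate the kind of timing error an envelope detector adds.
func render(levels []int, halfBit, jitter int) []byte {
	var out []byte
	for i, l := range levels {
		for k := 0; k < halfBit+(i%3-1)*jitter; k++ {
			out = append(out, byte(l))
		}
	}
	return out
}

// runLengths returns the first level and the length of every constant run.
func runLengths(samples []byte) (first byte, runs []int) {
	if len(samples) == 0 {
		return 0, nil
	}
	first, n := samples[0], 1
	for i := 1; i < len(samples); i++ {
		if samples[i] == samples[i-1] {
			n++
			continue
		}
		runs, n = append(runs, n), 1
	}
	return first, append(runs, n)
}

// manchesterDecode extracts clock and data: T is the shortest run (every run
// is T or 2T); each run is quantised to 1 or 2 units, rejecting anything off
// by more than T/4; the first 2T run fixes the bit phase, because such a run
// always straddles a bit boundary; then each half-bit pair becomes a bit.
func manchesterDecode(samples []byte) ([]int, error) {
	first, runs := runLengths(samples)
	if len(runs) < 2 {
		return nil, errors.New("no transitions in input")
	}
	t := runs[0]
	for _, r := range runs {
		if r < t {
			t = r
		}
	}
	var levels []int
	phase, level := -1, int(first)
	for _, r := range runs {
		units := (r + t/2) / t // nearest of 1 or 2
		dev := r - units*t
		if dev < 0 {
			dev = -dev
		}
		if units > 2 || dev > t/4 {
			return nil, fmt.Errorf("run of %d µs is neither T nor 2T (T=%d)", r, t)
		}
		if units == 2 && phase < 0 {
			phase = (len(levels) + 1) % 2 // the bit boundary lies mid-run
		}
		for k := 0; k < units; k++ {
			levels = append(levels, level)
		}
		level ^= 1
	}
	if phase < 0 {
		return nil, errors.New("no 2T run: bit phase cannot be determined")
	}
	var bits []int
	for i := phase; i+1 < len(levels); i += 2 {
		switch {
		case levels[i] == 1 && levels[i+1] == 0:
			bits = append(bits, 0)
		case levels[i] == 0 && levels[i+1] == 1:
			bits = append(bits, 1)
		default:
			return nil, fmt.Errorf("invalid half-bit pair at half-bit %d", i)
		}
	}
	return bits, nil
}

func main() {
	fmt.Println(manchesterDecode(render(manchesterEncode([]int{0, 1, 1, 0, 0, 1, 0, 1}), 32, 2)))
}
```

The decoder returns an error when the stream contains no 2T run, because a run of identical bits is then indistinguishable from its complement; that is why a transponder frame starts with a header containing a transition the receiver can lock onto. Biphase coding has the same T/2T structure and is decoded the same way, only the mapping from half-bit pairs to bits differs.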

Protocol layer

The protocol layer defines how individual data bits are grouped for communication between the vehicle base station and the key fob: how many bits there are and in what order they are transmitted between the reader and the transponder. By way of a simple analogy, it is like the grammatical rules for forming sentences from words: the protocol layer is the sentence, and the logic layer supplies the words. It forms a fixed set of commands and their permitted responses.

Authentication

Authentication is the term for the process of deciding whether the driver is entitled to start the car. The simplest form is one-way (unilateral) authentication, in which the car "tests" the key fob to determine whether it belongs to the car. If a further step is added in which the fob also "tests" the car, it becomes two-way, or mutual, authentication. This extra step clearly raises the level of security, at the cost of a longer authentication time.

One-way authentication

Generally, the one-way authentication protocol is initiated by the car and consists of the following steps:

1) the car reads the unique ID of the key fob (not to be confused with the secret key);

2) the car generates a random-number challenge and sends it to the key fob;

3) the key fob encrypts the challenge (using the secret key) and sends the result to the car as its response;

4) the car compares the fob's response with the response it has computed itself (using the same key and challenge).

Note: the car must hold the key fob's secret key for this process to succeed. The process of sharing the key is called "key learn" and is described in detail in the next section.

Figure 7. One-way authentication

Key learn: public and private

The key learn protocol is the process by which the car establishes a secret key and shares it with the key fob. Key learn can be public or private, depending on the restrictions and security settings of the key learn session that the car initiates.

A public key learn session generally consists of the following steps (shown in Figure 8):

1) the car generates a key from a random number and sends it to the key fob;

2) the key fob "accepts" the key, stores it in memory and sends an acknowledgement;

3) once it has received the fob's acknowledgement, the car stores the key in its own memory.

A public key learn session cannot keep the key from an eavesdropper, since the key is sent over the air in step 1, nor protect the car against unauthorised use. Where that protection is needed, the private key learn process must be used instead.

Figure 8. Public key learn

Two-way (quasi-interactive) authentication

Two-way, or quasi-interactive, authentication is a more complex process. The authentication implemented in Atmel immobilizer systems is not fully interactive, because it does not use random-number generators at both ends (car and key fob). Instead it uses a message authentication code (MAC) to let the fob verify that the car matches the key.

In the two-way case the protocol is again initiated by the car and consists of the following steps (shown in Figure 9):

1) the car reads the unique ID of the key fob;

2) the car generates a random-number challenge;

3) the car encrypts the random number (using key 1) to form a MAC, appends it to the challenge and sends both to the key fob;

4) the key fob encrypts the challenge (using key 1) and compares the result with the received MAC;

5) if they match, the key fob encrypts the challenge (using key 2) and sends the result to the car as its response;

6) the car compares the fob's response with the response it has computed itself (using the same key and challenge).

Figure 9. Two-way authentication
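An added example (not Atmel's protocol or code) that runs the public key learn, one-way and two-way sequences described above in Go, using AES-128 from the standard library as the encryption function: the car's MAC is the AES encryption of the challenge under key 1, and the fob's response is the AES encryption of the challenge under key 2, truncated to eight bytes. The 4-byte ID, the two 16-byte keys, the truncation length, and the rule that a fob refuses a second key learn are assumptions chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Bytes of the 16-byte AES output the fob sends back: shorter is faster over the slow magnetic link but weaker (assumed value).
const respLen = 8

// aesBlock is the "encrypt the challenge" primitive shared by car and fob.
func aesBlock(key, in [16]byte) (out [16]byte) {
	c, _ := aes.NewCipher(key[:]) // a 16-byte key cannot fail
	c.Encrypt(out[:], in[:])
	return
}

// random16 draws a fresh key or challenge; crypto/rand.Read never fails (Go 1.24+).
func random16() (b [16]byte) { rand.Read(b[:]); return }

// Fob models the transponder: fixed ID, key1 to check the car's MAC, key2 to compute its own response.
type Fob struct {
	ID         [4]byte
	key1, key2 [16]byte
	learned    bool
}

// StoreKeys is step 2 of public key learn; an already-learned fob refuses, so its keys cannot simply be overwritten later.
func (f *Fob) StoreKeys(k1, k2 [16]byte) bool {
	if f.learned {
		return false
	}
	f.key1, f.key2, f.learned = k1, k2, true
	return true
}

func (f *Fob) RespondOneWay(challenge [16]byte) []byte {
	r := aesBlock(f.key2, challenge)
	return r[:respLen]
}

// RespondTwoWay answers only if the car proved knowledge of key1 by sending MAC = AES_key1(challenge).
func (f *Fob) RespondTwoWay(challenge, mac [16]byte) ([]byte, error) {
	want := aesBlock(f.key1, challenge)
	if subtle.ConstantTimeCompare(want[:], mac[:]) != 1 {
		return nil, fmt.Errorf("fob: car failed authentication")
	}
	return f.RespondOneWay(challenge), nil
}

// Car holds the secrets of every fob it has learned, indexed by fob ID.
type Car struct{ keys map[[4]byte][2][16]byte }

func NewCar() *Car { return &Car{keys: map[[4]byte][2][16]byte{}} }

// Learn runs public key learn: random keys go to the fob in the clear, and the car keeps them only once the fob acknowledges.
func (c *Car) Learn(f *Fob) error {
	k1, k2 := random16(), random16()
	if !f.StoreKeys(k1, k2) {
		return fmt.Errorf("car: fob %x did not accept the keys", f.ID)
	}
	c.keys[f.ID] = [2][16]byte{k1, k2}
	return nil
}

// VerifyResponse recomputes the expected response with the fob's key2, comparing in constant time.
func (c *Car) VerifyResponse(id [4]byte, challenge [16]byte, resp []byte) bool {
	ks, ok := c.keys[id]
	if !ok || len(resp) != respLen {
		return false
	}
	want := aesBlock(ks[1], challenge)
	return subtle.ConstantTimeCompare(want[:respLen], resp) == 1
}

// AuthenticateOneWay: read the ID, send a fresh random challenge, check the reply.
func (c *Car) AuthenticateOneWay(f *Fob) bool {
	challenge := random16()
	return c.VerifyResponse(f.ID, challenge, f.RespondOneWay(challenge))
}

// AuthenticateTwoWay also sends MAC = AES_key1(challenge), so the fob can reject a car that lacks its keys.
func (c *Car) AuthenticateTwoWay(f *Fob) bool {
	ks, ok := c.keys[f.ID]
	if !ok {
		return false
	}
	challenge := random16()
	resp, err := f.RespondTwoWay(challenge, aesBlock(ks[0], challenge))
	return err == nil && c.VerifyResponse(f.ID, challenge, resp)
}

func main() {
	car, fob := NewCar(), &Fob{ID: [4]byte{0x00, 0x11, 0x22, 0x33}}
	fmt.Println("learn:", car.Learn(fob), "one-way:", car.AuthenticateOneWay(fob), "two-way:", car.AuthenticateTwoWay(fob))
	fmt.Println("right ID, no keys:", car.AuthenticateOneWay(&Fob{ID: fob.ID}))
}
```

Exercising these functions makes two practical points. The ID contributes nothing to security: a fob with the right ID and the wrong keys fails both sequences, a recorded response does not verify against a fresh challenge, and a fob refuses to answer any challenge that does not carry a valid MAC. On the other hand, anyone who captures the two keys while a public key learn session is in progress can build a fob that passes, which is exactly the weakness that motivates private key learn. Both comparisons use crypto/subtle so that the checks do not leak timing information.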

Encryption layer

The top layer is the encryption layer. It contains the mathematical function that converts plaintext into ciphertext. Ideally this function has two properties:

1) Uniqueness: every plaintext input must map to a unique ciphertext output.

2) Unpredictability: plaintext-to-ciphertext pairs must be unpredictable, even when a large sample of known plaintext-ciphertext pairs is available for analysis.

Public versus proprietary algorithms

Proprietary (secret) encryption algorithms were popular for many years. They have several shortcomings, however: a) the strength of the algorithm is uncertain; b) there is no peer review of the algorithm; c) if the algorithm leaks, the security damage can be widespread. In recent years a number of notable cases have been reported that illustrate these shortcomings. Perhaps the more striking disadvantage is that such systems lack interoperability and cannot share a common physical and logic layer, which hinders basic market competition and in many cases drives up system cost.

To address these problems, the industry began to adopt a public-domain encryption algorithm, the Advanced Encryption Standard (AES). The algorithm originated in the call for public-domain encryption algorithms issued by the US National Institute of Standards and Technology (NIST) in 1997. That year, a total of

Copyright © 2011 JIN SHI