BMW Lock Pick tools

12-26-2006, 07:13 AM  #21
Dragonii (Members)
Join Date: Jul 2004
Location: Belgium
Posts: 42

All very nice, but what about Comfort Access? I read somewhere about a study by some university guys about RF remote controls used on a lot of car brands and their main dependence on a Texas Instruments encryption chip using 40-bit DES keys. They went on to prove in this paper that this was easily broken.

So my question is, to anyone who's familiar with this topic, what's the authentication and encryption mechanism used by BMW for Comfort Access?

12-26-2006, 07:42 AM  #22
dlevi67 (Contributors)
Join Date: Jul 2006
Location: Oxfordshire, UK
Posts: 1,180
My Ride: E61 535d Apr 05. UK spec + Media Pack, Luxury Pack & Visibility Pack

Originally Posted by aybeesea:
For those of us that don't understand permutations, you cannot use the same symbol (or physical item) AGAIN once it has been chosen

So, 00, 11, 22 ... 99 are EXCLUDED in the calculation of permutations. It's not surprising that there are 90 permutations when these occurrences are removed.

I'm not sure where using permutations in the explanation of number bases is taking us.

ABC
You are the one who brought up permutations without repetition... which have little to do with the structure of the problem here. How would you structure the formula you are using if you had two keys to use? Naive application of "your" logic, would mean that the number of permutations decreases.

The permutation formula you have used applies to cases where you want to identify the number of subsets that can be extracted from one set without repetition, hence the restriction on "cannot use the same symbol". It was originally developed by Pascal to work out gambling probabilities - amongst other things, and in a pack of cards you only have one ace of spades. But here you have two sets: left and right halves, so you can choose the same element (in the 1111 to 2222 sequence) on either side.

12-26-2006, 07:52 AM  #23
dlevi67 (Contributors)
Join Date: Jul 2006
Location: Oxfordshire, UK
Posts: 1,180
My Ride: E61 535d Apr 05. UK spec + Media Pack, Luxury Pack & Visibility Pack

Originally Posted by Dragonii (Dec 26 2006, 04:13 PM):
All very nice, but what about Comfort Access? I read somewhere about a study by some university guys about RF remote controls used on a lot of car brands and their main dependence on a Texas Instruments encryption chip using 40-bit DES keys. They went on to prove in this paper that this was easily broken.

So my question is, to anyone who's familiar with this topic, what's the authentication and encryption mechanism used by BMW for Comfort Access?
Yes, you can break down a 40-bit code easily. Assuming each 40-bit code cycle takes 10us, then in about 60 days on average you'll get there by brute force...

Which is great in a lab, but not so great on the street. Don't know about you, but I rarely leave my car parked in the same spot for 60 days in a row... and if you open it, the code changes, so it's back to square one.

12-26-2006, 08:29 AM  #24
aybeesea (Senior Members)
Join Date: Apr 2006
Location: UK
Posts: 3,097

Originally Posted by dlevi67:
How would you structure the formula you are using if you had two keys to use? Naive application of "your" logic, would mean that the number of permutations decreases.
Nope. If you had 4 "key sides" then the number of options would be 16^4.

Originally Posted by dlevi67 (Dec 26 2006, 04:42 PM):
The permutation formula you have used applies to cases where you want to identify the number of subsets that can be extracted from one set without repetition
Indeed. And that's what we have to do with EACH half key. None can be reused. (16 P 1) gives 16 options; 2 sides so 16^2 options.

I still find the last bit of "This gives exactly 240 permutations + 16 cases where the same "sequence" is picked twice, once for left, once for right." impenetrable. But that's just my feeble brain.

ABC

12-26-2006, 08:42 AM  #25
aybeesea (Senior Members)
Join Date: Apr 2006
Location: UK
Posts: 3,097

Originally Posted by dlevi67 (Dec 26 2006, 04:52 PM):
.. and if you open it, the code changes, so it's back to square one.
What I've never understood is how does a second key work in these cases.

eg my wife doesn't use my e60 for say 20 of my lock/open sequences, then her key can open it.

And it doesn't take it 60 days.

ABC

12-26-2006, 09:57 AM  #26
Dragonii (Members)
Join Date: Jul 2004
Location: Belgium
Posts: 42

Originally Posted by dlevi67 (Dec 26 2006, 10:52 AM):
Yes, you can break down a 40-bit code easily. Assuming each 40-bit code cycle takes 10us, then in about 60 days on average you'll get there by brute force...

Which is great in a lab, but not so great on the street. Don't know about you, but I rarely leave my car parked in the same spot for 60 days in a row... and if you open it, the code changes, so it's back to square one.
Care to elaborate a bit more on how the whole thing works? I'm considering Comfort Access as an option on my future 5 Series and, even if it's fully insured, I'm not willing to get my car stolen that easily (or should I say stealthily).

12-26-2006, 10:07 AM  #27
dlevi67 (Contributors)
Join Date: Jul 2006
Location: Oxfordshire, UK
Posts: 1,180
My Ride: E61 535d Apr 05. UK spec + Media Pack, Luxury Pack & Visibility Pack

Originally Posted by aybeesea:
It's EXACTLY the structure of the problem here. You can ONLY use a single key half ONCE (1 out of 16) on each of TWO sides and when it's used, it's GONE and no longer features so, as I said (16 P 1) = 16 choices for one side. The result has to be squared to consider the complementary set of key halves.
No it's not. This is the first time you mention (16 P 1).

To begin with you came up with a nPr proposition of (16, 2). Which would mean out of one set of 16 keys, how many pairs can we pick. Answer: 240 useless pairs, because they are all left or right halves. Then you proposed (32, 2), which would mean out of 32 keys, how many pairs can we have. Answer: 992, of which 752 are not physically workable in the lock because they are either pairings of lefts or rights, or they are a "wrong" pair with the left on the right or vice versa. Neither of which is the right answer.

To wriggle your way out and keep some nPr formula in there, now you propose to use a banal case (16, 1), but you still need to use an exponent to make things work out, as there are two halves to each key. And it still does not explain where the "16" came from. How did the tool makers know to make 16 keys? The problem is not how to select the keys. It's how to pick the lock.

Originally Posted by aybeesea:
What I've never understood is how does a second key work in these cases.

eg my wife doesn't use my e60 for say 20 of my lock/open sequences, then her key can open it.

And it doesn't take it 60 days.

ABC
Yep. Interesting problem. I don't know for sure, but I suspect the key actually sends two signals: one that says "I'm key number xxxx", and a second one that says "This is my code yyyy". A bit like user ID and password.

12-26-2006, 10:58 AM  #28
colejl (Contributors)
Join Date: Nov 2004
Location: Essex, UK
Posts: 2,325

Originally Posted by dlevi67 (Dec 26 2006, 07:07 PM):
Yep. Interesting problem. I don't know for sure, but I suspect the key actually sends two signals: one that says "I'm key number xxxx", and a second one that says "This is my code yyyy". A bit like user ID and password.
And what if you push the button out of range? I presume the codes change each time you press the button...?

I always presumed they worked on some sort of public/private key combination like RSA SecurID's? (But that would need some form of time base on the key?)
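
The questions raised in posts #25 to #28 (a second key that still works after 20 uses of the first, a replayed code, a button pressed out of range) can be worked through with a generic rolling-code model. This is an added example, not part of the thread and not BMW's actual mechanism: the HMAC-SHA256 derivation, the `WINDOW` size, the secrets and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW = 256  # assumed look-ahead: missed presses the receiver tolerates


def code_for(secret: bytes, counter: int) -> bytes:
    """Derive the one-time code for a press counter (truncated to 40 bits)."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:5]


class Fob:
    def __init__(self, key_id: int, secret: bytes):
        self.key_id, self.secret, self.counter = key_id, secret, 0

    def press(self):
        """Every press advances the counter, in range of the car or not."""
        self.counter += 1
        return self.key_id, code_for(self.secret, self.counter)


class Receiver:
    def __init__(self, fobs):
        # One secret and one last-accepted counter per enrolled key.
        self.state = {f.key_id: [f.secret, 0] for f in fobs}

    def accept(self, key_id: int, code: bytes) -> bool:
        if key_id not in self.state:
            return False
        secret, last = self.state[key_id]
        # Only counters ahead of the last accepted one are candidates,
        # so an already-used code can never match again.
        for c in range(last + 1, last + 1 + WINDOW):
            if hmac.compare_digest(code, code_for(secret, c)):
                self.state[key_id][1] = c
                return True
        return False


def demo():
    a = Fob(1, b"constructed-secret-A")  # constructed sample secrets
    b = Fob(2, b"constructed-secret-B")
    car = Receiver([a, b])
    first = a.press()
    out = {"first_use": car.accept(*first), "replay": car.accept(*first)}
    for _ in range(20):                  # key 1 used 20 more times
        car.accept(*a.press())
    out["second_key_after_20"] = car.accept(*b.press())
    for _ in range(5):                   # 5 presses out of range
        a.press()
    out["after_out_of_range"] = car.accept(*a.press())
    out["blind_guess"] = car.accept(1, bytes(5))
    return out
```

In this model each key has its own counter, so use of one key never invalidates the other, and the look-ahead window absorbs presses the car never received while still rejecting replays.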

12-26-2006, 12:27 PM  #29
andy545 (Contributors)
Join Date: Jul 2004
Location: expat in The Netherlands
Posts: 3,486
My Ride: BMW 545iA Black Sapphire
Model Year: 2005
Engine: 545i

The German company selling the KIT

12-26-2006, 01:15 PM  #30
KAF (Contributors)
Join Date: Dec 2005
Location: Chippenham, Wiltshire UK
Posts: 1,261
My Ride: F11 535i M-Sport, Silver, Black Leather, LED Adaptive headlights
Model Year: 2015
Engine: N55

There are legitimate uses for this kit, motoring organisations, breakdown companies, locksmiths etc.

Trouble is, the bad guys get to use them as well.

A bit like the old American saying, 'guns don't kill people, people kill people'.

