2002 Microchip Technology Inc.
Preliminary
DS41099C-page 3
HCS412
1.1 Encoder Overview
The HCS412 code hopping transcoder is designed
specifically for passive entry systems, primarily vehicle
access. The transcoder portion of a passive entry system
is integrated into a transmitter, carried by the user
and operated to gain access to a vehicle or restricted
area. The HCS412 is meant to be a cost-effective yet
secure solution to such systems, requiring very few
external components (Figure 2-6).
1.1.1 LOW-END SYSTEM SECURITY RISKS
Most low-end keyless entry transmitters are given a
fixed identification code that is transmitted every time a
button is pushed. The number of unique identification
codes in a low-end system is usually a relatively small
number. These shortcomings provide an opportunity
for a sophisticated thief to create a device that ‘grabs’
a transmission and retransmits it later, or a device that
quickly ‘scans’ all possible identification codes until the
correct one is found.
1.1.2 HCS412 SECURITY
The HCS412, on the other hand, employs the KEELOQ
code hopping technology coupled with a transmission
length of 69 bits to virtually eliminate the use of code
‘grabbing’ or code ‘scanning’. The high security level of
the HCS412 is based on the patented KEELOQ technology.
A block cipher based on a block length of 32 bits
and a key length of 64 bits is used. The algorithm
obscures the information in such a way that even if the
transmission information (before coding) differs by only
one bit from that of the previous transmission, statistically
greater than 50 percent of the next transmission’s
encrypted bits will change.
1.1.3 HCS412 HOPPING CODE
The 16-bit synchronization counter is the basis behind
the transmitted code word changing for each transmission;
it increments each time a button is pressed.
Once the device detects a button press, it reads the
button inputs and updates the synchronization counter.
The synchronization counter and crypt key are input to
the encryption algorithm and the output is 32 bits of
encrypted information. This encrypted data will change
with every button press, its value appearing externally
to ‘randomly hop around’, hence it is referred to as the
hopping portion of the code word. The 32-bit hopping
code is combined with the button information and serial
number to form the code word transmitted to the
receiver. The code word format is explained in greater
detail in Section 3.2.
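The hopping behaviour described in 1.1.2 and 1.1.3, as an added example (not Microchip's code and not part of the data sheet): a Python sketch of the publicly documented KEELOQ shift-register structure, showing that consecutive counter values give unrelated-looking 32-bit codes and that a receiver tracking the counter rejects a code sent a second time. The plaintext layout (FILLER above the 16-bit counter), the key value, the Receiver class and its acceptance window are assumptions made for illustration; the real code word format is in Section 3.2.

```python
NLF = 0x3A5C742E           # KEELOQ nonlinear function as a 32-entry truth table
MASK32 = 0xFFFFFFFF
FILLER = 0x5A3C            # constructed upper 16 plaintext bits (assumption)
KEY = 0x0123456789ABCDEF   # constructed 64-bit crypt key

def _bit(x, n):
    return (x >> n) & 1

def _nlf(x, a, b, c, d, e):
    idx = _bit(x, a) | _bit(x, b) << 1 | _bit(x, c) << 2 | _bit(x, d) << 3 | _bit(x, e) << 4
    return _bit(NLF, idx)

def keeloq_encrypt(block, key):
    """32-bit block, 64-bit key, 528 shift-register rounds."""
    x = block & MASK32
    for r in range(528):
        fb = _bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63) ^ _nlf(x, 1, 9, 20, 26, 31)
        x = (x >> 1) | (fb << 31)
    return x

def keeloq_decrypt(block, key):  # inverse: runs the register backwards
    x = block & MASK32
    for r in range(528):
        fb = _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63) ^ _nlf(x, 0, 8, 19, 25, 30)
        x = ((x << 1) & MASK32) | fb
    return x

def hopping_code(counter, key):
    """Encoder: encrypt a plaintext whose low 16 bits are the sync counter."""
    return keeloq_encrypt((FILLER << 16) | (counter & 0xFFFF), key)

class Receiver:  # hypothetical decoder, not the data sheet's algorithm
    def __init__(self, key, last_counter, window=16):
        self.key, self.last, self.window = key, last_counter, window

    def accept(self, code):
        plain = keeloq_decrypt(code, self.key)
        ahead = ((plain & 0xFFFF) - self.last) & 0xFFFF
        # Reject invalid codes, replays (counter not ahead) and far-off counters.
        if plain >> 16 != FILLER or not 1 <= ahead <= self.window:
            return False
        self.last = plain & 0xFFFF
        return True

if __name__ == "__main__":
    first, second = hopping_code(100, KEY), hopping_code(101, KEY)
    print(f"{first:08X} -> {second:08X}: {bin(first ^ second).count('1')} of 32 bits differ")
    rx = Receiver(KEY, last_counter=99)
    print("fresh:", rx.accept(first), "| same code replayed:", rx.accept(first))
```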
FIGURE 1-1: BUILDING THE TRANSMITTED CODE WORD (ENCODER)
1.2 Identify Friend or Foe (IFF) Overview
Validation of a token first involves an authentication
device sending a random challenge to the token. The
token then replies with a calculated response that is a
function of the received challenge and the stored crypt
key. The authentication device (the transponder reader)
performs the same calculation and compares it to the
token’s response. If they match, the token is identified
as valid and the transponder reader can take appropriate
action.
The HCS412’s 32-bit IFF response is generated using
one of two possible encryption algorithms and one of
two possible crypt keys; four combinations total. The
authenticating device precedes the challenge with a
five-bit command word dictating which algorithm and
key to use in calculating the response.
The bi-directional communication path required for IFF
is typically inductive for short range (<10cm) transponder
applications and an inductive challenge, RF
response for longer range (~1.5m) passive entry applications.
[Figure 1-1 block diagram labels: Button Press Information; EEPROM Array; Crypt Key; Sync Counter; Serial Number; KEELOQ Encryption Algorithm; 32 Bits of Encrypted Data; Serial Number; Transmitted Information]