Rolling code

Rolling Code Techniques
– A common PRNG (pseudorandom number generator), preferably cryptographically secure, is used in both transmitter and receiver.
– Transmitter sends the next code in sequence.
– Receiver compares the received code to its own calculated next code.
– A typical implementation compares against the next 256 codes in case the receiver missed some transmitted keypresses.
– HMAC-based one-time passwords (HOTP), widely employed in multi-factor authentication, use a similar approach, but with a pre-shared secret key and HMAC instead of a PRNG and pre-shared random seed.
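
The receiver-side check described above, as an added example that is not from the source. It uses the HOTP variant from the last bullet (RFC 4226); the Receiver class, the 8-digit code length and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 256  # look-ahead size, matching the "next 256 codes" mentioned above


def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Receiver:
    """Hypothetical receiver: tracks the next expected counter for one transmitter."""

    def __init__(self, key: bytes, counter: int = 0, window: int = WINDOW):
        self.key, self.counter, self.window = key, counter, window

    def accept(self, code: str) -> bool:
        # Search only forward: counters below self.counter are never checked,
        # so a previously accepted (or skipped) code cannot be replayed.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1  # resynchronise past the accepted code
                return True
        return False


def demo() -> list:
    key = b"12345678901234567890"  # constructed sample key (RFC 4226 test secret)
    rx = Receiver(key)
    results = [rx.accept(hotp(key, 0))]               # normal press: accepted
    missed = hotp(key, 3)                             # presses 1-2 never reached the receiver
    results.append(rx.accept(missed))                 # inside the window: accepted
    results.append(rx.accept(missed))                 # same code again: rejected
    results.append(rx.accept(hotp(key, 2)))           # older, skipped code: rejected
    results.append(rx.accept(hotp(key, 4 + WINDOW)))  # beyond the window: rejected
    return results


if __name__ == "__main__":
    print(demo())
```

A rejected code leaves the stored counter unchanged, so failed attempts cannot push the receiver out of sync with the transmitter.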

Application in RF Remote Control
– A rolling code transmitter is used to improve the security of radio frequency (RF) transmission in a security system.
– The transmission consists of an interleaved trinary bit fixed code and rolling code.
– A receiver demodulates the encrypted RF transmission and recovers the fixed code and rolling code.
– The fixed and rolling codes are compared with stored codes and undergo algorithmic checks.
– If the codes pass the checks, a signal is generated to actuate an electric motor to open or close a movable component.

Rolling Code vs. Fixed Code RF Remote Control
– Remote controls send a digital code word to the receiver.
– Simple remote control systems use a fixed code word that remains the same over time.
– More sophisticated remote control systems use a rolling code that changes for every use.
– Rolling code systems use cryptographic methods to share codewords between the remote control and receiver.
– Rolling code systems make it difficult for attackers to break the cryptography and gain unauthorized access.

KeeLoq
– The Microchip HCS301 was widely used in garage and gate remote control systems.
– The HCS301 chip uses the KeeLoq algorithm.
– It transmits 66 data bits, with 34 bits not encrypted and 32 bits encrypted (the rolling code).
– The encrypted 32 bits include button information, OVR (used to extend counter value), DISC (discrimination value), and a 16-bit counter.
– KeeLoq has been shown to be vulnerable to various attacks and has been completely broken.

Rolljam Vulnerability
– A rolling code transmitted by radio signal can be vulnerable to falsification.
– In 2015, Samy Kamkar demonstrated a device that could capture a single keyless entry code for later use in unlocking a vehicle.
– The device blocks the vehicle’s reception of rolling code signals while recording the signals from the owner’s key fob.
– The recorded codes are replayed to the vehicle to unlock it.
– This vulnerability had been known for years but was previously undemonstrated.

Sources: https://en.wikipedia.org/wiki/Rolling_code