Jefferson's Wheel

Karsten Nohl is in the news again, this time for demonstrating how bad the proprietary crypto used for car immobilizers is. Here are a few articles:

• NewScientist, Criminals find the key to car immobilisers, 6 December 2010. (Note that the criminals in the title refers to evidence that actual car theft is increasing, after many years of steady decline, not to Karsten!)
• Schneier on Security, Proprietary Encryption in Car Immobilizers Cracked, 23 December 2010.
• The Register, Car immobilisers easily circumvented by crafty carjackers: Crap crypto to blame, 20 December 2010. (British publications as so much better at titling than American ones!)

Karsten presented the technical aspects in a talk at the 8th Embedded Security in Cars conference in Berlin.

Even if car manufacturers get the crypto right, relay attacks pose a serious threat, especially for modern cars that do away with the mechanical key completely. See the upcoming NDSS paper by Aurelien Francillon, Boris Danev, and Srdjan Capkun: Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars.

We’ve released our code and paper on efficient privacy-preserving biometric identification:

Yan Huang (University of Virginia), Lior Malka (Intel/University of Maryland), David Evans (University of Virginia), and Jonathan Katz (University of Maryland). Efficient Privacy-Preserving Biometric Identification. To appear in 18^th Network and Distributed System Security Conference (NDSS 2011), 6-9 February 2011. [PDF, 14 pages]

We present an efficient matching protocol that can be used in many privacy-preserving biometric identification systems in the semi-honest setting. Our most general technical contribution is a new backtracking protocol that uses the by-product of evaluating a garbled circuit to enable efficient oblivious information retrieval. We also present a more efficient protocol for computing the Euclidean distances of vectors, and optimized circuits for finding the closest match between a point held by one party and a set of points held by another. We evaluate our protocols by implementing a practical privacy-preserving fingerprint matching system.

Yan will present the paper at NDSS in February. The code for our system is available under the MIT open source license.

flickr cc: didbygraham