AN665
THE “HOPPING” ADVANTAGE
Password-based access control systems are very popular today, but the level of security they provide is often overestimated. Being basically a unidirectional transmission, a password-based system has two very important shortcomings which can lead to unauthorized access: the code is fixed, and the number of possible combinations is relatively low.
The growing speed of communication lines and the computing power of available systems increase the chance of a brute force attack or “code scanning.” The use of unsecure means of transmission, where code “grabbing” is possible (i.e., a typical modem connection over phone lines), can make the use of a fixed code highly undesirable. Note that these are the same situations that led to the introduction of the “code hopping” concept in the remote control market.
The basic idea is to have the access code change each time it is used, following a sequence in which the new codes cannot be predicted even knowing a very large number of previously used ones. Producing such a sequence requires the use of a solid encryption engine.
Microchip Technology is currently offering a broad range of encoders based on the proprietary KEELOQ code hopping technology. These encoders make producing a code hopping remote control easy, but, as we will see, they can also be conveniently used to add the hopping advantage to old password-based access control systems in a transparent way.
Using KEELOQ® to Generate Hopping Passwords
Author: Lucio Di Jasio
Arizona Microchip Technology, Italy
INTRODUCTION
The purpose of this application note is to demonstrate how KEELOQ® code hopping technology can be conveniently employed to implement an automatic code hopping password generator/keypad. Using a PIC12C508, the hopping code produced by an HCS300 is converted to a string of 16 hex digits. This string is then transferred to the PC via the keyboard line, thereby emulating the actual pressing of a sequence of keys on a standard PC/AT® keyboard. Since this conversion process is transparent to any application, it appears as if the user is simply typing on a PC/AT-type keyboard.
An ideal situation for implementing this application would be in creating a “super password” for general, access-control secure logins when transmitting information onto the internet (i.e., through a browser) or a Java applet.
FIGURE 1: HCS300 AND PIC12C508 PINOUT DIAGRAMS
[Figure 1 placeholder; pin assignments recovered from the figure]
HCS300 (8-pin): 1 S0, 2 S1, 3 S2, 4 S3, 5 VSS, 6 PWM, 7 LED, 8 VDD
PIC12C508 (8-pin): 1 VDD, 2 GP5/OSC1/CLKIN, 3 GP4/OSC2, 4 GP3/MCLR/VPP, 5 GP2/T0CKI, 6 GP1, 7 GP0, 8 VSS
KEELOQ is a registered trademark of Microchip Technology, Inc.
Microchip’s Secure Data Products are covered by some or all of the following patents:
Code hopping encoder patents issued in Europe, U.S.A., and R.S.A. — U.S.A.: 5,517,187; Europe: 0459781; R.S.A.: ZA93/4726
Secure learning patents issued in the U.S.A. and R.S.A. — U.S.A.: 5,686,904; R.S.A.: 95/5429
IBM PC-AT, IBM and AT are registered trademarks of International Business Machines Corporation
© 1997 Microchip Technology Inc.
DS00665A-page 1
INTRODUCTION TO KEELOQ ENCODERS
All KEELOQ encoders use the KEELOQ code hopping technology to make each transmission by an encoder unique. The encoder transmissions have two parts. The first part changes each time the encoder is activated; it is called the code hopping part and is encrypted. The second part is the unencrypted part of the transmission, principally containing the encoder serial number identifying it to a decoder.
The code hopping part contains function information, a discrimination value, and a synchronization counter. This information is encrypted by an encryption algorithm before being transmitted. A 64-bit encryption key is used by the encryption algorithm. If one bit in the data that is encrypted changes, the result is that an average of half the bits in the output will change. As a result, the code hopping part changes dramatically for each transmission and cannot be predicted.
The synchronization information is used at the decoder to determine whether a transmission is valid or is a repetition of a previous transmission. Previous codes are rejected to safeguard against code grabbers.
The HCS300 and HCS301 encoders transmit two overflow bits which may be used to extend the range of the synchronization counter from 65,536 to 196,608 button operations. The HCS300 and HCS301 encoders include provision for four bits of function information and two status bits in the fixed code portion of their transmission. The two status bits indicate whether a repeated transmission is being sent, and whether the battery voltage is low.
The Microchip HCSXXX encoders all have the ability to transmit a fixed seed. The seed value is programmed into the encoder when the encoder is first initialized, along with the counters, key, serial number, and other information. The seed length differs from encoder to encoder, with the HCS300 and HCS301 having a 32-bit seed.
FIGURE 2: KEELOQ ENCODER CODE WORD TRANSMISSION FORMAT
[Figure 2 placeholder: bit period waveforms for logic ‘0’ and logic ‘1’; the code word consists of the preamble (TP), header (TH), encrypted portion of transmission (THOP), fixed portion of transmission (TFIX) and guard time (TG).]
FIGURE 3: KEELOQ ENCODER CODE WORD ORGANIZATION
[Figure 3 placeholder. Fixed code data: button status (4 bits), VLOW and repeat status (2 bits), 28-bit serial number. Encrypted code data, encrypted using the block cipher algorithm: button status (4 bits), overflow bits (2 bits), discrimination bits (10 bits), 16-bit sync value. Overall: 2 bits of status + serial number and button status (32 bits) + 32 bits of encrypted data; the transmission direction is marked in the figure.]
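The following is an added worked example, not code from the application note or from Microchip, modelling the code word fields of Figure 3 and the decoder-side rule that previous (grabbed) codes are rejected. The KEELOQ block cipher is proprietary and is not modelled: the hopping half is carried in the clear so the field packing and the counter logic can be followed. Assumptions that the note does not state: the bit order inside each 32-bit half, a forward acceptance window of 16 counts, and that the dongle's 16 hex digits are the 32-bit fixed half followed by the 32-bit hopping half (the two status bits are left out).

```python
"""Code word fields and decoder-side replay rejection for a code hopping encoder.

Added worked example (not Microchip code). KEELOQ's block cipher is proprietary
and is NOT modelled: the "encrypted" half is carried in the clear so the field
logic and the counter check can be followed. ASSUMED, not stated in the note:
the bit order inside each 32-bit half, a forward acceptance window of 16 counts,
and that the dongle's 16 hex digits are the 32-bit fixed half followed by the
32-bit hopping half. The two status bits (VLOW, repeat) are left out."""

COUNTER_RANGE = 1 << 16             # 65,536 counts of the 16-bit sync value
EXTENDED_RANGE = 3 * COUNTER_RANGE  # 196,608 with the two overflow bits
WINDOW = 16                         # ASSUMED forward window for this example


def pack_hop(button, overflow, discrimination, sync):
    """ASSUMED layout of the 32-bit hopping half, MSB first:
    button (4) | overflow (2) | discrimination (10) | sync (16)."""
    if not (button < 16 and overflow < 4 and discrimination < 1024 and sync < COUNTER_RANGE):
        raise ValueError("field out of range")
    return (button << 28) | (overflow << 26) | (discrimination << 16) | sync


def unpack_hop(word):
    """Split the hopping half back into its fields (what a decoder sees after decryption)."""
    return {
        "button": (word >> 28) & 0xF,
        "overflow": (word >> 26) & 0x3,
        "discrimination": (word >> 16) & 0x3FF,
        "sync": word & 0xFFFF,
    }


def pack_fixed(serial, button):
    """ASSUMED layout of the 32-bit fixed half: button (4) | 28-bit serial number."""
    if not (serial < (1 << 28) and button < 16):
        raise ValueError("field out of range")
    return (button << 28) | serial


def to_hex_digits(fixed, hop):
    """The 16 hex digits the dongle types: fixed half, then hopping half (assumed order)."""
    return f"{(fixed << 32) | hop:016X}"


class Encoder:
    """Toy encoder: serial, discrimination value and an extended counter whose
    overflow beyond 65,536 is carried (simplified) as a 0..2 value in the overflow bits."""

    def __init__(self, serial, discrimination, start=0):
        self.serial = serial
        self.discrimination = discrimination
        self.count = start

    def transmit(self, button=1):
        """Returns (fixed_half, hopping_half) for one button press."""
        if self.count >= EXTENDED_RANGE:
            raise RuntimeError("synchronization counter exhausted")
        sync = self.count % COUNTER_RANGE
        overflow = self.count // COUNTER_RANGE
        self.count += 1
        hop = pack_hop(button, overflow, self.discrimination, sync)
        return pack_fixed(self.serial, button), hop


class Decoder:
    """Learned state for one encoder: its serial, the expected discrimination
    value and the extended counter of the last accepted transmission."""

    def __init__(self, serial, discrimination, last_count):
        self.serial = serial
        self.discrimination = discrimination
        self.last = last_count

    def accept(self, fixed, hop):
        if (fixed & 0x0FFFFFFF) != self.serial:
            return False                     # unknown encoder
        f = unpack_hop(hop)
        if f["discrimination"] != self.discrimination:
            return False                     # with a real cipher: wrong key or corrupt data
        extended = f["overflow"] * COUNTER_RANGE + f["sync"]
        delta = extended - self.last
        if 0 < delta <= WINDOW:              # strictly ahead of the last accepted count
            self.last = extended
            return True
        return False                         # replayed/grabbed code (delta <= 0) or too far ahead


def demo():
    """Walk the counter across the 65,536 boundary, then replay a grabbed code."""
    enc = Encoder(serial=0x0ABCDEF, discrimination=0x3EF, start=COUNTER_RANGE - 2)
    dec = Decoder(enc.serial, enc.discrimination, last_count=COUNTER_RANGE - 3)
    t1, t2, t3 = enc.transmit(), enc.transmit(), enc.transmit()
    live = [dec.accept(*t1), dec.accept(*t2), dec.accept(*t3)]
    replayed = dec.accept(*t2)           # grabbed earlier, sent again: rejected
    return live, replayed, to_hex_digits(*t3)


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the three properties the note relies on: the sync value wrapping from 0xFFFF to 0 while the overflow bits carry the count past 65,536, the 64-bit word rendered as 16 hex digits, and a previously used code being refused because its counter is not ahead of the last accepted one.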
FIGURE 4: HCS300 BLOCK DIAGRAM
[Figure 4 placeholder: oscillator, reset circuit, LED driver (LED pin), controller, power latching and switching, EEPROM, encoder, 32-bit shift register (PWM output), button input port (S0–S3), VDD, VSS.]
The IBM PC-AT® Keyboard Protocol
IBM® was the first to introduce the synchronous serial protocol most of today’s PC-ATs use to communicate with a keyboard. This now-standard, 5-pole shielded connector (Figure 5) carries the clock line, data line, ground, and +5V power supply in order to transmit data bidirectionally between the keyboard and the PC.
Typically, data travelling from the keyboard to the PC consists of key press or key release information. However, some configuration data (i.e., repeat, delay, and rate) can flow in the opposite direction, for example during a system boot. The keyboard drives the clock line using open collector drivers. To disable the keyboard, the PC can keep the clock line low. If the data line is held low by the PC while the clock line is high, the computer is transmitting a request to send, and the keyboard goes into receive mode. The keyboard is only allowed to send data when both the clock line and data line are high.
FIGURE 5: STANDARD 5-POLE CONNECTOR
[Figure 5 placeholder; pin assignment: 1 = Clock, 2 = Data, 3 = GND, 4 = GND, 5 = +5V]
FIGURE 6: AT® KEYBOARD PROTOCOL
[Figure 6 placeholder: timing diagram of the 11 keyboard clock pulses (1…11). Keyboard data: start bit, LSB…MSB, parity, stop bit. PC data: start bit, LSB…MSB, parity, stop bit, which the keyboard pulls low.]
Keyboard Transmission
The keyboard pulls the data line low (start bit) and starts the clock. The eight data bits (least significant bit first) are shifted out, followed by the parity bit (odd) and the stop bit (high). Data is valid after the falling edge of the clock and changes after the rising edge of the clock. If no data is transmitted, both the clock line and data line are high. If the computer pulls the clock line low for at least 60 µs before the tenth bit is transmitted, the keyboard stops the transmission and stores the aborted data in a buffer for retransmission at a later time.
Key Press/Release Encoding
A key press is communicated to the PC by sending a scan code. Table 1 lists the scan codes corresponding to keys ‘0’…‘F’. A key release is communicated by sending the break code (0F0 hex), followed by the previous scan code.
TABLE 1: SCAN CODES
Key    Code (hex)
‘0’    45
‘1’    16
‘2’    1E
‘3’    26
‘4’    25
‘5’    2E
‘6’    36
‘7’    3D
‘8’    3E
‘9’    46
‘A’    1C
‘B’    32
‘C’    21
‘D’    23
‘E’    24
‘F’    2B
Keyboard Receiving
The computer pulls the data line low (start bit), after which the keyboard starts to shift out 11 clock pulses within 15 ms. Transmission has to be completed within 2 ms. Data from the computer changes after the falling edge of the clock line, and is valid before the rising edge of the clock. After the start bit, eight data bits (least significant bit first), followed by the parity bit (odd), and the stop bit (high) are shifted out by the computer with the clock signal provided by the keyboard. The keyboard pulls the stop bit low in order to acknowledge the receipt of the data. If a transmission error occurs (parity error or similar) the keyboard issues a “RESEND” command to the PC.
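The following is an added example, not the application note's PIC12C508 firmware, that models the keyboard frames described in the preceding sections at the bit level: the 11-bit frame (start bit, eight data bits LSB first, odd parity, stop bit) for each make and break scan code of a 16-hex-digit password, the PC sampling data on the falling edge of the clock, and the keyboard-side check that turns a parity error into a RESEND. Scan codes are taken from Table 1; the clock/data sample model is a simplification of the timing diagram in Figure 6.

```python
"""Bit-level model of the AT keyboard frames an emulated keyboard clocks out.

Added example, not Microchip's PIC12C508 firmware. Scan codes are those of
Table 1 (set 2 make codes); the wire-sample model is a simplification of the
timing in Figure 6."""

SCAN_CODE = {
    "0": 0x45, "1": 0x16, "2": 0x1E, "3": 0x26, "4": 0x25, "5": 0x2E,
    "6": 0x36, "7": 0x3D, "8": 0x3E, "9": 0x46, "A": 0x1C, "B": 0x32,
    "C": 0x21, "D": 0x23, "E": 0x24, "F": 0x2B,
}
BREAK_CODE = 0xF0      # key release: F0 followed by the key's make code


def odd_parity(byte):
    """Parity bit chosen so the eight data bits plus parity hold an odd number of ones."""
    return 0 if bin(byte).count("1") % 2 == 1 else 1


def frame(byte):
    """The 11 bits in wire order: start (0), d0..d7 (LSB first), parity, stop (1)."""
    return [0] + [(byte >> i) & 1 for i in range(8)] + [odd_parity(byte), 1]


def key_bytes(text):
    """Scan code bytes for pressing and then releasing each key of text in turn."""
    out = []
    for ch in text.upper():
        code = SCAN_CODE[ch]
        out += [code, BREAK_CODE, code]     # make, then break = F0 + make
    return out


def keyboard_bitstream(text):
    """Every bit the emulated keyboard shifts out for text (all makes and breaks)."""
    return [bit for byte in key_bytes(text) for bit in frame(byte)]


def wire_samples(bits):
    """(clock, data) pairs: data changes while the clock is high (after the rising
    edge) and is valid at the falling edge, where the PC samples it."""
    samples = []
    for bit in bits:
        samples.append((1, bit))   # data line set while clock is high
        samples.append((0, bit))   # falling edge: PC reads the bit
    return samples


def pc_reads(samples):
    """What a receiver sampling on each falling edge recovers from the wire."""
    return [data for clock, data in samples if clock == 0]


def decode_frame(bits):
    """Check one 11-bit frame as the keyboard does for a host frame (and as the
    PC does for a keyboard frame). Returns the byte, or raises ValueError where
    the keyboard would answer with RESEND."""
    if len(bits) != 11 or bits[0] != 0 or bits[10] != 1:
        raise ValueError("framing error")
    byte = sum(bit << i for i, bit in enumerate(bits[1:9]))
    if bits[9] != odd_parity(byte):
        raise ValueError("parity error: keyboard would send RESEND")
    return byte


def frames_to_bytes(bits):
    """Split a stream of whole frames back into bytes."""
    return [decode_frame(bits[i:i + 11]) for i in range(0, len(bits), 11)]


if __name__ == "__main__":
    password = "10ABCDEF17EF0000"          # constructed 16-hex-digit sample
    bits = keyboard_bitstream(password)
    print(len(bits), "bits,", [hex(b) for b in frames_to_bytes(bits)][:6], "...")
```

For a 16-digit password the dongle clocks out 16 × 3 bytes × 11 bits = 528 bits, which is what `keyboard_bitstream` returns; the stop bit stays high in the keyboard-to-PC direction, while `decode_frame` models the checks a receiver applies before accepting a byte.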
Proposing a Demo Keypad/Dongle Implementation
The password generator fits between the keyboard and the PC. A 5-pin plug connects to the PC, supplying power to our device, and the keyboard plugs into the 5-pin socket (Figure 7). The clock and data lines are passed between the PC and keyboard, allowing normal keyboard operation. When S1 is activated, the PIC12C508 receives the new message (16 hex digits) produced by the KEELOQ HCS300 Encoder. The PIC12C508 will then emulate the keyboard, sending the appropriate sequence of key press and key release messages to the PC. To prevent the keyboard from interpreting this transmission as a ‘request to send’ from the PC, it is necessary to isolate the keyboard from the clock line and data line during the transmission.
The KEELOQ HCS300 Encoder can be part of the dongle or can be removable, like a key, in order to allow different encoders with different encryption keys or serial numbers to be easily exchanged.
Power consumption has to be the lowest possible in order not to excessively load the line. Size and component count should also be kept to the minimum possible in order to allow for a very small package. Ideally, the whole circuit should fit into the small gap between the two connectors.
In the implementation we are proposing, an HCS300 KEELOQ code hopping encoder is used together with a PIC12C508 microcontroller. For simplicity, a standard CMOS quadruple switch (4066) is used to alternately connect either the dongle or the keyboard to the PC line. The HCS300 and the PIC12C508 (both available in 8-pin DIP or SOIC packages) draw extremely low currents and internally produce the clock required to operate the dongle. Besides a couple of pull-up resistors required for the clock line and data line, no other components are required to obtain a fully functional hopping password dongle (Figure 7).
FIGURE 7: KEYPAD/DONGLE SCHEMATIC
[Figure 7 placeholder; labels recovered from the schematic: PC keyboard socket (pins 1, 2, 3, 5) on one side and the keyboard plug (pins 1, 2, 3, 5) on the other; 5V supply with two 5K6 pull-up resistors, a 100 nF capacitor and a 1K resistor; HCS300 (S0 1, S1 2, S2 3, S3 4, VSS 5, PWM 6, LED 7, VDD 8); PIC12C508 (VDD 1, LED 2, HCSIN 3, NU 4, SWITCH 5, DATA 6, CLK 7, VSS 8); 4066 CMOS switch (pins 1–4, GND on pins 5 and 13).]