
  2. 4

    Still waiting for Firefox to support U2F and for Chromium to not crash on OpenBSD when using U2F.

    1. 2

      > The security level is about the same as a modern car key.

      What does that mean?

      1. 2

        What a very strange statement. The electronic elements of a modern car key are proprietary and undocumented, although the wireless fob is clearly doing some form of crypto challenge-response, which is at least the same general category of authentication that U2F does.

        The physical component of a car key has 10^4 possible combinations, as you’ll learn if you ever replace one. On many cars, though, the lock will not accept the physical key unless it is also able to authenticate via a small chip embedded near the head of it. This, also, is proprietary and undocumented, and it’s unclear whether it’s authenticating the specific user, or simply authenticating that the key was cut from one of that manufacturer’s official blanks. The latter seems more likely, since the four decimal digits are sufficient to have any licensed shop make a replacement key, as long as you don’t also want the wireless fob - so any user-specific part of the digital authentication can’t be stronger than that.

        That says nothing about the strength of the wireless fob, though.

        So, one could pessimistically say that the quoted statement is suggesting that the security is quite weak! But I think it was probably only intending to suggest that both are challenge-response authentication - the same strategy, not necessarily a similar bit strength. I’d imagine the only people who know what the security level of a modern car key is are experienced car thieves.

        1. 2

          From their wiki (hosted on the GitHub):

          > So the threat model is similar to a modern car key in that it cannot be duplicated but could physically be stolen.