Hi barleyguy, while I agree with you that the very advanced keyfobs, have two-way communication, and can thus performe a "handshake", as you describe.
Most keyfobs will however only use one-way communication.
----
The very simple versions simply send out a number.
Some garage door openers may still use this method. This makes them rather easy to copy/hack.
All you need to do, is be close by, and listen on the right frequency, and pick up the number, and at any later time you can send that number, and the garage door will open.
On these very simple systems, it is also possible to have a device that will simply blast all numbers/keys.
And within a few seconds (or a minute or so) you may see several garage doors (all the way down the street) opening.
So this method is no longer used in cars. It will only be used in very inexpensive garage door systems, or super low cost after-marked motorcycle/scooter alarms.
----
The slightly more advanced one-way-communication keyfobs will use a method with a 'rolling key'.
So both the keyfob and the receiver (the door) will contain a long sequence/list of keys. There will typically be a sequence of 1000-8000 keys. And this list will be stored in both the keyfob and the door. This way only about 1000-8000 keys out of possibly a 100 million (or more) keys, can be used.
So the method where you simply send all keys, will take way too long. So the very simple attack can not be done, within a reasonable length of time.
Some keyfobs may also have a limit to how many keys a door will try out every hour. So maybe 1000 keys an hour. So even if the car is a very crowded carpark, where dozens of people open their doors, this safety feature will not prevent the right keyfob to open the door.
Either way, both the keyfob and the door will keep track of which key, from the list, was used last time.
As you might however randomly press the keyfob butten, while being away from the car, and thus be a little ahead in the list, compared to what the door expects, then the door will actually check the next 250 keys. To see if it was one of those keys that the keyfob did send. And then open the door.
After a successul opening, then the door and the keyfob has again synchronized which key was used last time.
If a hacker/thief can however listen in on the sending of a key from the keyfob, and prevent that key to be received by the door, then the hacker has a usable key stored.
And since the car door did not open when you pressed the keyfob, then you may press again to send the next key. And if the hacker can interfere again, then the hacker now has two keys stored.
If the hacker then sends the first key, the door will open, and the hacker still has the second key in store for later use.
So even though this keyfob is only a one-way communication, it is still quite difficult (not impossible, but still difficult), to 'break'/hack this method.
And thus this method a rolling-key, has been used for decades. And by now, the chips are very, very cheap.
----
Producing/developing hacker gadgets that out-of-the box, can be used to intercept the rolling-key-method, has however also become very inexpensive to produce. So by now, such devices are available on the underground-markets.
Another "weakness" in this method is the secret list of those 1000-8000 selected keys that are (somewhat) unique to each keyfob/door combination.
If an organization could somehow get access to those lists, then it would pose one more angle of attack.
---
Also, a dealership needs to have a method to deal with those "secret" lists, each time they make a set of keys/keyfobs for a car.
Usually the safety here is, that the dealer needs to plug-in, somewhere inside the car (and have the keyfob in hand), in order to do the initial sync of the listes between a new keyfob and a car/door.
But again, an organization might find a weak point in the dealer system, and take advantage, so they can randomly open car doors.
---
And thus it somewhat becomes an arms race, of how to continue to securely produce and distribute one-way-communication keyfobs (adding new simple tweaks to the rolling-key method), without organizations finding ways to intercept.
Because one-way-communication keyfobs are still so lovely inexpensive to produce and use.
