Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device!


#1 2012-03-24 22:34:58

spookyman166
Member
Registered: 2011-06-20
Posts: 15

Mifare 4k Being emulated by SmartMX

Hi there,

I have a Mifare SmartMX card that is emulating a Mifare Classic 4K. I tried to run it with MFOC but it fails. This is due to the card requiring AES Auth.
Is there any way to sniff the keys with a proxmark?


#2 2012-03-25 09:19:42

rule
Administrator
Registered: 2008-05-21
Posts: 410

Re: Mifare 4k Being emulated by SmartMX

It doesn't work since the Pseudo Random Number Generator (PRNG) is better, with 32 bits of entropy instead of only 16 bits. It has nothing to do with AES (keys).

And yes, you can recover the (MIFARE Classic) key the same as before, within milliseconds computation after eavesdropping only one authentication trace.


#3 2012-04-22 07:37:13

spookyman166
Member
Registered: 2011-06-20
Posts: 15

Re: Mifare 4k Being emulated by SmartMX

So now it's only a matter of computational complexity to retrieve the keys?

Would it be possible with a beowulf or such type cluster?


#4 2012-05-18 18:53:11

merlok
Contributor
Registered: 2011-05-16
Posts: 108

Re: Mifare 4k Being emulated by SmartMX

Just sniff a successful authentication and you have the keys.


#5 2012-06-04 01:50:34

spookyman166
Member
Registered: 2011-06-20
Posts: 15

Re: Mifare 4k Being emulated by SmartMX

Merlok, is there any way to do this without a proxmark? I can't afford 300USD for one. I do have a SCM 3711 reader. Could I somehow get it to sniff for me?


#6 2012-06-04 20:26:17

rule
Administrator
Registered: 2008-05-21
Posts: 410

Re: Mifare 4k Being emulated by SmartMX

You can set the SCM 3711 into a tag emulation mode and force it to receive multiple frames (for eavesdropping). The features are mostly available through libnfc. With this you could eavesdrop a reader challenge. Then you need the reader answer (aR) which still contains the original encrypted 32-bit successor of nT, generated by the 16-bit weak tag-PRNG. Using the eavesdropped nR and aR and some mild computation (<2^32) you should be able to recover the key.

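The entropy difference that posts #2 and #6 turn on (a 16-bit tag PRNG versus 32 bits of real entropy) can be made concrete with a small model. The following is an added example, not code from this thread or from the Proxmark project: it implements the published 16-bit LFSR (feedback polynomial x^16 + x^14 + x^13 + x^11 + 1) behind MIFARE Classic tag nonces, shows that the second half of such a nonce is fully determined by the first half, and gives a check that a defender can run over nonces collected from their own cards to tell the weak generator from a full-entropy one. The packing of a 32-bit nonce as (current state, state 16 clocks later) is this model's own convention and is assumed, not the over-the-air byte order.

```python
"""Model of the 16-bit MIFARE Classic tag nonce LFSR and a weak-PRNG check.

Added example, not code from the thread or the Proxmark project. The
feedback polynomial x^16 + x^14 + x^13 + x^11 + 1 is the published one; the
nonce packing (state, state after 16 clocks) is an assumption of this model.
"""
import secrets

LFSR_BITS = 16
LFSR_MASK = (1 << LFSR_BITS) - 1


def lfsr16_step(state: int) -> int:
    """Clock the 16-bit Fibonacci LFSR once (shift right, feedback into bit 15).

    Taps at bits 0, 2, 3 and 5 correspond to x^16 + x^14 + x^13 + x^11 + 1.
    """
    fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return ((state >> 1) | (fb << (LFSR_BITS - 1))) & LFSR_MASK


def lfsr16_successor(state: int, n: int) -> int:
    """State reached after n clocks."""
    for _ in range(n):
        state = lfsr16_step(state)
    return state


def weak_nonce(state: int) -> int:
    """32-bit nonce from a 16-bit LFSR state: (state, state after 16 clocks).

    Only the 16-bit seed is free, so the nonce has 16 bits of entropy at most.
    """
    state &= LFSR_MASK
    return (state << 16) | lfsr16_successor(state, 16)


def is_lfsr16_nonce(nonce: int) -> bool:
    """True when the low half of the nonce is the LFSR successor of the high half.

    A nonce from the 16-bit generator always passes; a nonce with 32 bits of
    entropy passes only by chance, with probability 2**-16.
    """
    hi, lo = nonce >> 16, nonce & 0xFFFF
    return lfsr16_successor(hi, 16) == lo


def lfsr16_period(seed: int = 1) -> int:
    """Clocks until the register returns to its seed.

    For a primitive polynomial this is 65535: the register visits every
    non-zero state, so the card can only ever produce 65535 distinct nonces.
    """
    state = lfsr16_step(seed)
    n = 1
    while state != seed:
        state = lfsr16_step(state)
        n += 1
    return n


def classify_card(nonces) -> str:
    """Classify a sample of nonces read from one card.

    Every sample passing the successor check points at the 16-bit generator;
    a single failure shows a generator that is at least not that LFSR.
    """
    if all(is_lfsr16_nonce(n) for n in nonces):
        return "weak-prng"
    return "not-16bit-lfsr"


if __name__ == "__main__":
    # Constructed samples: one card modelled with the weak LFSR, one with a
    # full 32-bit random generator (the behaviour the thread attributes to
    # the SmartMX emulation).
    weak_card = [weak_nonce(s) for s in (0x1234, 0xBEEF, 0x0001)]
    strong_card = [secrets.randbits(32) for _ in range(3)]
    print("LFSR period:", lfsr16_period())
    print("weak card:", classify_card(weak_card))
    print("strong card:", classify_card(strong_card))
```

Three or four nonces are enough to classify a card: a full-entropy generator fails the successor check on its first sample with probability 1 - 2^-16, while the weak generator never fails it. The period function makes the other half of the point: with only 65535 reachable states, a Classic-style tag repeats nonces quickly, which is what a card with a 32-bit generator avoids.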

#7 2012-06-05 21:22:06

edo1
Contributor
Registered: 2012-05-02
Posts: 18

Re: Mifare 4k Being emulated by SmartMX

roel wrote:

You can set the SCM 3711 into a tag emulation mode and force it to receive multiple frames (for eavesdropping). The features are mostly available through libnfc. With this you could eavesdrop a reader challenge

Can you provide more details on how to do this?

Another question:
A PN53x-based reader can listen to only one side (reader or card), while the Proxmark3 can eavesdrop on both. Right?


#8 2012-06-06 12:51:44

vivat
Contributor
Registered: 2010-10-26
Posts: 321

Re: Mifare 4k Being emulated by SmartMX

You can't listen to the data sent over the air using libnfc. You can perform a MITM attack using two libnfc readers by relaying the frames.
Genuine reader<=>First LibNFC reader set into relay mode<=>PC<=>Second LibNFC reader set into relay mode<=>Genuine tag
It's very important to comply with the timings!
Proxmark3 can passively listen to communication between reader and tag.


#9 2012-06-06 19:07:20

YoungJules
Member
Registered: 2012-01-29
Posts: 41

Re: Mifare 4k Being emulated by SmartMX

> Just sniff a successful authentication and you have the keys.

Also very interested in getting a few more details... I have a proxmark, a SmartMX card to test with, and a healthy dose of curiosity...


#10 2012-06-06 22:55:09

edo1
Contributor
Registered: 2012-05-02
Posts: 18

Re: Mifare 4k Being emulated by SmartMX

vivat wrote:

You can't listen to the data sent over the air using libnfc.

AFAIK it is possible to eavesdrop using libnfc, but no one has published the source code yet.


#11 2012-06-07 05:40:59

spookyman166
Member
Registered: 2011-06-20
Posts: 15

Re: Mifare 4k Being emulated by SmartMX

roel wrote:

You can set the SCM 3711 into a tag emulation mode and force it to receive multiple frames (for eavesdropping). The features are mostly available through libnfc. With this you could eavesdrop a reader challenge. Then you need the reader answer (aR) which still contains the original encrypted 32-bit successor of nT, generated by the 16-bit weak tag-PRNG. Using the eavesdropped nR and aR and some mild computation (<2^32) you should be able to recover the key.

Roel, can you please go into a bit more detail on how this is achieved?

Does source code exist for forcing the SCM into tag emulation and receiving multiple frames?

What would be the complexity of the method required to do the computation? Like if it takes 1 second per computation then that's more than 136 years. (Ideally it would have to be a fast computation, possibly a max time of 0.001 seconds, and that would take around 50 days of crunching. Perhaps one could rent some cloud time and plough through in an hour or so... ideally the computation would take only 0.0001 seconds, and be done in 5 days. But maybe it can be run on a GPU, which could increase the number of computations. Would it be a more complex computation than, for example, mining bitcoins? I can get around 2.6m hashes a second on my netbook GPU.)

The recovered key, would that be the session key or the actual key the card uses in operation (i.e. doesn't change)?
