Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

#1 2009-02-28 07:27:45

rfider
Member
Registered: 2009-01-04
Posts: 15

anyone decrypted the trace on the paper

              Initialization values
         UID: c2  a8  2d  f4
         KEY: xx  xx  xx  xx  xx  xx

              Mifare Classic trace, []=Encrypted
    Auth(30): 60 30 76 4a
          Nt: 42 97 c0 a4
    [Nr,Nt']: 7d db 9b 83 67 eb 5d 83
      [Nt'']: 8b d4 10 08

I want to know what is the secret key and nonce of reader.

anyone can recover it?

Offline

#2 2009-03-01 17:56:57

rule
Member
Registered: 2008-05-21
Posts: 417

Re: anyone decrypted the trace on the paper

Well you can just fill the values in the test2.c code that I posted in this message:
http://www.proxmark.org/forum/viewtopic … d=404#p404

uint32_t uid                = 0xc2a82df4;
uint32_t tag_challenge      = 0x4297c0a4;
uint32_t nr_enc             = 0x7ddb9b83;
uint32_t reader_response    = 0x67eb5d83;
uint32_t tag_response       = 0x8bd41008;

And the key rolls out:

./test2
nt': 90f14a44
nt'': f367ce41
ks2: f71a17c7
ks3: 78b3de49
Found Key: [d8 48 69 42 ee d3]

I hope this helps, it has now succesfully recovered the MIFARE Classic key from your info.

Offline

#3 2009-03-01 21:42:23

joker
Contributor
Registered: 2008-11-17
Posts: 34

Re: anyone decrypted the trace on the paper

he also asked for

ks1: a85761de
nr: d58cfa5d

Last edited by joker (2009-03-01 22:13:28)

Offline

#4 2009-03-01 22:18:59

rule
Member
Registered: 2008-05-21
Posts: 417

Re: anyone decrypted the trace on the paper

Aaah, sorry, I understand. Thanks for helping!

Offline

#5 2009-03-01 22:24:18

joker
Contributor
Registered: 2008-11-17
Posts: 34

Re: anyone decrypted the trace on the paper

It's curious though because the nr, doesn't seem to be generated by the 16bit prng. Would the reader in this case be using 32bit entropy nonces, or am i just verifying it incorrectly.

Offline

#6 2009-03-01 22:31:38

rule
Member
Registered: 2008-05-21
Posts: 417

Re: anyone decrypted the trace on the paper

You are totally right. The reader nonce generated for example by the RC632 chip has an
entropy of >16 bits (maybe even the full 32 bits).

We could not found a simple LFSR structure in the samples we have taken.
Interesting though is that the it iterates by invocations in stead of a looping timer (like the tag-nonces).
This means that when you re-power-up the reader-chip you will get the same sequence of nonces.

Secondly this means that the following quote from the paper Cryptanalysis of Crypto-1 seems incorrect!

Our attack assumes that we can recover the first bit of the key stream.
This bit is combined with a random bit that is generated on the reader.
We have shown previously that the random numbers are known to an attacker
since they are generated deterministically [3]. The attacker needs knowledge of a single key that can,
for example, be found using a brute-force attack on the entire key space. Once one key is known,
an attacker can learn enough about a given reader to predict the random numbers it will generate,
so any number of keys can be recovered using our statistical attack.

The proposed attack in this paper seems not to be as easy feasible as described.

Offline

#7 2009-03-15 19:03:48

touf
Contributor
Registered: 2008-12-11
Posts: 27

Re: anyone decrypted the trace on the paper

Joker, how do you get Ks1 and Nr ?

can you also explain me the way to get Ks4 & Ks5 ?

Offline

#8 2009-03-16 12:54:34

joker
Contributor
Registered: 2008-11-17
Posts: 34

Re: anyone decrypted the trace on the paper

i really don't see why you are interested in Nr but hey...

adjusting roel's demo code

// Test-file: test2.c
#include "crapto1.h"
#include <stdio.h>

int main (void)
{
  struct Crypto1State *revstate;
  uint64_t lfsr;
  unsigned char* plfsr = (unsigned char*)&lfsr;

  uint32_t uid                = 0xc108416a;
  uint32_t tag_challenge      = 0xabcd1949;
  uint32_t nr_enc             = 0x59d5920f;
  uint32_t reader_response    = 0x15b9d553;
  uint32_t tag_response       = 0xa79a3fee;
  uint32_t ks2                = reader_response ^ prng_successor(tag_challenge, 64);
  uint32_t ks3                = tag_response ^ prng_successor(tag_challenge, 96);
+uint32_t ks4,ks5, ks1, nr;

  printf("nt': %08x\n",prng_successor(tag_challenge, 64));
  printf("nt'': %08x\n",prng_successor(tag_challenge, 96));

  printf("ks2: %08x\n",ks2);
  printf("ks3: %08x\n",ks3);

  revstate = lfsr_recovery(ks2, ks3);


+ks4 = crypto1_word(revstate,0,0);
+ks5 = crypto1_word(revstate,0,0);
+lfsr_rollback(revstate, 0, 0);
+lfsr_rollback(revstate, 0, 0);

  lfsr_rollback(revstate, 0, 0);
  lfsr_rollback(revstate, 0, 0);
  lfsr_rollback(revstate, nr_enc, 1);
+ks1= crypto1_word(revstate, nr_enc, 1);
+nr = nr_enc ^ ks1;
+lfsr_rollback(revstate, nr, 0);
  lfsr_rollback(revstate, uid ^ tag_challenge, 0);
  crypto1_get_lfsr(revstate, &lfsr);
  printf("Found Key: [%02x %02x %02x %02x %02x %02x]\n\n",plfsr[0],plfsr[1],plfsr[2],plfsr[3],plfsr[4],plfsr[5]);

  return 0;
}

Offline

#9 2009-03-17 07:41:03

touf
Contributor
Registered: 2008-12-11
Posts: 27

Re: anyone decrypted the trace on the paper

i just want to understand the all thing :-)

thanks a lot joker

Offline

Pages: 1

Board footer

Powered by FluxBB