Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi,
nice board with good information!
I just entered the area of RFID so I have a question.
With my test app and crypto1 2.4 I can get the same results as this post:
http://www.proxmark.org/forum/post/143/#p143
The value Nt is right after 32 bits of Auth(xx).
But I still don't know how to get the numbers Nt', Nt'' and Nr.
Where do they come from, or how are they calculated?
I'm sure there is somewhere a description about it but I didn't find it yet!
thx for help and info!
Ok,
I found some pdf's to read.
My situation now is that I have a tag which uses the standard KeyA/B A0 A1 A2 A3 A4 A5, B0 B1 B2 B3 B4 B5 for most of the sectors.
But for one sector KeyA: A0 A1 A2 A3 A4 A5 and KeyB is unknown.
With KeyA I can only read blocks 0 & 3; blocks 1 & 2 are only readable/writable with KeyB.
Access bits 1E 11 EE:
Block 0: MOD4: Read: KeyA|B, Write: KeyB, Increment: -, Decrement: -
Block 1: MOD3: Read: KeyB, Write: KeyB, Increment: -, Decrement: -
Block 2: MOD3: Read: KeyB, Write: KeyB, Increment: -, Decrement: -
SectorTrailer MOD3: KeyA: w-KeyB, AccessBits: r-KeyA|B w-KeyB, KeyB: w-KeyB
What is here the best method to recover these two blocks?
Would it be the nested authentication attack?
Or log an original login with KeyB.
Reproduce the random response of the tag with my reader, send the recorded encrypted authentication and then modify the access bits so that KeyA can be used to read/write?
But I can't encrypt my write-4-byte command.
I can't write 16 bytes because of unknown KeyB.
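The per-block permissions listed above are derived by hand from the three access bytes 1E 11 EE. The following is an added example, not code from this thread or from the Proxmark3 project, that decodes any MIFARE Classic sector-trailer access bytes (bytes 6..8) into the same per-block conditions, checks the inverted-nibble copies for corruption, and flags whether Key B is actually usable for authentication (a readable Key B is just data); the table values are the standard data-block and trailer access conditions from the MIFARE Classic datasheet.

```python
# Added example: decode MIFARE Classic access bits into per-block permissions.
# Key: "A|B" = either key, "A" / "B" = that key only, "-" = never.

# (C1, C2, C3) -> (read, write, increment, decrement/transfer/restore) for data blocks 0..2
DATA_BLOCK = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),
    (0, 1, 0): ("A|B", "-",   "-",   "-"),
    (1, 0, 0): ("A|B", "B",   "-",   "-"),
    (1, 1, 0): ("A|B", "B",   "B",   "A|B"),
    (0, 0, 1): ("A|B", "-",   "-",   "A|B"),
    (0, 1, 1): ("B",   "B",   "-",   "-"),
    (1, 0, 1): ("B",   "-",   "-",   "-"),
    (1, 1, 1): ("-",   "-",   "-",   "-"),
}
# (C1, C2, C3) -> (KeyA write, access-bits read, access-bits write, KeyB read, KeyB write)
TRAILER = {
    (0, 0, 0): ("A", "A",   "-", "A", "A"),
    (0, 1, 0): ("-", "A",   "-", "A", "-"),
    (1, 0, 0): ("B", "A|B", "-", "-", "B"),
    (1, 1, 0): ("-", "A|B", "-", "-", "-"),
    (0, 0, 1): ("A", "A",   "A", "A", "A"),   # transport configuration (FF 07 80)
    (0, 1, 1): ("B", "A|B", "B", "-", "B"),
    (1, 0, 1): ("-", "A|B", "B", "-", "-"),
    (1, 1, 1): ("-", "A|B", "-", "-", "-"),
}


def decode_access_bits(hex3: str) -> dict:
    """Decode trailer bytes 6..8 (e.g. "1E 11 EE") into {block: permissions}."""
    b6, b7, b8 = bytes.fromhex(hex3.replace(" ", ""))
    c1 = (b7 >> 4) & 0xF          # byte 7 high nibble: C1 for blocks 3..0
    c2 = b8 & 0xF                 # byte 8 low nibble:  C2 for blocks 3..0
    c3 = (b8 >> 4) & 0xF          # byte 8 high nibble: C3 for blocks 3..0
    # The other nibbles hold bit-inverted copies; a mismatch means a corrupt trailer,
    # which the tag treats as an irreversibly locked sector.
    if (~b6 & 0xF) != c1 or ((~b6 >> 4) & 0xF) != c2 or (~b7 & 0xF) != c3:
        raise ValueError("access bits fail the inverted-nibble check")
    out = {}
    for blk in range(4):
        bits = ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1)
        if blk < 3:
            r, w, inc, dec = DATA_BLOCK[bits]
            out[blk] = {"read": r, "write": w, "inc": inc, "dec": dec}
        else:
            ka_w, ab_r, ab_w, kb_r, kb_w = TRAILER[bits]
            out[blk] = {"keyA_write": ka_w, "acc_read": ab_r, "acc_write": ab_w,
                        "keyB_read": kb_r, "keyB_write": kb_w,
                        "keyB_usable_for_auth": kb_r == "-"}  # readable Key B cannot authenticate
    return out
```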
Did you try these default keys: ffffffffffff a0a1a2a3a4a5 b0b1b2b3b4b5 4d3a99c351dd 1a982c7e459a 000000000000 d3f7d3f7d3f7 aabbccddeeff? It might be the case that KeyB is one of them.
2- send an auth() request 0x61 [sector] [CHECK]
Did you mean 0x6? [block] [crc-byte1] [crc-byte2]
Where ? (Key) = (1 for A) and (2 for B)
@phadom
thx, but no key fits!
@roel
0x6X 0xYY 0xZZ 0xZZ
X: 0...KeyA, 1...KeyB
YY: Block number
ZZ ZZ: two bytes checksum
@hat
thx for this info!
Do you mean I can do the second authentication also with a "dummy" key like FF FF FF FF FF FF? Is just the encrypted NT the primary target?
So I don't need the genuine reader and can do the tests offline.
After 0x61 0xYY 0xZZ 0xZZ the next 4 bytes are a new encrypted NT.
But I have almost no idea how to calculate the key from these encrypted NTs. Can this also be done with crapto?
I used the latest version 2.4 for my test app. Is there any practical application example for this?
I have an RFID reader/writer with the PN53x chip.
Does somebody have info on what registers have to be set to use the reader to sniff?
Do you mean I can do the second authentication also with a "dummy" key like FF FF FF FF FF FF? Is just the encrypted NT the primary target?
So I don't need the genuine reader and can do the tests offline.
Basically, once you know the key for one sector, call it the exploit sector, you can launch a nested auth attack. What you do is first authenticate successfully for that exploit sector and then, without breaking the communication, authenticate sequentially for a sector whose key you don't know. The tag will reply with a new nT (nonce) that is, however, encrypted with the new key. Now, because of the parity weakness in MIFARE and the fact that all the nonces are 2^16 (^ is power, not xoring), you can start cutting down the list of valid nonces that generated that parity. You can then roll back the register in order to get the keys that could generate the encrypted nonce. Repeating the process again and comparing the two lists will usually give you the key.
Another variation is to use timing and nonce distance, since the nonces are quite predictable and you can calculate what the next nonce will be.
LoL hat, I was just remembering a confused moment where I also mixed notations, using sectors instead of blocks.
Thanks again!
I had already taken a look at the nfclib source.
Haven't tried it yet, but it looks like I can modify the nfc-anticol source to also send an encrypted key.
Just to understand:
After I have successfully done one authentication, I have to send the second auth request (0x6X 0xYY + CRC) encrypted too, don't I?
Because the first 0x6X 0xYY + CRC gets sent in plain.
Also a question about the nested procedure: which keys get recovered? KeyA or KeyB or both?
Because for the sector I have only KeyA (first auth) and will ask for a second encrypted NT for the same block.
Last edited by schwa226 (2009-09-22 11:42:46)
Given *ANY* key you can find *ANY* other key of the card.
This sort of thing makes me wonder if the mistakes made in designing Mifare were honest engineering mistakes, or not... Then again, every morning I'm saying hello to the 10 ghosts that have been accompanying me during my life.
I'm pretty sure your reader is supported by roel's libnfc (libnfc.org).
For confirmation you can always check out this example code.