Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2010-12-14 19:05:13

fixje
Member
Registered: 2010-12-14
Posts: 2

Mifare Classic 1k "recursive" authentication

Hi there,

I was able to recover the key and decrypt a communication, sniffed with proxmark. In the following you can see an excerpt:

Decrypted trace:
READER    30 01 8B B9 
TAG    01 02 03 04 05 00 00 00 09 0A 0B 0C 0D 0E 80 79 85 A4 
READER    30 02 10 8B 
TAG    01 03 10 20 01 12 01 A7 43 25 9F 0A 07 66 08 E2 6C 11 
READER    30 03 99 9A 
TAG    00 00 00 00 00 00 63 C7 89 00 00 00 00 00 00 00 27 6C 
READER    60 0C 99 B1 
TAG    79 B2 27 D7 
READER    9F 17 D7 DB A5 14 2D B8 
TAG    10 82 30 8C 
READER    8B 7B E0 D4 
TAG    95 50 98 F3 9A 95 05 0C 30 D0 EF 1F AF EF 42 26 74 44 
READER    90 C5 25 21 
TAG    A7 08 1F C6 20 6B 9A 79 4C 89 65 41 69 C0 AE 5F 9F DD 
READER    9E 53 93 D4 
...

One can see that block 1,2 and 3 are read. Then another authentication starts with

READER    60 0C 99 B1 

and I don't know how to handle it.
I just tried to treat the following messages as tag nonce, reader response (including reader challenge) and tag response to compute the key. I have taken the decrypted messages which you see here as well as the encrypted messages from the original trace to reveal the key.
Using crapto1 I get something which could be the key, but if I replay the authentication phase with henryk's crypto1 implementation the mutual2 authentication fails.

Maybe you have some ideas?

Offline

#2 2010-12-15 16:53:39

fixje
Member
Registered: 2010-12-14
Posts: 2

Re: Mifare Classic 1k "recursive" authentication

Well, this is a typical case of nested authentication. So I had a look at the forum and a bunch of documents which didn't reveal the answer to my question: "how does it work?"

What I got:
1. during an encrypted data transfer the 60 auth request is sent following
2. the encrypted tag nonce

So, now there is the problem that I try to recover the key with the following code:

 struct Crypto1State *revstate;
  uint64_t lfsr;
  unsigned char* plfsr = (unsigned char*) &lfsr;

  uint32_t ks2 = reader_response ^ prng_successor(tag_challenge, 64);
  uint32_t ks3 = tag_response ^ prng_successor(tag_challenge, 96);

  revstate = lfsr_recovery64(ks2, ks3);
  lfsr_rollback_word(revstate, 0, 0);
  lfsr_rollback_word(revstate, 0, 0);
  lfsr_rollback_word(revstate, nr_enc, 1);
  lfsr_rollback_word(revstate, uid ^ tag_challenge, 0);
  crypto1_get_lfsr(revstate, &lfsr);

  uint64_t key = plfsr[5];
  key = (key << 8) | plfsr[4];
  key = (key << 8) | plfsr[3];
  key = (key << 8) | plfsr[2];
  key = (key << 8) | plfsr[1];
  key = (key << 8) | plfsr[0];

where nr_enc is the encoded reader nonce and the rest of the variables should be self-explaining.
This code expects uid, tag challenge, reader challenge, reader response and tag response to be fed in.

Are reader challenge, reader response and tag response sent in plaintext?

Offline

#3 2010-12-20 02:16:53

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: Mifare Classic 1k "recursive" authentication

>>Are reader challenge, reader response and tag response sent in plaintext?

no.

reader response and tag response are poorly named. it requires the encypted versions of the reader respone and tag response. as they are "on the metaphorical" wire.

the tag challenge however is a different matter.

the tag challenge is unknown. we have to brute force it.

since there are only 2^16 minus 1 valid nonces. and you can execute the code you provided several times per second, it would only take a matter of hours.


for(tagchal = 1; ;tagchal=prng_successor(tagchal)){ try it}

you can however do better. using the parity bits. however your log doesn't seem to include them (those are the exclamation marks you see in the standard output of some tools). more details on that are in the documents. however iirc there are about 10 usable parity bits which each half the search space leaving you with only 64 tag challenges to try. iirc2 the latest crapto releases have code that does that.

Offline

#4 2012-07-12 15:53:11

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Mifare Classic 1k "recursive" authentication

Hi,

Do anyone wrote code to decode nested authentication?
Or it needs to write from scratch?

	if (!traceCrypto1) {
// here all ok
		ks2 = ar_enc ^ prng_successor(nt, 64);
		ks3 = at_enc ^ prng_successor(nt, 96);
		revstate = lfsr_recovery64(ks2, ks3);
		lfsr_rollback_word(revstate, 0, 0);
		lfsr_rollback_word(revstate, 0, 0);
		lfsr_rollback_word(revstate, nr_enc, 1);
		lfsr_rollback_word(revstate, uid ^ nt, 0);
	}else{
// here nt_enc instead of nt
		ks2 = ar_enc ^ prng_successor(nt, 64);
		ks3 = at_enc ^ prng_successor(nt, 96);
		revstate = lfsr_recovery64(ks2, ks3);
		lfsr_rollback_word(revstate, 0, 0);
		lfsr_rollback_word(revstate, 0, 0);
		lfsr_rollback_word(revstate, nr_enc, 1);
		lfsr_rollback_word(revstate, uid ^ nt, 0);
	}
	crypto1_get_lfsr(revstate, &lfsr);
	printf("\nFound Key: [%02x %02x %02x %02x %02x %02x]\n\n",plfsr[5],plfsr[4],plfsr[3],plfsr[2],plfsr[1],plfsr[0]);

Offline

Board footer

Powered by FluxBB