Proxmark3 community


#1 2013-03-31 14:05:26

vos
Member
Registered: 2013-02-28
Posts: 2

Mifare Classic - Nested auth - key recovery from snoop log

Hey guys.

Anyone worked with Mifare1 nested authentication protocol?

There exists a snoop log that was captured between a card and a reader that first auths one sector, reads it, and then nested-auths another without HALTing the card.

We can retrieve the key for the first authenticated sector using crapto1 tools (crapto1gui), but that doesn't work for nested auth since the protocol is slightly different.

Now I'm trying to figure out how the key recovery algorithm can be modified to work for nested auth.
My google skills didn't give me any nested auth specification, so I'm relying on proxmark3 source.

This is how it is implemented in card emulator code (armsrc/iso14443a.c):

if (cardAUTHKEY == 0xff) {
    // first authentication
    <...>
    crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
    ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
    num_to_bytes(nonce, 4, rAUTH_AT);   // transmits plain Tag Nonce
} else {
    // nested authentication
    <...>
    crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
    ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
    num_to_bytes(ans, 4, rAUTH_AT);   // transmits Tag Nonce XORed with the first 32 bits to come from the stream cipher
}

And this is how the reader gets the plain tag nonce according to proxmark3 mifare reader code (armsrc/mifareutil.c):

// Init cipher with key
crypto1_create(pcs, ui64Key);

if (isNested == AUTH_NESTED) {
    // decrypt nt with help of new key
    nt = nt ^ crypto1_word(pcs, nt ^ uid, 1);
} else {
    // Load (plain) uid^nt into the cipher
    crypto1_word(pcs, nt ^ uid, 0);
}

And THIS is how crapto1gui gets the key from five captured dwords (main.cpp):

unsigned int ks2 = reader_response ^ prng_successor(tag_nonce, 64);
unsigned int ks3 = tag_response ^ prng_successor(tag_nonce, 96);

revstate = lfsr_recovery(ks2, ks3);
lfsr_rollback(revstate, 0, 0);
lfsr_rollback(revstate, 0, 0);
lfsr_rollback(revstate, reader_nonce, 1);
lfsr_rollback(revstate, uid ^ tag_nonce, 0);
crypto1_get_lfsr(revstate, &lfsr);

So the basis for cipher state depends on plain tag nonce, and then we roll it back to the initial state where we can get the key.
And now, when we have captured nested auth, the plain tag nonce isn't in the logs, it's encrypted using target sector key.

I'm wondering, is there any way to abuse the crypto1 cipher in this case and get the key?
(if not, then is using nested auth a mitigation against snooped key recovery?)

Do you guys have any better information on the protocol or maybe already analyzed the nested auth key recovery?

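The tag-side and reader-side steps quoted in the post above, modelled in Python as an added example; this is not the poster's code nor the proxmark3 or crapto1 sources, though the register layout and filter follow the public crapto1 description, and the key, uid and nt values are constructed. It shows why a snooper of a nested auth only ever sees nt XORed with keystream, while a reader holding the key resynchronises by clocking the cipher with is_encrypted=1 exactly as armsrc/mifareutil.c does.

```python
LF_POLY_ODD, LF_POLY_EVEN = 0x29CE5C, 0x870804   # Crypto1 feedback taps

def bit(x, n):
    return (x >> n) & 1

def parity(x):
    return bin(x).count("1") & 1

def filter_fn(x):
    # nonlinear output function over 20 bits of the odd register
    f = (0xF22C0 >> (x & 0xF)) & 16
    f |= (0x6C9C0 >> ((x >> 4) & 0xF)) & 8
    f |= (0x3C8B0 >> ((x >> 8) & 0xF)) & 4
    f |= (0x1E458 >> ((x >> 12) & 0xF)) & 2
    f |= (0x0D938 >> ((x >> 16) & 0xF)) & 1
    return bit(0xEC57E80A, f)

class Crypto1:
    # 48-bit state kept as odd/even 24-bit halves, loaded as crypto1_create does
    def __init__(self, key):
        self.odd = self.even = 0
        for i in range(47, 0, -2):
            self.odd = ((self.odd << 1) | bit(key, (i - 1) ^ 7)) & 0xFFFFFF
            self.even = ((self.even << 1) | bit(key, i ^ 7)) & 0xFFFFFF

    def clock(self, inp, is_encrypted):
        ks = filter_fn(self.odd)
        # is_encrypted=1 feeds in (ciphertext ^ keystream) = plaintext, so a
        # reader holding the key stays in sync with the tag without seeing nt
        feedin = (ks if is_encrypted else 0) ^ inp
        feedin ^= LF_POLY_ODD & self.odd
        feedin ^= LF_POLY_EVEN & self.even
        self.even, self.odd = self.odd, ((self.even << 1) | parity(feedin)) & 0xFFFFFF
        return ks

    def word(self, inp, is_encrypted):
        out = 0
        for i in range(32):  # same bit order as crypto1_word (BEBIT)
            out |= self.clock(bit(inp, i ^ 24), is_encrypted) << (i ^ 24)
        return out

def nested_auth(key, uid, nt, reader_key=None):
    # tag side: cipher fed with plain uid^nt, nonce sent XORed with keystream
    tag = Crypto1(key)
    nt_enc = nt ^ tag.word(uid ^ nt, 0)
    # reader side: only nt_enc is on the air; decrypt it with is_encrypted=1
    reader = Crypto1(key if reader_key is None else reader_key)
    nt_dec = nt_enc ^ reader.word(nt_enc ^ uid, 1)
    synced = (tag.odd, tag.even) == (reader.odd, reader.even)
    return nt_enc, nt_dec, synced
```

With the correct key the reader recovers nt and both cipher states match; with any other key it gets garbage, which is the value a snooper is left with.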

#2 2014-02-03 22:02:15

clayer
Contributor
Registered: 2013-12-22
Posts: 45

Re: Mifare Classic - Nested auth - key recovery from snoop log

http://www.proxmark.org/forum/viewtopic.php?id=71
I think it helps.
But I'm interested too in getting nested keys.


#3 2016-02-11 10:31:43

jbf
Contributor
Registered: 2015-06-25
Posts: 22

Re: Mifare Classic - Nested auth - key recovery from snoop log

Has anyone succeeded in recovering the second key used in a nested auth from a snoop?

Last edited by jbf (2016-02-11 10:32:15)


#4 2016-02-13 14:11:00

jbf
Contributor
Registered: 2015-06-25
Posts: 22

Re: Mifare Classic - Nested auth - key recovery from snoop log

For those looking for the same answer:

This is possible but definitely harder than a non-nested authentication.
The problem is that the tag's nonce (nT) is, in the case of nested auth, encrypted and not in plain text.
It is explained in Dismantling Mifare Classic in part 8.

So if you want to make things harder for the attacker, you can perform several nested authentications before accessing the sector you really want to access.


#5 2016-02-15 09:15:19

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: Mifare Classic - Nested auth - key recovery from snoop log

Actually a little bit harder for the attacker ;)
http://www.proxmark.org/forum/viewtopic.php?id=2167


#6 2016-02-15 12:14:12

jbf
Contributor
Registered: 2015-06-25
Posts: 22

Re: Mifare Classic - Nested auth - key recovery from snoop log

Still harder than a single auth :)

I had a trace in which the reader did 3 "useless" authentications before getting to the right sector!


#7 2016-04-18 19:12:12

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

Re: Mifare Classic - Nested auth - key recovery from snoop log

They just keep on thinking that they use AES on SL1 :)
