1 /*****************************************************************************
4 * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
6 * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
7 * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
8 * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
10 * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
12 *****************************************************************************
14 * This file is part of loclass. It is a reconstructon of the cipher engine
15 * used in iClass, and RFID techology.
17 * The implementation is based on the work performed by
18 * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
19 * Milosch Meriac in the paper "Dismantling IClass".
21 * Copyright (C) 2014 Martin Holst Swende
23 * This is free software: you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License version 2 as published
25 * by the Free Software Foundation, or, at your option, any later version.
27 * This file is distributed in the hope that it will be useful,
28 * but WITHOUT ANY WARRANTY; without even the implied warranty of
29 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30 * GNU General Public License for more details.
32 * You should have received a copy of the GNU General Public License
33 * along with loclass. If not, see <http://www.gnu.org/licenses/>.
36 ****************************************************************************/
41 From "Dismantling iclass":
42 This section describes in detail the built-in key diversification algorithm of iClass.
43 Besides the obvious purpose of deriving a card key from a master key, this
44 algorithm intends to circumvent weaknesses in the cipher by preventing the
45 usage of certain ‘weak’ keys. In order to compute a diversified key, the iClass
46 reader first encrypts the card identity id with the master key K, using single
47 DES. The resulting ciphertext is then input to a function called hash0 which
48 outputs the diversified key k.
50 k = hash0(DES enc (id, K))
52 Here the DES encryption of id with master key K outputs a cryptogram c
53 of 64 bits. These 64 bits are divided as c = x, y, z [0] , . . . , z [7] ∈ F 82 × F 82 × (F 62 ) 8
54 which is used as input to the hash0 function. This function introduces some
55 obfuscation by performing a number of permutations, complement and modulo
56 operations, see Figure 2.5. Besides that, it checks for and removes patterns like
57 similar key bytes, which could produce a strong bias in the cipher. Finally, the
58 output of hash0 is the diversified card key k = k [0] , . . . , k [7] ∈ (F 82 ) 8 .
69 #include "fileutils.h"
70 #include "cipherutils.h"
71 #include "mbedtls/des.h"
73 uint8_t pi
[35] = {0x0F,0x17,0x1B,0x1D,0x1E,0x27,0x2B,0x2D,0x2E,0x33,0x35,0x39,0x36,0x3A,0x3C,0x47,0x4B,0x4D,0x4E,0x53,0x55,0x56,0x59,0x5A,0x5C,0x63,0x65,0x66,0x69,0x6A,0x6C,0x71,0x72,0x74,0x78};
75 static mbedtls_des_context ctx_enc
= { {0} };
76 static mbedtls_des_context ctx_dec
= { {0} };
78 static int debug_print
= 0;
81 * @brief The key diversification algorithm uses 6-bit bytes.
82 * This implementation uses 64 bit uint to pack seven of them into one
83 * variable. When they are there, they are placed as follows:
84 * XXXX XXXX N0 .... N7, occupying the lsat 48 bits.
86 * This function picks out one from such a collection
91 uint8_t getSixBitByte(uint64_t c
, int n
)
93 return (c
>> (42-6*n
)) & 0x3F;
97 * @brief Puts back a six-bit 'byte' into a uint64_t.
99 * @param z the value to place there
100 * @param n bitnumber.
102 void pushbackSixBitByte(uint64_t *c
, uint8_t z
, int n
)
104 //0x XXXX YYYY ZZZZ ZZZZ ZZZZ
106 //z0: 1111 1100 0000 0000
108 uint64_t masked
= z
& 0x3F;
109 uint64_t eraser
= 0x3F;
122 * @brief Swaps the z-values.
123 * If the input value has format XYZ0Z1...Z7, the output will have the format
124 * XYZ7Z6...Z0 instead
128 uint64_t swapZvalues(uint64_t c
)
131 pushbackSixBitByte(&newz
, getSixBitByte(c
,0),7);
132 pushbackSixBitByte(&newz
, getSixBitByte(c
,1),6);
133 pushbackSixBitByte(&newz
, getSixBitByte(c
,2),5);
134 pushbackSixBitByte(&newz
, getSixBitByte(c
,3),4);
135 pushbackSixBitByte(&newz
, getSixBitByte(c
,4),3);
136 pushbackSixBitByte(&newz
, getSixBitByte(c
,5),2);
137 pushbackSixBitByte(&newz
, getSixBitByte(c
,6),1);
138 pushbackSixBitByte(&newz
, getSixBitByte(c
,7),0);
139 newz
|= (c
& 0xFFFF000000000000);
144 * @return 4 six-bit bytes chunked into a uint64_t,as 00..00a0a1a2a3
146 uint64_t ck(int i
, int j
, uint64_t z
)
149 if(i
== 1 && j
== -1)
151 // ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3]
156 // ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] )
157 return ck(i
-1,i
-2, z
);
160 if(getSixBitByte(z
,i
) == getSixBitByte(z
,j
))
163 //ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] )
166 for(c
= 0; c
< 4 ;c
++)
168 uint8_t val
= getSixBitByte(z
,c
);
171 pushbackSixBitByte(&newz
, j
, c
);
174 pushbackSixBitByte(&newz
, val
, c
);
177 return ck(i
,j
-1,newz
);
186 Let the function check : (F 62 ) 8 → (F 62 ) 8 be defined as
187 check(z [0] . . . z [7] ) = ck(3, 2, z [0] . . . z [3] ) · ck(3, 2, z [4] . . . z [7] )
189 where ck : N × N × (F 62 ) 4 → (F 62 ) 4 is defined as
191 ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3]
192 ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] )
193 ck(i, j, z [0] . . . z [3] ) =
194 ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ), if z [i] = z [j] ;
195 ck(i, j − 1, z [0] . . . z [3] ), otherwise
200 uint64_t check(uint64_t z
)
202 //These 64 bits are divided as c = x, y, z [0] , . . . , z [7]
204 // ck(3, 2, z [0] . . . z [3] )
205 uint64_t ck1
= ck(3,2, z
);
207 // ck(3, 2, z [4] . . . z [7] )
208 uint64_t ck2
= ck(3,2, z
<< 24);
210 //The ck function will place the values
211 // in the middle of z.
212 ck1
&= 0x00000000FFFFFF000000;
213 ck2
&= 0x00000000FFFFFF000000;
215 return ck1
| ck2
>> 24;
219 void permute(BitstreamIn
*p_in
, uint64_t z
,int l
,int r
, BitstreamOut
* out
)
221 if(bitsLeft(p_in
) == 0)
225 bool pn
= tailBit(p_in
);
228 uint8_t zl
= getSixBitByte(z
,l
);
230 push6bits(out
, zl
+1);
231 permute(p_in
, z
, l
+1,r
, out
);
234 uint8_t zr
= getSixBitByte(z
,r
);
237 permute(p_in
,z
,l
,r
+1,out
);
245 prnlog(" | x| y|z0|z1|z2|z3|z4|z5|z6|z7|");
248 void printState(char* desc
, uint64_t c
)
253 printf("%s : ", desc
);
254 uint8_t x
= (c
& 0xFF00000000000000 ) >> 56;
255 uint8_t y
= (c
& 0x00FF000000000000 ) >> 48;
256 printf(" %02x %02x", x
,y
);
258 for(i
=0 ; i
< 8 ; i
++)
260 printf(" %02x", getSixBitByte(c
,i
));
267 *Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 → (F 82 ) 8 be defined as
268 * hash0(x, y, z [0] . . . z [7] ) = k [0] . . . k [7] where
269 * z'[i] = (z[i] mod (63-i)) + i i = 0...3
270 * z'[i+4] = (z[i+4] mod (64-i)) + i i = 0...3
273 * @param k this is where the diversified key is put (should be 8 bytes)
276 void hash0(uint64_t c
, uint8_t k
[8])
281 printState("origin",c
);
282 //These 64 bits are divided as c = x, y, z [0] , . . . , z [7]
285 // z0-z7 6 bits each : 48 bits
286 uint8_t x
= (c
& 0xFF00000000000000 ) >> 56;
287 uint8_t y
= (c
& 0x00FF000000000000 ) >> 48;
289 uint8_t zn
, zn4
, _zn
, _zn4
;
292 for(n
= 0; n
< 4 ; n
++)
294 zn
= getSixBitByte(c
,n
);
296 zn4
= getSixBitByte(c
,n
+4);
298 _zn
= (zn
% (63-n
)) + n
;
299 _zn4
= (zn4
% (64-n
)) + n
;
302 pushbackSixBitByte(&zP
, _zn
,n
);
303 pushbackSixBitByte(&zP
, _zn4
,n
+4);
306 printState("0|0|z'",zP
);
308 uint64_t zCaret
= check(zP
);
309 printState("0|0|z^",zP
);
312 uint8_t p
= pi
[x
% 35];
314 if(x
& 1) //Check if x7 is 1
319 if(debug_print
>= 2) prnlog("p:%02x", p
);
321 BitstreamIn p_in
= { &p
, 8,0 };
322 uint8_t outbuffer
[] = {0,0,0,0,0,0,0,0};
323 BitstreamOut out
= {outbuffer
,0,0};
324 permute(&p_in
,zCaret
,0,4,&out
);//returns 48 bits? or 6 8-bytes
326 //Out is now a buffer containing six-bit bytes, should be 48 bits
328 //Shift z-values down onto the lower segment
330 uint64_t zTilde
= x_bytes_to_num(outbuffer
,8);
334 printState("0|0|z~", zTilde
);
338 for(i
=0 ; i
< 8 ; i
++)
341 // the key on index i is first a bit from y
342 // then six bits from z,
347 // First, place yi leftmost in k
348 //k[i] |= (y << i) & 0x80 ;
350 // First, place y(7-i) leftmost in k
351 k
[i
] |= (y
<< (7-i
)) & 0x80 ;
355 uint8_t zTilde_i
= getSixBitByte(zTilde
, i
);
356 // zTildeI is now on the form 00XXXXXX
357 // with one leftshift, it'll be
359 // So after leftshift, we can OR it into k
360 // However, when doing complement, we need to
361 // again MASK 0XXXXXX0 (0x7E)
364 //Finally, add bit from p or p-mod
365 //Shift bit i into rightmost location (mask only after complement)
366 uint8_t p_i
= p
>> i
& 0x1;
370 //printf("k[%d] +1\n", i);
371 k
[i
] |= ~zTilde_i
& 0x7E;
377 k
[i
] |= zTilde_i
& 0x7E;
387 * @brief Performs Elite-class key diversification
392 void diversifyKey(uint8_t csn
[8], uint8_t key
[8], uint8_t div_key
[8])
395 // Prepare the DES key
396 mbedtls_des_setkey_enc( &ctx_enc
, key
);
398 uint8_t crypted_csn
[8] = {0};
400 // Calculate DES(CSN, KEY)
401 mbedtls_des_crypt_ecb(&ctx_enc
,csn
, crypted_csn
);
403 //Calculate HASH0(DES))
404 uint64_t crypt_csn
= x_bytes_to_num(crypted_csn
, 8);
405 //uint64_t crypted_csn_swapped = swapZvalues(crypt_csn);
407 hash0(crypt_csn
,div_key
);
418 pushbackSixBitByte(&x
,0x00,0);
419 pushbackSixBitByte(&x
,0x01,1);
420 pushbackSixBitByte(&x
,0x02,2);
421 pushbackSixBitByte(&x
,0x03,3);
422 pushbackSixBitByte(&x
,0x04,4);
423 pushbackSixBitByte(&x
,0x05,5);
424 pushbackSixBitByte(&x
,0x06,6);
425 pushbackSixBitByte(&x
,0x07,7);
427 uint8_t mres
[8] = { getSixBitByte(x
, 0),
434 getSixBitByte(x
, 7)};
435 printarr("input_perm", mres
,8);
438 BitstreamIn p_in
= { &p
, 8,0 };
439 uint8_t outbuffer
[] = {0,0,0,0,0,0,0,0};
440 BitstreamOut out
= {outbuffer
,0,0};
442 permute(&p_in
, x
,0,4, &out
);
444 uint64_t permuted
= x_bytes_to_num(outbuffer
,8);
445 //printf("zTilde 0x%"PRIX64"\n", zTilde);
448 uint8_t res
[8] = { getSixBitByte(permuted
, 0),
449 getSixBitByte(permuted
, 1),
450 getSixBitByte(permuted
, 2),
451 getSixBitByte(permuted
, 3),
452 getSixBitByte(permuted
, 4),
453 getSixBitByte(permuted
, 5),
454 getSixBitByte(permuted
, 6),
455 getSixBitByte(permuted
, 7)};
456 printarr("permuted", res
, 8);
459 //These testcases are
460 //{ UID , TEMP_KEY, DIV_KEY} using the specific key
469 int testDES(Testcase testcase
, mbedtls_des_context ctx_enc
, mbedtls_des_context ctx_dec
)
471 uint8_t des_encrypted_csn
[8] = {0};
472 uint8_t decrypted
[8] = {0};
473 uint8_t div_key
[8] = {0};
474 int retval
= mbedtls_des_crypt_ecb(&ctx_enc
,testcase
.uid
,des_encrypted_csn
);
475 retval
|= mbedtls_des_crypt_ecb(&ctx_dec
,des_encrypted_csn
,decrypted
);
477 if(memcmp(testcase
.uid
,decrypted
,8) != 0)
480 prnlog("Encryption <-> Decryption FAIL");
481 printarr("Input", testcase
.uid
, 8);
482 printarr("Decrypted", decrypted
, 8);
486 if(memcmp(des_encrypted_csn
,testcase
.t_key
,8) != 0)
489 prnlog("Encryption != Expected result");
490 printarr("Output", des_encrypted_csn
, 8);
491 printarr("Expected", testcase
.t_key
, 8);
494 uint64_t crypted_csn
= x_bytes_to_num(des_encrypted_csn
,8);
495 hash0(crypted_csn
, div_key
);
497 if(memcmp(div_key
, testcase
.div_key
,8) != 0)
499 //Key diversification fail
500 prnlog("Div key != expected result");
501 printarr(" csn ", testcase
.uid
,8);
502 printarr("{csn} ", des_encrypted_csn
,8);
503 printarr("hash0 ", div_key
, 8);
504 printarr("Expected", testcase
.div_key
, 8);
510 bool des_getParityBitFromKey(uint8_t key
)
511 {//The top 7 bits is used
512 bool parity
= ((key
& 0x80) >> 7)
513 ^ ((key
& 0x40) >> 6) ^ ((key
& 0x20) >> 5)
514 ^ ((key
& 0x10) >> 4) ^ ((key
& 0x08) >> 3)
515 ^ ((key
& 0x04) >> 2) ^ ((key
& 0x02) >> 1);
520 void des_checkParity(uint8_t* key
)
524 for(i
=0 ; i
< 8 ; i
++)
526 bool parity
= des_getParityBitFromKey(key
[i
]);
527 if(parity
!= (key
[i
] & 0x1))
530 prnlog("[+] parity1 fail, byte %d [%02x] was %d, should be %d",i
,key
[i
],(key
[i
] & 0x1),parity
);
535 prnlog("[+] parity fails: %d", fails
);
538 prnlog("[+] Key syntax is with parity bits inside each byte");
542 Testcase testcases
[] ={
544 {{0x8B,0xAC,0x60,0x1F,0x53,0xB8,0xED,0x11},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
545 {{0xAE,0x51,0xE5,0x62,0xE7,0x9A,0x99,0x39},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01},{0x04,0x02,0x06,0x08,0x01,0x03,0x05,0x07}},
546 {{0x9B,0x21,0xE4,0x31,0x6A,0x00,0x29,0x62},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02},{0x06,0x04,0x02,0x08,0x01,0x03,0x05,0x07}},
547 {{0x65,0x24,0x0C,0x41,0x4F,0xC2,0x21,0x93},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04},{0x0A,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
548 {{0x7F,0xEB,0xAE,0x93,0xE5,0x30,0x08,0xBD},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08},{0x12,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
549 {{0x49,0x7B,0x70,0x74,0x9B,0x35,0x1B,0x83},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10},{0x22,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
550 {{0x02,0x3C,0x15,0x6B,0xED,0xA5,0x64,0x6C},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20},{0x42,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
551 {{0xE8,0x37,0xE0,0xE2,0xC6,0x45,0x24,0xF3},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40},{0x02,0x06,0x04,0x08,0x01,0x03,0x05,0x07}},
552 {{0xAB,0xBD,0x30,0x05,0x29,0xC8,0xF7,0x12},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80},{0x02,0x08,0x06,0x04,0x01,0x03,0x05,0x07}},
553 {{0x17,0xE8,0x97,0xF0,0x99,0xB6,0x79,0x31},{0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00},{0x02,0x0C,0x06,0x08,0x01,0x03,0x05,0x07}},
554 {{0x49,0xA4,0xF0,0x8F,0x5F,0x96,0x83,0x16},{0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00},{0x02,0x14,0x06,0x08,0x01,0x03,0x05,0x07}},
555 {{0x60,0xF5,0x7E,0x54,0xAA,0x41,0x83,0xD4},{0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00},{0x02,0x24,0x06,0x08,0x01,0x03,0x05,0x07}},
556 {{0x1D,0xF6,0x3B,0x6B,0x85,0x55,0xF0,0x4B},{0x00,0x00,0x00,0x00,0x00,0x00,0x08,0x00},{0x02,0x44,0x06,0x08,0x01,0x03,0x05,0x07}},
557 {{0x1F,0xDC,0x95,0x1A,0xEA,0x6B,0x4B,0xB4},{0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00},{0x02,0x04,0x08,0x06,0x01,0x03,0x05,0x07}},
558 {{0xEC,0x93,0x72,0xF0,0x3B,0xA9,0xF5,0x0B},{0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00},{0x02,0x04,0x0A,0x08,0x01,0x03,0x05,0x07}},
559 {{0xDE,0x57,0x5C,0xBE,0x2D,0x55,0x03,0x12},{0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00},{0x02,0x04,0x0E,0x08,0x01,0x03,0x05,0x07}},
560 {{0x1E,0xD2,0xB5,0xCE,0x90,0xC9,0xC1,0xCC},{0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00},{0x02,0x04,0x16,0x08,0x01,0x03,0x05,0x07}},
561 {{0xD8,0x65,0x96,0x4E,0xE7,0x74,0x99,0xB8},{0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00},{0x02,0x04,0x26,0x08,0x01,0x03,0x05,0x07}},
562 {{0xE3,0x7A,0x29,0x83,0x31,0xD5,0x3A,0x54},{0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00},{0x02,0x04,0x46,0x08,0x01,0x03,0x05,0x07}},
563 {{0x3A,0xB5,0x1A,0x34,0x34,0x25,0x12,0xF0},{0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00},{0x02,0x04,0x06,0x0A,0x01,0x03,0x05,0x07}},
564 {{0xF2,0x88,0xEE,0x6F,0x70,0x6F,0xC2,0x52},{0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x00},{0x02,0x04,0x06,0x0C,0x01,0x03,0x05,0x07}},
565 {{0x76,0xEF,0xEB,0x80,0x52,0x43,0x83,0x57},{0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00},{0x02,0x04,0x06,0x10,0x01,0x03,0x05,0x07}},
566 {{0x1C,0x09,0x8E,0x3B,0x23,0x23,0x52,0xB5},{0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00},{0x02,0x04,0x06,0x18,0x01,0x03,0x05,0x07}},
567 {{0xA9,0x13,0xA2,0xBE,0xCF,0x1A,0xC4,0x9A},{0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00},{0x02,0x04,0x06,0x28,0x01,0x03,0x05,0x07}},
568 {{0x25,0x56,0x4B,0xB0,0xC8,0x2A,0xD4,0x27},{0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00},{0x02,0x04,0x06,0x48,0x01,0x03,0x05,0x07}},
569 {{0xB1,0x04,0x57,0x3F,0xA7,0x16,0x62,0xD4},{0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x03,0x01,0x05,0x07}},
570 {{0x45,0x46,0xED,0xCC,0xE7,0xD3,0x8E,0xA3},{0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x05,0x03,0x01,0x07}},
571 {{0x22,0x6D,0xB5,0x35,0xE0,0x5A,0xE0,0x90},{0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x09,0x03,0x05,0x07}},
572 {{0xB8,0xF5,0xE5,0x44,0xC5,0x98,0x4A,0xBD},{0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x11,0x03,0x05,0x07}},
573 {{0xAC,0x78,0x0A,0x23,0x9E,0xF6,0xBC,0xA0},{0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x21,0x03,0x05,0x07}},
574 {{0x46,0x6B,0x2D,0x70,0x41,0x17,0xBF,0x3D},{0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x41,0x03,0x05,0x07}},
575 {{0x64,0x44,0x24,0x71,0xA2,0x56,0xDF,0xB5},{0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x05,0x03,0x07}},
576 {{0xC4,0x00,0x52,0x24,0xA2,0xD6,0x16,0x7A},{0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x07,0x05,0x03}},
577 {{0xD8,0x4A,0x80,0x1E,0x95,0x5B,0x70,0xC4},{0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x0B,0x05,0x07}},
578 {{0x08,0x56,0x6E,0xB5,0x64,0xD6,0x47,0x4E},{0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x13,0x05,0x07}},
579 {{0x41,0x6F,0xBA,0xA4,0xEB,0xAE,0xA0,0x55},{0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x23,0x05,0x07}},
580 {{0x62,0x9D,0xDE,0x72,0x84,0x4A,0x53,0xD5},{0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x43,0x05,0x07}},
581 {{0x39,0xD3,0x2B,0x66,0xB8,0x08,0x40,0x2E},{0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x07,0x05}},
582 {{0xAF,0x67,0xA9,0x18,0x57,0x21,0xAF,0x8D},{0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x09,0x07}},
583 {{0x34,0xBC,0x9D,0xBC,0xC4,0xC2,0x3B,0xC8},{0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x0D,0x07}},
584 {{0xB6,0x50,0xF9,0x81,0xF6,0xBF,0x90,0x3C},{0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x15,0x07}},
585 {{0x71,0x41,0x93,0xA1,0x59,0x81,0xA5,0x52},{0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x25,0x07}},
586 {{0x6B,0x00,0xBD,0x74,0x1C,0x3C,0xE0,0x1A},{0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x45,0x07}},
587 {{0x76,0xFD,0x0B,0xD0,0x41,0xD2,0x82,0x5D},{0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x09}},
588 {{0xC6,0x3A,0x1C,0x25,0x63,0x5A,0x2F,0x0E},{0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x0B}},
589 {{0xD9,0x0E,0xD7,0x30,0xE2,0xAD,0xA9,0x87},{0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x0F}},
590 {{0x6B,0x81,0xC6,0xD1,0x05,0x09,0x87,0x1E},{0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x17}},
591 {{0xB4,0xA7,0x1E,0x02,0x54,0x37,0x43,0x35},{0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x27}},
592 {{0x45,0x14,0x7C,0x7F,0xE0,0xDE,0x09,0x65},{0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x47}},
593 {{0x78,0xB0,0xF5,0x20,0x8B,0x7D,0xF3,0xDD},{0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00},{0xFE,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
594 {{0x88,0xB3,0x3C,0xE1,0xF7,0x87,0x42,0xA1},{0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0xFC,0x06,0x08,0x01,0x03,0x05,0x07}},
595 {{0x11,0x2F,0xB2,0xF7,0xE2,0xB2,0x4F,0x6E},{0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0xFA,0x08,0x01,0x03,0x05,0x07}},
596 {{0x25,0x56,0x4E,0xC6,0xEB,0x2D,0x74,0x5B},{0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0xF8,0x01,0x03,0x05,0x07}},
597 {{0x7E,0x98,0x37,0xF9,0x80,0x8F,0x09,0x82},{0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0xFF,0x03,0x05,0x07}},
598 {{0xF9,0xB5,0x62,0x3B,0xD8,0x7B,0x3C,0x3F},{0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0xFD,0x05,0x07}},
599 {{0x29,0xC5,0x2B,0xFA,0xD1,0xFC,0x5C,0xC7},{0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0xFB,0x07}},
600 {{0xC1,0xA3,0x09,0x71,0xBD,0x8E,0xAF,0x2F},{0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0xF9}},
601 {{0xB6,0xDD,0xD1,0xAD,0xAA,0x15,0x6F,0x29},{0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x03,0x05,0x02,0x07,0x04,0x06,0x08}},
602 {{0x65,0x34,0x03,0x19,0x17,0xB3,0xA3,0x96},{0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x01,0x06,0x08,0x03,0x05,0x07}},
603 {{0xF9,0x38,0x43,0x56,0x52,0xE5,0xB1,0xA9},{0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x04,0x06,0x08,0x03,0x05,0x07}},
605 {{0xA4,0xA0,0xAF,0xDA,0x48,0xB0,0xA1,0x10},{0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x04,0x06,0x03,0x08,0x05,0x07}},
606 {{0x55,0x15,0x8A,0x0D,0x48,0x29,0x01,0xD8},{0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x01,0x06,0x03,0x05,0x08,0x07}},
607 {{0xC4,0x81,0x96,0x7D,0xA3,0xB7,0x73,0x50},{0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x05,0x04,0x06,0x08,0x07}},
608 {{0x36,0x73,0xDF,0xC1,0x1B,0x98,0xA8,0x1D},{0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x04,0x05,0x06,0x08,0x07}},
609 {{0xCE,0xE0,0xB3,0x1B,0x41,0xEB,0x15,0x12},{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x04,0x06,0x05,0x08,0x07}},
614 int testKeyDiversificationWithMasterkeyTestcases()
620 uint8_t empty
[8]={0};
621 prnlog("[+} Testing encryption/decryption");
623 for (i
= 0; memcmp(testcases
+i
,empty
,8) ; i
++) {
624 error
+= testDES(testcases
[i
],ctx_enc
, ctx_dec
);
628 prnlog("[+] %d errors occurred (%d testcases)", error
, i
);
631 prnlog("[+] Hashing seems to work (%d testcases)", i
);
637 void print64bits(char*name
, uint64_t val
)
639 printf("%s%08x%08x\n",name
,(uint32_t) (val
>> 32) ,(uint32_t) (val
& 0xFFFFFFFF));
642 uint64_t testCryptedCSN(uint64_t crypted_csn
, uint64_t expected
)
645 uint8_t result
[8] = {0};
646 if(debug_print
) prnlog("debug_print %d", debug_print
);
647 if(debug_print
) print64bits(" {csn} ", crypted_csn
);
649 uint64_t crypted_csn_swapped
= swapZvalues(crypted_csn
);
651 if(debug_print
) print64bits(" {csn-revz} ", crypted_csn_swapped
);
653 hash0(crypted_csn
, result
);
654 uint64_t resultbyte
= x_bytes_to_num(result
,8 );
655 if(debug_print
) print64bits(" hash0 " , resultbyte
);
657 if(resultbyte
!= expected
)
661 prnlog("\n[+] FAIL!");
662 print64bits(" expected " , expected
);
668 if(debug_print
) prnlog(" [OK]");
673 int testDES2(uint64_t csn
, uint64_t expected
)
675 uint8_t result
[8] = {0};
676 uint8_t input
[8] = {0};
678 print64bits(" csn ", csn
);
679 x_num_to_bytes(csn
, 8,input
);
681 mbedtls_des_crypt_ecb(&ctx_enc
,input
, result
);
683 uint64_t crypt_csn
= x_bytes_to_num(result
, 8);
684 print64bits(" {csn} ", crypt_csn
);
685 print64bits(" expected ", expected
);
687 if( expected
== crypt_csn
)
698 * These testcases come from http://www.proxmark.org/forum/viewtopic.php?pid=10977#p10977
699 * @brief doTestsWithKnownInputs
702 int doTestsWithKnownInputs()
705 // KSel from http://www.proxmark.org/forum/viewtopic.php?pid=10977#p10977
707 prnlog("[+] Testing DES encryption");
708 // uint8_t key[8] = {0x6c,0x8d,0x44,0xf9,0x2a,0x2d,0x01,0xbf};
709 prnlog("[+] Testing foo");
710 uint8_t key
[8] = {0x6c,0x8d,0x44,0xf9,0x2a,0x2d,0x01,0xbf};
712 mbedtls_des_setkey_enc( &ctx_enc
, key
);
713 testDES2(0xbbbbaaaabbbbeeee,0xd6ad3ca619659e6b);
715 prnlog("[+] Testing hashing algorithm");
717 errors
+= testCryptedCSN(0x0102030405060708,0x0bdd6512073c460a);
718 errors
+= testCryptedCSN(0x1020304050607080,0x0208211405f3381f);
719 errors
+= testCryptedCSN(0x1122334455667788,0x2bee256d40ac1f3a);
720 errors
+= testCryptedCSN(0xabcdabcdabcdabcd,0xa91c9ec66f7da592);
721 errors
+= testCryptedCSN(0xbcdabcdabcdabcda,0x79ca5796a474e19b);
722 errors
+= testCryptedCSN(0xcdabcdabcdabcdab,0xa8901b9f7ec76da4);
723 errors
+= testCryptedCSN(0xdabcdabcdabcdabc,0x357aa8e0979a5b8d);
724 errors
+= testCryptedCSN(0x21ba6565071f9299,0x34e80f88d5cf39ea);
725 errors
+= testCryptedCSN(0x14e2adfc5bb7e134,0x6ac90c6508bd9ea3);
729 prnlog("[+] %d errors occurred (9 testcases)", errors
);
732 prnlog("[+] Hashing seems to work (9 testcases)" );
737 int readKeyFile(uint8_t key
[8])
741 f
= fopen("iclass_key.bin", "rb");
745 if (fread(key
, sizeof(uint8_t), 8, f
) == 8) {
752 int doKeyTests(uint8_t debuglevel
)
754 debug_print
= debuglevel
;
756 prnlog("[+] Checking if the master key is present (iclass_key.bin)...");
757 uint8_t key
[8] = {0};
760 prnlog("[+] Master key not present, will not be able to do all testcases");
764 //Test if it's the right key...
767 for(i
=0 ; i
< sizeof(key
) ; i
++)
772 prnlog("[+] A key was loaded, but it does not seem to be the correct one. Aborting these tests");
775 prnlog("[+] Key present");
777 prnlog("[+] Checking key parity...");
778 des_checkParity(key
);
779 mbedtls_des_setkey_enc( &ctx_enc
, key
);
780 mbedtls_des_setkey_dec( &ctx_dec
, key
);
781 // Test hashing functions
782 prnlog("[+] The following tests require the correct 8-byte master key");
783 testKeyDiversificationWithMasterkeyTestcases();
786 prnlog("[+] Testing key diversification with non-sensitive keys...");
787 doTestsWithKnownInputs();
793 void checkParity2(uint8_t* key)
796 uint8_t stored_parity = key[7];
797 printf("Parity byte: 0x%02x\n", stored_parity);
801 BitstreamIn bits = {key, 56, 0};
805 for(i =0 ; i < 56; i++)
808 if ( i > 0 && i % 7 == 0)
811 bool pbit = stored_parity & (0x80 >> (byte));
814 printf("parity2 fail byte %d, should be %d, was %d\n", (i / 7), parity, pbit);
820 parity = parity ^ headBit(&bits);
824 printf("parity2 fails: %d\n", fails);
827 printf("Key syntax is with parity bits grouped in the last byte!\n");
830 void modifyKey_put_parity_last(uint8_t * key, uint8_t* output)
832 uint8_t paritybits = 0;
834 BitstreamOut out = { output, 0,0};
835 unsigned int bbyte, bbit;
836 for(bbyte=0; bbyte <8 ; bbyte++ )
838 for(bbit =0 ; bbit< 7 ; bbit++)
840 bool bit = *(key+bbyte) & (1 << (7-bbit));
844 bool paritybit = *(key+bbyte) & 1;
845 paritybits |= paritybit << (7-bbyte);
849 output[7] = paritybits;
850 printf("Parity byte: %02x\n", paritybits);
853 * @brief Modifies a key with parity bits last, so that it is formed with parity
854 * bits inside each byte
858 void modifyKey_put_parity_allover(uint8_t * key, uint8_t* output)
861 BitstreamOut out = { output, 0,0};
862 BitstreamIn in = {key, 0,0};
863 unsigned int bbyte, bbit;
864 for(bbit =0 ; bbit < 56 ; bbit++)
867 if( bbit > 0 && bbit % 7 == 0)
869 pushBit(&out,!parity);
872 bool bit = headBit(&in);
877 pushBit(&out, !parity);
880 if( des_key_check_key_parity(output))
882 printf("modifyKey_put_parity_allover fail, DES key invalid parity!");