]> git.zerfleddert.de Git - proxmark3-svn/blame - client/loclass/ikeys.c
FIX: had to make it clientside only
[proxmark3-svn] / client / loclass / ikeys.c
CommitLineData
a66fca86 1/*****************************************************************************
d60418a0
MHS
2 * WARNING
3 *
4 * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
5 *
6 * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
7 * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
8 * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
9 *
10 * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
11 *
12 *****************************************************************************
13 *
14 * This file is part of loclass. It is a reconstructon of the cipher engine
a66fca86
AD
15 * used in iClass, and RFID techology.
16 *
17 * The implementation is based on the work performed by
18 * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
19 * Milosch Meriac in the paper "Dismantling IClass".
20 *
21 * Copyright (C) 2014 Martin Holst Swende
22 *
23 * This is free software: you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License version 2 as published
25 * by the Free Software Foundation.
26 *
27 * This file is distributed in the hope that it will be useful,
28 * but WITHOUT ANY WARRANTY; without even the implied warranty of
29 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30 * GNU General Public License for more details.
31 *
32 * You should have received a copy of the GNU General Public License
d60418a0
MHS
33 * along with loclass. If not, see <http://www.gnu.org/licenses/>.
34 *
35 *
36 *
a66fca86
AD
37 ****************************************************************************/
38/**
3ad48540 39
a66fca86
AD
40From "Dismantling iclass":
41 This section describes in detail the built-in key diversification algorithm of iClass.
42 Besides the obvious purpose of deriving a card key from a master key, this
43 algorithm intends to circumvent weaknesses in the cipher by preventing the
44 usage of certain ‘weak’ keys. In order to compute a diversified key, the iClass
45 reader first encrypts the card identity id with the master key K, using single
46 DES. The resulting ciphertext is then input to a function called hash0 which
47 outputs the diversified key k.
48
49 k = hash0(DES enc (id, K))
50
51 Here the DES encryption of id with master key K outputs a cryptogram c
52 of 64 bits. These 64 bits are divided as c = x, y, z [0] , . . . , z [7] ∈ F 82 × F 82 × (F 62 ) 8
53 which is used as input to the hash0 function. This function introduces some
54 obfuscation by performing a number of permutations, complement and modulo
55 operations, see Figure 2.5. Besides that, it checks for and removes patterns like
56 similar key bytes, which could produce a strong bias in the cipher. Finally, the
57 output of hash0 is the diversified card key k = k [0] , . . . , k [7] ∈ (F 82 ) 8 .
58
a66fca86 59**/
a66fca86
AD
60#include <stdint.h>
61#include <stdbool.h>
62#include <string.h>
a66fca86 63#include <stdio.h>
a66fca86 64#include <inttypes.h>
3ad48540
MHS
65#include "fileutils.h"
66#include "cipherutils.h"
67#include "des.h"
a66fca86
AD
68
69uint8_t pi[35] = {0x0F,0x17,0x1B,0x1D,0x1E,0x27,0x2B,0x2D,0x2E,0x33,0x35,0x39,0x36,0x3A,0x3C,0x47,0x4B,0x4D,0x4E,0x53,0x55,0x56,0x59,0x5A,0x5C,0x63,0x65,0x66,0x69,0x6A,0x6C,0x71,0x72,0x74,0x78};
70
71static des_context ctx_enc = {DES_ENCRYPT,{0}};
72static des_context ctx_dec = {DES_DECRYPT,{0}};
73
3ad48540 74static int debug_print = 0;
a66fca86
AD
75
76/**
77 * @brief The key diversification algorithm uses 6-bit bytes.
78 * This implementation uses 64 bit uint to pack seven of them into one
79 * variable. When they are there, they are placed as follows:
197c8f3f 80 * XXXX XXXX N0 .... N7, occupying the last 48 bits.
a66fca86
AD
81 *
82 * This function picks out one from such a collection
83 * @param all
84 * @param n bitnumber
85 * @return
86 */
87uint8_t getSixBitByte(uint64_t c, int n)
88{
89 return (c >> (42-6*n)) & 0x3F;
a66fca86
AD
90}
91
92/**
93 * @brief Puts back a six-bit 'byte' into a uint64_t.
94 * @param c buffer
95 * @param z the value to place there
96 * @param n bitnumber.
97 */
98void pushbackSixBitByte(uint64_t *c, uint8_t z, int n)
99{
100 //0x XXXX YYYY ZZZZ ZZZZ ZZZZ
101 // ^z0 ^z7
102 //z0: 1111 1100 0000 0000
103
104 uint64_t masked = z & 0x3F;
105 uint64_t eraser = 0x3F;
106 masked <<= 42-6*n;
107 eraser <<= 42-6*n;
108
109 //masked <<= 6*n;
110 //eraser <<= 6*n;
111
112 eraser = ~eraser;
113 (*c) &= eraser;
114 (*c) |= masked;
115
116}
3ad48540
MHS
117/**
118 * @brief Swaps the z-values.
119 * If the input value has format XYZ0Z1...Z7, the output will have the format
120 * XYZ7Z6...Z0 instead
121 * @param c
122 * @return
123 */
a66fca86
AD
124uint64_t swapZvalues(uint64_t c)
125{
126 uint64_t newz = 0;
127 pushbackSixBitByte(&newz, getSixBitByte(c,0),7);
128 pushbackSixBitByte(&newz, getSixBitByte(c,1),6);
129 pushbackSixBitByte(&newz, getSixBitByte(c,2),5);
130 pushbackSixBitByte(&newz, getSixBitByte(c,3),4);
131 pushbackSixBitByte(&newz, getSixBitByte(c,4),3);
132 pushbackSixBitByte(&newz, getSixBitByte(c,5),2);
133 pushbackSixBitByte(&newz, getSixBitByte(c,6),1);
134 pushbackSixBitByte(&newz, getSixBitByte(c,7),0);
135 newz |= (c & 0xFFFF000000000000);
136 return newz;
137}
138
139/**
140* @return 4 six-bit bytes chunked into a uint64_t,as 00..00a0a1a2a3
141*/
142uint64_t ck(int i, int j, uint64_t z)
143{
197c8f3f 144 if (i == 1 && j == -1) {
a66fca86
AD
145 // ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3]
146 return z;
197c8f3f 147 } else if( j == -1) {
a66fca86
AD
148 // ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] )
149 return ck(i-1,i-2, z);
150 }
151
197c8f3f 152 if (getSixBitByte(z,i) == getSixBitByte(z,j))
a66fca86 153 {
a66fca86
AD
154 //ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] )
155 uint64_t newz = 0;
156 int c;
197c8f3f 157 for(c = 0; c < 4; c++) {
a66fca86 158 uint8_t val = getSixBitByte(z,c);
197c8f3f 159 if (c == i)
a66fca86 160 pushbackSixBitByte(&newz, j, c);
197c8f3f 161 else
a66fca86 162 pushbackSixBitByte(&newz, val, c);
a66fca86
AD
163 }
164 return ck(i,j-1,newz);
197c8f3f 165 } else {
a66fca86
AD
166 return ck(i,j-1,z);
167 }
a66fca86
AD
168}
169/**
170
171 Definition 8.
172 Let the function check : (F 62 ) 8 → (F 62 ) 8 be defined as
173 check(z [0] . . . z [7] ) = ck(3, 2, z [0] . . . z [3] ) · ck(3, 2, z [4] . . . z [7] )
174
175 where ck : N × N × (F 62 ) 4 → (F 62 ) 4 is defined as
176
177 ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3]
178 ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] )
179 ck(i, j, z [0] . . . z [3] ) =
180 ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ), if z [i] = z [j] ;
181 ck(i, j − 1, z [0] . . . z [3] ), otherwise
182
183 otherwise.
184**/
185
186uint64_t check(uint64_t z)
187{
188 //These 64 bits are divided as c = x, y, z [0] , . . . , z [7]
189
190 // ck(3, 2, z [0] . . . z [3] )
191 uint64_t ck1 = ck(3,2, z );
192
193 // ck(3, 2, z [4] . . . z [7] )
194 uint64_t ck2 = ck(3,2, z << 24);
3ad48540
MHS
195
196 //The ck function will place the values
197 // in the middle of z.
a66fca86
AD
198 ck1 &= 0x00000000FFFFFF000000;
199 ck2 &= 0x00000000FFFFFF000000;
200
201 return ck1 | ck2 >> 24;
202
203}
204
205void permute(BitstreamIn *p_in, uint64_t z,int l,int r, BitstreamOut* out)
206{
207 if(bitsLeft(p_in) == 0)
a66fca86 208 return;
9945a928 209
a66fca86
AD
210 bool pn = tailBit(p_in);
211 if( pn ) // pn = 1
212 {
213 uint8_t zl = getSixBitByte(z,l);
3ad48540 214
a66fca86
AD
215 push6bits(out, zl+1);
216 permute(p_in, z, l+1,r, out);
217 }else // otherwise
218 {
219 uint8_t zr = getSixBitByte(z,r);
3ad48540 220
a66fca86
AD
221 push6bits(out, zr);
222 permute(p_in,z,l,r+1,out);
223 }
224}
9945a928 225void printbegin() {
226 if (debug_print < 2)
227 return;
a66fca86 228
3ad48540 229 prnlog(" | x| y|z0|z1|z2|z3|z4|z5|z6|z7|");
a66fca86
AD
230}
231
3ad48540 232void printState(char* desc, uint64_t c)
a66fca86 233{
3ad48540 234 if(debug_print < 2)
9945a928 235 return;
a66fca86
AD
236
237 printf("%s : ", desc);
3ad48540
MHS
238 uint8_t x = (c & 0xFF00000000000000 ) >> 56;
239 uint8_t y = (c & 0x00FF000000000000 ) >> 48;
a66fca86 240 printf(" %02x %02x", x,y);
9945a928 241 int i;
242 for(i = 0; i < 8; i++)
a66fca86 243 printf(" %02x", getSixBitByte(c,i));
a66fca86
AD
244 printf("\n");
245}
246
247/**
248 * @brief
249 *Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 → (F 82 ) 8 be defined as
250 * hash0(x, y, z [0] . . . z [7] ) = k [0] . . . k [7] where
251 * z'[i] = (z[i] mod (63-i)) + i i = 0...3
252 * z'[i+4] = (z[i+4] mod (64-i)) + i i = 0...3
253 * ẑ = check(z');
254 * @param c
255 * @param k this is where the diversified key is put (should be 8 bytes)
256 * @return
257 */
3ad48540 258void hash0(uint64_t c, uint8_t k[8])
a66fca86 259{
3ad48540
MHS
260 c = swapZvalues(c);
261
a66fca86 262 printbegin();
3ad48540 263 printState("origin",c);
a66fca86
AD
264 //These 64 bits are divided as c = x, y, z [0] , . . . , z [7]
265 // x = 8 bits
266 // y = 8 bits
267 // z0-z7 6 bits each : 48 bits
268 uint8_t x = (c & 0xFF00000000000000 ) >> 56;
269 uint8_t y = (c & 0x00FF000000000000 ) >> 48;
a66fca86
AD
270 int n;
271 uint8_t zn, zn4, _zn, _zn4;
272 uint64_t zP = 0;
273
274 for(n = 0; n < 4 ; n++)
275 {
276 zn = getSixBitByte(c,n);
3ad48540 277
a66fca86
AD
278 zn4 = getSixBitByte(c,n+4);
279
280 _zn = (zn % (63-n)) + n;
281 _zn4 = (zn4 % (64-n)) + n;
282
283 pushbackSixBitByte(&zP, _zn,n);
284 pushbackSixBitByte(&zP, _zn4,n+4);
a66fca86 285 }
9945a928 286
3ad48540 287 printState("0|0|z'",zP);
a66fca86
AD
288
289 uint64_t zCaret = check(zP);
3ad48540 290 printState("0|0|z^",zP);
a66fca86 291
a66fca86
AD
292 uint8_t p = pi[x % 35];
293
294 if(x & 1) //Check if x7 is 1
a66fca86 295 p = ~p;
3ad48540
MHS
296
297 if(debug_print >= 2) prnlog("p:%02x", p);
a66fca86
AD
298
299 BitstreamIn p_in = { &p, 8,0 };
300 uint8_t outbuffer[] = {0,0,0,0,0,0,0,0};
301 BitstreamOut out = {outbuffer,0,0};
302 permute(&p_in,zCaret,0,4,&out);//returns 48 bits? or 6 8-bytes
303
304 //Out is now a buffer containing six-bit bytes, should be 48 bits
305 // if all went well
a66fca86
AD
306 //Shift z-values down onto the lower segment
307
3ad48540 308 uint64_t zTilde = x_bytes_to_num(outbuffer,8);
a66fca86 309
a66fca86 310 zTilde >>= 16;
3ad48540
MHS
311
312 printState("0|0|z~", zTilde);
a66fca86
AD
313
314 int i;
315 int zerocounter =0 ;
9945a928 316 for(i = 0; i < 8; i++)
a66fca86 317 {
a66fca86
AD
318 // the key on index i is first a bit from y
319 // then six bits from z,
320 // then a bit from p
321
322 // Init with zeroes
323 k[i] = 0;
324 // First, place yi leftmost in k
325 //k[i] |= (y << i) & 0x80 ;
326
327 // First, place y(7-i) leftmost in k
328 k[i] |= (y << (7-i)) & 0x80 ;
329
3ad48540 330
a66fca86
AD
331
332 uint8_t zTilde_i = getSixBitByte(zTilde, i);
a66fca86
AD
333 // zTildeI is now on the form 00XXXXXX
334 // with one leftshift, it'll be
335 // 0XXXXXX0
336 // So after leftshift, we can OR it into k
337 // However, when doing complement, we need to
338 // again MASK 0XXXXXX0 (0x7E)
339 zTilde_i <<= 1;
340
341 //Finally, add bit from p or p-mod
342 //Shift bit i into rightmost location (mask only after complement)
343 uint8_t p_i = p >> i & 0x1;
344
345 if( k[i] )// yi = 1
346 {
347 //printf("k[%d] +1\n", i);
348 k[i] |= ~zTilde_i & 0x7E;
349 k[i] |= p_i & 1;
350 k[i] += 1;
351
352 }else // otherwise
353 {
354 k[i] |= zTilde_i & 0x7E;
355 k[i] |= (~p_i) & 1;
356 }
197c8f3f 357 if ((k[i] & 1 )== 0)
a66fca86 358 {
197c8f3f 359 zerocounter++;
a66fca86
AD
360 }
361 }
3ad48540
MHS
362}
363/**
364 * @brief Performs Elite-class key diversification
365 * @param csn
366 * @param key
367 * @param div_key
368 */
369void diversifyKey(uint8_t csn[8], uint8_t key[8], uint8_t div_key[8])
370{
3ad48540
MHS
371 // Prepare the DES key
372 des_setkey_enc( &ctx_enc, key);
373
374 uint8_t crypted_csn[8] = {0};
a66fca86 375
3ad48540
MHS
376 // Calculate DES(CSN, KEY)
377 des_crypt_ecb(&ctx_enc,csn, crypted_csn);
378
379 //Calculate HASH0(DES))
9b82de75
MHS
380 uint64_t crypt_csn = x_bytes_to_num(crypted_csn, 8);
381 //uint64_t crypted_csn_swapped = swapZvalues(crypt_csn);
3ad48540
MHS
382
383 hash0(crypt_csn,div_key);
a66fca86
AD
384}
385
3ad48540 386void testPermute()
a66fca86 387{
3ad48540
MHS
388 uint64_t x = 0;
389 pushbackSixBitByte(&x,0x00,0);
390 pushbackSixBitByte(&x,0x01,1);
391 pushbackSixBitByte(&x,0x02,2);
392 pushbackSixBitByte(&x,0x03,3);
393 pushbackSixBitByte(&x,0x04,4);
394 pushbackSixBitByte(&x,0x05,5);
395 pushbackSixBitByte(&x,0x06,6);
396 pushbackSixBitByte(&x,0x07,7);
397
398 uint8_t mres[8] = { getSixBitByte(x, 0),
399 getSixBitByte(x, 1),
400 getSixBitByte(x, 2),
401 getSixBitByte(x, 3),
402 getSixBitByte(x, 4),
403 getSixBitByte(x, 5),
404 getSixBitByte(x, 6),
405 getSixBitByte(x, 7)};
406 printarr("input_perm", mres,8);
407
408 uint8_t p = ~pi[0];
409 BitstreamIn p_in = { &p, 8,0 };
410 uint8_t outbuffer[] = {0,0,0,0,0,0,0,0};
411 BitstreamOut out = {outbuffer,0,0};
412
413 permute(&p_in, x,0,4, &out);
414
415 uint64_t permuted = x_bytes_to_num(outbuffer,8);
416 //printf("zTilde 0x%"PRIX64"\n", zTilde);
417 permuted >>= 16;
418
419 uint8_t res[8] = { getSixBitByte(permuted, 0),
420 getSixBitByte(permuted, 1),
421 getSixBitByte(permuted, 2),
422 getSixBitByte(permuted, 3),
423 getSixBitByte(permuted, 4),
424 getSixBitByte(permuted, 5),
425 getSixBitByte(permuted, 6),
426 getSixBitByte(permuted, 7)};
427 printarr("permuted", res, 8);
a66fca86
AD
428}
429
3ad48540
MHS
430//These testcases are
431//{ UID , TEMP_KEY, DIV_KEY} using the specific key
432typedef struct
433{
434 uint8_t uid[8];
435 uint8_t t_key[8];
436 uint8_t div_key[8];
437} Testcase;
438
3ad48540
MHS
439int testDES(Testcase testcase, des_context ctx_enc, des_context ctx_dec)
440{
441 uint8_t des_encrypted_csn[8] = {0};
442 uint8_t decrypted[8] = {0};
443 uint8_t div_key[8] = {0};
444 int retval = des_crypt_ecb(&ctx_enc,testcase.uid,des_encrypted_csn);
445 retval |= des_crypt_ecb(&ctx_dec,des_encrypted_csn,decrypted);
446
447 if(memcmp(testcase.uid,decrypted,8) != 0)
448 {
449 //Decryption fail
450 prnlog("Encryption <-> Decryption FAIL");
451 printarr("Input", testcase.uid, 8);
452 printarr("Decrypted", decrypted, 8);
453 retval = 1;
454 }
455
456 if(memcmp(des_encrypted_csn,testcase.t_key,8) != 0)
457 {
458 //Encryption fail
459 prnlog("Encryption != Expected result");
460 printarr("Output", des_encrypted_csn, 8);
461 printarr("Expected", testcase.t_key, 8);
462 retval = 1;
463 }
464 uint64_t crypted_csn = x_bytes_to_num(des_encrypted_csn,8);
465 hash0(crypted_csn, div_key);
a66fca86 466
3ad48540
MHS
467 if(memcmp(div_key, testcase.div_key ,8) != 0)
468 {
469 //Key diversification fail
470 prnlog("Div key != expected result");
471 printarr(" csn ", testcase.uid,8);
472 printarr("{csn} ", des_encrypted_csn,8);
473 printarr("hash0 ", div_key, 8);
474 printarr("Expected", testcase.div_key, 8);
475 retval = 1;
3ad48540
MHS
476 }
477 return retval;
478}
a66fca86
AD
479bool des_getParityBitFromKey(uint8_t key)
480{//The top 7 bits is used
481 bool parity = ((key & 0x80) >> 7)
482 ^ ((key & 0x40) >> 6) ^ ((key & 0x20) >> 5)
483 ^ ((key & 0x10) >> 4) ^ ((key & 0x08) >> 3)
484 ^ ((key & 0x04) >> 2) ^ ((key & 0x02) >> 1);
485 return !parity;
486}
3ad48540 487
9945a928 488void des_checkParity(uint8_t* key) {
a66fca86 489 int i;
9945a928 490 int fails = 0;
491 for(i = 0; i < 8; i++) {
a66fca86 492 bool parity = des_getParityBitFromKey(key[i]);
9945a928 493 if (parity != (key[i] & 0x1)) {
a66fca86 494 fails++;
9945a928 495 prnlog("[+] parity1 fail, byte %d [%02x] was %d, should be %d", i, key[i], (key[i] & 0x1), parity);
a66fca86
AD
496 }
497 }
498 if(fails)
3ad48540 499 prnlog("[+] parity fails: %d", fails);
9945a928 500 else
3ad48540 501 prnlog("[+] Key syntax is with parity bits inside each byte");
a66fca86
AD
502}
503
3ad48540
MHS
504Testcase testcases[] ={
505
506 {{0x8B,0xAC,0x60,0x1F,0x53,0xB8,0xED,0x11},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
507 {{0xAE,0x51,0xE5,0x62,0xE7,0x9A,0x99,0x39},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01},{0x04,0x02,0x06,0x08,0x01,0x03,0x05,0x07}},
508 {{0x9B,0x21,0xE4,0x31,0x6A,0x00,0x29,0x62},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02},{0x06,0x04,0x02,0x08,0x01,0x03,0x05,0x07}},
509 {{0x65,0x24,0x0C,0x41,0x4F,0xC2,0x21,0x93},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04},{0x0A,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
510 {{0x7F,0xEB,0xAE,0x93,0xE5,0x30,0x08,0xBD},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08},{0x12,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
511 {{0x49,0x7B,0x70,0x74,0x9B,0x35,0x1B,0x83},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10},{0x22,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
512 {{0x02,0x3C,0x15,0x6B,0xED,0xA5,0x64,0x6C},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20},{0x42,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
513 {{0xE8,0x37,0xE0,0xE2,0xC6,0x45,0x24,0xF3},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40},{0x02,0x06,0x04,0x08,0x01,0x03,0x05,0x07}},
514 {{0xAB,0xBD,0x30,0x05,0x29,0xC8,0xF7,0x12},{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80},{0x02,0x08,0x06,0x04,0x01,0x03,0x05,0x07}},
515 {{0x17,0xE8,0x97,0xF0,0x99,0xB6,0x79,0x31},{0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00},{0x02,0x0C,0x06,0x08,0x01,0x03,0x05,0x07}},
516 {{0x49,0xA4,0xF0,0x8F,0x5F,0x96,0x83,0x16},{0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00},{0x02,0x14,0x06,0x08,0x01,0x03,0x05,0x07}},
517 {{0x60,0xF5,0x7E,0x54,0xAA,0x41,0x83,0xD4},{0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00},{0x02,0x24,0x06,0x08,0x01,0x03,0x05,0x07}},
518 {{0x1D,0xF6,0x3B,0x6B,0x85,0x55,0xF0,0x4B},{0x00,0x00,0x00,0x00,0x00,0x00,0x08,0x00},{0x02,0x44,0x06,0x08,0x01,0x03,0x05,0x07}},
519 {{0x1F,0xDC,0x95,0x1A,0xEA,0x6B,0x4B,0xB4},{0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00},{0x02,0x04,0x08,0x06,0x01,0x03,0x05,0x07}},
520 {{0xEC,0x93,0x72,0xF0,0x3B,0xA9,0xF5,0x0B},{0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00},{0x02,0x04,0x0A,0x08,0x01,0x03,0x05,0x07}},
521 {{0xDE,0x57,0x5C,0xBE,0x2D,0x55,0x03,0x12},{0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00},{0x02,0x04,0x0E,0x08,0x01,0x03,0x05,0x07}},
522 {{0x1E,0xD2,0xB5,0xCE,0x90,0xC9,0xC1,0xCC},{0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00},{0x02,0x04,0x16,0x08,0x01,0x03,0x05,0x07}},
523 {{0xD8,0x65,0x96,0x4E,0xE7,0x74,0x99,0xB8},{0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00},{0x02,0x04,0x26,0x08,0x01,0x03,0x05,0x07}},
524 {{0xE3,0x7A,0x29,0x83,0x31,0xD5,0x3A,0x54},{0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00},{0x02,0x04,0x46,0x08,0x01,0x03,0x05,0x07}},
525 {{0x3A,0xB5,0x1A,0x34,0x34,0x25,0x12,0xF0},{0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00},{0x02,0x04,0x06,0x0A,0x01,0x03,0x05,0x07}},
526 {{0xF2,0x88,0xEE,0x6F,0x70,0x6F,0xC2,0x52},{0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x00},{0x02,0x04,0x06,0x0C,0x01,0x03,0x05,0x07}},
527 {{0x76,0xEF,0xEB,0x80,0x52,0x43,0x83,0x57},{0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00},{0x02,0x04,0x06,0x10,0x01,0x03,0x05,0x07}},
528 {{0x1C,0x09,0x8E,0x3B,0x23,0x23,0x52,0xB5},{0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00},{0x02,0x04,0x06,0x18,0x01,0x03,0x05,0x07}},
529 {{0xA9,0x13,0xA2,0xBE,0xCF,0x1A,0xC4,0x9A},{0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00},{0x02,0x04,0x06,0x28,0x01,0x03,0x05,0x07}},
530 {{0x25,0x56,0x4B,0xB0,0xC8,0x2A,0xD4,0x27},{0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00},{0x02,0x04,0x06,0x48,0x01,0x03,0x05,0x07}},
531 {{0xB1,0x04,0x57,0x3F,0xA7,0x16,0x62,0xD4},{0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x03,0x01,0x05,0x07}},
532 {{0x45,0x46,0xED,0xCC,0xE7,0xD3,0x8E,0xA3},{0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x05,0x03,0x01,0x07}},
533 {{0x22,0x6D,0xB5,0x35,0xE0,0x5A,0xE0,0x90},{0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x09,0x03,0x05,0x07}},
534 {{0xB8,0xF5,0xE5,0x44,0xC5,0x98,0x4A,0xBD},{0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x11,0x03,0x05,0x07}},
535 {{0xAC,0x78,0x0A,0x23,0x9E,0xF6,0xBC,0xA0},{0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x21,0x03,0x05,0x07}},
536 {{0x46,0x6B,0x2D,0x70,0x41,0x17,0xBF,0x3D},{0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x41,0x03,0x05,0x07}},
537 {{0x64,0x44,0x24,0x71,0xA2,0x56,0xDF,0xB5},{0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x05,0x03,0x07}},
538 {{0xC4,0x00,0x52,0x24,0xA2,0xD6,0x16,0x7A},{0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x07,0x05,0x03}},
539 {{0xD8,0x4A,0x80,0x1E,0x95,0x5B,0x70,0xC4},{0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x0B,0x05,0x07}},
540 {{0x08,0x56,0x6E,0xB5,0x64,0xD6,0x47,0x4E},{0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x13,0x05,0x07}},
541 {{0x41,0x6F,0xBA,0xA4,0xEB,0xAE,0xA0,0x55},{0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x23,0x05,0x07}},
542 {{0x62,0x9D,0xDE,0x72,0x84,0x4A,0x53,0xD5},{0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x43,0x05,0x07}},
543 {{0x39,0xD3,0x2B,0x66,0xB8,0x08,0x40,0x2E},{0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x07,0x05}},
544 {{0xAF,0x67,0xA9,0x18,0x57,0x21,0xAF,0x8D},{0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x09,0x07}},
545 {{0x34,0xBC,0x9D,0xBC,0xC4,0xC2,0x3B,0xC8},{0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x0D,0x07}},
546 {{0xB6,0x50,0xF9,0x81,0xF6,0xBF,0x90,0x3C},{0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x15,0x07}},
547 {{0x71,0x41,0x93,0xA1,0x59,0x81,0xA5,0x52},{0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x25,0x07}},
548 {{0x6B,0x00,0xBD,0x74,0x1C,0x3C,0xE0,0x1A},{0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x45,0x07}},
549 {{0x76,0xFD,0x0B,0xD0,0x41,0xD2,0x82,0x5D},{0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x09}},
550 {{0xC6,0x3A,0x1C,0x25,0x63,0x5A,0x2F,0x0E},{0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x0B}},
551 {{0xD9,0x0E,0xD7,0x30,0xE2,0xAD,0xA9,0x87},{0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x0F}},
552 {{0x6B,0x81,0xC6,0xD1,0x05,0x09,0x87,0x1E},{0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x17}},
553 {{0xB4,0xA7,0x1E,0x02,0x54,0x37,0x43,0x35},{0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x27}},
554 {{0x45,0x14,0x7C,0x7F,0xE0,0xDE,0x09,0x65},{0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0x47}},
555 {{0x78,0xB0,0xF5,0x20,0x8B,0x7D,0xF3,0xDD},{0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00},{0xFE,0x04,0x06,0x08,0x01,0x03,0x05,0x07}},
556 {{0x88,0xB3,0x3C,0xE1,0xF7,0x87,0x42,0xA1},{0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0xFC,0x06,0x08,0x01,0x03,0x05,0x07}},
557 {{0x11,0x2F,0xB2,0xF7,0xE2,0xB2,0x4F,0x6E},{0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0xFA,0x08,0x01,0x03,0x05,0x07}},
558 {{0x25,0x56,0x4E,0xC6,0xEB,0x2D,0x74,0x5B},{0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0xF8,0x01,0x03,0x05,0x07}},
559 {{0x7E,0x98,0x37,0xF9,0x80,0x8F,0x09,0x82},{0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0xFF,0x03,0x05,0x07}},
560 {{0xF9,0xB5,0x62,0x3B,0xD8,0x7B,0x3C,0x3F},{0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0xFD,0x05,0x07}},
561 {{0x29,0xC5,0x2B,0xFA,0xD1,0xFC,0x5C,0xC7},{0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0xFB,0x07}},
562 {{0xC1,0xA3,0x09,0x71,0xBD,0x8E,0xAF,0x2F},{0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x06,0x08,0x01,0x03,0x05,0xF9}},
563 {{0xB6,0xDD,0xD1,0xAD,0xAA,0x15,0x6F,0x29},{0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x03,0x05,0x02,0x07,0x04,0x06,0x08}},
564 {{0x65,0x34,0x03,0x19,0x17,0xB3,0xA3,0x96},{0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x01,0x06,0x08,0x03,0x05,0x07}},
565 {{0xF9,0x38,0x43,0x56,0x52,0xE5,0xB1,0xA9},{0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x04,0x06,0x08,0x03,0x05,0x07}},
566
567 {{0xA4,0xA0,0xAF,0xDA,0x48,0xB0,0xA1,0x10},{0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x04,0x06,0x03,0x08,0x05,0x07}},
568 {{0x55,0x15,0x8A,0x0D,0x48,0x29,0x01,0xD8},{0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x04,0x01,0x06,0x03,0x05,0x08,0x07}},
569 {{0xC4,0x81,0x96,0x7D,0xA3,0xB7,0x73,0x50},{0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x05,0x04,0x06,0x08,0x07}},
570 {{0x36,0x73,0xDF,0xC1,0x1B,0x98,0xA8,0x1D},{0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x04,0x05,0x06,0x08,0x07}},
571 {{0xCE,0xE0,0xB3,0x1B,0x41,0xEB,0x15,0x12},{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00},{0x01,0x02,0x03,0x04,0x06,0x05,0x08,0x07}},
572 {{0},{0},{0}}
573};
574
9945a928 575int testKeyDiversificationWithMasterkeyTestcases() {
3ad48540
MHS
576 int error = 0;
577 int i;
3ad48540 578 uint8_t empty[8]={0};
9945a928 579
3ad48540
MHS
580 prnlog("[+} Testing encryption/decryption");
581
9945a928 582 for (i = 0; memcmp(testcases+i, empty, 8); i++)
583 error += testDES(testcases[i], ctx_enc, ctx_dec);
584
585 if (error)
3ad48540 586 prnlog("[+] %d errors occurred (%d testcases)", error, i);
9945a928 587 else
3ad48540 588 prnlog("[+] Hashing seems to work (%d testcases)", i);
3ad48540
MHS
589 return error;
590}
591
9945a928 592void print64bits(char*name, uint64_t val) {
3ad48540
MHS
593 printf("%s%08x%08x\n",name,(uint32_t) (val >> 32) ,(uint32_t) (val & 0xFFFFFFFF));
594}
595
596uint64_t testCryptedCSN(uint64_t crypted_csn, uint64_t expected)
597{
598 int retval = 0;
599 uint8_t result[8] = {0};
600 if(debug_print) prnlog("debug_print %d", debug_print);
601 if(debug_print) print64bits(" {csn} ", crypted_csn );
602
603 uint64_t crypted_csn_swapped = swapZvalues(crypted_csn);
604
605 if(debug_print) print64bits(" {csn-revz} ", crypted_csn_swapped);
606
607 hash0(crypted_csn, result);
608 uint64_t resultbyte = x_bytes_to_num(result,8 );
609 if(debug_print) print64bits(" hash0 " , resultbyte );
610
9945a928 611 if(resultbyte != expected ) {
3ad48540
MHS
612 if(debug_print) {
613 prnlog("\n[+] FAIL!");
614 print64bits(" expected " , expected );
615 }
616 retval = 1;
9945a928 617 } else {
618 if (debug_print) prnlog(" [OK]");
3ad48540
MHS
619 }
620 return retval;
621}
622
9945a928 623int testDES2(uint64_t csn, uint64_t expected) {
3ad48540
MHS
624 uint8_t result[8] = {0};
625 uint8_t input[8] = {0};
626
627 print64bits(" csn ", csn);
628 x_num_to_bytes(csn, 8,input);
629
630 des_crypt_ecb(&ctx_enc,input, result);
631
632 uint64_t crypt_csn = x_bytes_to_num(result, 8);
633 print64bits(" {csn} ", crypt_csn );
634 print64bits(" expected ", expected );
635
9945a928 636 if( expected == crypt_csn ) {
3ad48540
MHS
637 prnlog("[+] OK");
638 return 0;
9945a928 639 } else {
3ad48540
MHS
640 return 1;
641 }
642}
643
644/**
645 * These testcases come from http://www.proxmark.org/forum/viewtopic.php?pid=10977#p10977
646 * @brief doTestsWithKnownInputs
647 * @return
648 */
9945a928 649int doTestsWithKnownInputs() {
3ad48540
MHS
650 // KSel from http://www.proxmark.org/forum/viewtopic.php?pid=10977#p10977
651 int errors = 0;
652 prnlog("[+] Testing DES encryption");
3ad48540
MHS
653 uint8_t key[8] = {0x6c,0x8d,0x44,0xf9,0x2a,0x2d,0x01,0xbf};
654
655 des_setkey_enc( &ctx_enc, key);
656 testDES2(0xbbbbaaaabbbbeeee,0xd6ad3ca619659e6b);
657
658 prnlog("[+] Testing hashing algorithm");
659
660 errors += testCryptedCSN(0x0102030405060708,0x0bdd6512073c460a);
661 errors += testCryptedCSN(0x1020304050607080,0x0208211405f3381f);
662 errors += testCryptedCSN(0x1122334455667788,0x2bee256d40ac1f3a);
663 errors += testCryptedCSN(0xabcdabcdabcdabcd,0xa91c9ec66f7da592);
664 errors += testCryptedCSN(0xbcdabcdabcdabcda,0x79ca5796a474e19b);
665 errors += testCryptedCSN(0xcdabcdabcdabcdab,0xa8901b9f7ec76da4);
666 errors += testCryptedCSN(0xdabcdabcdabcdabc,0x357aa8e0979a5b8d);
667 errors += testCryptedCSN(0x21ba6565071f9299,0x34e80f88d5cf39ea);
668 errors += testCryptedCSN(0x14e2adfc5bb7e134,0x6ac90c6508bd9ea3);
669
9945a928 670 if (errors)
3ad48540 671 prnlog("[+] %d errors occurred (9 testcases)", errors);
9945a928 672 else
3ad48540 673 prnlog("[+] Hashing seems to work (9 testcases)" );
3ad48540
MHS
674 return errors;
675}
676
9945a928 677int readKeyFile(uint8_t key[8]) {
97d582a6 678 int retval = 1;
9945a928 679 FILE *f = fopen("iclass_key.bin", "rb");
680 if (!f)
841d7af0 681 return 0;
841d7af0 682
683 size_t bytes_read = fread(key, sizeof(uint8_t), 8, f);
9945a928 684 if ( bytes_read == 1)
841d7af0 685 retval = 0;
9945a928 686
197c8f3f 687 if (f)
2dcf60f3 688 fclose(f);
97d582a6 689 return retval;
3ad48540
MHS
690}
691
692
693int doKeyTests(uint8_t debuglevel)
694{
695 debug_print = debuglevel;
696
697 prnlog("[+] Checking if the master key is present (iclass_key.bin)...");
698 uint8_t key[8] = {0};
9945a928 699 if (readKeyFile(key)) {
3ad48540 700 prnlog("[+] Master key not present, will not be able to do all testcases");
841d7af0 701 } else {
3ad48540
MHS
702
703 //Test if it's the right key...
704 uint8_t i;
705 uint8_t j = 0;
9945a928 706 for (i = 0; i < sizeof(key); i++)
3ad48540 707 j += key[i];
9945a928 708
709 if (j != 185) {
3ad48540 710 prnlog("[+] A key was loaded, but it does not seem to be the correct one. Aborting these tests");
9945a928 711 } else {
3ad48540 712 prnlog("[+] Key present");
3ad48540
MHS
713 prnlog("[+] Checking key parity...");
714 des_checkParity(key);
715 des_setkey_enc( &ctx_enc, key);
716 des_setkey_dec( &ctx_dec, key);
717 // Test hashing functions
718 prnlog("[+] The following tests require the correct 8-byte master key");
719 testKeyDiversificationWithMasterkeyTestcases();
720 }
721 }
722 prnlog("[+] Testing key diversification with non-sensitive keys...");
723 doTestsWithKnownInputs();
724 return 0;
a66fca86 725}
3ad48540
MHS
726
727/**
728
729void checkParity2(uint8_t* key)
730{
731
732 uint8_t stored_parity = key[7];
733 printf("Parity byte: 0x%02x\n", stored_parity);
734 int i;
735 int byte;
736 int fails =0;
737 BitstreamIn bits = {key, 56, 0};
738
739 bool parity = 0;
740
741 for(i =0 ; i < 56; i++)
742 {
743
744 if ( i > 0 && i % 7 == 0)
745 {
746 parity = !parity;
747 bool pbit = stored_parity & (0x80 >> (byte));
748 if(parity != pbit)
749 {
750 printf("parity2 fail byte %d, should be %d, was %d\n", (i / 7), parity, pbit);
751 fails++;
752 }
753 parity =0 ;
754 byte = i / 7;
755 }
756 parity = parity ^ headBit(&bits);
757 }
758 if(fails)
759 {
760 printf("parity2 fails: %d\n", fails);
761 }else
762 {
763 printf("Key syntax is with parity bits grouped in the last byte!\n");
764 }
765}
766void modifyKey_put_parity_last(uint8_t * key, uint8_t* output)
767{
768 uint8_t paritybits = 0;
769 bool parity =0;
770 BitstreamOut out = { output, 0,0};
771 unsigned int bbyte, bbit;
772 for(bbyte=0; bbyte <8 ; bbyte++ )
773 {
774 for(bbit =0 ; bbit< 7 ; bbit++)
775 {
776 bool bit = *(key+bbyte) & (1 << (7-bbit));
777 pushBit(&out,bit);
778 parity ^= bit;
779 }
780 bool paritybit = *(key+bbyte) & 1;
781 paritybits |= paritybit << (7-bbyte);
782 parity = 0;
783
784 }
785 output[7] = paritybits;
786 printf("Parity byte: %02x\n", paritybits);
787}
788
789 * @brief Modifies a key with parity bits last, so that it is formed with parity
790 * bits inside each byte
791 * @param key
792 * @param output
793
794void modifyKey_put_parity_allover(uint8_t * key, uint8_t* output)
795{
796 bool parity =0;
797 BitstreamOut out = { output, 0,0};
798 BitstreamIn in = {key, 0,0};
799 unsigned int bbyte, bbit;
9945a928 800 for(bbit =0 ; bbit < 56 ; bbit++) {
801 if( bbit > 0 && bbit % 7 == 0) {
3ad48540
MHS
802 pushBit(&out,!parity);
803 parity = 0;
804 }
805 bool bit = headBit(&in);
806 pushBit(&out,bit );
807 parity ^= bit;
3ad48540
MHS
808 }
809 pushBit(&out, !parity);
810
3ad48540 811 if( des_key_check_key_parity(output))
3ad48540 812 printf("modifyKey_put_parity_allover fail, DES key invalid parity!");
3ad48540 813}
3ad48540
MHS
814*/
815
816
Impressum, Datenschutz