]> git.zerfleddert.de Git - proxmark3-svn/blame - client/loclass/elite_crack.h
Merge pull request #638 from grauerfuchs/master
[proxmark3-svn] / client / loclass / elite_crack.h
CommitLineData
d60418a0
MHS
1/*****************************************************************************
2 * WARNING
3 *
4 * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
5 *
6 * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
7 * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
8 * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
9 *
10 * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
11 *
12 *****************************************************************************
13 *
14 * This file is part of loclass. It is a reconstructon of the cipher engine
15 * used in iClass, and RFID techology.
16 *
17 * The implementation is based on the work performed by
18 * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
19 * Milosch Meriac in the paper "Dismantling IClass".
20 *
21 * Copyright (C) 2014 Martin Holst Swende
22 *
23 * This is free software: you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License version 2 as published
26f202e2 25 * by the Free Software Foundation, or, at your option, any later version.
d60418a0
MHS
26 *
27 * This file is distributed in the hope that it will be useful,
28 * but WITHOUT ANY WARRANTY; without even the implied warranty of
29 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30 * GNU General Public License for more details.
31 *
32 * You should have received a copy of the GNU General Public License
33 * along with loclass. If not, see <http://www.gnu.org/licenses/>.
34 *
35 *
d60418a0
MHS
36 ****************************************************************************/
37
38
3ad48540
MHS
39#ifndef ELITE_CRACK_H
40#define ELITE_CRACK_H
41void permutekey(uint8_t key[8], uint8_t dest[8]);
42/**
43 * Permutes a key from iclass specific format to NIST format
44 * @brief permutekey_rev
45 * @param key
46 * @param dest
47 */
48void permutekey_rev(uint8_t key[8], uint8_t dest[8]);
49//Crack status, see below
50#define CRACKED 0x0100
51#define BEING_CRACKED 0x0200
52#define CRACK_FAILED 0x0400
53
54/**
55 * Perform a bruteforce against a file which has been saved by pm3
56 *
57 * @brief bruteforceFile
58 * @param filename
59 * @param keytable an arrah (128 x 16 bit ints). This is where the keydata is stored.
60 * OBS! the upper part of the 16 bits store crack-status,
61 * @return
62 */
63int bruteforceFile(const char *filename, uint16_t keytable[]);
64/**
65 *
66 * @brief Same as above, if you don't care about the returned keytable (results only printed on screen)
67 * @param filename
68 * @return
69 */
70int bruteforceFileNoKeys(const char *filename);
71/**
72 * @brief Same as bruteforcefile, but uses a an array of dumpdata instead
73 * @param dump
74 * @param dumpsize
75 * @param keytable
76 * @return
77 */
78int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[]);
79
80/**
81 This is how we expect each 'entry' in a dumpfile to look
82**/
83typedef struct {
84 uint8_t csn[8];
85 uint8_t cc_nr[12];
86 uint8_t mac[4];
87
88}dumpdata;
89
90/**
91 * @brief Performs brute force attack against a dump-data item, containing csn, cc_nr and mac.
92 *This method calculates the hash1 for the CSN, and determines what bytes need to be bruteforced
93 *on the fly. If it finds that more than three bytes need to be bruteforced, it aborts.
94 *It updates the keytable with the findings, also using the upper half of the 16-bit ints
95 *to signal if the particular byte has been cracked or not.
96 *
97 * @param dump The dumpdata from iclass reader attack.
98 * @param keytable where to write found values.
99 * @return
100 */
101int bruteforceItem(dumpdata item, uint16_t keytable[]);
102/**
103 * Hash1 takes CSN as input, and determines what bytes in the keytable will be used
104 * when constructing the K_sel.
105 * @param csn the CSN used
106 * @param k output
107 */
108void hash1(uint8_t csn[] , uint8_t k[]);
9b82de75 109void hash2(uint8_t *key64, uint8_t *outp_keytable);
3ad48540
MHS
110/**
111 * From dismantling iclass-paper:
112 * Assume that an adversary somehow learns the first 16 bytes of hash2(K_cus ), i.e., y [0] and z [0] .
113 * Then he can simply recover the master custom key K_cus by computing
114 * K_cus = ~DES(z[0] , y[0] ) .
115 *
116 * Furthermore, the adversary is able to verify that he has the correct K cus by
117 * checking whether z [0] = DES enc (K_cus , ~K_cus ).
118 * @param keytable an array (128 bytes) of hash2(kcus)
119 * @param master_key where to put the master key
120 * @return 0 for ok, 1 for failz
121 */
122int calculateMasterKey(uint8_t first16bytes[], uint64_t master_key[] );
123
124/**
125 * @brief Test function
126 * @return
127 */
128int testElite();
129
130/**
131 Here are some pretty optimal values that can be used to recover necessary data in only
132 eight auth attempts.
133// CSN HASH1 Bytes recovered //
134{ {0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0} , {0x01,0x01,0x00,0x00,0x45,0x01,0x45,0x45 } ,{0,1 }},
135{ {0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0} , {0x02,0x0c,0x01,0x00,0x45,0x01,0x45,0x45} , {2,12}},
136{ {0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0} , {0x07,0x45,0x0b,0x00,0x45,0x01,0x45,0x45} , {7,11}},
137{ {0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0} , {0x03,0x0f,0x00,0x00,0x45,0x01,0x45,0x45} , {3,15}},
138{ {0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0} , {0x04,0x00,0x08,0x00,0x45,0x01,0x45,0x45} , {4,8}},
139{ {0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0} , {0x0e,0x06,0x08,0x00,0x45,0x01,0x45,0x45} , {6,14}},
140{ {0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0} , {0x0b,0x09,0x0f,0x00,0x45,0x01,0x05,0x45} , {9,5}},
141{ {0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0} , {0x0d,0x0f,0x0a,0x00,0x45,0x01,0x05,0x45} , {10,13}},
142
143**/
144
145
146#endif
Impressum, Datenschutz