]> git.zerfleddert.de Git - proxmark3-svn/blame_incremental - client/loclass/ikeys.c
Increased Mifare Esave & Eload filename array to 255 from 20
[proxmark3-svn] / client / loclass / ikeys.c
... / ...
CommitLineData
1/*****************************************************************************
2 * This file is part of iClassCipher. It is a reconstructon of the cipher engine
3 * used in iClass, and RFID techology.
4 *
5 * The implementation is based on the work performed by
6 * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
7 * Milosch Meriac in the paper "Dismantling IClass".
8 *
9 * Copyright (C) 2014 Martin Holst Swende
10 *
11 * This is free software: you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2 as published
13 * by the Free Software Foundation.
14 *
15 * This file is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with IClassCipher. If not, see <http://www.gnu.org/licenses/>.
22 ****************************************************************************/
23/**
24From "Dismantling iclass":
25 This section describes in detail the built-in key diversification algorithm of iClass.
26 Besides the obvious purpose of deriving a card key from a master key, this
27 algorithm intends to circumvent weaknesses in the cipher by preventing the
28 usage of certain ‘weak’ keys. In order to compute a diversified key, the iClass
29 reader first encrypts the card identity id with the master key K, using single
30 DES. The resulting ciphertext is then input to a function called hash0 which
31 outputs the diversified key k.
32
33 k = hash0(DES enc (id, K))
34
35 Here the DES encryption of id with master key K outputs a cryptogram c
36 of 64 bits. These 64 bits are divided as c = x, y, z [0] , . . . , z [7] ∈ F 82 × F 82 × (F 62 ) 8
37 which is used as input to the hash0 function. This function introduces some
38 obfuscation by performing a number of permutations, complement and modulo
39 operations, see Figure 2.5. Besides that, it checks for and removes patterns like
40 similar key bytes, which could produce a strong bias in the cipher. Finally, the
41 output of hash0 is the diversified card key k = k [0] , . . . , k [7] ∈ (F 82 ) 8 .
42
43
44**/
45
46
47#include <stdint.h>
48#include <stdbool.h>
49#include <string.h>
50#include "cipherutils.h"
51#include "cipher.h"
52#include "../util.h"
53#include <stdio.h>
54#include "des.h"
55#include <inttypes.h>
56
57uint8_t pi[35] = {0x0F,0x17,0x1B,0x1D,0x1E,0x27,0x2B,0x2D,0x2E,0x33,0x35,0x39,0x36,0x3A,0x3C,0x47,0x4B,0x4D,0x4E,0x53,0x55,0x56,0x59,0x5A,0x5C,0x63,0x65,0x66,0x69,0x6A,0x6C,0x71,0x72,0x74,0x78};
58
59static des_context ctx_enc = {DES_ENCRYPT,{0}};
60static des_context ctx_dec = {DES_DECRYPT,{0}};
61
62static bool debug_print = false;
63
64/**
65 * @brief The key diversification algorithm uses 6-bit bytes.
66 * This implementation uses 64 bit uint to pack seven of them into one
67 * variable. When they are there, they are placed as follows:
68 * XXXX XXXX N0 .... N7, occupying the lsat 48 bits.
69 *
70 * This function picks out one from such a collection
71 * @param all
72 * @param n bitnumber
73 * @return
74 */
75uint8_t getSixBitByte(uint64_t c, int n)
76{
77 return (c >> (42-6*n)) & 0x3F;
78 //return (c >> n*6) & 0x3f;
79}
80
81/**
82 * @brief Puts back a six-bit 'byte' into a uint64_t.
83 * @param c buffer
84 * @param z the value to place there
85 * @param n bitnumber.
86 */
87void pushbackSixBitByte(uint64_t *c, uint8_t z, int n)
88{
89 //0x XXXX YYYY ZZZZ ZZZZ ZZZZ
90 // ^z0 ^z7
91 //z0: 1111 1100 0000 0000
92
93 uint64_t masked = z & 0x3F;
94 uint64_t eraser = 0x3F;
95 masked <<= 42-6*n;
96 eraser <<= 42-6*n;
97
98 //masked <<= 6*n;
99 //eraser <<= 6*n;
100
101 eraser = ~eraser;
102 (*c) &= eraser;
103 (*c) |= masked;
104
105}
106
107uint64_t swapZvalues(uint64_t c)
108{
109 uint64_t newz = 0;
110 pushbackSixBitByte(&newz, getSixBitByte(c,0),7);
111 pushbackSixBitByte(&newz, getSixBitByte(c,1),6);
112 pushbackSixBitByte(&newz, getSixBitByte(c,2),5);
113 pushbackSixBitByte(&newz, getSixBitByte(c,3),4);
114 pushbackSixBitByte(&newz, getSixBitByte(c,4),3);
115 pushbackSixBitByte(&newz, getSixBitByte(c,5),2);
116 pushbackSixBitByte(&newz, getSixBitByte(c,6),1);
117 pushbackSixBitByte(&newz, getSixBitByte(c,7),0);
118 newz |= (c & 0xFFFF000000000000);
119 return newz;
120}
121
122/**
123* @return 4 six-bit bytes chunked into a uint64_t,as 00..00a0a1a2a3
124*/
125uint64_t ck(int i, int j, uint64_t z)
126{
127
128// printf("ck( i=%d, j=%d), zi=[%d],zj=[%d] \n",i,j,getSixBitByte(z,i),getSixBitByte(z,j) );
129
130 if(i == 1 && j == -1)
131 {
132 // ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3]
133 return z;
134
135 }else if( j == -1)
136 {
137 // ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] )
138 return ck(i-1,i-2, z);
139 }
140
141 if(getSixBitByte(z,i) == getSixBitByte(z,j))
142 {
143 // TODO, I dont know what they mean here in the paper
144 //ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] )
145 uint64_t newz = 0;
146 int c;
147 //printf("z[i]=z[i] (0x%02x), i=%d, j=%d\n",getSixBitByte(z,i),i,j );
148 for(c = 0; c < 4 ;c++)
149 {
150 uint8_t val = getSixBitByte(z,c);
151 if(c == i)
152 {
153 //printf("oops\n");
154 pushbackSixBitByte(&newz, j, c);
155 }else
156 {
157 pushbackSixBitByte(&newz, val, c);
158 }
159 }
160 return ck(i,j-1,newz);
161 }else
162 {
163 return ck(i,j-1,z);
164 }
165
166}
167/**
168
169 Definition 8.
170 Let the function check : (F 62 ) 8 → (F 62 ) 8 be defined as
171 check(z [0] . . . z [7] ) = ck(3, 2, z [0] . . . z [3] ) · ck(3, 2, z [4] . . . z [7] )
172
173 where ck : N × N × (F 62 ) 4 → (F 62 ) 4 is defined as
174
175 ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3]
176 ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] )
177 ck(i, j, z [0] . . . z [3] ) =
178 ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ), if z [i] = z [j] ;
179 ck(i, j − 1, z [0] . . . z [3] ), otherwise
180
181 otherwise.
182**/
183
184uint64_t check(uint64_t z)
185{
186 //These 64 bits are divided as c = x, y, z [0] , . . . , z [7]
187
188 // ck(3, 2, z [0] . . . z [3] )
189 uint64_t ck1 = ck(3,2, z );
190
191 // ck(3, 2, z [4] . . . z [7] )
192 uint64_t ck2 = ck(3,2, z << 24);
193 ck1 &= 0x00000000FFFFFF000000;
194 ck2 &= 0x00000000FFFFFF000000;
195
196 return ck1 | ck2 >> 24;
197
198}
199
200void permute(BitstreamIn *p_in, uint64_t z,int l,int r, BitstreamOut* out)
201{
202 if(bitsLeft(p_in) == 0)
203 {
204 return;
205 }
206 bool pn = tailBit(p_in);
207 if( pn ) // pn = 1
208 {
209 uint8_t zl = getSixBitByte(z,l);
210 //printf("permute pushing, zl=0x%02x, zl+1=0x%02x\n", zl, zl+1);
211 push6bits(out, zl+1);
212 permute(p_in, z, l+1,r, out);
213 }else // otherwise
214 {
215 uint8_t zr = getSixBitByte(z,r);
216 //printf("permute pushing, zr=0x%02x\n", zr);
217 push6bits(out, zr);
218 permute(p_in,z,l,r+1,out);
219 }
220}
221void testPermute()
222{
223
224 uint64_t x = 0;
225 pushbackSixBitByte(&x,0x00,0);
226 pushbackSixBitByte(&x,0x01,1);
227 pushbackSixBitByte(&x,0x02,2);
228 pushbackSixBitByte(&x,0x03,3);
229 pushbackSixBitByte(&x,0x04,4);
230 pushbackSixBitByte(&x,0x05,5);
231 pushbackSixBitByte(&x,0x06,6);
232 pushbackSixBitByte(&x,0x07,7);
233
234 uint8_t mres[8] = { getSixBitByte(x, 0),
235 getSixBitByte(x, 1),
236 getSixBitByte(x, 2),
237 getSixBitByte(x, 3),
238 getSixBitByte(x, 4),
239 getSixBitByte(x, 5),
240 getSixBitByte(x, 6),
241 getSixBitByte(x, 7)};
242 printarr("input_perm", mres,8);
243
244 uint8_t p = ~pi[0];
245 BitstreamIn p_in = { &p, 8,0 };
246 uint8_t outbuffer[] = {0,0,0,0,0,0,0,0};
247 BitstreamOut out = {outbuffer,0,0};
248
249 permute(&p_in, x,0,4, &out);
250
251 uint64_t permuted = bytes_to_num(outbuffer,8);
252 //printf("zTilde 0x%"PRIX64"\n", zTilde);
253 permuted >>= 16;
254
255 uint8_t res[8] = { getSixBitByte(permuted, 0),
256 getSixBitByte(permuted, 1),
257 getSixBitByte(permuted, 2),
258 getSixBitByte(permuted, 3),
259 getSixBitByte(permuted, 4),
260 getSixBitByte(permuted, 5),
261 getSixBitByte(permuted, 6),
262 getSixBitByte(permuted, 7)};
263 printarr("permuted", res, 8);
264}
265void printbegin()
266{
267 if(! debug_print)
268 return;
269
270 printf(" | x| y|z0|z1|z2|z3|z4|z5|z6|z7|\n");
271}
272
273void printState(char* desc, int x,int y, uint64_t c)
274{
275 if(! debug_print)
276 return;
277
278 printf("%s : ", desc);
279 //uint8_t x = (c & 0xFF00000000000000 ) >> 56;
280 //uint8_t y = (c & 0x00FF000000000000 ) >> 48;
281 printf(" %02x %02x", x,y);
282 int i ;
283 for(i =0 ; i < 8 ; i++)
284 {
285 printf(" %02x", getSixBitByte(c,i));
286 }
287 printf("\n");
288}
289
290/**
291 * @brief
292 *Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 → (F 82 ) 8 be defined as
293 * hash0(x, y, z [0] . . . z [7] ) = k [0] . . . k [7] where
294 * z'[i] = (z[i] mod (63-i)) + i i = 0...3
295 * z'[i+4] = (z[i+4] mod (64-i)) + i i = 0...3
296 * ẑ = check(z');
297 * @param c
298 * @param k this is where the diversified key is put (should be 8 bytes)
299 * @return
300 */
301void hash0(uint64_t c, uint8_t *k)
302{
303 printbegin();
304 //These 64 bits are divided as c = x, y, z [0] , . . . , z [7]
305 // x = 8 bits
306 // y = 8 bits
307 // z0-z7 6 bits each : 48 bits
308 uint8_t x = (c & 0xFF00000000000000 ) >> 56;
309 uint8_t y = (c & 0x00FF000000000000 ) >> 48;
310 printState("origin",x,y,c);
311 int n;
312 uint8_t zn, zn4, _zn, _zn4;
313 uint64_t zP = 0;
314
315 for(n = 0; n < 4 ; n++)
316 {
317 zn = getSixBitByte(c,n);
318 zn4 = getSixBitByte(c,n+4);
319
320 _zn = (zn % (63-n)) + n;
321 _zn4 = (zn4 % (64-n)) + n;
322
323 pushbackSixBitByte(&zP, _zn,n);
324 pushbackSixBitByte(&zP, _zn4,n+4);
325
326 }
327 printState("x|y|z'",x,y,zP);
328
329 uint64_t zCaret = check(zP);
330 printState("x|y|z^",x,y,zP);
331
332
333 uint8_t p = pi[x % 35];
334
335 if(x & 1) //Check if x7 is 1
336 {
337 p = ~p;
338 }
339 printState("p|y|z^",p,y,zP);
340 //if(debug_print) printf("p:%02x\n", p);
341
342 BitstreamIn p_in = { &p, 8,0 };
343 uint8_t outbuffer[] = {0,0,0,0,0,0,0,0};
344 BitstreamOut out = {outbuffer,0,0};
345 permute(&p_in,zCaret,0,4,&out);//returns 48 bits? or 6 8-bytes
346
347 //Out is now a buffer containing six-bit bytes, should be 48 bits
348 // if all went well
349 //printf("Permute output is %d num bits (48?)\n", out.numbits);
350 //Shift z-values down onto the lower segment
351
352 uint64_t zTilde = bytes_to_num(outbuffer,8);
353
354 //printf("zTilde 0x%"PRIX64"\n", zTilde);
355 zTilde >>= 16;
356 //printf("z~ 0x%"PRIX64"\n", zTilde);
357 printState("p|y|z~", p,y,zTilde);
358
359 int i;
360 int zerocounter =0 ;
361 for(i =0 ; i < 8 ; i++)
362 {
363
364 // the key on index i is first a bit from y
365 // then six bits from z,
366 // then a bit from p
367
368 // Init with zeroes
369 k[i] = 0;
370 // First, place yi leftmost in k
371 //k[i] |= (y << i) & 0x80 ;
372
373 // First, place y(7-i) leftmost in k
374 k[i] |= (y << (7-i)) & 0x80 ;
375
376 //printf("y%d = %d\n",i,(y << i) & 0x80);
377
378 uint8_t zTilde_i = getSixBitByte(zTilde, i);
379 //printf("zTilde_%d 0x%02x (should be <= 0x3F)\n",i, zTilde_i);
380 // zTildeI is now on the form 00XXXXXX
381 // with one leftshift, it'll be
382 // 0XXXXXX0
383 // So after leftshift, we can OR it into k
384 // However, when doing complement, we need to
385 // again MASK 0XXXXXX0 (0x7E)
386 zTilde_i <<= 1;
387
388 //Finally, add bit from p or p-mod
389 //Shift bit i into rightmost location (mask only after complement)
390 uint8_t p_i = p >> i & 0x1;
391
392 if( k[i] )// yi = 1
393 {
394 //printf("k[%d] +1\n", i);
395 k[i] |= ~zTilde_i & 0x7E;
396 k[i] |= p_i & 1;
397 k[i] += 1;
398
399 }else // otherwise
400 {
401 k[i] |= zTilde_i & 0x7E;
402 k[i] |= (~p_i) & 1;
403 }
404 if((k[i] & 1 )== 0)
405 {
406 zerocounter ++;
407 }
408 }
409 //printf("zerocounter=%d (should be 4)\n",zerocounter);
410 //printf("permute fin, y:0x%02x, x: 0x%02x\n", y, x);
411
412 //return k;
413}
414
415void reorder(uint8_t arr[8])
416{
417 uint8_t tmp[4] = {arr[3],arr[2],arr[1], arr[0]};
418 arr[0] = arr[7];
419 arr[1] = arr[6];
420 arr[2] = arr[5];
421 arr[3] = arr[4];
422 arr[4] = tmp[0];//arr[3];
423 arr[5] = tmp[1];//arr[2];
424 arr[6] = tmp[2];//arr[3];
425 arr[7] = tmp[3];//arr[1]
426}
427
428//extern void printarr(char * name, uint8_t* arr, int len);
429
430bool des_getParityBitFromKey(uint8_t key)
431{//The top 7 bits is used
432 bool parity = ((key & 0x80) >> 7)
433 ^ ((key & 0x40) >> 6) ^ ((key & 0x20) >> 5)
434 ^ ((key & 0x10) >> 4) ^ ((key & 0x08) >> 3)
435 ^ ((key & 0x04) >> 2) ^ ((key & 0x02) >> 1);
436 return !parity;
437}
438void des_checkParity(uint8_t* key)
439{
440 int i;
441 int fails =0;
442 for(i =0 ; i < 8 ; i++)
443 {
444 bool parity = des_getParityBitFromKey(key[i]);
445 if(parity != (key[i] & 0x1))
446 {
447 fails++;
448 printf("parity1 fail, byte %d [%02x] was %d, should be %d\n",i,key[i],(key[i] & 0x1),parity);
449 }
450 }
451 if(fails)
452 {
453 printf("parity fails: %d\n", fails);
454 }else
455 {
456 printf("Key syntax is with parity bits inside each byte\n");
457 }
458}
459
460void printarr2(char * name, uint8_t* arr, int len)
461{
462 int i ;
463 printf("%s :", name);
464 for(i =0 ; i< len ; i++)
465 {
466 printf("%02x",*(arr+i));
467 }
468 printf("\n");
469}
Impressum, Datenschutz