aczid
commented
4 years ago The attack can't work with a constant nonce. There is a thread about this problem here.
Closed xtigmh closed 4 years ago
aczid
commented
4 years ago The attack can't work with a constant nonce. There is a thread about this problem here.
xtigmh
commented
4 years ago Thanks! If nt is constant, then nt and [nt] in nested auth is also known, maybe another attack will work! samples:nt=0x01200145, [nt]=0x8190c7dc
| Start | End | Src | Data (! denotes parity error, ' denotes short bytes) | CRC | Annotation |
|---|---|---|---|---|---|
| 0 | 992 | Rdr | 52' | WUPA | |
| 2228 | 4596 | Tag | 04 00 | ||
| 7040 | 9504 | Rdr | 93 20 | ANTICOLL | |
| 10676 | 16564 | Tag | b9 4f da 14 38 | ||
| 19072 | 29600 | Rdr | 93 70 b9 4f da 14 38 7d c1 | ok | SELECT_UID |
| 30772 | 34292 | Tag | 08 b6 dd | ||
| 35968 | 40672 | Rdr | 60 00 f5 7b | ok | AUTH-A(0) |
| 42676 | 47412 | Tag | 01 20 01 45 | ||
| 57088 | 66464 | Rdr | f3! 48 21! 0c a8! cb 46 c7 | !crc | ? |
| 67636 | 72372 | Tag | a1! c1! 4f! cf! | ||
| 78208 | 82912 | Rdr | 57 77 38 1e | !crc | ? |
| 84916 | 89652 | Tag | 81! 90! c7! dc | ||
| 90880 | 92128 | Rdr | 00 | ? | |
| 106496 | 107488 | Rdr | 52' | WUPA | |
| 108724 | 111092 | Tag | 04 00 | ||
| 113664 | 124192 | Rdr | 93 70 b9 4f da 14 38 7d c1 | ok | SELECT_UID |
| 125364 | 128884 | Tag | 08 b6 dd | ||
| 130560 | 135264 | Rdr | 60 00 f5 7b | ok | AUTH-A(0) |
| 137268 | 142004 | Tag | 01 20 01 45 | ||
| 151680 | 161056 | Rdr | f3! 48 21! 0c a8! cb 46 c7 | !crc | ? |
| 162228 | 166964 | Tag | a1! c1! 4f! cf! | ||
| 172800 | 177504 | Rdr | 57 77 38 1e | !crc | ? |
| 179508 | 184244 | Tag | 81! 90! c7! dc | ||
| 185472 | 186720 | Rdr | 00 | ? | |
| 201088 | 202080 | Rdr | 52' | WUPA |
xtigmh
commented
4 years ago I study this card, the nonce is constant, there are only 2 nonces for all sector, distance is 160,so we only can get 32bit keystream.But nested auth attack needs 64 bit keystream.If only know 32 bits keystream,the candidate keys is between 2^15~2^17.Online bruteforce is also avaiable in 4 hours. Has any idea to speedup? proxmark3> hf mf nested o 0 a ffffffffffff 4 a --nested. sectors: 1, block no: 0, key type:A, eml:n, dmp=n checktimeout=471 us --target block no: 4, target key type:A uid:295ad814 trgbl=4 trgkey=0 nt=7eef3586, ks1=ffff93b7 statelist[0].len=155091 after intersection: statelist[0].len=155091 i=155090 Found valid key:ffffffffffff
Some mifare card always send the same nt, so we can't crack this card? libnfc_crypto1_crack will never stop for this type of card. Here is contents of nonces.bin gathered by Proxmark3: B94FDA1404008190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC228190C7DC8190C7DC22……