Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Telenot Complex: Insecure AES Key Generation - 747

X41 D-Sec, posted 4 years ago
  • The Complex alarm system uses Mifare DESFire EV1 and EV2 NFC tags to authorize users. Using software called compasX, it is possible to remotely access these alarms via the VdS 2465 protocol. The software communicates via TCP/IP.
  • While looking to automate pulling logs off the device from compasX, the authors decided to open up the client in a disassembler. While learning all about the system, they noticed that srand(time()) was being used to generate AES key material. Can this be exploited?
  • The authors wrote a program that sets the PRNG seed with srand(time()). Then, it gets 16 bytes via rand(). They then compare the bytes of the real key to the one they generated to see if it matches. If this is the case, then we can prove that this key was generated insecurely. And, unsurprisingly, they got a hit.
  • The protocol is as follows for this NFC card authentication process:
    1. The reader signals the tag to start the authentication process using AES keys known to both the reader and the card.
    2. The tag generates a 16 byte number encrypted with the AES key.
    3. The reader decrypts the number. This is then rotated one step to the left.
    4. The reader generates its own random number and appends it to the shifted value. This value is encrypted and sent back to the tag.
    5. The tag decrypts the data. It then verifies that its random number is shifted properly. The reader random number is shifted, encrypted and sent back to the reader.
  • If an attacker has an emulated tag, such as a Proxmark, a complex attack can be run on this. In step 3, an arbitrary piece of data can be sent. Then, when this is shifted and encrypted going back to the user, we have encrypted data that we KNOW the value of. Using the script from above, a large amount of AES keys can be tried until the expected value is found!
  • What makes this attack so interesting, is that quirks of the DESFire protocol make it possible to brute force the key offline! To me, this is a design flaw in the protocol. The authors wrote up actual code to do this with a Proxmark and were able to bypass the security of this!
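The check the authors describe (seed the C library PRNG with a timestamp, pull 16 bytes from rand(), compare against the real key) is the core of both the key-generation finding and the offline key search, so here is an added C example of that audit check. It is my own illustration, not code from the X41 write-up or from compasX: the exact way the original client turned rand() output into key bytes is not given in the post, so taking the low byte of each rand() call is an assumption, the sample key is constructed from a made-up seed, and the helper names are mine. Note that rand() differs between C libraries (glibc and MSVC use different generators), so a real audit has to use the same libc as the software under test.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16

/* Reproduces the weak key-generation pattern described in the write-up:
 * seed the C library PRNG with a timestamp, then take KEY_LEN bytes from
 * rand(). Taking the low byte of each call is an assumption on my part;
 * the real client's byte extraction is not documented in the post. */
void weak_key_from_seed(unsigned int seed, unsigned char out[KEY_LEN]) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++) {
        out[i] = (unsigned char)(rand() & 0xff);
    }
}

/* Audit check: given a key read from the device, scan a window of candidate
 * timestamps and return the seed that reproduces it, or -1 if none does.
 * A hit proves the key carries only about log2(window size) bits of entropy
 * instead of the 128 bits a properly generated AES-128 key would have. */
long long find_seed_for_key(const unsigned char key[KEY_LEN],
                            unsigned int first_seed, unsigned int last_seed) {
    unsigned char candidate[KEY_LEN];
    if (first_seed > last_seed)
        return -1;
    for (unsigned int seed = first_seed; ; seed++) {
        weak_key_from_seed(seed, candidate);
        if (memcmp(candidate, key, KEY_LEN) == 0)
            return (long long)seed;
        if (seed == last_seed)
            break;
    }
    return -1;
}

int main(void) {
    /* Constructed sample: a key "generated" at a made-up timestamp. */
    const unsigned int issued_at = 1700000000u;
    unsigned char device_key[KEY_LEN];
    weak_key_from_seed(issued_at, device_key);

    /* An auditor who knows roughly when the key was issued (here: within a
     * day) only has 86400 candidates to test, far fewer than 2^128. */
    long long hit = find_seed_for_key(device_key,
                                      issued_at - 43200u, issued_at + 43200u);
    if (hit >= 0)
        printf("key reproduced from srand(%lld): generation is time-seeded\n", hit);
    else
        printf("no timestamp in window reproduces the key\n");
    return 0;
}
```

The fix on the generating side is to take key bytes from the operating system's CSPRNG (getrandom() or /dev/urandom on Linux, BCryptGenRandom on Windows) rather than from rand(); the audit above then finds no seed for any window, which is the expected result for a properly generated key.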