Re: [A51] Finding Kc with Kraken (dotting the i's)

2010-07-22 Thread javier falbo 

More info on BlackHat

Caesars Palace Las Vegas, NV • July 28-29 - Day 2
Karsten Nohl
Attacking phone privacy

Our most popular phone technologies use decade-old proprietary 
cryptography. GSM's 64bit A5/1 cipher, for instance, is vulnerable to 
time memory trade-offs but commercial cracking hardware costs hundreds 
of thousands of dollars. We discuss how cryptographic improvements and 
the power of the community created an open GSM decrypt solution that 
runs on commodity hardware. Besides GSM we discuss weaknesses in DECT 
cordless phones. The talk concludes with an overview of mitigation steps
 for GSM and DECT in response to our research, some of which are already
 being implemented. 

Suggestion: US law consider interception devices as prohibited to be sold 
without a government authorization. So, i recommend to use only theoretical 
approach on the exhibition :)

Javier


 Date: Wed, 21 Jul 2010 16:56:18 +0200
 From: n...@virginia.edu
 To: a51@lists.reflextor.com
 Subject: Re: [A51] Finding Kc with Kraken (dotting the i's)
 
 List,
 
 Please stay tuned for BlackHat where all your questions on hardware and
 software setup should be answered.
 
 Cheers,
 
   -Karsten
 ___
 A51 mailing list
 A51@lists.reflextor.com
 http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
  
_
En Hotmail estamos reinventando un nuevo correo. Preparate para lo que se 
viene. Ver más
http://www.nuevohotmail.com___
A51 mailing list
A51@lists.reflextor.com
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51

Re: [A51] Finding Kc with Kraken (dotting the i's)

2010-07-21 Thread Karsten Nohl 
List,

Please stay tuned for BlackHat where all your questions on hardware and
software setup should be answered.

Cheers,

  -Karsten
___
A51 mailing list
A51@lists.reflextor.com
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51

[A51] Finding Kc with Kraken (dotting the i's)

2010-07-18 Thread Frank A. Stevenson 
I made a very simple command line interface to Kraken, which has only 1
useful command (crack). Once fired up, you can then try to crack
multiple bursts without reloading the tables every time.

If you have some bursts that you want to crack such as:

3811417:
011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100

3811424:
11100011000100011110001101010101110001101000100111010001111011101110000001

The first number is the frame COUNT used for mixing into A5/1 - it can
be derived from the frame number in the following way:

unsigned int fn2count(unsigned int fn) {
unsigned int t1 = fn/1326;
unsigned int t2 = fn % 26;
unsigned int t3 = fn % 51;
return (t111)|(t35)|t2;
}


The second burst can be cracked, and the command to and output from
Kraken looks like this:

Kraken crack
11100011000100011110001101010101110001101000100111010001111011101110000001

Cracking
11100011000100011110001101010101110001101000100111010001111011101110000001
Found a56290409b507d75 @ 37

Kraken 

This means a56290409b507d75 is the key that produces the output at
postion 37 after 100 clockings. These numbers can then be fed into my
latest tool: find_kc. This program will perform the backclocking,
reverses the frame count mix, and the key setup mixing (based on some
earlier programs that I wrote) - finally it can as an option take a
second frame count together with the burst data as input, and use that
to eliminate the wrong candidate Kcs from the backclocking. Example:

fr...@quant:~/gsm/tmto-svn/tinkering/A5Util$ ./find_kc a56290409b507d75
37 3811424 3811417
011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100
 Found potential key (bits: 37)
db18a071e4d1f057 - db18a071e4d1f057
Framecount is 3811424
KC(0): 2e 61 10 5e 80 93 5e 1c  *** MATCHED ***
KC(1): bc 44 48 ed 03 04 02 53  mismatch
KC(2): d4 37 41 cf 3d 04 05 a5  mismatch
KC(3): da 74 09 51 60 07 7b c7  mismatch
KC(4): f3 f7 a8 3b f6 76 e6 5a  mismatch

The correct Kc is here: 2e 61 10 5e 80 93 5e 1c , and will produce both
cipherstreams correctly, as well as all other cipherstreams, and can
consequently be used to decrypt the entire call or SMS. (Byte order may
have to be changed, depending on your other tools)

How many more nails are needed for A5/1s coffin?  :-)

Frank


___
A51 mailing list
A51@lists.reflextor.com
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51