Re: [A51] Finding Kc with Kraken (dotting the i's)
More info on BlackHat Caesars Palace Las Vegas, NV • July 28-29 - Day 2 Karsten Nohl Attacking phone privacy Our most popular phone technologies use decade-old proprietary cryptography. GSM's 64bit A5/1 cipher, for instance, is vulnerable to time memory trade-offs but commercial cracking hardware costs hundreds of thousands of dollars. We discuss how cryptographic improvements and the power of the community created an open GSM decrypt solution that runs on commodity hardware. Besides GSM we discuss weaknesses in DECT cordless phones. The talk concludes with an overview of mitigation steps for GSM and DECT in response to our research, some of which are already being implemented. Suggestion: US law consider interception devices as prohibited to be sold without a government authorization. So, i recommend to use only "theoretical" approach on the exhibition :) Javier > Date: Wed, 21 Jul 2010 16:56:18 +0200 > From: n...@virginia.edu > To: a51@lists.reflextor.com > Subject: Re: [A51] Finding Kc with Kraken (dotting the i's) > > List, > > Please stay tuned for BlackHat where all your questions on hardware and > software setup should be answered. > > Cheers, > > -Karsten > ___ > A51 mailing list > A51@lists.reflextor.com > http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51 _ En Hotmail estamos reinventando un nuevo correo. Preparate para lo que se viene. Ver más http://www.nuevohotmail.com___ A51 mailing list A51@lists.reflextor.com http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
Re: [A51] Finding Kc with Kraken (dotting the i's)
List, Please stay tuned for BlackHat where all your questions on hardware and software setup should be answered. Cheers, -Karsten ___ A51 mailing list A51@lists.reflextor.com http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
Re: [A51] Finding Kc with Kraken (dotting the i's)
I read somewhere that USRP1 has only 1 channel and USRP2 has more
The speed is very important (especially for demoing)
So a USRP2,
I guess the WBX is a TX and RX module?
Has anyone here set this combo up on a ubuntu 10.04 LTS?
On 7/19/2010 12:38 PM, Abdalaleem Andy James Potter wrote:
> Well the USRP2 is gigabit ethernet vs USB for USRP1.
>
> If you want to do more advanced things in the future I would go for
> the USRP2...
>
> If you just want to demonstrate then go for USRP1...
>
>
> On 19 Jul 2010, at 10:36, Dino Pastos wrote:
>
>> Yes but what cant I do with USRP1 in regards to USRP 2 ?
>>
>> On
>>
>> 7/19/2010 12:31 PM, Abdalaleem Andy James Potter wrote:
>>> Double check my maths !
>>>
>>> I haven't yet tested this set-up but I would suggest:
>>>
>>> - USRP2 $1400
>>> - WBX $450
>>> - Antenna for GSM frequencies... $35
>>>
>>> $1885
>>>
>>>
>>> Or you could go for a less expensive option:
>>>
>>> - USRP 1 $700
>>> - DBSRX $150
>>> - Antenna for GSM frequencies... $35
>>>
>>> $885
>>>
>>>
>>>
>>> On 18 Jul 2010, at 12:57, Dinos Pastos wrote:
>>>
it will only be buried correctly if the media is informed.
I am attempting to build a wokring USRP 1 or 2 setup in order to
demonstrate it in Cyprus
I need some assistance in selecting the right stuff to save time.
Please post your tested setup if you have time.
Regards
dinopio
On Sun, Jul 18, 2010 at 12:25 PM, Frank A. Stevenson
wrote:
> I made a very simple command line interface to Kraken, which has
> only 1
> useful command (crack). Once fired up, you can then try to crack
> multiple bursts without reloading the tables every time.
>
> If you have some bursts that you want to crack such as:
>
> 3811417:
> 011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100
>
>
>
> 3811424:
> 11100011000100011110001101010101110001101000100111010001111011101110000001
>
>
>
> The first number is the frame COUNT used for mixing into A5/1 - it
> can
> be derived from the frame number in the following way:
>
> unsigned int fn2count(unsigned int fn) {
> unsigned int t1 = fn/1326;
> unsigned int t2 = fn % 26;
> unsigned int t3 = fn % 51;
> return (t1<<11)|(t3<<5)|t2;
> }
>
>
> The second burst can be cracked, and the command to and output from
> Kraken looks like this:
>
> Kraken> crack
> 11100011000100011110001101010101110001101000100111010001111011101110000001
>
>
>
> Cracking
> 11100011000100011110001101010101110001101000100111010001111011101110000001
>
>
> Found a56290409b507d75 @ 37
>
> Kraken>
>
> This means a56290409b507d75 is the key that produces the output at
> postion 37 after 100 clockings. These numbers can then be fed into my
> latest tool: find_kc. This program will perform the backclocking,
> reverses the frame count mix, and the key setup mixing (based on some
> earlier programs that I wrote) - finally it can as an option take a
> second frame count together with the burst data as input, and use
> that
> to eliminate the wrong candidate Kcs from the backclocking. Example:
>
> fr...@quant:~/gsm/tmto-svn/tinkering/A5Util$ ./find_kc
> a56290409b507d75
> 37 3811424 3811417
> 011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100
>
>
> Found potential key (bits: 37)
> db18a071e4d1f057 -> db18a071e4d1f057
> Framecount is 3811424
> KC(0): 2e 61 10 5e 80 93 5e 1c *** MATCHED ***
> KC(1): bc 44 48 ed 03 04 02 53 mismatch
> KC(2): d4 37 41 cf 3d 04 05 a5 mismatch
> KC(3): da 74 09 51 60 07 7b c7 mismatch
> KC(4): f3 f7 a8 3b f6 76 e6 5a mismatch
>
> The correct Kc is here: 2e 61 10 5e 80 93 5e 1c , and will produce
> both
> cipherstreams correctly, as well as all other cipherstreams, and can
> consequently be used to decrypt the entire call or SMS. (Byte
> order may
> have to be changed, depending on your other tools)
>
> How many more nails are needed for A5/1s coffin? :-)
>
> Frank
>
>
> ___
> A51 mailing list
> A51@lists.reflextor.com
> http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
>
___
A51 mailing list
A51@lists.reflextor.com
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
>>>
>>
>
___
A51 mailing list
A51@lists.reflextor.com
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
Re: [A51] Finding Kc with Kraken (dotting the i's)
it will only be buried correctly if the media is informed.
I am attempting to build a wokring USRP 1 or 2 setup in order to
demonstrate it in Cyprus
I need some assistance in selecting the right stuff to save time.
Please post your tested setup if you have time.
Regards
dinopio
On Sun, Jul 18, 2010 at 12:25 PM, Frank A. Stevenson wrote:
> I made a very simple command line interface to Kraken, which has only 1
> useful command (crack). Once fired up, you can then try to crack
> multiple bursts without reloading the tables every time.
>
> If you have some bursts that you want to crack such as:
>
> 3811417:
> 011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100
>
> 3811424:
> 11100011000100011110001101010101110001101000100111010001111011101110000001
>
> The first number is the frame COUNT used for mixing into A5/1 - it can
> be derived from the frame number in the following way:
>
> unsigned int fn2count(unsigned int fn) {
> unsigned int t1 = fn/1326;
> unsigned int t2 = fn % 26;
> unsigned int t3 = fn % 51;
> return (t1<<11)|(t3<<5)|t2;
> }
>
>
> The second burst can be cracked, and the command to and output from
> Kraken looks like this:
>
> Kraken> crack
> 11100011000100011110001101010101110001101000100111010001111011101110000001
>
> Cracking
> 11100011000100011110001101010101110001101000100111010001111011101110000001
> Found a56290409b507d75 @ 37
>
> Kraken>
>
> This means a56290409b507d75 is the key that produces the output at
> postion 37 after 100 clockings. These numbers can then be fed into my
> latest tool: find_kc. This program will perform the backclocking,
> reverses the frame count mix, and the key setup mixing (based on some
> earlier programs that I wrote) - finally it can as an option take a
> second frame count together with the burst data as input, and use that
> to eliminate the wrong candidate Kcs from the backclocking. Example:
>
> fr...@quant:~/gsm/tmto-svn/tinkering/A5Util$ ./find_kc a56290409b507d75
> 37 3811424 3811417
> 011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100
> Found potential key (bits: 37)
> db18a071e4d1f057 -> db18a071e4d1f057
> Framecount is 3811424
> KC(0): 2e 61 10 5e 80 93 5e 1c *** MATCHED ***
> KC(1): bc 44 48 ed 03 04 02 53 mismatch
> KC(2): d4 37 41 cf 3d 04 05 a5 mismatch
> KC(3): da 74 09 51 60 07 7b c7 mismatch
> KC(4): f3 f7 a8 3b f6 76 e6 5a mismatch
>
> The correct Kc is here: 2e 61 10 5e 80 93 5e 1c , and will produce both
> cipherstreams correctly, as well as all other cipherstreams, and can
> consequently be used to decrypt the entire call or SMS. (Byte order may
> have to be changed, depending on your other tools)
>
> How many more nails are needed for A5/1s coffin? :-)
>
> Frank
>
>
> ___
> A51 mailing list
> A51@lists.reflextor.com
> http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
>
___
A51 mailing list
A51@lists.reflextor.com
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
[A51] Finding Kc with Kraken (dotting the i's)
I made a very simple command line interface to Kraken, which has only 1
useful command (crack). Once fired up, you can then try to crack
multiple bursts without reloading the tables every time.
If you have some bursts that you want to crack such as:
3811417:
011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100
3811424:
11100011000100011110001101010101110001101000100111010001111011101110000001
The first number is the frame COUNT used for mixing into A5/1 - it can
be derived from the frame number in the following way:
unsigned int fn2count(unsigned int fn) {
unsigned int t1 = fn/1326;
unsigned int t2 = fn % 26;
unsigned int t3 = fn % 51;
return (t1<<11)|(t3<<5)|t2;
}
The second burst can be cracked, and the command to and output from
Kraken looks like this:
Kraken> crack
11100011000100011110001101010101110001101000100111010001111011101110000001
Cracking
11100011000100011110001101010101110001101000100111010001111011101110000001
Found a56290409b507d75 @ 37
Kraken>
This means a56290409b507d75 is the key that produces the output at
postion 37 after 100 clockings. These numbers can then be fed into my
latest tool: find_kc. This program will perform the backclocking,
reverses the frame count mix, and the key setup mixing (based on some
earlier programs that I wrote) - finally it can as an option take a
second frame count together with the burst data as input, and use that
to eliminate the wrong candidate Kcs from the backclocking. Example:
fr...@quant:~/gsm/tmto-svn/tinkering/A5Util$ ./find_kc a56290409b507d75
37 3811424 3811417
011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100
Found potential key (bits: 37)
db18a071e4d1f057 -> db18a071e4d1f057
Framecount is 3811424
KC(0): 2e 61 10 5e 80 93 5e 1c *** MATCHED ***
KC(1): bc 44 48 ed 03 04 02 53 mismatch
KC(2): d4 37 41 cf 3d 04 05 a5 mismatch
KC(3): da 74 09 51 60 07 7b c7 mismatch
KC(4): f3 f7 a8 3b f6 76 e6 5a mismatch
The correct Kc is here: 2e 61 10 5e 80 93 5e 1c , and will produce both
cipherstreams correctly, as well as all other cipherstreams, and can
consequently be used to decrypt the entire call or SMS. (Byte order may
have to be changed, depending on your other tools)
How many more nails are needed for A5/1s coffin? :-)
Frank
___
A51 mailing list
A51@lists.reflextor.com
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
