Re: [A51] Finding Kc with Kraken (dotting the i's)
More info on BlackHat

Caesars Palace Las Vegas, NV • July 28-29 - Day 2

Karsten Nohl
Attacking phone privacy

Our most popular phone technologies use decade-old proprietary cryptography. GSM's 64bit A5/1 cipher, for instance, is vulnerable to time memory trade-offs but commercial cracking hardware costs hundreds of thousands of dollars. We discuss how cryptographic improvements and the power of the community created an open GSM decrypt solution that runs on commodity hardware. Besides GSM we discuss weaknesses in DECT cordless phones. The talk concludes with an overview of mitigation steps for GSM and DECT in response to our research, some of which are already being implemented.

Suggestion: US law considers interception devices as prohibited to be sold without a government authorization. So, I recommend using only a "theoretical" approach at the exhibition :)

Javier

> Date: Wed, 21 Jul 2010 16:56:18 +0200
> From: n...@virginia.edu
> To: a51@lists.reflextor.com
> Subject: Re: [A51] Finding Kc with Kraken (dotting the i's)
>
> List,
>
> Please stay tuned for BlackHat where all your questions on hardware and
> software setup should be answered.
>
> Cheers,
>
> -Karsten

___
A51 mailing list
A51@lists.reflextor.com
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
Re: [A51] Finding Kc with Kraken (dotting the i's)
List,

Please stay tuned for BlackHat where all your questions on hardware and software setup should be answered.

Cheers,

-Karsten
Re: [A51] Finding Kc with Kraken (dotting the i's)
I read somewhere that USRP1 has only 1 channel and USRP2 has more
The speed is very important (especially for demoing)
So a USRP2, I guess the WBX is a TX and RX module?
Has anyone here set this combo up on Ubuntu 10.04 LTS?

On 7/19/2010 12:38 PM, Abdalaleem Andy James Potter wrote:
> Well the USRP2 is gigabit ethernet vs USB for USRP1.
>
> If you want to do more advanced things in the future I would go for
> the USRP2...
>
> If you just want to demonstrate then go for USRP1...
>
> On 19 Jul 2010, at 10:36, Dino Pastos wrote:
>
>> Yes but what can't I do with USRP1 in regards to USRP 2 ?
>>
>> On 7/19/2010 12:31 PM, Abdalaleem Andy James Potter wrote:
>>> Double check my maths !
>>>
>>> I haven't yet tested this set-up but I would suggest:
>>>
>>> - USRP2 $1400
>>> - WBX $450
>>> - Antenna for GSM frequencies... $35
>>>
>>> $1885
>>>
>>> Or you could go for a less expensive option:
>>>
>>> - USRP 1 $700
>>> - DBSRX $150
>>> - Antenna for GSM frequencies... $35
>>>
>>> $885
>>>
>>> On 18 Jul 2010, at 12:57, Dinos Pastos wrote:
>>>> it will only be buried correctly if the media is informed.
>>>>
>>>> I am attempting to build a working USRP 1 or 2 setup in order to
>>>> demonstrate it in Cyprus
>>>> I need some assistance in selecting the right stuff to save time.
>>>> Please post your tested setup if you have time.
>>>>
>>>> Regards
>>>> dinopio
Re: [A51] Finding Kc with Kraken (dotting the i's)
it will only be buried correctly if the media is informed.

I am attempting to build a working USRP 1 or 2 setup in order to demonstrate it in Cyprus
I need some assistance in selecting the right stuff to save time.
Please post your tested setup if you have time.

Regards
dinopio

On Sun, Jul 18, 2010 at 12:25 PM, Frank A. Stevenson wrote:
> I made a very simple command line interface to Kraken, which has only 1
> useful command (crack). Once fired up, you can then try to crack
> multiple bursts without reloading the tables every time.
>
> If you have some bursts that you want to crack such as:
>
>     3811417:
>     011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100
>
>     3811424:
>     11100011000100011110001101010101110001101000100111010001111011101110000001
>
> The first number is the frame COUNT used for mixing into A5/1 - it can
> be derived from the frame number in the following way:
>
>     unsigned int fn2count(unsigned int fn) {
>         unsigned int t1 = fn/1326;
>         unsigned int t2 = fn % 26;
>         unsigned int t3 = fn % 51;
>         return (t1<<11)|(t3<<5)|t2;
>     }
>
> The second burst can be cracked, and the command to and output from
> Kraken looks like this:
>
>     Kraken> crack 11100011000100011110001101010101110001101000100111010001111011101110000001
>
>     Cracking 11100011000100011110001101010101110001101000100111010001111011101110000001
>     Found a56290409b507d75 @ 37
>
>     Kraken>
>
> This means a56290409b507d75 is the key that produces the output at
> position 37 after 100 clockings. These numbers can then be fed into my
> latest tool: find_kc. This program will perform the backclocking,
> reverse the frame count mix, and the key setup mixing (based on some
> earlier programs that I wrote) - finally it can as an option take a
> second frame count together with the burst data as input, and use that
> to eliminate the wrong candidate Kcs from the backclocking.
>
> Example:
>
>     fr...@quant:~/gsm/tmto-svn/tinkering/A5Util$ ./find_kc a56290409b507d75 37 3811424 3811417 011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100
>     Found potential key (bits: 37)
>     db18a071e4d1f057 -> db18a071e4d1f057
>     Framecount is 3811424
>     KC(0): 2e 61 10 5e 80 93 5e 1c *** MATCHED ***
>     KC(1): bc 44 48 ed 03 04 02 53 mismatch
>     KC(2): d4 37 41 cf 3d 04 05 a5 mismatch
>     KC(3): da 74 09 51 60 07 7b c7 mismatch
>     KC(4): f3 f7 a8 3b f6 76 e6 5a mismatch
>
> The correct Kc is here: 2e 61 10 5e 80 93 5e 1c , and will produce both
> cipherstreams correctly, as well as all other cipherstreams, and can
> consequently be used to decrypt the entire call or SMS. (Byte order may
> have to be changed, depending on your other tools)
>
> How many more nails are needed for A5/1's coffin? :-)
>
> Frank
[A51] Finding Kc with Kraken (dotting the i's)
I made a very simple command line interface to Kraken, which has only 1 useful command (crack). Once fired up, you can then try to crack multiple bursts without reloading the tables every time.

If you have some bursts that you want to crack such as:

    3811417:
    011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100

    3811424:
    11100011000100011110001101010101110001101000100111010001111011101110000001

The first number is the frame COUNT used for mixing into A5/1 - it can be derived from the frame number in the following way:

    unsigned int fn2count(unsigned int fn) {
        unsigned int t1 = fn/1326;
        unsigned int t2 = fn % 26;
        unsigned int t3 = fn % 51;
        return (t1<<11)|(t3<<5)|t2;
    }

The second burst can be cracked, and the command to and output from Kraken looks like this:

    Kraken> crack 11100011000100011110001101010101110001101000100111010001111011101110000001

    Cracking 11100011000100011110001101010101110001101000100111010001111011101110000001
    Found a56290409b507d75 @ 37

    Kraken>

This means a56290409b507d75 is the key that produces the output at position 37 after 100 clockings. These numbers can then be fed into my latest tool: find_kc. This program will perform the backclocking, reverse the frame count mix, and the key setup mixing (based on some earlier programs that I wrote) - finally it can as an option take a second frame count together with the burst data as input, and use that to eliminate the wrong candidate Kcs from the backclocking.

Example:

    fr...@quant:~/gsm/tmto-svn/tinkering/A5Util$ ./find_kc a56290409b507d75 37 3811424 3811417 011100101011101011101101011010011101011101011011100100101100010111101000110101100101011100
    Found potential key (bits: 37)
    db18a071e4d1f057 -> db18a071e4d1f057
    Framecount is 3811424
    KC(0): 2e 61 10 5e 80 93 5e 1c *** MATCHED ***
    KC(1): bc 44 48 ed 03 04 02 53 mismatch
    KC(2): d4 37 41 cf 3d 04 05 a5 mismatch
    KC(3): da 74 09 51 60 07 7b c7 mismatch
    KC(4): f3 f7 a8 3b f6 76 e6 5a mismatch

The correct Kc is here: 2e 61 10 5e 80 93 5e 1c , and will produce both cipherstreams correctly, as well as all other cipherstreams, and can consequently be used to decrypt the entire call or SMS. (Byte order may have to be changed, depending on your other tools)

How many more nails are needed for A5/1's coffin? :-)

Frank
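
Added example (not part of Frank's post and not taken from the Kraken or find_kc sources): the COUNT packing from fn2count in the post, together with its inverse, which is useful when reconciling frame numbers in a capture log with the COUNT values attached to bursts. The names count2fn, count_gap and roundtrip_ok are assumptions introduced here; the two sample COUNT values are the ones quoted in the post.

```c
#include <stdio.h>

#define FRAMES_PER_HYPERFRAME 2715648L   /* 2048 * 26 * 51; frame numbers wrap here */

/* Frame number -> COUNT, as posted: T1 (11 bits) | T3 (6 bits) | T2 (5 bits). */
unsigned int fn2count(unsigned int fn) {
    unsigned int t1 = fn / 1326;
    unsigned int t2 = fn % 26;
    unsigned int t3 = fn % 51;
    return (t1 << 11) | (t3 << 5) | t2;
}

/* COUNT -> frame number, or -1 if the fields are not a valid encoding. */
long count2fn(unsigned int count) {
    unsigned int t1 = count >> 11;
    unsigned int t3 = (count >> 5) & 0x3f;
    unsigned int t2 = count & 0x1f;
    if (t1 >= 2048 || t2 >= 26 || t3 >= 51)
        return -1;
    /* Find x in [0, 1326) with x % 26 == t2 and x % 51 == t3.
       Write x = t3 + 51*k; since 51 == -1 (mod 26), k == t3 - t2 (mod 26). */
    unsigned int k = (t3 + 26 - t2) % 26;
    return (long)(t1 * 1326 + t3 + 51 * k);
}

/* Frames from COUNT a forward to COUNT b (mod hyperframe), -1 if either is invalid. */
long count_gap(unsigned int a, unsigned int b) {
    long fa = count2fn(a), fb = count2fn(b);
    if (fa < 0 || fb < 0)
        return -1;
    return (fb - fa + FRAMES_PER_HYPERFRAME) % FRAMES_PER_HYPERFRAME;
}

/* Returns 1 if count2fn inverts fn2count for every frame number in a hyperframe. */
int roundtrip_ok(void) {
    for (long fn = 0; fn < FRAMES_PER_HYPERFRAME; fn++)
        if (count2fn(fn2count((unsigned int)fn)) != fn)
            return 0;
    return 1;
}

int main(void) {
    unsigned int a = 3811417, b = 3811424;   /* COUNT values quoted in the post */
    printf("%u -> FN %ld\n", a, count2fn(a));
    printf("%u -> FN %ld\n", b, count2fn(b));
    printf("gap: %ld frame(s), round trip %s\n", count_gap(a, b),
           roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Decoded this way, the two COUNT values in the post correspond to adjacent frame numbers, 2467841 and 2467842.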