Conclusion on "RFID cracking"

Source: Internet
Author: User

Related: Three things about RFID cracking.

I slept on the train last night and have only just got home, without even washing my face, and I saw that the article had picked up a lot of visits and comments. radiowar, in the comments on my article and in his own article, said that the articles by cainiao, Tom and me contained incorrect content and were misleading people. I felt I had to come out and clarify: if the articles really were wrong, they would have to be deleted, so I re-read my article carefully and still did not find any major problems.
I also read radiowar's comment article carefully. The main issue is that we approach the problem from different directions, or that radiowar did not read carefully what I wanted to express. I wanted to reply directly, but the reply grew too long, so I have organized it into an article:
1: ID Card Problems
My knowledge here is limited, and I hope radiowar can settle the question.
My understanding is that the ID card number has no key-based security authentication mechanism; like reading the UID of an IC card, the card number can be read directly without any cracking. I would also ask radiowar to point to a paper for the details.
2: ICCard Problems
First, let me state up front that the IC card mentioned in my article refers to the M1 S50 card, so the other chips radiowar mentioned are not what my article is about.
Now the details:
1) radiowar classed the em4100 series and the HID series as IC cards, so I no longer know how he defines ID card and IC card. You can search online for the difference between an IC card and an ID card.
2) I never said that the UID is the value printed by nfc-list, so this is a difference in understanding. The UID printed by nfc-list needs an exclusive-or operation, and block 0 also contains the manufacturer code; together this can be called the card's ID number (UID). Of course my definition may not be precise; I used "ID card number" to describe this. A UID can be written to a card, that is, written into block 0.
3) By full-card copy of an IC card I mean using mfoc (including the GUI version of mfoc) to crack the keys and export the dump file; we can modify the dump file in UE and then write the data into a new card, or write it unchanged. I call this card copy, not the NFC tag emulation that radiowar mentioned.
4) On the Key A and Key B question, radiowar thinks I am not familiar with the technical principles of IC cards. I cannot help that; I think I could write an article about the access control bytes. To keep the article simple and clear, later on I will just say "the IC card password" and will not mention Key A and Key B at all.
5) My article focuses on the darkside attack and the nested authentication attack. Domestic articles refer to using the predictable random number vulnerability (PRNG vulnerability) to crack the M1 card. Is it interesting to put it that way? I was disappointed to see this discussion.
Is the PRNG vulnerability what is exploited to crack the key? The PRNG vulnerability, combined with some other problems (some encryption bits do not need to be searched exhaustively, reducing the effort by a geometric factor), makes it possible to recover the key from encrypted data. What I am talking about is why the tag sends an encrypted data stream at all; if the encrypted data stream is not sent by the tag, how can the problem be solved? So I am talking about the first half, and radiowar about the second half.
We all know that in the three-pass authentication, authentication stops as soon as any error occurs. When we use a reader on a tag without the key, the second pass will certainly fail. In the first pass the tag sends a plaintext random number; in the second pass the reader sends an encrypted random number to the tag; when the tag finds an error it stops responding. So the tag has only sent one plaintext random number and no ciphertext related to the key, so how is it to be cracked? I did not see an article by radiowar about the technical principles; in fact, I did not see radiowar's article about this issue at all. (I still need to apologize for this; I should not have mentioned radiowar.)
In addition, on the nested authentication attack, let me explain why the tag sends a ciphertext containing its own key, and why the key for one sector has to be known first: the plaintext random number is only used for the first authentication; each subsequent sector is re-authenticated using an encrypted random number directly, and that encrypted random number carries the key out. In fact, mfoc already makes this clear through the default keys and the so-called nested vulnerability (I actually don't think this is a vulnerability; encryption was meant to make things safer, but here the encryption is what brings the key out).
6) On the random number nt: this is the issue that needs to be discussed under the PRNG vulnerability. Through the PRNG vulnerability we can say that nt is not random but can be regarded as known. As for "replacing nt", I never said how to replace it; what I meant was retrying the cracking steps, restarting the device, or re-detecting the card. radiowar's comment is not what I wanted to express.
7) On USB and serial port monitoring: this is a topic I raised in the article that nobody has mentioned before. I proposed a new direction, and it is fine to question it, but radiowar believes my image is fake. Please test it yourself and then comment again.
8) Finally, I would like to thank radiowar for the issue of the "Z" in the default password. I did not take it into consideration; I posted it directly from a foreign forum.
So to sum up, radiowar did not read my article carefully and did not understand what I meant to express; the two of us discussed different things.
Finally, I will share three articles with you. They are in English and explain the Crypto-1 algorithm vulnerability and how the tools are used; after reading them you may find that what I said is not completely correct. You are welcome to give me advice. I also read these materials and summarized them myself; my English is only average, and there may be problems in my understanding.
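The nested authentication point in 5) and 6) above, as an added toy model that is not code from the original post, mfoc or libnfc: a tag whose nonce comes from a 16-bit LFSR versus one with an unpredictable 32-bit nonce. The keystream function is a SHA-256 stand-in rather than Crypto-1, and the UID, sector 1 key and LFSR seed are constructed values; it shows that once the first sector's nonce has been seen in the clear, the nested challenge's encrypted nonce XOR the predicted nonce equals 32 keystream bits of the unknown key, and that an unpredictable nonce removes that leak.

```python
import hashlib
import secrets

def lfsr16_next32(state: int) -> tuple[int, int]:
    """Clock a 16-bit Fibonacci LFSR 32 times; return (nonce, new_state).
    Taps are the textbook maximal-length x^16+x^14+x^13+x^11+1 example.
    The register always equals the last 16 output bits, so anyone who sees
    one 32-bit nonce knows the state and therefore every later nonce."""
    out = 0
    for _ in range(32):
        fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (fb << 15)
        out = (out >> 1) | (fb << 31)
    return out, state

def ks32(key: int, uid: int, nt: int) -> int:
    """Stand-in for the first 32 keystream bits under a sector key (NOT Crypto-1)."""
    seed = key.to_bytes(6, "big") + uid.to_bytes(4, "big") + nt.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(seed).digest()[:4], "big")

class Tag:
    def __init__(self, uid, sector_keys, prng_seed, strong_nonce=False):
        self.uid, self.keys, self.state = uid, sector_keys, prng_seed
        self.strong_nonce = strong_nonce   # True: fresh unpredictable 32-bit nonce
        self.authenticated = False
        self.last_nt = None                # kept only so the oracle check below works

    def auth_challenge(self, sector: int) -> int:
        if self.strong_nonce:
            nt = secrets.randbits(32)
        else:
            nt, self.state = lfsr16_next32(self.state)  # toy clocks only per auth
        self.last_nt = nt
        if not self.authenticated:         # first authentication: nt in the clear
            return nt
        # nested authentication: nt is XORed with keystream under the new sector key
        return nt ^ ks32(self.keys[sector], self.uid, nt)

def nested_leak(strong_nonce: bool) -> bool:
    """Reader holds the key of sector 0 (the post's precondition) but not sector 1.
    True means {nt} XOR predicted nt equals the real keystream: 32 bits leaked."""
    keys = {0: 0xFFFFFFFFFFFF, 1: 0xA0B1C2D3E4F5}   # factory default + constructed key
    tag = Tag(uid=0x0123ABCD, sector_keys=keys, prng_seed=0xACE1, strong_nonce=strong_nonce)
    nt0 = tag.auth_challenge(0)            # plaintext nonce; three-pass with known key
    tag.authenticated = True               # ...succeeds, so the session is open
    enc_nt1 = tag.auth_challenge(1)        # nested challenge: encrypted nonce only
    predicted_nt1, _ = lfsr16_next32(nt0 >> 16)   # LFSR state is the top 16 bits of nt0
    leaked = enc_nt1 ^ predicted_nt1
    return leaked == ks32(keys[1], tag.uid, tag.last_nt)   # oracle check using key 1
```

With a real cipher the leaked keystream bits are what the key-recovery step works from; the lesson for a defender is that the nonce source, not only the cipher, decides whether nested authentication exposes keys.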
Http://dl.vmall.com/c0r6a6nmam
Http://dl.vmall.com/c0d3qnpwpb
Http://dl.vmall.com/c0luvoz9dq