Cryptography Reference
11. Match two corresponding victim half-nonces (e.g. $n_l^{(j)}, n_r^{(j)}$).
12. Output the victim nonce ($n^{(j)} = n_l^{(j)} \| n_r^{(j)}$).
4.3 Phase III: Key Recovery
In the previous two phases of our attack, we managed to find a complete
victim nonce $n^{(j)}$, with a certain probability, by observing $m_t$ consecutive runs of
the protocol. Now, we present how an adversary is able to recover all five secret
keys of the protocol. To find $k_a^{(j)}$, $k_b^{(j)}$, $k_c^{(j)}$ and $k_d^{(j)}$, we should follow (26-29).
n ( j )
l
k ( j )
a
( A ( j +1)
n ( j )
r
mod 2 N
)
(26)
k ( j )
b
B ( j )
n ( j ) mod p
(27)
1
n ( j )
k ( j )
c
C ( j ) mod p
(
mod p )
×
(28)
$$k_d^{(j)} = n_l^{(j)} \oplus D^{(j)} \tag{29}$$
To recover $k_u^{(j)}$, we need to find the nonce in the next run ($n^{(j+1)}$); thus we
should calculate the updated keys for the $(j+1)$th run using (7) and (10).
k ( j +1)
a
= k ( j )
a
n ( j )
r
(30)
k ( j +1)
d
= k ( j )
d
n ( j )
r
(31)
Then we have:
$$n_l^{(j+1)} \oplus k_d^{(j+1)} = D^{(j+1)} \tag{32}$$
n ( j +1)
l
k ( j +2)
a
= A ( j +2)
(33)
Using (30) and (33), we can write:
n ( j +1)
r
= k ( j +2)
a
k ( j +1)
a
(34)
Finally, by using (27), (32) and (34), we can find $k_u^{(j)}$.
( k ( j )
b
k ( j )
u
≡ B ( j +1)
− n ( j +1)
⊕ n ( j +1) ) mod p
(35)
The procedure above achieves our objective of recovering all of the secret
keys with a certain probability ($P_t$). This probability can be increased at
the price of having more protocol run outputs available.
Furthermore, as can be seen from (32) and (34), the next nonce is also
obtainable. This implies that the secret keys of the next run can also be calculated
by applying (26-35) to the next run. This is an ongoing procedure which yields the
keys of any arbitrary run $r$ of the protocol with $r > j$. Being able to generate
the future secret keys, an adversary is capable of either impersonating both the
reader and the tag or tracing the tag.