Professional Documents
Culture Documents
September 2001
chris@phaedsys.org
www.phaedsys.org
Contents
Contents _________________________________________________________________ 3
History / Record of Changes ______________________________________________ 5
Release notes:-___________________________________________________________ 5
SCOPE ______________________________________________________________ 7
Dynamic Authentication______________________________________________ 9
Commands Using MAC/DES _________________________________________ 9
DES ________________________________________________________________ 11
Key Derivation______________________________________________________ 13
Unique Keys ________________________________________________________ 13
MAC DES Keys _____________________________________________________ 15
MAC Session Keys __________________________________________________ 15
MAC Computation __________________________________________________ 17
THEORY ________________________________________________________________17
Process: ________________________________________________________________18
RSA ________________________________________________________________ 29
RSA Keys ___________________________________________________________ 30
Remaining digits of the issuers public key to be hashed
________________________ 30
SHA-1 ___________________________________________________________________57
GSM A3A8 algorithm. ( COMP128) ______________________________________60
References _________________________________________________________ 66
www.phaedsys.org
Phaedrus Systems
Page 3 of 67
www.phaedsys.org
Phaedrus Systems
Page 4 of 67
13/08/97
CAH
4/Aug/01
1.0
CAH
Release notes:This document was originally produced as an internal document for a smart card project in
the UK in 1997-8. All the company/project specific parts have been removed and only
generic 7816, EMV, UKIS and cipher information remains. UKIS is a subset of 7816 used in UK
for APACS financial smart cards.
The cipher sources have been collected from several places all of them reputable but for
obvious reasons some of them are not attributed. None of them come with no guarantees of
any kind. You have to validate them for your own use.
www.phaedsys.org
Phaedrus Systems
Page 5 of 67
www.phaedsys.org
Phaedrus Systems
Page 6 of 67
SCOPE
The UKIS smart card working to 7816 requires security. Sending Message Authentication
Certificates (MAC) with certain messages ensures this. However the data in the message
itself is not encrypted. The card contains secret keys for this purpose. These keys are unique
and generated at personalisation time. These keys are used to generate session keys.
Apart from MACs they system requires transaction certificates that are also generated using
DEA in a similar manner to the MAC.
The card also contains other (RSA) keys that can be recovered from the card, using Read
Record that the terminal uses for static authentication. This does not require any involvement
by the card other than supplying the files.
There is also a method of read write access to the application and files. This is part of the file
system and outside the scope of this document.
www.phaedsys.org
Phaedrus Systems
Page 7 of 67
www.phaedsys.org
Phaedrus Systems
Page 8 of 67
Dynamic Authentication
Dynamic authentication is online authentication where the card talks (through the terminal)
to the issuer or host. When the card and the terminal verify each other without recourse to
the issuer it is static authentication. Dynamic authentication is undertaken using ISO DEA-1.
www.phaedsys.org
Phaedrus Systems
Page 9 of 67
P2, Lc, ATC,LAC, DATA(if present) VISA 1.3 6.3.2.4 also confirms this. LAC= Last
Application Cryptogram.
App Block
App Unblock
Card Block
Put Data
CLA,
INS,
P1,
P2,
Lc
Data +MAC
0x84
0x84
0x84
0x1E
0x18
0x16
0x04
0x00
0x00
0x00
0xDA
0x00
0x00
0x00
0x9F
0x08
0x08
0x08
0x58
0x09
P2,
0x00
Lc,
0x0A
Data
ARPC + ARPC RC
MAC
MAC
MAC
LCOL
MAC
External Authenticate
CLA,
0x00
INS,
0x82
P1,
0x00
Returns SW1/SW2
Generate AC
Generate Application Cryptogram is the only command that causes a cryptogram to be
generated and returned.
Command :
CLA,
0x80
Returns:
Length 1
INS,
0xAE
P1,
0x00
0x40
0x80
SW1/SW2 +
1
1
P2,
0x00
Lc,
0x1D
0x1F
CID+
2
ATC+ AC+
8
1
CID
ATC
AC
le
DKI
CVN
CVR
DKI
www.phaedsys.org
Phaedrus Systems
Data
CDOL1
CDOL2
le+
1
DKI+
1
CVN+ CVR
4
Page 10 of 67
DES
This 64-bit block cipher is the approved algorithm for secure messaging and
is standardised in ISO 8731-1, ISO 8372, and ISO/IEC 10116. More precisely,
both the single DES encipherment and the triple DES encipherment versions
described below are approved to be used in the encipherment and MAC
mechanisms described in Annex E.
Triple DES encipherment involves enciphering an 8-byte plaintext block in an
8-byte ciphertext block with a double-length (16-byte) secret key K = (KL ||
KR) as follows:
Y = DES(KL)[DES-1(KR)[DES(KL)[X]]].
Decipherment takes place as follows:
X = DES-1(KL)[DES(KR)[DES-1(KL)[Y]]].
.
The encipherment mechanisms for secure messaging for confidentiality uses a
64-bit block cipher ALG either in Electronic Codebook (ECB) Mode or in
Cipher Block Chaining (CBC) mode.
Encipherment of a message MSG of arbitrary length with Encipherment
Session Key KS takes place in the following steps.
Padding and Blocking
If the message MSG has a length that is not a multiple of 8 bytes, add a 80
byte to the right of MSG, and then add the smallest number of 00 bytes to the
right such that the length of resulting message MSG := (MSG || 80 || 00 ||
00 || . . . || 00) is a multiple of 8 bytes.
If the message MSG has a length that is a multiple of 8 bytes, the following two
cases can occur depending on pre-defined rules (see Part IV of this
specification).
- No padding takes place: MSG := MSG.
- MSG is padded to the right with the 8-byte block
(80 || 00 || 00 ||00 || 00 || 00 || 00 || 00)
to obtain MSG.
MSG is then divided into 8-byte blocks X1, X2, . . . , Xk.
www.phaedsys.org
Phaedrus Systems
Page 11 of 67
Cryptogram Computation
ECB Mode
Encipher the blocks X1, X2, . . . , Xk into the 8-byte blocks Y1, Y2, . . . , Yk with
the block cipher algorithm in ECB mode using the Encipherment Session Key
KS. Hence compute for i = 1, 2, . . . , k:
Yi := ALG(KS)[Xi].
CBC Mode
Encipher the blocks X1, X2, . . . , Xk into the 8-byte blocks Y1, Y2, . . . , Yk with
the block cipher algorithm in CBC mode using the Encipherment Session Key
KS. Hence compute for i = 1, 2, . . . , k:
Yi := ALG(KS)[Xi Yi-1],
with initial value Y0 := (00 || 00 || 00 || 00 || 00 || 00 || 00 ||
00).
Notation:
Y := (Y1 || Y2 || . . . || Yk) = ENC(KS)[MSG].
Decipherment is as follows.
Cryptogram Decipherment
ECB Mode
Compute for i = 1, 2, . . . , k:
Xi := ALG-1(KS)[Yi ].
CBC Mode
Compute for i = 1, 2, . . . , k:
Xi := ALG-1(KS)[Yi ] Yi-1,
with initial value Y0 := (00 || 00 || 00 || 00 || 00 || 00 || 00 || 00).
To obtain the original message MSG, concatenate the blocks X1, X2, . . . , Xk
and if padding has been used (see above) remove the trailing (80 || 00 ||
00 || . . . || 00) byte-string from the last block Xk.
Notation:
M = DEC(KS)[Y].
www.phaedsys.org
Phaedrus Systems
Page 12 of 67
Key Derivation
Unique Keys
The Unique DEA Keys are used to perform online card authentication, online
issuer authentication and TC generation. The Unique DEA keys are stored in
the card during personalisation and are derived using the Application PAN1
and Application PAN Sequence Number.
Note: This derivation does not take place on the card.
To derive the Unique Key A, the Application PAN and Application PAN
Sequence Number are concatenated together into a 16-hexadecimal field. If
the Sequence Number is not present then it is zero filled. If the length of the
Application PAN followed by the Sequence Number is not equal to 16 digits
then the following rules apply:
if the PAN plus the Sequence Number are less than 16 digits the
data is right justified in a 16-hexadecimal field and padded on the
left with 0s
if the PAN plus the Sequence Number are greater than 16 digits
only the rightmost 16 digits are used
Triple DEA encipherment (i.e. encipher, decipher, encipher), is then
performed using the Issuer generated double-length Derivation Key resulting
in the Unique Key A.
To derive the Unique Key B, the Application PAN and Application PAN
Sequence Number are concatenated together into a 16-hexadecimal field
using the formatting rules above and then inverted. Inversion takes place at
bit level where each bit with the value 1 is set to 0 and each bit with the
value 0 is set to 1.
Triple DEA encipherment is then performed using the Issuer generated
double-length Derivation Key resulting in the Unique Key B.
www.phaedsys.org
Phaedrus Systems
Page 13 of 67
www.phaedsys.org
Phaedrus Systems
Page 14 of 67
www.phaedsys.org
Phaedrus Systems
Page 15 of 67
inversion at bit level, (i.e. each bit with the value 1 is set to 0 and
each bit with the value 0 is set to 1)
The inverted ATC is then right justified in an 8-byte field and the
remaining 6 bytes are set to 0x00.
An exclusive-OR operation is performed on the inverted and
padded ATC with the MAC Key B stored on the card
The result of the exclusive-OR is session key B for the Maccing process.
Session Key
Created
Create Session
Key
Creat Session
Key
1
Create Key A
Create Key B
Session Key
A Created
Get key A
Session Key
B Created
Create MAC
Session Key A
Create MAC
Session Key B
MAC Key A
Session Key A
Get keu B
Session Key B
Get ATC
Get ATC
MAC Session
Key A
MAC Session
Key b
Application
Transaction
Counter
www.phaedsys.org
Phaedrus Systems
Page 16 of 67
MAC Key B
MAC Computation
THEORY
The computation of an s-byte MAC (4 s 8) is according to ISO/IEC 9797 using a 64-bit
block cipher ALG in CBC mode. More precisely, the computation of a MAC S over a
message MSG consisting of an arbitrary number of bytes with a MAC Session Key KS takes
place in the following steps.
Padding and Blocking
Pad the message M according to ISO 7816-4 (which is equivalent to method 2 of ISO/IEC
9797), hence add a mandatory 80 byte to the right of MSG, and then add the smallest
number of 00 bytes to the right such that the length of resulting message MSG := (MSG
|| 80 || 00 || 00 || . . . || 00) is a multiple of 8 bytes.
MSG is then divided into 8-byte blocks X1, X2, . . . , Xk.
www.phaedsys.org
Phaedrus Systems
Page 17 of 67
Process:
The MAC is generated using triple DEA encipherment with the MAC session
keys previously calculated as follows:
An initial 8-byte vector is set to 0x00
The following data is concatenated in the order specified to create a
block of data:
DATA
CLA
INS
P1
P2
Lc
ATC
NOTES
Bytes of the script command sent to the card from the
terminal
ARQC
DATA
This block of data is formatted into 8-byte data blocks labelled D1,
D2, D3D6, (the last block may be between 1 and 8 bytes
depending on the length of the original data block)
If the last block of data
00
00
00
00
00
00
00
Note: The number of data blocks will depend on the original data block.
The MAC is then generated by:
1 the first data block becomes the first input block I1
2 the card will perform an exclusive-OR operation on the initial vector and
the input block I1 to give I2
3 I2 is encrypted using the DES encrypt algorithm and the MAC session
key A to give the output block O1
4 the card will then perform an exclusive-OR on O1 and D2 to give I3
www.phaedsys.org
Phaedrus Systems
Page 18 of 67
5 I3 is encrypted using the DES encrypt algorithm and the MAC session
key A to give the output block O2
Steps 4 and 5 are then repeated for the number of data blocks that exist until
an exclusive-OR has been performed on the last data block, D(n), and the
result has been encrypted to give the output O(n).
6 O(n) is then decrypted using the DES decrypt algorithm and the MAC
session key B to give the output O(n + 1)
7 O(n + 1) is then encrypted using the DES encrypt algorithm and the
MAC session key A to give the output O(n + 2)
The result O(n + 2) is the 8-byte MAC.
The MAC is then compared to the MAC in the Command Data. This procedure
is shown diagrammatically below:
Initial
Vector
I2
I3
I4
I5
Xor
DEA(e)
DEA(e)
DEA(e)
DEA(e)
O1
O2
O3
O4
Xor
Xor
Xor
DEA(d)
I1 = D1
O5
DEA(e)
D2
D3
D4
O6
I
= Input
DEA (e) = Encrypt using MAC
Session Key A
DEA (d) = Decrypt using MAC
Session Key B
D = Data Block
O = Output
Calculated
8 byte MAC
= Exclusive Or
Xor
www.phaedsys.org
Phaedrus Systems
Page 19 of 67
www.phaedsys.org
Phaedrus Systems
Page 20 of 67
Generating An AC or an ARPC
APPLICATION CRYPTOGRAM - ARQC / TC or AAC
www.phaedsys.org
Phaedrus Systems
Page 21 of 67
The output 8-byte field is the resulting cryptogram returned by the card in
response to the Generate AC command
This procedure is shown diagrammatically below:
I1 = D1
I2
I3
I4
I5
DEA(e)
DEA(e)
DEA(e)
DEA(e)
DEA(e)
O1
O2
O3
O4
O5
Xor
Xor
Xor
Xor
DEA(d)
O6
DEA(e)
D2
D3
D4
D5
O7
Calculated
I
= Input
DEA (e) = Encrypt using DES
with Key A
DEA (d) = Decrypt using DES
with Key B
D = Data Block
O = Output
Xor
8 byte Cryptogram
= Exclusive Or
www.phaedsys.org
Phaedrus Systems
Page 22 of 67
www.phaedsys.org
Phaedrus Systems
Page 23 of 67
www.phaedsys.org
Phaedrus Systems
Page 24 of 67
www.phaedsys.org
Phaedrus Systems
Page 25 of 67
I1 = D1
DEA(e)
O1
DEA(d)
O2
DEA(e)
O3
Calculated
ARPC
I = Input DEA (e) = Encrypt using DES
D = Data Block
O = Output
www.phaedsys.org
Phaedrus Systems
Page 26 of 67
www.phaedsys.org
Phaedrus Systems
Page 27 of 67
www.phaedsys.org
Phaedrus Systems
Page 28 of 67
Static Authentication
Static Authentication uses Public Key cryptography based on RSA signed Keys. Static
Authentication is used in the terminal. The card stores the keys and the terminal obtains them
by READ RECORD. The card therefore does not need to know about RSA encryption or key
generation.
Static data authentication is performed by the terminal using a digital signature based on
public key techniques to confirm the legitimacy of critical ICC-resident static data identified
by the AFL. This detects unauthorised alteration of data after personalisation.
The data objects used for signing shall be retrievable by the terminal using the READ
RECORD Command.
RSA
Static data authentication requires the existence of a certification authority, which is a highly
secure cryptographic facility that signs the issuers public keys. Every terminal conforming
to this specification shall contain the appropriate certification authority's public key(s) for
every application recognised by the terminal. This specification permits multiple AIDs to
share the same set of certification authority public keys. The relationship between the data
and the cryptographic keys is shown below.
Issuer
Private Key
(Issuer)
SI
Public Key
(Issuer)
PI
Certification Authority
Private Key
(CA)
SCA
Public Key
(CA)
PCA
Acquirer
Distributed to Acquirer
(Resides in Terminal)
PI certified
with SCA
IC Card
IC Terminal
Terminal :
- Uses PCA to verify that the Issuers PI
www.phaedsys.org
Phaedrus Systems
Page 29 of 67
RSA Keys
The following keys are held on the card to be retrieved by the terminal using READ RECORD.
Issuer Public Key Certificate
Issuers public key certified by a certification authority for use in static data authentication.
Format:
320-1024 bits, Tag 90h , Length 40-128 bytes
Issuer Public Key Exponent
Issuer specified data to be used with the Issuerss public key algorithm for use in static data
authentication.
Format:
8-252 bits, Tag 9F32h, Length 1-32 bytes
Issuer Public Key Remainder
Remaining digits of the issuers public key to be hashed
Format:
8-272 bits, Tag 92h, Length 1-34 bytes
www.phaedsys.org
Phaedrus Systems
Page 30 of 67
File Security
There is no specified file security. There is, however, much implied security. This is part of
the file system and application set up and not a separate security module.
www.phaedsys.org
Phaedrus Systems
Page 31 of 67
www.phaedsys.org
Phaedrus Systems
Page 32 of 67
Cipher Sources
The cipher sources have been collected from several places all of them
reputable but for obvious reasons some are not attributed and come with
no guarantees of any kind.
As all these ciphers are in the public domain the sources will be available on my web site
(unless or until lawyers tell me different) The C version of DES is available on the Keil CD in
the 8051 examples directory. It originated from Applied Cryptography by Bruce Schneier
however due to the wonderfully democratic laws of the US whilst it was in printed from in the
book the electronic version on the Applied Cryptography CD is only available in the USA.
Bruce Schneier is an internationally acclaimed security and cipher consultant who does not
need me to validate the authenticity of his work. The 8051 assembler implementation comes
from an unimpeachable source at a major smart card vendor. The SHA-1 cipher comes from
another smart card vendor.
The diagrams were produced from the source using DA-C
DES Sources
C Source
The DES example is taken from the book "Applied Cryptography" by Bruce Schneier. It is
adapted for the Keil C51-Compiler. The example code is not optimized for code or data
space and shows the processing from long value arithmetic (56 bit) on an 8051 micro
controller. The source is available on the Keil demo CD
cpkey
Des.c
des_key
deskey
cookey
Des.c
Des.c
Des.c
des_enc
desfunc
Des.c
Des.c
des_dec
unscrun
Des.c
Des.c
main
Des.c
scrunch
Des.c
www.phaedsys.org
Phaedrus Systems
Page 33 of 67
#include <stdio.h>
#include <reg51.h>
typedef struct {
unsigned long ek[32];
unsigned long dk[32];
} des_ctx;
extern void deskey(unsigned char *, short);
/*
hexkey[8]
MODE
* Sets the internal key register according to the hexadecimal
* key contained in the 8 bytes of hexkey, according to the DES,
* for encryption or decryption according to MODE.
*/
extern void usekey(unsigned long *);
/*
cookedkey[32]
* Loads the internal key register with the data in cookedkey.
*/
extern void cpkey(unsigned long *);
/*
cookedkey[32]
* Copies the contents of the internal key register into the storage
* located at &cookedkey[0].
*/
extern void des(unsigned char *, unsigned char *);
/*
from[8]
to[8]
* Encrypts/Decrypts (according to the key currently loaded in the
* internal key register) one block of eight bytes at address 'from'
* into the block at address 'to'. They can be the same.
*/
static
static
static
static
void
void
void
void
static
static
static
static
bigbyte[24] = {
0x400000L,
0x200000L,
0x40000L,
0x20000L,
0x4000L,
0x2000L,
0x400L,
0x40L,
0x4L,
0x100000L,
0x10000L,
0x1000L,
0x200L,
0x20L,
0x2L,
0x1L
};
www.phaedsys.org
Phaedrus Systems
Page 34 of 67
13,
20, 12,
3 };
cook = dough;
for( i = 0; i < 16; i++, raw1++ ) {
raw0 = raw1++;
*cook
= (*raw0 & 0x00fc0000L) << 6;
*cook |= (*raw0 & 0x00000fc0L) << 10;
*cook |= (*raw1 & 0x00fc0000L) >> 10;
*cook++|= (*raw1 & 0x00000fc0L) >> 6;
*cook
= (*raw0 & 0x0003f000L) << 12;
*cook |= (*raw0 & 0x0000003fL) << 16;
*cook |= (*raw1 & 0x0003f000L) >> 4;
*cook++
|= (*raw1 & 0x0000003fL);
}
usekey(dough);
}
void cpkey(unsigned long *into)
www.phaedsys.org
Phaedrus Systems
Page 35 of 67
scrunch(inblock, work);
desfunc(work, KnL);
unscrun(work, outblock);
}
#endif
static void scrunch(unsigned char
*into
= (*outof++ & 0xffL) <<
*into |= (*outof++ & 0xffL) <<
*into |= (*outof++ & 0xffL) <<
*into++ |= (*outof++ & 0xffL);
*into
= (*outof++ & 0xffL) <<
*into |= (*outof++ & 0xffL) <<
*into |= (*outof++ & 0xffL) <<
*into |= (*outof
& 0xffL);
}
static void
*into++ =
*into++ =
*into++ =
*into++ =
*into++ =
*into++ =
*into++ =
*into
=
}
24;
16;
8;
0x01010404L,
0x00010000L,
0x00000400L,
0x00000004L,
0x00010400L,
0x01000404L,
0x00010004L,
0x01000000L,
0x01010000L,
0x00000400L,
0x01000004L,
0x00010404L,
0x01000404L,
0x01010400L,
0x00000000L,
0x01010004L };
www.phaedsys.org
Phaedrus Systems
Page 36 of 67
0x80000020L,
0x80008000L,
0x00108000L,
0x80000000L,
0x00100020L,
0x00008020L,
0x00000000L,
0x80008020L,
0x80100000L,
0x00108020L,
0x00008020L,
0x00100020L,
0x00108000L,
0x80000000L,
0x80108000L,
0x00000020L,
0x80008020L,
0x00108020L,
0x00000000L,
0x80100000L,
0x80100020L,
0x80108000L,
0x00000020L,
0x00008000L,
0x00100000L,
0x80000020L,
0x80008000L,
0x80108020L,
0x80000000L,
0x80100020L,
0x00000000L,
0x80100000L,
0x00108000L,
0x00008020L,
0x00100000L,
0x00008000L,
0x80108020L,
0x80000000L,
0x80000020L,
0x00100020L,
0x00008020L,
0x00108000L };
0x08020008L,
0x08000200L,
0x00020000L,
0x00000208L,
0x00000200L,
0x00020208L,
0x08000208L,
0x08000000L,
0x00000208L,
0x00000000L,
0x08000200L,
0x08020008L,
0x08020208L,
0x08000008L,
0x08020000L,
0x00020200L };
0x00000080L,
0x00002001L,
0x00802081L,
0x00800001L,
0x00802001L,
0x00002080L,
0x00800080L,
0x00000081L,
0x00802081L,
0x00802000L,
0x00000001L,
0x00000080L,
0x00002000L,
0x00800081L,
0x00802001L,
0x00802080L };
0x42000100L,
0x02080000L,
0x40080100L,
0x40000000L,
0x00000000L,
0x02000100L,
0x42000000L,
0x00080100L,
0x02000000L,
0x40080100L,
0x02080100L,
0x42080000L,
0x42080100L,
0x42000000L,
www.phaedsys.org
0x80108020L,
0x00100000L,
0x00100020L,
0x00008000L,
0x80000020L,
0x80108000L,
0x00108020L,
0x80100000L,
0x80008000L,
0x00000020L,
0x80108000L,
0x80008020L,
0x00000000L,
0x80100020L,
Phaedrus Systems
Page 37 of 67
0x20404010L,
0x00400000L,
0x20000010L,
0x00004010L,
0x00004000L,
0x20400010L,
0x20404000L,
0x20000000L,
0x00404000L,
0x20000010L,
0x00004010L,
0x20400000L,
0x20400010L,
0x00404010L,
0x00000000L,
0x20004010L };
0x00000000L,
0x04200800L,
0x04000002L,
0x00000802L,
0x04000800L,
0x00200002L,
0x04200802L,
0x00200800L,
0x04000802L,
0x00000002L,
0x00200000L,
0x04200800L,
0x04200000L,
0x04200802L,
0x00000800L,
0x00200002L };
0x10041040L,
0x10000000L,
0x00041000L,
0x00000040L,
0x00001040L,
0x10041000L,
0x10040040L,
0x00040000L,
0x00001000L,
0x00041040L,
0x10040000L,
0x10001040L,
0x10000040L,
0x00000000L,
0x00001040L,
0x10041000L };
leftt = block[0];
right = block[1];
work = ((leftt >> 4) ^ right) & 0x0f0f0f0fL;
right ^= work;
leftt ^= (work << 4);
www.phaedsys.org
Phaedrus Systems
Page 38 of 67
www.phaedsys.org
Phaedrus Systems
Page 39 of 67
* Key
: 0123 4567 89ab cdef
* Plain : 0123 4567 89ab cde7
* Cipher : c957 4425 6a5e d31d
*
**********************************************************************/
void des_key(des_ctx *dc, unsigned char *key){
deskey(key,EN0);
cpkey(dc->ek);
deskey(key,DE1);
cpkey(dc->dk);
}
/* Encrypt several blocks in ECB mode. Caller is responsible for
short blocks. */
void des_enc(des_ctx *dc, unsigned char *Data, int blocks){
unsigned long work[2];
int i;
unsigned char *cp;
cp = Data;
for(i=0;i<blocks;i++){
scrunch(cp,work);
desfunc(work,dc->ek);
unscrun(work,cp);
cp+=8;
}
}
void des_dec(des_ctx *dc, unsigned char *Data, int blocks){
unsigned long work[2];
int i;
unsigned char *cp;
cp = Data;
for(i=0;i<blocks;i++){
scrunch(cp,work);
desfunc(work,dc->dk);
unscrun(work,cp);
cp+=8;
}
}
void main(void){
des_ctx dc;
int i;
unsigned long Data[10];
char *cp,key[8] = {0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
char x[8] = {0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xe7};
/*-----------------------------------------------Setup the serial port for 1200 baud at 16MHz.
------------------------------------------------*/
SCON = 0x50;
/* SCON: mode 1, 8-bit UART, enable rcvr */
TMOD |= 0x20;
/* TMOD: timer 1, mode 2, 8-bit reload */
TH1
= 221;
/* TH1: reload value for 1200 baud @ 16MHz */
TR1
= 1;
/* TR1: timer 1 run */
TI
= 1;
/* TI:
set TI to send first char of UART */
cp = x;
des_key(&dc,key);
des_enc(&dc,cp,1);
printf("Enc(0..7,0..7) = ");
www.phaedsys.org
Phaedrus Systems
Page 40 of 67
www.phaedsys.org
Phaedrus Systems
Page 41 of 67
www.phaedsys.org
Phaedrus Systems
Page 42 of 67
8051 Assembler
The source below has come from a very good source (sic) that wishes not to advertise that it is
their implementation. However I know it has been tested and used at the highest levels.
;******************************************************************
;*
;* $Workfile: DES.A51 $
;* NAME : DES
;*
;* Copyright *******
;*
;* Author: **********
;* $Revision: 1 $
;*
;* Analysis reference:
;*
;* Input Parameters:
;*
;* Output Parameters:
;*
;* Compiler : Keil A51 Asembler
;* Target
:
;*
;* $Log: /des2/DES.A51 $
;*
;* 1
4/08/01 11:36 Chris
;*
;/
Extrn
Data
(CalcArea)
Extrn
Code
(GErrCrypt)
Public DES
;******************* Definitions *********
Decode
equ
Acc.5
MAC
equ
Acc.4
BM0
equ
024h
BM1
equ
BM0+1
BM2
equ
BM0+2
BM3
equ
BM0+3
BM4
equ
BM0+4
BM5
equ
BM0+5
BM6
equ
BM0+6
BM7
equ
BM0+7
DES_Proc
R2MAC
LenErr
ModeErr
equ
equ
equ
Segment
RSeg
Code
DES_Proc
010h
008h
003h
;Decode-/Encode~-Flag
;MAC-Flag
;BitMapMemory, 8 bytes used
;error messages
www.phaedsys.org
Phaedrus Systems
Page 43 of 67
=
=
C= 8
;R5
I,
u parameter P2 of APDU
;
b7b6
;
0 0
EBC
;
0 1
CBC
;
1 x
reserved
;
b5
;
0
encrypt
;
1
decrypt
;
;
b4
;
1
Build MAC
;
;R6
Input pointer
;R7
I
ByteCount
;B
TestRegister for ShiftTest of D-, C-Values
;Dptr
I
u Pointer to 64/56 bit DES-Key in TLV-Format
;Carry
0
0= Normal Termination
;Abbreviations: I = Input, O = Output, u = unchanged
;Two Stack-entries neccessary
;
;Key format:
sequence of TLV records
;
1st record:
key handleing information
;
2nd record:
DES key
;
3rd record:
initialvalue (optional)
;***********************************************************************
**
DES:
Mov
A,
R5
;mode
Jnb
MAC,DES_
Jnb
Decode,DES_
;Separate MAC at the end of the datafeild
Mov
A,
R7
;Acc
:= #(Data) + # (MAC)
Add
A,
#0F8h
;Acc
-= #(MAC)
Mov
R7,
A
;R7
:= true DataLength
DES_:
Mov
R3,
#8
;D, C := PC_1 (DES-Key), 2*28 bit
;Calculate key address (adrC = dptr+R2)
Mov
A,
#1
MovC
A,
@A+Dptr
;Acc
:= HeaderLength
Add
A,
#4
;Acc
:= addr(Key0)
Mov
R2,
A
;R2
KeyByteOffset
;address of 16 bytes calculation area
Mov
A,
#CalcArea
;Acc
:= addr
Xch
A,
R1
;Acc
:= addr (Input0)
Mov
R6,
A
;R6
:= addr (Input0)
;write permuted key to bitmal areA
DesGetKey:
Mov
Mov
MovC
Inc
Mov
Rlc
Xch
Rlc
Xch
Inc
Djnz
Djnz
R0,
A,
A,
R2
R4,
A
A,
A
A,
R0
R4,
R3,
#BM0
R2
@A+Dptr
#7
;R0
;Acc
;Acc
:= addr (C0)
:= KeyOffsetByte
:= ith byte of DES-Key
@R0
@R0
$-5
DesGetKey
Mov
A,
BM6
;Acc
:= D0
Xch
A,
BM4
;Acc
:= D2
Mov
BM6,
A
;Store D2 at correct location
;2nd permutation and copy to calculation area
www.phaedsys.org
Phaedrus Systems
Page 44 of 67
Mov
Mov
R0,
R3,
SetKeyNxt:
Mov
A,
Mov
R4,
Mov
A,
StandardPuermutationByte
Inc
R0
Rrc
A
Xch
A,
Rrc
A
Rrc
A
Xch
A,
Inc
R1
Djnz
R4,
#BM0
A
;R0
;R3
:= addr (C0)
:= permutate 7 bytes
R3
A
@R0
;Acc
;R4
;Acc
@R1
@R1
$-6
A
R1
#0F9h
A
;Save Accu
;Acc
;Acc
;R1
#8
R3
R4
;Acc
;Acc
;Acc
Mov
Mov
Add
Mov
Clr
Mov
SubB
Xch
Rrc
Xch
Rrc
Rrc
Xch
Inc
Djnz
Djnz
R4,
A,
A,
R1,
C
A,
A,
A,
A
A,
A
A
A,
R1
R4,
R3,
Call
VecExist
Jnc
Inc
Mov
MovC
Inc
Mov
$+5
R2
A,
A,
R1
R3,
R2
@A+Dptr
Mov
Add
Mov
A,
A,
R2,
R5
#0F1h
A
:= all bits
:= remaining bits to shift
:=remaining bits
@R1
@R1
$-6
SetKeyNxt
$-7
Cpl
Mov
Anl
Jnz
;Acc
:= addr(VectorI)
;Acc
:=VectorI
;addr (0) += 1
Decode
R5,
A
A,
#030h
DesLgOk
;Acc
;Acc
;R2
:= addr (output7)
:= addr (D0, C0)
:= addr (D0, C0)
;Acc
:= mode
encrypt
www.phaedsys.org
Phaedrus Systems
Page 45 of 67
DesLgOk:
Mov
Anl
Jz
Call
DB
A,
R7
A,
#007h
DesLgOk
GErrCrypt
008h
;Get ByteCount
;James Bond
Mov
Xrl
Anl
Jnz
A,
R5
A,
#040h
A,
#0F0h
DesSave
;Acc
:= mode
;CBC-Decode
Mov
Add
Add
Mov
A,
A,
A,
R6,
;Acc
;Acc
;Acc
;R6
Push
Push
Dpl
Dph
;No CBC-decode?
;CBC-Decode starts at end of
data
DesSave:
R6
R7
#0F8h
A
:=
:=
:=
:=
addr
addr
addr
addr
(Block0)
(BlockN) +8
(BlockN)
(blockN)
Xch
A,
R2
;Acc
:=
Jb
0F4h,
$+7
;BuildMac ? =>
Inc
R6
; addr (I) +=
;add previous output if necessary
Jnb
0F0h,
$+4
Xrl
A,
@R1
;Acc
^=
Mov
R0,
#BM0
;R0
:=
contains Right0
Mov
R4,
#8
;R4
:=
Djnz
R3,
$+4
SJmp
InitEnd
;permute byte into bitmap area
Inc
R1
;addr (0) += 1
Rlc
A
Xch
A,
@R0
Rlc
A
Xch
A,
@R0
Inc
R0
;addr (W) +=1
Djnz
R4, $-5
SJmp
InitPerm+2
;permute last byte
InitEnd:
Rl
A
www.phaedsys.org
Phaedrus Systems
PaddingByte
Skip Increment
1
OutputI
addr (Work0), it
shift 8
bits
Page 46 of 67
Rl
A
Rlc
A
Xch
A,
@R0
Rl
A
Rrc
A
Xch
A,
@R0
Inc
R0
;addr (W) += 1
Djnz
R4,
$-6
; load Permutated input in calculation area
Mov
@R1,
BM1
;R1
:=
Dec
R1
;R1
:=
Mov
@R1,
BM3
Dec
R1
;R1
:=
Mov
@R1,
BM5
Dec
R1
;R1
:=
Mov
@R1,
BM7
Dec
R1
;R1
:=
Mov
@R1,
BM0
Dec
R1
;R1
:=
Mov
@R1,
BM2
Dec
R1
;R1
:=
Mov
@R1,
BM4
Dec
R1
;R1
:=
Mov
@R1,
BM6
; 16 rounds
Mov
Add
Mov
Mov
OneRound:
addr (Left0)
addr (Left1)
addr (Left2)
addr (Left3)
addr (Right0)
addr (Right1)
addr (Right2)
addr (Right3)
DES opperation
A,
R1
A,
#0F8h
R2,
A
R3,
#16
;Acc
:= addr (Output0)
;Acc
:= addr (D0, C0)
;R2
:= addr (D0, C0)
;RoundCounter
Dec
Mov
Mov
Div
Mov
R3
A,
B,
AB
A,
;Decrement RoundCounter
;Acc
:= RoundCounter
;DivideValue for Shift1Test
;B-Accu
:= RoundCounter mod 7
;Acc
:= Parameter2 of
Anl
Jz
A,
#030h
RoundKey
;Acc5..4
:= Decode~, BuildMac
;Decryption ?
Mov
Mov
Mov
Add
Mov
Inc
Anl
Mov
Mov
Mov
Mov
Mov
Add
Xch
Rr
Rr
Xch
Dec
Djnz
Jbc
Mov
A,
R0,
A,
A,
A,
A
C,
BM0.7,
A,
R4,
R0,
A,
A,
A,
A
A
A,
R0
R4,
Bm0.7,
@R0,
R2
A
B
#0FFh
R3
;Acc
;R0
;Acc
;Acc
/Acc.4
C
@R0
#6
A
R2
R4
R0
;Carry
&= First Round ?
;BM0.7 == 0
?
=> Shift1
;Acc := D6, C6
<< 2
= D0, C0
;R4 := shift through 7 bytes
;R0
:= D6, C6 << 2 = D0, C0
;Acc
:= addr (D0, C0)
;Acc
:= addr (D6,C6)
;Acc
:= D6, C6 << 2
;Acc
:= D6, C6 << 1
;Acc
:= D6, C6
;ShiftDown one byte
;Address -= 1
R3
#7
R5
APDU
EncShift2:
RoundKey:
;Permutation
www.phaedsys.org
@R0
$-2
EncShift2
A
36
;Shift twice ?
;Store D0, C0
5 27 61 18 54
Phaedrus Systems
9 47
D6, C6
Page 47 of 67
;
;
;
;
;
;
44
52
60
6
11
19
13
21
29
37
45
53
35
43
52
59
2
10
6
14
22
30
38
46
26
34
42
50
58
1
62
7
15
23
31
39
17
25
33
41
49
57
55
63
4
12
20
28
=
=
=
=
=
=
D5,
D4,
D3,
D2,
D1,
D0,
C5
C4
C3
C2
C1
C1
Mov
A,
R2
;RoundKey
Mov
Mov
Mov
Rlc
Mov
Rl
Rl
Mov
Rlc
Mov
Mov
Rl
Rlc
Mov
Rlc
Mov
Inc
Mov
Rlc
Mov
Rl
Rl
Rlc
Mov
Mov
Mov
Rlc
Mov
Rl
Rlc
Mov
Inc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Inc
Mov
Rl
Rlc
Mov
Rl
Rlc
Mov
R0,
A,
BM2,
A
BM0,
A
A
BM6,
A
BM7,
BM6.0,
A
A
Bm7.7,
A
BM1,
R0
A,
A
BM2.6,
A
A
A
BM4,
BM5,
BM5.3,
A
BM3,
A
A
BM3.7,
R0
A,
A
BM0.1,
A
BM5.7,
A
BM0.7,
A
BM4.6,
A
BM1.7,
A
BM6.2,
A
BM1.2,
A
BM4.3,
R0
A,
A
A
BM6.7,
A
A
BM7.3,
A
@R0
A
;R0
;Acc
;Bit8
:= addr (C0)
:= D0, C0
;Bit1
;Bit53
A
C
;Bit46
;Bit39
;Bit32
;Bit15
@R0
;Acc
;Bit23
A
A
C
;Bit47
;Bit33
;Bit40
;Bit16
;Bit2
@R0
;Acc
;Bit24
;Bit48
;Bit17
;Bit41
;Bit10
;Bit34
;Bit3
;Bit55
@R0
;Acc
;Bit49
;Bit42
bit
www.phaedsys.org
Phaedrus Systems
:=D1, C1
;= D2, C3
:= D3, C3
Page 48 of 67
Rlc
Mov
Rl
Rlc
Mov
Rlc
Mov
Inc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rl
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Inc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Inc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rlc
Mov
Rl
Rlc
Mov
Rlc
Mov
A
BM0.0,
A
A
BM2.1,
A
BM6.1,
R0
A,
A
BM2.2,
A
BM7.4,
A
BM2.7,
A
A
BM2.0,
A
BM5.7,
A
BM0.3,
A
BM7.6,
R0
A,
A
BM3.4,
A
BM5.4,
A
BM3.5,
A
BM6.6,
A
BM3.6,
A
BM4.1,
A
BM1.5,
A
BM5.2,
R0
A,
A
BM1.3,
A
BM4.7,
A
BM1.6,
A
BM5.5,
A
BM0.6,
A
A
BM3.3,
A
BM4.0,
;Bit11
;Bit4
;Bit56
@R0
;Acc
;Bit26
;Bit50
;Bit19
;Bit12
;Bit36
;Bit5
;Bit29
@R0
;Acc
;Bit27
;Bit51
;Bit20
;Bit44
;Bit13
;Bit37
;Bit6
;Bit30
@R0
;Acc
;Bit28
;Bit52
;Bit21
;Bit45
;Bit14
;Bit7
;Bit31
Mov
Parameter2 of APDU
Anl
Jnz
Mov
www.phaedsys.org
A,
:=
D4,
C4
:= D5, C5
:= D6, C6
R5
;Acc
A,
#030h
InitExpand
;Acc5..4
:= decode~, BuildMac
A,
;Acc
R2
Phaedrus Systems
:=
Page 49 of 67
DecShift2:
bytes
Mov
Dec
Add
Mov
Jnz
Clr
Mov
Mov
R0,
A
A
A,
#0FFh
A,
R3
DecShift2-1
C
A,
@R0
R4,
#6
;R0
Inc
Xch
Djnz
Mov
Mov
Xch
Rl
Rl
Jbc
Mov
R0
A,
R4,
R0,
A,
A,
A
A
PSW.7,
@R0,
;Address += 1
;shiftUp one byte
;Carry
:= RoundCounter mod ?
:= Acc != => Shift2
;Last round ?
;Carry == 0
=> shift1
;Acc
:= D0, C0
;R4
:= shift through 7
@R0
$-2
A
R2
R0
DecShift2
A
;R0
:= D0, C0 >> 2 = D6, C6
;R0
:= addr (D0, C0)
;Acc
:= D0, C0 >> 2
;Acc
:= D0, C0 >>1
;Acc
:= D0, C0
;Shift twice ?
;Store D0, C0
InitExpand: Mov
SBoxValue)
Mov
Mov
Mov
Inc
Inc
Inc
R0,
#BM0
;R0
R4,
Dptr,
A,
R1
R1
R1
#4
#SBoxes
@R1
ExpXorSBox: XchD
Xch
Xrl
Swap
Anl
MovC
LowNibble valid
Xch
Inc
XchD
Mov
Xrl
Anl
MovC
HighNibble valid
Mov
Inc
Mov
Dec
Inc
Djnz
A,
A,
A,
A
A,
A,
@R1
@R0
@R0
A,
R0
A,
A,
A,
A,
A,
@R0
;Acc3..0
:= RightI, 4 bits
@R1
@R1
@R0
#0FCh
@A+Dptr
;Rebuild
;Acc7..0
;Acc7..2
;Mask
;Acc
RightI
:=RightI
:= SBoxIndex, 6 bit
SBoxIndex
:= SBoxValue,
@R0,
R0
A,
R1
Dptr
R4,
A
;Acc7..0
:= RightI
Mov
Jnb
Mov
Add
Mov
A,
Acc.0,
A,
A,
R1,
R3
$+7
R1
#8
A
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
C,
A
C,
A
C,
A
C,
A
BM1.6
www.phaedsys.org
;R1
#0FCh
@A+Dptr
:=addr (first
:= addr (Right0)
;Acc3..0
:= RightI, 4 bits
Acc := RoundKey,
bits 7, 6, 3..0
Acc := SBoxIndex,
bits 7, 6, 3..0
Acc7..2
:= SBoxIndex,
6 bits
;Mask
SBoxIndex
;Acc
:= SBoxValue,
@R1
ExpXorSBox
;Acc
:= RoundCounter
;Odd Round ?
;Acc
:= addr (Right3) -1
;Addres += 8
;R1
:= addr (Left0)
;P(B)1 :=B7, Righgt := P(B) ExOr Left
BM4.3
;P(B)2
:=B20
BM5.4
;P(B)3
:=B21
BM7.4
;P(B)4
:=B29
Phaedrus Systems
Page 50 of 67
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Xrl
Mov
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Dec
Xrl
Mov
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Dec
Xrl
Mov
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Mov
Rrc
Dec
Xrl
www.phaedsys.org
C,
A
C,
A
C,
A
C,
A
A,
@R1,
C,
A
C,
A
C,
A
C,
A
C,
A
C,
A
C,
A
C,
A
R1
A,
@R1,
C,
A
C,
A
C,
A
C,
A
C,
A
C,
A
C,
A
C,
A
R1
A,
@R1,
C,
A
C,
A
C,
A
C,
A
C,
A
C,
A
C,
A
C,
A
R1
A,
BM2.3
;P(B)5
:=B12
BM6.3
;P(B)6
:=B28
BM4.0
;P(B)7
:=B17
BM0.0
;P(B)8
:=B1
@R1
A
BM3.6
;Acc
;Left0
;P(B)9
:= new Right0
:= new Right0
:=B15
BM5.6
;P(B)10
:=B23
BM6.1
;P(B)11
:=B26
BM1.4
;P(B)12
:=B5
BM4.1
;P(B)13
:=B18
BM7.6
;P(B)14
:=B31
BM2.1
;P(B)15
:=B10
BM0.1
;P(B)16
:=B2
@R1
A
BM1.7
;Acc
;Left1
;P(B)17
:= new Rihght1
:= new Right1
:=B8
BM5.7
;P(B)18
:=B24
BM3.5
;P(B)19
:=B14
BM7.7
;P(B)20
:=B32
BM6.2
;P(B)21
:=B27
BM0.2
;P(B)22
:=B3
BM2.0
;P(B)23
:=B9
BM4.2
;P(B)24
:=B19
@R1
A
BM3.4
;Acc
;Left2
;P(B)25
:= new Right2
:= new Right2
:=B13
BM7.5
;P(B)26
:=B30
BM1.5
;P(B)27
:=B6
BM5.5
;P(B)28
:=B22
BM2.2
;P(B)29
:=B11
BM0.3
;P(B)30
:=B4
BM6.0
;P(B)31
:=B25
BM3.7
;P(B)32
:=B16
@R1
;Acc
:= new Right3
Phaedrus Systems
Page 51 of 67
Mov
@R1,
Mov
Jz
Jmp
A,
R3
PreOutput
OneRound
R3,
#8
Mov
R0,
#BM0
Mov
Inc
Rl
Mov
Rrc
Xch
Rlc
Xch
Dec
Djnz
A,
R0
A
R4,
A
A,
A
A,
R1
R4,
@R0
Mov
Add
Mov
Djnz
A,
A,
R1,
R3,
R1
#8
A
InvItPerm
;Left3
:= new Right3
;Acc
:=RoundCounter
;Ready Rounds ?
;Next Rounds
;BM7
:= Right3
;BM5
:= Right2
;BM3
:= Right1
;BM1
:= Right0
;BM6
:= Left3
;BM4
:= Left2
;BM2
:= Left1
;BM0
:= Left0
IP^-1
InvItPerm:
#8
@R1
@R1
$-5
;Acc
;Acc
;R1
:= addr (Output0) -1
:= addr (Output7)
:= addr (Output7)
Mov
A,
@R1
;Acc
Rr
A
Rr
A
Mov
@R1,
A
;Results of DEs operation available
Mov
A,
R6
;Acc
Mov
R0,
A
;R0
Clr
C
TestEnd:
:= Output7 << 2
:= addr (Input0) + 8
:= addr (Input0) + 8
Mov
Jb
Rl
Rlc
Anl
A,
Acc.4,
A
A
C,
R5
TestEnd
;BuildMac ?
/Acc.7
;Carry
Mov
Mov
Dec
Dec
Mov
Djnz
R3,
A,
R1
R0
@R0,
R3,
#8
@R1
Mov
A,
R7
www.phaedsys.org
A
$-4
Phaedrus Systems
Page 52 of 67
NoCbcDec:
DesEnd:
DesRet:
Jz
Jnc
Mov
Add
Mov
Mov
Mov
Mov
Xrl
Mov
Inc
Inc
Djnz
LJmp
DesEnd
;End of input data reached?
NoCbcDec
A,
R6 ;For CBC decode set pointer to next block
A,
#0F0h
R6,
A
R1,
A
R3,
#8
;and XOR it with pervious outout
A,
@R1
A,
@R0
@R0,
A
R0
R0
R3,
$-5
DesAction
Pop
Pop
Jnc
Call
Jnc
Dph
Dpl
DesRet
VecExist
DesRet
Mov
MovC
Add
Mov
Mov
MovC
Inc
Xrl
Mov
Inc
Djnz
A,
A,
A,
R1,
A,
A,
R1
A,
@R0,
R0
R3,
;Restor DataPointer
#1
@A+Dptr
#14
A
R1
@A+Dptr
:= VectorI
@R0
A
$-6
Mov
R3,
#8
Mov
A,
R2
;Acc
Add
A,
R3
;Acc
Mov
R1,
A
;R1
Mov
A,
R5
;Acc
Jnb
Acc.4, NoMAC
;MAC verification/copy MAC to end of data
Mov
C,
Acc.5
Mov
A,
@R1
Jc
$+5
Xrl
A,
@R0
Jnz
MacErr
Mov
@R0,
A
Inc
R0
Inc
R1
Djnz
R3,
$-9
NoMAC:
Mov
Mov
Mov
Clr
Ret
A,
R1,
A,
c
MacErr:
Call
DB
GErrCrypt
R2MAC
VecExist:
Mov
MovC
Rrc
Mov
MovC
A,
A,
A
A,
A,
www.phaedsys.org
:=
:=
:=
:=
R6
A
#8
;Normal termination => Carry == 0!
#2
@A+Dptr
;Invalid MAC
;Acc
;Carry
#1
@A+Dptr
Phaedrus Systems
;Acc
:=KeyType
:=InitialVectorExistanc
:= HeaderLength
Page 53 of 67
MovC
Dec
Jnz
Clr
Mov
Ret
A,
A
$+3
C
R3,
@A+Dptr
;Acc
:= EntryCount
;EntryCount >1
;EntryCount == 1 => C := 0
#8
;***********************************************************************
* SBOX DATA */
SBoxes:
;BoxNr.:
2,1 4,3 6,5 8,7
DB
0F7h,0E5h,034H,02Bh
DB
002h,05Bh,092h,0E8h
DB
09Ch,088h,001h,05Ch
DB
0AFh,0DFh,0EFh,005h
DB
046h,006h,09Eh,06Fh
DB
05Bh,031h,045h,093h
DB
03Ah,0DDh,07Bh,0AAh
DB
09Ch,0AAh,086h,0F0h
DB
01Bh,079h,052h,014h
DB
0E7h,092h,0F8h,02Dh
DB
046h,013h,0CCh,0C9h
DB
039h,0C4h,023h,056h
DB
0CDh,09Fh,06Dh,0d1h
DB
0B4h,0ECh,03Eh,07Eh
DB
0A0h,024h,0A7h,036h
DB
04Ah,017h,0D0h,0A9h
DB
082h,0B0h,083h,04Dh
DB
078h,066h,074h,0D2h
DB
0E5h,04Bh,0BAh,093h
DB
013h,088h,009h,06Fh
DB
0DFh,06Ch,045h,0F0h
DB
026h,0DFh,01Bh,03Ch
DB
009h,032h,0E0h,005h
DB
0C5h,045h,0BCh,0CAh
DB
078h,0C7h,0F8h,027h
DB
0D1h,009h,0ADh,08Bh
DB
0B3h,0AEh,03Fh,07Eh
DB
06Eh,073h,05Ah,0B1h
DB
021h,05Ah,016h,08Bh
DB
08Dh,0B0h,0C1h,047h
DB
05Eh,0f1h,0D9h,0E8h
DB
0F0h,02Eh,067h,014h
DB
0C0h,0BBh,057h,08Bh
DB
0BFh,0C8h,02Dh,046h
DB
035h,024h,06Ah,037h
DB
0DAh,092h,0D6h,0F9h
DB
0F7h,06Ch,0E2h,052h
DB
0C2h,056h,098h,028h
DB
069h,083h,00Ch,004h
DB
005h,03Dh,065h,0C7h
DB
02Eh,0D0h,024h,0BDh
DB
051h,00Bh,043h,07Bh
DB
083h,04Ah,0BFh,06Ah
DB
0ECh,0A7h,080h,090h
DB
01Bh,006h,09Bh,0E8h
DB
028h,0B1h,0F4h,015h
DB
0DCh,07Fh,0C1h,091h
DB
076h,044h,01Ah,06Ch
DB
0BFh,01Eh,0FDh,0F0h
DB
013h,0F5h,0C1h,08Dh
DB
006h,0E1h,080h,0ACh
DB
06Dh,02Fh,07Fh,034h
DB
044h,0f2h,03Eh,0C9h
DB
0F9h,089h,0A7h,052h
DB
09Ah,05Dh,0D9h,07Fh
DB
0A0h,0EAh,002h,0A4h
www.phaedsys.org
Phaedrus Systems
Page 54 of 67
DB
DB
DB
DB
DB
DB
DB
DB
0E2h,0A9h,043h,01Eh
084h,060h,03Eh,0E1h
05Dh,037h,075h,0D3h
037h,0DCh,0E9h,00Fh
078h,0C5h,0A8h,025h
04Eh,01Eh,05Bh,0BEh
0A1h,098h,016h,046h
09Bh,073h,0BCh,0d3h
www.phaedsys.org
Phaedrus Systems
Page 55 of 67
www.phaedsys.org
Phaedrus Systems
Page 56 of 67
SHA-1
This is a basic Hash function used in many smart card systems. This implementation is in Java
is used for electronic data signature. The source is a well known smart card vendor.
You will find at http://www.itl.nist.gov/fipspubs/fip180-1.htm the FIPS PUB 180-1
corresponding specification from the NIST. This implementation for Java (that could easily
be converted for C), is without any guarantee .
import java.awt.*;
import java.applet.*;
import java.io.*;
public class sha {
long a;
long b;
long c;
long d;
long e;
public class Message {
int ml;
long m[] = new long[1024];
Message(){
for (int i=0; i<1024; i++) m[i]=0;}
}
public static long F(long x, long y, long z) {
return (((x & y) | ((x ^ 0xFFFFFFFF) & z)) & 0xFFFFFFFF);}
public static long G(long x, long y, long z) {
return ((x ^ y ^ z) & 0xFFFFFFFF);}
public static long H(long x, long y, long z) {
return (((x & y) | (x & z) | (y & z)) & 0xFFFFFFFF);}
public static long I(long x, long y, long z) {
return ((x ^ y ^ z) & 0xFFFFFFFF);}
public static String hexa(long n) {
char T[]={'0','1','2','3','4','5','6','7','8','9','A','B','C','D
','E','F'};
String s="";
int i;
for (i=0; i<8; i++) {
s=T[(int) (n & 0x0F)] + s;
n>>=4;}
return(s);}
public long ROTATE_LEFT(long x, int n) {
int mask1=0x80000000;
int mask2=0x0;
for (int i=0; i<32-n; i++) {mask1>>=1; mask1|=0x80000000;}
for (int i=0; i<n; i++) {mask2<<=1; mask2++;}
return ((((x << n) & mask1) | ((x >> (32-n)) & mask2))
& 0xffffffff);}
sha()
a
b
c
d
e
{
=
=
=
=
=
0x67452301;
0xefcdab89;
0x98badcfe;
0x10325476;
0xc3d2e1f0;}
www.phaedsys.org
Phaedrus Systems
Page 57 of 67
www.phaedsys.org
Phaedrus Systems
Page 58 of 67
+=
+=
+=
+=
+=
old.a;
old.b;
old.c;
old.d;
old.e;
}
public String toString () {
return(hexa(a) + hexa(b) + hexa(c) + hexa(d) + hexa(e));}
}
www.phaedsys.org
Phaedrus Systems
Page 59 of 67
( Perform substitutions )
for
for
false
for
code
for
for
code
code
Third, SRES is taken from the first 8 nibbles of x[], not the last 8
as claimed in the document. (And the document doesn't specify how Kc is derived, but that
was also easily discovered with reverse engineering.)
All of these typos have been corrected in the following code.
www.phaedsys.org
Phaedrus Systems
Page 60 of 67
/* in */ Byte rand[16],
/* in */ Byte key[16],
/* out */ Byte simoutput[12]);
www.phaedsys.org
Phaedrus Systems
Page 61 of 67
static const
{
52,
37,
55,
62,
48,
29,
20,
31,
};
Byte table_2[128] =
50,
4,
10,
57,
2,
14,
38,
53,
44,
40,
33,
27,
21,
45,
2,
47,
6,
34,
35,
6,
28,
26,
30,
38,
21,
61,
50,
8,
36,
55,
58,
63,
49,
12,
1,
31,
42,
46,
35,
15,
41,
28,
43,
26,
60,
11,
1,
49,
59,
4,
3,
54,
33,
17,
16,
5,
39,
58,
57,
41,
34,
54,
56,
37,
51,
23,
13,
22,
18,
46,
40,
53,
25,
8,
62,
45,
0,
9,
23,
25,
32,
15,
14,
20,
11,
24,
48,
36,
51,
12,
7,
39,
24,
30,
13,
63,
47,
22,
42,
3,
10,
60,
19,
29,
52,
9,
44,
16,
17,
32,
19,
5,
43,
18,
59,
56,
61,
0,
27,
7
www.phaedsys.org
Phaedrus Systems
Page 62 of 67
7,
2,
5,
5,
0, 14,
6, 8,
7, 1, 2, 13, 8,
9, 11, 13, 15, 12
/* in */ Byte rand[16],
/* in */ Byte key[16],
/* out */ Byte simoutput[12])
{
Byte x[32];
Byte xsbit[128];
int
int
int
int
int
int
int
int
int
i;
j;
k;
l;
m;
n;
y;
z;
next_bit;
www.phaedsys.org
Phaedrus Systems
Page 63 of 67
www.phaedsys.org
Phaedrus Systems
Page 64 of 67
x = toupper(x);
if (x >= 'A' && x <= 'F')
return x-'A'+10;
else if (x >= '0' && x <= '9')
return x-'0';
fprintf(stderr, "bad input.\n");
exit(1);
}
int main(int argc, char **argv)
{
Byte
rand[16];
Byte
key [16];
Byte
simoutput[12];
int i;
if (argc != 3 || strlen(argv[1]) != 34 || strlen(argv[2]) != 34
|| strncmp(argv[1], "0x", 2) != 0
|| strncmp(argv[2], "0x", 2) != 0)
{
fprintf(stderr, "Usage: %s 0x<key> 0x<rand>\n", argv[0]);
exit(1);
}
for (i=0; i<16; i++)
{
key[i] = (hextoint(argv[1][2*i+2])<<4)|
hextoint(argv[1][2*i+3]);
}
for (i=0; i<16; i++)
{
rand[i] = (hextoint(argv[2][2*i+2])<<4)
hextoint(argv[2][2*i+3]);
}
A3A8(key, rand, simoutput);
printf("simoutput: ");
for (i=0; i<12; i++)
{
printf("%02X", simoutput[i]);
}
printf("\n");
return 0;
}
#endif
www.phaedsys.org
Phaedrus Systems
Page 65 of 67
References
Applied Cryptography 2nd Ed By Bruce Schneier
pub 1996 by Wiley ISBN 0-47111709-9 NOTE US citizens may also obtain a companion CD containing electronic versions of
most of the ciphers in the book. The is THE reference for cryptography for the average
person.
Smart Card Handbook 2nd Ed. By Wrankel & Effing Pub 1999 by Wiley. ISBN 0-471-
98875-8 This is THE smart card reference book. Note the 2nd Edition in English is the 3rd
Edition of the original German version.
http:/www.europay.com
www.phaedsys.org
Phaedrus Systems
Page 66 of 67
chris@phaedsys.org
www.phaedsys.org
www.phaedsys.org
Phaedrus Systems
Page 67 of 67