nismo
07-29-2005, 09:11 AM
I found this on another site:
This is a C&P, Nagraman is the writer.
--------------------------------------------------------------------------------
First off, this discussion is directed to the handful of real technical
experts out there. The layman is also welcome to read this thread for it
will give him a realistic picture of the new encryption technology, but
he should refrain from participating in this discussion if he has
nothing of technical merit to contribute. Otherwise, this thread will
degenerate into useless rambling.
I decided to post my findings because there is so much mis-information
out there. There has been much talk recently that Nagra 2 is an
impenetrable fortress that will never be compromised, much like the P4
card. At any rate, that is the prevailing view among the layman. Perhaps
this thread will enlighten many of you.
Anyone who has logged the Nagra 2 datastream and compared it to the
Nagra 1 datastream will be astonished - nothing much has changed! Some
of the commands have been renamed and slightly re-formatted. Why were
the commands re-named? Most likely so that a Nagra 1 card wouldn't get
confused with commands directed to the Nagra 2 card and vice-versa,
while both the Nagra 1 and 2 streams were active together.
Now, there are some commands that come down in plaintext and others that
are encrypted. The plaintext commands are trivial and can be easily
emulated for both Nagra 1 and 2 and we won't bother discussing them. The
encrypted commands are $04, $07 and $1C for Nagra 2. (The corresponding
ones for Nagra 1 are $00, $03 and $13).
We can completely ignore command $04 because it only provides updates to
the card that are not critical to generating video. This was the purpose
of the $00 command in Nagra 1 and as many of you know, when you put
blocker code on your Nagra 1 cards, you are simply ignoring command $00,
but you still get video!
So, that just leaves commands $07 and $1C. Since this is the heart of
the Nagra 2 encryption, it is quite astonishing that nobody has much to
say about these commands even when the demise of Nagra 1 is upon us.
Well, here is where the discussion gets more technical, so do try to
follow along.
Technical Discussion: Command $07
Well, it would help if we all knew what a command $07 looks like, so
here is a recent log of that command:
21 00 4D ; A0 CA 00 00 ;Standard Header
47 ;Instruction Length
07 ;Command
45 ;Command Data Length
01 01 ;System ID
86 00 08 ;ECM Type, Key Select
xx xx xx xx xx xx xx xx ;Valid Hash (Signature)
xx xx xx xx xx xx xx xx ;Encrypted Packet 1
xx xx xx xx xx xx xx xx ;Encrypted Packet 2
xx xx xx xx xx xx xx xx ;Encrypted Packet 3
xx xx xx xx xx xx xx xx ;Encrypted Packet 4
xx xx xx xx xx xx xx xx ;Encrypted Packet 5
xx xx xx xx xx xx xx xx ;Encrypted Packet 6
xx xx xx xx xx xx xx xx ;Encrypted Packet 7
02 ;Expected Response Length
cs ;Checksum
And the standard response from the card:
12 00 04 ; 87 ;Standard Response Header
00 ;Response Code Length
90 00 ;SW1/SW2
53 ;Checksum
Well, for those of you who are familiar with Nagra 1, it looks exactly
the same as the $03 command except we have 7 encrypted packets instead
of 4. The first question we need to ask is why are there 3 more packets?
The answer, as you will see later on when we discuss the $1C command is
that 6 control words ?? are being sent as opposed to 2 in the Nagra 1
setup. So, we would expect 4 more encrypted packets over the original 4
in Nagra 1. But that would be a total of 8 packets and not 7? But
remember, with Nagra 1, there were some pad bytes that they are probably
now using for the extra control words. So 7 encrypted packets sounds
about right.
Now, what is the encryption being used? We can certainly rule out 64
byte RSA because there are only 56 bytes of data. So it has to be a
block cipher that operates on 8 bytes or 64 bits at a time. We can rule
out any block ciphers that operate on 16 bytes or 128 bits at a time
because we have 7 packets and not 8.
So what are the cipher candidates? DES, 3-DES, IDEA. There are other
candidates like Lucifer, Madryga, NewDES, FEAL, etc. The problem with
these latter ciphers is that they have either been proven unreliable or
simply aren't widely implemented on silicon.
I am hesitant to even include IDEA in the list because there has been no
rush by industry to adopt it as a replacement to DES and a commercial
license must be granted by the inventors for its use. IDEA also uses a
128 bit key and operates on 64 bits of data. Also, patents filed by
Kudelski indicate a 64 bit ECM key and not 128 bit.
Many in the testing community have suggested that 128 bit IDEA is being
used. Yet, they have not offered any proof of this. They are welcome to
substantiate their claims here.
This writer believes that DES or a variation of DES such as 3-DES is being
used, similar to Nagra 1. Why would they change this encryption
algorithm when it was never compromised? I mean everyone was getting the
DES keys from card dumps and NOT from a genuine attack on the DES
algorithm. It would be like a shopowner installing a bigger lock on his
shop door after burglars broke in through the window...he would be
better off putting bars on the window instead.
Also, they had the DES crypto-processor in silicon already and my hunch
is that they simply built around the Nagra 1 card.
Put very simply: If you can't get the DES keys in a roundabout way, DES
is quite secure. And at this time, nobody can get the DES keys!
One way to settle this matter would be to perform a statistical power
analysis of both Nagra 1 and 2 chips while they are decrypting $03 and
$07 commands. If there are 16 rounds of decryption, then it is DES. If there
are 8 rounds, then IDEA. If there are 48 rounds, then 3-DES. These
patterns will be clear during the test. A secondary test, although less
conclusive, would be to simply time the execution of the $03 and $07
commands. IDEA takes only half the time to execute on average.
If anyone has more information about the block cipher or about command
$07, please feel free to post. We really can't go any further until we
know the block cipher with certainty.
But the $1C command is much more interesting and easier to break! Keep
reading...
Technical Discussion: Command $1C
This command is used to encrypt the control words and send them to the
IRD. It is the counterpart to the $13 command in Nagra 1. It is slightly
different in format to the $13 command, which led us to our observations
about the extra 3 packets in the $07 command.
Here is a log of the $1C command:
21 00 08 ; A0 CA 00 00 ;Standard Header
02 ;Instruction Length
1C ;Command
00 36 ;Response Length
cs ;Checksum
And the response from the Nagra 2 card
12 00 38 ; 9C 34 ;Standard Response Header
00 08 ;Control Select? Filler?
aa aa aa aa aa aa aa aa ;Control Word 1a
bb bb bb bb bb bb bb bb ;Control Word 1b
cc cc cc cc cc cc cc cc ;Control Word 1c
00 08 ;Control Select? Filler?
AA AA AA AA AA AA AA AA ;Control Word 2A
BB BB BB BB BB BB BB BB ;Control Word 2B
CC CC CC CC CC CC CC CC ;Control Word 2C
90 00 ;SW1/SW2
cs ;Checksum
The response is exactly as expected from the Nagra 1 card except Control
Words 1b, 1c, 2B and 2C are new! Now, since the control words come down
in the $07 command, we are justified in assuming the extra 3 packets in
the $07 command are simply these extra control words coming down. These
extra "control words" must be important or they would not be added to
the $07 payload!
What are these extra control words and why are they there? The Mpeg-2
stream only needs 2 control words to be descrambled. Perhaps the extra
"control words" are for future use on the Mpeg-4 stream. If there are
any experts on the Mpeg-4 digital format, please enlighten us on the use
of control words in Mpeg-4. As far as I know, there is an extra DEFAULT
control word, in addition to the ODD/EVEN control words used in Mpeg-2.
Although we are not entirely certain that these extra "control words"
are really control words, we shall call them by that name. We are
certain that 2 of the 6 are indeed control words, or otherwise, the
current MPEG-2 stream could not be descrambled.
Now, let's discuss the encryption used by $1C. First off, the encryption
used by Nagra 1 and command $13 was DES and the 64 bit key used for
encryption was the infamous IRD boxkey. Whatever the encryption for
command $1C, the IRD boxkey is still being used as anyone can confirm by
changing the IRD boxkey on a subbed Nagra 2 IRD. The result will be a
black screen. Furthermore, one can easily clone receivers and still use
a valid Nagra 2 card.
IDEA has been proposed as the new encryption schema here too, but no
proof has been given. Nobody has publicly disassembled the firmware and
reverse engineered the algorithm. If IDEA is not being used on the $07
command, it will definitely not be used on a much less sensitive command like
$1C. Again, those who claim IDEA is being used are welcome to offer
proof.
It is the opinion of this writer that DES or a variation of DES is being
used. I am led to believe this because I have not succeeded in finding
the S-box constants in any IRD TSOP dumps...leading me to believe that
DES decryption is being done by a dedicated crypto-processor inside the
IRD. A card swap does not mean any chips inside the IRD are
changing...so unless an IDEA chip already existed in all IRDs
(farfetched, but possible), they would have to implement IDEA in
software and that would give the inner workings of the algorithm away.
If anyone knows where the S-Box constants are stored, please tell us and
that would settle this matter.
There has been some talk about a "secondary key" in some model IRDs.
This supposedly prevents receiver cloning as both the boxkey and
mysterious "secondary key" have to be known. Some have argued that this
supports the hypothesis of IDEA being used with a 16 byte key. However,
any secondary or tertiary keys may also be used in 3-DES or some
variant. The model IRDs I have examined do not seem to have any "extra"
keys.
The decryption process of the $1C command should not be too hard to
break, and I expect it to be broken first. It would be the first step
towards a married-sub solution.
More than likely, what is happening is the 6 "control words" are being
decrypted using DES and then combined using basic logic functions to
come up with the "valid" 2 control words that we were all used to with
Nagra 1.
For if they sent down only 2 control words in Nagra 2, we could compare
them with the known 2 control words being used by Nagra 1 and quickly
break the cipher. Hence, the most logical reason for 6 "control words"
is confusion.
Something to try: If anyone is running an emulation setup for Nagra 2,
they could try changing control words 1b, 1c, 1B, 1C or, any combination
thereof, before sending them to the IRD and see what difference it
makes. Are you still getting video?
So folks, that is a realistic view of Nagra 2...it is one of the
simplest Conditional Access systems around, but, when you don't have the
cipher keys, one of the most complex too!
Nagraman
Well, first of all, the 4 year crack due to CPU capabilities is dumb. Certain Windows encryptions have been broken by combining the CPU power of many people instead of using just 1 CPU vs 100, 500, as many as you can get to contribute.
Also, why not create a registry of valid sub cards and beat N2 like people beat copyright, sharing legal subs? Shit will get out of hand fast.