[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fiat Shamir Zero Knowledge Test

>Can someon point me to a net description of
>the "Fiat Shamir Zero Knowledge Test" used
>in the RCA DirecTV smart cards.

The standard text on this is the paper "How To Prove Yourself" by Fiat and
Shamir. I'll try and dig up the name of the ftp site I found it on but in
the meantime here is a rough description.

The access control system for RCA DirecTv was developed by News Datacom.
They, News Datacom, also developed the security for the VideoCrypt system
here in Europe. The smart card used in VideoCrypt here in Europe has been
continually reverse-engineered for the last three card issues. (currently on
issue 09). Therefore much of the description below is based on the European
system. Of course the fact that the DSS cards are now turning up in Europe
repainted as Sky cards indicates that the ROM is identical. This is where
the routined for card i/o protocols and data packets are. As a result, the
DirecTv system probably uses the same packet types. Any of the pirate smart
card emulator programs available on BBSes on FTP sites can be used to
monitor the data flowing to and from the card. Cutting to the chase:

Packet - Direction- Bytes - Function
70       C > D      6       Card presents  6 byte ID number to decoder
7C       C > D     16       Card sends tiering/authorisation levels to decoder
7E	 C > D     64       Card sends X value for ZKT to decoder 
80       D > C	    1       Decoder sends Q flag to card (either 00h or 01h)
82       C > D     64       Card's Y ZKT response to decoder
70       C > D      6       Card presents 6 byte ID number to decoder

The Fiat Shamir ZKT as used in here is dependent on a number of elements:
S, the serial number of the card. 
N, the common modulus. 
R, the look-up table in the card (a block of data).
X, the value sent by the card to be authenticated.
Q, the calculation mode flag (either 00h or 01h)
Y, the calculated response from the card.

The X value is calculated as X=R^2 mod N. The Y responses are calculated as

 Y = R if Q=00h
 Y = (R * S) mod N if Q=01h

The Q flag tells the card how to generate response Y. The card would be
authenticated in the following cases:

If Q=00h then Y^2 = X mod N

If Q=01h then Y^2 = (X * V) mod N where V is the card identity number
received prior to the authentication process. S, the card serial number is
derived from V by the equation: S = sqrt (V) mod N

The implementation of the ZKT in VideoCrypt is faulty and open to a simple
hack. It is designed to make the card authenticate itself. Many of the
earlier decoders had a flaw in the ZKT calculation routines in the decoder.
Of course the data in the decoder was easily popped by hackers since the
microcontroller in charge of the authentication was not secured.

In the VideoCrypt system, one of the latest bypasses for the ZKT is to
record the response from a valid card and have the pirate card replay it.
This saves a lot of time and it does work perfectly.

Since the complete contents, (ROM and EEPROM), of the VideoCrypt card are
now available, the whole idea of authentication is invalid. In the DSS
system, however, there the ZKT is still viable though there are some ways in
which it theoretically could  be bypassed if it uses the same implementation
as VideoCrypt.

(John McCormac)
Version: 2.6.2