Encrypting Mag-Stripe cards [Cryptographic...
DarkEyeDragon 23 Jun 2016
Hello! I've been messing with the Cryptographic Accelerator for a few days now, but it's quite advanced and I can't seem to figure out how to decrypt my encrypted string from a Mag-stripe card.
This is how far I got:
DarkOS(core)
```lua
local p = peripheral.wrap("left")

function encryption(encr)
  key = p.generateSymmetricKey("AES")
  encodedKey = key.encode()
  ciphertext = key.encrypt("AES", encr)
  return encodedKey, ciphertext
end

function decription(encoded, encrypted)
  key = p.decodeKey("AES", encoded)
  plaintext = key.decrypt("AES", encrypted)
  return plaintext
end
```
The encryption of the card: (Would it be better to use asymmetrical encryption for this? Can't seem to figure that out tho)
```lua
os.loadAPI("darkOS")
encr = darkOS.encryption("user"..math.random(10,50))
local reader = peripheral.wrap("mag card reader_0")
while true do
  local event, arg1, arg2, arg3 = os.pullEvent()
  reader.beginWrite(encr, "DarkEyeDragon")
  if event == "mag_write_done" then
    print("card made")
  end
end
```
The decryption part is just a mess. I've got no idea how to even start on this xD
```lua
os.loadAPI("darkOS")
while true do
  local event, arg1, arg2, arg3 = os.pullEvent()
  decri = darkOS.decription(arg1)
  if arg1 == decri then
    print("yey")
  else
    print("nope")
  end
end
```
Documentation:
http://www.computerc...0272#entry90272 (API of the Cryptographic Accelerator)
http://www.computerc...ss-peripherals/
(general information on the mod)
To conclude:
I'm trying to encrypt a string onto a Mag-stripe card to then later decrypt it back and decode it. To check whether or not the person is valid to enter the building.
Edit: Some might be interested in why I want to do this?
It's just to prevent people from making a mag-card reader and pulling the information from the card and making a "cracked" version of it to break into my building. I know it sounds highly unlikely that that will ever happen. But hey, one can never be too secure.
Edited by DarkEyeDragon, 23 June 2016 - 04:53 PM.
Anavrins 23 Jun 2016
Encryption won't prevent forging another card; the attacker can simply copy the already encrypted string onto a new card, and it will still be decrypted correctly, even without knowing the secret key or string.
A good way would be to use One-Time Passwords, something similar to 2 Factor Authentication.
I don't quite have the time to give more info on that, I'll edit this post later when I do.
Edited by Anavrins, 23 June 2016 - 06:46 PM.
DarkEyeDragon 23 Jun 2016
Anavrins, on 23 June 2016 - 06:43 PM, said:
Encryption won't prevent forging another card; the attacker can simply copy the already encrypted string onto a new card, and it will still be decrypted correctly, even without knowing the secret key or string.
A good way would be to use One-Time Passwords, something similar to 2 Factor Authentication.
I don't quite have the time to give more info on that, I'll edit this post later when I do.
Well, my idea was to base the encrypted string on time and a random number within a certain range. After, let's say, 3 Minecraft days the card would not be accepted anymore. And encrypting it would be a good way to stop people from figuring out that method. That was the plan at least. Looking forward to your edit ;D
Anavrins 25 Jun 2016
Sorry for the late reply
I was thinking about this https://en.wikipedia...e-time_password
Basically, every time you swipe your mag-card, it authenticates the data on it, and then writes a new key, which will become the new correct key.
What this means is that the instant you legitimately authenticate, every illegitimate copy of it will be invalidated. You suspect somebody cloned your card, swipe it, every copy of it except yours is invalid now.
The only caveat with this is in case somebody clones your card, until you next swipe your card, he still has a valid card, and can invalidate your card from authenticating.
There's not much you can do against that other than frequently swiping your card once in a while to make sure.
All of this uses HMAC-SHA256, it's not available with the crypto accel. but I have a native Lua implementation of it which is quite fast, so you won't even need the accelerator.
Edited by Anavrins, 25 June 2016 - 03:49 PM.
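The rotating-token scheme described in the post above, sketched as an added example (not Anavrins' code and not part of the original thread). It is written in Python rather than ComputerCraft Lua because the standard library provides HMAC-SHA256; the `Door` class, its method names and the `user:token` card layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Door:
    """Reader-side state: one secret key plus a swipe counter per card holder."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # stays on the door computer
        self._counter = {}                   # user -> index of the valid token

    def _token(self, user, counter):
        msg = f"{user}:{counter}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, user):
        """Enroll a user and return the data to write on their first card."""
        self._counter[user] = 0
        return f"{user}:{self._token(user, 0)}"

    def swipe(self, card_data):
        """Return (accepted, new_card_data); a valid swipe rotates the token."""
        user, _, presented = card_data.partition(":")
        if user not in self._counter:
            return False, None
        expected = self._token(user, self._counter[user])
        # Constant-time comparison of the presented and expected tokens.
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return False, None
        self._counter[user] += 1
        return True, f"{user}:{self._token(user, self._counter[user])}"


def demo():
    door = Door()
    card = door.issue("alice")
    clone = card                    # byte-for-byte copy of the stripe
    ok1, card = door.swipe(card)    # owner swipes: accepted, card rewritten
    ok2, _ = door.swipe(clone)      # stale copy: rejected
    # The caveat from the post: whoever swipes first after the copy wins.
    card2 = door.issue("bob")
    clone2 = card2
    ok3, _ = door.swipe(clone2)     # copy swiped first: accepted
    ok4, _ = door.swipe(card2)      # owner's card is now the stale one
    return ok1, ok2, ok3, ok4
```

A rejected swipe from the legitimate holder is therefore a detection signal that a copy was used, and the door should log it and require re-issuing the card.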
DarkEyeDragon 26 Jun 2016
Anavrins, on 25 June 2016 - 03:43 PM, said:
Sorry for the late reply
I was thinking about this https://en.wikipedia...e-time_password
Basically, every time you swipe your mag-card, it authenticates the data on it, and then writes a new key, which will become the new correct key.
What this means is that the instant you legitimately authenticate, every illegitimate copy of it will be invalidated. You suspect somebody cloned your card, swipe it, every copy of it except yours is invalid now.
The only caveat with this is in case somebody clones your card, until you next swipe your card, he still has a valid card, and can invalidate your card from authenticating.
There's not much you can do against that other than frequently swiping your card once in a while to make sure.
All of this uses HMAC-SHA256, it's not available with the crypto accel. but I have a native Lua implementation of it which is quite fast, so you won't even need the accelerator.
That's quite cool. I just really wanted to figure out how to use the accelerator though, but no one here seems to know how to use it xD
TYKUHN2 26 Jun 2016
Encryption isn't validation, it's obscuration. The best you can do to validate with encryption is asymmetrical encryption, which proves that the sender is who they say they are, but it is still vulnerable to replay attacks assuming you don't include a one time key. Anavrins' suggestion is probably the best for a mag card, because mag-cards have no verifiable UUID (that I know of), making encryption next to worthless.
Wireless transmissions (or transmissions in general) are instantaneous enough and information dense enough that encryption works, sort of, assuming you modify a few identifiers.
Edited by TYKUHN2, 26 June 2016 - 04:15 PM.
DarkEyeDragon 26 Jun 2016
TYKUHN2, on 26 June 2016 - 04:10 PM, said:
Encryption isn't validation, it's obscuration. The best you can do to validate with encryption is asymmetrical encryption, which proves that the sender is who they say they are, but it is still vulnerable to replay attacks assuming you don't include a one time key. Anavrins' suggestion is probably the best for a mag card, because mag-cards have no verifiable UUID (that I know of), making encryption next to worthless.
Wireless transmissions (or transmissions in general) are instantaneous enough and information dense enough that encryption works, sort of, assuming you modify a few identifiers.
Thanks for the information. I see your point. I'll just use some randomizer of some sort and check the date etc.
Edited by DarkEyeDragon, 26 June 2016 - 04:58 PM.