[Simsec] doubt about fuzzing algorithm of SIMTester

S. L. atalasa at hotmail.com
Wed Nov 13 04:00:35 CET 2019


I'm focused on the fuzzing part of SimTester.
My goal is to understand how to detect in an OTA package (03.48) if there is a TAR without encryption or a TAR with DES encryption, to know what part of the message is encrypted to be broken to make a rainbow table.

Please, tell me if I understood correctly

1) To detect TAR without encryption:
They send an OTA with TAR = 0x00000 for example,
an SPI = mandatory PoR, not encrypted, not checksum
KiC and KiD = 01, for example
And they save the value of the COUNTER
So if in the response OTA the value of the COUNTER matches the one you sent and the RSC (status code) is different from 0x09, they know it is not encrypted and they call it a CRITICAL WEAKNESS in SIMTester.

2) To detect TAR with DES encryption:
They send an OTA with TAR = 0x00000 for example,
an SPI = mandatory PoR, DES encryption, DES checksum
KiC and KiD = 01, for example
And they save the value of the COUNTER

If the COUNTER value is different, it is encrypted. And the OTA message can even come with added data encrypted in the user part, and this is called a WARNING WEAKNESS in SIMTester.

Then the values that will be encrypted are COUNTER, PTCNT, RSC, and the user added value.


Is this reasoning correct?

Do you have any solved example of an OTA message with DES encryption or without encryption?

Thank you for your help and your time
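As an added illustration (not code from SIMTester or from the poster), the following Python parses a 03.48 response packet (PoR) from the RPL byte onwards and applies the two checks described above, echoed COUNTER plus RSC, to label the TAR. The field layout used (RPL, RHL, TAR, CNTR, PCNTR, RSC, RC/CC/DS, additional data) is the plaintext response-packet layout; the three sample packets are constructed here, not captured from a real card, and the labels `CRITICAL WEAKNESS` / `WARNING WEAKNESS` / `TAR UNKNOWN` mirror the post's wording.

```python
from dataclasses import dataclass

RSC_TAR_UNKNOWN = 0x09  # 03.48 response status code "TAR unknown"


@dataclass
class ResponsePacket:
    tar: bytes
    cntr: bytes
    pcntr: int
    rsc: int
    rc_cc_ds: bytes   # empty when no checksum/signature was requested
    data: bytes       # additional response data (the "user part")


def parse_por(raw: bytes) -> ResponsePacket:
    """Parse a 03.48 response packet starting at RPL, assuming plaintext field layout."""
    rpl = int.from_bytes(raw[0:2], "big")          # length of everything after RPL
    body = raw[2:2 + rpl]
    if len(body) != rpl:
        raise ValueError("truncated response packet")
    rhl = body[0]                                   # TAR+CNTR+PCNTR+RSC+RC/CC/DS length
    if rhl < 10 or rhl > len(body) - 1:
        raise ValueError("implausible RHL")
    hdr = body[1:1 + rhl]
    return ResponsePacket(tar=hdr[0:3], cntr=hdr[3:8], pcntr=hdr[8], rsc=hdr[9],
                          rc_cc_ds=hdr[10:], data=body[1 + rhl:])


def classify_tar(sent_cntr: bytes, por: ResponsePacket) -> str:
    """Label a TAR from its PoR using the heuristic described in the post."""
    if por.cntr == sent_cntr:
        # COUNTER echoed in clear: the PoR is not encrypted at all.
        if por.rsc == RSC_TAR_UNKNOWN:
            return "TAR UNKNOWN"       # card answered, but does not serve this TAR
        return "CRITICAL WEAKNESS"     # TAR reachable and PoR readable in plaintext
    # COUNTER not recognisable: CNTR/PCNTR/RSC/RC-CC-DS and data are ciphered.
    return "WARNING WEAKNESS"


# Constructed sample packets (hex), TAR 000000, sent COUNTER 0000000005.
SENT_CNTR = bytes.fromhex("0000000005")
POR_PLAIN = bytes.fromhex("000B" "0A" "000000" "0000000005" "00" "00")
POR_UNKNOWN_TAR = bytes.fromhex("000B" "0A" "000000" "0000000005" "00" "09")
# DES-ciphered PoR: header fields after TAR look random, 8-byte CC, 8 bytes of ciphered data.
POR_DES = bytes.fromhex("001B" "12" "000000" "A3F19C04D7" "5E" "21"
                        "0011223344556677" "8899AABBCCDDEEFF")

if __name__ == "__main__":
    for name, pkt in (("plain", POR_PLAIN), ("unknown", POR_UNKNOWN_TAR), ("des", POR_DES)):
        print(name, classify_tar(SENT_CNTR, parse_por(pkt)))
```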