Decoding Encryption with Permission...

How secure is DES for radio traffic? - NOT text documents.


rescue161 (KE4FHH, Database Admin, Hubert, NC):
You're completely ignoring my fresh challenge with P25 DES-OFB.

Not really, just haven't had a lot of time as of late. The radios are charging now, so I should have it up shortly.

How do you want it recorded? From a disc tap or just speaker audio? I think I can get discriminator output from an Astro Saber, but am not sure.

Lastly, I don't have more than one radio with DES-OFB on the same band, so that is out. The best I can do is going to be DES or DES-XL in digital mode. The modules do not include DES-OFB when read from the service menu. Is this a show-stopper? If not, which one do you want?
 

rescue161 (KE4FHH, Database Admin, Hubert, NC):
For some reason, I can't seem to get the new laptop to cooperate with recording the IMBE DES message. It keeps trying to adjust the volume and washing out the data. I can't seem to get a decent recording and the pins I've tried for the disc tap are not working either.

I'll bust out the original recording laptop this weekend and try it again. I have a better audio recording program on it, so wish me luck.
 

benbenrf (Member, United Kingdom):
Matt is correct - DES is DES is DES...

However, there are characteristics which "vary" with respect to DES (and most other encryption/cypher techniques) that add additional considerations when undertaking key recovery in RF environments:

MODULATION [technique]: to recover any info from an RF transmission - encrypted/cyphered or not - the unavoidable first step is demodulation. What affects how this impacts subsequent key/data recovery are the characteristics of the modulation technique adopted in the first place, namely the modulation technique used, the associated signal-to-noise ratio (SNR) and, as already mentioned earlier, the dynamic range (DR).

All very well in theory; however, different modulation techniques and associated RF hardware give rise to different [acceptable] SNR levels before info/data starts to get corrupted in one way or another and becomes unrecoverable, and to different spurious-free dynamic ranges (SFDR). These are complications that can occur during modulation and/or demodulation. Dynamic range and SNR are seldom, if ever, the issue in hardwired comms that they are in RF comms.

Tackling recorded RF/DES? - I don't see a problem. Given hardware/software that can deal with the above added complications (and it does exist off the shelf today), it's been demonstrated more than once within the enthusiast community (i.e. outside of the state/LEO/intelligence community).

Tackling RF/DES on the fly/real time? - ?????. That's another story altogether!! Keeping in mind the processes that have to be run through (of which the actual decryption part is only one), and the additional potential "complications" that have to be overcome - quite frankly, I don't think the processing power & speed required has got to a level yet where it can be budgeted for by anyone other than the state/LEO/intelligence community, or a seriously wealthy private individual for whom funding would not be their - but technically, yes, I believe it is possible to do.

DES, however, is still DES at the end of the day - it's just that the RF environment adds a whole bunch of issues - practical & financial - that are not encountered dealing with DES in hardwired environments.
 

MattSR (Member, Sydney, Australia):
Scott - It needs to be one of the P25 approved algorithms - DES-OFB or AES256 (with part of the key, of course, because we don't have access to an NSA-style supercomputer).
 

rescue161 (KE4FHH, Database Admin, Hubert, NC):
I do have a few radios with DES-OFB, but I don't have a radio to record the decrypted audio. Would a scanner's disc tap be okay?

Also, my key loader is a T3011DX. Will it load a DES-OFB key? I'm assuming yes.
 

gary123 (Member):
Rescue you can check the "quality" of the sample by feeding it back to the transmitting unit. If the signal is good you should be able to get decrypt.

Matt, I like the idea of P25 DES-OFB as, you have stated, the format for this signal is standardised. The routine I was mentioning in another thread would have uses for this application, as raw data from the LDU1 and LDU2 can be looked at directly.
 

rescue161 (KE4FHH, Database Admin, Hubert, NC):
I did, but I still don't think it sounds right. I am running into the same problem as last time - nowhere to host it.
 

MattSR (Member, Sydney, Australia):
megaupload also works well.

In any case, it only needs to be a short transmission (a couple of seconds max) so the resulting wave file should be very small - small enough to email even :)
 

MattSR (Member, Sydney, Australia):
So.

To everyone that said it can't be done: I will be presenting the results of our research next week at RUXCON. Breaking DES-OFB is computationally easier than looking for ASCII text. I figured out how to do this in about March this year and now we are ready to release our work.

Researcher eyes holes in Triple Zero radio - Security - News

That's me at the bottom. Steve started the project and I discovered a flaw that allows us to brute force DES-OFB quite simply (hence why I'm co-presenter).

Cheers,
Matt
 

rescue161 (KE4FHH, Database Admin, Hubert, NC):
MattSR said:
So.

To everyone that said it can't be done: I will be presenting the results of our research next week at RUXCON. Breaking DES-OFB is computationally easier than looking for ASCII text. I figured out how to do this in about March this year and now we are ready to release our work.

Researcher eyes holes in Triple Zero radio - Security - News

That's me at the bottom. Steve started the project and I discovered a flaw that allows us to brute force DES-OFB quite simply (hence why I'm co-presenter).

Cheers,
Matt

Sorry I haven't been active in a while. I've just been extremely busy at work. What is the difference between cracking DES-OFB and regular old DES? My original message was posted in DES. Would it be more or less difficult to decode my message versus a DES-OFB message?

One guy got REALLY close and sent me a transcript of what I said in the first sentence. He didn't provide me with the decrypted audio of my voice, but the text matched what I said (it's a very strange script).

I tried to get a good audio file to upload, but am having difficulty. Are you able to use my original file for decoding purposes?
 

MattSR (Member, Sydney, Australia):
rescue161 said:
Would it be more or less difficult to decode my message versus a DES-OFB message?

The computational work effort is identical since it's the same underlying block cipher (just plain DES). OFB adds some stuff that prevents TMTO attacks, which enable the creation of rainbow tables that allow you to recover a key and break encryption in 10 seconds or so. Depending on which mode the original Securenet DES uses (plain DES is normally DES-ECB), the 10-second rainbow table attack could be implemented with some work.

rescue161 said:
One guy got REALLY close and sent me a transcript of what I said in the first sentence. He didn't provide me with the decrypted audio of my voice, but the text matched what I said (it's a very strange script).

Yep - and it's a safe bet that he did no cryptographic work at all. After you posted the key, he simply keyloaded a radio with the known key and used it as a receiver while he replayed the wave file through a transmitter. While it might get you the original message, it doesn't count :)

rescue161 said:
I tried to get a good audio file to upload, but am having difficulty. Are you able to use my original file for decoding purposes?

Our work solely focuses on APCO P25 ;)
 
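Added example, not from the thread or any of its posters: a toy Feistel cipher stands in for DES so the ECB-versus-OFB point Matt makes above can be run offline. The cipher, its 16-bit key, 32-bit block, the "SYNC" header, the key and the IV are all constructed for illustration (real DES has a 64-bit block and 56-bit key; nothing here touches radio data). Under ECB, a fixed and known first block produces a ciphertext that depends only on the key, so a table of E_k(known block) over every key, built once, recovers the key by lookup (the time/memory trade-off idea, shown here as a plain table rather than a rainbow table). Under OFB the first keystream block is E_k(IV): known plaintext still leaks that keystream block, but the same table does not contain it for the correct key unless the IV happens to equal the block the table was built for, so the work becomes per-message while the keyspace itself is no larger. That is the defender's caveat in Matt's post: the mode changes what can be precomputed, not how short the key is.

```python
# Added example, not from the thread: a toy Feistel cipher stands in for DES so
# the ECB-vs-OFB point can be run offline. Parameters are constructed for
# illustration (real DES: 64-bit block, 56-bit key); nothing here parses radio.
import struct

BLOCK_BYTES = 4          # toy 32-bit block
KEY_BITS = 16            # toy keyspace, small enough to enumerate fully
ROUNDS = 8
KNOWN_HEADER = b"SYNC"   # constructed stand-in for a fixed, known first block


def _round_fn(half: int, subkey: int) -> int:
    """Round function on a 16-bit half block (constructed; not DES's F)."""
    x = (half ^ subkey) & 0xFFFF
    x = (x * 0x9E37 + 0x5BD1) & 0xFFFF
    return ((x << 5) | (x >> 11)) & 0xFFFF


def _subkeys(key: int) -> list:
    return [((key * (r + 1)) ^ (key >> r)) & 0xFFFF for r in range(ROUNDS)]


def toy_encrypt_block(key: int, block: bytes) -> bytes:
    """Feistel network: (L, R) -> (R, L ^ F(R, k_i)); a permutation for every key."""
    left, right = struct.unpack(">HH", block)
    for sk in _subkeys(key):
        left, right = right, left ^ _round_fn(right, sk)
    return struct.pack(">HH", right, left)   # undo the final swap


def toy_decrypt_block(key: int, block: bytes) -> bytes:
    left, right = struct.unpack(">HH", block)
    for sk in reversed(_subkeys(key)):
        left, right = right, left ^ _round_fn(right, sk)
    return struct.pack(">HH", right, left)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key: int, data: bytes) -> bytes:
    """ECB: blocks encrypted independently; equal plaintext blocks give equal ciphertext."""
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK_BYTES])
                    for i in range(0, len(data), BLOCK_BYTES))


def ofb_encrypt(key: int, iv: bytes, data: bytes) -> bytes:
    """OFB: keystream_0 = E_k(IV), keystream_i = E_k(keystream_{i-1}); ct = pt XOR keystream.
    The block cipher never sees plaintext, so the same call also decrypts."""
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK_BYTES):
        feedback = toy_encrypt_block(key, feedback)
        out += _xor(data[i:i + BLOCK_BYTES], feedback)
    return bytes(out)


def build_table(known_block: bytes) -> dict:
    """One-off precomputation: E_k(known_block) -> k for every key in the toy keyspace."""
    return {toy_encrypt_block(k, known_block): k for k in range(1 << KEY_BITS)}


def recover_ecb_key(table: dict, ecb_ciphertext: bytes):
    """ECB: block 0 is E_k(KNOWN_HEADER) itself, so a single lookup yields the key."""
    return table.get(ecb_ciphertext[:BLOCK_BYTES])


def recover_ofb_key(table: dict, ofb_ciphertext: bytes, iv: bytes, known_block: bytes):
    """OFB: known plaintext leaks keystream_0 = E_k(IV), but the table was indexed on
    E_k(known_block). A hit only counts if the candidate re-encrypts the IV to that value."""
    keystream0 = _xor(ofb_ciphertext[:BLOCK_BYTES], known_block)
    candidate = table.get(keystream0)
    if candidate is not None and toy_encrypt_block(candidate, iv) == keystream0:
        return candidate
    return None


def demo(key: int = 0xBEEF, iv: bytes = b"\x13\x37\xc0\xde") -> dict:
    message = KNOWN_HEADER + b"voiceframe12"   # constructed 16-byte sample
    table = build_table(KNOWN_HEADER)
    ecb_ct = ecb_encrypt(key, message)
    ofb_ct = ofb_encrypt(key, iv, message)
    return {
        "ecb_key_from_table": recover_ecb_key(table, ecb_ct),      # the key
        "ofb_key_from_table": recover_ofb_key(table, ofb_ct, iv, KNOWN_HEADER),  # None
        # the leaked OFB keystream block is E_k(IV), i.e. it depends on the IV
        "ofb_keystream0_is_E_k_iv": _xor(ofb_ct[:BLOCK_BYTES], KNOWN_HEADER) == toy_encrypt_block(key, iv),
        "roundtrip_ok": toy_decrypt_block(key, toy_encrypt_block(key, KNOWN_HEADER)) == KNOWN_HEADER
                        and ofb_encrypt(key, iv, ofb_ct) == message,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` builds the 65,536-entry table once, then recovers the toy key from the ECB ciphertext by lookup and gets nothing from the OFB ciphertext of the same message, even though the OFB header still leaks a keystream block. Scaling the same picture to DES is what the post means by "some work": a real table is sized by the key, so the mode decides only whether that table can be built ahead of time.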

highstupid (Member, Wellington County, Ontario):
Simple Answer

Sorry to add to this old thread but could you not get another radio with DES and put the key on it and play back the discr. tap audio through another radio on the same frequency but bypass the microphone and record the end result.
 