1995-07-12 - SSL RC4 challenge

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 956294cadc34e589a869da2791ec06bc71e3cae93b42501917a9229ada9f0bfb
Message ID: <199507121722.KAA19834@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1995-07-12 17:23:37 UTC
Raw Date: Wed, 12 Jul 95 10:23:37 PDT

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Wed, 12 Jul 95 10:23:37 PDT
To: cypherpunks@toad.com
Subject: SSL RC4 challenge
Message-ID: <199507121722.KAA19834@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


Here is a challenge to try breaking SSL using the default exportable
encryption mode, 40-bit RC4.  It consists of a record of a submission
of form data which was sent to Netscape's electronic shop order form in
"secure" mode.  However the data I entered in the form is not my real
name and address.  The challenge is to break the encryption and recover
the name and address info I entered in the form and sent securely to
Netscape.

(A URL for info on SSL is http://home.netscape.com/newsref/std/SSL.html.)

Below is the data which was sent back and forth, along with some
annotations to help interpret it.  The connection was made to
order.netscape.com at port 443, the https port.

The following is the first message from client to server, the
CLIENT-HELLO message.  It is not encrypted.

0x80 0x1c 0x01 0x00 0x02 0x00 0x03 0x00 0x00 0x00 0x10 0x02 0x00 0x80 0xaf 0x84
0xa7 0x79 0xf8 0x13 0x69 0x20 0x25 0x9b 0x53 0xa0 0x60 0xae 0x75 0x51 

This is interpreted as follows:

0x80 0x1c	Length field: 28 bytes follow in the packet.
0x01		MSG_CLIENT_HELLO
0x00 0x02	CLIENT-VERSION-MSB CLIENT-VERSION-LSB
0x00 0x03	CIPHER-SPECS-LENGTH-MSB CIPHER-SPECS-LENGTH-LSB
0x00 0x00	SESSION-ID-LENGTH-MSB SESSION-ID-LENGTH-LSB
0x00 0x10	CHALLENGE-LENGTH-MSB CHALLENGE-LENGTH-LSB
0x02 0x00 0x80	CIPHER-SPECS-DATA
<none>		SESSION-ID-DATA
0xaf...0x51	CHALLENGE-DATA [16 bytes]

The only cipher spec sent (and hence supported) by the browser is
0x02 0x00 0x80, which is SSL_CK_RC4_128_EXPORT40_WITH_MD5.  No session id
is sent, hence new key information will be calculated for this session.
And 16 bytes of challenge data are sent in the clear; this will be useful
as known plaintext returned encrypted by the server later.

The following data is then returned by the server, in the SERVER-HELLO
message:

0x82 0x2b 0x04 0x00 0x01 0x00 0x02 0x02 0x0d 0x00 0x03 0x00 0x10 0x30 0x82 0x02
0x09 0x30 0x82 0x01 0x72 0x02 0x02 0x00 0x88 0x30 0x0d 0x06 0x09 0x2a 0x86 0x48
0x86 0xf7 0x0d 0x01 0x01 0x04 0x05 0x00 0x30 0x47 0x31 0x0b 0x30 0x09 0x06 0x03
0x55 0x04 0x06 0x13 0x02 0x55 0x53 0x31 0x10 0x30 0x0e 0x06 0x03 0x55 0x04 0x0b
0x13 0x07 0x54 0x65 0x73 0x74 0x20 0x43 0x41 0x31 0x26 0x30 0x24 0x06 0x03 0x55
0x04 0x0a 0x13 0x1d 0x4e 0x65 0x74 0x73 0x63 0x61 0x70 0x65 0x20 0x43 0x6f 0x6d
0x6d 0x75 0x6e 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0x73 0x20 0x43 0x6f 0x72 0x70
0x2e 0x30 0x1e 0x17 0x0d 0x39 0x35 0x30 0x32 0x32 0x34 0x30 0x31 0x30 0x39 0x32
0x34 0x5a 0x17 0x0d 0x39 0x37 0x30 0x32 0x32 0x33 0x30 0x31 0x30 0x39 0x32 0x34
0x5a 0x30 0x81 0x97 0x31 0x0b 0x30 0x09 0x06 0x03 0x55 0x04 0x06 0x13 0x02 0x55
0x53 0x31 0x13 0x30 0x11 0x06 0x03 0x55 0x04 0x08 0x13 0x0a 0x43 0x61 0x6c 0x69
0x66 0x6f 0x72 0x6e 0x69 0x61 0x31 0x16 0x30 0x14 0x06 0x03 0x55 0x04 0x07 0x13
0x0d 0x4d 0x6f 0x75 0x6e 0x74 0x61 0x69 0x6e 0x20 0x56 0x69 0x65 0x77 0x31 0x2c
0x30 0x2a 0x06 0x03 0x55 0x04 0x0a 0x13 0x23 0x4e 0x65 0x74 0x73 0x63 0x61 0x70
0x65 0x20 0x43 0x6f 0x6d 0x6d 0x75 0x6e 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0x73
0x20 0x43 0x6f 0x72 0x70 0x6f 0x72 0x61 0x74 0x69 0x6f 0x6e 0x31 0x16 0x30 0x14
0x06 0x03 0x55 0x04 0x0b 0x13 0x0d 0x4f 0x6e 0x6c 0x69 0x6e 0x65 0x20 0x4f 0x72
0x64 0x65 0x72 0x73 0x31 0x15 0x30 0x13 0x06 0x03 0x55 0x04 0x03 0x13 0x0c 0x41
0x72 0x69 0x20 0x4c 0x75 0x6f 0x74 0x6f 0x6e 0x65 0x6e 0x30 0x5a 0x30 0x0d 0x06
0x09 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01 0x05 0x00 0x03 0x49 0x00 0x30
0x46 0x02 0x41 0x00 0xa5 0xa7 0x7b 0x42 0xb1 0x79 0x2d 0x0b 0x35 0x08 0xb4 0x0d
0x74 0x1d 0x46 0x6a 0x29 0x07 0x47 0x08 0xdc 0x3a 0x76 0x36 0xbd 0x7f 0xb3 0xd4
0xa9 0x85 0x9d 0x4b 0x65 0x74 0xc1 0x00 0x56 0xec 0x5a 0x31 0x72 0x23 0x04 0xc1
0xcf 0x78 0x63 0x21 0x77 0x69 0xd9 0xf0 0x61 0xc8 0x73 0xf7 0xdc 0x4c 0xde 0xd2
0x22 0x99 0x79 0xdf 0x02 0x01 0x03 0x30 0x0d 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7
0x0d 0x01 0x01 0x04 0x05 0x00 0x03 0x81 0x81 0x00 0x7e 0x4a 0x28 0x7d 0xba 0xfa
0x41 0x5a 0x19 0x1c 0x9a 0xea 0x6d 0x3b 0x07 0x1c 0x97 0xe0 0xf5 0xf8 0x4c 0xd5
0x92 0x0c 0x1c 0x30 0x49 0x06 0x72 0x42 0x9a 0x3f 0xfc 0x3b 0x11 0x17 0x78 0x7e
0x6c 0x27 0x8a 0x12 0x19 0xf3 0x08 0x18 0x6e 0xe0 0xc3 0xbe 0xe7 0x37 0xbd 0x4e
0xae 0xe1 0x9e 0x4a 0x3b 0xa9 0xbf 0xc0 0x92 0x59 0x2c 0xdb 0x37 0x34 0xc8 0xa0
0xc0 0xba 0xb8 0x6f 0xd3 0xd6 0xc7 0x48 0x88 0xbc 0xd6 0xff 0x7a 0xf7 0x76 0x70
0x2c 0x19 0x07 0xc8 0x7c 0x80 0x29 0x18 0x58 0xfc 0xd1 0x12 0x86 0x99 0x4e 0x32
0xee 0xb9 0xf5 0x11 0x70 0xd5 0x1b 0xf7 0x85 0x5b 0x4a 0x0e 0xd6 0xe6 0x6c 0x52
0xf5 0x8a 0x2c 0x97 0x3e 0x63 0x85 0x57 0x43 0xbc 0x02 0x00 0x80 0xbf 0xeb 0x90
0xf8 0x2c 0x0c 0xe1 0xea 0x18 0xac 0x11 0x4c 0x83 0x14 0x21 0xb6 

This is interpreted as follows:

0x82 0x2b	Packet length, 555 bytes follow.
0x04		MSG-SERVER-HELLO
0x00		SESSION-ID-HIT
0x01		CERTIFICATE-TYPE
0x00 0x02	SERVER-VERSION-MSB SERVER-VERSION-LSB
0x02 0x0d	CERTIFICATE-LENGTH-MSB CERTIFICATE-LENGTH-LSB
0x00 0x03	CIPHER-SPECS-LENGTH-MSB CIPHER-SPECS-LENGTH-LSB
0x00 0x10	CONNECTION-ID-LENGTH-MSB CONNECTION-ID-LENGTH-LSB
0x30...0xbc	CERTIFICATE-DATA [525 bytes]
0x02 0x00 0x80	CIPHER-SPECS-DATA
0xbf...0xb6	CONNECTION-ID-DATA [16 bytes]

Most of the packet is the certificate.  SESSION-ID-HIT is 0 since no
session ID was sent by the client.  After the 525 (0x020d) bytes of
certificate comes the 3 byte code for 40 bit RC4, then the 16 byte
connection ID.  The main importance of the connection ID data here
is that it helps to calculate the session keys as described below.

The next message, from the client to the server, is the CLIENT-MASTER-KEY
sent mostly in the clear:

0x80 0x55 0x02 0x02 0x00 0x80 0x00 0x0b 0x00 0x40 0x00 0x00 0x0e 0x89 0x94 0xb8
0xbf 0x0e 0xb9 0x2e 0x50 0x44 0x07 0x8c 0x52 0xeb 0xef 0x44 0xc1 0x01 0x4b 0xc1
0x02 0xd2 0x2e 0x37 0x1f 0x1d 0x54 0xc2 0x83 0x45 0x79 0x6b 0xc8 0xe3 0x85 0x17
0xb8 0xd4 0x84 0xc6 0x9f 0xb1 0x6a 0x03 0x2e 0x97 0xae 0x82 0x75 0x10 0xf0 0x7b
0x5f 0x25 0x7b 0x88 0x75 0xc6 0x7a 0x33 0x5f 0xd6 0x96 0x99 0x94 0xd0 0x7a 0x78
0xae 0x50 0x32 0x1a 0xbb 0x66 0x50 

It is interpreted as follows:

0x80 0x55	Packet length, 85 bytes follow.
0x02		MSG-CLIENT-MASTER-KEY
0x02 0x00 0x80	CIPHER-KIND
0x00 0x0b	CLEAR-KEY-LENGTH-MSB CLEAR-KEY-LENGTH-LSB
0x00 0x40	ENCRYPTED-KEY-LENGTH-MSB ENCRYPTED-KEY-LENGTH-LSB
0x00 0x00	KEY-ARG-LENGTH-MSB KEY-ARG-LENGTH-LSB
0x0e...0x07	CLEAR-KEY-DATA [11 bytes]
0x8c...0x50	ENCRYPTED-KEY-DATA [64 bytes]
<none>		KEY-ARG-DATA

The 11 most significant bytes (88 bits) of "master key" information are
sent in the clear as the CLEAR-KEY-DATA.  The remaining 40 low-order
bits of the 128-bit master key are RSA encrypted using the server's
public key, expanding in the process to 64 bytes, and sent as the
ENCRYPTED-KEY-DATA.  No KEY-ARG-DATA is sent since RC4 doesn't need an
initialization vector.

Now that these packets have been exchanged, from this point on, all
packets are sent encrypted.  For each such packet, after the packet
length bytes there is a 16-byte Message Authentication Code (MAC).
Then comes the RC4 encrypted data itself.

Two different session keys are used, both generated from the master key,
the 16-byte challenge data, and the 16-byte connection ID data.  The
CLIENT-READ-KEY, used for data sent from server to client, is calculated
as:

	MD5 (MASTER-KEY, "0", CHALLENGE, CONNECTION-ID).

"0" is one byte of 0x30, ascii 0.

The CLIENT-WRITE-KEY, used for data sent from client to server, is
calculated as:

	MD5 (MASTER-KEY, "1", CHALLENGE, CONNECTION-ID).

"1" is one byte of 0x31, ascii 1.

MD5 produces 128 bits of output which are used directly as the key input
to the RC4 algorithm.

The next message, from server to client, is SERVER-VERIFY.  It is sent
encrypted:

0x80 0x21 0x37 0x68 0x3a 0x8c 0x7d 0x33 0xb2 0x2f 0xb9 0x66 0xeb 0xd2 0x63 0xcd
0xa7 0xed 0x71 0xa0 0xb6 0x2f 0xb6 0xe2 0x31 0xa4 0x2a 0x81 0xd3 0x25 0x61 0x58
0xbc 0xf0 0xf4 

This is interpreted as follows:

0x80 0x21	Packet length, 33 bytes follow
0x37...0xed	MAC [16 bytes]
0x71		RC4 encrypted MSG-SERVER-VERIFY (0x05)
0xa0...0xf4	RC4 encrypted CHALLENGE-DATA from CLIENT-HELLO message
		[16 bytes]

The first RC4 encrypted byte is MSG-SERVER-VERIFY (which has a value of
0x05).  This is followed by 16 bytes of challenge data from the first
client message, encrypted.  These 17 bytes represent known plaintext
which can be used to easily check any guessed RC4 CLIENT-READ-KEY.

Let me make this a little more clear.  The first RC4 encryption with the
CLIENT-READ-KEY, immediately after key setup, is as follows:

Plaintext (MSG-SERVER-VERIFY plus CHALLENGE-DATA):

0x05 0xaf 0x84 0xa7 0x79 0xf8 0x13 0x69 0x20 0x25 0x9b 0x53 0xa0 0x60 0xae 0x75
0x51 

Ciphertext (from SERVER-VERIFY packet):

0x71 0xa0 0xb6 0x2f 0xb6 0xe2 0x31 0xa4 0x2a 0x81 0xd3 0x25 0x61 0x58 0xbc 0xf0
0xf4 

The next message in the protocol is CLIENT-FINISHED, sent encrypted from
client to server:

0x80 0x21 0xed 0x59 0x0a 0x2a 0x80 0x50 0x42 0xec 0xcd 0xed 0x6c 0x96 0x0a 0xab
0x5c 0x0e 0xed 0x55 0xc3 0x21 0x6e 0x34 0x26 0x5b 0x46 0x41 0x35 0x51 0xb7 0xaa
0xec 0x57 0x9f 

This is interpreted as follows:

0x80 0x21	Packet length, 33 bytes follow
0xed...0x0e	MAC [16 bytes]
0xed		RC4 encrypted MSG-CLIENT-FINISHED (0x03)
0x55...0x9f	RC4 encrypted CONNECTION-ID from SERVER-HELLO [16 bytes]

This is the first message sent encrypted with the CLIENT-WRITE-KEY and
could also be used as known plaintext to check a guessed key.

The next message is SERVER-FINISHED, sent encrypted from server to
client:

0x80 0x21 0x79 0x84 0xc6 0xb6 0xde 0xf4 0x4c 0xd2 0x52 0x56 0xdc 0x58 0x23 0xa0
0xfa 0x4d 0x06 0x7d 0x4c 0x12 0x32 0x32 0xea 0xaa 0x5a 0xb6 0xa7 0xb8 0x1a 0x66
0xeb 0x65 0x56 

This is interpreted as follows:

0x80 0x21	Packet length, 33 bytes follow
0x79...0x4d	MAC [16 bytes]
0x06		RC4 encrypted MSG-SERVER-FINISHED (0x06)
0x7d...0x56	RC4 encrypted SESSION-ID-DATA [16 bytes]

The SESSION-ID-DATA has not been previously sent in the clear.  It would
be used to cache the key info for a future session.

From here on out, the handshaking is done.  Every message sent will be
encrypted and packetized.  The first two bytes are packet length, then
16 bytes of MAC, then the data.

First data message from client to server.  Presumably it is an http "GET"
request, with form information embedded in the URL.  This is the main one
to try decrypting (starting with 0x6b as the first encrypted byte).

0x82 0xf8 0x07 0x97 0xef 0x99 0x66 0x45 0x48 0x22 0xe4 0xdc 0x31 0xe4 0xf9 0x0b
0xb9 0x98 0x6b 0x99 0x2a 0x09 0x29 0xae 0xa6 0x8d 0xbf 0xb0 0xd3 0xa6 0x83 0xec
0x69 0x1c 0xcc 0x11 0x66 0x84 0x21 0x77 0xfb 0x86 0x73 0x10 0xfb 0xa9 0xe3 0x3b
0x2f 0xd4 0x0f 0xb9 0xbd 0x3f 0xa4 0x0b 0x41 0xd5 0xc9 0x90 0x6d 0xa7 0x34 0x7a
0x5a 0xc1 0x69 0x8d 0xe9 0x64 0xad 0x0d 0xa8 0xae 0x91 0xd1 0xa6 0x70 0xac 0xf9
0xe6 0x11 0x38 0xa0 0xa7 0xd9 0x7c 0xc7 0x18 0x17 0xe2 0x0d 0x8d 0x30 0xb0 0x1c
0x22 0x25 0xa3 0x61 0xee 0xa2 0xca 0xe5 0xf8 0x20 0x5b 0xe1 0x58 0xcf 0xa5 0x21
0xe3 0x23 0xa6 0xfb 0xf6 0x2b 0xba 0x69 0xca 0xa3 0xe6 0x4a 0x47 0x4c 0x77 0xb8
0xc2 0x93 0x8e 0xb7 0x5d 0x17 0x06 0x57 0x19 0x6e 0x00 0x34 0xd6 0xc5 0x64 0x5e
0x23 0x60 0x03 0xf9 0xb2 0x9d 0xee 0xb4 0x83 0x28 0xae 0xfe 0xbb 0xb0 0xe3 0x49
0xfc 0x8f 0x68 0x24 0x51 0x03 0x26 0x8f 0x2b 0xcd 0xc1 0x0c 0x6d 0x79 0xed 0xc4
0x7f 0x3a 0x1e 0x2a 0xc5 0x4e 0xd8 0xe9 0x35 0x27 0xb7 0xde 0x50 0xc3 0xac 0x49
0x84 0x55 0x90 0xa6 0x44 0xcb 0xf7 0xfc 0x69 0xb4 0x19 0xea 0xb6 0xf0 0x72 0x37
0xef 0xfc 0xdf 0x20 0xaf 0x34 0x10 0xa8 0xf9 0xc2 0x74 0xa8 0x64 0xb2 0xd5 0xe9
0x25 0xd8 0xf2 0xca 0xf6 0xb6 0xa0 0x35 0x6f 0x3c 0x6c 0x4c 0xc6 0x99 0x4e 0x51
0xc4 0x5c 0x32 0x8e 0x0b 0x7c 0x59 0x7b 0xda 0x19 0x3f 0x89 0x7b 0xd3 0x33 0x9c
0x2d 0x20 0x46 0x59 0x26 0xb4 0x20 0x61 0x54 0x49 0xb8 0x71 0xa4 0xde 0x2b 0x7b
0xf3 0xdd 0xb2 0x64 0xa1 0x1a 0x39 0x4b 0x50 0x20 0x21 0x6a 0x9c 0x3d 0x34 0xaf
0x91 0xf4 0x2e 0xe1 0x4c 0x74 0x6a 0xed 0x4e 0x18 0x3d 0x11 0xe5 0xa9 0xf6 0x87
0xb3 0x7a 0xf0 0xf1 0x5e 0x9b 0x9c 0x1f 0xc0 0x44 0x72 0xdc 0xc3 0xe9 0x62 0x88
0x0b 0xec 0x3c 0x71 0x29 0x99 0xac 0xfa 0x1f 0x31 0xdd 0xae 0x5f 0x84 0x3c 0x16
0x04 0xdb 0x9d 0x4b 0xbb 0xdf 0x6c 0x32 0x0e 0xa0 0xe7 0xa0 0xdc 0x6a 0xa5 0x49
0x12 0xd7 0x59 0xce 0x3c 0x5d 0x36 0x46 0xbf 0x0b 0xcb 0xf7 0x0e 0x41 0x50 0x37
0x53 0xb5 0xdf 0x6d 0xc0 0x7e 0x7f 0x35 0x75 0xf5 0xec 0xad 0x40 0xb5 0x69 0x3c
0xb7 0x5c 0x44 0x0b 0x48 0xe6 0x07 0x41 0xb8 0x4c 0x9d 0x2c 0x4c 0xdf 0xf3 0xa7
0x15 0xcf 0x12 0xdd 0x11 0xcb 0xeb 0x3b 0x89 0x11 0x2e 0x6b 0x84 0x1a 0x3d 0xd9
0x25 0xa2 0x51 0xed 0xdf 0x93 0x76 0x86 0xc4 0xa4 0xcb 0xe8 0x5c 0xd8 0x7a 0x41
0x7d 0xc8 0x70 0xa1 0x0c 0xa1 0xd8 0xda 0xe2 0x75 0x05 0x0b 0x0b 0x83 0x3c 0x6c
0x71 0x13 0x42 0x19 0xcd 0x5d 0xd0 0x99 0x7b 0x24 0xc9 0x7b 0xc2 0x1c 0x2e 0x6e
0x78 0xe0 0xad 0x7f 0x7b 0x4b 0x50 0x33 0x7e 0xa0 0xb9 0x93 0xf4 0x75 0x39 0x50
0x41 0x41 0xe3 0x2b 0x0f 0xf1 0xf3 0xbc 0x84 0x9d 0x6f 0xa7 0x27 0xa7 0x58 0x55
0x8d 0xc7 0xf1 0xa1 0xb8 0x60 0x6f 0x0f 0x19 0xac 0xea 0xef 0x2c 0xba 0x90 0x9b
0x79 0x7b 0x61 0x54 0x03 0xf6 0x92 0x10 0xb4 0x9c 0x78 0x85 0xf3 0x7b 0x3f 0x0e
0xf9 0x8e 0x3d 0xa3 0x43 0xab 0xf4 0x33 0xa4 0x55 0x4b 0x86 0x50 0x75 0x93 0x3a
0x50 0x24 0xae 0x70 0x0c 0xde 0xa7 0x52 0x28 0x43 0x07 0x35 0x5c 0x5a 0xeb 0xc0
0xe1 0xba 0x8c 0xcd 0x76 0xdc 0x07 0x1f 0xa4 0x57 0xdd 0x18 0xa3 0x4e 0xc3 0xf3
0x7b 0x2d 0x0e 0x6b 0xb9 0x92 0xc1 0xfb 0x54 0xc8 0xd7 0x33 0x31 0x43 0xe1 0xce
0xb5 0x89 0xbd 0x0d 0x4e 0x14 0xbc 0x64 0xc5 0xf6 0x28 0x58 0x84 0x64 0xe7 0x8c
0xb2 0xa9 0xd2 0x0b 0x9f 0x1c 0x28 0xfd 0x95 0x93 0x8e 0x51 0x9a 0x5b 0xeb 0x0d
0x51 0x60 0x93 0x35 0x7c 0x59 0x7d 0x6f 0x37 0xbd 0xa4 0x9b 0x2d 0x4f 0x75 0x92
0xbe 0x85 0xc6 0xc3 0x68 0xf6 0x41 0xcc 0x51 0x4c 0xfc 0xda 0x21 0xc3 0x77 0xc1
0xe2 0x79 0xe8 0x0d 0xc7 0x26 0xc3 0x14 0x9e 0x48 0x2f 0xa4 0x95 0x21 0x24 0x61
0x31 0xd5 0x3b 0x14 0x42 0x45 0xd1 0x6d 0x90 0xfe 0x72 0x28 0xa7 0x81 0xe9 0x07
0x47 0x8a 0x0d 0xda 0x08 0x99 0xbc 0x76 0x42 0xec 0x0b 0xfd 0xeb 0x69 0x47 0x58
0xd7 0x81 0x6b 0x71 0xf6 0xb6 0xbe 0xcd 0x4e 0x29 0xd9 0xdb 0xc8 0x12 0x5c 0x46
0xa0 0x3c 0x5b 0x57 0x2b 0x59 0x92 0x36 0x3c 0x6a 0xc3 0x4a 0x13 0x41 0x34 0x2f
0x12 0x13 0xa2 0x51 0xfb 0xf2 0xe0 0x0b 0x2f 0xfc 0x14 0x25 0xad 0x60 0x3a 0x35
0x62 0x7e 0xd2 0x11 0x4c 0x4a 0x29 0xa4 0xca 0x44 

This is the first data packet response from the server:

0x80 0x84 0x16 0xc9 0xe0 0x80 0xd6 0x0b 0x4e 0xd8 0xfe 0x00 0xce 0xe2 0x07 0xe1
0xec 0xb9 0x03 0xa8 0x51 0x0b 0xc9 0xd5 0xd9 0x27 0x59 0x07 0x83 0x0c 0x2b 0x75
0x24 0x50 0xcf 0x0c 0xd2 0x8e 0x7b 0xbc 0xbe 0x65 0x48 0x23 0xc9 0xdb 0x82 0x2f
0x54 0x50 0x3b 0xf2 0x50 0xd3 0x15 0x30 0xec 0x78 0xa2 0x61 0x09 0x9a 0x2a 0xc8
0x9c 0x07 0x67 0x70 0x44 0x46 0xca 0xe4 0x65 0x1a 0x0e 0xd9 0x2a 0x77 0xeb 0xc1
0x7e 0x37 0x83 0x43 0x2e 0x26 0xde 0x5f 0x9d 0xa3 0x31 0x87 0xf2 0xe1 0x4f 0x67
0x8d 0xfc 0x4f 0x3f 0x00 0x2c 0x40 0x70 0x34 0x2b 0x62 0x80 0xcf 0x0d 0x93 0xff
0xc9 0x5e 0xd2 0x21 0xf6 0xa4 0xf4 0xd7 0x13 0x13 0x59 0x44 0x6c 0xd1 0xd1 0x05
0x8f 0x5f 0x15 0x10 0x08 0xed 

Here is the second data packet response from the server:

0x81 0x04 0xc9 0x4c 0x54 0xcb 0x2c 0xe0 0x8e 0xf9 0x13 0x31 0xb4 0xf1 0x82 0x92
0xd3 0x65 0xc9 0x45 0x7e 0x0f 0x8e 0x54 0x4f 0x7f 0x35 0xc8 0x20 0xa8 0x55 0x18
0x1e 0x27 0x5d 0x6a 0x53 0x79 0xd2 0x2e 0x01 0x5d 0x06 0x25 0x6f 0xaa 0x49 0x68
0x73 0x4e 0x35 0x6b 0x87 0x47 0x6d 0x26 0xb6 0xb0 0x1e 0xd0 0x96 0xd5 0xe6 0x4f
0x94 0x10 0x9f 0x5f 0x83 0x7e 0x0c 0x67 0x36 0x82 0xce 0xcb 0xb1 0xd5 0xc9 0xf9
0xf5 0x32 0xa9 0xf3 0x31 0xbf 0x40 0xe4 0xa6 0x24 0x0e 0xc3 0xfe 0x61 0x24 0x59
0x9d 0x85 0x35 0x0d 0x7d 0xbe 0x16 0x0b 0x8a 0x98 0x74 0x7b 0x5a 0x37 0x73 0x30
0xd9 0x66 0x6c 0x65 0xaf 0xd4 0xc7 0x2a 0x8f 0x14 0xe3 0xf6 0x06 0x63 0x19 0x53
0xc5 0x9a 0x69 0x63 0x29 0x04 0x7a 0x28 0x0e 0x7b 0x17 0xf3 0x60 0xee 0x9d 0xbd
0xe5 0x00 0x0a 0x9d 0x1b 0xc5 0x26 0x93 0x19 0x78 0x43 0x2f 0xe4 0x9a 0x27 0x3c
0x13 0x03 0x9c 0xab 0xad 0xad 0xe1 0xbd 0x8b 0x7c 0x04 0x74 0x7e 0x08 0x50 0xa6
0x19 0x28 0xb7 0x6c 0xbe 0x2b 0x48 0x14 0xd2 0xcb 0xa6 0xad 0x69 0x41 0x31 0x93
0x3a 0x8d 0x87 0x78 0x80 0xc1 0x85 0xa5 0x7a 0x79 0xd1 0x55 0xca 0xb8 0x94 0x0b
0x65 0x3e 0xf2 0x51 0x8d 0xae 0x89 0x87 0x96 0xae 0xd5 0x4d 0x2f 0x14 0x66 0xe6
0xcc 0x63 0x2f 0x50 0x98 0x98 0x59 0xfa 0xf6 0xeb 0xb6 0x44 0x9d 0xc2 0x6c 0xe2
0x7d 0xc9 0x47 0xfa 0x3d 0xa4 0x6b 0x71 0x52 0xcc 0x15 0xdf 0xb3 0x92 0x3f 0x67
0x8e 0x9e 0x84 0xd6 0x39 0xa0 

This ends the communication.

To try to attack this, the most effective approach would be to calculate
CLIENT-READ-KEY by trying all possible values for the 40 least
significant bits of the MASTER-KEY, and feeding that into the MD5
formula.  Then use the known plaintext in the SERVER-VERIFY message to
check the result.  Once the proper 40 bit value is found,
CLIENT-WRITE-KEY can easily be calculated and the data messages
decrypted.

Good luck!

Hal Finney
hfinney@shell.portal.com





Thread