Properly handle edge cases in AN10922 key diversification #118
This commit fixes issue #91.
AN10922 specifies the key diversification algorithms used by the MIFARE SAM AV3. Support for these algorithms was added to libfreefare via pull-request #79. However, while every attempt was made to write a faithful implementation, the implemented code did not properly handle cases where the diversification data was less than or equal to the block size of the cipher: 16 bytes for AES, and 8 bytes for DES. This bug was identified in issue #91.
This commit addresses this problem while providing a way to revert to the previous behavior in cases where it is necessary to maintain previous deployments. This was accomplished by introducing a new flags parameter to the mifare_key_deriver_new_an10922 method. Normally, flags should simply be set to AN10922_FLAG_DEFAULT. However, if the previous behavior is required, it should be set to AN10922_FLAG_EMULATE_ISSUE_91.
AN10922 does not include any test vectors that might have helped to identify this problem earlier. However, AN10957 (pages 13-14) was found to have a suitable example usage of AN10922 with an appropriately short value for M that we are using as a test vector to verify correct behavior.
Note that the issue being addressed here is not a security issue: using the AN10922_FLAG_EMULATE_ISSUE_91 should not be any less secure than using AN10922_FLAG_DEFAULT.