ALGORITHM OF DECRYPTATION SECA2 the algorithm of decriptaggio of Mediaguard operates on one criptata word of 8-byte, using one 16-byte key in order to produce one word of 8-byte in luminosity.

 The key of 16-byte c constituted from one Primary Key of 8-byte to from one Secondary equally of 8-byte.  Some time the ChiaveSecondaria coincides with that Primary one, other times c various.  In order to clear this situation of confusion we examine piu the 2 keys approfonditamente.

 Both the keys, Primary and secondary, are numbered from 0x00 to 0x0F so that potentially they can it are to us 16 Primary Keys and 16 Secondary Keys.  It seems that the operating keys (Operation keys - for ECM) they are from 0x0C to 0x0F and that the keys from 0x00 to 0x0B are of manipulation (management keys - for EMM).

 But the primary keys, to whim of the issuing ones, when they have been memorizzate in the Smartcard can have been numbered from 0x10 to 0x1F. Only the Primary keys numbered things can be used with the Secondary keys equivalents.  The P1 parameter of the commando C1 32 determines if this avverrr;  if P1 c in the shape 0x1n.


 Things hour we would have to understand like formed c the key of 16-byte for the algorithm.


 Algorithm c format from two is made:  Preparation of the Key Manipulation of gives to you

1) Preparation of the Key we imagine in this way that the byte of the key is disposed in circular shape as they were wrapped on a circle,:


...k15, k16, k1, k2, ..., k13, k14...

We begin from k1, we take the byte that ' the precede' (cioc k16), we make the XOR of this with what ' segue' k1 (cioc k2) and with one constant C. we use this result as index in the first 256-byte of table T1 and make the XOR of the value obtained from T1 with k1.  This c the new value of k1.  Constant C has one value begins them null, and shown table T1 c to the end of this section.


 Things k1 = k1 XOR T1(k16 XOR k2 XOR C).

We repeat this procedure others 3 times on k2, k3 and k4 in order to assign:  k2 = k2 XOR T1(k1 XOR k3 XOR C) k3 = k3 XOR T1(k2 XOR k4 XOR C) k4 = k4 XOR T1(k3 XOR k5 XOR C).


 We increase constant C of 1 and make others 4 iterances (on k5.


.

.

k8):  k5 = k5 XOR T1(k4 XOR k6 XOR C) k6 = k6 XOR T1(k5 XOR k7 XOR C) k7 = k7 XOR T1(k6 XOR k8 XOR C) k8 = k8 XOR T1(k7 XOR k9 XOR C) We increase constant C and we make others 4 iterances (on k9.

.. k12):  K9 = k9 XOR T1(k8 XOR k10 XOR C) K10 = k6 XOR T1(k9 XOR k11 XOR C) k11 = k7 XOR T1(k10 XOR k12 XOR C) k12 = k8 XOR T1(k11 XOR k13 XOR C) We increase constant C and we make others 4 iterances (on k13..


. k16):  K13 = k13 XOR T1(k12 XOR k14 XOR C) K14 = k14 XOR T1(k13 XOR k15 XOR C) k15 = k15 XOR T1(k14 XOR k16 XOR C) k16 = k16 XOR T1(k15 XOR k1 XOR C) To this C=3 point.

 We still increase C and we recommence from the beginning for ottenre k1... k16.  Hour C=7 Ripetiamo still two times the process  always increasing C and forming new values for all and 16 the ' k' byte.  To this C=15 point and we have repeated algorithm 16 x 4 times.  We have finished phase 1 of preparation of the key and the final values of k1...,k16 are those used in the phase of manipulation of give to you.  Algorithm c format from 16 cycles.  Every cycle operates alone on 4 byte of 4 key and byte of give to you.  Sayings k1, k2..., k16 the byte of the key (obtained after the phase of preparation of the key) and sayings the byte of give to you d1,d2...,d8 are had:  CicloByte number of chiaveByte of gives 1, 5, 9, 13k13, k14, k15, k16d5, d6, d7, d82, 6, 10, 14K9, k10, k11, k12d5, d6, d7, d83, 7, 11, 15k5, k6, k7, k8d5, d6, d7, d84, 8, 12 to you, 16k1, k2, k3, k4d5, d6, d7, d8

A cycle consists in:  To make the XOR of the byte of key with those of they give to you:  - To execute the Function Nucleus (the Cores function) on the byte of give in order to calculate the 4 to you new byte of give to you - To make the XOR of these values with the others 4 byte byte of key to use in the following cycle gives in order to calculate the 4 new values to you for the byte of gives to you d5-d8 for the successive cycle - To try the byte of key in order to calculate the 4 new.

 First step - XOR of the byte of key with those of give This simple c to you:  d5 = K(i) XOR d5 d6 = K(i+1) XOR d6 d7 = K(i+2) XOR d7 d8 = K(i+3) XOR d8 where = the 13 for cycles 1, 5, 9, 13 9 for cycles 2, 6, 10, 14 5 for cycles 3, 7, 11, 15 1 for cycles 4, 8, 12, 16.


 According to step - Function Nucleus Before to execute 4 accesses to Table 1:  d5 = T1[d5 ], d6 = T1[d6 ], d7 = T1[d7 ], d8 = T1[d8 ] Subsequently to use Table 2 (you see beyond).  The term ' ~ ' means that exchange of place of average less meaningful byte with that one piu meaningful (es. 11100010 = E2 T ~E2 = Is = 00101110):  d5 = d8 XOR d5 d7 = T2[(~d8) + d7 ] d8 = d7 XOR d8 d6 = T2[ (~d7) + d6 ] d7 = d6 XOR d7 d5 = T2[ (~d6) + d5 ] Hour must be used Table 1 as it follows:  d6 = d5 XOR d6 d8 = T1[(~d5) + d8 ] d5 = d8 XOR d5 d7 = T1[(~d8) + d7 ] d8 = d7 XOR d8 d6 = T1[(~d7) + d6 ] Finally to execute:  D7 = D6 XOR D7 D6 = D5 XOR D6.


 If in some addition greater turning out value c of 0xFF, to embezzle the value 0x0100 before approaching the tables.


 Third party Step - To calculate the new values of the byte of they give you for prosimo the cycle These are obtained from Table 2 proceeding as it follows:  d1 = T2[d6 ] XOR d1 d2 = T2[d8 ] XOR d2 d3 = T2[d5 ] XOR d3 d4 = T2[d7 ] XOR d4 Before using the byte of gives to you d1..., d8 is necessary to exchange them as it follows:

d1 D d5 d2 D d6 d3 D d7 d4 FAMOUS D d8:  to the term of 16 the cycle pern this exchange does not have to be made and the byte of gives to you decrypts to you is d1.


.


., d8.  Quarter step - To obtain new byte of key for the successive cycle To execute the following operations:  k(i+3) = k(i+3) XOR T1[k(i+4) XOR k(i+2) XOR C ] k(i+2) = k(i+2) XOR T1[k(i+3) XOR k(i+1) XOR C ] k(i+1) = k(i+1) XOR T1[K(i+2) XOR k(i) XOR C ] k(i) = k(i) XOR T1[k(i+1) XOR k(i-1) XOR C ] where i = 13 for i cycles 1, 5, 9, 13 9 for cycles 2, 6, 10, 14 5 for cycles 3, 7, 11, 15 1 for cycles 4, 8, 12, 16.

 In the cases in which the aforesaid formula it gives suffissi k outside from interval 1-16, the value obtained from k must be considered making of module 16.  Es.
If k = 17, then k = k mod 16 = 1, if k=16, then k = k mod 16 = 0).  The value of constant C depends on the cycle number.  For cycles 1, 2..., 15, 16 such constant has respective equal values to 0x0F, 0x0E..., 0x01, 0x00.  

TABLES Table 1:

02ah0e1h00bh013h03eh06eh032h048h0d3h031h008h08ch08fh095h0bdh0d0h0e4h06dh050h081 h020h030h0bbh075h0f5h0d4h07ch087h02ch04eh0e8h0f4h0beh024h09eh04dh080h037h0d2h05f h0dbh004h07ah03fh014h072h067h02dh0cdh015h0a6h04ch02eh03bh00ch041h062h0fah0eeh083 h01eh0a2h001h00eh07fh059h0c9h0b9h0c4h09dh09bh01bh09ch0cah0afh03ch073h01ah065h0b1h 076h084h039h098h0e9h053h094h0bah01dh029h0cfh0b4h00dh005h07dh0d1h0d7h00ah0a0h05c 

h091h071h092h088h0abh093h011h08ah0d6h05ah077h0b5h0c3h019h0c1h0c7h08eh0f9h0ech035h 04bh0cch0d9h04ah018h023h09fh052h0ddh0e3h0adh07bh047h097h060h010h043h0efh007h0a5h 049h0c6h0b3h055h028h051h05dh064h066h0fch044h042h0bch026h009h074h06fh0f7h06bh04fh0 2fh0f0h0eah0b8h0aeh0f3h063h06ah056h0b2h002h0d8h034h0a4h000h0e6h058h0ebh0a3h082h0 85h045h0e0h089h07eh0fdh0f2h03ah036h057h0ffh006h069h054h079h09ah0b6h06ch0dch08bh0a 7h01fh090h003h017h01ch0edh0d5h0aah05eh0feh0dah078h0b0h0bfh012h0a8h022h021h03dh0c2 h0c0h0b7h0a9h0e7h033h0fbh0f1h070h0e5h017h096h0f8h08dh046h0a1h086h0e2h040h038h0f6h 068h025h016h0ach061h027h0cbh05bh0c8h02bh00fh099h0deh0ceh0c5h 



Tabella 2: 

0bfh011h06dh0fah026h07fh0f3h0c8h09eh0ddh03fh016h097h0bdh008h080h051h042h093h049h0 

5bh064h09bh025h0f5h00fh024h034h044h0b8h0eeh02eh0dah08fh031h0cch0c0h05eh08ah061h0a 

1h063h0c7h0b2h058h009h04dh046h081h082h068h04bh0f6h0bch09dh003h0ach091h0e8h03dh0 

94h037h0a0h0bbh0ceh0ebh098h0d8h038h056h0e9h06bh028h0fdh084h0c6h0cdh05fh06eh0b6h0 

32h0f7h00eh0f1h0f8h054h0c1h053h0f0h0a7h095h07bh019h021h023h07dh0e1h0a9h075h03eh0d 

6h0edh08eh06fh0dbh0b7h007h041h005h077h0b4h02dh045h0dfh029h022h043h089h083h0fch0d 

5h0a4h088h0d1h0f4h055h04fh078h062h01eh01dh0b9h0e0h02fh001h013h015h0e6h017h06ah08 

dh00ch096h07eh086h027h0a6h00dh0b5h073h071h0aah036h0d0h006h066h0dch0b1h02ah05ah0 

72h0beh03ah0c5h040h065h01bh002h010h09fh03bh0f9h02bh018h05ch0d7h012h047h0efh01ah0 

87h0d2h0c2h08bh099h09ch0d3h057h0e4h076h067h0cah03ch0fbh090h020h014h048h0c9h060h0 

b0h070h04eh0a2h0adh035h0eah0c4h074h0cbh039h0deh0e7h0d4h0a3h0a5h004h092h08ch0d9h0 

7ch01ch07ah0a8h052h079h0f2h033h0bah01fh030h09ah000h050h04ch0ffh0e5h0cfh059h0c3h0e3 

h00ah085h0b3h0aeh0ech00bh0feh0e2h0abh04ah0afh069h06ch02ch05dh 

ALGORITHM OF MESSAGE SIGNATURE Seems that it is for messages ECM that for those EMM come only used a signature algorithm.


 The procedure consists in the following steps:  - Initialization of a buffer hash of 8-byte - XOR between the 8 byte of give you of income and the content of buffer - Execution of the signature algorithm - the Repetition of last the 2 steps until the exhaustion of the byte of gives to you in income to try - Comparazione of the result with the 8-byte of gives you of signature.


 Being the signature algorithm the inverse one of the algorithm of decriptaggio (like for Eurocrypt S), c necessary not to describe it in all its details (like instead made c for the decriptaggio algorithm).


 The initialization of buffer hash the c based on the value of bit 7-5 piu meant you of the P1 parameter, as it follows:  - P1(7-5) = 1:  last 6 byte of the answer C1 0E 00 00 08 + 00 00 - P1(7-5) = 2:  value UA of Smartcard - P1(7-5) = 3:  value KNOWS of the Smartcard (sees beyond) - P1(7-5) = whichever other value:  00 00 00 00 00 00 00 00.

The algorithm consists in 16 cycles.  Every cycle operates alone on 4 byte of 4 key and byte of give to you.  Sayings k1, k2.


..


, k16 the byte of the key (obtained after the phase of preparation of the key) and sayings the byte of give to you d1,d2...

,d8 are had:  CicloByte number of chiaveByte of gives 1, 5, 9, 13k1, k2, k3, k4d5, d6, d7, d82, 6, 10, 14K5, k6, k7, k8d5, d6, d7, d83, 7, 11, 15K9, k10, k11, k12d5, d6, d7, d84, 8, 12 to you, 16k13, k14, k15, k16d5, d6, d7, d8 a cycle consists in:  To try the byte of key in order to calculate the 4 new byte of key to use in the following cycle To make the XOR of the byte of key with those of gives to you:  To execute the Function Nucleus (the Cores function) on the byte of give in order to calculate the 4 to you new byte of give To make the XOR of these values with the others 4 to you byte give in order to calculate the 4 new values to you for the byte of give to you d5-d8 for the successive cycle.  The order of operations c light various regarding that one of decriptaggio from the moment that inverse process c to this last C similar to ' left shifts DES function' and ' DES function, right shift' of Eurocrypt M and S.

Primo step - To obtain new byte of key for the successive cycle To execute the following operations:  k(i) = k(i) XOR T1[k(i+1) XOR k(i-1) XOR C ] k(i+1) = k(i+1) XOR T1[K(i+2) XOR k(i) XOR C ] k(i+2) = k(i+2) XOR T1[k(i+3) XOR k(i+1) XOR C ] k(i+3) = k(i+3) XOR T1[k(i+4) XOR k(i+2) XOR C ] where i = 1 for i cycles 1, 5, 9, 13 5 for cycles 2, 6, 10, 14 9 for cycles 3, 7, 11, 15 13 for cycles 4, 8, 12, 16.
 In the cases in which the aforesaid formula it gives suffissi k outside from interval 1-16, the value obtained from k must be considered making of module 16.  Es. If k = 17, then k = k mod 16 = 1, if k=16, then k = k mod 16 = 0).  The value of constant C depends on the cycle number.  For cycles 1, 2..., 15, 16 such constant has respective equal values to 0x00, 0x01..., 0x0E, 0x0F.  This cancels (unwinding) the effect of the manipulation of the circular key in the decriptaggio algorithm.

According to step - XOR of the byte of key with those of give This simple c to you:  d5 = K(i) XOR d5 d6 = K(i+1) XOR d6 d7 = K(i+2) XOR d7 d8 = K(i+3) XOR d8 where = the 1 for cycles 1, 5, 9, 13 5 for cycles 2, 6, 10, 14 9 for cycles 3, 7, 11, 15 13 for cycles 4, 8, 12, 16.


 The reversal of the suffissi cancels (unwinds) the interaction of the byte of key with those of gives to you, confronts to you in the decriptaggio algorithm.


 Third party step - Function Nucleus Before to execute 4 accesses to Table 1:  d5 = T1[d5 ], d6 = T1[d6 ], d7 = T1[d7 ], d8 = T1[d8 ] Subsequently to use Table 2 (you see beyond).  The term ' ~ ' means that exchange of place of average less meaningful byte with that one piu meaningful (es. 11100010 = E2 T ~E2 = Is = 00101110):  d5 = d8 XOR d5 d7 = T2[(~d8) + d7 ] d8 = d7 XOR d8 d6 = T2[ (~d7) + d6 ] d7 = d6 XOR d7 d5 = T2[ (~d6) + d5 ] Hour must be used Table 1 as it follows:  d6 = d5 XOR d6 d8 = T1[(~d5) + d8 ] d5 = d8 XOR d5 d7 = T1[(~d8) + d7 ] d8 = d7 XOR d8 d6 = T1[(~d7) + d6 ] Finally to execute:  D7 = D6 XOR D7 D6 = D5 XOR D6.

 If in some addition greater turning out value c of 0xFF, to embezzle the value 0x0100 before approaching the tables.

 This identical step c to that relative all Function Nucleus of decriptaggio, but clearly work in opposite direction.


 Quarter step - To calculate the new values of the byte of they give you for prosimo the cycle These are obtained from Table 2 proceeding as it follows:  d1 = T2[d6 ] XOR d1 d2 = T2[d8 ] XOR d2 d3 = T2[d5 ] XOR d3 d4 = T2[d7 ] XOR d4 Before using the byte of gives to you d1..., d8 is necessary to exchange them as it follows:  d1 D d5 d2 D d6 d3 D d7 d4 D d8

FAMOUS:  to the term of 16 the cycle pern this exchange does not have to be made and the byte d1.

.

.

, d8 represents the 8 the complete signature that would have to coincide to byte that following to the parameter 0x82.

 They are aware that a glance to all discouraging questomateriale c, but if you will study the material enough through an example, you find the courage to go ahead.

 In order ricapitolare, can say that the word of control c the Decriptaggio Mediaguard, viceversa the message of signature c the Criptaggio Mediaguard.  The keys memorizzate for the use directed with the criptaggio Mediaguard and to every cycle circular key for that cycle comes generated one.

 We can therefore say that the algorithm of Criptaggio operates on the circular keys R1, R2..


.
,  R16.  The algorithm of decryptaggio c the inverse one of that one of Criptaggio;  the aim of the phase of preparation of key c that one to generate R16. To every cycle of Decriptaggio comes generated the circular key for the successive cycle.  The circular keys for the decriptaggio are R16, R15...,  R1. the entire procedure assures that Decryptaggio c exactly the inverse procedure of the Criptaggio.  For recorded, if someone recognizes the algorithm and its name, perhaps avrr the gentility to make me to know it.