Dec 2 2011

Cracking “Rav-Kav” (Part I)

Yesterday at the university, I got my brand new “Rav-Kav” (רב-קו) card. I was really happy when I discovered that mine was one of those “smart cards with the golden chip on it”. Because I have software on my computer at home that uses a smart card as a dongle, I have a smart-card reader at home.

Rav-Kav card

My first task was to find out how to communicate with the smart card. A quick Google search and I found the wonderful Python module pyscard, which allows me to send APDU commands to the smart card and receive its responses. My second task was to read a bit about smart cards and the commands they use. Again, Google came in handy, and I found the following site, which describes more or less every command and response you are likely to get from the little shiny card.

The first thing you need to understand: a smart card is not a flash drive! A smart card is a microprocessor. It has its own operating system, and it communicates with the device using it (my computer, for example) using the T=0 protocol. Meaning: you can’t read and write whatever you want into it.

For those of you who are reading this article only to get “free rides”: no, I don’t believe I’ll be able to add “free rides” to my “Rav-Kav” card, because those things are usually very well protected (and even if I could, it would be illegal to use it and to share the information), but it’s quite interesting to check what kind of information is stored in this little piece.

When I plugged in the card and connected to it, the ATR was: “3B 6F 00 00 80 5A 0A 07 06 20 04 2C 02 63 EE FF 82 90 00”. But I’m not sure if that means anything….
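The ATR quoted above can be decoded with the ISO/IEC 7816-3 layout rules. The following Python is an added example, not the author's code; the names `parse_atr` and `compact_tlv` are made up here, and it assumes the historical bytes use the ISO/IEC 7816-4 compact-TLV form that their leading 0x80 announces.

```python
ATR_FROM_POST = "3B 6F 00 00 80 5A 0A 07 06 20 04 2C 02 63 EE FF 82 90 00"  # quoted in the post

def parse_atr(atr_hex):
    """Decode TS, T0, interface bytes, historical bytes and TCK (ISO/IEC 7816-3)."""
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS: expected 0x3B (direct) or 0x3F (inverse)")
    hist_len, y = atr[1] & 0x0F, atr[1] >> 4      # T0: high nibble Y1, low nibble K
    pos, level, interface, protocols = 2, 1, {}, []
    while y:
        for bit, name in enumerate("ABCD"):       # Y bits announce TAi, TBi, TCi, TDi
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"T{name}{level}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{level}")
        if td is None:
            break
        protocols.append(td & 0x0F)               # low nibble of TDi: protocol T
        y, level = td >> 4, level + 1             # high nibble of TDi: Y(i+1)
    protocols = protocols or [0]                  # no TD1 at all means T=0 only
    historical, trailer = atr[pos:pos + hist_len], atr[pos + hist_len:]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated in historical bytes")
    if any(p != 0 for p in protocols):            # TCK is sent unless only T=0 is offered
        xor = 0
        for b in atr[1:]:                         # XOR of T0..TCK must be zero
            xor ^= b
        if len(trailer) != 1 or xor != 0:
            raise ValueError("missing or wrong TCK checksum")
    elif trailer:
        raise ValueError("unexpected bytes after historical bytes")
    return {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "interface": interface, "protocols": protocols, "historical": historical}

def compact_tlv(historical):
    """Split compact-TLV historical bytes (category 0x80) into (tag, value-hex) pairs."""
    if not historical or historical[0] != 0x80:
        raise ValueError("historical bytes are not compact-TLV (category 0x80)")
    items, pos = [], 1
    while pos < len(historical):
        tag, length = historical[pos] >> 4, historical[pos] & 0x0F
        value = historical[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError("compact-TLV object truncated")
        items.append((tag, value.hex().upper()))
        pos += 1 + length
    return items
```

For the ATR in the post this finds TB1 and TC1 but no TD1 byte, which means T=0 only, and 15 historical bytes that split into a 10-byte object with tag 5 (card issuer's data) and a tag 8 status indicator holding `90 00`.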

The first thing I tried was to map all the command classes available for this card.
I scanned the classes simply by trying a random command in all the possible classes (256 possibilities) and ignoring all the classes that returned “0x6e – Class not supported”. I found out that the only available classes are 0x80 and 0x94, and that all the interesting commands shown in chapter 6 can be found in the 0x94 class.

The next thing I did was to “brute force” the file system under the master file using the SELECT command, and I got the following list:

0x0002
0x0003
0x2000
0x2001
0x2004
0x2010
0x2020
0x202a
0x202b
0x202c
0x202d
0x2030
0x2040
0x2050
0x2069
0x206a
0x20f0
0x2100
0x2101
0x2104
0x2110
0x2120
0x2140
0x2150
0x2169
0x21f0
0x2f10
0x3f04
0xfeff

I’m not sure yet which of those are EFs (normal files) and which are DFs (directories). But I’ll find that out next time. Stay tuned.


Nov 11 2011

Happy HDLC Day!

011.11.110

Today is the HDLC day!

For those of you who don’t know, the frame delimiter in HDLC is the bit sequence 01111110.

(Thanks to Yoni Ho)


Nov 7 2011

Birthday Paradox

The Birthday Paradox is not a real paradox; you will not find any logical contradiction in the next few paragraphs. It is called a paradox because it is very counter-intuitive, and you will soon find out why.

The paradox is demonstrated in the following way: choose $latex n$ people randomly. What is the probability that at least two of them were born on the same date? (Only day and month, discarding the year, and assuming there are 365 days in every year.)

Let’s say that $latex n=40$. What do you think the chances are?
Most people will think the probability is very low, but is it?

First, let’s define our sample space:

$latex \Omega=\left\{ \left(d_{1},\ldots,d_{n}\right):\, d_{i}\in\left\{ 1,\ldots,365\right\} \right\}$

The vector $latex \left(d_{1},\ldots,d_{n}\right)$ defines a series of dates for every person. Meaning $latex d_1$ is the birthday of the first person, $latex d_2$ of the second and so on…

The event we are interested in is the following:

$latex A=\left\{ \left(d_{1},\ldots,d_{n}\right)\in\Omega:\, d_{i}=d_{j}\text{ for some } i\neq j\right\}$

Apparently, doing the direct calculation to solve this problem is hard, too hard. So we’ll attack the problem from a different angle.

Let’s take a look at the complement of $latex A$ (meaning that every person in the group was born on a unique date):

$latex A^{c}=\left\{ \left(d_{1},\ldots,d_{n}\right)\in\Omega:\, d_{i}\neq d_{j},\,\forall i\neq j\right\}$

It is easily calculated that the number of elements in $latex A^{c}$ is:

$latex \left|A^{c}\right|=365\cdot364\cdot\ldots\cdot\left(365-n+1\right)$

And of course the number of elements in our sample space (meaning the number of options for birthdays for $latex n$ people) is:

$latex \left|\Omega\right|=365^{n}$

Assuming uniform probability, the probability that every person was born on a unique date is:

$latex P\left(A^{c}\right)=\frac{\left|A^{c}\right|}{\left|\Omega\right|}=\frac{365}{365}\cdot\frac{364}{365}\cdot\ldots\cdot\frac{365-n+1}{365}=\prod_{k=0}^{n-1}\left(1-\frac{k}{365}\right)$

Therefore, the probability that at least two people were born on the same day is:

$latex P\left(A\right)=1-P\left(A^{c}\right)=1-\prod_{k=0}^{n-1}\left(1-\frac{k}{365}\right)$

So, we said $latex n=40$, right? Let’s calculate! (Don’t worry, you can let WolframAlpha do the calculations for you.)

$latex P\left(A_{40}\right)=1-\prod_{k=0}^{39}\left(1-\frac{k}{365}\right)\approx 0.891232$

So it seems the probability is more than 89%! Amazing, isn’t it?

If you want, you can check and find that at 23 people the probability passes the 50% barrier, and that at only 57 people the probability is more than 99%!
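The formula for $latex P\left(A\right)$ and the figures quoted for 23, 40 and 57 people can be checked numerically. The following Python is an added example, not part of the original post; the function names are made up here, and the `days` parameter generalizes the derivation from 365 to any number of equally likely values. The simulation draws random birthdays to confirm the closed form independently.

```python
import random

def collision_probability(n, days=365):
    """P(A) = 1 - prod_{k=0}^{n-1} (1 - k/days) for n people and `days` possible dates."""
    if n > days:
        return 1.0                       # more people than dates: a match is certain
    p_unique = 1.0
    for k in range(n):
        p_unique *= 1 - k / days         # person k+1 must avoid the k dates already taken
    return 1 - p_unique

def smallest_group(threshold, days=365):
    """Smallest n for which P(A) reaches `threshold` (a probability in (0, 1])."""
    if not 0 < threshold <= 1:
        raise ValueError("threshold must be in (0, 1]")
    p_unique, n = 1.0, 0
    while 1 - p_unique < threshold:
        p_unique *= 1 - n / days         # extend the running product by one more person
        n += 1
    return n

def simulate(n, days=365, trials=5000, seed=1):
    """Monte Carlo estimate of P(A): fraction of random groups containing a shared date."""
    rng = random.Random(seed)            # fixed seed so the run is reproducible
    hits = 0
    for _ in range(trials):
        group = [rng.randrange(days) for _ in range(n)]
        hits += len(set(group)) < n      # a duplicate shrinks the set
    return hits / trials

if __name__ == "__main__":
    print(f"P(A) for n=40: {collision_probability(40):.6f}")
    print(f"simulated for n=40: {simulate(40):.3f}")
    print("n to pass 50%:", smallest_group(0.5))
    print("n to pass 99%:", smallest_group(0.99))
```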