Encrypting Mag-Stripe cards [Cryptographic Accelerator]

Hello! I've been messing with the Cryptographic Accelerator for a few days now, but its quite advanced and I can't seem to figure out to decrypt my encrypted string from a Mag-stripe card.

This is how far i got:

DarkOS(core)

local p = peripheral.wrap("left")
function encryption(encr)
  key = p.generateSymmetricKey("AES")
  encodedKey = key.encode()
  ciphertext = key.encrypt("AES", encr)
  return encodedKey, ciphertext
end
function decription(encoded ,encrypted)
  key = p.decodeKey("AES", encoded)
  plaintext = key.decrypt("AES", encrypted)
  return plaintext
end

The encryption of the card: (Would it be better to use asymmetrical encryption for this? can't seem to figure that out tho)

os.loadAPI("darkOS")
encr = darkOS.encryption("user"..math.random(10,50))
local reader = peripheral.wrap("mag card reader_0")
while true do
  local event, arg1, arg2, arg3 = os.pullEvent()
  reader.beginWrite(encr, "DarkEyeDragon")
  if event == "mag_write_done" then
	print("card made")
  end
end

The decryption part is just a mess. I got no idea how to even start on this xD

os.loadAPI("darkOS")
while true do
local event,arg1,arg2,arg3 = os.pullEvent()

decri = darkOS.decription(arg1)
if arg1 == decri then
  print("yey")
else print("nope")
end
end

Documentation:
http://www.computerc...0272#entry90272 (API of the Cryptographic Accelerator)

http://www.computerc...ss-peripherals/
(general information on the mod)

To conclude:

I'm trying to encrypt a string onto a Mag-stripe card to then later decrypt it back and decode it. To check weather or not the person is valid to enter the building.

Edit: Some might be interested in why i want to do this?
Its just to prevent people from making a mag-card reader and pulling the information from the card and make a "cracked" version of it to break into my building. I know it sounds highly unlikely that that will ever happen. But hey, one can never be too secure.

Encryption won't prevent forging another card, the attacker can simply copy the already encrypted string onto a new card, and will still be decrypted correctly, even without knowing the secret key or string.

A good way would be to use One-Time Passwords, something similar to 2 Factor Authentication.

I don't quite have the time to give more info on that, I'll edit this post later when I do.

Anavrins, on 23 June 2016 - 07:43 PM said:

Encryption won't prevent forging another card, the attacker can simply copy the already encrypted string onto a new card, and will still be decrypted correctly, even without knowing the secret key or string.

A good way would be to use One-Time Passwords, something similar to 2 Factor Authentication.

I don't quite have the time to give more info on that, I'll edit this post later when I do.

Well my idea was to base the encrypted string on time and a random number between a certain range. after lets say 3 minecraft days the card would not be accepted anymore. And encrypting it would be a good way to stop people from figuring out that method. That was the plan at least. Looking forward for your edit ;D

Really. No one? Well this is quite dissapointing :/

Sorry for the late reply :P/>

I was thinking about this https://en.wikipedia...e-time_password
Basically, every time you swipe your mag-card, it authenticate the data on it, and then writes a new key, which will become the new correct key.
What this means is that the instant you legitimately authenticate, every illegitimate copy of it will be invalidated. You suspect somebody cloned your card, swipe it, every copies of it except yours is invalid now :D/>
The only caveat with this is in case somebody clones your card, until you next swipe your card, he still have a valid card, and can invalidate your card from authenticating.
There's not much you can do against that other than frequently swiping your card once in a while to make sure.

All of this uses HMAC-SHA256, it's not available with the crypto accel. but I have a native lua implementation of it which is quite fast, so you won't even need the accelerator :P/>

Anavrins, on 25 June 2016 - 04:43 PM said:

Sorry for the late reply :P/>

I was thinking about this https://en.wikipedia...e-time_password
Basically, every time you swipe your mag-card, it authenticate the data on it, and then writes a new key, which will become the new correct key.
What this means is that the instant you legitimately authenticate, every illegitimate copy of it will be invalidated. You suspect somebody cloned your card, swipe it, every copies of it except yours is invalid now :D/>
The only caveat with this is in case somebody clones your card, until you next swipe your card, he still have a valid card, and can invalidate your card from authenticating.
There's not much you can do against that other than frequently swiping your card once in a while to make sure.

All of this uses HMAC-SHA256, it's not available with the crypto accel. but I have a native lua implementation of it which is quite fast, so you won't even need the accelerator :P/>

Thats quite cool. I just really wanted to figure out how to use the accelerator though, but no one here seems to know how to use it xD

Encryption isn't validation, it's obscuration. The best you can do to validate with encryption is asymmetrical encryption, proves that the sender is who they say they are, but it is still vulnerable to replay attacks assuming you don't include a one time key. Anavrins' suggestion is probably the best for a mag card, because mag-cards have no verifiable UUID (that I know of) making encryption next to worthless.

Wireless transmissions (or transmissions in general) are instantaneous enough and information dense enough that encryption works, sort of, assuming you modify a few identifiers.

TYKUHN2, on 26 June 2016 - 05:10 PM said:

Encryption isn't validation, it's obscuration. The best you can do to validate with encryption is asymmetrical encryption, proves that the sender is who they say they are, but it is still vulnerable to replay attacks assuming you don't include a one time key. Anavrins' suggestion is probably the best for a mag card, because mag-cards have no verifiable UUID (that I know of) making encryption next to worthless.

Wireless transmissions (or transmissions in general) are instantaneous enough and information dense enough that encryption works, sort of, assuming you modify a few identifiers.

Thanks for the information. I see your point :)/> I'll just use some randomizer of some sort and check the date etc.