Citroen wrote:
If the verification code is encrypted with DES, there's an awful lot of keyspace to search and I doubt Chad has any access to the kind of supercomputer to crack it quickly.
.....
We know that the 16 hex chars of the verification code holds date, distance and workout time. So we have the cleartext.
03/18/2006 2000m 5:44.9
Chad clearly has the verification key generated by the PM3 (which I'll assume is the ciphertext encrypted with a public key).
.....
What we don't have is the private key (which must be held by C2 for their website and must be stored in the PM3 firmware). If the private key is compromised all bets are off. C2 will have a definite problem changing their private key if it's held in firmware (which is unlikely). They'd have a job - but less of a job if the public key is compromised - you can generate a new public key - you can publish public keys without compromising the system.
So your suggestion doesn't really hold water. I doubt the verification system has been cracked.
As a purely theoretical reply (I am not accusing anyone or supposing anyone has done this.) But Citroen your analysis does not hold water. The PM3 is a closed box. The (only) input is the strokes of the rower(s). The output is a verification code. There is no public/private key to change the encryption. Ok there could be one but it must be fixed. Hence the discussion of public/private key is moot.
Ok so as long as the box (pm3) is closed I agree with you that it would be difficult to generate a fake verification code. Now lets open that box. To simplify things we would have a processor, an eeprom (firmware) and a sensor. (I am not sure of this, I have never seen a PM3, nor have opened my PM2+) Now this is the weakness. There would be several ways to cheat.
1. Manipulate the input to the sensor, such as increasing the signal (gain) electronically.
2. Reverse assemble the firmware, modify it and place it back in the EEPROM. Here, one could change how the PM3 processes each stroke.
In both of these cases, the rower could actually be rowing a pace of 1:30/500m and the PM3 will interpret it as a 1:25 pace.
3. Upload the firmware to a simulator or emulator. Find in the code where it generates the encrypted string and the contents of the string. Create your own string and simulate the encryption. You don't need to understand or break the encryption. It is just a function, input cleartext -> output encrypted text.
Now, I know all three are possible because over ten years ago I worked on embedded systems and have done all three (though not on a PM3 but on communication systems and medical devices).
The only caveat would be that C2 may use an encrypted eeprom which would probably make (2) and (3) very unlikely. This may be more common now but in the past encrypted eproms were common only in military systems
Remember this is purely an academic digression, I am not accusing anyone of doing this nor implying that anyone has done this.
andy
andy m44y 78kg(172lbs) 1.76m(5'9") see [url=http://andyarvid.infogami.com/exercise_log]my training log[/url] or [url=http://decenturl.com/spreadsheets.google/andys-exercise-log]spreadsheet training log[/url]
That will be your new nickname from now on Sir P 
