Reply To: MIFARE DESFire EV2 – how to encrypt data with custom key


Re: MIFARE DESFire EV2 – how to encrypt data with custom key

29. May 2020 at 13:01

For a blank MIFARE DESFire EV2 the PICC Master Key is all bytes zero and the cipher is 2K3DES. These settings are the defaults from the first MIFARE DESFire (D40).

I urgently recommend changing the default key value AND also the cipher! 2K3DES is not “state of the art” anymore; you should always use AES (128). Another recommendation: never use key values which you can easily write down, like “01234…” or “fefefe…”. ALWAYS use values from a random generator!

Let us clear up your open questions.

  1. Yes, it is possible and you should change the key value and the key cipher. Keep in mind, you can do this for the PICC Master Key. For all application keys, the cipher is defined with the application settings at creation time.

  2. Yes. If you create an application, you define the cipher (2K3DES, 3K3DES or AES) for the whole application and also the number of keys you want to use within the application. You can have up to 14 keys.

  3. Yes, the term “application” shows that all content of an application is managed by one identity. Let me explain it with an example. Let us assume you are the issuer of the card and the purpose is to manage the automatic doors in your facility. You create one application, let's say “000001”, and put all files in that app. Now let us assume you have a cafeteria in your facility. You can allow the cafeteria operator to create a second app, let's say “000002”, on the card and put the balance file (which tracks the credit of the card user) in app “000002”. The keys and files of the door access and the keys and files of the cafeteria credit are separated and protected from each other.

  4. No, sorry. We do not have ready-to-use examples, because every customer has different needs. But setting up your application is not difficult. You can ask via this forum. In case we need to talk about non-public content, we must communicate via email.

This is my “recommendation list” for your setup:

  • Define the number of keys and the cipher you want to use. Let's say you have one application key (only for modifying files), one write key and three read keys. Create the application with AES128 and 5 keys.

  • Define the files for your needs. Let's say one standard data file which contains read-only data like user name and user ID. Keep in mind, you must also define the length of the file at creation time. A file size cannot be changed later. Let's say your app can have three token files which permit (or deny) access to floors 1, 2 and 3. Let's say key #2 is a read key for accessing the 1st floor, key #3 for accessing the 2nd floor, etc. Then you could have the following setup:

  • File ID 1, standard data file, contains user name and ID, read access: 0xE (free access), all other permissions: 0x0 (admin key).

  • File ID 2, standard data file, contains token for 1st floor, read access 0x2 (1st floor key), all other permissions: 0x0 (admin key).

  • File ID 3, standard data file, contains token for 2nd floor, read access 0x3 (2nd floor key), all other permissions: 0x0 (admin key).

  • File ID 4, standard data file, contains token for 3rd floor, read access 0x4 (3rd floor key), all other permissions: 0x0 (admin key).

  • At the end you have to change the default settings of the PICC Master Key as mentioned in the beginning.

There are finer tuning points to mention, but this would be too much for this brief overview.
In the sequence of using the card in your application, application ID “000000” is not used! The reader on the first floor will do the following:

  1. SelectApplication(000001); // Your application

  2. ReadData(<file ID1>); // File with user ID, can be read without authentication

  3. AuthenticateAES(<key #2>); // Read access key #2

  4. ReadData(<file ID2>); // File with access token for first floor

This should be enough to begin your own app.

The TapLinx team
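An added worked example, not code from the post or from TapLinx: it packs the four access-right nibbles of the file layout described above (file 1 free to read, files 2 to 4 readable with floor keys #2 to #4, everything else on the admin key #0) into the 16-bit DESFire access-rights word, shows the byte order the card expects, and checks which reads the first-floor reader sequence is allowed to perform. The file IDs and key numbers are taken from the post; the nibble layout (read, write, read&write, change-access-rights from high to low nibble, 0xE = free, 0xF = never) follows the DESFire access-rights format.

```python
# Added example (not TapLinx code): DESFire file access rights for the door setup
# described in the post. Key numbers and file IDs are the post's; the nibble
# layout follows the DESFire access-rights word format.

FREE = 0xE   # "free access": no authentication required
DENY = 0xF   # "never": nobody gets this access, not even the admin key


def encode_access_rights(read, write, read_write, change):
    """Pack the four 4-bit access nibbles into the 16-bit access-rights word.
    Bit layout: read 15..12, write 11..8, read&write 7..4, change rights 3..0."""
    for name, nibble in (("read", read), ("write", write),
                         ("read_write", read_write), ("change", change)):
        if not 0 <= nibble <= 0xF:
            raise ValueError(f"{name} nibble out of range: {nibble:#x}")
    return (read << 12) | (write << 8) | (read_write << 4) | change


def decode_access_rights(word):
    """Inverse of encode_access_rights: split the word back into its nibbles."""
    return {"read": (word >> 12) & 0xF, "write": (word >> 8) & 0xF,
            "read_write": (word >> 4) & 0xF, "change": word & 0xF}


def access_rights_bytes(word):
    """DESFire transmits multi-byte fields least-significant byte first."""
    return bytes([word & 0xFF, (word >> 8) & 0xFF])


ADMIN_KEY = 0                       # key #0, admin key of the application
FLOOR1_KEY, FLOOR2_KEY, FLOOR3_KEY = 2, 3, 4   # read keys from the post

# File ID -> access-rights word, exactly the layout listed in the post.
FILES = {
    1: encode_access_rights(FREE, ADMIN_KEY, ADMIN_KEY, ADMIN_KEY),        # name + ID
    2: encode_access_rights(FLOOR1_KEY, ADMIN_KEY, ADMIN_KEY, ADMIN_KEY),  # floor 1 token
    3: encode_access_rights(FLOOR2_KEY, ADMIN_KEY, ADMIN_KEY, ADMIN_KEY),  # floor 2 token
    4: encode_access_rights(FLOOR3_KEY, ADMIN_KEY, ADMIN_KEY, ADMIN_KEY),  # floor 3 token
}


def can_read(file_id, authenticated_key=None):
    """A read is allowed if the read nibble or the read&write nibble is FREE,
    or matches the key the reader authenticated with (None = no authentication).
    Note that the admin key can read every file here via the read&write nibble."""
    rights = decode_access_rights(FILES[file_id])
    for nibble in (rights["read"], rights["read_write"]):
        if nibble == FREE:
            return True
        if nibble != DENY and authenticated_key == nibble:
            return True
    return False


def first_floor_reader(authenticated_key):
    """The reader sequence from the post: ReadData(file 1) without
    authentication, then AuthenticateAES(key) and ReadData(file 2).
    Returns (file 1 readable, file 2 readable)."""
    return (can_read(1, None), can_read(2, authenticated_key))


if __name__ == "__main__":
    for fid, word in FILES.items():
        print(f"file {fid}: rights {word:#06x} -> on the wire {access_rights_bytes(word).hex()}")
    print("first-floor reader with key #2:", first_floor_reader(FLOOR1_KEY))
    print("first-floor reader with key #3:", first_floor_reader(FLOOR2_KEY))
```

The check in `can_read` shows why the post's layout works: the floor-2 key (#3) can authenticate successfully, but it cannot read the floor-1 token because neither the read nibble (0x2) nor the read&write nibble (0x0) matches it, so separating floors by read key really does separate the tokens.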