Cannot create DESFire EV1 application with AES key


  • 13. July 2016 at 0:29
    Hello.
    We are trying to migrate from the lite SDK to the advanced one. It means we have a bunch of cards previously personalized using the lite SDK version, which uses an AES application master key to access files.

    I can successfully read/write all these cards with the AES master key this way:


    card.authenticate(DESFireEV1.AuthType.AES, Sam.NxpKey.PICC_KEY.ordinal(), (byte)0, 0, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);
    card.selectApplication(AID);
    card.authenticate(DESFireEV1.AuthType.AES, Sam.NxpKey.AP_KEY.ordinal(), (byte)0, 0, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);
    data = card.readData(0,0,remainingLength);


    The question is how to personalize a blank card to be able to follow the same algorithm to read/write?
    I tried many variations and every one failed. In general terms, the personalization goes the following way:


    byte appKeySettings1 = card.formatApplicationKeySettingOne((byte)1,
    IDESFireEV1.KSONE_APP_MKEY_CHANGABLE,
    IDESFireEV1.KSONE_CONFIG_CHANGABLE,
    IDESFireEV1.KSONE_FILE_DEL_NO_MKEY,
    IDESFireEV1.KSONE_GET_NO_MKEY);
    byte appKeySettings2 = card.formatApplicationKeySettingTwo((byte)2, IDESFireEV1.KSTWO_AES, false);

    card.selectApplication(0);
    card.authenticate(DESFireEV1.AuthType.Native, Sam.NxpKey.DEF_KEY.ordinal(), (byte) 0, 0, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);
    card.changeKey(0, Sam.NxpKey.DEF_KEY.ordinal(), (byte) 0, Sam.NxpKey.PICC_KEY.ordinal(), (byte) 0, DESFireEV1.KeyType.AES, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);

    card.authenticate(DESFireEV1.AuthType.AES, Sam.NxpKey.PICC_KEY.ordinal(), (byte) 0, 0, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);

    card.setConfigurationDefaultKey(Sam.NxpKey.AP_KEY.ordinal(), (byte)0);
    card.createApplication(AID, appKeySettings1, appKeySettings2);
    card.selectApplication(AID);

    card.authenticate(DESFireEV1.AuthType.Native, Sam.NxpKey.AP_KEY.ordinal(), (byte)0, 1, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);

    // The next line fails with "invalidResponse: Authentication Error"
    card.changeKey(0, Sam.NxpKey.AP_KEY.ordinal(), (byte)0, Sam.NxpKey.AP_KEY.ordinal(), (byte)0, DESFireEV1.KeyType.AES, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);

    //Next line fails with same exception
    card.changeKey(1, Sam.NxpKey.AP_KEY.ordinal(), (byte)0, Sam.NxpKey.AP_KEY.ordinal(), (byte)0, DESFireEV1.KeyType.AES, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);


    Thanks in advance!

    + 0  |  - 0

    Re: Cannot create DESFire EV1 application with AES key

    13. July 2016 at 9:35
    Hi Lexis,

    The general procedure for personalizing a blank MIFARE DESFire EV1 is as follows:

    1. Authenticate with the PICC Master Key (“00…00”).

    2. Create an application for your files. If you expect to use e.g. two keys, set three keys as the parameter! In your case key #0 is the Application Master Key, #1 the key for read access and #3 the key for write access.
    3. Select your application (key #0 is not the PICC Master Key anymore, now it is the Application Master Key).
      Now you can create the files or create/change the keys.

    4. Create a file with key #1 as read access, #2 as write access and maybe #0 as change access.

    5. Change the application keys:
      First authenticate to key #0 with the default key 00…00.

    6. Change the key #0 from default 00…00 to the new key value.

    7. Repeat it for the other keys, first authenticate to the key with the default key, and then change the key value.

    8. At the end change the PICC Master Key.


    Kind Regards,
    The MIFARE Team
    + 0  |  - 0

    Re: Cannot create DESFire EV1 application with AES key

    13. July 2016 at 13:56
    Below is a sample I created according to your instructions (except that the PICC Master Key is changed before creating the new application) and it does not work. Authentication for the new application fails. Does some workable sample exist which uses AES keys?
    Please NOTE: if I don't change the auth type from default to AES then it works fine. My question is EXACTLY about AES keys in the application.


    byte appKeySettings1 = card.formatApplicationKeySettingOne((byte)1,
    IDESFireEV1.KSONE_APP_MKEY_CHANGABLE, IDESFireEV1.KSONE_CONFIG_CHANGABLE, IDESFireEV1.KSONE_FILE_DEL_NO_MKEY, IDESFireEV1.KSONE_GET_NO_MKEY);
    byte appKeySettings2 = card.formatApplicationKeySettingTwo((byte)2, IDESFireEV1.KSTWO_AES, false);

    card.selectApplication(0);
    card.authenticate(DESFireEV1.AuthType.Native, Sam.NxpKey.DEF_KEY.ordinal(), (byte) 0, 0, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);
    card.changeKey(0, Sam.NxpKey.DEF_KEY.ordinal(), (byte) 0, Sam.NxpKey.PICC_KEY.ordinal(), (byte) 0, DESFireEV1.KeyType.AES, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);

    card.authenticate(DESFireEV1.AuthType.AES, Sam.NxpKey.PICC_KEY.ordinal(), (byte) 0, 0, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);

    card.createApplication(AID, appKeySettings1, appKeySettings2);

    card.selectApplication(AID);

    card.createFile(0, new DESFireFile.StdDataFileSettings(DESFireEV1.CommunicationType.Plain, 0, 0, 1, 1, 8));

    // Next line fails both with AuthType.Native and AuthType.AES
    card.authenticate(DESFireEV1.AuthType.Native, Sam.NxpKey.DEF_KEY.ordinal(), (byte)0, 0, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);

    card.changeKey(0, Sam.NxpKey.DEF_KEY.ordinal(), (byte)0, Sam.NxpKey.AP_KEY.ordinal(), (byte)0, DESFireEV1.KeyType.AES, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);
    card.authenticate(DESFireEV1.AuthType.AES, Sam.NxpKey.AP_KEY.ordinal(), (byte)0, 0, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);

    card.authenticate(DESFireEV1.AuthType.Native, Sam.NxpKey.DEF_KEY.ordinal(), (byte)0, 1, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);
    card.changeKey(1, Sam.NxpKey.DEF_KEY.ordinal(), (byte)0, Sam.NxpKey.AP_KEY.ordinal(), (byte)0, DESFireEV1.KeyType.AES, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, IKeyConstants.DIV_OPTION_NODIVERSIFICATION, null);



    + 0  |  - 0

    Re: Cannot create DESFire EV1 application with AES key

    13. July 2016 at 14:33
    Hi Lexis,

    If your PICC Master Key is for instance of type 3DES, you have to authenticate to this key with authenticate(DESFireEV1.NATIVE, ...) instead of authenticate(DESFireEV1.AES, ...). But you are free to select the cipher you want for your application keys (these are parameters of the command createApplication()). You are also free to change the cipher of the PICC Master Key from 3DES to AES if you want (with the command changeKey()).

    The MIFARE Team
    + 0  |  - 1

    Re: Cannot create DESFire EV1 application with AES key

    13. July 2016 at 14:59
    Unfortunately, the first application authenticate with DESFireEV1.AuthType.AES does not work either.

    + 0  |  - 0

    Re: Cannot create DESFire EV1 application with AES key

    14. July 2016 at 13:44
    Hello.

    Our development is blocked by this problem :(
    Is there any workable sample of how to personalize a blank DESFire card with AES keys?
    + 0  |  - 0

    Re: Cannot create DESFire EV1 application with AES key

    14. July 2016 at 16:46
    Hi Lexis,

    OK, I implemented the personalization of a blank DESFire EV1 with a 3DES default PICC Master Application Key.
    First I define my key values and the key store entries:



    I use entry #0 as AES default key, entry #2 with a user AES key (non-default) and entry #4 as 3DES default key:



    Let us go to the implementation. I select AID=0 and authenticate with the 3DES default key. Then I create an application with AES cipher and two user keys. Then I select that application, because I want to create files and keys. Then I authenticate with the AES default key to user key #1. This is the key I want to change. Then I change the user key #1 from default to the key value in entry #2. At last I create a standard data file with the size of 16 bytes. Read access is free, but write access is permitted to card key #1.



    Before I can write to the file I have to authenticate to card key #1. The last commands write 16 bytes to the file and read 16 bytes from the file.



    The log messages look like:



    I hope it helps you to get rid of the blocking issue.

    Regards,
    The MIFARE Team

    + 1  |  - 0

    Re: Cannot create DESFire EV1 application with AES key

    14. July 2016 at 21:36
    Thank you a lot. Using your sample I completed it.

    It looks like the problem was with the bKeySet value. The helper method formatApplicationKeySettingTwo works in some unclear way...

    I think many people will say thank you in the next days for this sample!
    + 0  |  - 0
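
The thread resolves on the key-settings byte passed to createApplication(). As an added example (not part of the thread and not TapLinx SDK code), the class below builds and checks that byte before it is sent, so an application that was meant to use AES keys is not created with 3DES keys; the class name, the method names and the bit layout (taken from the publicly documented DESFire EV1 command set) are assumptions of this example.

```java
// Added example (not TapLinx SDK code). Bit layout assumed from the public
// DESFire EV1 command set: bits 7..6 = crypto method, bits 3..0 = key count.
public final class KeySettings2 {
    /** Crypto method bits and the native authenticate command the card then expects. */
    public enum Crypto {
        DES_2K3DES(0x00, 0x0A),   // legacy Authenticate
        TDES_3K(0x40, 0x1A),      // AuthenticateISO
        AES(0x80, 0xAA);          // AuthenticateAES
        final int bits, authCmd;
        Crypto(int bits, int authCmd) { this.bits = bits; this.authCmd = authCmd; }
    }

    /** Builds the byte for an application with numKeys keys of the given type. */
    public static byte encode(Crypto crypto, int numKeys) {
        if (numKeys < 1 || numKeys > 14) {
            throw new IllegalArgumentException("key count must be 1..14, got " + numKeys);
        }
        return (byte) (crypto.bits | numKeys);
    }

    /** Returns the key type an application created with this byte will use. */
    public static Crypto cryptoOf(byte ks2) {
        int bits = ks2 & 0xC0;
        for (Crypto c : Crypto.values()) {
            if (c.bits == bits) return c;
        }
        throw new IllegalArgumentException("reserved crypto bits 0xC0");
    }

    public static int keyCountOf(byte ks2) { return ks2 & 0x0F; }

    /** Fails fast before the byte is sent, instead of at the first authenticate. */
    public static void requireAes(byte ks2, int expectedKeys) {
        if (cryptoOf(ks2) != Crypto.AES || keyCountOf(ks2) != expectedKeys) {
            throw new IllegalStateException(String.format(
                "KeySettings2 0x%02X creates %d %s key(s), expected %d AES key(s)",
                ks2 & 0xFF, keyCountOf(ks2), cryptoOf(ks2), expectedKeys));
        }
    }

    public static void main(String[] args) {
        byte good = encode(Crypto.AES, 2);   // two AES keys
        requireAes(good, 2);
        System.out.printf("0x%02X -> auth cmd 0x%02X%n", good & 0xFF, cryptoOf(good).authCmd);
        byte keyCountOnly = 0x02;            // constructed: crypto bits missing
        try { requireAes(keyCountOnly, 2); }
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

A byte that carries only the key count decodes as a DES/2K3DES application, which is why a later AES authenticate against the new application's default key is rejected.
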

    Re: Cannot create DESFire EV1 application with AES key

    17. September 2019 at 14:15
    Hello

    I am trying to change the key of my DESFire EV1 PICC, and the cipher algorithm is AES. But I am facing an issue. The algorithm is still showing as 3des when checked with another Android NFC application.
    I also tried to authenticate the card with my custom AES key and it got authenticated. The problem is that the Android application, or for instance other card reading software, is still showing me 3des in cipher algo.
    What could be the problem here?

    Key id is 0x80, key version is 0 with new and old key.

    Any help would be appreciated.

    Thanks in advance.
    + 0  |  - 0

    Re: Cannot create DESFire EV1 application with AES key

    18. September 2019 at 9:32
    Hi Anmol,

    Why do you add your question at the end of this thread? Has this anything to do with creating DESFire applications?

    The TapLinx team
    + 0  |  - 0

    Re: Cannot create DESFire EV1 application with AES key

    20. September 2019 at 8:57
    Hi Taplink Support
    Yes, it is related to the DESFire applications.

    Thanks
    A
    + 0  |  - 0

    Re: Cannot create DESFire EV1 application with AES key

    25. September 2019 at 10:30
    Hi Anmol,

    You wrote: “… other card reading software is still showing me 3des in cipher algo.”. How can a software show you the used cipher? To show that you use a certain cipher, the software must authenticate successfully with a known key.

    If the old key is a 2K3DES key and you want to change it to an AES key, then it is still a 2K3DES key if the key change fails. You should get an error message after the change key command.

    The TapLinx team
    + 0  |  - 0