DesfireFire Personalization, Authentication

Forum / MIFARE SDK / DesfireFire Personalization, Authentication


  • 11. May 2016 at 22:08

    I have been studying the SDK (lite) and trying to make sense of the APIs. Below are functions API for DesFire. I am trying to understand both the sequence of formatting, personalizing and writing and writing the cards.

    I have listed below the API methods in the order I believe is how a new virgin cards is called. Please validate my sequence if it makes sense

    I have also labeled the function arguments names to match what I believe the actually arguments names represents, for example, I believe the MasterKeys in all the functions (assuming your working on the same card) is the same MasterKey. Please validate my thinking, In the example provided in the SDK, the MasterKeys are called mykey in the Format and Personalize function. masterkey in updateApplicationMasterKey, and authenticate function, oldKey and newKey respectively in updatePICCMasterKey .

    My thinking is that these are the same piccmasterkey and appKey (assuming the same card)

    This is my understand of sequence of order for a new new
    1. Formatted – the card needs to be initialized by formatting the cards

    This piccmasterkey is a 16 bytes AES key I generate right? Does a card come with a default key?

    2. Personalized – card is personalized as shown below
    mDESFire.personalize(piccmasterkey, appId, appKey);
    piccmasterkey is the same key I used in the format right?
    I generate my own appKey (16 bytes AES key) right?

    3. UpdatePICCMasterKey
    mDESFire.updatePICCMasterKey(oldpiccmasterkey, newpiccmasterkey)

    4. UpdateApplicationMasterKey
    mDESFire.updateApplicationMasterKey(piccmasterkey, appId, oldappKey,newappKey)

    + 0  |  - 0

    Re: DesfireFire Personalization, Authentication

    12. May 2016 at 9:24
    Hi Onyekachi,

    A brand new DESFire EV1 contains a 3DES default master key 00...00 as card key #0. The predecessor product did not support AES cipher, so the EV1 is compatible with its predecessor. You can change the cipher by changing the key to a 128 bit AES key.

    Card key #0 is the master key and you should use it only for administrative tasks, e.g.: set a new application key, format the whole card etc. For your application you should always create new keys with numbers #1, #2 etc. These keys belongs to the application and will be removed if you format the entire card. But the master key #0 is not removed, you need this key for creating new keys after the format.

    The personalizing of a brand new DESFire EV1 could be:

    1. Set default master key by changing the key from 3DES 00…00 to AES xx…xx (all zeros is the default value).
    2. Create a new application with an AID and define the number of keys you will need for protecting your files. If you need 3 keys, you should set the number to 4.
    3. Select the application with the AID.
    4. Create the files with the appropriate permissions. You cannot write to the file, because the keys are not yet initialized.
    5. Create the application keys. For creating app key #1, first authenticate to card key #1 with the default key to ensure you have the permission and the key is not in use. Then change the key #1 from the default value 00…00 to the destination value. Repeat it for the other application keys.
    6. Now you can access the file. E.g.: if it use key #1 you have to authenticate with key #1 and then you can read or write to the file.
    7. Do not forget to select to the application first before you operate with keys and files of this application.

    An addendum: if the master key (key #0) is initialized as first step in your personalizing phase, there is no reason to change it later again. Later you change only application keys and use the master key only for initializing new keys.

    Kind regards,
    The MIFARE Team
    + 0  |  - 0

    Re: DesfireFire Personalization, Authentication

    15. May 2016 at 20:56
    Thanks for your response, based on your response, would you please help me with the comparable Advanced SDK function for the give SDK LIte functions?

    1. In SDK LIte, I can perform a function mDESFire.updatePICCMasterKey(piccMasterKey, newPiccMasterKey). Assume the piccMasterKey is the default masterkey and the newpiccMasterKey is the new Key and your converting from DES to AES

    I was using the functions mDESFire.changeKey . Is this the correct function? Can you give me a sample argument on how to call it (if its the right function)

    2. How do you perform the following SDK Lite function in Advanced?
    mDESFire.updateApplicationMasterKey(piccMasterKey, appId, appKey, newAppKey);

    + 0  |  - 0

    Re: DesfireFire Personalization, Authentication

    16. May 2016 at 1:51

    I saw a response to most of my questions in a previous history

    I think the example in the link above was very helpful. I have a follow-up questions though

    1> Please explain why its not a good practice to change the whole card default key, Am assuming the master key for default app(0) is the main master key that can be used to reformat the whole card right?

    2> in the change key function
     objDESFireEV1.changeKey( 1 , 2, (byte)0x00, 5, (byte)0, DESFire.KeyType.TWOK3DES,



    showMessage( "Card key 1 changed from default to new value", 'd' );

    What determines number of keys I have? where was the number of keys defined first before knowing which number to change.
    + 0  |  - 0

    Re: DesfireFire Personalization, Authentication

    17. May 2016 at 23:58

    1) I am not sure as to why it is not. I think you should change your DEFAULT MASTER KEY to something what you want, otherwise everyone who detects that you use DESFire will first try to authenticate with DEFAULT MASTER KEY, which means, that person can erase your card or even do other changes if you weren't carefull.

    2) You determine the number of keys you have during application creation procedure in KeySettingsTwo --> check the JavaDoc you'll notice it. Once you create an application with 5 keys (for example) they are all 00's. Once you apply changeKey method, they will change to the keys you defined in KeyStore.

    Hope it helps.
    + 0  |  - 0
Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.