Error E1 when changekey from TDES to AES on Desfire Card

[Christian Pennaforte]

Hello,

I'm trying to change a default CMK key (00 x 16 times) to an AES key.
I implemented this in a sand box which reproduces exactly the results of p. 73 of AN945.

When I run this code on a real card, if fails.

Here's the trace :

```
session: 619fe10487358dc942911b309954d6e3
keyNumber: 80 (I want an AES key)
keyVersion: 00
newKeyValue: 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10
CRC32(cmd + keyNumber + newKeyValue + keyVersion): B1 79 B3 64
ek0 = encryptTDES(source:01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 00 B1 79 B3 64 00 00 00, key: 61 9F E1 04 87 35 8D C9 42 91 1B 30 99 54 D6 E3, iv: 00 00 00 00 00 00 00 00)
ek0: 456c900fba087f349c561c46f15d5422189546852434b3a9
>>> 90 C4 00 00 19 80 45 6C 90 0F BA 08 7F 34 9C 56 1C 46 F1 5D 54 22 18 95 46 85 24 34 B3 A9 00
<<< 91 1E
ERR: CRC or MAC does not match data
```

Can some one give me a hint of what I'm doing wrong ?

Thansk

---

+ 0  |  - 0

[Christian Pennaforte]

Sorry, mistake writing the title : the error is 1E as you can read down the post, not E1 (but the question is still the same).

---

+ 0  |  - 0

[Christian Pennaforte]

Answer to myself, with the very good help from NXP support team: my card was initialized in single DES, and I computed the session as if it was not.

The good computation is explained at the bottom of 6.2 p. 45 or the doc AN0945:
- session key = RndA(byte0-byte3) + RndB(byte0-byte3)
and, in my case, not RndA(byte0-byte3) + RndB(byte0-byte3) + RndA(byte4-byte7) + RndB(byte4-byte7)

That's all, and simple.

---

+ 0  |  - 0

[Raavikant Chouhan]

Hi,

I have been through your query and it typically indicates that there is a mismatch between the computed and received CRC (Cyclic Redundancy Check) or MAC (Message Authentication Code). This mismatch could be due to several reasons, including incorrect encryption or decryption process, wrong keys, or improper handling of data.

Ok let's try to debug your issue:

Check the key values: Make sure that the new AES key you're trying to set, 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10, is correct and valid for your card. Also, verify the session key, 619fe10487358dc942911b309954d6e3, which is used for the encryption.

Verify the TDES encryption: Your trace indicates that you are using Triple DES (TDES) encryption to encrypt your data before sending it to the card. You should confirm that the TDES encryption process is functioning correctly. Cross-check the encryption algorithm with a trusted and tested TDES encryption utility.

Double-check the CRC32 value: The CRC32 value, B1 79 B3 64, seems to be derived from cmd + keyNumber + newKeyValue + keyVersion. Ensure that the CRC32 calculation is correct and the inputs are in the correct order.

Inspect command formatting: The command you're sending to the card, 90 C4 00 00 19 80 45 6C 90 0F BA 08 7F 34 9C 56 1C 46 F1 5D 54 22 18 95 46 85 24 34 B3 A9 00, should be properly formatted according to your card's documentation. Make sure each part of the command is correct.

Consult card's documentation: Refer to your card's documentation or technical manual to ensure that you're using the correct procedure for changing the CMK key. There might be specific requirements or restrictions imposed by the card manufacturer.

Lastly, if you're still having issues, consider reaching out to the card's manufacturer or vendor for technical support. They might be able to provide specific insights into why the process is failing.

Thanks

---

+ 0  |  - 0

[Author]

Posts