KeyA and KeyB and how to protect the contactless card from cloning?


  • 15. February 2016 at 9:02
    Hi,
    I have a POS terminal that can write into a contactless MIFARE card and read from a contactless MIFARE card. For writing a Key A I use:
    cCard_.loadKey(aKey, eKeyStore);
    eKeyStore = 0;
    aKey[6] = {“FF”,”FF”,”FF”,”FF”,”FF”,”FF”}

    My access bits KeyA is in Sector 1 Block 3. Which means trailer block 7. Am I right?

    If I am correct there are 16 sectors. I already have my own key other than “FFFFFFFFFFFF”. Example:

    For Sector 0 Key A:
    My_Key = “8fd0a4f256e9”;
    My_Data1 = “2153”;
    My_Data2 = “es56fg87p4f2”;
    My_Data3 = “5852337644220001”;



    In Block Number 0, I have My_Data3, in block number 1, I have My_Data2 and in block number 2, I have My_Data1.

    I want to understand how to set my key for Key A and Key B.
    So when I say Block number 3, Key Store number 0, is it equal to “8f” or equal to “8fd0a4f256e9”?

    I need to understand the key option so I can encrypt my keys so only my POS terminal can access it.

    Example:
    CardNo: “5852337644220001”
    CardPass: “es56fg87p4f2”
    CardPin: “2153”
    KeyA: “8fd0a4f256e9”

    1) Which sector do I have to use to store my data for the above example? Can I use Sector 1?
    2) In the above example, how do I write My_Data1? Should I use Sector 1, Block 2, StoreNum 0, StoreNum1, StoreNum2, StoreNum3?
    3) Can I store the data “2153” in sector 1, block 2, storenum 0?

    What type of encryption do I have to use to protect my data from cloning?

    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    15. February 2016 at 9:47
    Hi,

    First of all: you can use any sector of the MIFARE Classic card. Only for sector 0 the first block is used with the manufacturer data. This is the UID of the device which you cannot change. The number of sectors and blocks depends on the size of the card. E.g.: a MIFARE Classic 1K provides 16 sectors with 4 blocks (=1024 bytes).

    If you use sector 1 (blocks 4 … 7) then 3 blocks (4, 5 and 6) can be used to store your data. The last block is the so-called sector trailer and contains the keys and the access condition bits. The access condition bits can be set e.g. to “read = free”, “write = Key A” or “read = Key B” and “write = Key A” etc. The level of protection depends on your use case.

    Please note that you have to authenticate with the correct key to each sector before you can read or write to it.
    Let us assume you use sectors 1 and 2 for your application. A typical sequence looks like:

    Authenticate( 4, KEY_A )   // Authenticate to sector 1/block 4 with key A
    Read( 4 ) // Read from block 4
    Write( 4, “0011...” ) // Write to block 4
    Authenticate( 8, KEY_B ) // Authenticate to sector 2/block 8 with key B
    Read( 8 ) // Read from block 8
    ...


    The real commands depend on the driver interface you use (C, C#, Java etc.)

    For a blank card both keys are “FFFFFFFFFFFF”. Before you issue the card to the end-customer you change the default keys to a new byte sequence. Please note, if you write to the sector trailer, you also set the access condition bits. Any later access to the sector must comply with the new keys and condition bits.

    You will find more information here:
    http://www.nxp.com/documents/data_sheet/MF1S50YYX_V1.pdf

    Kind regards,
    The MIFARE Team
    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    15. February 2016 at 10:45
    Kind Thanks,

    I read a lot about the MIFARE card. The driver interface that I have doesn’t explain very much. Even in the demo code there isn’t any comment to make any sense.
    In my app:

    1) I can connect to the card
    2) Load the Key (“FFFFFFFFFFFF” to save in terminal IC register somehow)
    3) Authenticate
    4) Read the block
    5) Write to the block


    I am having difficulty understanding the access bit rules. My understanding is this:
    There are 2 access bit rules: 1 for the data block access bits and the other for the sector trailer access bits. Am I right?

    I have the data shown below.

    My_Data1 = “2153”;
    My_Data2 = “es56fg87p4f2”;
    My_Data3 = “5852337644220001”;
    My current default KeyA = “FFFFFFFFFFFF”
    My current default KeyB = “FFFFFFFFFFFF”


    If I use KeyA I can read and write my data into the Sector 1, Block 0, Block 1 and Block 2.
    My main problem is I don’t know the access bits for data block or the sector trailer block.

    First of all with my app I want to change all the KEY A, KEY B and the access bits. I need to use Key A for writing data into the card and I want to use Key B to read the data from card. Is it possible?

    If so;
    Example:
    My new KeyA will be = “1665FE2AE945”
    My new KeyB will be = “3321FB75A356”

    1) How to change my Key A and Key B?
    2) Do I need to change the sector trailer access bit?
    3) How do I set new sector trailers bit?
    4) How do I set new data block access bits for KEY_A for writing and KEY_B is for reading?
    I know I have to use the new sector trailer as:
    " | access bits | general purpose byte | "

    But is it possible for you to give me an example using my above data, current key and new key?
    So I can get it into my brain. I am very confused because of reading a lot and not having good documentation of the API for my terminal.

    Kind Regards,
    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    15. February 2016 at 10:53
    So I couldn’t edit;

    I know I have to use the new sector trailer as:
    “new key A” | access bits | general purpose byte | “new key B”
    + 1  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    15. February 2016 at 17:06
    Hi,

    No, there are no two different “access rules”. The sector trailer is always the last block of a sector. For a MIFARE Classic 1K you have 16 sectors with 4 blocks for each sector. But for a MIFARE Classic 4K you have 32 sectors with 4 blocks for each sector and 8 sectors with 16 blocks!

    You can arrange the data you want to save in any way. Each block has 16 bytes and if your data is binary data you can save 16 bytes in any block. If your data are ASCII characters, you can save 16 characters in each block. For example, if My_data1 contains binary data, it reserves 2 bytes and My_data2 8 bytes, so you can write it to one block. My_data2 contains non hex values, so you have to save it as ASCII characters in another block.

    The pre-personalizing (the initializing of data on the card before you hand-over the card out to the end-user) could look like:
    LoadKey( 1, FFFFFFFFFFFF )   // default key
    LoadKey( 2, 1665FE2AE945 ) // your access key A
    Authenticate( 4, 1 ) // authenticate to block 4 with key store 1 = default key
    Write( 4, 58523376442200010000000000002153 ) // Write My_data1 and My_data3 to block 4
    Write( 5, “es56fg87p4f2 ” ) // Write My_data2 to block 5 as ASCII bytes (with space chars at the end)
    Write( 7, 1665FE2AE945XXXXXX003321FB75A356 ) // write to sector trailer the new keys
    ...
    Authenticate( 4, 2 ) // authenticate to sector 1/block 4 with the new key A
    Read( 4, ... ) // read the data back for verifying

    Some remarks:
    Most interfaces/drivers have a LoadKey() function to save the key for the authenticate method. This is what we do with the first two commands. The Authenticate() function refers to a key-store number instead of a key value.

    Every Write() and Read() function reads a complete 16-byte block. In block 4 two variables are saved (with zero bytes in the middle). My_data2 is no binary data and must be saved as ASCII bytes.

    The last command is the write to the sector trailer. With this write you overwrite the keys and the access bytes (marked as XXXXXX, please use a bit combination which is useful for you). You know the key, otherwise you could not authenticate successfully. But if you want to operate again on block 4, you have to authenticate with the new key! Any access to sector 1 is possible from now on with the new keys in the sector trailer.

    Now you can issue the card to the end-user.

    I hope, it is clearer now, to personalize the MIFARE Classic.
    The MIFARE Team
    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    15. February 2016 at 18:58
    Thank you mifare sdk.

    I will try to implement the steps tomorrow.

    1) My question on this topic is: how secure will my card be after I change the keys to the new keys shown in your example?

    Write( 7, 1665FE2AE945XXXXXX003321FB75A356 ) // write to sector trailer the new keys


    2) At the moment I am using only one application on the MIFARE Classic. So is it possible to change the keys of all other sector trailer blocks?
    3) What do I have to do to protect my card from cloning?
    4) Does MIFARE Classic have any encryption or do I have to apply it myself?
    5) I am using Ubuntu 12.04 and the Qt IDE for development. My POS terminal has embedded Linux. So what kind of secure encryption can I use?

    Kind Regards,


    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    16. February 2016 at 10:50
    Hi,

    After you have changed the keys in the sector trailer, any access needs an authentication with one of the new keys first. The access condition bytes let you use either key A or key B for protecting this sector. A third person has to check all possible key combinations to get a successful authenticate.

    Cloning means to make a copy from each memory location. For copying each sector you need the keys. If you do NOT use the default key, your data is protected. But keep in mind: to use the card for more than one purpose is also a use case. Let us assume for example, you have an application for an access system in sectors 2 and 3. Then you can have a debit account on your card for the cafeteria in sector 4. The cafeteria maintainer knows his own sector keys, but not yours (and vice versa). So you would not block all other sectors for using and the cafeteria maintainer also not.

    The MIFARE Classic uses a built-in encryption. This is supported by most of the reader manufacturers. The encryption algorithm cannot be changed. If you want to use e.g. DES, Triple-DES or AES encryption, you have to use one of our other products like the MIFARE Plus or the MIFARE DESFire.

    For any contactless reader you use, there are driver files available for all desktop operating systems. These drivers implement the key management and the encryption. You have to look into the user manual or the developer guide how to use the interface.

    I do not know the driver you want to use, but also for Linux there are drivers available. The widely used interface is the so called PC/SC interface. There is a port to Linux available, called PCSC-Lite.

    The MIFARE Team
    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    16. February 2016 at 16:00
    Kind Thanks,

    I want to use only one application that can access only sectors 2 and 3. My card is going to be used only with my POS terminal.
    I already changed key A and key B in all sectors. I am guessing I am protected. I will look into PCSC-Lite later.
    Thank you very much for all your help.

    Kind Regards



    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    19. February 2016 at 7:21
    Hi @mifaresdk

    In one of the above posts you mention the example steps as:

    LoadKey( 1, FFFFFFFFFFFF )   // default key
    LoadKey( 2, 1665FE2AE945 ) // your access key A
    Authenticate( 4, 1 ) // authenticate to block 4 with key store 1 = default key
    Write( 4, 58523376442200010000000000002153 ) // Write My_data1 and My_data3 to block 4
    Write( 5, “es56fg87p4f2 ” ) // Write My_data2 to block 5 as ASCII bytes (with space chars at the end)
    Write( 7, 1665FE2AE945XXXXXX003321FB75A356 ) // write to sector trailer the new keys
    ...
    Authenticate( 4, 2 ) // authenticate to sector 1/block 4 with the new key A
    Read( 4, ... ) // read the data back for verifying


    My question is: the first authentication is for block 4. Do I need to authenticate to blocks 5, 6 and 7 as well?
    Before continuing my coding I need to make sure that I understand correctly.

    Here are my steps:
      Default key is in 0 (0x00), new key in 1 (0x01)

      I need to write each data item to a different block


    LoadKey( 0, FFFFFFFFFFFF )             // default key
    LoadKey( 1, 1665FE2AE945 ) // your access key A
    Authenticate( 4, 0 ) // authenticate to block 4 with key store 1 = default key
    Authenticate( 5, 0 ) // authenticate to block 4 with key store 1 = default key
    Authenticate( 6, 0 ) // authenticate to block 4 with key store 1 = default key
    Write( 4, 58523376442200010000000000000000 ) // Write My_data1 to block 4
    Write( 5, “es56fg87p4f2 ” ) // Write My_data2 to block 5 as ASCII bytes (with space chars at the end)
    Write( 6, 21530000000000000000000000000000 ) // Write My_data3 to block 6
    Write( 7, 1665FE2AE945XXXXXX003321FB75A356 ) // write to sector trailer the new keys
    Authenticate( 4, 1 ) // authenticate to sector 1/block 4 with the new key A
    Authenticate( 5, 1 ) // authenticate to sector 1/block 4 with the new key A
    Authenticate( 6, 1 ) // authenticate to sector 1/block 4 with the new key A
    Read( 4, ... ) // read the data back for verifying
    Read( 5, ... ) // read the data back for verifying
    Read( 6, ... ) // read the data back for verifying


    Can you tell me whether my steps are correct?

    Kind Regards
    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    19. February 2016 at 9:06
    Hi,

    It is not required to authenticate to each block in a sector. You can imagine a sector as a data container with three 16-byte data variables and one access variable (the sector trailer). When you set the access conditions, you define the key assignment (which key should allow which access) for the three data blocks and the access condition block. Please have a look at the sample explanations in post:
    What is MIFARE Classic 1K Access Bits means? How to calculate and use it?

    With the successful authenticate to block 4 (sector 1) you have proven that you know the key and you can read or write (if the permissions allow that) to the data blocks. But there are two keys, so you are free to set the access conditions e.g.: Key A or key B read a block and key B write a block (see table 8, page 14 of the data sheet – link above). In the case of only reading you use key A. But if you want to write you have to use key B and this means to authenticate with key B. To avoid authenticating twice, you find in the datasheet (table 8) for the reading access “key A or key B” and for the writing access “key B”.

    In the case where the MIFARE Classic is only read or a value is decremented, you use key A and at the issuer terminal where data is changed or a value is incremented you use key B. To make the long story short: you can remove the authenticate(5,…) and authenticate(6,…) commands in your snippet (the "read for verifying" is not required, I used it only for demonstration).

    I hope my explanation helps.
    The MIFARE Team
    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    19. February 2016 at 10:11
    Kind Thanks,

    I removed authenticate(5) and (6).

    But I leave it as it is for "read for verifying". I want to make sure I am doing something right with the card.
    It takes a second to verify anyhow. So there is no cost.

    For verification I will use new Key A. For Writing I will use new Key B. I will use writing with new Key B later in my card operation.

    Thank you very much. You saved my day.

    Kind Regards.
    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    21. February 2016 at 9:49
    Hi @mifaresdk,

    With step 9 below I am not able to authenticate to read the card for verification. In step 7 I have the new key as:
    KeyA = 49DB59CFF2F3 AccessBits = 08778FFF KeyB = 2CBF23931A13

    Somewhere in the steps I am making a big mistake, so I cannot read my data anymore. With my GSM phone I downloaded the MIFARE Classic Tool, and you can see the output below in this post. As you can see Sector 1 is not readable. ?????

    1) Connect
    2) LoadKey( 0, FFFFFFFFFFFF ) // default key
    3) LoadKey( 1, 1665FE2AE945 ) // your access key A
    4) Authenticate( 4, 0 ) // authenticate to block 4 with key store 1 = default key
    5) Write( 4, 58523376442200010000000000000000 ) // Write My_data1 to block 4
    6) Write( 5, “es56fg87p4f2 ” ) // Write My_data2 to block 5 as ASCII bytes (with space chars at the end)
    7) Write( 6, 21530000000000000000000000000000 ) // Write My_data3 to block 6
    8) Write( 7, 49DB59CFF2F308778FFF2CBF23931A13 ) // write to sector trailer the new keys
    9) Authenticate( 4, 1 ) // authenticate to sector 1/block 4 with the new key A
    10) Read( 4, ... ) // read the data back for verifying
    11) Read( 5, ... ) // read the data back for verifying
    12) Read( 6, ... ) // read the data back for verifying
    13) Disconnect


    Reading the card with MIFARE Classic Tool:

    +Sector: 0
    F06D371DB7880400C206000000000013
    0F0003E103E103E103E103E103E103E1
    03E103E103E103E103E103E103E103E1
    A0A1A2A3A4A5787788C1FFFFFFFFFFFF
    +Sector: 2
    0
    0
    0
    FFFFFFFFFFFFFF078069FFFFFFFFFFFF
    +Sector: 3
    0
    0
    0
    FFFFFFFFFFFFFF078069FFFFFFFFFFFF
    +Sector: 4
    0
    0
    0
    FFFFFFFFFFFFFF078069FFFFFFFFFFFF


    Kind Regards
    + 0  |  - 0
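
The access-bit layout and the step list discussed above can be checked before anything is written to a sector trailer. The following is an added example, not code from the thread or from NXP: it decodes the three access bytes, verifies their inverted copies, and compares the key in the trailer with the key the terminal has loaded. The function names are assumptions; the sample values are the ones from steps 3 and 8 of the post above, for which it reports that key store 1 holds a different Key A than the trailer.

```python
# Added example, not from the thread. Trailer layout as described above:
# KeyA (6 bytes) | access bits (3) | general purpose byte (1) | KeyB (6).

# Data-block conditions (C1, C2, C3) -> (keys allowed to read, to write),
# taken from the access-condition table of the MF1S50 data sheet.
DATA_BLOCK = {
    (0, 0, 0): ("AB", "AB"), (0, 1, 0): ("AB", ""), (1, 0, 0): ("AB", "B"),
    (1, 1, 0): ("AB", "B"),  (0, 0, 1): ("AB", ""), (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", ""),    (1, 1, 1): ("", ""),
}

def encode_access(conds):
    """Build access bytes 6..8 from four (C1, C2, C3) tuples: blocks 0-2, trailer."""
    c1, c2, c3 = (sum(c[n] << i for i, c in enumerate(conds)) for n in range(3))
    inv = lambda nibble: ~nibble & 0x0F
    return bytes([inv(c2) << 4 | inv(c1), c1 << 4 | inv(c3), c3 << 4 | c2])

def decode_access(trailer_hex):
    """Return the (C1, C2, C3) tuple of each block; ValueError if malformed."""
    t = bytes.fromhex(trailer_hex)
    if len(t) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    c1, c2, c3 = t[7] >> 4, t[8] & 0x0F, t[8] >> 4
    conds = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    # Every bit is stored twice, once inverted. The card irreversibly blocks
    # a sector whose access bits fail this check, so test before writing.
    if encode_access(conds) != t[6:9]:
        raise ValueError("access bits fail the inverted-copy check")
    return conds

def preflight(trailer_hex, loaded_key_hex, key_type="A", op="read"):
    """List reasons why `op` on the data blocks would fail after the write."""
    t = bytes.fromhex(trailer_hex)
    conds = decode_access(trailer_hex)
    problems = []
    key_in_trailer = t[0:6] if key_type == "A" else t[10:16]
    if key_in_trailer != bytes.fromhex(loaded_key_hex):
        problems.append(f"Key {key_type} in trailer differs from the key "
                        "loaded in the key store")
    for block in range(3):
        allowed = DATA_BLOCK[conds[block]][0 if op == "read" else 1]
        if key_type not in allowed:
            problems.append(f"block {block}: Key {key_type} may not {op}")
    return problems

if __name__ == "__main__":
    # Values from steps 3 and 8 of the post above.
    trailer = "49DB59CFF2F308778FFF2CBF23931A13"
    print(decode_access(trailer))
    print(preflight(trailer, "1665FE2AE945"))          # key store 1, Key A
    print(preflight(trailer, "2CBF23931A13", "B", "write"))
```
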

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    22. February 2016 at 8:36
    Hi NTMS,

    I do not know the tool, but does it expect the default key, or do you enter the new key into the tool? The default key does not work anymore for sector 1 after you have initialized it.

    Do you get any errors in the initializing process?

    The MIFARE Team
    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    22. February 2016 at 8:55
    Hi @mifaresdk,

    You can find the tool in here: h**ps://play.google.com/store/apps/details?id=de.syss.MifareClassicTool&hl=tr
    Yes, the default key doesn't work for sector 1, because I changed the key in step 8 with

    Write( 7, 49DB59CFF2F30 8778FF F2CBF23931A13 ) // write to sector trailer the new keys



    In step 9 I get a 63 00 error, that is, it does not authenticate with the new key. I am wondering whether, after writing in step 8, I have to disconnect,
    then connect again, load the new key and try to read? I am not sure if the MIFARE Classic card works that way.

    Now my Sector 2 is;
    +Sector: 2
    0
    0
    0
    FFFFFFFFFFFFFF078069FFFFFFFFFFFF


    I am going to change my code to write in block 8, 9 and 10. I will also write in sector trailer with new keys.
    Then in step 9 I will again try to authenticate with new key to read the sector 2 data on block 8, 9 and 10.

    Kind Regards,
    + 0  |  - 0

    Re: KeyA and KeyB and how to protect the contactless card from cloning?

    22. February 2016 at 9:11
    In the above post I wrote less of the new key. My new key is:


    Write( 7, 49DB59CFF2F30 8778FFF  F2CBF23931A13 ) // write to sector trailer the new keys



    Kind Regards

    + 0  |  - 0
Viewing 15 posts - 1 through 15 (of 22 total)
