MIFARE Classic and SAM AV2 Authentication


  • 10. April 2018 at 18:47
    Hello,
    I did not find any information about the MF Classic and SAM AV2 Authentication. There is a doc [AN10978 p.9] in nxp.docstore.com which explains it, but it is not very clear. I'm stuck at the first step. How can I start a communication with the MF Classic card using my Pegoda reader and TestWinscard.exe (using APDU commands) to receive the 32-bit RB from the MF Classic?

    6000 (meaning Auth. with key A, block 00) is not enough. How should I complete the APDUs? Or how can I start the communication, for the SAM solution?

    What I have here is not correct, because I do not have a key in my reader, but in the SAM. That's why from this FF[CLA] 86[INS] 0000[P1P2] 05[Lc] 01 00 00[Sector no] 60[Key A] 00[Key no] I get 6982 (security status not satisfied).

    Can you please help me?

    Kind regards,
    Adnan
    + 0  |  - 0

    Re: MIFARE Classic and SAM AV2 Authentication

    12. April 2018 at 9:54
    Hi Adnan,

    The authentication is always initiated from the reader by sending the “start authentication command”. It is the same for the other MIFARE products. If you want to authenticate with key A, you use command 0x60; for key B, you use 0x61. Additionally, you must add the block for which sector you want to authenticate. Let us say, the first sector. This is shown in the example on page 9. Therefore you send 0x6000.

    You should also read the details of the authentication in the datasheet on page 7 (see link below).
    Table 3 shows a calculated example of the communication between SAM and Classic.

    Datasheet

    The TapLinx team
    + 1  |  - 0

    Re: MIFARE Classic and SAM AV2 Authentication

    12. April 2018 at 12:11
    Hi,

    Thank you for the support. I understand what you say. But the 0x6000 command does not work. I need to add CLA, INS, P1, P2, Lc, "Data", and Le (if any Le). For example, to read the MF Classic UID the APDU is: FFCA000000
    +------+------+------+------+------+
    | CLA  | INS  | P1   | P2   | Lc   |
    +------+------+------+------+------+
    | 0xFF | 0xCA | 0x00 | 0x00 | 0x00 |
    +------+------+------+------+------+

    Now to authenticate what would the APDU cmd be?
    +------+------+------+------+------+--------------------------+----+
    | CLA  | INS  | P1   | P2   | Lc   | Data                     | Le |
    +------+------+------+------+------+--------------------------+----+
    | 0xFF | 0x86 | 0x00 | 0x00 | 0x05 | 0x01 0x00 0x00 0x60 0x00 | -- |
    +------+------+------+------+------+--------------------------+----+

    Now this does not work using my Pegoda reader and TestWinscard.exe (using APDU commands)! And it's true, because the last byte (0x00) in Data indicates the key positioning in the reader! - but I did not load any key in the reader memory, because I want to use the SAM.

    If I use the "MIFAREdiscover" that's OK, I have a solution, but that does not solve my problem. I need to work with APDU cmds.

    Example Logs:
    [10.04.2018 12:05:30] Info: phalMfc_Authenticate --------ENTRY-------- bBlockNo=3C, bKeyType=0A, wKeyNumber=003C, wKeyVersion=0000, pUid=xxxxxxxx
    [10.04.2018 12:05:30] Info: Send To Card = 603C [How should I build this in CLA INS P1 P2 Lc Data Le]
    [10.04.2018 12:05:30] Info: Recv From Card = 0A7D1949 , SUCCESS [to get this Rn 32 bits]
    [10.04.2018 12:05:30] Info: SentFrmHost = 80...
    [10.04.2018 12:05:30] Info: Send To SAM = 80...
    [10.04.2018 12:05:30] Info: Recv From SAM = ...90AF, SUCCESS
    ...
    ...
    [10.04.2018 12:05:30] Info: Recv From SAM = 9000, SUCCESS
    [10.04.2018 12:05:30] Info: GivenToHost = 9000
    [10.04.2018 12:05:30] Info: phalMfc_Authenticate --------LEAVE-------- [STATUS = SUCCESS]

    Kind regards,
    Adnan
    + 0  |  - 0

    Re: MIFARE Classic and SAM AV2 Authentication

    16. April 2018 at 16:43
    Hi Adnan,

    You want to use the Pegoda reader as well as contactless reader and also as contact reader for the built-in SAM? The PC/SC interface of the Pegoda reader is “limited”. Therefore a special library is provided for the Pegoda. Unfortunately, I never used this combination.

    Or do you have your own system with a separate NFC reader and contact interface to the SAM? Then you use the Pegoda/SAM only for testing and preparing the SAM?

    Sorry, it is not clear to me what your target system looks like.

    The TapLinx team

    + 0  |  - 0

    Re: MIFARE Classic and SAM AV2 Authentication

    16. April 2018 at 17:05
    Hi,

    I have the possibility to use both I believe, contactless and contact reader interface. As I have written, this is possible with MIFAREdiscover.

    603C is the command to use for Auth. with Key A, Block 3C. But how should I build this in CLA INS P1 P2 Lc Data Le? Sending ISO14443_4_TDX commands.

    My target system is to authenticate with this Mifare Classic card using the SAM. And you cannot send simply 603C because no reader will understand it. Even Pegoda. You need to write correctly the commands using CLA INS P1 P2 Lc Data Le.

    I'm able to do the DESFire - SAM authentication using all the APDU commands, but with the Classic I'm stuck at the first step, as I cannot get the 32-bit Random to proceed.

    Kind regards,
    Adnan
    + 0  |  - 0

    Re: MIFARE Classic and SAM AV2 Authentication

    17. April 2018 at 9:11
    Hi Adnan,

    How a MIFARE Classic is managed is defined by the reader manufacturer. You definitely need the user manual of the reader. For example, I have a HID Omnikey reader (contact and contactless). In the “Contactless Smart Card Readers - DEVELOPER GUIDE” from HID I found on page 17 a section about “MIFARE card”. The reader supports the following commands: GetUID, Loadkey, Authenticate, Verify, Update Binary, Read Binary. These commands are implemented according to PCSC 2.01. For the commands Increment and Decrement they have a proprietary extension of the PCSC APDU sequence, printed in the manual.

    The document “Interoperability Specification for ICCs and Personal Computer Systems - Part 3. Requirements for PC-Connected Interface Devices” defines the APDU sequences for the MIFARE Classic, tagged as “MIFARE Card”. Due to the Classic architecture, you must first load a key (the APDU sequence is shown in the paper) and then make an authentication against the loaded key number.

    Sorry, not straightforward, but with this information you should solve your problem.

    The TapLinx team
    + 0  |  - 0

    Re: MIFARE Classic and SAM AV2 Authentication

    17. April 2018 at 10:32
    Hi Adnan,

    An addendum: I wanted to know whether what I recommended to you works. I use the JCShell, an NXP tool. But you can use any shell. Please consider the comments beginning with a ‘#’:

    # Open connection to the MIFARE Classic EV1 (must be present on the reader)
    - /term SCComm:1:"OMNIKEY CardMan 5x21-CL 0"
    --Opening terminal
    # Load key (default key) "FFFFFFFFFFFF" in key number 0
    > /send FF82200006FFFFFFFFFFFF
    => FF 82 20 00 06 FF FF FF FF FF FF .. ........
    (4796 usec [SYS], 4646 usecs [DEV])
    <= 90 00 ..
    Status: No Error
    # Authenticate to block 0 with the stored key number 0
    > /send FF860000050100006000
    => FF 86 00 00 05 01 00 00 60 00 ........`.
    (23549 usec [SYS], 23407 usecs [DEV])
    <= 90 00 ..
    Status: No Error
    # Read block 0 (contains UID)
    > /send FFB0000010
    => FF B0 00 00 10 .....
    (4999 usec [SYS], 4758 usecs [DEV])
    <= 04 7F 4E 6A F1 3B 80 88 44 00 C8 00 00 00 00 00 ..Nj.;..D.......
    90 00 ..
    Status: No Error
    # Read block 1 (contains zeros)
    > /send FFB0000110
    => FF B0 00 01 10 .....
    (4790 usec [SYS], 4622 usecs [DEV])
    <= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    90 00 ..
    Status: No Error
    # Read block 2 (contains FF)
    > /send FFB0000210
    => FF B0 00 02 10 .....
    (4731 usec [SYS], 4612 usecs [DEV])
    <= 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 ................
    90 00 ..
    Status: No Error
    # Read block 3 (contains keys A and B) key A is never shown
    > /send FFB0000310
    => FF B0 00 03 10 .....
    (4859 usec [SYS], 4631 usecs [DEV])
    <= 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF .........i......
    90 00 ..
    Status: No Error


    It works!

    You will find the APDU sequences in the documentation referred in my previous post.

    The TapLinx team
    + 0  |  - 0
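
The load key / authenticate / read sequence from the JCShell session above, rebuilt in Python as an added example (not code from the thread or from NXP). The function names are hypothetical and every byte value is taken from the session; the trailer decoder assumes a 4-block sector.

```python
# Added example: builds the PC/SC "MIFARE Card" APDUs seen in the thread and
# decodes the access bits of the sector trailer returned by the block 3 read.
KEY_A, KEY_B = 0x60, 0x61

def load_key(key: bytes, key_no: int = 0, key_structure: int = 0x20) -> bytes:
    """FF 82 <key structure> <key number> 06 <key>; P1=0x20 as sent in the thread."""
    if len(key) != 6:
        raise ValueError("MIFARE Classic keys are 6 bytes")
    return bytes([0xFF, 0x82, key_structure, key_no, len(key)]) + key

def authenticate(block: int, key_type: int = KEY_A, key_no: int = 0) -> bytes:
    """FF 86 00 00 05 | 01 00 <block> <key type> <key number in the reader>."""
    if key_type not in (KEY_A, KEY_B):
        raise ValueError("key type must be 0x60 (key A) or 0x61 (key B)")
    if not 0 <= block <= 0xFF:
        raise ValueError("block number out of range")
    return bytes([0xFF, 0x86, 0x00, 0x00, 0x05, 0x01, 0x00, block, key_type, key_no])

def read_binary(block: int, length: int = 16) -> bytes:
    """FF B0 00 <block> <Le>."""
    return bytes([0xFF, 0xB0, 0x00, block, length])

def split_response(resp: bytes) -> bytes:
    """Strip the status word; anything but 9000 (e.g. 6982) is an error."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    sw = int.from_bytes(resp[-2:], "big")
    if sw != 0x9000:
        raise RuntimeError(f"reader returned SW={sw:04X}")
    return resp[:-2]

def decode_trailer(trailer: bytes) -> dict:
    """Map block index (0..3) to its (C1, C2, C3) access bits."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = trailer[6:9]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Every nibble is stored a second time inverted; a mismatch means a
    # corrupt or malformed trailer.
    if (b6 & 0x0F, b6 >> 4, b7 & 0x0F) != (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    # Bit i of each nibble belongs to block i of the sector (3 = the trailer).
    return {i: ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)}

if __name__ == "__main__":
    # Response to "FFB0000310" copied from the session above.
    resp = bytes.fromhex("000000000000FF078069FFFFFFFFFFFF9000")
    print(authenticate(0).hex().upper(), decode_trailer(split_response(resp)))
```

The trailer read in the thread decodes to (0, 0, 0) for blocks 0 to 2 and (0, 0, 1) for the trailer itself, which is the card's delivery configuration; seen together with the default key, it is worth flagging before a card goes into service.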