MIFARE DESFire EV2 – how to encrypt data with custom key

Forum / MIFARE general topics and applications / MIFARE DESFire EV2 – how to encrypt data with custom key

  • 22. May 2020 at 4:52
    I am trying to store custom master key based encrypted data into my EV2 card and implanted chip. Can someone please share any guidance on whether there's an app that can allow me to accomplish this please (either a PC or Android app) ?

    thanks in advance

    + 0  |  - 0

    Re: MIFARE DESFire EV2 – how to encrypt data with custom key

    22. May 2020 at 14:56
    Hi N0AGI,

    We do not have an Android app doing this, but I can provide some code snippets in TapLinx. It is easy to implement the task in Android with TapLinx, because TapLinx will implement the encrypted communication with the card and let you trigger the authentication or reading or writing data with a single command.

    Here are some examples:

    DESFire change key (2K3DES to AES)

    DESFire Simple AES authentication

    DESFire EV1 change key

    By the way, TapLinx is also available as Java Desktop SDK.

    The TapLinx team
    + 0  |  - 0

    Re: MIFARE DESFire EV2 – how to encrypt data with custom key

    29. May 2020 at 1:26
    hi TapLinx team
    apologies if I am sounding thick here. I looked at the above mentioned, "DESFire EV1 change key" but, still have a few newbie questions. I would much appreciate any guidance.

    I am working with my DESFire EV2 (card and an implant) and hoping to build a few useful end-user use case applications for it.

    1. Is it possible to change the default PICC master key. Not just the encryption type, but, the actual key ?
    2. I am trying to create an application with a custom key with an encryption type for it. In looking at the above example, it looks like this is doable by simply creating a new app level key. Correct ?
    3. How does one use individual application level folders? Is the notion of an "application" meant to be used as storage unit for files that are sandboxed within the confines of the application domain ? So, if I want to look at the contents of a file within an application, I would first AuthN against the Master PICC key and then another AuthN at application key level and then enumerate the files ?
    4. Do you have any examples of end-user use cases of how DESFire EV2 is being used ? If there are ready made applications/tools, I would rather purchase them and use them rather than building on my own. Any suggestions here ?

    Sorry if these questions are basic, but, I am fairly new to this space.


    + 0  |  - 0

    Re: MIFARE DESFire EV2 – how to encrypt data with custom key

    29. May 2020 at 13:01
    Hi N0AGI,

    For a blank MIFARE DESFire EV2 the Master PICC Key is all bytes zero and 2K3DES cipher. The settings are the defaults from the first MIFARE DESFire (D40).

    I urgently recommend to change the default key value AND also the cipher! 2K3DES is not “state of the art” anymore, you should use always AES (128). Another recommendation. Never use key values which you can easily write down like “01234…” or “fefefe…”. Use ALWAYS values from a random generator!

    Let us clear your open questions.

    1. Yes it is possible and you should change key value and key cipher. Take in mind, for the PICC Master Key you can do this. For all applications keys, the cipher is defined with the application settings at creation time.

    2. Yes. If you create an application, you define the cipher (2K3DES, 3K3DES or AES) for the whole application and also the number of keys you want to use within the application. You can have up to 14 keys.

    3. Yes, the term “application” shows that all content of an application is managed by one identity. Let me explain it with an example. Let us assume you are the issuer of the card and the purpose is to manage the automatic doors in your facility. You create one application, let say “000001” and put all files in that app. Now let us assume you have a cafeteria in your facility. You can allow the cafeteria operator to create a second app, let say “000002” on the card and put the balance file (which tracks the credit of the card user) in app “000002”. The keys and files of the door access and the keys and files of the cafeteria credit are separated and protected from each other.

    4. No, sorry. We do not have ready-to-use examples, because every customer has different needs. But to setup your application is not difficult. You can ask via this forum. In the case we need to talk about non-public content, we must communicate via email.

    This is my “recommendation list” for your setup:

    • Define the number of keys and the cipher you want to use. Let say you have one application key (only for modifying files), one write key and three read keys. Create the application with AES128 and 5 keys.

    • Define the files for your needs. Let say one standard data file which contains read only data like user name and user ID. Take in mind, you must also define the length of the file at creation time. A file size cannot be changed later. Let say your app can have three token files which permit (or denied) access to floor 1, 2 and 3. Let say, key #2 is a read key for accessing the 1st floor, key #3 for accessing 2nd floor etc. Then you could have the following setup:

    • File ID 1, standard data file, contains user name and ID, read access: 0xE (free access), all other permissions: 0x0 (admin key).

    • File ID 2, standard data file, contains token for 1st floor, read access 0x2 (1st floor key), all other permission: 0x0 (admin key).

    • File ID 3, standard data file, contains token for 2nd floor, read access 0x3 (2nd floor key), all other permission: 0x0 (admin key).

    • File ID 4, standard data file, contains token for 3th floor, read access 0x4 (3th floor key), all other permission: 0x0 (admin key).

    • At the end you have to change the default settings of PICC Master Key as mentioned in the beginning.

    There are finer tuning points to mention, but this will be too much for this briefly overview.
    In the sequence of using the card in your application, application ID “000000” is not used! The reader in the first floor will do the following:

    1. SelectApplication(000001); // Your application

    2. ReadData(<file ID1>); // File with user ID, can be read without authentication

    3. AuthenticateAES(<key #2>); // Read access key #2

    4. ReadData(<file ID2>); // File with access token for first floor

    This should be enough for beginning your own app.

    The TapLinx team
    + 0  |  - 0

    Re: MIFARE DESFire EV2 – how to encrypt data with custom key

    29. May 2020 at 20:46
    this is super helpful - thank you for the detailed input and guidance. I will review and try to implement these in my attempts this weekend.

    + 0  |  - 0

    Re: MIFARE DESFire EV2 – how to encrypt data with custom key

    14. June 2020 at 4:26
    A quick question pertaining to preventing "tear", chip brick-age (if that's even a word) and maintaining data integrity between writes and updates.

    Is there a recommendation of setting up a "transaction block" prior to begin of writes / updates and then commit or cancel transactions.

    I am working with DF-EV2 implanted chipset. I want to be super mindful of error handling and managing data integrity so that I don't end up w/ bricked implanted chipset.


    + 0  |  - 0

    Re: MIFARE DESFire EV2 – how to encrypt data with custom key

    15. June 2020 at 9:01
    Hi N0AGI,

    You must always take in mind, the user can remove the card from the reader at any time! In a read operation, all what can happen is the operation was not successful and the user must apply the card again. In a write operation you must prohibit to corrupt the file data.

    All files except the StandardDataFile, are BackupFiles. This means they have a main and a mirror area. In a write operation you write to the mirror area and with CommitTransaction() the mirror file is the new main area and the previous main is the new mirror area. If the write is interrupted, only the mirror area contains invalid data, but the main area contains the unchanged data. You start a transaction with the command BeginTransaction() and you can cancel it with AbortTransaction().

    The cost you have to pay is the file size. A backup file is twice as it is used data size. For files where you only read, you would use a StandardDataFile. It is a good idea to have a feedback for the user. Either a green LED or an acoustical beep can signal the removing of the card from the reader.

    The TapLinx team
    + 0  |  - 0

    Re: MIFARE DESFire EV2 – how to encrypt data with custom key

    15. June 2020 at 15:27
    Thanks - would you be so kind and point me to an example where this Transaction blocks are demonstrated. or a code snippet best practice? I assume we will want to wrap the Begin/Commit/Rollback within the try/catch blocks.

    + 0  |  - 0

    Re: MIFARE DESFire EV2 – how to encrypt data with custom key

    18. June 2020 at 10:21
    Hi N0AGI,

    There is no magic behind. With the first write access to one of the backup files, the write changes the mirror area of that file. You can change several files. With commitTransaction() all changes from all files are updated on the card.

    // File 0x02 is a value file
    debit(0x02, 5); // Decrease the account by $5

    // File 0x03 is linear record file
    byte[] byRec = new byte[REC_SIZE] { … };
    writeRecord(0x03, REC_SIZE, byRec);


    If you find out (before commitTransaction() will be called ) that the changes should not be made, you call abortTransaction(). This invalidates all changes, but you are still connected and authenticated.

    The TapLinx team
    + 0  |  - 0
Viewing 9 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic.