Problem with ChangeKey on DesFire cards (3DES)

[Eyal Hartman]

Hi,
I am pretty new at DESFire coding, so hopefully my question will make sense.

I am having issues trying to change the key (from the initial 0x00.. keys to anything else 3DES).

I take a new/blank DESFire EV3 card
Perform authentication with the card using the master key (0000....) => successful.

Create a new application with the following configuration:
• Master key changeable
• Master key not needed for directory access/listing
• Master key authentication not needed to create/delete files
• Set the number of keys for the app to 5
• Key setting is changeable, master key auth. needed for key changing

I then create a data file under the application
The configuration is:
• Plain (un-encrypted)
• associate the file with 4 different keys (1,2,3,4 -> R,W,U,C)

Then, I write some numeric data to the file.

All the above is working well.

The problem begins when I try to change the keys (for example Key 0x01 which is the Read key for the file).

The initial key: 00000000000000000000000000000000 => 00....00 00 00 00 (00.....00 00 00 00)
The new key : 00000000000000000000000012341234 => 00....18 52 18 52 (00.....12 34 12 34)

Key number = 0x01
The command: 0xC4 0x01 …
CMD Key# Deciphered key data
(26 bytes in total)

The deciphered content is:
--------------------------
Key version = 0
SessionKey (after selecting the application and auth. with master key) =>
126 185 210 54 19 111 154 185 112 108 95 70 155 199 75 28 ( 7E B9 D2 36 13 6F 9A B9 70 6C 5F 46 9B C7 4B 1C)
The new key and old key are bit wise XOR-ed (16 bytes) => 0....18 52 18 52 (same as new key? Xor with 0?)
A CRC (2 bytes) is calculated over the XOR-ed data (using 0x8408 as poly and 0x6363 as initial value) => 85 216 (0x55D8)
A CRC (2 bytes) is calculated over the new key (the same as the Xored key?) => 85 216 (0x55D8)
A padding of 4 zeroes is added (to make the frame size a multiple of 8)
A 3DES deciphering operation is done (SEND mode) over the entire array (24 bytes length) with CBC and No-Padding,
(From my understanding the send mode deciphering operation is done by Xoring each 8 bytes with the deciphered previous 8 bytes)
IV=0x00... and key=SeesionKey from authentication =>
Result data : 6 12 55 192 233 19 63 102 228 58 137 120 146 250 129 14 149 255 189 15 88 55 98 102
(06 0C 37 C0 E9 13 3F 66 E4 3A 89 78 92 FA 81 0E 95 FF BD 0F 58 37 62 66)

I am getting 0x1E errors (INTEGRITY ERROR): CRC or MAC does not match data / Padding bytes not valid.

I though that it may be the CRC calculation so I did the update with a loop 1…65500 (basically brute force the CRC)
But that did not help either. So I may be doing something wrong with the processing of the data itself.

Any ideas will be appreciated

---

+ 0  |  - 0

[dapperr eindeer]

Could it be due to a software conflict?

---

+ 0  |  - 0

[Author]

Posts