Problems creating a virtual card on a MIFARE4Mobile capable SE

Forum / MIFARE general topics and applications / Problems creating a virtual card on a MIFARE4Mobile capable SE

  • 24. August 2015 at 14:36
    Dear All,

    I am trying to create a virtual card on a MIFARE4Mobile enabled SE. Unfortunately my command coding is not accepted due to an invalid MAC SW=63E9. I assume, that my derivation procedure of the mandatory keys is wrong, or at least the derivation input is incorrect. The document "MIFARE Virtual Card Creation" describes in chapter 3 how to derive the keys in the hierarchy. Basically a derivation input is used together with the parent key to compute a CMAC according to NIST Special Publication 800-38B. But the documentation does not provide any information about the length of the derivation input.

    Q: Whats the definition of the derivation input length?

    Chapter 4 describes the Create VC command, with all it's parameters. One of the parameter is the MAC, which is also calculated according to NIST800-38B. The TLV list states, that the MAC is 16 bytes in length. But the within the picture below the description, the MAC is depicted as MACt(K,M). According to the M4M terminology, MACt(K,M) is a CMAC with an applied truncation. I am confused, because the description of the MAC parameter does not state anything about truncation. Furthermore a CMAC result is always 16 bytes in length due to the underlying block cipher. The wording MACt(K,M) would imply that the MAC has to be truncated to 8 byte (or else?), which results in a SW=63D4 (parameter error) when sending it to the SE.

    Can you give me an advice?

    Thanks in advance,


    PS: I didn't know where i could post my question, so i placed it here.
    + 0  |  - 0

    Re: Problems creating a virtual card on a MIFARE4Mobile capable SE

    20. November 2015 at 11:37
    Hi Michael,

    We currently have no special column for MIFARE4Mobile questions, so your post is correct here.

    For the whole creation of the payload for the createVC command you need only a CMAC and an AES encryption function. This is the data block you enter with the createVC command, TLV 12.

    Please notice that you can use different settings of the padding for the CMAC and encryption. I recommend not to use padding. In this case you have to set the input data in blocks of multiple of 8 bytes. For example the Wholesale Licence for a MIFARE Classic might be seven bytes. Concatenated with the pre-byte 01 you get the Derivation Input 1 which is eight bytes. The Derivation Input 1 is “maced” with the VC Creation Key (16 bytes) to the Wholesale VC Creation Key which has 16 bytes.

    If you use the JCShell, then all calculations can be done very easily in the Shell. The Shell provides the embedded commands mac and encrypt for the calculation. You can write
    /set-var CMAC_OUTPUT $(mac -m M7 -p NOPAD -k ${KEY} ${INPUT})

    Here the variable
    holds the key string,
    the input data string and
    the CMAC of the operation.

    The MIFARE Team

    + 0  |  - 0
Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.