Forum / MIFARE general topics and applications / SAM_LockUnlock error switching a virgin MIFARE SAM AV2 from AV1 to AV2 Mode
-
Hello,
I'm trying to activate the AV2 mode using a SAM_LockUnlock APDU.
In the SAM_LockUnlock Part 1 APDU following parameters are used:
P1: 0x03
KeyNo: 0x00
KeyVer: 0x00
MaxChainBlocks: 0x00 0x00 0xFF
The SAM_LockUnlock Part 1 APDU is sent and Rnd2 with status 0x90AF is received.
In the SAM_LockUnlock Part 2 i generate the CMAC over the Rnd2, the P1 of part 1, and the MaxChainBlocks (12+1+3 = 16 Bytes no padding needed)
Next the generated CMAC with the Rnd1 appended is sent and i always get following error code: 0x901E (mismatching CMACs)
The CMAC is calculated according to "NIST Special Publication 800-38B, May 2005" as referenced in the "P5DF081 - MIFARE secure access module SAM AV2" - Documentation.
All test vectors of the "NIST Special Publication 800-38B" are calculated correct with my current implementation.
For the SAM_LockUnlock Part 2 a "truncated CMAC = MACt" is used (8 Bytes). For the MACt i use the first 8 bytes of the calculated 16 byte CMAC.
I have following questions regarding the error code 0x901E:
Do i use the wrong CMAC standard?
Is the MACt calculated wrong by using the first 8 bytes only?
Did i use the wrong parameters? (KeyNo, KeyVer, MaxChainBlocks)
Note: AES-128 is used on the SAM
Best regards,
Chris
+ 0 | - 0
I solved this issue of calculating the right CMACt.
The calculation of the CMACt is described in the "AN1823 - Key Management and Personalization" documentation.
Best regards,
Chris
+ 0 | - 0
Hi Christopher,
Good to hear. Your CMAC calculation was wrong?
I would like recommend you to “AN 1823 – MIFARE SAM AV2 – Key Management and Personalization”. There is a calculated example of Switch to AV2 Mode on page 17.
The TapLinx team
+ 1 | - 0
Hi Christ,
Please, could you give me the specific page in AN1823 on which the calculation procedure is indicated?
Thank you and best regards.
Claudio
+ 0 | - 0
-
AuthorPosts
Viewing 4 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic.