Trouble with GetCardUID
Hello everyone. I am working with a DESFire EV1 card and have some trouble with the GetCardUID command. No matter what I have tried, I cannot correctly decrypt the response from the card.
I am trying the following:
-- Select App
SEND : 5a 00 00 00
GOT : 91 00
-- Authenticate with the default 2K3DES key 0
SEND : 1a 00
GOT : db 33 0e 57 8c c8 c1 51 91 af
RndB : 8b d1 d0 a3 30 5f bc 4c (decrypted)
RndA : 43 db 12 62 de 8b bd 6e (generated)
SEND : af 5c 71 49 21 d7 04 40 c2 3e 6a 8b 46 2e bd 62 6a
GOT : f0 e8 33 22 5a cc 6f 55 91 00
(Decrypted and matching RndA)
Calculated:
Session Key : 42 da 12 62 8a d0 d0 a2 de 8a bc 6e 30 5e bc 4c (Filled parity bits with 0)
CMAC K1 : 37 74 f5 a3 08 b9 36 a5
CMAC K2 : 6e e9 eb 46 11 72 6d 4a
-- Get card UID
SEND : 5x (GetCardUID)
GOT : 46 99 76 f2 18 55 0d 46 fc 16 65 8f 23 fc 46 ae 91 00
To decrypt this, I first calculate the CMAC over the data sent in order to update the session IV.
I pad the INS to block-size : 5x 80 00 00 00 00 00 00
(Then I xor to K2, since it was padded, and encrypt using the session key, using a blank IV)
I calculated CMAC (and set the new IV) : 80 00 0e cc 1c f4 1c ff
Then I try to decrypt the response using the session key and the above IV:
Input: 46 99 76 f2 18 55 0d 46 fc 16 65 8f 23 fc 46 ae
Key: 42 da 12 62 8a d0 d0 a2 de 8a bc 6e 30 5e bc 4c
IV: 80 00 0e cc 1c f4 1c ff
Output: 02 31 9d ca 67 9b 17 75 cf a8 01 ec 14 67 fd 00
But it does not match the ID and of course the CRC does not match. Any ideas what could be wrong?
+ 0 | - 0
Hi Ioannis,
Please keep in mind that the GetCardUID command is only available if your card is configured to use a random UID in the anti-collision procedure.
The TapLinx team
+ 0 | - 0
Oh, good to know. Indeed I haven't enabled random UID. I was thinking of using this command to debug the implementation of my crypto algorithm, since I am also getting integrity errors with the ChangeKey instruction...
Thank you for your feedback.
+ 0 | - 0
Hi Ioannis,
As a recommendation: there is an application note with calculated examples for change key and encrypted communication. It is helpful for verifying your implementation. You can obtain it via NXP DocStore:
“AN 0945 – MIFARE DESFire EV1 – Features and Hints”.
The TapLinx team
+ 0 | - 0
Thank you for your feedback!
Apparently I was wrongly assuming that the default key on the blank card was a 2K3DES key, and this led me to compute the session key using the 2K3DES approach instead of the DES approach. Now I am back on track :)
And, by the way, GetCardUID now returns the correct card ID (that matches the ID that I received during a passive handshake) even though I haven't enabled random UID on the card.
+ 0 | - 0
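The DES versus 2K3DES session-key mix-up described in the post above, as an added example that is not part of the thread or of NXP's documentation. The derivation rules and the all-zero factory key are assumptions taken from public open-source DESFire implementations (for example libfreefare), and the function names are hypothetical; RndA and RndB are the values from the first post.

```python
# Added example: DESFire EV1 session-key derivation for DES vs 2K3DES keys.
# Derivation rules are assumed from public open-source implementations.

RND_A = bytes.fromhex("43db1262de8bbd6e")   # from the first post (generated)
RND_B = bytes.fromhex("8bd1d0a3305fbc4c")   # from the first post (decrypted)
DEFAULT_KEY = bytes(16)                     # assumed factory key: 16 zero bytes
# Constructed sample key with different halves, i.e. a real 2K3DES key.
SAMPLE_2K3DES_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def clear_parity(key: bytes) -> bytes:
    """Zero the LSB of each byte, as the post does ("Filled parity bits with 0")."""
    return bytes(b & 0xFE for b in key)


def is_single_des(key16: bytes) -> bool:
    """True when both 8-byte halves match once the parity bits are ignored.

    EDE 3DES with K1 == K2 collapses to single DES; that the card then uses
    the DES session-key rule is the assumption this example models.
    """
    if len(key16) != 16:
        raise ValueError("expected a 16-byte key")
    k = clear_parity(key16)
    return k[:8] == k[8:]


def session_key(auth_key: bytes, rnd_a: bytes, rnd_b: bytes) -> bytes:
    """Derive the session key from RndA/RndB according to the key type."""
    if len(rnd_a) != 8 or len(rnd_b) != 8:
        raise ValueError("RndA and RndB must be 8 bytes each")
    if is_single_des(auth_key):
        sk = rnd_a[:4] + rnd_b[:4]                           # DES: 8 bytes
    else:
        sk = rnd_a[:4] + rnd_b[:4] + rnd_a[4:] + rnd_b[4:]   # 2K3DES: 16 bytes
    return clear_parity(sk)


def as_3des_key(sk: bytes) -> bytes:
    """Expand an 8-byte DES session key to K1 || K1 for a 3DES engine."""
    return sk * 2 if len(sk) == 8 else sk


if __name__ == "__main__":
    print("DES rule    :", session_key(DEFAULT_KEY, RND_A, RND_B).hex(" "))
    print("2K3DES rule :", session_key(SAMPLE_2K3DES_KEY, RND_A, RND_B).hex(" "))
```

The 2K3DES branch reproduces the session key listed in the first post, while the DES branch yields only its first eight bytes, so every CMAC and IV derived from the longer key diverges from what the card computes.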
Hi Ioannis,
You are right! This command works in both cases and the datasheet is wrong. It is fixed in the next release.
Thank you,
The TapLinx team
+ 0 | - 0