Geek Answers Handbook

Sample Desfire EV1 Messages

There are many questions about Desfire EV1 cards here at Stackoverflow. But if you are looking for some example data, the only place you will find a few bytes is on the Ridrix Blog . But it is rather incomplete.

Many people wrote their problems there while developing code for Desfire cards. But basically, when they solved their problem, they were too lazy to post a solution. Thus, you will find many questions, but very few answers with sample data.

Even if you have Desfire EV1 documentation (I don’t have it, I learned the easypay code), you will need more than that, Documentation is just a theory. But what is the reason that your card returns an authentication error or an integrity error or an unexpected CMAC?

  • Is the session key OK?
  • Does CBC work in the correct mode?
  • Is CMAC calculated correctly?
  • Is CRC32 Right?
  • Is IV session key correct before / after function call?

Without examples, you are completely lost.

+8
arduino mifare contactless-smartcard
source share
2 answers

After spending several weeks developing Desfire EV1, I decided to publish some examples for all those who need input to supply their complex cryptographic functions and compare the results with the expected data. I know this is EXTREMELY useful.

Here you will find some debug output for the most important Desfire EV1 operations. You cannot find this information on the Internet at this time. If I had these examples, I would have saved MUCH time in developing my code.

Pitfalls for ISO and AES Authenticated Sessions

In ISO and AES mode, EVERY encryption / decryption passes through CBC . The IV session key is reset ONLY ONCE, when the key is created after authentication. The authentication key IV is reset ONLY ONCE when authentication begins.

During authentication:

  1. Random B received from card using RECEIVE + DECIPHER
  2. Random AB sent to card using SEND + ENCIPHER
  3. Random A obtained with RECEIVE + DECIPHER

CMAC is a copy of an IV session key. CMAC should mainly be calculated for data sent to the card and for data returned from the card. But all the commands that perform CBC encryption (for example, ChangeKeySettings) are different from this scheme. Commands that send / receive multiple frames (for example, GetApplicationID) should calculate the CMAC from the data of all frames that were sent / received (not including the 0xAF status byte). For TX data, CMAC is calculated by command byte + all parameter bytes. For RX data, CMAC is calculated for all response bytes + the last status byte (always 00 = Success), which must be added at the end!

Authentication invalidated :

  • when an error occurs (state! = 00 and! = AF),
  • when the SelectApplication application is running,
  • after changing the same key that was used for authentication,
  • when another card falls into the RF field (do not forget to reset the variables).

In these cases, the session key is no longer valid, so the CMAC should not be calculated.

The CRC32 of a new key is calculated only from the key data itself. CRC32 cryptograms are calculated by command, key number, and cryptogram not yet encrypted.

The following debug output was generated by my code running in Teensy 3.2 with the Adafruit PN532 board. See my source code for more information. C ++ source code was written for Arduino / Teensy, but it was designed multi-platform so that it can be compiled on Visual Studio, Linux, or other platforms. The zip file also contains a Visual Studio project.

In the following examples, all keys have a key version of 0x10.

ISO authentication with default key 2K3DES # 0

*** Authenticate(KeyNo= 0, Key= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (DES)) Sending: <1A 00> Response: <AF B8 90 04 7F 2D C8 D6 8B> * RndB_enc: B8 90 04 7F 2D C8 D6 8B * RndB: 74 B8 43 5F CB A0 B6 75 * RndB_rot: B8 43 5F CB A0 B6 75 74 * RndA: 92 31 34 8B 66 35 A8 AF * RndAB: 92 31 34 8B 66 35 A8 AF B8 43 5F CB A0 B6 75 74 * RndAB_enc: 7C 84 6A 50 7B 9B 6E 68 64 BC 33 72 A3 06 A8 C1 Sending: <AF 7C 84 6A 50 7B 9B 6E 68 64 BC 33 72 A3 06 A8 C1> Response: <00 B7 96 DD 3F 81 15 45 F3> * RndA_enc: B7 96 DD 3F 81 15 45 F3 * RndA_dec: 31 34 8B 66 35 A8 AF 92 * RndA_rot: 31 34 8B 66 35 A8 AF 92 * SessKey: 92 30 34 8A 74 B8 42 5E 92 30 34 8A 74 B8 42 5E (DES)

Change 2K3DES default key # 0

 *** ChangeKey(KeyNo= 0) * SessKey: B4 28 2E FA 9E B8 2C AE B4 28 2E FA 9E B8 2C AE (DES) * SessKey IV: 00 00 00 00 00 00 00 00 * New Key: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80 (2K3DES) * CRC Crypto: 0x5001FFC5 * Cryptogram: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80 C5 FF 01 50 00 00 00 00 * CryptogrEnc: 87 99 59 11 8B D7 7C 70 10 7B CD B0 C0 9C C7 DA 82 15 04 AA 1E 36 04 9C Sending: <C4 00 87 99 59 11 8B D7 7C 70 10 7B CD B0 C0 9C C7 DA 82 15 04 AA 1E 36 04 9C> Response: <00>

Change 2K3DES default key number 1

 *** ChangeKey(KeyNo= 1) * SessKey: 9C 70 56 82 5C 08 9E C8 9C 70 56 82 5C 08 9E C8 (DES) * SessKey IV: 00 00 00 00 00 00 00 00 * New Key: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80 (2K3DES) * Cur Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (DES) * CRC Crypto: 0xD7A73486 * CRC New Key: 0xC4EF3A3A * Cryptogram: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80 86 34 A7 D7 3A 3A EF C4 * CryptogrEnc: 7D 83 D3 4E FB 6C 84 98 48 E2 D6 37 AD A2 D0 87 14 36 1A E6 C4 63 14 52 Sending: <C4 01 7D 83 D3 4E FB 6C 84 98 48 E2 D6 37 AD A2 D0 87 14 36 1A E6 C4 63 14 52> Response: <00 1D 5C 27 97 10 86 30 8D> CMAC: 1D 5C 27 97 10 86 30 8D

ISO authentication with default key 3K3DES # 0

 *** Authenticate(KeyNo= 0, Key= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (3K3DES)) Sending: <1A 00> Response: <AF 14 65 76 AC 1B 7D B8 CA 24 84 C5 69 7F 80 12 E1> * RndB_enc: 14 65 76 AC 1B 7D B8 CA 24 84 C5 69 7F 80 12 E1 * RndB: BA 91 37 BB 7A 18 33 E7 39 F0 5E 8F 07 87 D0 C4 * RndB_rot: 91 37 BB 7A 18 33 E7 39 F0 5E 8F 07 87 D0 C4 BA * RndA: F5 68 6F 3A 39 1C D3 8E BD 10 77 22 81 44 5B F6 * RndAB: F5 68 6F 3A 39 1C D3 8E BD 10 77 22 81 44 5B F6 91 37 BB 7A 18 33 E7 39 F0 5E 8F 07 87 D0 C4 BA * RndAB_enc: D0 55 BD 5E A0 1E BF C3 02 93 D4 8A 54 A0 51 B4 0A 66 57 7A 38 3C 58 ED 77 5C 51 BC 97 D4 FA BD Sending: <AF D0 55 BD 5E A0 1E BF C3 02 93 D4 8A 54 A0 51 B4 0A 66 57 7A 38 3C 58 ED 77 5C 51 BC 97 D4 FA BD> Response: <00 E1 EE 93 F0 12 C8 D6 72 11 D4 33 7C AD 56 6A 40> * RndA_enc: E1 EE 93 F0 12 C8 D6 72 11 D4 33 7C AD 56 6A 40 * RndA_dec: 68 6F 3A 39 1C D3 8E BD 10 77 22 81 44 5B F6 F5 * RndA_rot: 68 6F 3A 39 1C D3 8E BD 10 77 22 81 44 5B F6 F5 * SessKey: F4 68 6E 3A BA 90 36 BA D2 8E BC 10 32 E6 38 F0 80 44 5A F6 06 86 D0 C4 (3K3DES)

Change 3K3DES default key number 0

 *** ChangeKey(KeyNo= 0) * SessKey: F4 68 6E 3A BA 90 36 BA D2 8E BC 10 32 E6 38 F0 80 44 5A F6 06 86 D0 C4 (3K3DES) * SessKey IV: 00 00 00 00 00 00 00 00 * New Key: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80 70 60 50 40 30 20 10 00 (3K3DES) * CRC Crypto: 0xA2003ED6 * Cryptogram: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80 70 60 50 40 30 20 10 00 D6 3E 00 A2 00 00 00 00 * CryptogrEnc: 7F 88 90 C7 CA B9 A4 22 81 73 A6 41 B6 5F 0F 43 FD 40 4A 01 13 71 A9 90 4A 62 9E 3C 20 B2 FF 63 Sending: <C4 00 7F 88 90 C7 CA B9 A4 22 81 73 A6 41 B6 5F 0F 43 FD 40 4A 01 13 71 A9 90 4A 62 9E 3C 20 B2 FF 63> Response: <00>

Change 3K3DES default key number 1

 *** ChangeKey(KeyNo= 1) * SessKey: 9C 52 0E 3C B4 5A B2 A4 A2 00 C4 DA 72 2C 0E F4 38 FE 8A 48 F8 18 9E 56 (3K3DES) * SessKey IV: 00 00 00 00 00 00 00 00 * New Key: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80 70 60 50 40 30 20 10 00 (3K3DES) * Cur Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (3K3DES) * CRC Crypto: 0x078BAED8 * CRC New Key: 0x12A6733E * Cryptogram: 00 10 20 31 40 50 60 70 80 90 A0 B0 B0 A0 90 80 70 60 50 40 30 20 10 00 D8 AE 8B 07 3E 73 A6 12 * CryptogrEnc: 72 18 2F 5B 0C F1 7E A0 86 A5 AE A5 64 ED 98 7A F3 90 CD B3 78 36 4E 2B C2 45 8B 3A E3 23 98 4D Sending: <C4 01 72 18 2F 5B 0C F1 7E A0 86 A5 AE A5 64 ED 98 7A F3 90 CD B3 78 36 4E 2B C2 45 8B 3A E3 23 98 4D> Response: <00 D2 E3 BD 0D 09 47 72 ED> CMAC: D2 E3 BD 0D 09 47 72 ED

AES authentication with default AES key No. 0

 *** Authenticate(KeyNo= 0, Key= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (AES)) Sending: <AA 00> Response: <AF FF 0A FB 10 B4 3F 3B 34 23 36 57 0F 7A 0E 8B 74> * RndB_enc: FF 0A FB 10 B4 3F 3B 34 23 36 57 0F 7A 0E 8B 74 * RndB: 1F 45 19 27 E7 C0 FC DE 60 9E E8 02 EF 69 76 04 * RndB_rot: 45 19 27 E7 C0 FC DE 60 9E E8 02 EF 69 76 04 1F * RndA: 73 AE 5D 30 17 42 21 64 FB 16 25 D8 1F 2A 69 8C * RndAB: 73 AE 5D 30 17 42 21 64 FB 16 25 D8 1F 2A 69 8C 45 19 27 E7 C0 FC DE 60 9E E8 02 EF 69 76 04 1F * RndAB_enc: B3 11 34 03 F5 73 95 35 CA 1A 5D 4B D4 38 BE 03 2B 54 28 32 3D 0A 83 4D 11 8F 35 06 C4 2C 5B 01 Sending: <AF B3 11 34 03 F5 73 95 35 CA 1A 5D 4B D4 38 BE 03 2B 54 28 32 3D 0A 83 4D 11 8F 35 06 C4 2C 5B 01> Response: <00 E2 AE 7D 31 29 48 19 69 E9 A0 C7 CC 89 1E DF 58> * RndA_enc: E2 AE 7D 31 29 48 19 69 E9 A0 C7 CC 89 1E DF 58 * RndA_dec: AE 5D 30 17 42 21 64 FB 16 25 D8 1F 2A 69 8C 73 * RndA_rot: AE 5D 30 17 42 21 64 FB 16 25 D8 1F 2A 69 8C 73 * SessKey: 73 AE 5D 30 1F 45 19 27 1F 2A 69 8C EF 69 76 04 (AES)

Change default AES key # 0

 *** ChangeKey(KeyNo= 0) * SessKey: 73 AE 5D 30 1F 45 19 27 1F 2A 69 8C EF 69 76 04 (AES) * SessKey IV: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 * New Key: 00 10 20 30 40 50 60 70 80 90 A0 B0 B0 A0 90 80 (AES) * CRC Crypto: 0x6BE6C6D2 * Cryptogram: 00 10 20 30 40 50 60 70 80 90 A0 B0 B0 A0 90 80 10 D2 C6 E6 6B 00 00 00 00 00 00 00 00 00 00 00 * CryptogrEnc: 97 41 8E 6C C0 1C 4E 6F AD 4D 87 4D 8D 42 5C EA 32 51 36 11 47 2C DA 04 E3 5E FB 77 9A 7D A0 E4 Sending: <C4 00 97 41 8E 6C C0 1C 4E 6F AD 4D 87 4D 8D 42 5C EA 32 51 36 11 47 2C DA 04 E3 5E FB 77 9A 7D A0 E4> Response: <00>

Change default AES key No. 1

 *** ChangeKey(KeyNo= 1) * SessKey: 1C D3 8E BD 95 F3 1C 8A B8 7F 0A C9 C4 EB 64 C6 (AES) * SessKey IV: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 * New Key: 00 10 20 30 40 50 60 70 80 90 A0 B0 B0 A0 90 80 (AES) * Cur Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (AES) * CRC Crypto: 0x84B47033 * CRC New Key: 0x1979E3BF * Cryptogram: 00 10 20 30 40 50 60 70 80 90 A0 B0 B0 A0 90 80 10 33 70 B4 84 BF E3 79 19 00 00 00 00 00 00 00 * CryptogrEnc: 30 23 FA 06 2D 25 0A 04 35 BA E9 45 CA BE 96 5D 62 2A 47 1D 32 5D 1D 42 EA 81 44 41 CB 1A 20 C3 Sending: <C4 01 30 23 FA 06 2D 25 0A 04 35 BA E9 45 CA BE 96 5D 62 2A 47 1D 32 5D 1D 42 EA 81 44 41 CB 1A 20 C3> Response: <00 9B 68 30 91 50 E0 72 5E> CMAC: 9B 68 30 91 50 E0 72 5E

CMAC calculation for AES 128

From: NIST

 AES Key: 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c SubKey1: fb ee d6 18 35 71 33 66 7c 85 e0 8f 72 36 a8 de SubKey2: f7 dd ac 30 6a e2 66 cc f9 0b c1 1e e4 6d 51 3b Message: <empty> CMAC: bb 1d 69 29 e9 59 37 28 7f a3 7d 12 9b 75 67 46 Message: 6b c1 be e2 2e 40 9f 96 e9 3d 7e 11 73 93 17 2a CMAC: 07 0a 16 b4 6b 4d 41 44 f7 9b dd 9d d0 4a 28 7c Message: 6b c1 be e2 2e 40 9f 96 e9 3d 7e 11 73 93 17 2a ae 2d 8a 57 1e 03 ac 9c 9e b7 6f ac 45 af 8e 51 30 c8 1c 46 a3 5c e4 11 CMAC: df a6 67 47 de 9a e6 30 30 ca 32 61 14 97 c8 27

If you need more examples (also for CreateApplication, SelectApplication, DeleteApplication, GetApplicationIDs, GetKeyVersion, GetKeySettings, ChangeKeySettings, GetCardVersion, FormatCard, CreateStdDataFile, GetFileIDs, GetFileSetata, DownloadFileSetata, DownloadFileSileFata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata, DownloadFileSileata You will find an HTML file with all the self tests in which all these commands are checked.

+16
source share

I am trying to read data from Mifare DESFire EV1 - AES. Authentication went well and I got 0x00 + RNDAR, which is the same as on my side.

Now I need to read the data using the 0xBD instruction, but in return I get 16 random bytes.

Questions:

What should be IV at the moment? I mean, should this change after authentication? and if so, how should I calculate this? How do I decrypt received bytes? with static keys did I use for authentication or with sessionKey? I have to recover 8 bits, which should always be the same. Any clue?

0
source share

More articles:


All Articles