Topic: Problem changing key

Hi,

I am trying to change the keyno1 of my application but I am having some problems.
The keySettings are defined to 0f 02. I am able to authenticate to key0 and get the session key.

The old key is 00..00 since I have not changed it. And the new key I want to set is 0x00112233445566778899AABBCCDDEEFF. When I send the command, the PICC always returns a 911E (apparently it doesn't like the CRC or the padding).

Assuming that my key is 00..00, the XOR does not affect the key, so the first parameter I guess should be the new key itself. Then I calculate the CRC and I get 69CC (Is that correct???), so I have to append it twice (once for the XORed key and once for the new key), and then I append 4 0x00s as padding.

Here are the values I am receiving right now:

Session Key: D8 15 60 CE 33 55 7D BC 3E F4 34 EA 1D FF F9 28
Old Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
New Key: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF

Key Data: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 69 CC 69 CC 00 00 00 00
Transmitted data: 71 66 0B 4C C6 EB A6 F9 D6 36 86 2F 6A ED 33 E5 D9 84 50 B0 04 6B A9 85

Can anyone complete the key changing using these values and pass me the values I should receive in all the steps?? I must be doing something bad but I have read the documentation and I don't know where.


Thanks, Gorka

Re: Problem changing key

Hi

There are two problems in your code:

  1. The CRC is a crc32, so it is 4 bytes long.

  2. The second CRC is supposed to include the frame headers, so both CRCs are different.

You can have a look at the libfreefare project in nfc-tools: it features all required functions to work with a Mifare DESFire, and Mifare DESFire EV1 support is currently being worked on:
<http://code.google.com/p/nfc-tools/>

Romain

Re: Problem changing key

Hi,

Thanks for your response. I have downloaded and installed the nfc-tools code but I cannot work directly in a Linux distribution and the vmware is giving me many problems. I will try to install nfc-tools in another linux machine and test the Desfire tools. I have to complete some operations soon, so I am using another tool to manage my Desfire card.

By the way, there is something I don't understand in your response. The specification says: "The new key and the current key are bit-wise XORed (16 byte). A CRC (2 byte) is calculated over the XORed data and appended at the end. Additionally a CRC (2 byte) of the new key is appended". So, why do you say it is a crc32 and 4 bytes long?? Can you explain this to me??

Well, if I try to get the crc32 for the key 0011..FF I get 7f601da6, is that correct?? Then, you say the second CRC is supposed to include the headers. Ok, so the input should be: 90 C4 0000 19 01 00 11 22 .. FF 7F 60 1D A6?? Hope you can clarify this point for me.


Once again, thank you very much for your time.

Regards.

Last edited by g.hernando (2010-12-17 10:11:23)

Re: Problem changing key

Oops! I read too fast, I thought you were authenticating using AES crypto.

Your CRC seems to be BE instead of LE, give 0xCC69 a try ;-)

In case you are interested in new crypto schemes of EV1 cards, have a look to this code:
http://code.google.com/p/nfc-tools/sour … ?r=712#542

Romain

Re: Problem changing key

Hi again,

There is no way to make that work!!! :(

Well, here is all I have done, maybe there is something else bad and that is why I cannot change the key.

Application creation:
90 CA 0000 05 11 EE EE 0F 02 00

Old key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
New key: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF CC

Data Field: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF CC 69 CC 69 00 00 00 00

I authenticate to key 0 of the application
Session Key: D9 CE 99 89 BF 65 18 BF 0C DB C6 8C 8C 38 A5 F8

I encrypt the Data field using 3DES and the session key I have just got:
C9 70 F4 CE CB CD D8 2C 4F F7 2F 2D BC 44 EF DB 39 28 9F B2 3A 6E D3 69

And finally I add it to the APDU and send it:
APDU: 90 C4 00 00 19 01 C9 70 F4 CE CB CD D8 2C 4F F7 2F 2D BC 44 EF DB 39 28 9F B2 3A 6E D3 69 00


Can someone please check which step is wrong??
I would appreciate it if someone could try to change a key and send me a log like the one I have posted. That way I could repeat the steps using the indicated session key and see if I get the same values.

I don't know if it can affect the change key, so I will just say that I am using a Desfire EV1 8k card.

-----------------

I've been doing some tests regarding the writing/reading of encrypted data and the same thing happens to me. When I read a field I get the data encrypted. I decrypted it using the session key and I can get the original data, the CRC16 and the padding bytes. Everything is ok. However, when I try to write something encrypted I cannot do it.

The data I received after I decrypt it is:
-->90 BD 0000 07 09 000000 100000 00
d(00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 77 F5 00 00 00 00 00 00)

So, then I try to send the same data to another file:
--> 90 3D 0000 1F 06 000000 100000 e(00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 77 F5 00 00 00 00 00 00) 00
<-- 911E

What could be the problem??


Thank you again and regards

Last edited by g.hernando (2010-12-20 08:21:49)
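
Added example (not written by any poster in this thread): the ChangeKey plaintext layout discussed above, computed in Python. It implements CRC_A from ISO/IEC 14443-3 and checks it against values quoted in the thread: the `77 F5` that trails the decrypted read, and the `69CC` CRC of the new key, which goes into the frame low byte first as `CC 69`. The function names and the `same_key` flag are assumptions of this example, and the DES/3DES step that follows is not shown.

```python
# Added example, not code from the thread. Builds only the plaintext of the
# native DESFire ChangeKey cryptogram; enciphering it is a separate step.

def crc_a(data: bytes) -> int:
    """ISO/IEC 14443-3 CRC_A: reflected polynomial 0x8408, initial value 0x6363."""
    crc = 0x6363
    for byte in data:
        ch = (byte ^ crc) & 0xFF
        ch ^= (ch << 4) & 0xFF
        crc = (crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)
    return crc & 0xFFFF


def crc_a_wire(data: bytes) -> bytes:
    """CRC_A as it is placed in the frame: least significant byte first."""
    return crc_a(data).to_bytes(2, "little")


def change_key_plaintext(new_key: bytes, old_key: bytes, same_key: bool) -> bytes:
    """Key data before encipherment, zero-padded to a multiple of 8 bytes.

    same_key=False: (new XOR old) + CRC(xored) + CRC(new)   -> 16+2+2+4
    same_key=True : new + CRC(new), the layout used when the key being
                    changed is the one authenticated with    -> 16+2+6
    """
    if len(new_key) != 16 or len(old_key) != 16:
        raise ValueError("keys must be 16 bytes")
    if same_key:
        body = new_key + crc_a_wire(new_key)
    else:
        xored = bytes(n ^ o for n, o in zip(new_key, old_key))
        body = xored + crc_a_wire(xored) + crc_a_wire(new_key)
    return body + bytes(-len(body) % 8)


# Values taken from the posts above.
OLD_KEY = bytes(16)
NEW_KEY = bytes.fromhex("00112233445566778899AABBCCDDEEFF")

if __name__ == "__main__":
    print("CRC_A(new key) value :", f"{crc_a(NEW_KEY):04X}")
    print("CRC_A(new key) wire  :", crc_a_wire(NEW_KEY).hex(" ").upper())
    print("file data CRC wire   :", crc_a_wire(bytes(range(16))).hex(" ").upper())
    print("key data (other key) :",
          change_key_plaintext(NEW_KEY, OLD_KEY, same_key=False).hex(" ").upper())
    print("key data (same key)  :",
          change_key_plaintext(NEW_KEY, OLD_KEY, same_key=True).hex(" ").upper())
```
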

Re: Problem changing key

I'm having exactly the same problem and I can't understand what I'm doing wrong. But the strangest thing is that DESFireUI, a specific DESFire Windows application provided by PHILIPS(!) with its Pegoda Reader, isn't able to make the ChangeKey command work properly. It gets the same 1E (Integrity Error) that g.hernando and I are receiving using our own code.

I guess the problem isn't in the code itself but in the previous steps needed before sending the command code. However, I can't figure out which step we are missing, as I'm pretty sure that what g.hernando and I are doing is what is explained in the specs.

If someone has finally solved this problem, I'd be very thankful if they could share it with us.

Regards

Re: Problem changing key

g.hernando, I've reread your previous post and I've realized that you are using the whole session key (16 bytes), so you are 3DES deciphering the changekey parameter, but as the authentication has been done with the old key (all zeros), you should use only the first 8 bytes (meaning a Single DES deciphering).

Re: Problem changing key

Hello,

I'm curious and I'm just wondering why you don't use libfreefare to do so?

Romuald Conty

Re: Problem changing key

Because I need to implement my own Java lib for a project.

I've just succeeded with the Change Key command. It was a CRCA problem...

Re: Problem changing key

Hi,

I have just seen there are some responses to my post. I just want to say that I completed the changeKey procedure, it was an encryption problem because I was not doing the DES properly (all the send mode stuff).

If someone needs a capture or something to test their values I could provide it. I have all the classes implemented in Java (I am using a mobile with J2ME and JSR257 as a reader).

Regards.

Re: Problem changing key

Dear

Can you upload it or maybe send it for a try?

Regards

Re: Problem changing key

I mistakenly posted about changeKey problems in
http://www.libnfc.org/community/post/2114/#p2114

Re: Problem changing key

I also have this problem. Who can help me?
This is my script:

//Main entry
Main:
        //Reset card
        Reset SmartCard

        //Activate
        FF00000003 D4 1234;SW=9000
        //Set Retry time
        FF00000006 D43205000000;SW=9000
        //Enable the antenna
        FF00000004 D4320101;SW=9000
   
        //Authentication
        CALL AuthenFile
        //Select PICC AID
        5A 000000;SW=9000

        //Read KeySettings
        45;[00:03]
        CALL CheckCMD
        //Get Application AIDs
        6A;[00:03]
        CALL CheckCMD
        //Read KeyVersion
        6400;[00:03]
        CALL CheckCMD

        //Authentication
        CALL AuthenFile
        //Change KeySettings
        Fun_DesDeCBC(0000000000000000,09CC690000000000,[201:210],[21:28])       
        54 + [21:28];[00:03];SW=9000       
        CALL CheckCMD    //Here is not right , The response value is 0x911E (CRC or Mac is not right)

        //Authentication
        CALL AuthenFile
        //Change Key
        Fun_DesDeCBC(0000000000000000,00112233445566778899AABBCCDDEEFFCC69CC6900000000,[201:210],[51:68])
                                //Here is also not right if i can not execute the command "54", The response value is also 0x911E (CRC or Mac is not right)
        C400 + [51:68];[00:03];SW=9000
        CALL CheckCMD

       
       
END

//Authentication
AuthenFile:

    Label1:   
        //Authenticate
        0A00;[40:49]
        JUMP_EQ([42:43],9000,Label1)
        JUMP_EQ([41],AF,Label2)
    Label2:
        Fun_DesEnCBC(0000000000000000,[42:49],0000000000000000,[10:17])
        Fun_Load([10],[18])
        Fun_DesEnCBC(0000000000000000,1122334455667788+[11:18],0000000000000000,[21:30])
        AF + [21:30];[00:09]
        JUMP_EQ([02:03],9000,Error3)
        JUMP_EQ([01],00,Label3)
    Error3:
        Fun_MessageBox(Authentication Failed , Pls check !!!!!)
        Fun_Display(Authentication Failed , Pls check !!!!!)
    Label3:
        //Get session key
        Fun_Load(11223344+[42:45]+55667788+[46:49],[201:210])
        //Fun_DesDeCBC(0000000000000000,[201:210],0000000000000000,[201:210])
RET


//Command check
CheckCMD:
        JUMP_NE([01],00,Label5)
        JUMP_EQ([01],00,Label6)
    Label5:
        Fun_MessageBox(Command execution Failed,Pls check!!!!!)
        Fun_Display(Command execution Failed,Pls check!!!!!)
    Label6:

RET

Re: Problem changing key

================================================================
No.1  —  On  Reset SmartCard
Execution  Time: 103 ms
(Expected)  ATR:
(Received)  ATR: 3B8180018080
================================================================
================================================================
No.2  —  In  Main
Execution  Time: 4 ms
RawApdu = FF00000003 D4 1234
Command = FF00000003D41234
(Expected)   SW: 9000    Data:
(Received)   SW: 9000    Data: D513
================================================================
================================================================
No.3  —  In  Main
Execution  Time: 4 ms
RawApdu = FF00000006 D43205000000
Command = FF00000006D43205000000
(Expected)   SW: 9000    Data:
(Received)   SW: 9000    Data: D533
================================================================
================================================================
No.4  —  In  Main
Execution  Time: 3 ms
RawApdu = FF00000004 D4320101
Command = FF00000004D4320101
(Expected)   SW: 9000    Data:
(Received)   SW: 9000    Data: D533
================================================================
================================================================
No.5  —  In  AuthenFile
Execution  Time: 16 ms
RawApdu = 0A00
Command = 0A00
(Expected)   SW:     Data:
(Received)   SW: C586    Data: AF41236F7C533A
================================================================
================================================================
No.6  —  In  AuthenFile
Execution  Time: 21 ms
RawApdu = AF + [21:30]
Command = AFCD72DFC6E6D040A41FAB6099FCB93C8A
(Expected)   SW:     Data:
(Received)   SW: FB7B    Data: 00AD6CC16025CC
================================================================
================================================================
No.7  —  In  Main
Execution  Time: 10 ms
RawApdu = 5A 000000
Command = 5A000000
(Expected)   SW: 9000    Data:
(Received)   SW: 9000    Data: 00
================================================================
================================================================
No.8  —  In  Main
Execution  Time: 10 ms
RawApdu = 45
Command = 45
(Expected)   SW:     Data:
(Received)   SW: 0F01    Data: 00
================================================================
================================================================
No.9  —  In  Main
Execution  Time: 10 ms
RawApdu = 6A
Command = 6A
(Expected)   SW:     Data:
(Received)   SW: C450    Data: 0004
================================================================
================================================================
No.10  —  In  Main
Execution  Time: 10 ms
RawApdu = 6400
Command = 6400
(Expected)   SW:     Data:
(Received)   SW: 0000    Data:
================================================================
================================================================
No.11  —  In  AuthenFile
Execution  Time: 16 ms
RawApdu = 0A00
Command = 0A00
(Expected)   SW:     Data:
(Received)   SW: BBA2    Data: AF08E5DD371AD0
================================================================
================================================================
No.12  —  In  AuthenFile
Execution  Time: 21 ms
RawApdu = AF + [21:30]
Command = AFCD72DFC6E6D040A41065AAA74053073F
(Expected)   SW:     Data:
(Received)   SW: FB7B    Data: 00AD6CC16025CC
================================================================
================================================================
No.13  —  In  Main
Execution  Time: 21 ms
RawApdu = C400 + [51:68]
Command = C40083C6719E44E146057A718F670679730E310973A4AD925949
(Expected)   SW: 9000    Data:
(Received)   SW: 9000    Data: 1E  // Here is not right
================================================================
================================================================

Re: Problem changing key

Hi,
although it's an older topic, I got stuck with the same error...
g.hernando, you offered something to test my values ;) Is this offer still valid?

Regards,

Matthias

Re: Problem changing key

Hi

I am also facing the same issue when trying to change key-0 of application-0x111111 and my key settings are 0xef and I am using 4-keys for application.

I am authenticating with key-0 to change key-0.

Old Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
New Key: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
Key Data: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 69 CC 00 00 00 00 00 00

I am sure that we need to add CRC16 for the same key authenticated and changed.

I have done a DES deciphering on key data with old key. (What is the significance of session_key here?)
Is it correct that I can use either DES or 3DES?

I am also getting the 0x1e [integrity error], CRC error  for the key sent.

What am I missing/wrong here? Any help appreciated. I am taking reference from "libfreefare"

Thanks
Anil

Re: Problem changing key

It is a DES decrypt problem, it is working now.

Thanks
Anil

Re: Problem changing key

Hi,
can you explain the problem you had in a little more detail? Maybe it's the same over here...
Regards,
Matthias