27 Jan 2011

How to calculate MIFARE password

In my recent post “How to access MIFARE memory” I received a question about how to calculate the MIFARE password, so in this post I would like to explain it.
The calculation of the MIFARE password (MF_password) is described in Philips Application Note AN02105. It is generated from Key A and Key B as shown below:
[Figure: generation of MF_password from DKeyA and DKeyB with 3DES (image not preserved)]
As you can see, it is the 3DES algorithm. The start value is 8 bytes, each with the value 00h.
The keys DKeyA and DKeyB are derived from the MIFARE Key A and Key B of the respective MIFARE sector. But Key A and Key B are only 6 bytes long, so to be able to use them as 3DES keys the following conventions have been defined:

Representation of the MIFARE Sector Trailer:

[Figure: MIFARE sector trailer layout (image not preserved)]

Representation of the bits of a MIFARE key (each key consists of 6 bytes; byte 5 is the MSB, byte 0 the LSB):

BYTE 5 (MSB)   BYTE 4       BYTE 3       BYTE 2       BYTE 1       BYTE 0 (LSB)
K57 .. K50     K47 .. K40   K37 .. K30   K27 .. K20   K17 .. K10   K07 .. K00

The 6-byte MIFARE key is mapped to the 64-bit DES key DKeyB in the following way:

DES KEY BYTE  BIT 7  BIT 6  BIT 5  BIT 4  BIT 3  BIT 2  BIT 1  BIT 0
7             K56    K55    K54    K53    K52    K51    K50    P
6             K46    K45    K44    K43    K42    K41    K40    P
5             K36    K35    K34    K33    K32    K31    K30    P
4             K26    K25    K24    K23    K22    K21    K20    P
3             K16    K15    K14    K13    K12    K11    K10    P
2             K06    K05    K04    K03    K02    K01    K00    P
1             0      K57    K47    K37    K27    K17    K07    P
0             0      0      0      0      0      0      0      P

P in BIT 0 is the DES parity bit (not checked).
DKeyA is generated in the same manner, according to the table below:

DES KEY BYTE  BIT 7  BIT 6  BIT 5  BIT 4  BIT 3  BIT 2  BIT 1  BIT 0
7             0      0      0      0      0      0      0      P
6             0      K07    K17    K27    K37    K47    K57    P
5             K56    K55    K54    K53    K52    K51    K50    P
4             K46    K45    K44    K43    K42    K41    K40    P
3             K36    K35    K34    K33    K32    K31    K30    P
2             K26    K25    K24    K23    K22    K21    K20    P
1             K16    K15    K14    K13    K12    K11    K10    P
0             K06    K05    K04    K03    K02    K01    K00    P

Some examples:
  • Initial value: 00 00 00 00 00 00 00 00
  • The DES parity bits are regarded as 0
Example 1
  Key A (LSB -> MSB):        FF FF FF FF FF FF
  DKeyA (LSB -> MSB):        FE FE FE FE FE FE 7E 00
  Key B (LSB -> MSB):        FF FF FF FF FF FF
  DKeyB (LSB -> MSB):        00 7E FE FE FE FE FE FE
  MF_PASSWORD (LSB -> MSB):  0B 54 57 07 45 FE 3A E7

Example 2
  Key A (LSB -> MSB):        A0 A1 A2 A3 A4 A5
  DKeyA (LSB -> MSB):        40 42 44 46 48 4A 7E 00
  Key B (LSB -> MSB):        B0 B1 B2 B3 B4 B5
  DKeyB (LSB -> MSB):        00 7E 60 62 64 66 68 6A
  MF_PASSWORD (LSB -> MSB):  8C 7F 46 D7 6C E0 12 66
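The two mapping tables above, implemented as an added example (this is not code from the post or from AN02105). The functions dkey_a, dkey_b, hexdump and mifare_password are my own names. A MIFARE key is passed with BYTE 0 (LSB) first, exactly as the example table lists it, and the derived DES keys are returned as DES byte 0 .. byte 7, i.e. in the same "LSB -> MSB" order. The key derivation needs only the standard library; the final 3DES step uses the cryptography package if it is installed, and it rests on two assumptions that the missing figure would have fixed: K1 = DKeyA, K2 = DKeyB, both fed to the cipher in the byte order produced here.

```python
"""Derive DKeyA / DKeyB from 6-byte MIFARE keys (tables from the post) and,
optionally, run the 3DES step that produces MF_password."""

# Optional dependency, used only by mifare_password().
try:
    try:
        from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
    except ImportError:  # releases before the 'decrepit' module existed
        from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
    from cryptography.hazmat.primitives.ciphers import Cipher, modes
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    HAVE_CRYPTOGRAPHY = False


def _check_mifare_key(key: bytes) -> None:
    if len(key) != 6:
        raise ValueError("a MIFARE key is exactly 6 bytes, got %d" % len(key))


def dkey_b(key: bytes) -> bytes:
    """DKeyB table: DES byte n+2 = MIFARE byte n shifted left by one, DES byte 1
    collects the dropped MSBs (bit 1 = K07 ... bit 6 = K57), DES byte 0 is 0."""
    _check_mifare_key(key)
    des = [0] * 8
    for n in range(6):
        # bit 0 of every DES byte is the (unchecked) parity bit, left at 0
        des[n + 2] = (key[n] << 1) & 0xFE
        des[1] |= ((key[n] >> 7) & 1) << (n + 1)
    return bytes(des)


def dkey_a(key: bytes) -> bytes:
    """DKeyA table: DES byte n = MIFARE byte n shifted left by one, DES byte 6
    collects the dropped MSBs in reversed order (bit 6 = K07 ... bit 1 = K57),
    DES byte 7 is 0."""
    _check_mifare_key(key)
    des = [0] * 8
    for n in range(6):
        des[n] = (key[n] << 1) & 0xFE
        des[6] |= ((key[n] >> 7) & 1) << (6 - n)
    return bytes(des)


def hexdump(b: bytes) -> str:
    """Render bytes the way the post's tables do, e.g. 'FE 7E 00'."""
    return " ".join("%02X" % x for x in b)


def mifare_password(key_a: bytes, key_b: bytes) -> bytes:
    """Two-key 3DES (EDE) of eight 0x00 bytes.
    ASSUMPTION: K1 = DKeyA and K2 = DKeyB, in the byte order produced above;
    the post's figure that fixed this is missing, so check the result against
    the post's example vectors before relying on it."""
    if not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("the 3DES step needs the 'cryptography' package")
    k1, k2 = dkey_a(key_a), dkey_b(key_b)
    # a 16-byte TripleDES key means K1 || K2 with K3 = K1
    enc = Cipher(TripleDES(k1 + k2), modes.ECB()).encryptor()
    return enc.update(bytes(8)) + enc.finalize()


if __name__ == "__main__":
    # Constructed check: vectors copied from the post's second example
    key_a = bytes.fromhex("A0A1A2A3A4A5")
    key_b = bytes.fromhex("B0B1B2B3B4B5")
    print("DKeyA (LSB -> MSB):", hexdump(dkey_a(key_a)))  # 40 42 44 46 48 4A 7E 00
    print("DKeyB (LSB -> MSB):", hexdump(dkey_b(key_b)))  # 00 7E 60 62 64 66 68 6A
    if HAVE_CRYPTOGRAPHY:
        expected = bytes.fromhex("8C7F46D76CE01266")  # MF_PASSWORD from the post
        pw = mifare_password(key_a, key_b)
        print("3DES output:", hexdump(pw))
        # The author's reply byte-reverses ("invert") the cipher output before
        # use, so accept either orientation when checking the assumptions.
        print("matches post vector:", pw == expected or pw[::-1] == expected)
```

The derivation part is fully determined by the two tables and reproduces both DKeyA/DKeyB pairs of the example table. Only the 3DES key order and the byte orientation of the output are open, so the main block compares the 3DES result with the post's MF_PASSWORD in both orientations: a practitioner should see that check succeed before using mifare_password in anything real, and swap K1/K2 if it does not.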

12 comments:

RM said...

Are you saying it is possible to crack a MIFARE password?

Unknown said...

No, I am not.
The values of Key A and Key B are secret. But you cannot use them from the JavaCard API, as it requires a password. This post explains how to calculate the MIFARE password when you know the values of Key A and Key B.

Verlop14 said...

It's OK for me to calculate the 3DES keys, but after that, the calculation of the password does not get the right result.

Here is the code I use:

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// keyADES / keyBDES: the 8-byte DES keys derived from Key A / Key B
// (values here are DKeyA and DKeyB from the post's second example, in the listed order)
byte[] keyADES = {(byte)0x40, (byte)0x42, (byte)0x44, (byte)0x46, (byte)0x48, (byte)0x4A, (byte)0x7E, (byte)0x00};
byte[] keyBDES = {(byte)0x00, (byte)0x7E, (byte)0x60, (byte)0x62, (byte)0x64, (byte)0x66, (byte)0x68, (byte)0x6A};
byte[] password;

// set the keys A and B
SecretKey secretKeyA = new SecretKeySpec(keyADES, "DES");
SecretKey secretKeyB = new SecretKeySpec(keyBDES, "DES");

// get 2 DES cipher objects (single DES, ECB, no padding; the JCE calls throw checked exceptions)
Cipher cipherA = Cipher.getInstance("DES/ECB/NoPadding");
cipherA.init(Cipher.ENCRYPT_MODE, secretKeyA);
Cipher cipherB = Cipher.getInstance("DES/ECB/NoPadding");
cipherB.init(Cipher.DECRYPT_MODE, secretKeyB);

// the 8-byte all-zero start value
byte[] plainText = new byte[] {(byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00};
// encrypt using keyA and the plaintext
byte[] cipherText = cipherA.doFinal(plainText);
// decrypt the ciphertext using keyB
byte[] newPlainText = cipherB.doFinal(cipherText);
// encrypt using keyA and the new plaintext
password = cipherA.doFinal(newPlainText);

Any idea where I am wrong?

Unknown said...

Hi,
Sorry for the late response. I was quite overloaded these days.
Actually I don't fully understand your code. You should use the DESede algorithm for the password calculation. Something like this:

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
.....
// desKey is declared in the elided part: the DESede key built from DKeyA and DKeyB.
// Note that DESedeKeySpec requires 24 bytes, so a two-key 3DES key has to be
// passed as K1 || K2 || K1.
SecretKeyFactory kf = SecretKeyFactory.getInstance("DESede");
Cipher encipher = Cipher.getInstance("DESede/ECB/NoPadding");
DESedeKeySpec deskey = new DESedeKeySpec(desKey);
SecretKey secretKey = kf.generateSecret(deskey);

encipher.init(Cipher.ENCRYPT_MODE, secretKey);
byte[] data = new byte[8]; // all 0s (the start value)
byte[] ciphered = encipher.doFinal(data, 0, 8);
// invert() is a helper from the elided part; presumably it reverses the byte
// order, since the post lists MF_PASSWORD LSB -> MSB
ciphered = invert(ciphered);
.....

Hope it will help

Praveen P Teragaonkar said...

Hi,
I am trying to implement the Crypto1 algorithm for simulating an exact MIFARE card, and I'm referring to the following document for the Crypto1 algorithm flow:
http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf

But now I'm not able to verify my code for complete compliance with the Crypto1 algorithm. Is there any tool to verify it, one that takes the card challenge, reader challenge and MIFARE key and generates the card and reader responses?

Thanks,


Unknown said...

I think the MifareWnd tool has similar functionality, but I'm not sure it is a public tool. Try to google it.


douniwan said...

Does this mean that as long as an applet has both Key A and Key B, it can reset the access bits, no matter what the current access bits are?