The calculation of the MIFARE password (MF_password) is described in Philips Application Note AN02105. The password is derived from Key A and Key B as shown below:
As you can see, it is the 3DES algorithm. The start value is 8 bytes, each 00h.
The keys DKeyA and DKeyB are derived from the MIFARE Key A and Key B of the respective MIFARE sector. Key A and Key B, however, are only 6 bytes long, so to use them as 3DES keys the following conventions are defined:
Representation of the MIFARE Sector Trailer:
Representation of the bits of a MIFARE key (each key consists of 6 bytes; Kxy is bit y of byte x, K57 being the most significant bit):
BYTE 5 (MSB) | BYTE 4 | BYTE 3 | BYTE 2 | BYTE 1 | BYTE 0 (LSB)
---|---|---|---|---|---
K57 … K50 | K47 … K40 | K37 … K30 | K27 … K20 | K17 … K10 | K07 … K00
The 6-byte MIFARE Key B is mapped onto the 64-bit DES key DKeyB in the following way:
DES KEY BYTE | BIT 7 | BIT 6 | BIT 5 | BIT 4 | BIT 3 | BIT 2 | BIT 1 | BIT 0 |
---|---|---|---|---|---|---|---|---|
7 | K56 | K55 | K54 | K53 | K52 | K51 | K50 | P |
6 | K46 | K45 | K44 | K43 | K42 | K41 | K40 | P |
5 | K36 | K35 | K34 | K33 | K32 | K31 | K30 | P |
4 | K26 | K25 | K24 | K23 | K22 | K21 | K20 | P |
3 | K16 | K15 | K14 | K13 | K12 | K11 | K10 | P |
2 | K06 | K05 | K04 | K03 | K02 | K01 | K00 | P |
1 | 0 | K57 | K47 | K37 | K27 | K17 | K07 | P |
0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | P |
P in BIT 0 is the DES parity bit (not checked).
DKeyA is generated in the same manner, according to the table below:
DES KEY BYTE | BIT 7 | BIT 6 | BIT 5 | BIT 4 | BIT 3 | BIT 2 | BIT 1 | BIT 0 |
---|---|---|---|---|---|---|---|---|
7 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | P |
6 | 0 | K07 | K17 | K27 | K37 | K47 | K57 | P |
5 | K56 | K55 | K54 | K53 | K52 | K51 | K50 | P |
4 | K46 | K45 | K44 | K43 | K42 | K41 | K40 | P |
3 | K36 | K35 | K34 | K33 | K32 | K31 | K30 | P |
2 | K26 | K25 | K24 | K23 | K22 | K21 | K20 | P |
1 | K16 | K15 | K14 | K13 | K12 | K11 | K10 | P |
0 | K06 | K05 | K04 | K03 | K02 | K01 | K00 | P |
Some examples:
- Initial value: 00 00 00 00 00 00 00 00
- The DES parity bits are regarded as 0
- All byte strings are listed LSB -> MSB (byte 0 first)

Key A | Key B | DKeyA (LSB -> MSB) | DKeyB (LSB -> MSB) | MF_PASSWORD (LSB -> MSB)
---|---|---|---|---
FF FF FF FF FF FF | FF FF FF FF FF FF | FE FE FE FE FE FE 7E 00 | 00 7E FE FE FE FE FE FE | 0B 54 57 07 45 FE 3A E7
A0 A1 A2 A3 A4 A5 | B0 B1 B2 B3 B4 B5 | 40 42 44 46 48 4A 7E 00 | 00 7E 60 62 64 66 68 6A | 8C 7F 46 D7 6C E0 12 66
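The following Python is an added worked example, not code from the original post or from AN02105. It implements the two bit-mapping tables above as one function, checks it against the DKeyA/DKeyB values in the example table, and then applies the password step as the post describes it: two-key 3DES (encrypt with DKeyA, decrypt with DKeyB, encrypt with DKeyA) over eight zero bytes, followed by the inversion mentioned in the comments. Two details the post does not pin down are assumptions here: the DES key is handed to the cipher most-significant byte first (table byte 7 first), and "invert" is taken as a bitwise complement. The derivation part is pure Python; the password part needs pycryptodome's DES3 and prints its result next to the table's MF_PASSWORD column so the byte-order assumptions can be confirmed against the table before anyone relies on them.

```python
"""Added example: MIFARE Key A/B -> DKeyA/DKeyB -> MF_password.

Byte order follows the tables in the post: index 0 of a MIFARE key and of a
derived DES key is the LSB ("LSB -> MSB" in the example table).
"""


def key_bits(mifare_key):
    """Return K[x][y] for a 6-byte key: bit y of byte x, byte 0 = LSB."""
    mifare_key = bytes(mifare_key)
    if len(mifare_key) != 6:
        raise ValueError("MIFARE key must be 6 bytes, got %d" % len(mifare_key))
    return [[(b >> y) & 1 for y in range(8)] for b in mifare_key]


def pack_bits(bits):
    """Pack eight bits, given BIT 7 first, into one byte value."""
    return sum(bit << (7 - i) for i, bit in enumerate(bits))


def derive_dkey(mifare_key, which):
    """Map a 6-byte MIFARE key onto an 8-byte DES key (table bytes 0..7).

    'A' uses the DKeyA table, 'B' the DKeyB table. The parity bit (BIT 0)
    is set to 0, as in the post's examples.
    """
    K = key_bits(mifare_key)
    # Six bytes of the form K(x)6 .. K(x)0 | P, one per MIFARE key byte.
    body = [pack_bits([K[x][6], K[x][5], K[x][4], K[x][3],
                       K[x][2], K[x][1], K[x][0], 0]) for x in range(6)]
    if which == "B":
        # DES byte 1: 0 | K57 K47 K37 K27 K17 K07 | P; DES byte 0 is all zero.
        top = pack_bits([0, K[5][7], K[4][7], K[3][7], K[2][7], K[1][7], K[0][7], 0])
        return bytes([0x00, top] + body)
    if which == "A":
        # DES byte 6: 0 | K07 K17 K27 K37 K47 K57 | P; DES byte 7 is all zero.
        top = pack_bits([0, K[0][7], K[1][7], K[2][7], K[3][7], K[4][7], K[5][7], 0])
        return bytes(body + [top, 0x00])
    raise ValueError("which must be 'A' or 'B'")


def mf_password(key_a, key_b):
    """3DES (E with DKeyA, D with DKeyB, E with DKeyA) over 00..00, inverted.

    ASSUMPTIONS not settled by the post: the cipher takes each DES key most
    significant byte first (table byte 7 first), and "invert" is a bitwise
    complement. Returns the 8 bytes in the order the cipher produced them.
    Requires pycryptodome (pip install pycryptodome).
    """
    from Crypto.Cipher import DES3  # imported here so derivation runs without it
    dkey_a = derive_dkey(key_a, "A")[::-1]  # LSB->MSB table order to MSB-first
    dkey_b = derive_dkey(key_b, "B")[::-1]
    # Two-key 3DES: K1 = DKeyA, K2 = DKeyB, K3 = DKeyA.
    cipher = DES3.new(dkey_a + dkey_b + dkey_a, DES3.MODE_ECB)
    out = cipher.encrypt(bytes(8))
    return bytes(b ^ 0xFF for b in out)


def hexs(b):
    return " ".join("%02X" % x for x in b)


if __name__ == "__main__":
    # Key values and expected passwords taken from the example table in the post.
    examples = [
        ("FFFFFFFFFFFF", "FFFFFFFFFFFF", "0B 54 57 07 45 FE 3A E7"),
        ("A0A1A2A3A4A5", "B0B1B2B3B4B5", "8C 7F 46 D7 6C E0 12 66"),
    ]
    for ka, kb, expected in examples:
        ka, kb = bytes.fromhex(ka), bytes.fromhex(kb)
        print("Key A", hexs(ka), "-> DKeyA (LSB->MSB)", hexs(derive_dkey(ka, "A")))
        print("Key B", hexs(kb), "-> DKeyB (LSB->MSB)", hexs(derive_dkey(kb, "B")))
        pw = mf_password(ka, kb)
        print("MF_password, cipher output order:", hexs(pw))
        print("MF_password, reversed           :", hexs(pw[::-1]))
        print("table value (LSB -> MSB)        :", expected)
```

Only `derive_dkey` is fixed by the tables on the page; `mf_password` encodes the procedure the post describes under the two stated assumptions, which is why the main block prints both byte orders beside the table value rather than asserting on them.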
12 comments:
Are you saying it is possible to crack a MIFARE password?
No, I am not.
The values of Key A and Key B are secret. But you cannot use them from the JavaCard API, as it requires a password. This post explains how to calculate the MIFARE password when the values of Key A and Key B are known.
Calculating the 3DES keys works for me, but after that the calculation of the password does not give the right result.
Here is the code I use:
```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// keyADES and keyBDES hold the 8-byte DKeyA and DKeyB derived as in the post
byte[] keyADES;
byte[] keyBDES;
byte[] password;

// set the keys A and B
SecretKey secretKeyA = new SecretKeySpec(keyADES, "DES");
SecretKey secretKeyB = new SecretKeySpec(keyBDES, "DES");
// get 2 DES cipher objects
Cipher cipherA = Cipher.getInstance("DES/ECB/NoPadding");
cipherA.init(Cipher.ENCRYPT_MODE, secretKeyA);
Cipher cipherB = Cipher.getInstance("DES/ECB/NoPadding");
cipherB.init(Cipher.DECRYPT_MODE, secretKeyB);
// 8 zero bytes as the initial value
byte[] plainText = new byte[] {(byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00};
// encrypt using key A and the plaintext
byte[] cipherText = cipherA.doFinal(plainText);
// decrypt the ciphertext using key B
byte[] newPlainText = cipherB.doFinal(cipherText);
// encrypt using key A and the new plaintext
password = cipherA.doFinal(newPlainText);
```
Any idea where I am wrong?
Hi,
Sorry for the late response; I was quite overloaded these days.
Actually, I don't fully understand your code. You should use the DESede algorithm for the password calculation, something like this:
```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
.....
// desKey: 24 bytes, DKeyA || DKeyB || DKeyA (DESedeKeySpec requires 24 bytes)
SecretKeyFactory kf = SecretKeyFactory.getInstance("DESede");
Cipher encipher = Cipher.getInstance("DESede/ECB/NoPadding");
DESedeKeySpec deskey = new DESedeKeySpec(desKey);
SecretKey secretKey = kf.generateSecret(deskey);
encipher.init(Cipher.ENCRYPT_MODE, secretKey);
byte[] data = new byte[8]; // all 0s
byte[] ciphered = encipher.doFinal(data, 0, 8);
ciphered = invert(ciphered); // invert() is not defined in the post
.....
```
Hope it helps.
Hi,
I am trying to implement the Crypto1 algorithm to simulate an exact MIFARE card, and I'm referring to the following document for the Crypto1 algorithm flow:
http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf
But now I'm not able to verify my code for complete compliance with the Crypto1 algorithm. Is there any tool to verify this, one that takes the card challenge, reader challenge and MIFARE key and generates the card and reader responses?
Thanks,
I think the MifareWnd tool has similar functionality, but I'm not sure it is a public tool. Try to google it.
http://www.mifarecards-rfid.com
Does this mean that, as long as an applet has both Key A and Key B, it can reset the access bits no matter what the current access bits are?