• Registered: 2012-05-15
  • Posts: 5

Topic: MIFARE UltraLight C 3DES authentication APDUs

Hi guys,

I try to perform authentication to a MIFARE UltraLight C card, but I am stuck. I have already made some Google queries, the only thing that I found were an IEEE conference document (that contains test vectors) and the libfreefare sources that I could use.

The libfreefare, as a low-level tool seemed to be very good for first sight, but I found a thing that I do not understand: the sources contain DES_ecb_encrypt() function calls of OpenSSL to encrypt/decrypt data, but the MIFARE UltraLight C public document (MF0ICU2) says, that "ek() is 2 key 3DES encryption [...] in Cipher-Block Chaining (CBC) mode", and not in ECB mode!

The publicly available IEEE study ("Studying the Pseudo Random Number Generator of a low-cost RFID tag" for IEEE conference) that I also found contains some cute test vectors:

1. Auth1_apdu:
   FF:00:00:00:04:D4:42:1A:00
2. Auth1_resp:
   D5:43:00:AF:63:FC:19:90:6A:77:D1:3F:90:00
3. RndA:
   74bd85757bd28b77
4. RndB:
   c00c24ed61ea0f3e
5. RndA||RndB':
   74bd85757bd28b770c24ed61ea0f3ec0
6. Auth2_apdu:
   FF:00:00:00:13:D4:42:AF:89:81:7f:e2:a8:d7:18:08:f7:03:d9:1b:dc:40:01:6f
7. Auth2_apdu:
   D5:43:00:00:C6:FE:6C:74:2B:68:CE:E8:90:00
8. E(RndA'):
   C6FE6C742B68CEE8
9. RndA':
   bd85757bd28b7774

With the demo keys and OpenSSL I could decrypt ek(RndB) - retrieved from Auth1_resp -, converted RndB to RndB', concatenated RndA with RndB', and encrypted the whole data with the same parameters (keys, IV etc.), but I could not get the same value for Auth2_apdu (and also for my value I got an authentication error from the card).

Is there any other step before encrypting that is still have to be performed (e.g. I found an XOR-operation for some cases in libfreefare sources, but this did not even help).

Thanks in advance!

Aron

2 Reply by yobibe (edited by yobibe 2012-05-30 21:51:52)

  • yobibe
  • Administrator
  • Offline
  • Registered: 2011-04-08
  • Posts: 142

Re: MIFARE UltraLight C 3DES authentication APDUs

Hello Aron,

My guess is that you don't use the IV properly.
It should always contain the last 8 bytes transmitted (and zeroes the first time)
Here is the trace with the corresponding openssl calls:

1. Auth1_apdu:
   FF:00:00:00:04:D4:42:1A:00
2. Auth1_resp:
   D5:43:00:AF:63:FC:19:90:6A:77:D1:3F:90:00
so e_k(RndB) = 63:FC:19:90:6A:77:D1:3F
decrypt:
echo 63FC19906A77D13F|xxd -p -r|openssl enc -des-ede-cbc -d -K 49454D4B41455242214E4143554F5946 -iv 0000000000000000 -nopad |xxd -p
= c00c24ed61ea0f3e
3. RndA:
   74bd85757bd28b77
Amen
4. RndB:
   c00c24ed61ea0f3e
correct
5. RndA||RndB':
   74bd85757bd28b770c24ed61ea0f3ec0
correct
6. Auth2_apdu:
   FF:00:00:00:13:D4:42:AF:89:81:7f:e2:a8:d7:18:08:f7:03:d9:1b:dc:40:01:6f
encrypt RndA||RndB':
echo 74bd85757bd28b770c24ed61ea0f3ec0|xxd -p -r|openssl enc -des-ede-cbc -e -K 49454D4B41455242214E4143554F5946 -iv 63FC19906A77D13F -nopad |xxd -p
= 89817fe2a8d71808f703d91bdc40016f
correct
7. Auth2_apdu:
   D5:43:00:00:C6:FE:6C:74:2B:68:CE:E8:90:00
so e_k(RndA')
decrypt:
echo C6FE6C742B68CEE8|xxd -p -r|openssl enc -des-ede-cbc -d -K 49454D4B41455242214E4143554F5946 -iv f703d91bdc40016f -nopad |xxd -p
= bd85757bd28b7774
8. E(RndA'):
   C6FE6C742B68CEE8
9. RndA':
   bd85757bd28b7774
correct

If in libfreefare you don't see CBC but only EBC and XOR that's probably because EBC+XOR=CBC :-)
see https://en.wikipedia.org/wiki/Block_cip … _.28CBC.29
And BTW chaining mode matters only... when you have more than one block to encrypt.

Bye
Phil

yobibe's Website

  • Registered: 2012-05-15
  • Posts: 5

Re: MIFARE UltraLight C 3DES authentication APDUs

*facepalm*

I calculated XOR manually (together with setting IV to 0000000000000000), but not with correct data!

Now, it works! Thx, Phil! ;-)

By the way: if someone wants to execute all these steps, the auto polling of the card reader has to be disabled in order to keep session (at ACR122 use "FF 00 51 00 00")!

Aron

  • Registered: 2012-10-12
  • Posts: 1

Re: MIFARE UltraLight C 3DES authentication APDUs

Hey guys,

Can you provide a complete example on how to authenticate to a Mifare ultralight c, and write protect its the memory blocks ?

This post is one of the few examples on how to use the 3des authentication method on Mifare Ultralight C, as I have been looking for "how-to"s without any luck.

I'm trying to develop a NFC application and this, off course, is a really important step. Any help you be greatly appreciated.

Thanks,

5 Reply by yobibe (edited by yobibe 2012-11-14 09:37:04)

  • yobibe
  • Administrator
  • Offline
  • Registered: 2011-04-08
  • Posts: 142

Re: MIFARE UltraLight C 3DES authentication APDUs

Read libfreefare code (latest svn revision).
There is an example of authentication in https://code.google.com/p/nfc-tools/sou … ght-info.c
Then to write protect the whole tag via authentication, write {0x02, 0x00, 0x00, 0x00} to page 0x2A and  {0x01, 0x00, 0x00, 0x00} to page 0x2B
Have a look at those posts for more info:
* http://www.libnfc.org/community/topic/6 … -3des-key/
* http://www.libnfc.org/community/topic/7 … iguration/

Note that you can also use LOCK bytes to write protect *permanently* as it could be already done with a simple Ultralight.

Phil

yobibe's Website

  • Registered: 2013-11-12
  • Posts: 1

Re: MIFARE UltraLight C 3DES authentication APDUs

Where could I find documentation on the APDUs (FF:00:00:00:04:D4:42:1A:00, ...)
you are using for starting authentication ?
Thanks for help.

  • yobibe
  • Administrator
  • Offline
  • Registered: 2011-04-08
  • Posts: 142

Re: MIFARE UltraLight C 3DES authentication APDUs

FF:00:00:00:04:D4:42:1A:00 is more than the APDU, it contains framing for the reader and for the USB.
Pure protocol is:
-> 1A:00
<- AF: + 8 random bytes + 90:00
-> AF: + 16 encrypted bytes
<- 00: + 8 encrypted bytes + 90:00
The rest of this thread already illustrated the crypto behind.

yobibe's Website

  • awef
  • New member
  • Offline
  • Registered: 2014-06-01
  • Posts: 1

Re: MIFARE UltraLight C 3DES authentication APDUs

@yobibe - Thanks for the info on how to get the various IV's for different parts of the transaction.  Those openssl examples were really helpful!

  • Registered: 2014-09-01
  • Posts: 2

Re: MIFARE UltraLight C 3DES authentication APDUs

-> 1A:00
<- AF: + 8 random bytes + 90:00
-> AF: + 16 encrypted bytes
Answer:D5 43 02 90 00[$9000]????????Why?
Can you help me ?

  • Registered: 2014-09-01
  • Posts: 2

Re: MIFARE UltraLight C 3DES authentication APDUs

send:FF00000013D442AF4D A3 DA B1 57 15 30 D6 27 FF 05 E8 1B 56 45 75
Answer:D5 43 02 90 00[$9000]

Have encountered such a situation?
I can't get to the data.

  • Registered: 2014-12-10
  • Posts: 2

Re: MIFARE UltraLight C 3DES authentication APDUs

Hi guys,

i would like to implement some key card access using NFC. i dont want to use mifare ultralite C which uses 3DES for protection. I just want basic protection to prevent from unauthorized  user. so unauthorized  user cannot read NFC tag data. Do someone can explain to me how i can write a such application.

Thanks in advance,
John Kerry

  • rconty
  • Administrator
  • Offline
  • Registered: 2009-04-22
  • Posts: 926

Re: MIFARE UltraLight C 3DES authentication APDUs

Hi,

libfreefare is a project for you kerry9842 smile

Romuald Conty