Topic: DESFire ev1 session key

I'm calculating the sessionkey the following way:

first 4-bytes randA + first 4-bytes randB + last 4-bytes randA + last 4-bytes randB.

Is this correct? When I try using the session key to verify a CMAC I always get a different value.

Re: DESFire ev1 session key

This seems correct.
Are you sure to update properly the IV before computing the CMAC?
IV is 0 only once, just after the authentication.
You can have a look at libfreefare code, it may help: … e_crypto.c


Re: DESFire ev1 session key

Thank you for your response.

What I'm doing is:
1. Select one application
2. Authenticate using AES (key=0)
3. Get the files' IDs of that application (first command after authentication)

Response: 02 01 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 bb 52 08 c7 a8 9a a0 65
Where data is (16 bytes): 02 01 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
and CMAC is (8 bytes): bb 52 08 c7 a8 9a a0 65

AES key is all zeros (didn't change it).
b8 62 94 00   10 26 cf c4   d8 71 a3 e1   81 be 62 9c
11 26 c5 ea   17 9b 86 a5   6c bc 82 65   81 74 83 8e
Session Key:
b8 62 94 00   11 26 c5 ea   81 be 62 9c   81 74 83 8e

Since it's my first CMAC computation I use a 16-byte IV all zeros, the session key, and that 16-byte data.
My CMAC output (16-byte), which is wrong, is:
a8 8f 18 13   b5 2c 83 94   47 16 e0 47   fc dc 0d 4c

I'm using a library for the CMAC calculation and I tested it against some values including the ones from "test/test_mifare_desfire_aes.c" and all works fine.

4 (edited by JaneDoe 2013-02-05 15:51:40)

Re: DESFire ev1 session key

It seems that in plain communication mode I still calculate the CMAC when seding from PCD to PICC (but don't actually send the CMAC).

So what I'm trying now is:
cmac_send=CMAC(session_key, empty_byte_array, IV_all_zeros, 128 bits output)
cmac_received=CMAC(session_key, data_received{02 01 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10}, IV_is_cmac_send, 128 bits output)

I still get the wrong result. Any idea of what I may be doing wrong?

Re: DESFire ev1 session key

I don't understand "empty_byte_array", CMAC is to be computed on the data you send to the card, right?

sth else:
Does your CMAC do a padding?
Your received data block is already a multiple of 8 but I think then you need to add a full block of padding (80 00 00 00 00 00 00 00)

Re: DESFire ev1 session key

With "empty_byte_array" I mean an array with size zero, which will then be padded with (80 00 00...)h. The reason to this is that to get the file ids I only need to send 0x6f, there is no actual data. So I'm calculating the CMAC on a byte array with size zero. I didn't mention before but I'm doing this in Java so I can have an array such as:

byte[] a = new byte[0];

My understanding is that we only calculate the CMAC of the data, the instructions are left out.
So, in this case with the get file ids, when sending: calculate CMAC of {}.
When receiving: calculate CMAC of {file_ids} (leaving out the response status codes 0x00=success).

7 (edited by JaneDoe 2013-02-14 10:38:46)

Re: DESFire ev1 session key

Thank you for your help yobibe. I was using the CMAC of a crypto library and was getting wrong results. With my own implementation it worked.

(Thread can be closed.)

Re: DESFire ev1 session key

Hi JaneDoe,

How is cmac_receive calculated?


9 (edited by Elmue 2016-07-11 13:39:02)

Re: DESFire ev1 session key

It is typical that people ask for help in a forum but when they finally solved their problem their are too lazy to post HOW they solved their problem. This JaneDoe is asking for help but he is not willing to help others. He is an egoist.

I struggled several weeks in writing my own Desfire EV1 code. It is very hard if you don't have the documentation.

For all those going through the same problems I posted some Desfire EV1 communication examples on Stackoverflow.
You can see there what is the input (key, random B) and what should be the output if your functions do the encryption stuff correctly.

If you have any further questions, please study the source code, which is well commented. You find the link in the same page:

Why don't you allow to post links here?