Topic: CMAC and IV management in AES

Hi,

I am trying to migrate the AES part of the DESFire Ev1 to the application I use in my mobile to read DESFire tags. I completed the authentication properly and now I have a problem trying to get the CMAC values and the IV vectors.

I know I have to implement the SP 800-38B specification to get the CMAC values. Actually, I can diversify an AES Master Key, so the SubKey generation and the CMAC calculation should be OK. So, I guess it must be a problem of concept. I tried to compare my code in Java with the one available in libnfc in C++ and I cannot find the wrong step.

Assume that I want to make a read and that I already have the sessionKey and an IV that is different from 0x00..000. When I start the subKey phase I think I have to use the 0x00..000 IV (not the new one I got) and the sessionKey (not the application key) in order to get the k0 key, is that correct?

Well, once the SubKeys are correctly generated I have k1 and k2. The command I use to read is: BD010000000F0000. Then I guess I have to apply the padding to 32 bytes: (byte) 0xBD, (byte) 0x02, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x0F, (byte) 0x00, (byte) 0x00, (byte) 0x80, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00. So now since I have applied padding I use k2 to xor the second half of my input and then I encrypt the result and encrypt it using the sessionKey and the IV (that is 0x93..32). The CMAC is 32 bytes long.

Can someone tell me what I am doing wrong or at least guide me, because I don't know how to solve the problem.

Thanks a lot.

Gorka.

Re: CMAC and IV management in AES

Hi,

I finally managed to get the CMAC properly. I don't know why I was doing the padding to 32 bytes, I think I read it somewhere but obviously I was wrong. I tried using a 16-byte input XORed with the k2 key and I got the correct value.

Regards, Gorka

Re: CMAC and IV management in AES

Hi g.hernando,

I am facing the same issue. I tried to develop a Java application to communicate with a DESFire EV1 card.
I also completed the authentication step (which includes diversification of the master key and CMAC calculation), and I can generate a session key. After the authentication, the IV is set to zero to generate the CMAC value to be able to update the IV.
In the CMAC function, I generate Subk1 and Subk2 once again from the session key and IV = 0x00,0x00,...

Unfortunately, when I decrypt the message sent after a READ_DATA command, the first 16 bytes are wrongly deciphered, which leads me to think of an error with my IV setting.

As you managed to find a solution, I thought you could enlighten me on how to proceed.

Many thanks.

Re: CMAC and IV management in AES

CMAC is the first 8 bytes of IV. So, when decrypting encrypted data from the card, you have to XOR the IV with decrypted data!

5 (edited by Elmue 2016-07-12 03:45:36)

Re: CMAC and IV management in AES

The CMAC stuff is highly complicated.
Not the algorithm itself, that is a tiny piece of code, but the way NXP uses it.
It seems they make it complicated on purpose.

FIRST: The IV must be reset only ONCE when you create the session key.
Later you must not touch the IV anymore.
You must keep it synchronized with the IV that the card calculates internally.
Otherwise you get an Integrity error when you use the session key the next time.

To keep the IV in sync with the card you MUST calculate the CMAC over all data frames that you send and that you receive.
BUT with some exceptions. Not all commands behave the same way.
If a command already does a CBC encryption (e.g. ChangeKeySettings) the CMAC is not calculated as usual.

To check your crypto functions you need input data and the expected output data.
I published some Desfire examples for ISO and AES authentication and key change.
You find them here:
stackoverflow.com/questions/38283998/desfire-ev1-communication-examples

And to study when and how and if to calculate the CMAC you need to study the source code.
You find it in my article on Codeproject:
codeproject.com/Articles/1096861/DIY-electronic-RFID-Door-Lock-with-Battery-Backup


P.S.
Why don't you allow to post links here?
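
The CMAC step this thread converges on, as an added Java example (not code from any poster, libnfc or the Codeproject article): subkeys from a zero IV, padding only to the next 16-byte boundary, and the CBC pass started from the current session IV so that the result becomes the next IV. The session key is a constructed sample and the class and method names are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;
public class DesfireCmacExample {
    // SP 800-38B subkey step: shift left one bit, XOR 0x87 into the last byte if the MSB was set.
    static byte[] shiftXor(byte[] in) {
        byte[] out = new byte[16];
        for (int i = 0; i < 16; i++) {
            int carry = (i < 15) ? (in[i + 1] & 0xFF) >>> 7 : 0;
            out[i] = (byte) ((in[i] << 1) | carry);
        }
        if ((in[0] & 0x80) != 0) out[15] ^= (byte) 0x87;
        return out;
    }
    // Returns the 16-byte CMAC of msg; per the thread, this value is also the next IV.
    static byte[] cmac(byte[] sessionKey, byte[] iv, byte[] msg) throws Exception {
        SecretKeySpec key = new SecretKeySpec(sessionKey, "AES");
        Cipher aes = Cipher.getInstance("AES/CBC/NoPadding");
        // Subkeys come from encrypting a zero block with a zero IV, never the session IV.
        aes.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[16]));
        byte[] k1 = shiftXor(aes.doFinal(new byte[16]));
        byte[] k2 = shiftXor(k1);

        // Pad with 0x80 then zeros only up to the next 16-byte boundary (8 bytes -> 16, not 32).
        boolean complete = msg.length > 0 && msg.length % 16 == 0;
        int len = complete ? msg.length : (msg.length / 16 + 1) * 16;
        byte[] buf = Arrays.copyOf(msg, len);
        if (!complete) buf[msg.length] = (byte) 0x80;
        byte[] sub = complete ? k1 : k2; // k1 for a full last block, k2 for a padded one
        for (int i = 0; i < 16; i++) buf[len - 16 + i] ^= sub[i];

        // CBC-encrypt from the current session IV; the last ciphertext block is the CMAC.
        aes.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = aes.doFinal(buf);
        return Arrays.copyOfRange(ct, len - 16, len);
    }

    public static void main(String[] args) throws Exception {
        byte[] sessionKey = new byte[16];   // constructed sample key 00 01 .. 0F, not a real session key
        for (int i = 0; i < 16; i++) sessionKey[i] = (byte) i;
        byte[] iv = new byte[16];           // IV as reset once, right after authentication
        byte[] cmd = {(byte) 0xBD, 0x01, 0, 0, 0, 0x0F, 0, 0}; // read command from the first post
        iv = cmac(sessionKey, iv, cmd);     // keep the result: it seeds the next CMAC or decryption
        StringBuilder hex = new StringBuilder();
        for (byte b : iv) hex.append(String.format("%02X", b));
        System.out.println("CMAC / next IV: " + hex);
    }
}
```

Passing a zero `iv` gives the plain SP 800-38B CMAC, so the function can be checked against the standard's published AES-128 examples before it is used with a live session IV.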