Topic: CMAC and IV management in AES
Hi,
I am trying to migrate the AES part of the DESFire Ev1 to the application I use in my mobile to read DESFire tags. I completed the authentication properly and now I have a problem trying to get the CMAC values and the IV vectors.
I know I have to implement the SP 800-38B specification to get the CMAC values. Actually, I can diversify an AES Master Key, so the SubKey generation and the CMAC calculation should be OK. So, I guess it must be a problem of concept. I tried to compare my code in Java with the one available in libnfc in C++ and I cannot find the wrong step.
Assume that I want to make a read and that I already have the sessionKey and an IV that is different from 0x00..000. When I start the subKey phase I think I have to use the 0x00..000 IV (not the new one I got) and the sessionKey (not the application key) in order to get the k0 key, is that correct?
Well, once the SubKeys are correctly generated I have k1 and k2. The command I use to read is : BD010000000F0000. Then I guess I have to apply the padding to 32 bytes: (byte) 0xBD, (byte) 0x02, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x0F, (byte) 0x00, (byte) 0x00, (byte) 0x80, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00. So now since I have applied padding I use k2 to xor the second half of my input and then I encrypt the result and encrypt it using the sessionKey and the IV (that is 0x93..32). The CMAC is 32 bytes long.
Can someone tell me what I am doing wrong or at least guide me, because I don't know how to solve the problem.
Thanks a lot.
Gorka.
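
For reference, the steps SP 800-38B defines (subkey generation, padding, CBC chaining) for AES, as an added example that is not part of the original post and not code from libnfc. The class name, the `chain` parameter (a caller-supplied starting chaining value, all zero in SP 800-38B itself) and the use of the RFC 4493 test key in place of a real session key are assumptions; it needs Java 17 for `HexFormat`.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;
import java.util.HexFormat;

public class AesCmacExample {
    static final int B = 16; // AES block size in bytes
    // CIPH_K of SP 800-38B: one raw AES block encryption, no IV involved.
    static byte[] ciph(byte[] key, byte[] block) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return c.doFinal(block);
    }
    // Left shift by one bit; XOR Rb = 0x87 into the last byte if the MSB was set.
    static byte[] dbl(byte[] in) {
        byte[] out = new byte[B];
        for (int i = 0; i < B; i++) {
            int carry = (i + 1 < B) ? (in[i + 1] & 0xFF) >>> 7 : 0;
            out[i] = (byte) ((in[i] << 1) | carry);
        }
        if ((in[0] & 0x80) != 0) out[B - 1] ^= (byte) 0x87;
        return out;
    }
    // chain: starting chaining value (assumption: caller-supplied; all zero in SP 800-38B).
    static byte[] cmac(byte[] key, byte[] msg, byte[] chain) throws Exception {
        byte[] k1 = dbl(ciph(key, new byte[B])); // L = CIPH_K(0^128), K1 derived from L
        byte[] k2 = dbl(k1);
        int n = Math.max(1, (msg.length + B - 1) / B); // number of 16-byte blocks
        boolean complete = msg.length > 0 && msg.length % B == 0;
        byte[] m = Arrays.copyOf(msg, n * B); // zero-filled up to a block boundary
        if (!complete) m[msg.length] = (byte) 0x80; // 10* padding of the last block
        byte[] sub = complete ? k1 : k2; // K1 for a complete last block, K2 for a padded one
        for (int i = 0; i < B; i++) m[(n - 1) * B + i] ^= sub[i];
        byte[] c = chain.clone();
        for (int blk = 0; blk < n; blk++) { // CBC chaining over all blocks
            for (int i = 0; i < B; i++) c[i] ^= m[blk * B + i];
            c = ciph(key, c);
        }
        return c; // the last cipher block: 16 bytes
    }
    public static void main(String[] args) throws Exception {
        HexFormat hex = HexFormat.of();
        byte[] key = hex.parseHex("2b7e151628aed2a6abf7158809cf4f3c"); // RFC 4493 test key
        byte[] mac = cmac(key, hex.parseHex("6bc1bee22e409f96e93d7e117393172a"), new byte[B]);
        boolean ok = hex.formatHex(mac).equals("070a16b46b4d4144f79bdd9dd04a287c");
        System.out.println("RFC 4493 example 2 matches: " + ok);
        byte[] cmd = hex.parseHex("bd010000000f0000"); // read command quoted in the post
        System.out.println("MAC over 8-byte command: " + hex.formatHex(cmac(key, cmd, new byte[B])));
    }
}
```

Checking an implementation against the published RFC 4493 vectors first separates errors in the CMAC core from errors in how the card-specific key and chaining value are fed into it.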