Authentication Error: DESfire against SAM with 3DES algorithm


I can't finish the authentication phase. What I am using: SAM module by NXP, Mifare Desfire PICC.

I am following the next steps:

  1. Get PICC SerialNumber (or UID) with GetVersion.

    GET VERSION:   Tx: 90 60 00 00 00
                   Rx: 04 01 01 00 02 18 05 91 AF

    GET VERSION 2: Tx: 90 AF 00 00 00 00
                   Rx: 04 01 01 00 06 18 05 91 AF

    GET VERSION 3: Tx: 90 AF 00 00 00 00
                   Rx: 04 65 41 49 65 1B 80 8E 65 58 51 30 46 07 91 00

  2. Get encrypted(RndB) from PICC.

    Tx: 90 0A 00 00 01 00 00
    Rx: 31 15 1A 19 DB ED CD 5A 91 AF

  3. Send to SAM PICC_SN + ek(RndB).

    Tx: 80 41 01 03 0F 80 1B 65 49 41 65 04 31 15 1A 19 DB ED CD 5A
    Rx: 61 20

  4. Get from SAM encrypted(RndA + RndB_rotated) + 1st half Session Key.

    Tx: 00 C0 00 00 20
    Rx: F3 10 55 B1 D3 18 91 5B 92 48 16 1F E1 58 D5 CB E9 F3 51 04 41 8A 4E A5 A2 B5 67 CA FF D8 D2 35 90 00

  5. Send PICC encrypted(RndA + RndB_rotated).

    Tx: 90 AF 00 00 10 F3 10 55 B1 D3 18 91 5B 92 48 16 1F E1 58 D5 CB 00
    Rx: 91 AE

So, this is a guide I have received from my supplier, and I don't have explanations about the APDUs used; some I have found on the internet, others I guessed.

What I need to know is what the next command I send to the SAM module does: 80 41 01 03 Lc Data. I need to know what encryption it uses, why it needs the PICC's UID (is this the IV?), how I can know RndB, and what the PICC is expecting to end the authentication.

Thanks

PS: Sorry for the text's format; it seems I'm unable to use the posting tools correctly, everything ends up on the same line, it's disgusting...

Answer by Joster (best answer)

I solved the problem and finished authentication. The error was that I was requesting RndB encrypted with keyNo = 0, while the corresponding key from the SAM's key encryption should be keyNo = 2. So:

--> 90 0A 00 00 01 02 00
<-- 91 B6 08 CE 9F B5 34 3B 91 AF

Carrying on, I finish authentication:

--> 90 AF 00 00 10 0F DC FA B6 37 5F 30 34 D7 93 2D A1 3D D6 11 10 00
<-- E9 C2 F2 69 FE 38 78 28 91 00

But now I have the next problem. I've authenticated and I can read the PICC's data, but I'm afraid it's encrypted. I suppose it is encrypted with the session key, so I need some APDU command to be sent to the SAM, with data and session key, in order to decrypt the data retrieved from the PICC. Am I right? If so... which would be that SAM APDU?
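The DES/3DES native-mode exchange of steps 2 to 5 in the question, and the key-mismatch failure Joster traced to the wrong keyNo, as an added simulation in Go (not code from the question, from NXP, or from the SAM vendor). It assumes a 16-byte key, IV = 0 at each step, the PICC running DES encrypt and the PCD/SAM running DES decrypt in both directions (the D40 native-mode convention), and fixed RndA/RndB values so the run is repeatable; the SAM's own 80 41 command format is not modelled.

```go
package main

import ("bytes"; "crypto/des"; "errors")

// k3 expands a 16-byte DESFire key to the K1|K2|K1 form Go's 3DES wants. Constructed helper, not NXP code.
func k3(k []byte) []byte { return append(append([]byte{}, k...), k[:8]...) }

// chain runs a DES primitive with DESFire's native-mode chaining and IV = 0:
// send: out_i = prim(in_i XOR out_{i-1}); receive: out_i = prim(in_i) XOR in_{i-1}.
// The PICC always uses DES encrypt and the PCD/SAM always DES decrypt, in both directions.
func chain(prim func(dst, src []byte), data []byte, send bool) []byte {
	out, prev := make([]byte, len(data)), make([]byte, 8)
	for i := 0; i < len(data); i += 8 {
		in, blk := data[i:i+8], out[i:i+8]
		if send {
			for j := range blk { blk[j] = in[j] ^ prev[j] }
			prim(blk, blk)
			copy(prev, blk)
		} else {
			prim(blk, in)
			for j := range blk { blk[j] ^= prev[j] }
			copy(prev, in)
		}
	}
	return out
}

// rol rotates a nonce left by one byte (RndB -> RndB', RndA -> RndA').
func rol(b []byte) []byte { return append(append([]byte{}, b[1:]...), b[0]) }

// sessionKey is RndA[0:4]|RndB[0:4]|RndA[4:8]|RndB[4:8] for a real 3DES key; a key whose
// halves are equal is effectively single DES and repeats RndA[0:4]|RndB[0:4] instead.
func sessionKey(key, rndA, rndB []byte) []byte {
	sk := append(append([]byte{}, rndA[:4]...), rndB[:4]...)
	if bytes.Equal(key[:8], key[8:]) { return append(sk, sk...) }
	return append(append(sk, rndA[4:8]...), rndB[4:8]...)
}

// authenticateLegacy replays the 0A/AF exchange with a simulated PICC holding piccKey and a
// PCD/SAM holding pcdKey (they differ when the wrong keyNo is selected, as in the question).
// rndA/rndB are parameters so the run is deterministic; real parties draw them at random.
func authenticateLegacy(piccKey, pcdKey, rndA, rndB []byte) ([]byte, error) {
	picc, errA := des.NewTripleDESCipher(k3(piccKey))
	pcd, errB := des.NewTripleDESCipher(k3(pcdKey))
	if errA != nil || errB != nil { return nil, errors.New("keys must be 16 bytes") }
	ekRndB := chain(picc.Encrypt, rndB, true)     // PICC -> PCD: ek(RndB)
	rndBSeen := chain(pcd.Decrypt, ekRndB, false) // PCD recovers RndB and rotates it
	token := append(append([]byte{}, rndA...), rol(rndBSeen)...)
	ekToken := chain(pcd.Decrypt, token, true) // PCD -> PICC: ek(RndA || RndB')
	plain := chain(picc.Encrypt, ekToken, false)
	if !bytes.Equal(plain[8:], rol(rndB)) { return nil, errors.New("PICC rejects RndB' (status 91 AE)") }
	ekRndA2 := chain(picc.Encrypt, rol(plain[:8]), true) // PICC -> PCD: ek(RndA')
	if !bytes.Equal(chain(pcd.Decrypt, ekRndA2, false), rol(rndA)) { return nil, errors.New("PCD rejects RndA'") }
	return sessionKey(pcdKey, rndA, rndB), nil
}
```

In the step 3 trace, the eight data bytes before ek(RndB) are 0F followed by the seven-byte UID from GetVersion in reverse byte order, which is what a SAM needs when the PICC key is diversified per card (an inference from the bytes, not something the supplier's guide states).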