Cryptography Reference
In-Depth Information
of up to 848 kBit/s. A communication with the cards can be performed in plain,
with an appended Message Authentication Code (MAC), or with full data en-
cryption. Mifare DESFire cards offer 4 kByte of storage and data encryption by
hardware DES and 3DES encryption. Mifare DESFire EV1 cards additionally
provide AES-128 data encryption and are sold in three variants with 2 kByte,
4 kByte and 8 kByte of non-volatile memory, respectively. Each card holds up
to 28 different applications with up to 14 different keys per application. For
DESFire, each application may contain up to 16 files, while for DESFire EV1
the maximum number of files is 32. As in Mifare Classic cards, the UID is un-
changeably programmed into the card at production time. Depending on the
access rights for each application a mutual authentication protocol (see Proto-
col 2 / Protocol 3), ensuring that the symmetric key of the card
K
C
and of the
reader
K
R
are identical, has to be completed before reading and manipulation
of the data.
Previous to the authentication, an application represented by its Application
Identifier (AID) is selected. The reader starts the authentication protocol [4]
with an authenticate command together with the key number that is to be used
during the authentication. Note that Mifare DESFire cards only perform (3)DES
en
cryptions
Enc
K
(
) employing the secret key
K
, hence, DESFire readers always
have to use (3)DES
de
cryption
Dec
K
(
·
).
As illustrated in Protocol 2, a DESFire card responds to the authentica-
tion command with an encrypted 64-bit random nonce
n
C
. The reader likewise
chooses a 64-bit random nonce
n
R
, decrypts the received
n
C
, rotates it eight
bits to the left and decrypts
n
R
as well as the rotated
n
C
. The card verifies if
the rotated value equals
n
C
after reverting the rotation. If so, the card encrypts
the first value to obtain
n
R
, rotates it eight bits to the right and encrypts the
result which is then sent to the reader. The rotated and encrypted nonce is ver-
ified by the reader and if this final step is successful, both parties are mutually
authenticated.
We furthermore reverse-engineered the DESFire EV1 authentication proto-
col, as presented in Protocol 3, by eavesdropping on genuine protocol runs. We
found that the protocol of Mifare DESFire EV1 cards using AES-128 diverges
from Protocol 2 as follows. In Protocol 3, en- and decryption are used in the
common sense, i.e., data that is to be sent is encrypted and data that was re-
ceived has to be decrypted. The CBC mode is modified in a way that all en-
or decryptions are chained, even though they operate on different cryptograms.
The Initialization Vector (IV) is not reset when en- or decrypting a new mes-
sage, but instead depends on the previous en- or decryption. The nonces are
extended to a length of 128 bit to match the block size of AES-128 and the sec-
ond rotation is executed in the opposite direction on both sides. Again, AES-128
en- and decryption involving the key
K
are denoted by
Enc
K
(
·
),
respectively. Apart from that, the protocol equals the authentication protocol of
Mifare DESFire cards and thus mutually authenticates both parties on successful
execution.
·
)and
Dec
K
(
·
Search WWH ::
Custom Search