Generic Access Control Data Model, MIFARE Plus, MIFARE DESFire EV1, MIFARE SAM AV2, SmartMX, a generic approach for physical access control applications.

Digital Signature / Originality Check

The signature of the data is a computed message authentication code (CMAC) that authenticates that the data has not been altered or manipulated. The system computes the digital signature and compares it to the stored signature. The OCPSK key is known only to the system and is not stored on the card.

Fig 3. Digital Signature / Originality Check

Fig 4. Data Construction of Digital Signature

Example: Based on AES-128 key

PACS Data Object:
Version Major – 0x01
Version Minor – 0x00
Site Code – 0x00 00 00 11 22
Credential ID – 0x00 00 00 00 00 06 55 30
Reissue Code – 0x00
Pin Code – 0x00 00 00 00
Customer Data – 0x00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99

UID: 0x04deadbeeffeed

AES DIV constant 1: 0x01
AES DIV constant 2: 0x02

Signature data – 0x01 00 00 00 00 11 22 00 00 00 00 00 06 55 30 00 00 00 00 00 00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99

Generate OCPSK Diversified Key

Step 1: Generate subkeys

Generate K0: K0 = CIPH_K(0^b), that is, encrypt a block of zeros using the Secret Key. Here K0 = 0x6704a3af8af3d920a0a7594f5cebf9fd

Generate K1: If MSB(K0) = 0, then K1 = K0 << 1; else K1 = (K0 << 1) XOR 0x00000000000000000000000000000087. In words: shift K0 one bit left, and if the most significant bit of K0 is not 0, XOR the shifted result with 0x00000000000000000000000000000087. Here K1 = 0xce09475f15e7b241414eb29eb9d7f3fa

Generate K2: If MSB(K1) = 0, then K2 = K1 << 1; else K2 = (K1 << 1) XOR 0x00000000000000000000000000000087. In words: shift K1 one bit left, and if the most significant bit of K1 is not 0, XOR the shifted result with 0x00000000000000000000000000000087. Here K2 = 0x9c128ebe2bcf6482829d653d73afe773

Step 2: Create Div Input

Div Constant 1 + UID + Padding
0x0104deadbeeffeed800000000000000000000000000000000000000000000000

Step 3: XOR string

Since padding occurred, K2 will be XOR'd with Div Input.
Result – 0x0104deadbeeffeed80000000000000009c128ebe2bcf6482829d653d73afe773

Step 4: Encrypt the above result with Secret Key
Result – 0x901780466c3d5fb6c885ab59139e132f0bb408baff98b6ee9f2e1585777f6a51

Step 5: Diversified Key would be the last 16 byte block (Block 2) of the encryption result.

Diversified key is 0x0bb408baff98b6ee9f2e1585777f6a51
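Steps 1 to 3 above can be reproduced from the K0 value printed on the page, as in the following added example (not code from the original page or from NXP). The function names are hypothetical, and Step 4 is left out because the Secret Key itself is not given on the page. The unpadded branch (XOR with K1) follows standard CMAC and is not exercised by the page's example.

```python
# Added example: Steps 1-3 of the OCPSK diversification, starting from the
# K0 value printed on the page. Function names are hypothetical.
BLOCK = 16          # AES block size in bytes
RB = 0x87           # constant XORed in when the MSB before the shift was 1

def shift_xor(block: bytes) -> bytes:
    """Shift a 16-byte value left one bit; XOR 0x87 if its MSB was set."""
    n = int.from_bytes(block, "big")
    out = (n << 1) & ((1 << 128) - 1)
    if n >> 127:
        out ^= RB
    return out.to_bytes(BLOCK, "big")

def subkeys(k0: bytes):
    """Step 1: derive K1 and K2 from K0."""
    if len(k0) != BLOCK:
        raise ValueError("K0 must be 16 bytes")
    k1 = shift_xor(k0)
    return k1, shift_xor(k1)

def div_input(div_const: int, uid: bytes):
    """Step 2: Div Constant + UID, padded with 0x80 00.. up to 32 bytes."""
    data = bytes([div_const]) + uid
    if len(data) > 2 * BLOCK:
        raise ValueError("diversification data longer than 32 bytes")
    padded = len(data) < 2 * BLOCK
    if padded:
        data += b"\x80" + bytes(2 * BLOCK - len(data) - 1)
    return data, padded

def xor_last_block(data: bytes, k1: bytes, k2: bytes, padded: bool) -> bytes:
    """Step 3: XOR the last block with K2 if padded, else K1 (standard CMAC)."""
    sub = k2 if padded else k1
    last = bytes(a ^ b for a, b in zip(data[-BLOCK:], sub))
    return data[:-BLOCK] + last

def steps_1_to_3(k0_hex: str, div_const: int, uid_hex: str) -> str:
    """Return the 32-byte string that Step 4 would encrypt, as hex."""
    k1, k2 = subkeys(bytes.fromhex(k0_hex))
    data, padded = div_input(div_const, bytes.fromhex(uid_hex))
    return xor_last_block(data, k1, k2, padded).hex()

if __name__ == "__main__":
    # K0, DIV constant 1 and UID are the values from the page's example.
    print(steps_1_to_3("6704a3af8af3d920a0a7594f5cebf9fd", 0x01, "04deadbeeffeed"))
```
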

Generate Digital Signature using standard CMAC with Init Vector set to UID.

Init Vector 0x04deadbeeffeed80000000000000000000
Diversified Key 0x0bb408baff98b6ee9f2e1585777f6a51
Signature data – 0x01 00 00 00 00 11 22 00 00 00 00 00 06 55 30 00 00 00 00 00 00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99

Digital Signature is 0x8FB0EF8EB12AC1F3

–MIFARE SAM AV2 Key Diversification