mifare DESFire Functionality CAS - 2006
mifare DESFire Functionality Agenda Introduction Main Characteristics & Block Diagram DESFire File System Applications & Files File Types Key Management Access Rights Backup Management Memory Mapping Typical Transaction Time Delivery Types & Development Tools Semiconductors 2
mifare DESFire Main Characteristics Interface: Contactless only only Fully compliant to to the the ISO/IEC14443A (1-4) 7 bytes UID UID ( Double Size Size UID ) Operating distance up up to to 10cm Data transmission: 106 106 424 424kBd Compatible to to the the Mifare Reader CPU & OS: Asynchronous CPU core core (3) (3) DES DES coprocessor Fixed Command Set Set No No Customer ROM codes RF-Interface MF3ICD40 CPU EEPROM (3)DES-Co-proc. Buy the card and use it. Semiconductors 3
mifare DESFire Main Characteristics NV Memory: 4 kbyte EEPROM Erase + Write access: 1ms 1ms each R/W-Cycles: >100K Data retention: 10 10 years RF-Interface MF3ICD40 CPU EEPROM (3)DES-Co-proc. File System: up up to to 28 28 application // card card up up to to 16 16 files files // application up up to to 14 14 keys keys // application 1 masterkey for for card card maintenance Plain, (3)DES encrypted, or ormaced data data transmission On-Chip Backup management Semiconductors 4
mifare DESFire Block Diagram MF3 IC D40 CARD LA RF INTERFACE SECURITY UART ISO 14443A TRIPLE-DES CO-PROCESSOR TRUE RANDOM NUMBER GENERATOR COIL LB SENSORS POWER ON RESET VOLTAGE REGULATOR CPU / Logic Unit CRC CLOCK INPUT FILTER RESET GENERATOR ROM RAM EEPROM Semiconductors 5
mifare DESFire File System The 4kByte EEPROM can be used for: up to 28 different applications (like sub-directories on a HDD) 1 2 3 4... 28 One MasterKey (for (for card card maintenance) up to 16 files / application (like data-files within one sub-directory ) up to 14 (3)DES keys / application (valid only within the sub-directory ) includes One MasterKey (for (for application maintenance) 3 File types: 1) Data Files 2) Value Files 3) Record Files Semiconductors 6
mifare DESFire File Types: Standard Data File Standard Data File (0x00) File# 0x00... 0x0F User File size: = 1 byte... 4 kbyte Required EEPROM size: = File Size* General data file (e.g. card issuer data, card holder name) EEPROM Size [( StdData 1) / 32] * 32 + 32 = INT FileSize Create Standard Data File 1 1 1 2 3 CMD File # Com Set Access Rights File Size *Internally the NV-memory is allocated in blocks of 32 bytes. Semiconductors (E.g. every file with a size of 1-32 bytes internally always uses 32 bytes.) 7
mifare DESFire File Types: Backup Data File Backup Data File (0x01) File# 0x00... 0x07 File size: = 1 Byte... 2 kbyte Required EEPROM: = 2 x File size* General data file (e.g. card issuer data, card holder name) EEPROM Size [( BackupData 1) / 32] * 32 32 = 2 INT FileSize + Create Backup Data File 1 1 1 2 3 CMD File # Com Set Access Rights File Size *Internally the NV-memory is allocated in blocks of 32 bytes. Semiconductors (E.g. every file with a size of 1-32 bytes internally always uses 32 bytes.) 8
mifare DESFire File Types: Value Files Value File (0x02) Required EEPROM size: = 32 Bytes File# 0x00... 0x07 Value Range = -16 777 215...+16 777 216 (4 Byte signed integer) Lower Limit = -16 777 215...+16 777 215 Upper Limit = -16 777 214...+16 777 216 (Lower Limit < Upper Limit) Limited Credit enabled (0x01) / disabled (0x00) Create Value File 1 1 1 2 4 4 4 1 CMD File # Com Set Access Rights Lower Limit Upper Limit Value Credit Limited enabled Semiconductors 9
mifare DESFire File Types: Record File 3 Records can be read n Records can be read Record File Record #1 Record #2 Record #3 Record #4 Record #5 Record #n-1 Record #n Record Size # of Records after 3 Write commands after n Write commands A Record Record File File contains n Records. Each Each Record Record can can be be written written once. once. The The latest latest and and all all the the previous Records can can be be read read (at (at once). once). Semiconductors 10
mifare DESFire File Types: Record File Linear Record File Record #1 Record #2 Record #3 Record #n-1 Record #n Record File full after 3 Write commands Cyclic Record File Record #1 Record #2 Record #3 Record #n-1 after n Write commands Record #n after n+1 Write commands Record #1 after n+2 Write commands Record #2 n+1 Write: Error instead of ACK Semiconductors 11
mifare DESFire File Types: Linear Record File Linear Record Files (0x03) File# 0x00... 0x07 Required EEPROM size: = 32Bytes + Record Size # of Records* Record Size = 0x00 00 01... 0xff ff ff (1 Byte - 4k Byte) # of Records = 0x00 00 01... 0xff ff ff Create Record File 1 1 1 2 3 3 CMD File # Com Set Access Rights Record Size Max. # of Records * Internally the NV-memory is allocated in blocks of 32 bytes. (E.g. a Record File with 2 Records and a size of 10 Bytes/Record internally always uses 64 bytes.) Semiconductors 12
mifare DESFire File Types: Cyclic Record File Cyclic Record Files (0x03) File# 0x00... 0x07 Required EEPROM size: = 32Bytes + Record Size # of Records* Record Size = 0x00 00 01... 0xff ff ff (1 Byte - 4k Byte) # of Records = 0x00 00 02... 0xff ff ff Create Record File 1 1 1 2 3 3 CMD File # Com Set Access Rights Record Size Max. # of Records * Internally the NV-memory is allocated in blocks of 32 bytes. (E.g. a Record File with 2 Records and a size of 10 Bytes/Record internally always uses 64 bytes.) Semiconductors 13
mifare DESFire Encryption DESFire data transmission: Example Data: Plain Data MACed* Data Hello World Data 48 65 6C 6C 6F 20 57 6F 72 6C 64 Data MAC 48 65 6C 6C 6F 20 57 6F 72 6C 64 23 42 A1 2E (3)DES enciphered Data + 2Byte CRC -> filled up to n*8 -> (3)DES encrypted f2 45 2a e0 50 56 3c 02 43 4e 63 ac 04 bb 21 26 Coding of the Communication Settings: b7 b6 b5 b4 b3 b2 b1 b0 Hex Plain Data 0 0 0 0 0 0 x 0 0x00 MACed 0 0 0 0 0 0 0 1 0x01 (3)DES encrypted 0 0 0 0 0 0 1 1 0x03 *MAC: Message Authentication Code Semiconductors 14
mifare DESFire Keys DES and 3DES keys are stored in 16 bytes strings. DES: 1 st half = 2 nd half Single DES 00 11 22 33 44 55 66 77 00 11 22 33 44 55 66 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (default) 3DES: 1 st half = 2 nd half Triple DES 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 Semiconductors 15
mifare DESFire Access Rights 4 different Access Rights are stored for each file. Access Rights are defined during creation of a file. Value File all other files R Get Value Debit Read W Get Value Debit Limited Credit Write R&W Get Value Debit Limited Credit Credit Read&Write C Change Config Key #0 always is the Masterkey on PICC level (if no application or AID 0x00 00 00 is selected) on Application level (if an Application is selected). Semiconductors 16
mifare DESFire Coding of Access Rights During creation of a file the Access Rights are defined with a 2-byte code: MSBit LSBit b15 b12 b11 b8 b7 b4 b3 b0 R W R&W C Remark: Remark: If If a file file is is accessed accessed without without valid valid authentication authentication but but free free access access (0xe) (0xe) is is possible, possible, the the communication communication mode mode is is forced forced to to plain plain (through (through at at least least one one relevant relevant access access right). right). Hex Key 0x0 0 0x1 1 0x2 2 0x3 3 0x4 4 0x5 5 0x6 6 0x7 7 0x8 8 0x9 9 0xa 10 0xb 11 0xc 12 0xd 13 0xe "free" 0xf never no authentication required no access Semiconductors 17
mifare DESFire Application Example Up to 28 different applications per card Up to 16 different files per application Application 0x 00 00 02 File 0x03 File Appl 0x07 File 0x 00 00 02 0x0C File 0x04 Appl 0x 00 00 03 Appl 0x 00 00 01 Semiconductors 18
mifare DESFire Application Example Application # 0x 00 00 02 contains 4 Files: File 0x03: Application Value File 0x 00 00 02 lower limit: -10 File upper 0x03 limit: +2000 File MACed Data 0x07 File 0x0C File 0x04 File 0x0C: File 0x07: Backup Data File File Size: 30 bytes 3DES encrypted Data Standard Data File File Size: 30 bytes Plain Data File 0x04: Cyclic Record File Record Size: 10 bytes # of Records: 21 MACed Data Semiconductors 19
mifare DESFire Application Example KEY 0 Application # 0x 00 00 02 contains 4 Files and 5 keys: KEY 1 KEY 2 KEY 3 KEY 4 Application 0x 00 00 02 File 0x03 File 0x0C File 0x07 File 0x04 free never R W R&W C R W R&W C R W R&W C R W R&W C File 0x0C: File 0x03: File 0x04: File 0x07: Value File Standard Data File Cyclic Record File Backup Data File Semiconductors 20
mifare DESFire Backup Management Transaction oriented approach On application level, Multiple write commands can be issued. Completed transaction has to be validated by a CommitTransaction command. If not validated or aborted, a full rollback of all writes happens. Either ALL writes are done or NO writes are done. Application data is always consistent Semiconductors 21
Backup Data File mifare DESFire Data File Backup Valid Image Image 1 Write updates mirror image Write Data Image 2 CommitTransaction validates updated Image Valid Image Image 1 Image 2 Semiconductors *Data File Backup Management requires a Backup Data File. 22
Value File mifare DESFire Value File Backup Valid Image Image 1 Image 2 Image 1 Image 2 Write updates mirror image Write Valid Image CommitTransaction validates updated Image Image 1 Image 2 Image 1 Image 2 Semiconductors 23
mifare DESFire Record File Backup Record File Current Record Write Data Current Record Record #1 Record #2 Record #3 Record #n-1 Record #n Record #1 Record #2 Record #3 Record #n-1 Record #n Write into next empty Record CommitTransaction validates new Record # Semiconductors 24
mifare DESFire Memory Mapping 1 The mifare DESFire EEPROM area is allocated in blocks of 32 bytes. Blank Chip The blank chip in delivery state uses 4 blocks for Manufacturer data and Administration. Card Administration The card administration requires 1 block per 4 created applications. This memory is re-used after Delete Application. Semiconductors 25
mifare DESFire Memory Mapping 2 Application For each created application n blocks are required with: n = 1+ int keys ( + 1) 2 blocks number of keys number of blocks 0 1 1 2 2 2 3 3 4 3 5 4 6 4...... This memory cannot be re-used after Delete Application, but only after FormatPICC. Semiconductors 26
mifare DESFire Memory Mapping 3 File Administration Every 2 nd file entry uses 1 block, beginning with 2 nd generated file. number of files number of blocks 1 0 2 1 3 1 4 2 5 2 6 3 7 3...... This memory is re-used after Delete File. Semiconductors 27
mifare DESFire Memory Mapping 4 Data The data of a Standard Data File requires n blocks with: n = 1+ int filesize ( + 31) blocks 32 Standard Data File Backup Data File file size number of blocks number of blocks 1 1 2 2 1 2... 1 2 32 1 2 33 2 4 34 2 4... 2 4 64 2 4 65 3 6......... Semiconductors 28
mifare DESFire Memory Mapping 5 The data of a Backup Data File requires 2x n blocks The Value Data File requires 1 block, independent on value or limits. The Record File requires n blocks with: n = 1+ int recordsize number of records ( + 31) blocks 32 Semiconductors 29
mifare DESFire Transaction Time Command Sequence (typical transport transaction): Establish protocol according to to ISO ISO 14443-4 Application Application Selection Selection mutual mutual 3pass 3pass Authentication Authentication Read Read Standard Standard Data Data File File (( 48 48 bytes bytes 3DES 3DES MACed MACed )) Read Read Backup Backup Data Data File File (( 48 48 bytes bytes 3DES 3DES MACed MACed )) Read Read Value Value (( 12 12 bytes bytes 3DES 3DES MACed MACed )) Read Read Record Record File File (( 48 48 bytes bytes 3DES 3DES MACed MACed )) Write Write to to backup backup file file (( 48 48 bytes bytes 3DES 3DES MACed MACed )) Append Append record record to to record record file file (( 48 48 bytes bytes 3DES 3DES MACed MACed )) Modify Modify value value file file (( 12 12 bytes bytes 3DES 3DES MACed MACed )) CommitTransaction CommitTransaction Deselect according to to ISO ISO 14443-4 Transaction Time Time 3DES 3DES MACed for for Read Read 156 156 byte, byte, Write Write 108 108 byte byte (incl. (incl. Backup): @ 106 kbaud: <130ms* @ 212 kbaud: <110ms* @ 424 kbaud: <100ms* * Includes communication PCD - PICC, does NOT include reader data handling Semiconductors 30
DESFire Delivery Types Sawn Wafer on FFC MOA4 Contactless Module 150µm thickness MF3ICD4001DW/V5 330µm thickness MOA4: MF3MOD4001DV/4 Semiconductors 31
mifare DESFire Development Tools MF EV70x based on on the the Pegoda Reader, contains: USB USB Pegoda Reader (RD70x) Datasheets & Documents on on a CD CD 5 Mifare Cards PEGODA Reader + mifare DESFire Sample Cards MF DESFire UI UI (Demo-SW) Debug Client SW C-library (incl. Source Code) Sample Cards Semiconductors 32
mifare DESFire Facts Fully ISO 14443A compliant, up to part 4 Unique 7 byte serial number ISO cascade level 2 4 KByte EEPROM, 1ms erase, 1ms program Fast Data Transfer, up to 424 Kbit/s Mutual Three Pass Authentication DES/3DES Data Encryption on RF-channel Data Authenticity by 4 byte 3DES MAC Flexible File System Up to 28 Applications per card Up to 14 3DES keys per Application, with key versioning Up to 16 Files per Application Automatic backup mechanism for all available file types Semiconductors 33