Mifare DESFire Training - read.pudn.comread.pudn.com/.../M306_Mifare_DESFire_Func_V1.pdf · • Typical Transaction Time ... • on PICC level (if no application or AID 0x00 00 00

mifaremifare®® DESFire FunctionalityDESFire Functionality

CAS - 2006

Semiconductors 2

mifaremifare®® DESFireDESFire Functionality AgendaFunctionality Agenda

• Introduction• Main Characteristics & Block Diagram• DESFire File System

• Typical Transaction Time• Delivery Types & Development Tools

Applications & FilesFile TypesKey Management Access RightsBackup Management Memory Mapping

Semiconductors 3

Interface:• Contactless only• Fully compliant to the ISO/IEC14443A (1-4)• 7 bytes UID (“Double Size UID”)• Operating distance up to 10cm• Data transmission: 106 – 424 kBd• Compatible to the Mifare Reader

Interface:• Contactless only• Fully compliant to the ISO/IEC14443A (1-4)• 7 bytes UID (“Double Size UID”)• Operating distance up to 10cm• Data transmission: 106 – 424 kBd• Compatible to the Mifare Reader

MF3ICD40MF3ICD40

RF-

Inte

rfac

e

CPUEEPROM(3)DES-Co-proc.

mifaremifare®® DESFire Main CharacteristicsDESFire Main Characteristics

CPU & OS:• Asynchronous CPU core• (3) DES coprocessor• Fixed Command Set• No Customer ROM codes

CPU & OS:• Asynchronous CPU core• (3) DES coprocessor• Fixed Command Set• No Customer ROM codes

„„Buy the card and use it.“Buy the card and use it.“

Semiconductors 4

mifaremifare®® DESFire Main CharacteristicsDESFire Main Characteristics

File System:• up to 28 application / card • up to 16 files / application• up to 14 keys / application• 1 masterkey for card maintenance• Plain, (3)DES encrypted, or MACed data transmission• On-Chip Backup management

File System:• up to 28 application / card • up to 16 files / application• up to 14 keys / application• 1 masterkey for card maintenance• Plain, (3)DES encrypted, or MACed data transmission• On-Chip Backup management

NV Memory:• 4 kByte EEPROM• Erase + Write access: 1ms each• R/W-Cycles: >100K• Data retention: 10 years

NV Memory:• 4 kByte EEPROM• Erase + Write access: 1ms each• R/W-Cycles: >100K• Data retention: 10 years

MF3ICD40MF3ICD40

RF-

Inte

rfac

e

CPUEEPROM(3)DES-Co-proc.

Semiconductors 5

CPU / Logic Unit

TRIPLE-DES

CO-PROCESSOR

UARTISO 14443A

RFINTERFACE

SECURITYSENSORS

POWER ONRESET

VOLTAGEREGULATOR

CLOCKINPUT FILTER

RESETGENERATOR

CARDCOIL

LA

LB

TRUE RANDOMNUMBER

GENERATOR

RAMROM RAM EEPROM

CRC

mifaremifare®® DESFire Block DiagramDESFire Block Diagram

MF3 IC D40

Semiconductors 6

up toup to 16 files / application(like data-files within one “sub-directory”)

mifare® mifare® DESFire File SystemDESFire File System

1) Data Files2) Value Files3) Record Files

3 File types:

The 4kByte EEPROM can be used for:The 4kByte EEPROM can be used for:

One MasterKey(for card maintenance)One MasterKey(for card maintenance)

up to 28 different applications(like “sub-directories” on a HDD)1 2 3 4 ... 28

up toup to 14 (3)DES keys / application(valid only within the “sub-directory” )

One MasterKey(for application maintenance)One MasterKey(for application maintenance)

includes

Semiconductors 7

mifaremifare®® DESFireDESFire File Types: Standard Data FileFile Types: Standard Data File

Standard Data File (0x00)Standard Data File (0x00)User File size: = 1 byte ... 4 kbyteRequired EEPROM size: = File Size*General data file (e.g. card issuer data, card holder name)

File# 0x00 ... 0x0F

Create Standard Data File1 1 1 2 3

CMD File # Com Set Access Rights File Size

[ ] 3232*32/)1( +−= FileSizeStdDataNTISizeEEPROM

*Internally the NV-memory is allocated in blocks of 32 bytes.(E.g. every file with a size of 1-32 bytes internally always uses 32 bytes.)

Semiconductors 8

mifaremifare®® DESFireDESFire File Types: Backup Data FileFile Types: Backup Data File

Backup Data File (0x01)Backup Data File (0x01)File size: = 1 Byte ... 2 kByteRequired EEPROM: = 2 x File size*General data file (e.g. card issuer data, card holder name)

File# 0x00 ... 0x07

[ ] 3232*32/)1(2 +−⋅= FileSizeBackupDataNTISizeEEPROM

Create Backup Data File1 1 1 2 3

CMD File # Com Set Access Rights File Size

*Internally the NV-memory is allocated in blocks of 32 bytes.(E.g. every file with a size of 1-32 bytes internally always uses 32 bytes.)

Semiconductors 9

mifaremifare®® DESFireDESFire File Types: Value FilesFile Types: Value Files

Create Value File1 1 1 2 4 4 4 1

CMD File # Com Set Access Rights Lower Limit Upper Limit Value Credit Limited enabled

Value File (0x02)Value File (0x02)Required EEPROM size: = 32 Bytes

Value Range = -16 777 215...+16 777 216(4 Byte signed integer)

Lower Limit = -16 777 215...+16 777 215

Upper Limit = -16 777 214...+16 777 216(Lower Limit < Upper Limit)

Limited Credit enabled (0x01) / disabled (0x00)

File# 0x00 ... 0x07

Semiconductors 10

Record #3 after 3 Write commands3 Records can be read

Record #n after n Write commandsn Records can be read

mifaremifare®® DESFireDESFire File Types: Record FileFile Types: Record File

Record #1Record #2Record #3

Record #n-1Record #n

after 3 Write commands

Record File

Record #4Record #5

after n Write commands

Record Size# of Records

• A Record File contains n Records. • Each Record can be written once.• The latest and all the previous Records can be read (at once).

• A Record File contains n Records. • Each Record can be written once.• The latest and all the previous Records can be read (at once).

Semiconductors 11

mifaremifare®® DESFireDESFire File Types: Record FileFile Types: Record File





after 3 Write commands

after n Write commands

Linear Record File Cyclic Record File

after n+2 Write commands Record #2after n+1 Write commands Record #1Record File full

n+1 Write: Error instead of ACK

Semiconductors 12

mifaremifare®® DESFireDESFire File Types: Linear Record FileFile Types: Linear Record File

Create Record File1 1 1 2 3 3

CMD File # Com Set Access Rights Record Size Max. # of Records

Linear Record Files (0x03)Linear Record Files (0x03)Required EEPROM size: = 32Bytes + Record Size • # of Records*

Record Size = 0x00 00 01 ... 0xff ff ff (1 Byte - 4k Byte)

# of Records = 0x00 00 01 ... 0xff ff ff

File# 0x00 ... 0x07

* Internally the NV-memory is allocated in blocks of 32 bytes.(E.g. a Record File with 2 Records and a size of 10 Bytes/Record internally always uses 64 bytes.)

Semiconductors 13

mifaremifare®® DESFireDESFire File Types: Cyclic Record FileFile Types: Cyclic Record File

Create Record File1 1 1 2 3 3

CMD File # Com Set Access Rights Record Size Max. # of Records

Cyclic Record Files (0x03)Cyclic Record Files (0x03)Required EEPROM size: = 32Bytes + Record Size • # of Records*

Record Size = 0x00 00 01 ... 0xff ff ff (1 Byte - 4k Byte)

# of Records = 0x00 00 02 ... 0xff ff ff

File# 0x00 ... 0x07

* Internally the NV-memory is allocated in blocks of 32 bytes.(E.g. a Record File with 2 Records and a size of 10 Bytes/Record internally always uses 64 bytes.)

Semiconductors 14

mifaremifare®® DESFire DESFire EncryptionEncryption

DESFireDESFire data transmission:data transmission:

Plain Data

Example Data: „Hello World“

48 65 6C 6C 6F 20 57 6F 72 6C 64Data

48 65 6C 6C 6F 20 57 6F 72 6C 64 23 42 A1 2E Data MAC

f2 45 2a e0 50 56 3c 02 43 4e 63 ac 04 bb 21 26Data + 2Byte CRC -> filled up to n*8 -> (3)DES encrypted

MACed* Data

(3)DES enciphered

*MAC: Message Authentication Code

b7 b6 b5 b4 b3 b2 b1 b0 HexPlain Data 0 0 0 0 0 0 x 0 0x00MACed 0 0 0 0 0 0 0 1 0x01(3)DES encrypted 0 0 0 0 0 0 1 1 0x03

Coding of the Communication Settings:

Semiconductors 15

mifaremifare®® DESFire DESFire KeysKeys

00 11 22 33 44 55 66 77 00 11 22 33 44 55 66 77

DES:

DES and 3DES keys are stored in 16 bytes strings.

1st half = 2nd half Single DES

00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff

00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00

3DES: 1st half = 2nd half Triple DES

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (default)

Semiconductors 16

mifaremifare®® DESFire DESFire Access RightsAccess Rights

4 different Access Rights are stored for each file. Access Rights are defined during creation of a file.

all other filesR Get Value Debit ReadW Get Value Debit Limited Credit Write

R&W Get Value Debit Limited Credit Credit Read&WriteC

Value File

Change Config

Key #0 always is the Masterkey• on PICC level (if no application or AID 0x00 00 00 is selected)• on Application level (if an Application is selected).

Semiconductors 17

mifaremifare®® DESFire Coding of DESFire Coding of Access RightsAccess Rights

b15 b12 b11 b8 b7 b4 b3 b0

R W R&W C

MSBit LSBitDuring creation of a file the Access Rights are defined with a 2-byte code:

Remark:If a file is accessed without valid authentication but free access (0xe) is possible, the communication mode is forced to plain (through at least one relevant access right).

Remark:If a file is accessed without valid authentication but free access (0xe) is possible, the communication mode is forced to plain (through at least one relevant access right).

Hex Key0x0 00x1 10x2 20x3 30x4 40x5 50x6 60x7 70x8 80x9 90xa 100xb 110xc 120xd 130xe "free"0xf never

no authentication requiredno access

Semiconductors 18

mifaremifare®® DESFireDESFire Application ExampleApplication Example

Up to 28 different applications per card

ApplAppl0x 00 00 020x 00 00 02

ApplAppl0x 00 00 010x 00 00 01

ApplAppl0x 00 00 030x 00 00 03

Application 0x 00 00 02Application 0x 00 00 02

File 0x03File 0x03

FileFile0x0C0x0C

File File 0x070x07

File 0x04File 0x04

Up to 16 different files per applicationUp to 16 different files per application

Semiconductors 19



File 0x03File 0x03

FileFile0x0C0x0C

File File 0x070x07

File 0x04File 0x04

File 0x03:

File 0x0C:

File 0x07:

File 0x04:

Application # 0x 00 00 02 contains 4 Files:

Value File lower limit: -10upper limit: +2000MACed Data

Cyclic Record File Record Size: 10 bytes# of Records: 21MACed Data

Backup Data File File Size: 30 bytes3DES encrypted Data

Standard Data File File Size: 30 bytesPlain Data

Semiconductors 20



File 0x03File 0x03

FileFile0x0C0x0C

File File 0x070x07

File 0x04File 0x04

File 0x03:File 0x0C: File 0x07:File 0x04:

Application # 0x 00 00 02 contains 4 Files and 5 keys:

Value File Cyclic Record File

Backup Data File

Standard Data File

R W R&W CR W R&W C R W R&W CR W R&W C R W R&W CR W R&W C R W R&W CR W R&W C

neverneverfreefreeKEY 1KEY 1 KEY 4KEY 4KEY 2KEY 2 KEY 3KEY 3

KEY 0KEY 0

Semiconductors 21

mifaremifare®® DESFireDESFire Backup ManagementBackup Management

Transaction oriented approachTransaction oriented approach

On application level, Multiple write commands can be issued.On application level, Multiple write commands can be issued.

→→ Application data is always consistentApplication data is always consistent

Completed transaction has to be validated by a Completed transaction has to be validated by a CommitTransactionCommitTransaction command.command.

If not validated or aborted, a full rollback of all writes happeIf not validated or aborted, a full rollback of all writes happens.ns.

Either ALL writes are done or NO writes are done.Either ALL writes are done or NO writes are done.

Semiconductors 22

Image 1Image 1

Image 2Image 2

Valid ImageValid Image

mifaremifare®® DESFire DESFire DataData File BackupFile Backup

Image 1Image 1

Image 2Image 2

Valid ImageValid Image

CommitTransactionCommitTransactionvalidates updated Imagevalidates updated Image

Write DataWrite Data Image 2Image 2

WriteWriteupdates mirror imageupdates mirror image

*Data File Backup Management requires a Backup Data File.

Backup Data File

Semiconductors 23

mifaremifare®® DESFire DESFire ValueValue File BackupFile Backup

Image 1 Image 2 Image 1 Image 2

Valid Image

Image 1 Image 2 Image 1 Image 2

Valid Image

CommitTransactionCommitTransactionvalidates updated Imagevalidates updated Image

Write

Image 2 Image 2WriteWriteupdates mirror imageupdates mirror image

Value File

Semiconductors 24

mifaremifare®® DESFire DESFire RecordRecord File BackupFile Backup



Record File

Current RecordWriteWriteinto next empty Recordinto next empty Record

Write DataRecord #3

CommitTransactionCommitTransactionvalidates new Record #validates new Record #



Current Record

Semiconductors 25

mifaremifare®® DESFire DESFire Memory MappingMemory Mapping 11

The mifare® DESFire EEPROM area is allocated in blocks of 32 bytes.

Blank Chip

The “blank” chip in delivery state uses 4 blocks for Manufacturer data and Administration.

Card Administration

The card administration requires 1 block per 4 created applications. This memory is re-used after “Delete Application”.

Semiconductors 26


Application

For each created application n blocks are required with:

blockskeysn ⎟⎠⎞⎜

⎝⎛ ++= 2

)1(int1number of keys number of blocks

0 11 22 23 34 35 46 4... ...

This memory cannot be re-used after “Delete Application”, but only after “FormatPICC”.

Semiconductors 27


File Administration

Every 2nd file entry uses 1 block, beginning with 2nd generated file.

number of files number of blocks1 02 13 14 25 26 37 3... ...

This memory is re-used after “Delete File”.

Semiconductors 28

mifaremifare®® DESFire DESFire Memory MappingMemory Mapping 44Data

The data of a Standard Data File requires n blocks with:

blocksfilesizen ⎟⎠⎞⎜

⎝⎛ ++= 32

)31(int1

Standard Data File Backup Data Filefile size number of blocks number of blocks

1 1 22 1 2... 1 232 1 233 2 434 2 4... 2 464 2 465 3 6... ... ...

Semiconductors 29

mifaremifare®® DESFire Memory Mapping 5DESFire Memory Mapping 5

The Value Data File requires 1 block, independent on value or limits.

The Record File requires n blocks with:

blocksrecordsofnumberrecordsizen ⎟⎠⎞⎜

⎝⎛ +⋅+= 32

)31__(int1

The data of a Backup Data File requires 2x n blocks

Semiconductors 30

mifaremifare®® DESFire DESFire Transaction TimeTransaction Time

Transaction Time 3DES MACed for Read 156 byte, Write 108 byte (incl. Backup):

@ 106 kbaud: <130ms*@ 212 kbaud: <110ms*@ 424 kbaud: <100ms*

Transaction Time 3DES MACed for Read 156 byte, Write 108 byte (incl. Backup):

@ 106 kbaud: <130ms*@ 212 kbaud: <110ms*@ 424 kbaud: <100ms*

* Includes communication PCD - PICC, does NOT include reader data handling

Command Sequence (typical transport transaction):–Establish protocol according to ISO 14443-4

•Application Selection•mutual 3pass Authentication•Read Standard Data File ( 48 bytes 3DES MACed )•Read Backup Data File ( 48 bytes 3DES MACed )•Read Value ( 12 bytes 3DES MACed )•Read Record File ( 48 bytes 3DES MACed )•Write to backup file ( 48 bytes 3DES MACed )•Append record to record file ( 48 bytes 3DES MACed ) •Modify value file ( 12 bytes 3DES MACed )•CommitTransaction

–Deselect according to ISO 14443-4

Command Sequence (typical transport transaction):–Establish protocol according to ISO 14443-4

•Application Selection•mutual 3pass Authentication•Read Standard Data File ( 48 bytes 3DES MACed )•Read Backup Data File ( 48 bytes 3DES MACed )•Read Value ( 12 bytes 3DES MACed )•Read Record File ( 48 bytes 3DES MACed )•Write to backup file ( 48 bytes 3DES MACed )•Append record to record file ( 48 bytes 3DES MACed ) •Modify value file ( 12 bytes 3DES MACed )•CommitTransaction

–Deselect according to ISO 14443-4

Semiconductors 31

Sawn Wafer on FFCSawn Wafer on FFC MOA4MOA4 ContactlessContactless ModuleModule

150µm thickness150µm thickness

MF3ICD4001DW/V5MF3ICD4001DW/V5

330µm thickness330µm thickness

MOA4: MF3MOD4001DV/4MOA4: MF3MOD4001DV/4

DESFireDESFire Delivery TypesDelivery Types

Semiconductors 32

mifaremifare®® DESFire DESFire DevelopmentDevelopment ToolsTools

MF EV70xbased on the Pegoda Reader, contains:• USB Pegoda Reader (RD70x)• Datasheets & Documents on a CD • 5 Mifare Cards

MF EV70xbased on the Pegoda Reader, contains:• USB Pegoda Reader (RD70x)• Datasheets & Documents on a CD • 5 Mifare Cards

PEGODA Reader

Sample Cards• mifare® DESFire Sample Cards• MF DESFire UI (Demo-SW)• Debug Client SW• C-library (incl. Source Code)

• mifare® DESFire Sample Cards• MF DESFire UI (Demo-SW)• Debug Client SW• C-library (incl. Source Code)

+

Semiconductors 33

•• Fully ISO 14443A compliant, up to part 4Fully ISO 14443A compliant, up to part 4

•• Unique 7 byte serial number Unique 7 byte serial number ISO cascade level 2ISO cascade level 2

•• 4 4 KByteKByte EEPROM, 1ms erase, 1ms program EEPROM, 1ms erase, 1ms program

•• Fast Data Transfer, up to 424Fast Data Transfer, up to 424 KbitKbit/s/s

•• Mutual Three Pass AuthenticationMutual Three Pass Authentication

•• DES/3DES Data Encryption on RFDES/3DES Data Encryption on RF--channelchannel

•• Data Authenticity by 4 byte 3DES MACData Authenticity by 4 byte 3DES MAC

•• Flexible File SystemFlexible File System

•• Up to 28 Applications per cardUp to 28 Applications per card

•• Up to 14 3DES keys per Application, with key versioningUp to 14 3DES keys per Application, with key versioning

•• Up to 16 Files per ApplicationUp to 16 Files per Application

•• Automatic backup mechanism for all available file types Automatic backup mechanism for all available file types

mifaremifare®® DESFireDESFire FactsFacts