Read data when key diversification is used

In Read secured data from DESFire cards or tags a single app key was used together with the card UID, application and file identifiers to select and decode the secured data in a particular file.

Some cards or passes can be set up so that each one carries a different key, although all are derived from the same master key. This is a feature of DESFire EV1 and EV2 cards, MIFARE2Go passes, Apple Wallet Access passes and others. One form of 'key diversification' scheme to support this is NXP AN10922. Your VTAP reader can decode data from cards or passes which have unique keys, set up in accordance with NXP AN10922 ("Symmetric Key Diversifications" Application Note v2.2 from NXP B.V. 2 July 2019).

If the card or pass UID is also hidden, you will need to provide an additional Privacy key, and Privacy key number, to authenticate in order to read the real UID. This is used together with System Identifier information (up to 16 bytes of data, saved as if it was another key) and the master key, to derive the card's unique read key. This is in addition to the usual settings needed to decode secured data in an encrypted application, described in Read secured data from DESFire cards and tags.

Extra configuration to support key diversification

This follows the same approach as when you first uploaded mobile pass key files.

  1. Save each of the keys you need to use in a file, with the name appkey#.txt, where # is replaced with a number from 1 to 9. Every file needs a unique name. Each text file should just contain one key with 32 hex digits, for example, key=bd6a15d1039e7527edfd01f37a220f3e

    Note: You cannot use more than 9 application key files.

  2. Load your keys by copying these files onto your VTAP reader. Just connect your VTAP reader to a PC via USB, so it appears as a mass storage device on the PC file system (unless disabled or locked), then you can drag and drop the files.

  3. Power cycle the VTAP reader. (Disconnect or eject the drive from the PC then reconnect it.) When you reboot the VTAP reader your key will have been stored in hardware, and will no longer be listed as a file on the device.

  1. Open the file config.txt in a text editor (such as Windows Notepad).

  2. Add lines to the file config.txt, using your own key slots and key number.

    Example: Settings in config.txt to read secured data from passes cards or tags using NXP AN10922 key diversification

    Copy 
    !VTAPconfig

    NFCType4=D
    DESFireCrypto=3            ; Crypto algorithm is AES (default)

    DESFireKeyDiversification=1; Use AN10922 key diversification

    DESFireAppID=123456        ; The DESFire application ID 
    DESFireFileID=0            ; The DESFire data file ID within the 
                               ;  application 
    DESFireKeyNum=2            ; Authenticate with key 02 ID within the 
                               ;  DESFire application to access the data 
                               ;  file
    DESFireKeySlot=2           ; The master read key for accessing the data 
                               ;  file is in VTAP appkey slot 2

    DESFirePrivacyKeyNum=1     ; Authenticate with key 01 ID within the 
                               ;  DESFire application to access the card’s 
                               ;  real UID
    DESFirePrivacyKeySlot=1    ; The privacy key for accessing the UID is 
                               ;  in VTAP appkey slot 1 
    DESFireSysIDKeySlot=3      ; The system ID for key diversification is 
                               ;  stored in VTAP appkey slot 3
    DESFireSysIDLength=6       ; The system ID length is 6 characters 
                               ;  (optional – if omitted the length of data  
                               ;  stored in the SysID appkey slot is used)
    DESFireReadLength=5        ; Read 5 bytes of data from the data file

  3. Save the amended config.txt file and these changes will take effect immediately.

Related Topics Link IconRelated reading: