Desfire ID template

Overview

Use this template to read the actual ID of a Desfire card instead of its protocol-level ID (the ISO/IEC 14443 type A UID, or the random ID (RID) that some cards return). This is useful in two situations:

  • the application relies on the protocol-level ID (UID) but needs to filter out IDs coming from mobile phones or from other card technologies;
  • the card is configured to return a random protocol-level ID (RID). The real UID is then only available after a mutual authentication with the card.

Note

The current version of the SpringCore SmartReader Template Engine supports only Desfire EV0 and EV1 authentication and secure-messaging modes. Contact us if you need EV2 security.

Configuration

Register t0: select the Desfire ID template

Register 03t0 (1 byte) selects the template. Set it to 70 to select this template.

Register t1: output format

Register 03t1 (1 or 2 bytes) defines the output format. Byte 1 is optional; when the register is only 1 byte long, no bits or bytes are dropped.

Byte  Bits  Content
0     7-6   Direction
            00 : direct direction (as transmitted on the RF interface), e.g. 04..80
            01 : RFU
            10 : RFU
            11 : reverse direction (bytes swapped), e.g. 80..04
      5     RFU, must be 0
      4     RFU, must be 0
      3-0   Format and length
            0000 : Decimal, 4 bytes as 10 digits
            0001 : Raw/Hexadecimal, 4 bytes
            0010 : Raw/Hexadecimal, 8 bytes
            0011 : Raw/Hexadecimal, 5 bytes
            0100 : Raw/Hexadecimal, 10 bytes
            0101 : Raw/Hexadecimal, 7 bytes
            0110 : Raw/Hexadecimal, 11 bytes
            0111 : RFU
            1000 : Raw/Hexadecimal, 16 bytes
            1001 : Raw/Hexadecimal, 20 bytes
            1010 : Raw/Hexadecimal, 24 bytes
            1011 : Raw/Hexadecimal, 32 bytes
            1100 : Decimal, 5 bytes as 12 digits
            1101 : Decimal, 5 bytes as 13 digits
            1110 : Decimal, variable length
            1111 : Raw/Hexadecimal, variable length
1     7     RFU, must be 0
      6-4   Drop first bits (000 i.e. 0 to 111 i.e. 7)
      3-0   Drop first bytes (0000 i.e. 0 to 1111 i.e. 15)
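The following Python script is an added example, not SpringCard code: it decodes a 03t1 value and renders a card UID the way the template would, so you can check a configuration before writing it to the reader. The page does not say in which order the drop counts apply, how a fixed-length format treats a shorter UID, or how a 5-byte value wider than 12 digits is cut; the choices made here (drop bytes then bits from the start of the direction-adjusted ID, pad short IDs with 00, keep the low-order digits) are assumptions and are marked as such. The sample UID is constructed.

```python
# Added example (not SpringCard code): simulate what the Desfire ID template
# outputs for a given 03t1 value.  Behaviours the page leaves unspecified are
# assumptions and marked ASSUMPTION below.

DIRECT = 0b00            # bits 7-6 of byte 0
REVERSE = 0b11

# bits 3-0 of byte 0 -> (kind, byte count or None for variable, decimal digits)
FORMATS = {
    0x0: ("dec", 4, 10), 0x1: ("hex", 4, None), 0x2: ("hex", 8, None),
    0x3: ("hex", 5, None), 0x4: ("hex", 10, None), 0x5: ("hex", 7, None),
    0x6: ("hex", 11, None), 0x8: ("hex", 16, None), 0x9: ("hex", 20, None),
    0xA: ("hex", 24, None), 0xB: ("hex", 32, None), 0xC: ("dec", 5, 12),
    0xD: ("dec", 5, 13), 0xE: ("dec", None, None), 0xF: ("hex", None, None),
}


def decode_t1(t1: bytes):
    """Validate register 03t1 and return (direction, format, drop_bits, drop_bytes)."""
    if len(t1) not in (1, 2):
        raise ValueError("03t1 must be 1 or 2 bytes")
    b0 = t1[0]
    direction = b0 >> 6
    if direction not in (DIRECT, REVERSE):
        raise ValueError("direction 01 and 10 are RFU")
    if b0 & 0x30:
        raise ValueError("byte 0 bits 5-4 are RFU, must be 0")
    fmt = b0 & 0x0F
    if fmt not in FORMATS:
        raise ValueError("format 0111 is RFU")
    drop_bits = drop_bytes = 0
    if len(t1) == 2:          # byte 1 is optional: nothing is dropped when absent
        if t1[1] & 0x80:
            raise ValueError("byte 1 bit 7 is RFU, must be 0")
        drop_bits = (t1[1] >> 4) & 0x07
        drop_bytes = t1[1] & 0x0F
    return direction, fmt, drop_bits, drop_bytes


def is_valid_t1(t1: bytes) -> bool:
    """True when 03t1 only uses defined (non-RFU) values."""
    try:
        decode_t1(t1)
        return True
    except ValueError:
        return False


def format_id(uid: bytes, t1: bytes) -> str:
    """Render the card's real UID the way the template would for the given 03t1."""
    direction, fmt, drop_bits, drop_bytes = decode_t1(t1)
    data = bytes(reversed(uid)) if direction == REVERSE else bytes(uid)
    # ASSUMPTION: bytes, then bits, are dropped from the start of the
    # direction-adjusted ID; the remaining bit string is re-packed left-aligned,
    # the last byte being zero-padded.
    data = data[drop_bytes:]
    if drop_bits:
        bits = "".join(f"{b:08b}" for b in data)[drop_bits:]
        bits += "0" * (-len(bits) % 8)
        data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    kind, length, digits = FORMATS[fmt]
    if length is not None:
        # ASSUMPTION: a fixed-length format takes the first N bytes and pads a
        # shorter ID with 00 at the end (7-byte UID in an 8-byte format -> uid + 00).
        data = data[:length].ljust(length, b"\x00")
    if kind == "hex":
        return data.hex().upper()
    value = int.from_bytes(data, "big")
    if digits is None:
        return str(value)
    # ASSUMPTION: zero-padded to the stated digit count; when the value is wider
    # (5 bytes can exceed 12 digits) only the low-order digits are kept.
    return str(value % 10 ** digits).zfill(digits)


# Constructed sample: a 7-byte Desfire UID (NXP manufacturer byte 04 first).
SAMPLE_UID = bytes.fromhex("04112233445566")

if __name__ == "__main__":
    for t1 in (b"\x05", b"\xC5", b"\x00", b"\xC0", b"\xC1\x01", b"\x01\x40", b"\x02"):
        print(t1.hex().upper().ljust(4), format_id(SAMPLE_UID, t1))
```

Running the script prints, for instance, 04112233445566 for 03t1 = 05 (direct, 7 bytes), 66554433221104 for C5 (reverse, 7 bytes) and 0068231731 for 00 (first 4 bytes as 10 decimal digits); compare the line for C101 (reverse, drop one byte, 4 bytes) with 0140 (drop four bits) to see the two drop counts at work.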

Register t2: output prefix

Register 03t2 defines the output prefix. Refer to Template engine : Output Prefix.

Register t3: AID

Register 03t3 selects how the reader reads the card's UID: either with a plain GET VERSION command, or by selecting a Desfire application, performing a mutual authentication with the card and then issuing the authenticated GET UID command.

If 03t3 is empty (0 byte), the GET VERSION command is used and the content of register 03t5 is ignored.

If 03t3 is not empty, it holds the 3-byte Application IDentifier (AID) of the Desfire application to select before the mutual authentication. Use 000000 to authenticate against the root application (PICC level) of the card.

Bytes  Content
0-2    Desfire Application IDentifier (AID) to select before the authenticated GET UID command
       Leave the register empty to use the plain GET VERSION command instead

Register t5: secret key

If 03t3 is empty (0 byte), the content of this register is ignored.

The authentication key can be stored either directly in the non-volatile memory, at address 03t5, or in the SpringCore device's Secure Element. The second method is preferable: the template then only holds a reference to the key, not the key itself.

Secret key stored in the template

Register 03t5 (10, 18 or 26 bytes) stores the index of the key within the application, the type of the key, the authentication options, and the secret key itself. The total length is 2 bytes plus the key length, which depends on the type of the key.

Bytes  Bits  Content
0      7-6   RFU, must be 00
       5-4   Key diversification
             00 : do not use key diversification
             10 : use the Desfire SAM diversification algorithm
             Other values are RFU and shall not be used
       3-0   Index of the key within the Desfire application (Key No in the Desfire documentation)
1      7-4   RFU, must be 0000
       3-0   Authentication mode
             0001 : DES or 3DES using the Desfire EV0 legacy mode (DesfireAuthenticate)
             0010 : DES or 3DES using the ISO mode (DesfireAuthenticateISO)
             0011 : AES using the ISO mode (DesfireAuthenticateAES)
             Other values are RFU and shall not be used
2-N    7-0   Value of the key
             8 bytes for a single DES key
             16 bytes for a 3DES2K or AES key
             24 bytes for a 3DES3K key

Secret key stored in the Secure Element

Register 03t5 (3 or 4 bytes) stores the index of the key within the application, the type of the key, the authentication options, and the address of the key in the Secure Element.

Bytes  Bits  Content
0      7-6   RFU, must be 00
       5-4   Key diversification
             00 : do not use key diversification
             10 : use the Desfire SAM diversification algorithm
             11 : rely on the key entry in the SE to know whether diversification is enabled or not
             Other values are RFU and shall not be used
       3-0   Index of the key within the Desfire application (Key No in the Desfire documentation)
1      7-5   RFU, must be 000
       4     0 : use the key version specified in byte 3
             1 : retrieve the key version from the Desfire card
       3-0   Authentication mode
             0001 : DES or 3DES using the Desfire EV0 legacy mode (DesfireAuthenticate)
             0010 : DES or 3DES using the ISO mode (DesfireAuthenticateISO)
             0011 : AES using the ISO mode (DesfireAuthenticateAES)
             1111 : rely on the key entry in the SE to know the authentication mode
             Other values are RFU and shall not be used
2      7-0   Address of the key in the Secure Element. Use 11 for template 1, 12 for template 2, 13 for template 3 and 14 for template 4. Any other value is prohibited.
3      7-0   Version of the key in the Secure Element. This byte is optional and defaults to 00. If bit 4 of byte 1 is set, the reader retrieves the version from the card and this byte is ignored.
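The following Python helpers are an added example, not SpringCard code: they build and decode registers 03t3 and 03t5 for both key-storage layouts, enforcing the field rules from the tables above (key length versus authentication mode, allowed diversification values, SE addresses 11..14, the optional key-version byte, and the rule that 03t5 is meaningless without an AID in 03t3). Constant and function names are this example's own; the sample keys are constructed.

```python
# Added example (not SpringCard code): encode / decode the 03t3 and 03t5
# registers of the Desfire ID template according to the layouts above.

AUTH_LEGACY, AUTH_ISO, AUTH_AES, AUTH_FROM_SE = 0x1, 0x2, 0x3, 0xF
DIV_NONE, DIV_SAM, DIV_FROM_SE = 0b00, 0b10, 0b11
SE_KEY_ADDRESSES = {1: 0x11, 2: 0x12, 3: 0x13, 4: 0x14}   # template number -> SE address
ROOT_AID = b"\x00\x00\x00"                                 # authenticate at PICC level


def encode_t3(aid) -> bytes:
    """03t3: empty -> plain GET VERSION; 3-byte AID -> authenticated GET UID."""
    if aid is None:
        return b""
    if len(aid) != 3:
        raise ValueError("a Desfire AID is 3 bytes")
    return bytes(aid)


def _byte0(key_no: int, diversification: int, allowed) -> int:
    """Byte 0 of 03t5: diversification in bits 5-4, key number in bits 3-0."""
    if not 0 <= key_no <= 0x0F:
        raise ValueError("key number must fit in 4 bits")
    if diversification not in allowed:
        raise ValueError("diversification value is RFU for this layout")
    return (diversification << 4) | key_no


def encode_t5_in_template(key_no, auth_mode, key: bytes, diversification=DIV_NONE) -> bytes:
    """03t5 with the secret key stored in the template itself (10, 18 or 26 bytes)."""
    if auth_mode == AUTH_AES and len(key) != 16:
        raise ValueError("an AES key is 16 bytes")
    elif auth_mode in (AUTH_LEGACY, AUTH_ISO) and len(key) not in (8, 16, 24):
        raise ValueError("a DES / 3DES2K / 3DES3K key is 8, 16 or 24 bytes")
    elif auth_mode not in (AUTH_LEGACY, AUTH_ISO, AUTH_AES):
        raise ValueError("auth mode RFU (1111 is only valid with a key in the SE)")
    b0 = _byte0(key_no, diversification, (DIV_NONE, DIV_SAM))
    return bytes([b0, auth_mode]) + bytes(key)


def encode_t5_in_se(key_no, auth_mode, template_no, diversification=DIV_NONE,
                    key_version=None, version_from_card=False) -> bytes:
    """03t5 referencing a key held by the Secure Element (3 or 4 bytes)."""
    if auth_mode not in (AUTH_LEGACY, AUTH_ISO, AUTH_AES, AUTH_FROM_SE):
        raise ValueError("auth mode RFU")
    if template_no not in SE_KEY_ADDRESSES:
        raise ValueError("only SE addresses 11..14 (templates 1..4) are allowed")
    b0 = _byte0(key_no, diversification, (DIV_NONE, DIV_SAM, DIV_FROM_SE))
    b1 = (0x10 if version_from_card else 0x00) | auth_mode   # bit 4: version from card
    out = bytes([b0, b1, SE_KEY_ADDRESSES[template_no]])
    if key_version is not None and not version_from_card:    # byte 3 is optional, default 00
        if not 0 <= key_version <= 0xFF:
            raise ValueError("key version is one byte")
        out += bytes([key_version])
    return out


def describe_t5(t5: bytes) -> dict:
    """Decode either 03t5 layout; the register length tells which one it is."""
    if len(t5) in (3, 4):
        rfu_mask, d = 0xE0, {"storage": "secure-element", "se_address": t5[2],
                             "version_from_card": bool(t5[1] & 0x10),
                             "key_version": t5[3] if len(t5) == 4 else 0x00}
    elif len(t5) in (10, 18, 26):
        rfu_mask, d = 0xF0, {"storage": "template", "key": t5[2:]}
    else:
        raise ValueError("unrecognised 03t5 length")
    if (t5[0] & 0xC0) or (t5[1] & rfu_mask):
        raise ValueError("RFU bits set in 03t5")
    d.update(key_no=t5[0] & 0x0F, diversification=t5[0] >> 4, auth_mode=t5[1] & 0x0F)
    return d


def desfire_id_config(t1: bytes, aid=None, t5: bytes = b"") -> dict:
    """Register set for the template; refuses a key with no AID, since it would be ignored."""
    if aid is None and t5:
        raise ValueError("03t5 is ignored when 03t3 is empty: drop the key or set an AID")
    return {"03t0": b"\x70", "03t1": t1, "03t3": encode_t3(aid), "03t5": t5}


if __name__ == "__main__":
    # Constructed sample: AES key 0 of application 000001, held in the SE slot of template 1.
    cfg = desfire_id_config(b"\x05", aid=b"\x00\x00\x01",
                            t5=encode_t5_in_se(0, AUTH_AES, 1, version_from_card=True))
    for reg, val in cfg.items():
        print(reg, val.hex().upper() or "(empty)")
    print(describe_t5(cfg["03t5"]))
```

Use encode_t5_in_se wherever the reader has a Secure Element: the register then carries only the SE address and options, and a dump of the template configuration does not expose the key. encode_t5_in_template is kept for readers without an SE and for checking that a key value matches the selected authentication mode.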