Desfire data template

Overview

Use this template to read data from a file of a Desfire card. Depending on how the card is configured, the transaction may involve mutual authentication and secure communication.

Note

The current version of the SpringCore SmartReader Template Engine supports only EV0 and EV1 authentication and secure communication modes. Contact us should you need EV2 security.

Configuration

Register t0: selection of the Desfire data template

Register 03t0 (1 byte) selects the template. Set it to 71 to select this template.

Register t1: output format

Register 03t1 defines the output format. Refer to Template engine : Output Format register.

Register t2: output prefix

Register 03t2 defines the output prefix. Refer to Template engine : Output Prefix.

Register t3: AID, file ID, offset / record, size

Register 03t3 (8 bytes) specifies precisely where the data is stored in the card. Desfire cards support two read operations: DesfireReadData and DesfireReadRecords. The operation is selected by bit 7 of byte 3.

Read Data

  Bytes  Bits  Content
  0-2    -     Desfire Application IDentifier (AID)
  3      7     0 to select the DesfireReadData operation
         6-0   Desfire File IDentifier (FileNo) within the application
  4-6    -     Offset inside the file (0 to max file size minus 1)
  7      -     Length to read (1 to 240; 0 returns the complete file; the reader discards a response longer than 240 bytes)

Read Record

  Bytes  Bits  Content
  0-2    -     Desfire Application IDentifier (AID)
  3      7     1 to select the DesfireReadRecords operation
         6-0   Desfire File IDentifier (FileNo) within the application
  4-6    -     Record number (offset) inside the file (0 to number of existing records minus 1); the reader always reads one single record
  7      -     Expected length of the record (must match the actual record size)

Register t5: secret key and communication mode

The authentication key can be stored either directly in the non-volatile memory (at address 03t5) or in the SpringCore device's Secure Element. The second method should be preferred.

The register also stores the communication mode: plain, MACed/CMACed, or fully enciphered.

Secret key stored in the template

Register 03t5 (10, 18 or 24 bytes) stores the index of the key within the application, the type of the key, the authentication options, the communication parameters, and the secret key itself. The register length depends on the type of the key.

  Bytes  Bits  Content
  0      7-6   Communication mode:
               00 : plain
               01 : MACed/CMACed
               11 : fully enciphered
         5-4   Key diversification:
               00 : do not use key diversification
               10 : use the Desfire SAM diversification algorithm
               Other values are RFU and shall not be used
         3-0   Index of the key within the Desfire application (KeyNo)
  1      7-4   RFU, must be 0000
         3-0   Authentication mode:
               0001 : DES or 3DES using Desfire EV0 legacy mode (DesfireAuthenticate)
               0010 : DES or 3DES using ISO mode (DesfireAuthenticateISO)
               0011 : AES using ISO mode (DesfireAuthenticateAES)
               Other values are RFU and shall not be used
  2-N    -     Value of the key:
               8 bytes for a single DES key
               16 bytes for a 3DES2K or AES key
               24 bytes for a 3DES3K key

Secret key stored in the Secure Element

Register 03t5 (3 or 4 bytes) stores the index of the key within the application, the type of the key, the authentication options, the communication parameters, and the address of the key in the Secure Element.

  Bytes  Bits  Content
  0      7-6   Communication mode:
               00 : plain
               01 : MACed/CMACed
               11 : fully enciphered
         5-4   Key diversification:
               00 : do not use key diversification
               10 : use the Desfire SAM diversification algorithm
               11 : rely on the key entry in the SE to know whether diversification is enabled or not
               Other values are RFU and shall not be used
         3-0   Index of the key within the Desfire application (KeyNo)
  1      7-5   RFU, must be 000
         4     Key version source:
               0 : use the key version specified in byte 3
               1 : retrieve the key version from the Desfire card
         3-0   Authentication mode:
               0001 : DES or 3DES using Desfire EV0 legacy mode (DesfireAuthenticate)
               0010 : DES or 3DES using ISO mode (DesfireAuthenticateISO)
               0011 : AES using ISO mode (DesfireAuthenticateAES)
               1111 : rely on the key entry in the SE to know the authentication mode
               Other values are RFU and shall not be used
  2      7-0   Address of the key in the Secure Element. Use 11 for template 1, 12 for template 2, 13 for template 3 and 14 for template 4. Any other value is prohibited.
  3      7-0   Version of the key in the Secure Element. This byte is optional and defaults to 00. If bit 4 of byte 1 is set, the reader retrieves the version from the card and this byte is ignored.
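The following is an added example, not SpringCore's own code, that builds the 03t3 register (both Read Data and Read Records layouts) and the Secure Element variant of the 03t5 register described above, refusing any value the tables mark RFU or prohibited. It assumes that multi-byte fields (AID, offset) are written most-significant byte first and that the SE key addresses 11 to 14 are hexadecimal, like the other values on this page.

```python
# Constructed example (not SpringCore's own code): encode registers 03t3 and 03t5 (Secure Element
# variant) of the Desfire data template, rejecting values the reference marks RFU or prohibited.
# Assumption: multi-byte fields (AID, offset) are written most-significant byte first.
COMM_PLAIN, COMM_MAC, COMM_ENC = 0b00, 0b01, 0b11  # byte 0, bits 7-6
DIV_NONE, DIV_SAM, DIV_FROM_SE = 0b00, 0b10, 0b11  # byte 0, bits 5-4
AUTH_LEGACY, AUTH_ISO, AUTH_AES, AUTH_FROM_SE = 0b0001, 0b0010, 0b0011, 0b1111  # byte 1, bits 3-0
SE_KEY_ADDRESSES = (0x11, 0x12, 0x13, 0x14)  # key slots for templates 1..4 (assumed to be hex)


def encode_t3(aid, file_no, position, length, read_records=False):
    """Build the 8-byte 03t3 register: Read Data, or Read Records when read_records is set."""
    if not 0 <= aid <= 0xFFFFFF:
        raise ValueError("AID must fit in 3 bytes")
    if not 0 <= file_no <= 0x7F:
        raise ValueError("FileNo uses bits 6-0 of byte 3")
    if not 0 <= position <= 0xFFFFFF:
        raise ValueError("offset / record number must fit in 3 bytes")
    # Read Data: 0 means 'whole file'; Read Records: length must equal the record size, so 0 is invalid.
    if not (1 if read_records else 0) <= length <= 240:
        raise ValueError("length must be 1..240 (0 allowed only for Read Data)")
    byte3 = (0x80 if read_records else 0x00) | file_no  # bit 7 selects the operation
    return aid.to_bytes(3, "big") + bytes([byte3]) + position.to_bytes(3, "big") + bytes([length])


def decode_t3(reg):
    """Inverse of encode_t3, so a register already stored in a reader can be audited."""
    if len(reg) != 8:
        raise ValueError("03t3 is exactly 8 bytes")
    return {"aid": int.from_bytes(reg[0:3], "big"), "read_records": bool(reg[3] & 0x80),
            "file_no": reg[3] & 0x7F, "position": int.from_bytes(reg[4:7], "big"), "length": reg[7]}


def encode_t5_se(comm, div, key_no, auth, key_addr, key_version=None, version_from_card=False):
    """Build the 3- or 4-byte 03t5 register for a key held in the Secure Element."""
    if comm not in (COMM_PLAIN, COMM_MAC, COMM_ENC) or div not in (DIV_NONE, DIV_SAM, DIV_FROM_SE):
        raise ValueError("communication mode or diversification value is RFU")
    if auth not in (AUTH_LEGACY, AUTH_ISO, AUTH_AES, AUTH_FROM_SE):
        raise ValueError("authentication mode value is RFU")
    if not 0 <= key_no <= 0xF:
        raise ValueError("KeyNo uses bits 3-0 of byte 0")
    if key_addr not in SE_KEY_ADDRESSES:
        raise ValueError("SE key address must be one of the four template slots")
    if version_from_card and key_version is not None:
        raise ValueError("byte 3 is ignored when the version comes from the card; do not set both")
    if key_version is not None and not 0 <= key_version <= 0xFF:
        raise ValueError("key version is a single byte")
    byte0 = (comm << 6) | (div << 4) | key_no
    byte1 = (0x10 if version_from_card else 0x00) | auth  # bits 7-5 must stay 000
    reg = bytes([byte0, byte1, key_addr])
    return reg if key_version is None else reg + bytes([key_version])
```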