
Could anyone help guide me through the calculation of the MAC (4 bytes) and CMAC (8 bytes) for Mifare DESFire? I am getting unexpected results.

```
Deskey      =   0000000000000000
Block1(B1)  =   1122334455667788
Block2(B2)  =   9900112200000000
IV          =   0000000000000000
sessionkey  =   2923be84b1495461
```

```
R1 = Enc(B1 xor IV)         f2f13994d24714ca
R2 = Enc(R1 xor B2)         880fe38ab9e8a8d3
MAC   880fe38a

Expected MAC =  c8d70ad2 95a88a36
```

CMAC results

```
AESKey          =       00000000000000000000000000000000
Block           =       000102030405060708090a0b0c0d0e0f
Enc(Block)      =       7aca0fd9bcd6ec7c9f97466616e6a282
SubKey1         =       CDD297A9DF1458771099F4B39468565C
SubKey2         =       9BA52F53BE28B0EE2133E96728D0AC3F
CMAC(16bytes)   =       8A57896F795CB6ABF6867DAD41A5FB15
```

Is it true that CMAC is generated only by DES and TDES, i.e. DES-encrypt all the blocks except the final block, which should be TDES-encrypted, as in the retail MAC calculation?

Gilles 'SO- stop being evil'
Studuino
  • I'm pretty sure you are not supposed to distribute that documentation, Studuino. – Maarten Bodewes Sep 10 '12 at 20:05
  • Hi owlstead, I got this from the internet. Is it related to the Philips NDA? – Studuino Sep 11 '12 at 05:12
  • I could not Google that document, and the fact that it has been stripped of the NXP logo suggests it is, yes. – Maarten Bodewes Sep 11 '12 at 06:22
  • What are you using to produce the outputs above? Have you got code to share? Which language? – Duncan Jones Sep 11 '12 at 13:08
  • Side note: `0x0000000000000000` is not a valid DES key. DES keys require a parity bit set for each byte. `0x0101010101010101` would be valid. – Duncan Jones Sep 11 '12 at 13:16
  • @Studuino Also, your dropbox link is still valid and visible in the prior revisions page. Best you remove it or rename it on the site. – Duncan Jones Sep 12 '12 at 09:00
  • @DuncanJones, having the parity bit set might be necessary in other cases, but in the case of DESFire it is used for the version number, so the given key is valid and it has version number zero set on it. – AaA Dec 19 '12 at 01:35
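
The SubKey1 and SubKey2 lines in the question can be checked independently of the card documentation. As an added example (not part of the original post or its answers), this Python code derives CMAC subkeys as in NIST SP 800-38B / RFC 4493 for 16-byte and 8-byte block ciphers and shows how the final block is masked. It assumes the all-zero AES key from the question and hardcodes the known AES-128 encryption of the zero block under that key; the function names are illustrative.

```python
# Added example, not from the original post: CMAC subkey derivation
# (NIST SP 800-38B / RFC 4493), checked against the question's values.

# Reduction constants R_b for 128-bit (AES) and 64-bit (DES/TDES) blocks.
R_B = {16: 0x87, 8: 0x1B}

# Assumption: hardcoded known value of AES-128(key=0^128, block=0^128),
# so that no crypto library is needed to run this.
L_AES_ZERO_KEY = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")


def double(block: bytes) -> bytes:
    """Multiply by x in GF(2^n): shift left one bit, fold the carry with R_b."""
    n = len(block)
    value = int.from_bytes(block, "big")
    carry = value >> (8 * n - 1)
    value = (value << 1) & ((1 << (8 * n)) - 1)
    if carry:
        value ^= R_B[n]
    return value.to_bytes(n, "big")


def subkeys(l_block: bytes) -> tuple:
    """K1 = dbl(L), K2 = dbl(K1), where L = E_K(0^n)."""
    k1 = double(l_block)
    return k1, double(k1)


def mask_final_block(final: bytes, k1: bytes, k2: bytes) -> bytes:
    """Input to the last cipher call, before XOR with the CBC chaining value.

    A complete final block is XORed with K1; a short (or empty) one is
    padded with 0x80 00..00 and XORed with K2.
    """
    n = len(k1)
    if len(final) > n:
        raise ValueError("final block longer than the cipher block size")
    if len(final) == n:
        key, padded = k1, final
    else:
        key, padded = k2, final + b"\x80" + b"\x00" * (n - len(final) - 1)
    return bytes(a ^ b for a, b in zip(padded, key))


if __name__ == "__main__":
    k1, k2 = subkeys(L_AES_ZERO_KEY)
    print("SubKey1 =", k1.hex().upper())
    print("SubKey2 =", k2.hex().upper())
```

Both derived values equal the SubKey1 and SubKey2 listed in the question, so those two lines are consistent with standard CMAC subkey generation for the all-zero AES key.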

1 Answer


Regarding the MAC calculation, it appears to be 3DES CBC-mode encryption of the data, with zero padding on the plaintext and an all-zero IV. The 3DES key is created by XORing the session key with 24 zero bytes. Here is an example in Java:

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.xml.bind.DatatypeConverter;

public class MACTest {

  public static void main(String[] args) throws Exception {

    // 24 zero bytes: the all-zero key from the question, at 3DES length
    final byte[] keyBytes = new byte[24];
    // Plaintext already zero-padded to a multiple of the 8-byte block size
    final byte[] paddedPlaintext =
        hexStringToByteArray("11223344556677889900112200000000");
    // All-zero IV
    final byte[] iv = new byte[8];
    final byte[] sessionKeyBytes = hexStringToByteArray("2923be84b1495461");

    // XOR the 8-byte session key into the first 8 key bytes;
    // the remaining 16 bytes stay zero
    final byte[] derivedKeyBytes = new byte[24];
    for (int i = 0; i < sessionKeyBytes.length; i++) {
      derivedKeyBytes[i] = (byte) (keyBytes[i] ^ sessionKeyBytes[i]);
    }

    System.out.println(toHexString(derivedKeyBytes));
    SecretKeyFactory factory = SecretKeyFactory.getInstance("DESede");
    SecretKey derivedKey = factory.generateSecret(new DESedeKeySpec(
        derivedKeyBytes));

    // 3DES in CBC mode, no padding (the input is padded by hand above)
    Cipher c = Cipher.getInstance("DESede/CBC/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, derivedKey, new IvParameterSpec(iv));
    byte[] result = c.doFinal(paddedPlaintext);
    System.out.println(toHexString(result));
  }

  public static String toHexString(byte[] array) {
    return DatatypeConverter.printHexBinary(array);
  }

  public static byte[] hexStringToByteArray(String s) {
    return DatatypeConverter.parseHexBinary(s);
  }
}
```

Output:

```
2923BE84B149546100000000000000000000000000000000
F2F13994D24714CA880FE38AB9E8A8D3
```

You've not supplied enough information to understand what is required to compute the AES CMAC example, nor what your problem actually is. Presumably you are not getting the expected result?

Duncan Jones
  • Hi Duncan, thanks for your demonstration of the MAC calculation. I got the same output as in my question. But the correct MAC is c8d70ad2 95a88a36. Actually, the first four bytes (C8D70AD2). I also tried according to ISO 9797 http://en.wikipedia.org/wiki/ISO/IEC_9797-1 but these algorithms also do not give me that output. I do not know what I am missing. I cannot use TDES encryption as the session key is only 8 bytes long (but I've tried that too). – Studuino Sep 14 '12 at 11:46
  • @Studuino I could have sworn that the document you originally linked contained the same MAC as my answer. Are you sure about what the correct answer is? Perhaps you can post the example values shown in the document (which I recall to be slightly different to your question). – Duncan Jones Sep 14 '12 at 19:15
  • The input in the example is DES key 0000000000000000. The plain message is 112233445566778899001122, hence the message with padding is 11223344556677889900112200000000. The session key is 2923be84b1495461 and the example output is f2f13994d24714cac8d70ad295a88a36, hence the data + MAC (4 bytes) is 112233445566778899001122c8d70ad2. Regards – Studuino Sep 15 '12 at 01:16
  • @Studuino Ah, my mistake. I failed to notice the second block of my output was incorrect. I'll look into it. – Duncan Jones Sep 15 '12 at 07:25