Вы находитесь на странице: 1из 22

mifare DESFire & ISO14443

CAS - 2006

mifare DESFire & ISO14443 Agenda

mifare DESFire Type ID


mifare DESFire ATQA
mifare DESFire SAK
mifare DESFire UID
ISO14443A RATS & PPS
mifare DESFire (R)ATS
mifare DESFire PPS (Request)
Block Exchange via T=CL

Semiconductors

mifare DESFire Type ID


PCD

Start
Start

PICC

ATQA

ATQA
NO
Proprietary
Proprietary
frames
frames and
and
protocol
protocol

Bit
Bit frame
frame
ant
ant collision
collision
supported?
supported?

YES

Anticollision Loop
UID + SAK

ISO 14443-3 A

SAK

REQA

UID
YES
MIFARE
MIFARE NO SAK
SAK bit
bit 66 == 1?
1?
Classic
Classic

Semiconductors

ISO
ISO 14443-4
14443-4
(T=CL)
(T=CL)

mifare DESFire ATQA Coding


Bit no.

16

15

14

MSB ATQA
13
12
11

RFU

ISO/IEC 14443A-3

10

Proprietary coding

212 kbit/s

UID size

LSB ATQA
5
4

Bit frame anticollision

RFU1

424 kbit/s

848 kbit/s

Single UID
Double UID
Triple UID
RFU

0
0
1
1

0
1
0
1

Bit Frame Anticollision


Bit Frame Anticollision
Bit Frame Anticollision
Bit Frame Anticollision
Bit Frame Anticollision

1
0
0
0
0

0
1
0
0
0

0
0
1
0
0

0
0
0
1
0

0
0
0
0
1

ATQA of mifare ICs


MIFARE UL (0x0044)
MIFARE 1K (0x0004)
MIFARE 4K (0x0002)

0
0
0

0
0
0

0
0
0

0
0
0

0
0
0

0
0
0

0
0
0

0
0
0

0
0
0

1
0
0

0
0
0

0
0
0

0
0
0

1
1
0

0
0
1

0
0
0

MIFARE DESFire

(0x0344)

MIFARE ProX

1
2

Semiconductors

All RFU bits shall be set to 0


Depends on OS
4

mifare DESFire SAK Coding

SAK bit values as defined in the ISO/IEC 14443A-3


Bit no.

SAK
8

Cascade bit set: UID not complete

UID complete, PICC compliant with ISO/IEC 14443-4

UID complete, PICC not compliant with ISO/IEC 14443-4

SAK of mifare ICs


MIFARE ultralight (0x04) cascade level 1

MIFARE DESFire (0x20) cascade level 2

MIFARE ProX

MIFARE ultralight (0x00) cascade level 2


MIFARE 1K (0x08)
MIFARE 4K (0x18)
MIFARE DESFire (0x24) cascade level 1

Semiconductors

Depends on OS

mifare DESFire UID Coding


UID size
Single PCD 93
PICC

Double PCD 93

Triple

ISO/IEC 14443A3
UID0 UID1 UID2 UID3 BCC
95

PICC

CT UID0 UID1 UID2 BCC

PCD 93
PICC

CT UID0 UID1 UID2 BCC

UID3 UID4 UID5 UID6 BCC


95

97
CT UID3 UID4 UID5 BCC

UID6 UID7 UID8 UID9 BCC

Double or Triple Size UIDs:


ISO 14443

Philips

UID0

UID1 UID6 (resp. UID1 - UID9)

Manufacturer ID according to
the ISO/IEC 7816-6/AM1
0x04

PCD 93
DESFire PICC
0x88 0x04

Semiconductors

Each manufacturer is responsible for the uniqueness of the


value of the other bytes of the unique number.
x

95
xx

xx

xx

xx

xx

xx

xx

xx

mifare DESFire

ISO14443A RATS & PPS


PCD

PICC

mifare
mifare DESFire
DESFire
PICC
PICC selected
selected

Request for Answer to Select


(RATS)
Answer To Select (ATS)

PPS = Protocol Parameter Select

Semiconductors

ISO 14443 - 4

NO

PPS
PPS
supported?
supported?
YES

NO

Reader
Reader
PPS?
PPS?
YES

PPS Request
PPS Response

Set
Set parameter
parameter
Exchange
Exchange
Transparent
Transparent Data
Data
7

mifare DESFire (R)ATS


Request for Answer To Select (RATS)
FSD: Maximum frame size supported by the PCD:
FSDI
FSD

0
16

1
24

2
32

3
40

4
48

5
64

6
96

7
128

8
9-F
256 RFU

CID: Logical number of the addressed PICC (0 14)


FSDI
CID
b8 b7 b6 b5 b4 b3 b2 b1

PCD
Command

CMD

ARG

'E0'

'XX'

CRC

C0

C1

Note: Times units are not drawn to scale!


time

MF3 IC D40
Response

360s

Semiconductors

ATS (next slides)

80s

'06'

'75'

'33'

'62'

'02'

'XX'

TL

T0

TA(1)

TB(1)

TC(1)

T1

C0

C1

CRC

1490

ATS 1: Length Byte


TL
TL

Length Byte

T0
T0

Format Byte

TA(1)
TA(1)

TL

TB(1)
TB(1)

Interface Bytes
Optional

TC(1)
TC(1)
T1
T1
Tk
Tk

Historical Bytes

Optional
ISO/IEC 7816- 4
specifies the content

CRC1
CRC1
CRC2
CRC2

Semiconductors

ATS 2: Format Byte T0


TL
TL
T0
T0

00 11 11 11

FSCI
FSCI

Format Byte

TA(1)
TA(1)
TA(1)
TB(1)
TB(1)
TB(1)
TC(1)
TC(1)
TC(1)

FSCI to FSC conversion


T1
T1
Tk
Tk
CRC1
CRC1
CRC2
CRC2

Semiconductors

FSC defines the maximum size


of the PICC receive buffer.
FSCI Frame Size for proximity Card Integer
FSC Frame Size for proximity Card
10

ATS 3: Interface Byte TA(1)


Bit
Bit 22
Bit
Bit 11
Bit
Bit 00

TL
TL
T0
T0
TA(1)
TA(1)

D
D

DS
DS

DR=8
DR=8 (848
(848 kBaud)
kBaud) supported,
supported, ifif bit
bit is
is set
set to
to 11
DR=4
DR=4 (424
(424 kBaud)
kBaud) supported,
supported, ifif bit
bit is
is set
set to
to 11
DR=2
DR=2 (212
(212 kBaud)
kBaud) supported,
supported, ifif bit
bit is
is set
set to
to 11

00

DR
DR

TB(1)
TB(1)
TC(1)
TC(1)

Bit
Bit 66
Bit
Bit 55
Bit
Bit 44

DS=8
DS=8 (848
(848 kBaud)
kBaud) supported,
supported, ifif bit
bit is
is set
set to
to 11
DS=4
DS=4 (424
(424 kBaud)
kBaud) supported,
supported, ifif bit
bit is
is set
set to
to 11
DS=2
DS=2 (212
(212 kBaud)
kBaud) supported,
supported, ifif bit
bit is
is set
set to
to 11

T1
T1
Tk
Tk

00 .... Different
Different D
D for
for each
each direction
direction supported
supported
Bit
Bit 77 11 .... Only
Only the
the same
same D
D for
for both
both directions
directions supported.
supported.

CRC1
CRC1
CRC2
CRC2

Semiconductors

DR Divisor Receive (PCD -> PICC)


DS Divisor Send (PICC -> PCD)
11

ATS 4: Interface Byte TB(1)


TL
TL

Frame
Frame Waiting
Waiting Time:
Time:

Frame sent by PCD


Frame sent by PICC

T0
T0
t < FWT

TA(1)
TA(1)
TB(1)
TB(1)
TC(1)
TC(1)
T1
T1
Tk
Tk
CRC1
CRC1
CRC2
CRC2

Semiconductors

FWI
FWI

SFGI
SFGI

FWI
FWT = (256 x 16 / fc) x 2FWI
Example:
Example:

FWTMIN = 0: (256 x 16 / 13,56 * 106) x 1


FWT =

302 s

4: (256 x 16 / 13,56 * 106) x 24 4833 s

FWT =
9: (256 x 16 / 13,56 * 106) x 29 154 ms
FWTMAX =14: (256 x 16 / 13,56 * 106) x 214 4949 ms

FWI Frame Waiting Time Integer


FWT Frame Waiting Time
12

ATS 5: Interface Byte TA(1)


Start-up
Start-up Frame
Frame Guard
Guard Time:
Time:

TL
TL

Frame sent by PCD

T0
T0
ATS sent by PICC

t > SFG

TA(1)
TA(1)
TB(1)
TB(1)
TC(1)
TC(1)

FWI
FWI

SFGI
SFGI

SFGI
SFG = (256 x 16 / fc) x 2SFGI

T1
T1
Tk
Tk
CRC1
CRC1
CRC2
CRC2

Semiconductors

SFGI Start-up Frame Guard Time Integer


SFG Start-up Frame Guard Time
13

ATS 6: Interface Byte TC(1)


TL
TL
T0
T0
TA(1)
TA(1)
TB(1)
TB(1)
TC(1)
TC(1)

00 00 00 00 00 00
Bit
NAD supported,
supported, ifif bit
bit is
is set
set to
to 11
Bit 00 NAD
Bit
CID supported,
supported, ifif bit
bit is
is set
set to
to 11
Bit 11 CID

T1
T1
Tk
Tk
CRC1
CRC1
CRC2
CRC2

Semiconductors

CID Card Identifier


NAD Node Address
14

mifare DESFire ATS


Answer To Select (ATS)
'06'

'75'

'33'

'62'

'02'

'XX'

TL

T0

TA(1)

TB(1)

TC(1)

T1

C0

C1

CRC

T1: Historical character: shall be ignored by the


application software.
Interface byte TC(1): CID supported, NAD not supported
Interface byte TB(1):
High Nibble: Frame Waiting Time (FWT) (77.33 ms)
Low Nibble: Start-up frame guard time (SFGT) (604 s)
Interface byte TA(1): possible data rates supported by the PICC.
(The DESFire supports up to 424 kbaud in both directions.)
T0: Format Byte
High Nibble: presence of TA(1), TB(1) and TC(1)
Low Nibble: FSCI (maximum accepted size of a frame)
TL: Length Byte of the transmitted ATS
(including itself, but excluding the two CRC bytes)

Semiconductors

15

mifare DESFire PPS (Request)


Protocol Parameter Selection Request
CMD (PPSS)
CMD (PPSS)

RFU
CID
RFU
CID
b8 b7 b6 b5 b4 b3 b2 b1
b8 b7 b6 b5 b4 b3 b2 b1
1
1
0
1
1
1
0
1

PCD
Command

CMD

'DX'

ARG

'11'

'00'

PPS0:PPS1
PPS1follows
follows
PPS0:

CRC

C0

C1
time

MF3 IC D40

'D0'

Response

PPSS

C0

C1

CRC

PPS1
PPS1
RFU
DSI
DRI
RFU
DSI
DRI
b8 b7 b6 b5 b4 b3 b2 b1
b8 b7 b6 b5 b4 b3 b2 b1
0
0
0
0
0
0
0
0

DSI, DRI
Divisor
Baudrate

00*
1
106kBd

01
2
212kBd

10
4
424kBd

* 00 (106 kbaud in both directions) is the


default if no PPS command is sent

Semiconductors

16

Block Structure of T=CL

FSD ... Frame Size for PCD


FSC ... Frame Size for PICC
Semiconductors

17

Protocol Control Byte 1


b8
b7 b6
b6 b5
b5 b4
b4 b3
b3 b2
b2 b1
b1
b8 b7
00 00

Information Block (I-Block)


Exchange of Application Data Units (APDUs)

11 00

Receive Ready Block (R-Block)


ACK or NACK (containing no INF Field)

11 11

Supervisor Block (S-Block)


Waiting Time Extension (contains 1 INF Field)
Deselect (containing no INF Field)

Semiconductors

18

Protocol Control Byte 2

PCD

Bit
Bit 11
Bit
Bit 33
Bit
Bit 44
Bit
Bit 44

Block
Block Number
Number
NAD
NAD following,
following, ifif bit
bit is
is set
set to
to 11
CID
CID following,
following, ifif bit
bit is
is set
set to
to 11
Chaining,
Chaining, ifif bit
bit is
is set
set to
to 11
I-Block (0)0 (Command APDU)

t < FWT

PICC

I-Block (0)0(Response APDU)


I-Block (0)1 (Command APDU)

t < FWT

I-Block (0)1 (Response APDU)

ISO/IEC 14443 Part 4

b8
b8 b7
b7 b6
b6 b5
b5 b4
b4 b3
b3 b2
b2 b1
b1
00 00 00
11

I-Block (0)X I-Block with chaining bit not set and block number X
I-Block (1)X I-Block with chaining bit set and block number X

Semiconductors

19

mifare DESFire Block Exchange


Example of Block Exchange

no of bytes:
no of bytes:

Prologue Field
PCB [CID] [NAD]
1
1
0
1
0
1
0
1

Information Field
[INF]
max. 60
max. 61

Epilogue Field
EDC
2
2

If CID = 0, no CID byte is sent

0a 02 6a xx xx
EDC: CRC according to ISO14443A

PCB
CID

CMD: GetApplicationIDs()
Semiconductors

20

mifare DESFire command example


Example: - Write 2 Bytes of 0x ff ff into a
- DES encrypted DataFile with
- File number 1
- CID 4
Assumption:
Assumption:
TheDESFire
DESFirePICC
PICCisisselected,
selected,RATS
RATSisisperformed
performedwith
withCID
CID==4.4.The
Theaccording
accordingapplication
application
The
(whatevernumber)
number)ist
istselected,
selected,and
andthe
theauthentication
authenticationwith
withthe
theaccording
accordingkey
keyisisperformed.
performed.
(whatever

0a 04 3d 01 00 00 00 02 00 00 54 d6 cc 98 9f b2 4b 63 b8 00
Offset

PCB
CID

Length

(3)DES
deciphered data

File #

EDC (CRC)

CMD: WriteData(FileNo,Offset,Length)
Semiconductors

21