我最近正在使用DESFire卡。我现在决定更改 PICC 的defult 主密钥。
(我已经可以使用主密钥验证所有8字节0x00成功)
1-侮辱master key为8 byte为零。它是00 00 00 00 00 00 00 00。
master key是byte。
是:
byte[] newPICCKey= new byte[]{(byte)0x11, (byte)0x22, (byte)0x33, (byte)0x44,
(byte)0x55, (byte)0x66, (byte)0x77 ,(byte)0x88,
(byte)0x12, (byte)0x23, (byte)0x34 ,(byte)0x45 ,
(byte)0x56, (byte)0x67, (byte)0x78 ,(byte)0x89};
3-我使用旧主密钥进行身份验证(仍然没有更改,仍然是8字节零。)成功。 随机数是:
随机A = 8字节数
随机B = 8字节数
4 - 我每次使用随机A和随机B创建会话密钥: 会话密钥=随机A的前4个字节+随机B的前4个字节
//fill sessionKey with RandomA and RandomB
for(int i=0; i<4; i++)
sessionKey[i] = randomA[i];
for(int i=4; i<8; i++)
sessionKey[i] = randomB[i-4];
5 - 我用波纹管方法为新的主密钥创建CRC16。结果是:D8 EC (新的PICC主密钥可能是16字节?还是必须是8字节?顺便说一下,我为新的主密钥选择了一个16字节的值)
public class CRC16
{
public static short Crc16(byte[] buffer, short offset, short len)
{
short crcTmp = 0x6363;
for (int i = 0; i < len; ++i)
{
short temp = (short)(buffer[offset + i] ^ crcTmp);
temp = (short)((temp ^ (temp << 4)) & 0xff);
crcTmp = (short)(((crcTmp >> 8) & 0xff) ^ (temp << 8) ^ (temp << 3) ^ (temp >> 4));
}
return crcTmp;
}
}
6 - 我用crc和padding(破译)创建了新的PICC密钥
byte[] newPICCKey_deciphered = new byte[]{(byte)0x11, (byte)0x22, (byte)0x33, (byte)0x44,
(byte)0x55, (byte)0x66, (byte)0x77 ,(byte)0x88,
(byte)0x12, (byte)0x23, (byte)0x34 ,(byte)0x45 ,
(byte)0x56, (byte)0x67, (byte)0x78 ,(byte)0x89,
(byte)0x00 , (byte)0x00,
(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,
(byte)0x00 ,(byte)0x00 ,(byte)0x00 };
txtNewPICCKeyDeciphered.setText(Utils.bytesToHex(newPICCKey_deciphered));
7-我计算crc16并将其添加到我的新密钥中:
short res = CRC16_3.Crc16(newPICCKey, (short)0, (short)16);
newPICCKey_deciphered[16] = (byte) (res & 0xFF);
newPICCKey_deciphered[17] = (byte) ((res >> 8) & 0xFF);
8 - 我用波纹管方法加密了新的主密钥,我得到了一个24字节的加密:
byte[] iv1=new byte[]{(byte)0x00 , (byte)0x00 , (byte)0x00 , (byte)0x00 ,
(byte)0x00 , (byte)0x00 , (byte)0x00 , (byte)0x00 };
byte[] newPICCKeyEnciphered = new byte[24];
//..............................
byte[] block1 = new byte[]{(byte)0x11, (byte)0x22, (byte)0x33, (byte)0x44,
(byte)0x55, (byte)0x66, (byte)0x77 ,(byte)0x88};
byte[] block2 = new byte[]{
(byte)0x11, (byte)0x22, (byte)0x33 ,(byte)0x44 ,
(byte)0x55, (byte)0x66, (byte)0x77 ,(byte)0x88};
byte[] block3 = new byte[]{(byte)0x00 , (byte)0x00,
(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,
(byte)0x00 ,(byte)0x00 ,(byte)0x00};
block3[0] = newPICCKey_deciphered[16];
block3[1] = newPICCKey_deciphered[17];
try
{
Cipher cipher = Cipher.getInstance("DES/ECB/NoPadding");
SecretKeyFactory desKeyFact = SecretKeyFactory.getInstance("DES");
DESKeySpec desKeySpec = new DESKeySpec(sessionKey);
SecretKey s = desKeyFact.generateSecret(desKeySpec);
cipher.init(Cipher.DECRYPT_MODE, s);
byte[] r1 = new byte[8];
r1 =Utils.doXorTwoByteArray(block1, iv1);
byte[] r2 = new byte[8];
r2 = cipher.doFinal(r1, 0, 8);
//...............
byte[] r3 = new byte[8];
r3 =Utils.doXorTwoByteArray(block2, r2);
byte[] r4 = new byte[8];
r4 =cipher.doFinal(r3, 0, 8);
//................
byte[] r5 = new byte[8];
r5 =Utils.doXorTwoByteArray(block3, r4);
byte[] r6 = new byte[8];
r6 =cipher.doFinal(r5, 0, 8);
for(int i=0; i<8;i++)
newPICCKeyEnciphered[i] = r2[i];
for(int i=8; i<16;i++)
newPICCKeyEnciphered[i] = r4[i-8];
for(int i=16; i<24;i++)
newPICCKeyEnciphered[i] = r6[i-16];
}
catch(Exception e)
{
e.printStackTrace();
}
这是在加密时使用的类DES:
public class DES {
public static byte[] doDecryptData(byte[] OriginalData,byte[]key , int sizeKey , byte[] iv , int sizeIV)
{
byte[] masterKeyBytes =new byte[sizeKey];
masterKeyBytes = key;
byte[] ivBytes = new byte[sizeIV];
ivBytes = iv;
byte[] encipheredData=new byte[sizeIV];
try{
DESKeySpec desKeySpec = new DESKeySpec(masterKeyBytes);
SecretKeyFactory desKeyFact = SecretKeyFactory.getInstance("DES");
SecretKey s = desKeyFact.generateSecret(desKeySpec);
Cipher aliceCipher = Cipher.getInstance("DES/CBC/NoPadding");
aliceCipher.init(Cipher.DECRYPT_MODE, s, new IvParameterSpec(ivBytes));
encipheredData= aliceCipher.doFinal(OriginalData);
return encipheredData;
}
catch(Exception e)
{
Log.e("error", "111"+e.toString());
}
return null;
}
9-最后我填充参数字节数组并将其与指令(c4)一起发送到
byte[] cmd = new byte[]{(byte)0x00 ,
(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,(byte)0x00
,(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,(byte)0x00
,(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,(byte)0x00
,(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,(byte)0x00
,(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,(byte)0x00
,(byte)0x00 ,(byte)0x00 ,(byte)0x00 ,(byte)0x00 };
//fill cmd
for(int i=1 ;i<cmd.length ; i++)
cmd[i] = newPICCKeyEnciphered[i -1];
try {
responseChangeKey = isodep.transceive(Utils.wrapMessage((byte)0xC4, cmd));
} catch (IOException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
} catch (Exception e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
}
这是Utils类:
public class Utils {
public static byte[] wrapMessage (byte command, byte[] parameters) throws Exception {
ByteArrayOutputStream stream = new ByteArrayOutputStream();
stream.write((byte) 0x90);
stream.write(command);
stream.write((byte) 0x00);
stream.write((byte) 0x00);
if (parameters != null) {
stream.write((byte) parameters.length);
stream.write(parameters);
}
stream.write((byte) 0x00);
byte[] b = stream.toByteArray();
return b;
}
}
我在最后一步(发送apdu将主密钥更改为卡)收到异常0x1E错误,这意味着完整性错误:CRC或MAC与数据不匹配 填充字节无效。 如何正确执行更改密钥?这对我来说是必要的。谢谢。
答案 0 :(得分:2)
0xFFFF,但DESFire需要0x6363。这可能会导致您的完整性错误。newPICCKey_deciphered数组解密的DEC / CBC加密。加密时你真的必须使用DECRYPTION MODE而不是ENCRYPTION MODE(虽然看起来很奇怪)。这意味着: aliceCipher.init(Cipher.DECRYPT_MODE, s, new IvParameterSpec(ivBytes));
并且由于CBC解密模式与加密的CBC模式不同,您必须实现自己的CBC模式,并且只使用aliceCipher一个块仅使用正确的IV。