Hi everyone,
I'm currently starting to build a prototype based on EV3 cards.
I would love to base everything on AES encryption as 3DES is now officially deprecated from a security perspective: https://www.encryptionconsulting.com/why-3des-or-triple-des-is-officially-being-retired/
How may I change the default key with type THREEDES and [0,...,] value to a key with type AES?
Would also be great to get an example on how one can add additional application keys.
Greetings from Germany.
Dear Mixermachine,
Great that you found a way and thank you for posting a solution.
For PICC Keys, the KeyType can be changed via ChangeKey commands. Simply, the new key should be an AES key.
Inside applications, it's a different topic. You cannot change the type of an application key, as the key type used in an application is set at application creation. The only possible way would be to use keySets; this allows migrating from TDES to AES during the lifetime, but that also needs to be set up and planned during application creation. So, if during application creation it was not planned to migrate to AES, unfortunately it's not possible. The only way is to create a new application with AES keys. Also, it's not possible to add keys after app creation.
Best regards,
TapLinx team
Hi ukcas,
thanks for your answer.
Good info about not being able to change the key type on applications.
I'm currently working on the prototype and thus have no existing applications.
Can you expand a bit more on keySets?
It would be great to have a write and read key for an application and the files belonging to it.
Do I need KeySets for this? Or are they used for a different scenario?
Kind regards
Mixermachine
After trying some things it was not that hard after all.
The Java Documentation of the API already helps a lot.
@nxp_TEAM I hope I do not break any NDA by posting this info.
If this is the case feel free to delete this post.
The goal is to help other people, saving some time and making the dev experience better.
My solution was:
idesFireEV3.changeKey(0, KeyType.AES128, OLD_DES_KEY, NEW_AES_KEY, KEY_VERSION)
You can find the current KEY_VERSION of the master key (0) by executing:
idesFireEV3.getKeyVersionFor(0)
and then increase the version by 1.
The authentication then no longer works with
val keyData = KeyData()
keyData.key = SecretKeySpec(OLD_DES_KEY, "DESede")
idesFireEV3.authenticate(0, IDESFireEV1.AuthType.Native, KeyType.THREEDES, keyData)
but with
val keyData = KeyData()
keyData.key = SecretKeySpec(NEW_AES_KEY, "AES")
idesFireEV3.authenticate(0, IDESFireEV1.AuthType.AES, KeyType.AES128, keyData)
I also saw the method
authenticateEV2First
and am currently looking into it.
Seems like a more secure authentication method starting from EV2 cards?
Kind regards from Germany