FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

How to change default EV3 key type from THREEDES to AES

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to change default EV3 key type from THREEDES to AES

‎10-23-2024 01:26 PM
2,084 Views
Mixermachine
Contributor II

Hi everyone,

I'm currently starting to build a prototype based on EV3 cards.
I would love to base everything on AES encryption as 3DES is now officially deprecated from a security perspective: https://www.encryptionconsulting.com/why-3des-or-triple-des-is-officially-being-retired/

How may I change the default key with type THREEDES and [0,...,] value to a key with type AES?


Would also be great to get an example on how one can add additional application keys.


Greetings from Germany.

Labels (1)
Labels
0 Kudos
Reply
3 Replies

‎10-30-2024 12:14 AM
2,052 Views
ukcas
NXP Employee
NXP Employee

Dear Mixermachine,

 

Great that you found a way and thank you for posting a solution.

For PICC Keys, the KeyType can be changed via ChangeKey commands. Simply, the new key should be an AES key.

Inside applications, its a different topic. You can not change the type of an application key, as the key type used in an application is set at application creation. The only possible way would be to use keySets, this allows to migrate from TDES to AES during lifetime, but also that needs to be set up and planned during application creation. So, if during application creation it was not planned to migrate to AES, unfortunately its not possible. Only way is to create a new application with AES keys. Also, its not possible to add keys after app creation.

Best regards,

TapLinx team

0 Kudos
Reply

‎10-31-2024 02:05 PM
2,044 Views
Mixermachine
Contributor II

Hi ukcas,

thanks for your answer.
Good info about not being able to change the key type on applications.
I'm currently working on the prototype and thus have no existing applications.

Can you extend a bit more on keySets?

It would be great to have a write and read key for an application and the belonging files.
Do I need KeySets for this? Or are they used for a different scenario?

Kind regards

Mixermachine

0 Kudos
Reply

‎10-29-2024 12:45 PM
2,060 Views
Mixermachine
Contributor II

After trying some things it was not that hard after all.
The Java Documentation of the API already helps a lot.

@nxp_TEAM I hope I do not break any NDA by posting this info.
If this is the case feel free to delete this post.
The goal is to help other people, saving some time and making the dev experience better.

My solution was:

 

idesFireEV3.changeKey(0, KeyType.AES128, OLD_DES_KEY, NEW_AES_KEY, KEY_VERSION)

 


You can find the current KEY_VERSION of the master key (0) by executing:

idesFireEV3.getKeyVersionFor(0)

and then increase the version by 1.

The authentication then no longer works with

val keyData = KeyData()
keyData.key = SecretKeySpec(OLD_DES_KEY, "DESede")

idesFireEV3.authenticate(0, IDESFireEV1.AuthType.Native, KeyType.THREEDES, keyData)

but with

val keyData = KeyData()
keyData.key = SecretKeySpec(NEW_AES_KEY, "AES")

idesFireEV3.authenticate(0, IDESFireEV1.AuthType.AES, KeyType.AES128, keyData)


I also saw the method

authenticateEV2First

and are currently looking into it.
Seems like a more secure authentication method starting from EV2 cards?

 

Kind regards from Germany

0 Kudos
Reply