Mifare DESFire Key Settings
PICC Master Key Settings
PICC Master Key Settings are eight bits long.
- Bit 0: Allows changing the Master Key.
  - "0": The Master Key is not changeable.
  - "1": The Master Key is changeable.
- Bit 1: Allows listing applications and/or files.
  - "0": Master Key authentication is required to list applications and/or files.
  - "1": Master Key authentication is not required.
- Bit 2: Allows creating and deleting applications and/or files without Master Key authentication.
  - "0": Master Key authentication is required to create and delete applications and/or files.
  - "1": Master Key authentication is not required.
- Bit 3: Allows changing the PICC configuration.
  - "0": Master Key authentication is required to change the PICC configuration.
  - "1": Master Key authentication is not required.
- Bits 4-7: Determine key change access rights. These bits apply only to applications; the default value for the PICC is "0000".
  - "1110": Authentication with the key to be changed is required.
  - "1111": Keys are frozen and cannot be changed.
  - "0001"-"1101": Authentication with the specified key number is required.
PICC Master Key Setting Examples
Hexadecimal Value | Key Change Authentication Requirement | Changeable Master Key? | Listing Applications/Files Authentication Requirement | Create/Delete Applications/Files | PICC Configuration Change |
0x0F | Master Key authentication required to change any key | Yes | Does not require Master Key authentication | Permitted without Master Key authentication | Requires Master Key authentication |
0xEF | Authentication with key to be changed required to change any key | Yes | Does not require Master Key authentication | Permitted without Master Key authentication | Requires Master Key authentication |
0x1F | Authentication with key 1 required to change any key | Yes | Does not require Master Key authentication | Permitted without Master Key authentication | Requires Master Key authentication |
0x0E | Master Key authentication required to change any key | No | Does not require Master Key authentication | Permitted without Master Key authentication | Requires Master Key authentication |
0x07 | Master Key authentication required to change any key | Yes | Does not require Master Key authentication | Permitted without Master Key authentication | Does not require Master Key authentication |
Application Auxiliary Key Settings
Application Auxiliary Key Settings are one byte long, written as two hexadecimal characters (0-9 or A-F), such as "00", "01", "AA", "FF", etc.
The rightmost (least significant) digit defines the number of keys stored in an application. 0-9 or A-D are the only values allowed. For example, with an Auxiliary Key Settings value of "01", the rightmost digit ("1") defines that the application will be created with only one key, whereas with a value of "0D", the rightmost digit ("D") defines that the application will be created with thirteen keys.
The leftmost (most significant) digit defines the encryption type and whether or not the two-byte file ID is used. The encryption type determines whether the application has a Key Type of AES, DES, or Triple DES. The appropriate Auxiliary Key Settings for each Key Type are determined by bit values as follows.
- Bit 0 is reserved for future use and is not used; it should always be set to 0.
- Bit 1 determines if the two-byte file ID is used.
  - "__0_": The two-byte file ID is not used.
  - "__1_": The two-byte file ID is used.
- Bits 2-3 determine the Key Type.
  - "00__": DES
  - "01__": Triple DES
  - "10__": AES
Accordingly, the leftmost digit of the hexadecimal Application Auxiliary Key Settings value is:
- DES applications: "0" if the two-byte file ID is not used, or "2" if it is used.
- Triple DES applications: "4" if the two-byte file ID is not used, or "6" if it is used.
- AES applications: "8" if the two-byte file ID is not used, or "A" if it is used.
Application Auxiliary Key Setting Examples
Hexadecimal Value | Key Type | Two-Byte File IDs? | # of Keys | Key IDs |
05 | DES | No | 5 | 0-4 |
0A | DES | No | 10 | 0-9 |
85 | AES | No | 5 | 0-4 |
A5 | AES | Yes | 5 | 0-4 |
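The following Python sketch is an added example, not code from the original page or from any vendor tool. It decodes and validates an Application Auxiliary Key Settings value using only the bit layout described above, rejecting a set reserved bit, the undefined key type bits "11", and a key count outside 0-D. The names AuxKeySettings, decode_aux_key_settings and encode_aux_key_settings are hypothetical.

```python
import string
from dataclasses import dataclass

# Bits 2-3 of the leftmost digit; "11" is not defined on this page.
KEY_TYPES = {0b00: "DES", 0b01: "Triple DES", 0b10: "AES"}


@dataclass(frozen=True)
class AuxKeySettings:  # hypothetical name, for illustration only
    key_type: str
    two_byte_file_ids: bool
    num_keys: int

    @property
    def key_ids(self) -> range:
        return range(self.num_keys)  # key IDs run from 0 to num_keys - 1


def decode_aux_key_settings(value: str) -> AuxKeySettings:
    """Decode a two-character hex string such as "A5"; raise ValueError if invalid."""
    if len(value) != 2 or any(c not in string.hexdigits for c in value):
        raise ValueError(f"{value!r}: expected two hexadecimal characters")
    high, low = int(value[0], 16), int(value[1], 16)
    if high & 0b0001:
        raise ValueError(f"{value!r}: reserved bit 0 of the leftmost digit is set")
    key_type = KEY_TYPES.get(high >> 2)
    if key_type is None:
        raise ValueError(f"{value!r}: key type bits '11' are undefined")
    if low > 0xD:
        raise ValueError(f"{value!r}: number of keys must be in 0-D")
    return AuxKeySettings(key_type, bool(high & 0b0010), low)


def encode_aux_key_settings(key_type: str, two_byte_file_ids: bool, num_keys: int) -> str:
    """Build the two-character hex value; the inverse of decode_aux_key_settings."""
    type_bits = {name: bits for bits, name in KEY_TYPES.items()}
    if key_type not in type_bits:
        raise ValueError(f"unknown key type {key_type!r}")
    if not 0 <= num_keys <= 0xD:
        raise ValueError("number of keys must be in 0-13")
    high = (type_bits[key_type] << 2) | (0b0010 if two_byte_file_ids else 0)
    return f"{high:X}{num_keys:X}"


if __name__ == "__main__":
    for sample in ("05", "0A", "85", "A5"):  # values from the examples table
        print(sample, decode_aux_key_settings(sample))
```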