Configuring MIFARE DESFire cryptographic keys in Security Center - Security Center 5.12

Security Center Administrator Guide 5.12

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.12
Language: English
Last updated: 2024-11-05

You can use the MIFARE DESFire configuration task in Config Tool to configure and store cryptographic keys.

Before you begin

Ensure the following:
  • Your Security Center license supports the following options:
    • MIFARE DESFire configuration
    • Smart card encoding
  • You’re granted the Export configurations and keys and Modify keys user privileges.

What you should know

  • MIFARE DESFire EV1/EV2/EV3 is a 128-bit, Advanced Encryption Standard (AES)-based protocol for which you define the keys.
  • A cryptographic key has three attributes:
    Name
    The key name corresponds to the key index in the Configuration page. It takes the form index xxxx. A given name can have up to three versions.
    Version
    The key version can be any number from 0 to 255. The name and version together identify a unique key value. Security Center only encodes version 0. If the key is to be used by an external system, a version other than 0 can be used if that system accepts it.
    Value
    The key value can have multiple components. Each component is a 32-character hexadecimal value.
  • To read a DESFire badge that has been encoded, these three attributes must match between the encoding system (typically Security Center) and the reading system (Synergis™ Cloud Link).
  • You configure cryptographic keys from the Key vault page of the MIFARE DESFire configuration task for two reasons:
    • To store the keys that Security Center uses to encode badges. In this case, only key version 0 is allowed.
    • To export the keys to Synergis Cloud Link units. In this case, the key version may differ from 0 if the card was encoded by a third-party system that allows this variation.
  • After a key has been added, it can no longer be modified. To modify a key, you must delete it and add a new one.

Procedure

  1. From the Config Tool homepage, open the MIFARE DESFire configuration task.
  2. Click the Key vault tab.
  3. Create keys in the key store by doing one of the following:
  4. In the Key configurations dialog box, select a Name from the list.
  5. Click Add an item, and then enter the following:
    Version
    The key version. Enter 0 if the key is to be used by Security Center to encode badges.
    Key
    The component that forms the key. Each component is a 32-character hexadecimal value.
  6. Click Add component.
  7. (Optional) Add more components to the same key version.
    To improve security, different persons can add different components to the same key version. Each person knows only the component that they have added. The system combines all the components with XOR and generates a unique key known only to the system. In this way, nobody knows the final key. This operation is known as a key ceremony.
    1. Enter a new 32-character hexadecimal string or click Generate random key to generate a random value.
    2. Click Add component.
    3. Repeat as necessary.
  8. Click Create new version.
    A new version of the key is created.
  9. (Optional) Enter a description for the key.
  10. (Optional) Add up to two other versions of the key by clicking Add an item, entering the version and the key components for the version, and then clicking Create new version.
  11. Click OK, and then click Save.
    The new keys are listed.
  12. (Optional) From the Hash list, select a different hash method to verify the keys.
    Two keys with the same value necessarily produce the same hash value. Hashing is a convenient way of comparing key values without knowing them.
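
The key ceremony in step 7 and the hash comparison in step 12, worked through as an added example that is not Security Center code: it XORs 32-character hexadecimal components into one 16-byte key and compares two keys by their hash without displaying them. SHA-256, the function names, the duplicate and all-zero checks, and the sample components are assumptions constructed for illustration; this page does not say which hash methods Security Center offers.

```python
import hashlib
import re
import secrets
from functools import reduce

# 32 hexadecimal characters = 16 bytes = one 128-bit AES key component.
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

# Constructed sample components, one per key custodian (not real keys).
COMPONENT_A = "00112233445566778899AABBCCDDEEFF"
COMPONENT_B = "FFEEDDCCBBAA99887766554433221100"
COMPONENT_C = "0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F"


def parse_component(text):
    """Validate one custodian's component and return its 16 raw bytes."""
    text = text.strip()
    if not HEX32.fullmatch(text):
        raise ValueError("component must be exactly 32 hexadecimal characters")
    return bytes.fromhex(text)


def combine_components(components):
    """XOR all components into the final key, as the key ceremony describes."""
    parts = [parse_component(c) for c in components]
    if not parts:
        raise ValueError("at least one component is required")
    if len(set(parts)) != len(parts):
        # x XOR x == 0: a repeated component cancels itself out, so the
        # final key would depend only on the remaining components.
        raise ValueError("duplicate component")
    key = reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), parts)
    if key == bytes(16):
        raise ValueError("components combine to an all-zero key")
    return key


def fingerprint(key):
    """Hash used only to compare keys (SHA-256 is an assumed choice)."""
    return hashlib.sha256(key).hexdigest()


def same_key(components_a, components_b):
    """Compare two component sets by fingerprint, never by raw key value."""
    return secrets.compare_digest(
        fingerprint(combine_components(components_a)),
        fingerprint(combine_components(components_b)),
    )
```

Because XOR is commutative, the order in which custodians enter their components does not change the resulting key, but every system that must read the badge needs the same full set of components for that name and version.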