Cryptographic key management in the MIFARE DESFire configuration task - Security Center 5.12

Security Center Administrator Guide 5.12

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.12
Language: English
Last updated: 2024-11-05

All keys used for reading and writing information to MIFARE DESFire badges benefit from the same management functions in the MIFARE DESFire configuration task.

Types of keys

In the MIFARE DESFire configuration task, you can configure different types of keys:
  • Card master key
  • UID retrieval key (commonly known as GetUID key)
  • Application master key
  • Old application master key (commonly known as Transport application master key)
  • Read key (commonly known as File read privilege key)
  • Write key (commonly known as File write privilege key)
  • Read-write key (commonly known as File read/write privilege key)
  • Change access key (commonly known as File change access privilege key)

Key locations

When configuring a key, you can select where the key is stored and how to access the file from the Type drop-down.
Preloaded
Preloaded indicates that the current configuration, exportable as an XML file, lacks cryptographic keys. These keys can be set up for USB or wall readers.
STid USB reader
(For encoding purposes) If the reader is set to transparent mode, the keys are stored in the Security Center DESFire key vault. If the reader is set to non-transparent mode, the keys are stored in the desktop encoder memory. You need a Secure Key Bundle (SKB) card for this purpose.
Wall reader
(For reading purposes) If the reader is set to transparent mode, the keys are stored either on the Synergis™ unit or on the SAM card. If the reader is set to non-transparent mode, the keys are stored in the wall-mounted reader memory. You can select the key location in the Configuration > Hardware page of the Synergis™ Appliance Portal. For more information, see Enabling transparent mode on STid readers that use the SSCP protocol.
Inline
Inline keys, which are embedded in plain text within XML configuration files stored in the Security Center, are solely used for encoding cards. This method is now considered obsolete and is maintained only for legacy compatibility. Due to security concerns, the use of inline keys is not recommended.
Free access
(File access only) Free access means that the file is public. No key is required to authenticate to the badge.
Application master key
(File access only) Use the application master key to access the file.
NOTE: The reader operation mode is configured in the Encoder settings page of the MIFARE DESFire configuration task.

Configuring inline keys

To configure an inline key in the MIFARE DESFire configuration task, you can either enter the key manually or click Generate random key.

NOTE: In the following screenshots, the Read key configuration is used as an example.
[Screenshot: Inline Read key showing the generated random value in the MIFARE DESFire configuration task.]
Before you save your configuration, you can do the following:
  • Click Show key to show the key value.
  • Click Copy key to clipboard to copy the key to the clipboard. This action requires the Copy keys user privilege.
  • Click Generate random key to generate a new value. This action requires the Generate cryptographic keys user privilege.
NOTE: After you’ve saved your configuration, you can no longer show the key or copy it to the clipboard.
[Screenshot: Saved inline Read key showing the hidden value in the MIFARE DESFire configuration task.]

If you need to know the value of the key and didn’t save it when it was generated, you should remove the current key. Then, generate a new one and copy it to the clipboard before you click.

Only the default key value made up of 32 zeros is always visible.
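
An added example, not part of the Genetec documentation or of Security Center itself: a schema-agnostic audit that scans an exported XML configuration for inline (plain-text) key values and separates the all-zero default from real secrets. The sample XML and its element and attribute names are constructed and hypothetical, and the script assumes keys appear as 32 hexadecimal digits, the same length as the default key of 32 zeros.

```python
import re
import xml.etree.ElementTree as ET

# 32 hex digits = one 16-byte key, the length of the default key of 32 zeros.
HEX_KEY = re.compile(r"^[0-9A-Fa-f]{32}$")
DEFAULT_KEY = "0" * 32

# Constructed sample export. Element and attribute names are hypothetical,
# not the real Security Center schema.
SAMPLE_EXPORT = """<DesfireConfiguration>
  <Application id="F51BC0">
    <Key name="ApplicationMasterKey" type="Preloaded"/>
    <Key name="ReadKey" type="Inline">00112233445566778899AABBCCDDEEFF</Key>
    <Key name="WriteKey" type="Inline" value="00000000000000000000000000000000"/>
    <File number="1" access="FreeAccess"/>
  </Application>
</DesfireConfiguration>"""


def find_inline_keys(xml_text):
    """Return (location, kind) for every key-shaped value in the XML.

    kind is 'default' for the all-zero key and 'secret' for anything else.
    The key value itself is never returned, so the report is safe to log.
    """
    findings = []

    def walk(elem, here):
        candidates = [("text", (elem.text or "").strip())]
        candidates += [(f"@{k}", v.strip()) for k, v in elem.attrib.items()]
        for where, value in candidates:
            if HEX_KEY.match(value):
                kind = "default" if value == DEFAULT_KEY else "secret"
                findings.append((f"{here}/{where}", kind))
        for i, child in enumerate(elem, start=1):  # i = position among siblings
            walk(child, f"{here}/{child.tag}[{i}]")

    root = ET.fromstring(xml_text)
    walk(root, f"/{root.tag}")
    return findings


if __name__ == "__main__":
    for location, kind in find_inline_keys(SAMPLE_EXPORT):
        print(f"{kind:7} key material at {location}")
```

A clean result only means no 32-hex-digit values were found; a configuration that uses Preloaded keys should produce no findings at all.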