Mifare DESFire EVx NFC tag: Change the Master Application Key from DES to AES (Android/Java)

AndroidCrypto
Jun 19, 2024


This article shows you how to change the Master Application Key on a Mifare DESFire NFC tag from the DES key type to the AES key type. This is done on an Android smartphone, using Android Studio and Java. The complete source code and a “ready to use” app (compiled in Debug mode) are available in my GitHub repository (see the link at the end of this article).

You bought a factory-new Mifare DESFire NFC tag and want to use it with a “state of the art” library. Of course, you can create a new AES-key-based application, create files within the application, write to the files and read from them, and personalize (change) the AES keys to your own ones. That all sounds good, but one unsatisfying situation remains: the “Master Application” has one Master Application Key (key number 0) that remains unchanged because the key type of this application is DES.

It is true that an attacker is not able to get the (AES key secured) data in your application without knowing the right key value. But they are able to delete your application on the tag and make the tag unusable. Think of a prepaid canteen card where the deposit is gone… you don’t want this situation.

So it is always a good idea to change all keys within an application to custom ones, even if they are not in use now. But that is the problem with modern libraries — they often use the modern “AuthenticateEV2First” or “AuthenticateLRPFirst” methods, but they don’t work with outdated DES keys.

For this reason I set up a small app that changes the key type of the Master Application Key from DES to AES. Additionally, you can switch the key back to DES if you need a tag with the old DES key type.

Please note: my app is only able to change from the Default DES key to the Default AES key and vice versa. That means the key value needs to be a “nulled” value: 8 “null” bytes for a DES key and 16 “null” bytes for an AES key.

As the “ChangeKey” command requires sending encrypted data, I’m using the “DESFire tools for Android” library, written by Thomas Skjølberg (“skjolber”), as the basis for this task.

A warning at the beginning: the app will try to change the Master Application Key as soon as a tag is tapped to the NFC reader of the Android device, without any further confirmation. The good news is that you can easily change the key back to DES mode.

The app runs 3 steps for changing the key:

  1. After detecting a tag, the app sends the “Select Master Application” command to the tag. If you tap a non-DESFire tag to the reader, the tag will deny the command and the app will stop any further changes.
  2. The app runs an authentication sequence for key number 0. Depending on your choice, it uses the Default DES Key (“Change Key Type to AES”) or the Default AES Key (“Change Key Type to DES”). If the tag responds with a “non success” message, the app stops any further attempts to change the key.
  3. The app runs the “Change Key” sequence and tries to change the key from DES to AES (first option) or from AES to DES (second option).
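
Step 1 and its stop-on-failure check, as an added example that is not taken from the article's app or from the DESFire tools library. It assumes the ISO 7816-4 wrapped command format; the class and method names and the three simulated tag responses are hypothetical and constructed for this illustration.

```java
import java.util.Arrays;
import java.util.function.UnaryOperator;

// Added illustration: names are hypothetical, not from the article's app or library.
public class SelectMasterApplicationCheck {
    static final byte SELECT_APPLICATION = (byte) 0x5A;   // DESFire native command code
    static final byte[] MASTER_AID = {0x00, 0x00, 0x00};  // AID of the Master Application

    // Wrap a native command as an ISO 7816-4 APDU: 90 INS 00 00 [Lc data] 00
    static byte[] wrap(byte ins, byte[] data) {
        int lcAndData = data.length == 0 ? 0 : 1 + data.length;
        byte[] apdu = new byte[4 + lcAndData + 1];         // last byte (Le) stays 0x00
        apdu[0] = (byte) 0x90;
        apdu[1] = ins;
        if (data.length > 0) {
            apdu[4] = (byte) data.length;
            System.arraycopy(data, 0, apdu, 5, data.length);
        }
        return apdu;
    }

    // Success is exactly status 91 00 in the last two response bytes
    static boolean isSuccess(byte[] resp) {
        return resp != null && resp.length >= 2
                && resp[resp.length - 2] == (byte) 0x91 && resp[resp.length - 1] == 0x00;
    }

    // Step 1 gate: true only if the tag accepted "Select Master Application"
    static boolean selectMasterApplication(UnaryOperator<byte[]> transceive) {
        try {
            return isSuccess(transceive.apply(wrap(SELECT_APPLICATION, MASTER_AID)));
        } catch (RuntimeException e) {
            return false;                                  // transport failure counts as denial
        }
    }

    public static void main(String[] args) {
        byte[] expected = wrap(SELECT_APPLICATION, MASTER_AID); // 90 5A 00 00 03 00 00 00 00
        // Constructed stand-ins for IsoDep.transceive(); no real tag is involved
        UnaryOperator<byte[]> desfireTag = cmd -> Arrays.equals(cmd, expected)
                ? new byte[]{(byte) 0x91, 0x00} : new byte[]{(byte) 0x91, 0x1C};
        UnaryOperator<byte[]> otherTag = cmd -> new byte[]{0x6D, 0x00}; // INS not supported
        UnaryOperator<byte[]> lostTag = cmd -> { throw new IllegalStateException("tag lost"); };

        System.out.println("DESFire tag: " + selectMasterApplication(desfireTag));
        System.out.println("other tag:   " + selectMasterApplication(otherTag));
        System.out.println("tag removed: " + selectMasterApplication(lostTag));
    }
}
```

On a device, the `transceive` argument would wrap `IsoDep.transceive()`, which throws a checked `IOException` that must be caught and treated as a denial in the same way.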

This is the result after a successful key change from DES to AES:

Congratulations: you managed to change the Master Application Key from DES to AES. You can check this with the NFC TagInfo by NXP app (available in the Google Play Store):

You can find the complete source code of this app in my GitHub repository DESFireChangeMasterAppKey. In the subfolder “debug” you can download a “ready to use” app, compiled in debug mode. The app is built with Gradle 8.6 and is compiled for Android SDK versions 21 to 34.

Happy coding!
