Mifare 1K authentication keys

Andrea · Jan 20, 2015

I have a MIFARE 1K tag. Some blocks can be written/read using authentication key A, while other blocks can be written using authentication key B. Why? How can I change all blocks to be written/read, for example, with key A?

For example, I can write the key block 07 using key A, and I can also change the key A for this key block, but I can't write on it using key B, and I can't change the key B for this key block.

Why should I write/read using key A instead of key B? What's the difference?

Answer

Michael Roland · Jan 20, 2015

Each sector of a MIFARE Classic card has two authentication keys: key A and key B. These two keys together with access conditions are stored in the last block of each sector (the so-called sector trailer). The sector trailer looks like this:

+-----------------------------+--------------+----+-----------------------------+
|  0 |  1 |  2 |  3 |  4 |  5 |  6 |  7 |  8 |  9 | 10 | 11 | 12 | 13 | 14 | 15 |
+-----------------------------+--------------+----+-----------------------------+
|            Key A            | Access Conditions |            Key B            |
|          (6 bytes)          |     (4 bytes)     |          (6 bytes)          |
+-----------------------------+--------------+----+-----------------------------+

The access conditions define how you can access the blocks in the sector:

  • the commands you can issue after authenticating with key A (read, write, value block operations),
  • the commands you can issue after authenticating with key B (read, write, value block operations),
  • if key B is used as an authentication key at all.

Typical scenarios are:

  • Authentication is only possible with key A. Key A has read-only access.
  • Authentication is only possible with key A. Key A has read/write access.
  • Authentication is possible with both keys. Key A has read-only access. Key B has read/write access.
  • Authentication is possible with both keys. Key A and B have read-only access.

You can find a full description of the possible access conditions in the MIFARE datasheet.
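
The following is an added example, not part of the original answer: it decodes the access-condition bytes of a sector trailer and reports, for each data block, which key may read or write and whether key B can authenticate at all. The function and table names are hypothetical, the sample trailers are constructed, and the bit layout and tables are taken from the access-conditions section of the MIFARE Classic datasheet.

```python
# (C1, C2, C3) -> (read, write) for a data block; "AB" = key A or key B, "-" = never.
DATA_RW = {
    (0, 0, 0): ("AB", "AB"), (0, 1, 0): ("AB", "-"), (1, 0, 0): ("AB", "B"),
    (1, 1, 0): ("AB", "B"),  (0, 0, 1): ("AB", "-"), (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "-"),   (1, 1, 1): ("-", "-"),
}
# Trailer settings under which key B can be read back from the card. It is then
# ordinary data and cannot be used as an authentication key.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}

# Constructed sample trailers: key A (6 bytes) + access bytes (4) + key B (6 bytes).
FACTORY_DEFAULT = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
A_READ_B_WRITE = bytes.fromhex("a0a1a2a3a4a5" "78778800" "b0b1b2b3b4b5")


def decode_trailer(trailer: bytes) -> dict:
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]  # byte 9 is user data
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Every nibble is stored a second time inverted. Never write a trailer that
    # fails this check: the card irreversibly blocks a sector with invalid bits.
    if (b6 & 0x0F, b6 >> 4, b7 & 0x0F) != (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    # Bit n of each nibble belongs to block n of the sector (block 3 = trailer).
    bits = [((c1 >> n) & 1, (c2 >> n) & 1, (c3 >> n) & 1) for n in range(4)]
    key_b_auth = bits[3] not in KEY_B_READABLE

    def usable(keys: str) -> str:
        # Drop key B from a permission when it cannot authenticate.
        return keys if key_b_auth else (keys.replace("B", "") or "-")

    blocks = [{"read": usable(DATA_RW[b][0]), "write": usable(DATA_RW[b][1])}
              for b in bits[:3]]
    return {"key_b_auth": key_b_auth, "blocks": blocks}


if __name__ == "__main__":
    for name, trailer in (("factory default", FACTORY_DEFAULT),
                          ("A read-only, B read/write", A_READ_B_WRITE)):
        print(name, decode_trailer(trailer))
```

With the factory-default access bytes FF 07 80 69, key B is readable and therefore not an authentication key, so every data block is readable and writable with key A only.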