AccessGrid DESFire application structures

The goal of this guide is to show you how the AccessGrid DESFire application structure's work. We will go over two different structures that are available to all AccessGrid customers:

1. Simple structure
2. Key diversified structure

Both structures have some common info, as follows. For our sample passes, you must use the terminal capabilities identifier `020000`. The value of the AID (app id) depends on if you need a big endian or little endian value.

The application ID is F56401 or 0164F5.

We have 2 static keys, master (id: 00), and read (id: 01). We use a single standard file (id: 00) of default size 32 bytes, but up to 64 bytes that uses encrypted communication with MACing for reads and can be read ideally by the read key (but also the master key).

The master key (id: 00) for sample keys is:

The read key (id: 01) for sample keys is:

Sample file (id: 00) payload:

The application ID is ACCE55 or 55CEAC.

For key diversification we have 3 static keys, master (id: 00), read (id: 01), and privacy (id: 02). We use a single standard file (id: 00) of max size 4096 bytes that uses encrypted communication with MACing for reads and can be read by using NXP’s AN10922 standard for key diversification. For the sample passes we’ve issued, the keys are as follows:

The master key (00) is:

The read key (01) is:

The privacy key (02) is:

Sample file (00) payload:

One other very important thing to note is that we use the UID and the read key for key diversification, if you're trying to implement this, you can find the (real) UID in the `tag_id` field of a access pass created with key diversification. 

Further, you will need to authenticate with the privacy key (id: 02) within the DESFire application to access the card’s real UID. The UID should be 7 bytes or 14 chars. 

Once you have your UID, here's a high level of what you can try to get your diversified key:

If you are using our API and making use of the `site_code` AND `card_number` properties for DESFire, then the payload will contain a value that follows this format:

1. First 3 bytes: 0’s (ex: 00 00 00)
2. Next byte static value 00
3. Next byte static value 00
4. Next byte is number of bits in card data (ex: 00)
5. Everything after is card data (ex: 2A303D )
6. The rest is padding to reach expected file size (see below)

All together:

If you are using our API and making use of the `file_data` properties for DESFire, then the payload will be determined by whoever issued the pass, and will be up to 64 hex characters (32 bytes) of whatever format they choose. For example they may send in a 37 bit credential (card number 8678015114, no facility code):

Congrats, now you understand the AccessGrid DESFire application structure. Hopefully you can use AccessGrid.com to make your life easier and issue mobile credentials. If you need any help getting started, just use the chat or email [email protected].