What encryption types are available and how do I create custom encryptions?
This guide explains how to set up RFID encryption for Kentix SmartAccess: "Off", "Kentix" (default) or "Custom". You'll also learn how to upload a custom DESFire configuration as JSON.
Prerequisites
- Access to the KentixONE web interface
- Role with permissions to edit configuration
- For "Custom": a JSON configuration file that matches your DESFire profile (see example)
Step-by-step guide
1. Navigate to Security
Open Configuration → Security and scroll to the "RFID Settings" section.
2. Choose "RFID Encryption" option
- Off: Only reads the token's UID. No encryption — suitable for testing, but clonable and insecure.
- Kentix: Kentix-specific encryption (default). In addition to the UID, an encrypted area is checked.
- Custom: Use a self-defined DESFire configuration. This allows you to use organization-specific keys and structures.
Kentix-specific encryption: Only works with tokens delivered by Kentix after 06/2018.
"Off" allows reading/cloning the UID with any MIFARE DESFire reader. Do not use this setting in production.
Tokens with Kentix-specific encryption cannot be combined with "Custom".
3. Upload custom encryption (optional)
Select "Custom" and upload your JSON configuration file. Use "Download Template" to get a sample.
The JSON defines, for example, the App ID, file number, read offset and authentication method. Example:
{
  "mifare_desfire": {
    "app_id": "0xb2c3d4",
    "file_number": 0,
    "file_offset": 0,
    "file_length": 32,
    "file_type": 1,
    "auth_method": 2,
    "des_key": "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
    "key_number": 1,
    "card": {
      "data": [
        {
          "name": "OEM Code",
          "position_start": 1,
          "position_end": 64,
          "encoding": "hexadecimal"
        },
        {
          "name": "Card Number",
          "position_start": 65,
          "position_end": 128,
          "encoding": "hexadecimal"
        }
      ]
    }
  }
}
4. Save and test
Save the settings. Then verify the booking of an authorized token at a DoorLock/WA3.
Card Configuration Template
Note: Please only fill in the fields marked in green.
- Handing over to the card manufacturer
  - The included data and parameters can be used directly by the card manufacturer for card personalization.
  - The standardized structure of the template enables automated processing in production systems.
- Own use with a card reader
  - The template can also be used with compatible readers.
  - The contained information serves as configuration and reference data for initializing, verifying or managing the card.
Example Template:
Example_Template.pdf
Example_Template.pdf as JSON
{
  "mifare_desfire": {
    "app_id": "0x012345", //Enter Application ID (Template page 3)
    "file_number": 0,
    "file_offset": 0,
    "file_length": 16,
    "file_type": 1,
    "auth_method": 2,
    "des_key": "0x0123456789ABCDEF0123456789ABCDEF", //Enter Key Number (Template page 2&3)
    "key_number": 1,
    "card": {
      "data": [
        {
          "name": "number",
          "position_start": 65,
          "position_end": 128,
          "encoding": "hexadecimal"
        }
      ]
    }
  }
}
Tips & Tricks
- Use "Kentix" as a secure default unless custom key management is required.
- Keep "key_number" and permissions consistent across all cards/readers.
- Document your JSON profiles with version control and restrict access to key material.
Troubleshooting
- Token not recognized: Check if the selected encryption type matches the token (Kentix vs. Custom vs. Off).
- Custom JSON fails: Length/offset do not match the file on the card; authentication method/keys do not match; wrong App ID or file_number.
- Older tokens (before 06/2018): May not support Kentix encryption - use "Off" or new media.
Glossary
- App ID: 3-byte identifier for identifying a DESFire application.
- file_number: The file number is a 1-byte number between 0 and 31.
- file_offset: The offset specifies from which byte the file is read.
- file_length: The file size specifies the length of the file to be read in bytes.
- file_type: 0 unencrypted, 1 stored encrypted.
- auth_method: 0 no auth., 1 2TDEA (DES/3DES), 2 AES-128.
- des_key: Key for authentication (depends on auth_method).
- key_number: Key index within the application/file.
- name: Each sector requires an identifier which is stored as a string.
- position_start: The sector to be read is defined by specifying the start and stop bits.
- position_end: End of the sector.
- encoding: Type of interpretation (binary, ascii, bcd, hexadecimal).
- test_value: The static test value is a string and is always checked when reading the card. Only after successfully comparing the test value on the card with the test value in the configuration file are the data processed in KentixONE.
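A pre-upload check for a custom profile, covering the failure causes listed under Troubleshooting and the field rules in the Glossary. This is an added example, not Kentix code: the function names are hypothetical. It assumes that positions are 1-based inclusive bit numbers within the bytes read, and that the file must be strict JSON (so the // annotations shown in the template would have to be removed first).

```python
import json
import re

ENCODINGS = {"binary", "ascii", "bcd", "hexadecimal"}  # values listed in the glossary
HEX = re.compile(r"0[xX]((?:[0-9a-fA-F]{2})+)")

def hex_len(value):
    """Byte length of a '0x...' hex string, or None if it is malformed."""
    m = HEX.fullmatch(value) if isinstance(value, str) else None
    return len(m.group(1)) // 2 if m else None

def lint_profile(text):
    """Return findings for a custom DESFire profile; an empty list means clean."""
    try:
        cfg = dict(json.loads(text)["mifare_desfire"])  # strict JSON: '//' notes fail here
    except (ValueError, KeyError, TypeError) as exc:
        return [f"not a strict-JSON profile: {exc!r}"]
    out = []
    if hex_len(cfg.get("app_id")) != 3:
        out.append("app_id: expected a 3-byte hex value")
    if cfg.get("file_number") not in range(32):
        out.append("file_number: expected 0..31")
    auth = cfg.get("auth_method")
    if auth not in (0, 1, 2):
        out.append("auth_method: expected 0, 1 or 2")
    elif auth == 0:
        out.append("auth_method 0: file is read without authentication")
    elif hex_len(cfg.get("des_key")) != 16:
        out.append("des_key: 2TDEA and AES-128 both need a 16-byte key")
    if cfg.get("file_type") == 0:
        out.append("file_type 0: data is stored unencrypted")
    bits = cfg["file_length"] * 8 if isinstance(cfg.get("file_length"), int) else 0
    # Assumption: positions are 1-based, inclusive bit numbers within the bytes read.
    for f in (cfg.get("card") or {}).get("data") or []:
        start, end = f.get("position_start"), f.get("position_end")
        if not (isinstance(start, int) and isinstance(end, int) and 1 <= start <= end <= bits):
            out.append(f"{f.get('name')}: bits {start}-{end} do not fit a {bits}-bit read")
        if f.get("encoding") not in ENCODINGS:
            out.append(f"{f.get('name')}: unknown encoding {f.get('encoding')!r}")
    return out

# Constructed sample: 8-byte read, but the field claims bits 65-128; key is only 8 bytes.
SAMPLE = ('{"mifare_desfire": {"app_id": "0x012345", "file_number": 0, "file_offset": 0,'
          ' "file_length": 8, "file_type": 1, "auth_method": 2,'
          ' "des_key": "0x0123456789ABCDEF", "key_number": 1, "card": {"data": ['
          '{"name": "number", "position_start": 65, "position_end": 128,'
          ' "encoding": "hexadecimal"}]}}}')

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE)))
```

Run it against a profile before uploading; because the file contains the authentication key, run it only on a machine where that key is already allowed to reside.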