Overview Document

Encoding Mifare Multiple Applications

Many organisations require cardholders to carry a single card which will allow them
access to multiple sites. The scenarios presented below describe how to encode and use
one Mifare access card across multiple Gallagher Command Centre sites with Command
Centre v7.00 onwards.
Scenario 1:
The site issuing the Mifare Classic, Plus or DESFire cards encodes their Gallagher data to
the cards and the other sites create a card type that corresponds to the Facility Code
encoded on the cards. If Mifare Plus or DESFire cards are used, the issuing site must give
their Mifare site key to the other sites (if the default site key is not being used). This
may not be an appropriate solution for sites that require a higher level of security.

Scenario 2:
Mifare cards will be used on two or more sites that have a common Mifare site key e.g.
the default Mifare key. Each site encodes cards with their Gallagher data to a different
sector (or application for DESFire cards) using the common Mifare key and their own
Facility Code.

Scenario 3:
Mifare Plus or DESFire cards will be used on two or more sites. This solution involves
multiple independent Gallagher access applications written to the same card. Each site

August 2011 Page 1

 Mifare Multiple Application Encoding Overview Document

has a unique Mifare site key and each site encodes the cards with their Gallagher data to
a different sector (application) using their own Mifare key and Facility Code.

The Gallagher Card Application Directory (CAD)

For the Scenarios 2 and 3, it will be necessary to support multiple applications on a
single access card.
Readers presented with a card containing multiple Gallagher applications must
determine which application is the correct one for the site based on the site’s Facility
Code and Mifare site key.
To optimise reader performance, from Command Centre v7.00 all Mifare cards are
encoded with a lookup table that maps the Facility Codes on the card to the access
applications on the card. This lookup table is named the ‘Card Application Directory’
(CAD).
The CAD:
Mifare CAD read key Default Application Maximum number
card sector* ID of entries
Classic Same as MAD A key 14 0x4811 12
Plus Same as MAD A key 14 0x4811 12
DESFire None (open for reading) N/A 0xF4812F 15
*If sector 14 is not available, the CAD will be encoded to the first unused sector (starting
from sector 1 upwards).
Notes:
• The MAD is the Mifare Application Directory. The MAD is always encoded on sectors
0 and 16.
• Mifare Plus cards that will be used for multiple applications should not be encoded
with the Random ID’s feature enabled.
Mifare Classic and Plus card example:
Next is an example of the MAD and CAD sectors on a Mifare Classic or Plus card,
showing which sectors contain Gallagher applications and the Facility Codes encoded on
each sector.
MAD (Sector 0) CAD (default sector 14)
Sector Application ID Entry Facility Code Sector
1 0 A11111 15
2 1 B22222 13
3 2 C33333 12
4 3
5 4
6 5
7 6
8 7
9 8
10 9
11 10
12 0x4812 (Gallagher Access) 11
13 0x4812 (Gallagher Access)
14 0x4811 (CAD)
15 0x4812 (Gallagher Access)

2 August 2011
 Overview Document Mifare Multiple Application Encoding

Scenario 1 (refer to Diagram 1 on page 5):

1. Site 1 and Site 2 use the same Mifare site key.
2. Site 1 issues Mifare cards encoded with the Mifare site key and their Facility Code,
(e.g. A11111).
3. Site 2 creates a Card Type with Facility Code A11111 and enrols cardholders with
cards using Card Type A11111 and the same card numbers as Site 1.
4. If Mifare Plus or DESFire cards are being used and the Mifare site key used is not the
default site key, a key change Admin card needs to be encoded and presented to
each T Series reader to change the readers’ Mifare key (refer to the Admin Cards
section later).
Note: Any Mifare Plus or DESFire cards encoded prior to the key change will need to
be re-encoded with the new key.
5. Readers on either site will read the single access application on the card.

Scenario 2 (refer to Diagram 1 on page 5):

1. Site 1 and Site 2 use the same Mifare site key.
2. Site 1 issues Mifare cards encoded with the Mifare site key and their Facility Code,
(e.g. A11111).
3. Site 2 re-encodes the Mifare cards to a different sector/application with the same
Mifare site key and their Facility Code, (e.g. B22222).
4. Site 1 and Site 2 encodes their own Facility Code list (and if necessary key change)
Admin card (refer Admin Cards section later) and presents them at their Cardax IV
connected T Series readers to update the list of Facility Codes on the readers. This
will ensure the correct card sector/application is read.

Scenario 3 (refer to Diagram 2 on page 6):

1. Site 1 issues Mifare Plus or DESFire cards encoded with their own unique Mifare site
key and Facility Code, (e.g. A11111).
2. Site 1 provides Site 2 with the Mifare Plus MAD write key or the Mifare DESFire
default application key (from Server Properties – Card Security -- Advanced) to enter
into the encoding objects properties (refer User Guide).
3. Site 2 re-encodes the Mifare cards to a different sector/application with their own
unique Mifare site key and Facility Code, (e.g. B22222).
4. Site 1 and Site 2 encode their own Key Change and Facility Code List Admin card
(refer Admin Cards section later) and presents them at their T Series readers to
change the Mifare site key and list of Facility Codes on the readers. This will ensure
the correct card sector/application is read.

August 2011 Page 3

Mifare Multiple Application Encoding Overview Document

Diagram 1 - Encoding Mifare Classic, Plus or DESFire cards

Scenario 1 or Scenario 2 - Sites use the same Mifare site key

4 August 2011
Overview Document Mifare Multiple Application Encoding

Diagram 2 - Encoding Mifare Plus or DESFire cards

Scenario 3 - Sites use a different Mifare site key

*Note: If the DESFire cards require CMK authentication, refer to the separate document
Encoding Mifare DESFire cards without the Card Master Key (DESFireCards.pdf).

August 2011 Page 5

 Mifare Multiple Application Encoding Overview Document

Admin Cards
Key change Admin Cards allow a site to change the Mifare site key of readers to allow
them to read Mifare Plus and Mifare DESFire cards encoded with their unique Mifare
site key.
Facility code list Admin Cards will load a list of allowed facility codes on to a reader,
enabling the reader to quickly locate the correct application on the card for their site.
Admin cards are configured and encoded from the Command Centre Server Properties –
Card Security – General property page. Refer to the Command Centre User Guide for
further information regarding configuring and encoding Admin Cards.
If Allow Admin card update at readers is enabled, when readers are presented with an
Admin Card they will read and update their Mifare site key and/or Facility Code list, and
will indicate this has occurred as follows:
• White LED flashes and three beeps from the readers will indicate the Admin Card has
been read and the new Mifare site key and/or Facility Code list have been received.
For Scenario 2:
• Site is using the default Mifare site key
• Site is using access cards encoded with multiple applications
1. Create Card Types for any non-licenced Facility Codes.
2. Enable Update Facility Code list on Server Properties – Card Security – General
page.
3. Encode the Facility Code list Admin Card.
4. Enable Allow Admin Card update at readers.
5. Present Admin card at Cardax IV connected T Series readers.
6. New Facility Codes automatically sent to HBUS readers.
7. Disable Allow Admin Card update at readers.

For Scenario 3:
Option 1 - HBUS Readers Mifare key will be changed over the network.
• Site is using a unique Mifare site key
• Site is using access cards encoded with multiple applications
• Send reader key updates via the network is enabled on Server Properties – Card
Security – Advanced page.
1. Create Card Types for any non-licenced Facility Codes.
2. Enter unique Mifare site key on Server Properties – Card Security – General
page.
3. Enable Add Mifare site key to the Admin Card.
4. Enable Update Facility Code list.
5. Encode Key change and Facility Code list Admin Card.
6. Enable Allow Admin Card update at readers.
7. Present Admin card at Cardax IV connected T Series readers.
8. New Mifare site key automatically sent to HBUS readers over the network.
9. New Facility Codes automatically sent to HBUS readers.
10. Disable Allow Admin Card update at readers.

6 August 2011
 Overview Document Mifare Multiple Application Encoding

Option 2 – HBUS readers Mifare key will be changed via Admin Card.
• Send reader key updates via the network is disabled on Server Properties – Card
Security – Advanced page.
1. Create Card Types for any non-licenced Facility Codes.
2. Enter unique Mifare site key on Server Properties – Card Security – General
page.
3. Enable Add Mifare site key to the Admin Card.
4. Enable Update Facility Code list.
5. Encode Key change and Facility Code list Admin Card.
6. Enable Allow Admin Card update at readers.
7. Present Admin card at Cardax IV readers T Series readers.
8. Present Admin card at HBUS readers.
9. New Facility Codes automatically sent to HBUS readers.
10. Disable Allow Admin Card update at readers.

Reader process for reading cards

T Series readers can be loaded with a list of Facility Codes (using an appropriately
encoded Admin Card) which will be compared to the cards list of Facility Codes in the
CAD to find the correct application for the site.
The readers’ process for reading a Mifare Classic or Plus access control card that has a
CAD encoded:
1. Read the MAD Sector.
2. Locate the CAD application in the MAD.
3. Read the CAD sector referenced by the MAD.
4. Scan the CAD until a Facility Code is found that matches a Facility Code in the readers
list of Facility Codes.
5. Read the application sector referenced by the CAD.
6. If the application sector cannot be read, scan the card for another Gallagher
application that can be read.

The readers’ process for reading a Mifare DESFire access control card:
1. Locate the CAD application (application ID: 0xF4812F).
2. Scan the CAD until a Facility Code is found that matches a Facility Code in the readers
list of Facility Codes.
3. Read the application referenced by the CAD.
4. If the application cannot be read, scan the card for another Gallagher application that
can be read.

August 2011 Page 7

 Mifare Multiple Application Encoding Overview Document

Disclaimer
This document gives certain information about products and/or services provided by
Gallagher Group Limited or its related companies (referred to as “Gallagher Group”).

The information is indicative only and is subject to change without notice meaning it
may be out of date at any given time. Although every commercially reasonable effort
has been taken to ensure the quality and accuracy of the information, Gallagher Group
makes no representation as to its accuracy or completeness and it should not be relied
on as such. To the extent permitted by law, all express or implied, or other
representations or warranties in relation to the information are expressly excluded.

Neither Gallagher Group nor any of its directors, employees or other representatives
shall be responsible for any loss that you may incur, either directly or indirectly, arising
from any use or decisions based on the information provided.

Except where stated otherwise, the information is subject to copyright owned by

Gallagher Group and you may not sell it without permission. Gallagher Group is the
owner of all trademarks reproduced in this information. All trademarks which are not
the property of Gallagher Group, are acknowledged.

Copyright © Gallagher Group Limited 2015. All rights reserved.

8 August 2011