Symmetric key diversifications, MIFARE Plus, MIFARE DESFire EV1, MIFARE SAM AV2, Key diversification, CMAC, TDEA, AES.

2TDEA key diversification example
Master key (K) = 00112233445566778899AABBCCDDEEFF, which will be diversified.
Table 4. Example – 2TDEA key diversification

step Indication   Data / Message Comment
CMAC sub key generation   
1 Master key (K) = 001122334455667788 99AABBCCDDEEFF The key, which is going to be diversified
2 K0 = FB09759972301AF4 CIPHK(0b), 2DEA(K, 8-byte 0s).
3 K1 = F612EB32E46035F3 The first sub key, see in [CMAC].
4 K2 = EC25D665C8C06BFD The second sub key, see in [CMAC].
Diversified key generation  
5 UID = 04782E21801D80 7-byte UID of  PICC
6 Application ID = 3042F5 3- byte DESFire AID
7 System Identifier = 4E58502041 ASCII of system identifier name
8 Diversification input (M) = 04782E21801D80304 2F54E58502041 Data from step 5 to step 7. It doesn’t matter how you specify your diversification input, the main thing, Diversification input must be unique for unique PICC e.g. here the UID is unique and the same diversification input must be used in personalization and validation of the PICC. This has to be up to 16 bytes.
9 Add the TDEA Div Constant 1 at the beginning of M = 2104782E21801D803 042F54E58502041 It is fixed, must be ‘21’ for 2TDEA keys.
10 Do I need Padding = No The algorithm always needs 16-byte block for TDEA, Here message is 16 bytes.
11 CMAC input D1 = 2104782E21801D803 042F54E58502041 16 bytes
12 Last 8-byte is XORed with K1 = 2104782E21801D80C 6501E7CBC3015B2 As the padding is NOT added the last block is XORed with K1, if padding is added, then XOR with K2. 
13 Encryption using  K = 5B7B81DCDE98A6BE 16F8597C9E8910C8 Standard TDEA encryption with IV = 00s in CBC mode
14 Derived Key 1 = 16F8597C9E8910C8 CMAC
15 Add the TDEA Div Constant 2 at the beginning of M   2204782E21801D803 042F54E58502041  
16 Do I need Padding = No The algorithm always needs 16-byte block for TDEA, Here message is 16 bytes.
17 CMAC input D1   2204782E21801D803 042F54E58502041 16 bytes
18 Last 8-byte is XORed with K1 = 2204782E21801D80C 6501E7CBC3015B2 As the padding is NOT added the last block is XORed with K1, if padding is added, then XOR with K2. 
19 Encryption using  K = D2292CCE0B8106CE 6B9648D006107DD7 Standard TDEA encryption with IV = 00s in CBC mode
20 Derived Key 2 = 6B9648D006107DD7 CMAC
21 2TDEA diversified key (without restoring the key version) = 16F8597C9E8910C8 6B9648D006107DD7 Step 15 + step 20.
The lowest significant bit of every key byte is not used in DES calculation. MIFARE DESFire and SAMs use the lowest significant bit of first eight bytes key as the key version. In this example the version of master key = 0×55 (01010101b). These version bits are required to insert in the diversified key as well, to make the same key version for master key and diversified keys.
22 2TDEA diversified key (after inserting the key version) = 16F9587D9E8910C9 6B9648D006107DD7  

If the length of M is more than 7 bytes, standard CMAC algorithm can be used, without taking care of padding, X-ORing and encryption. The message for standard CMAC is then the data of step 9 and data of step 15.

3TDEA key

Input:
  • 1 to 15 bytes of diversification input (let’s name it “M”)
  • 24 bytes 3TDEA master key (let’s name it “K”)

Output:

• 24 bytes 3TDEA diversified key.

Algorithm:

1) Calculate CMAC input D1, D2 and D3: D1 ← 0×31 || M || Padding D2 ← 0×32 || M || Padding D3 ← 0×33 || M || Padding Padding is chosen such that D1, D2 and D3 always have a length of 16 bytes.

Padding bytes are according to the CMAC padding, i.e. 80h followed by 00h bytes. So the length of Padding is 0 to 14 bytes.

2) Calculate the boolean flag ‘Padded’, which is true if M is less than 15 bytes long, false otherwise. The Boolean argument “Padded” is needed because it must be known in TDEACMAC which K1 or K2 is to be used in the last computation round.

3) Calculate output:

DerivedKey1 = TDEACMAC(K, D1, Padded) DerivedKey2 = TDEACMAC(K, D2, Padded) DerivedKey3 = TDEACMAC(K, D3, Padded) 16-byte diversified key = DerivedKey1 || DerivedKey2 || DerivedKey3.

Processing load: one 3TDEA key load, 9 3TDEA computations

Remark: The master key can only be used about 1 million times if one wants to comply to SP 800-38B. This means that the construction suggested here can be used for about 330000 cards. If more than 330000 cards are needed, and if duplicate keys are not acceptable for the application, a two level key diversification mechanism is used.

The Boolean argument “Padded” is needed because it must be known in TDEACMAC which K1 or K2 is to be used in the last computation round.

Fig 5 shows the algorithm as a block diagram.

 

RFID Mifare DESFire EV1 4K Printing Cards,Mifare DESFire EV1 4K Full Color Offset Printing Cards,Mifare DESFire EV1 4K Access Control Cards,

Fig 5. Diversification of 3TDEA key

MIFARE DESFire products store key version information in the lowest significant bits of the first 8 bytes 3TDEA key. If this versioning information is to be preserved, it is to be copied from the master key into the diversified key.