3TDEA key diversification example
Master key (K) = 00112233445566778899AABBCCDDEEFF0102030405060708, which will be diversified.
Table 5. Example – 3TDEA key diversification

Step | Indication | Data / Message | Comment
---- | ---------- | -------------- | -------
CMAC sub key generation | | |
1 | Master key (K) | 00112233445566778899AABBCCDDEEFF0102030405060708 | The key that is going to be diversified.
2 | K0 | 51F6AC7C734A0DE5 | CIPH_K(0^b): TDEA encryption of an 8-byte all-zero block under K.
3 | K1 | A3ED58F8E6941BCA | The first sub key, see [CMAC].
4 | K2 | 47DAB1F1CD28378F | The second sub key, see [CMAC].
Diversified key generation | | |
5 | UID | 04782E21801D80 | 7-byte UID of the PICC.
6 | Application ID | 3042F5 | 3-byte DESFire AID.
7 | System Identifier | 4E5850 | ASCII of the system identifier name ("NXP").
8 | Diversification input (M) | 04782E21801D803042F54E5850 | Concatenation of steps 5 to 7. How the diversification input is composed is up to the system designer; what matters is that it is unique per PICC (here the UID provides the uniqueness) and that the same input is used at personalization and at validation of the PICC. It may be up to 16 bytes long.
9 | After inserting TDEA Div constant 3 | 3104782E21801D803042F54E5850 | Fixed value; must be '31' for 3TDEA keys.
10 | Padding needed? | Yes | The input must consist of complete 8-byte TDEA blocks, i.e. 16 bytes here; the message is 14 bytes.
11 | CMAC input D1 | 3104782E21801D80 3042F54E58508000 | Padding '8000' added.
12 | Last 8 bytes XORed with K2 | 3104782E21801D80 779844BF9578B78F | Because padding was added, the last block is XORed with K2; if no padding is added, it is XORed with K1 instead.
13 | Encryption using K | 4C294A83A6829EC1 2F0DD03675D3FB9A | Standard TDEA encryption in CBC mode with IV = 00..00.
14 | Derived Key 1 | 2F0DD03675D3FB9A | The CMAC, i.e. the last 8-byte block of step 13.
15 | After inserting TDEA Div constant 4 in M | 3204782E21801D803042F54E5850 | Fixed value; must be '32' for 3TDEA keys.
16 | Padding needed? | Yes | The input must consist of complete 8-byte TDEA blocks, i.e. 16 bytes here; the message is 14 bytes.
17 | CMAC input D2 | 3204782E21801D80 3042F54E58508000 | Padding '8000' added.
18 | Last 8 bytes XORed with K2 | 3204782E21801D80 779844BF9578B78F | Diversification constant and diversification input; here the constant must be '32'.
19 | Encryption using K | 41A9459AB5B20990 5705AB0BDA91CA0B | Standard TDEA encryption in CBC mode with IV = 00..00.
20 | Derived Key 2 | 5705AB0BDA91CA0B | The CMAC, i.e. the last 8-byte block of step 19.
21 | After inserting TDEA Div constant 5 in M | 3304782E21801D803042F54E5850 | Fixed value; must be '33' for 3TDEA keys.
22 | Padding needed? | Yes | The input must consist of complete 8-byte TDEA blocks, i.e. 16 bytes here; the message is 14 bytes.
23 | CMAC input D3 | 3304782E21801D80 3042F54E58508000 | Padding '8000' added.
24 | Last 8 bytes XORed with K2 | 3304782E21801D80 779844BF9578B78F | Diversification constant and diversification input; here the constant must be '33'.
25 | Encryption using K | 7FABF1B71419AF15 55B8E07FCDBF10EC | Standard TDEA encryption in CBC mode with IV = 00..00.
26 | Derived Key 3 | 55B8E07FCDBF10EC | The CMAC, i.e. the last 8-byte block of step 25.
27 | Diversified 3TDEA key (before restoring the key version) | 2F0DD03675D3FB9A 5705AB0BDA91CA0B 55B8E07FCDBF10EC | 24-byte 3TDEA key: step 14 || step 20 || step 26.

Note: the least significant bit of every key byte is not used in the DES calculation. MIFARE DESFire and the SAMs use the least significant bits of the first eight key bytes as the key version. In this example the version of the master key is 0x55 (01010101b). These version bits must also be inserted into the diversified key, so that the master key and the diversified keys carry the same key version.

28 | Diversified 3TDEA key (after restoring the key version) | 2E0DD03774D3FA9B 5705AB0BDA91CA0B 55B8E07FCDBF10EC | The key version 0x55 of the master key has been written into the least significant bits of the first eight bytes.

If the length of M is more than 7 bytes, a standard CMAC implementation can be used directly, since it takes care of the padding, the XOR with the sub key and the encryption itself. The message passed to standard CMAC is then the data of step 9, step 15 and step 21 respectively.
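The procedure of Table 5, including the note above that a standard CMAC can replace the manual padding and XOR steps, as an added Go example (not code from the application note or from NXP). It uses Go's standard crypto/des for the 3-key TDEA block cipher, implements CMAC per NIST SP 800-38B, and reproduces the table's vectors; the key-version restore copies the least significant bit of each of the first eight master key bytes into the derived key.

```go
package main
import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)
// cmacSubkey turns K0 into K1 (or K1 into K2) per NIST SP 800-38B: shift left one bit, XOR Rb = 0x1B if the bit shifted out was 1.
func cmacSubkey(in []byte) []byte {
	v := binary.BigEndian.Uint64(in)
	out := make([]byte, 8)
	binary.BigEndian.PutUint64(out, (v<<1)^(0x1B*(v>>63)))
	return out
}
// tdeaCMAC is CMAC with 3-key TDEA: K0 = E_K(0^64); an incomplete last block is padded with 80 00.. and XORed with K2 (a complete one with K1); then CBC-MAC with IV = 0.
func tdeaCMAC(key, msg []byte) []byte {
	c, err := des.NewTripleDESCipher(key) // requires a 24-byte key
	if err != nil { panic(err) }
	bs, k0 := c.BlockSize(), make([]byte, c.BlockSize())
	c.Encrypt(k0, k0) // K0 = CIPH_K(0^b), Table 5 step 2
	buf, last := append([]byte{}, msg...), cmacSubkey(k0) // working copy of msg, K1
	if len(buf) == 0 || len(buf)%bs != 0 {
		buf = append(append(buf, 0x80), make([]byte, bs-1-len(buf)%bs)...)
		last = cmacSubkey(last) // padding was added, so the last block uses K2
	}
	for j := range last { buf[len(buf)-bs+j] ^= last[j] } // step 12: XOR sub key into the final block
	x := make([]byte, bs) // CBC chaining value, IV = 00..00
	for i := range buf {
		x[i%bs] ^= buf[i]
		if i%bs == bs-1 { c.Encrypt(x, x) } // encrypt each complete block, step 13
	}
	return x // the last ciphertext block is the CMAC, step 14
}
// Diversify3TDEA = CMAC(31||M) || CMAC(32||M) || CMAC(33||M); then the key-version bits (LSB of the first 8 master key bytes, which DES ignores) are copied into the derived key (step 28).
func Diversify3TDEA(master, m []byte) []byte {
	var out []byte
	for _, dc := range []byte{0x31, 0x32, 0x33} {
		out = append(out, tdeaCMAC(master, append([]byte{dc}, m...))...)
	}
	for i := 0; i < 8; i++ {
		out[i] = out[i]&0xFE | master[i]&1
	}
	return out
}
func main() {
	master, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF0102030405060708")
	m, _ := hex.DecodeString("04782E21801D803042F54E5850") // UID || AID || system identifier (steps 5 to 8)
	fmt.Printf("%X\n", Diversify3TDEA(master, m)) // 2E0DD03774D3FA9B5705AB0BDA91CA0B55B8E07FCDBF10EC
}
```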

The master keys must be stored securely if the algorithms are implemented in software. MIFARE SAM AV2 offers secure storage of the master keys and performs the diversification dynamically; for optimum security, using MIFARE SAM AV2 can be the best solution. The user is responsible for defining the master keys and must avoid weak keys, since neither the SAM nor the algorithms check the keys. In line with expert opinion, NXP recommends using AES instead of TDEA.