Symmetric key diversifications, MIFARE Plus, MIFARE DESFire EV1, MIFARE SAM AV2, Key diversification, CMAC, TDEA, AES.

AES-128 key diversification example
Master key (K) = 00112233445566778899AABBCCDDEEFF, which will be diversified.
Table 2. Example – AES 128 key diversification

step Indication   Data / Message Comment
CMAC sub key generation         
1 Master key (K) = 001122334455667788 99AABBCCDDEEFF The key, which is going to be diversified
2 K0 = FDE4FBAE4A09E020 EFF722969F83832B CIPHK(0b), AES (K, 16-byte 0s). 
3 K1 = FBC9F75C9413C041 DFEE452D3F0706D1 The first sub key, see in [CMAC].
4 K2 = F793EEB928278083B FDC8A5A7E0E0D25 The second sub key, see in [CMAC].
step Indication   Data / Message Comment
Diversified key generation  
5 UID = 04782E21801D80 7-byte UID of  PICC
6 Application ID = 3042F5 3- byte DESFire AID
7 System Identifier = 4E585020416275 ASCII of system identifier name
8 Diversification input (M) = 04782E21801D80304 2F54E585020416275 Data from step 5 to step 7. It doesn’t matter how you make your diversification input, diversification input must be unique for unique PICC e.g. here the UID is unique and the same diversification input must be used in personalization and validation of the PICC. Maximum length of M is 31 bytes.
9 Add the Div Constant 1 at the beginning of M = 0104782E21801D803 042F54E5850204162 75 Div constant is fixed, must be 0×01 for AES 128 keys.
10 Do I need Padding = Yes The algorithm always needs 32-byte block for AES; so far we have 18 bytes (step 9).
11 Padding = 800000000000000000 0000000000 14-byte padding to make 32-byte block.
12 CMAC input D = 0104782E21801D803 042F54E5850204162 758000000000000000 000000000000 32 bytes.
13 Last 16-byte is XORed with K2 = 0104782E21801D803 042F54E5850204195 E66EB928278083BF DC8A5A7E0E0D25 As the padding is added the last block is XORed with K2, if padding is not added, then XORed with K1. 
14 Encryption using  K = 351DB989A47CCA64 84CCE346FD5AE767 A8DD63A3B89D54B3 7CA802473FDA9175 Standard AES encryption with IV = 00s in CBC mode
15 Diversified key = A8DD63A3B89D54B3 7CA802473FDA9175 Last 16-byte block. (CMAC)

If the length of M is more than 15 bytes, standard CMAC algorithm can be used, without taking care of padding, X-ORing and encryption. The message for standard CMAC is then the data of step 9. 

AES-192 key

Input:
  • 1 to 31 bytes of diversification input (let’s name it “M”).
  • 24 bytes AES 192 bits master key (let’s name it “K”).

Output:

• 24 bytes AES 192 bits diversified key.

Algorithm:

1) Calculate CMAC input D1 and D2: D1 ← 0×11 || M || Padding D2 ← 0×12 || M || Padding Padding is chosen such that D1 and D2 always have a length of 32 bytes.

Padding bytes are according to the CMAC padding, i.e. 80h followed by 00h bytes. So the length of Padding is 0 to 30 bytes.

2) Calculate the boolean flag ‘Padded’, which is true if M is less than 31 bytes long, false otherwise. The Boolean argument “Padded” is needed because it must be known in AES192CMAC which K1 or K2 is to be used in the last computation round.

3) Calculate output: DerivedKeyA ← AES192CMAC(K, D1, Padded) DerivedKeyB ← AES192CMAC(K, D2, Padded) DiversifiedKey ← first 8 bytes of DerivedKeyA || (next 8 bytes of

DerivedKeyA XOR first 8 bytes of DerivedKeyB) || next 8 bytes of DerivedKeyB

Processing load:

One AES 192 key load, 6 AES 192 computations

If the special CMAC keys K1 and/or K2 can be reused from one to the following AES_CMAC operation then we will need only 5 AES computations. But this depends on the HW implementation of the CMAC operation.

Fig 3 shows the algorithm as a block diagram.

DESFire 4K Pre-printed Card,Mifare DESFire 4K Full Colour Printing Cards,Mifare DESFire EV1 4K Contactless Smart Cards,

Fig 3. Diversification of 192-bit AES key