Symmetric key diversifications, MIFARE Plus, MIFARE DESFire EV1, MIFARE SAM AV2, Key diversification, CMAC, TDEA, AES.

AES-192 key diversification example
Master key (K) = 00112233445566778899AABBCCDDEEFF0102030405060708, which will be diversified.

| Step | Indication | Data / Message | Comment |
|---|---|---|---|
| | CMAC sub key generation | | |
| 1 | Master key (K) | 00112233445566778899AABBCCDDEEFF0102030405060708 | The key which is going to be diversified. |
| 2 | K0 | 52DB5AFE7B64EFFAB1E92EEA983C5F73 | CIPHK(0b); AES(K, 16-byte 0s). |
| 3 | K1 | A5B6B5FCF6C9DFF563D25DD53078BEE6 | The first sub key, see [CMAC]. |
| 4 | K2 | 4B6D6BF9ED93BFEAC7A4BBAA60F17D4B | The second sub key, see [CMAC]. |
| | Diversified key generation | | |
| 5 | UID | 04782E21801D80 | 7-byte UID of the PICC. |
| 6 | Application ID | 3042F5 | 3-byte DESFire AID. |
| 7 | System Identifier | 4E585020416275 | ASCII of the system identifier name. |
| 8 | Diversification input (M) | 04782E21801D803042F54E585020416275 | Data from step 5 to step 7. It does not matter how the diversification input is built, but it must be unique for each PICC (here the UID is unique), and the same diversification input must be used in personalization and validation of the PICC. Maximum length of M is 31 bytes. |
| 9 | Add the Div Constant 2 at the beginning of M | 1104782E21801D803042F54E585020416275 | Div Constant 2 is fixed, must be 0x11 for AES 192 keys. |
| 10 | Do I need padding? | Yes | The algorithm always needs a 32-byte block for AES; so far the message is 18 bytes. |
| 11 | Padding | 8000000000000000000000000000 | 14-byte padding to make a 32-byte block. |
| 12 | CMAC input D1 | 1104782E21801D803042F54E5850204162758000000000000000000000000000 | 32 bytes. |
| 13 | Last 16 bytes XORed with K2 | 1104782E21801D803042F54E585020412918EBF9ED93BFEAC7A4BBAA60F17D4B | As padding is added, the last block is XORed with K2; if padding is not added, it is XORed with K1. |
| 14 | Encryption using K | C09ADDAE085769A6E25DE29E51DA3669CE39C8E1CD82D9A7869FE6A2EF75725D | Standard AES encryption with IV = 00s in CBC mode. |
| 15 | Derived key A | CE39C8E1CD82D9A7869FE6A2EF75725D | Last 16-byte block (CMAC). |
| 16 | Add the Div Constant 3 at the beginning of M | 1204782E21801D803042F54E585020416275 | Div Constant 3 is fixed, must be 0x12 for AES 192 keys. |
| 17 | CMAC input D2 | 1204782E21801D803042F54E5850204162758000000000000000000000000000 | Here the only difference is Div Constant 3, which is fixed to '12' for AES 192. |
| 18 | Last 16 bytes XORed with K2 | 1204782E21801D803042F54E585020412918EBF9ED93BFEAC7A4BBAA60F17D4B | As padding is added, the last block is XORed with K2; if padding is not added, it is XORed with K1. |
| 19 | Encryption using K | D052C22EA94BEFE1F748A9F5A675188A38440F75A580E97E176755EE7586E12C | Standard AES encryption with IV = 00s in CBC mode. |
| 20 | Derived key B | 38440F75A580E97E176755EE7586E12C | Last 16-byte block (CMAC). |
| 21 | First 8 bytes of derived key A | CE39C8E1CD82D9A7 | |
| 22 | Last 8 bytes of derived key A | 869FE6A2EF75725D | |
| 23 | First 8 bytes of derived key B | 38440F75A580E97E | |
| 24 | Step 22 XOR Step 23 | BEDBE9D74AF59B23 | |
| 25 | Last 8 bytes of derived key B | 176755EE7586E12C | |
| 26 | Diversified Key | CE39C8E1CD82D9A7BEDBE9D74AF59B23176755EE7586E12C | Step 21 + Step 24 + Step 25. |

 

If the length of M is more than 15 bytes, the standard CMAC algorithm can be used directly, without taking care of the padding, XORing and encryption by hand. The messages for standard CMAC are then the data of step 9 and the data of step 16.
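The steps of the table as runnable code, an added example that is not part of the original application note: it assumes the Python `cryptography` package, and all function names are hypothetical. It goes slightly beyond the worked case by accepting any M of 1 to 31 bytes, and `library_cmac` is there to cross-check the standard-CMAC shortcut for M longer than 15 bytes.

```python
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def aes_cbc_zero_iv(key: bytes, data: bytes) -> bytes:
    """AES-CBC with an all-zero IV; data must be a multiple of 16 bytes."""
    enc = Cipher(algorithms.AES(key), modes.CBC(bytes(16))).encryptor()
    return enc.update(data) + enc.finalize()

def next_subkey(block: bytes) -> bytes:
    """CMAC subkey step: shift left one bit, XOR 0x87 if the MSB was set."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(16, "big")

def cmac_subkeys(key: bytes):
    k0 = aes_cbc_zero_iv(key, bytes(16))      # step 2
    k1 = next_subkey(k0)                      # step 3
    return k0, k1, next_subkey(k1)            # step 4

def derive_half(key: bytes, div_const: int, m: bytes) -> bytes:
    """Steps 9-15: CMAC over div_const || M, padded to one 32-byte input."""
    if not 1 <= len(m) <= 31:
        raise ValueError("M must be 1 to 31 bytes")
    d = bytes([div_const]) + m
    padded = len(d) < 32
    d += (b"\x80" + bytes(31 - len(d))) if padded else b""
    _, k1, k2 = cmac_subkeys(key)
    last = bytes(a ^ b for a, b in zip(d[16:], k2 if padded else k1))
    return aes_cbc_zero_iv(key, d[:16] + last)[16:]

def diversify_aes192(key: bytes, m: bytes) -> bytes:
    if len(key) != 24:
        raise ValueError("AES-192 master key must be 24 bytes")
    a = derive_half(key, 0x11, m)             # derived key A
    b = derive_half(key, 0x12, m)             # derived key B
    mid = bytes(x ^ y for x, y in zip(a[8:], b[:8]))   # step 24
    return a[:8] + mid + b[8:]                # step 26

def library_cmac(key: bytes, msg: bytes) -> bytes:
    c = cmac.CMAC(algorithms.AES(key))        # standard CMAC, for comparison
    c.update(msg)
    return c.finalize()

K = bytes.fromhex("00112233445566778899AABBCCDDEEFF0102030405060708")  # step 1
M = bytes.fromhex("04782E21801D80" "3042F5" "4E585020416275")  # steps 5-7

if __name__ == "__main__":
    print(diversify_aes192(K, M).hex().upper())
```

For M of 15 bytes or fewer, `derive_half` and `library_cmac` give different results, because the construction pads to 32 bytes while standard CMAC pads to 16.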

TDEA key

Input:
  • 1 to 15 bytes of diversification input (let’s name it “M”)
  • 16 bytes 2TDEA master key (let’s name it “K”)

Output:

• 16 bytes 2TDEA diversified key.

Algorithm:

1) Calculate CMAC input D1 and D2:

D1 ← 0x21 || M || Padding

D2 ← 0x22 || M || Padding

Padding is chosen such that D1 and D2 always have a length of 16 bytes. Padding bytes are according to the CMAC padding, i.e. 80h followed by 00h bytes. So the length of Padding is 0 to 14 bytes.

2) Calculate the Boolean flag "Padded", which is true if M is less than 15 bytes long, false otherwise. The Boolean argument "Padded" is needed because TDEACMAC must know whether K1 or K2 is to be used in the last computation round.

3) Calculate output:

DerivedKey1 = TDEACMAC(K, D1, Padded)

DerivedKey2 = TDEACMAC(K, D2, Padded)

16-byte diversified key = DerivedKey1 || DerivedKey2.

Processing load: one 2TDEA key load, 6 2TDEA computations. The number of TDEA operations can be reduced to 5 if the CMAC K1 and/or K2 can be reused.
Remark: The master key can only be used about 1 million times if one wants to comply with SP 800-38B. This means that the construction suggested here can be used for 500000 cards. If more than 500000 cards are needed, and if duplicate keys are not acceptable for the application, a two-level key diversification mechanism could be used.
Fig 4 shows the algorithm as a block diagram.


MIFARE DESFire products store key version information in the least significant bits of the first 8 bytes of the 2TDEA key. If this versioning information is to be preserved, it is to be copied from the master key into the diversified key.