Symmetric key diversifications, MIFARE Plus, MIFARE DESFire EV1, MIFARE SAM AV2, Key diversification, CMAC, TDEA, AES.

Key diversification is the process of deriving keys from a master (base) key using some unique input. Each card gets a different value for each key, so that if one key is broken somehow (maybe from the terminal), the vulnerability is limited to that key on that card rather than affecting the whole system.

The diversified keys are generated and stored in the PICC during its personalization phase, so all cards get unique keys. In the validation process, the POS terminal gets the information needed to generate the unique key for the card that is presented. MIFARE SAM AV2 can be an optimum secure solution for this key diversification process. The master (base) key can be stored securely in the MIFARE SAM AV2 and can be used to generate or use only the diversified keys.

MIFARE SAM AV2 supports two types of key diversification:

• old method, based on classical encryption and backwards compatible with SAM AV1, and

• new method, based on CMAC calculation

In this document, only the key diversification based on CMAC calculation is discussed, as it is the recommended one and new to the MIFARE SAM product. AES (128-bit and 192-bit key length) and TDEA (2-key and 3-key TDES) keys can be diversified using this CMAC-based key diversification method.

In this document the algorithms are explained in such a way that they can easily be implemented in software in installations that have no SAM today but will use a SAM tomorrow.

All keys in a card can be derived from one master key; however, it is also possible to use a different master key for one set of keys versus another set of keys.

Table 1. Abbreviations

Abbreviation Meaning
AES Advanced Encryption Standard
AID Application ID
CBC Cipher-Block Chaining
CMAC Cipher based MAC
DES Data Encryption Standard
DF DESFire
IV Init Vector
LSB Lowest Significant Byte
MAC Message Authentication Code
MSB Most Significant Byte
PCD Proximity Coupling Device (reader/writer unit)
PICC Proximity Integrated Circuit Card
POS Point of Service
TDEA Triple Data Encryption Algorithm
UID Unique IDentification number

Examples presented in this document

The following symbols have been used to mention the operations in the examples: = Preparation of data by SAM, PICC or host.

Please note that the numerical data are used solely as examples. They appear in the text in order to clarify the commands and command data.

Any data, values and cryptograms are expressed in hex string format unless otherwise mentioned, e.g. 0x563412 in hex string format is represented as “123456”: Byte [0] = 0x12, Byte [1] = 0x34, Byte [2] = 0x56.

Key Diversification

Construction

For diversification, the way recommended by NXP is to use the CMAC construction over an amount of data using a master key. See [CMAC].

The pre-requisite is that there is enough input “diversification data” in order to make it a MAC. A MAC is used rather than encryption to make it a one way function.


Fig 1. CMAC construction (2 cases: left without padding, right with padding)

Fig 1 illustrates the standard CMAC constructions (see [CMAC]) in two possible padding cases.

According to [CMAC], to avoid certain classes of attack (in the CMAC), the last block is modified before ciphering by being XORed with one of two possible “sub key” values (denoted K1 or K2), derived from an encryption of the zero vector under the key in use; the choice of which sub key to use is determined by whether the last message block contains padding or not.

These computations can be abstracted by the function CMAC (K, D, padded). In the context of the key derivations described further in this document another primitive is used because the padding is performed in a non-CMAC standard way. The corresponding computations can be abstracted by the function CMAC(K, D, Padded), where K is the key to be diversified, D the diversification input data and Padded is a Boolean flag that signals to the CMAC(.,.,.) function whether M had to be padded or not.

If the keys are to be diversified per card, it is recommended to use as the diversification input at least the UID of the card concatenated with e.g.:

  • For MIFARE Plus: the block number where the key is stored. Note however that if multi-sector authentication is desired, all keys that need to be the same need to be generated using the same block number.
  • For MIFARE DESFire: key number concatenated with application number.

Note: In this implementation, two blocks of message (two times 16 bytes for AES and two times 8 bytes for TDEA) are always used.

AES-128 key

Input:

  • 1 to 31 bytes of diversification input (let’s name it “M”)
  • 16 bytes AES 128 bits master key (let’s name it “K”)

Output:

• 16 bytes AES 128 bits diversified key.

Algorithm:

1) Calculate CMAC input D:

D ← 0x01 || M || Padding

Padding is chosen such that D always has a length of 32 bytes. Padding bytes are according to the CMAC padding, i.e. 80h followed by 00h bytes. So the length of Padding is 0 to 30 bytes.

2) Calculate the Boolean flag ‘Padded’, which is true if M is less than 31 bytes long, false otherwise. The Boolean argument “Padded” is needed because AES128CMAC must know which of K1 or K2 is to be used in the last computation round.

3) Calculate output:

Diversified Key ← AES128CMAC (K, D, Padded)

Processing load:

One AES 128 key load, 3 AES 128 computations.

Fig 2 shows the algorithm as a block diagram.


Fig 2. Diversification of 128-bit AES key