
AN10922

Symmetric key diversifications


Rev. 2.2 — 2 July 2019 Application note
165322 COMPANY PUBLIC

Document information
| Information | Content |
|---|---|
| Keywords | MIFARE Plus, MIFARE DESFire, MIFARE SAM AV3, Key diversification, CMAC, TDEA, AES. |
| Abstract | This Application note describes CMAC based symmetric key diversification algorithms supported by NXP’s MIFARE SAM AV3. |
NXP Semiconductors
AN10922
Symmetric key diversifications

Revision history
| Rev | Date | Description |
|---|---|---|
| 2.2 | 20190702 | Fixed the AES256 key diversification example |
| 2.1 | 20190417 | Update for MIFARE SAM AV3 |
| 2.0 | 20170208 | General update |
| 1.3 | 20100317 | Re-organization, addition of examples |
| 1.2 | 20100129 | Addition of AES-192, 2TDEA, 3TDEA key diversification algorithms |
| 1.1 | 20090813 | Editorial changes, no content change |
| 1.0 | 20081112 | Preliminary version |

AN10922 All information provided in this document is subject to legal disclaimers. © NXP B.V. 2019. All rights reserved.


1 Introduction
Key diversification is the process of deriving keys from a master (base) key using some
unique input. Each card gets a different value for each key, so that if one key is
broken somehow (for example, from the terminal), the vulnerability is limited to that key on
that card rather than affecting the whole system.
The diversified keys are generated and stored in the PICC during its personalization
phase, so all cards get unique keys. In the validation process, the POS terminal gets the
information needed to generate the unique key for the card that is presented. MIFARE
SAM AV3 can be an optimum secure solution for this key diversification process. The
master (base) key can be stored securely in the MIFARE SAM AV3 and can be used to
generate or use only the diversified keys.
MIFARE SAM AV3 supports two types of key diversification:
• old method, based on classical encryption, and
• new method, based on CMAC calculation
In this document, only the key diversification based on CMAC calculation is discussed, as
it is the recommended algorithm. AES (128 and 192-bit key length) and TDEA (2-key and
3-key TDES) keys can be diversified using this CMAC-based key diversification method.
The algorithms are explained in such a way that they can be implemented
easily in SW without a SAM today, and with a SAM tomorrow.
All keys in a card can be derived from one master key; however, it is also possible to use a
different master key for one set of keys versus another set of keys.

1.1 Abbreviations
Table 1. Abbreviations
| Abbreviation | Meaning |
|---|---|
| AES | Advanced Encryption Standard |
| AID | Application ID |
| CBC | Cipher Block Chaining |
| CMAC | Cipher based MAC |
| DES | Data Encryption Standard |
| DF | DESFire |
| IV | Init Vector |
| LSB | Lowest Significant Bit |
| MAC | Message Authentication Code |
| MSB | Most Significant Bit |
| PCD | Proximity Coupling Device (reader/writer unit) |
| PICC | Proximity Integrated Circuit Card |
| POS | Point Of Sales |
| SW | Software |
| TDEA | Triple Data Encryption Algorithm |
| UID | Unique Identification number |


1.2 Examples presented in this document


The following symbols have been used to denote the operations in the examples:
= Preparation of data by SAM, PICC or host.
Please note that the numerical data are used solely as examples. They appear in
the text in order to clarify the commands and command data.
Any data, values and cryptograms are expressed in hex string format unless otherwise
mentioned, e.g. 0x563412 is represented in hex string format as “123456”: Byte [0] = 0x12,
Byte [1] = 0x34, Byte [2] = 0x56.


2 Key Diversification

2.1 Construction
For diversification, NXP recommends using the CMAC construction over an
amount of data with a master key. See [CMAC].
The prerequisite is that there is enough input “diversification data” to make it a
MAC. A MAC is used rather than encryption to make it a one-way function.

Figure 1. CMAC construction (2 cases: left without padding, right with padding)

Fig 1 illustrates the standard CMAC constructions (see [CMAC]) in two possible padding
cases.
According to [CMAC], to avoid certain classes of attack (in the CMAC), the last block
is modified before ciphering by being XORed with one of two possible “sub key” values
(denoted K1 or K2), derived from an encryption of the zero vector under the key in use;
the choice of which sub key to use is determined by whether the last message block
contains padding or not.
These computations can be abstracted by the function CMAC (K, D, padded). In the
context of the key derivations described further in this document another primitive is used
because the padding is performed in a non-CMAC standard way. The corresponding
computations can be abstracted by the function CMAC (K, D, Padded), where K is the
key to be diversified, D the diversification input data and Padded is a Boolean flag that
signals to the CMAC(.,.,.) function whether M had to be padded or not.
If the keys are to be diversified per card, it is recommended to use for the diversification
input at least the UID of the card concatenated with e.g.
• For MIFARE Plus family: the block number where the key is stored. Note however that
if multi-sector authentication is desired, all keys that need to be the same need to be
generated using same block number.
• For MIFARE DESFire family: key number concatenated with application number.
Note: In this implementation, always two blocks (two times 16-byte for AES and
two times 8-byte for TDEA) of message have been used.

2.2 AES-128 key


Input:
• 1 to 31 bytes of diversification input (let’s name it “M”)
• 16 bytes AES 128 bits master key (let's name it “K”)
Output:
• 16 bytes AES 128 bits diversified key.
Algorithm:
1. Calculate CMAC input D:
2. D = 0x01 || M || Padding
3. Padding is chosen such that D always has a length of 32 bytes. Padding bytes are
according to the CMAC padding, i.e. 80h followed by 00h bytes. So the length of
Padding is 0 to 30 bytes.
4. Calculate the Boolean flag ‘Padded’, which is true if M is less than 31 bytes long, false
otherwise. The Boolean argument “Padded” is needed because it must be known in
AES128CMAC which K1 or K2 is to be used in the last computation round.
5. Calculate output:
6. Diversified Key = AES128CMAC (K, D, Padded)
Processing load:
One AES 128 key load, 3 AES 128 computations
Fig 2 shows the algorithm as a block diagram.

Figure 2. Diversification of 128-bit AES key


2.2.1 AES-128 key diversification example


Master key (K) = 00112233445566778899AABBCCDDEEFF, which will be diversified.

Table 2. Example – AES 128 key diversification


| Step | Indication | Data / Message | Comment |
|---|---|---|---|
| | CMAC sub key generation | | |
| 1 | Master key (K) | 00112233445566778899AABBCCDDEEFF | The key, which is going to be diversified |
| 2 | K0 | FDE4FBAE4A09E020EFF722969F83832B | CIPH_K(0^b), AES (K, 16-byte 0s). |
| 3 | K1 | FBC9F75C9413C041DFEE452D3F0706D1 | The first sub key, see in [CMAC]. |
| 4 | K2 | F793EEB928278083BFDC8A5A7E0E0D25 | The second sub key, see in [CMAC]. |
| | Diversified key generation | | |
| 5 | UID | 04782E21801D80 | 7-byte UID of PICC |
| 6 | Application ID | 3042F5 | 3-byte DESFire AID |
| 7 | System Identifier | 4E585020416275 | ASCII of system identifier name |
| 8 | Diversification input (M) | 04782E21801D803042F54E585020416275 | Data from step 5 to step 7. It doesn’t matter how you make your diversification input, diversification input must be unique for unique PICC e.g. here the UID is unique and the same diversification input must be used in personalization and validation of the PICC. Maximum length of M is 31 bytes. |
| 9 | Add the Div Constant 1 at the beginning of M | 0104782E21801D803042F54E585020416275 | Div constant is fixed, must be 0x01 for AES 128 keys. |
| 10 | Do I need Padding | Yes | The algorithm always needs 32-byte block for AES; so far we have 18 bytes (step 9). |
| 11 | Padding | 8000000000000000000000000000 | 14-byte padding to make 32-byte block. |
| 12 | CMAC input D | 0104782E21801D803042F54E5850204162758000000000000000000000000000 | 32 bytes |
| 13 | Last 16-byte is XORed with K2 | 0104782E21801D803042F54E5850204195E66EB928278083BFDC8A5A7E0E0D25 | As the padding is added the last block is XORed with K2, if padding is not added, then XORed with K1. |
| 14 | Encryption using K | 351DB989A47CCA6484CCE346FD5AE767A8DD63A3B89D54B37CA802473FDA9175 | Standard AES encryption with IV = 00s in CBC mode |
| 15 | Diversified key | A8DD63A3B89D54B37CA802473FDA9175 | Last 16-byte block. (CMAC) |

If the length of M is more than 15 bytes, standard CMAC algorithm can be used, without
taking care of padding, XOR and encryption. The message for standard CMAC is then
the data of step 9.

2.3 AES-192 key


Input:
• 1 to 31 bytes of diversification input (let’s name it “M”).
• 24 bytes AES 192 bits master key (let's name it “K”).
Output:
• 24 bytes AES 192 bits diversified key.
Algorithm:
1. Calculate CMAC input D1 and D2:
2. D1 = 0x11 || M || Padding
3. D2 = 0x12 || M || Padding
4. Padding is chosen such that D1 and D2 always have a length of 32 bytes. Padding
bytes are according to the CMAC padding, i.e. 80h followed by 00h bytes. So the
length of Padding is 0 to 30 bytes.
5. Calculate the Boolean flag ‘Padded’, which is true if M is less than 31 bytes long, false
otherwise. The Boolean argument “Padded” is needed because it must be known in
AES192CMAC which K1 or K2 is to be used in the last computation round.
6. Calculate output:
7. DerivedKeyA = AES192CMAC(K, D1, Padded)
8. DerivedKeyB = AES192CMAC(K, D2, Padded)
9. DiversifiedKey = first 8 bytes of DerivedKeyA || (next 8 bytes of DerivedKeyA XOR first
8 bytes of DerivedKeyB) || next 8 bytes of DerivedKeyB
Processing load:
One AES 192 key load, 6 AES 192 computations
If the special CMAC keys K1 and/or K2 can be reused from one to the following
AES_CMAC operation, then we will need only 5 AES computations. But this depends on
the HW implementation of the CMAC operation.
Fig 3 shows the algorithm as a block diagram.


Figure 3. Diversification of 192-bit AES key

2.3.1 AES-192 key diversification example


Master key (K) = 00112233445566778899AABBCCDDEEFF0102030405060708, which
will be diversified.

Table 3. Example – AES 192 key diversification


| Step | Indication | Data / Message | Comment |
|---|---|---|---|
| | CMAC sub key generation | | |
| 1 | Master key (K) | 00112233445566778899AABBCCDDEEFF0102030405060708 | The key, which is going to be diversified |
| 2 | K0 | 52DB5AFE7B64EFFAB1E92EEA983C5F73 | CIPH_K(0^b), AES (K, 16-byte 0s). |
| 3 | K1 | A5B6B5FCF6C9DFF563D25DD53078BEE6 | The first sub key, see in [CMAC]. |
| 4 | K2 | 4B6D6BF9ED93BFEAC7A4BBAA60F17D4B | The second sub key, see in [CMAC]. |
| | Diversified key generation | | |
| 5 | UID | 04782E21801D80 | 7-byte UID of PICC |
| 6 | Application ID | 3042F5 | 3-byte DESFire AID |
| 7 | System Identifier | 4E585020416275 | ASCII of system identifier name |
| 8 | Diversification input (M) | 04782E21801D803042F54E585020416275 | Data from step 5 to step 7. It doesn’t matter how you make your diversification input, diversification input must be unique for unique PICC e.g. here the UID is unique and the same diversification input must be used in personalization and validation of the PICC. Maximum length of M is 31 bytes. |
| 9 | Add the Div Constant 2 at the beginning of M | 1104782E21801D803042F54E585020416275 | Div constant 2 is fixed, must be 0x11 for AES 192 keys. |
| 10 | Do I need Padding | Yes | The algorithm always needs 32-byte block for AES; so far we have 18 bytes. |
| 11 | Padding | 8000000000000000000000000000 | 14-byte padding to make 32-byte block. |
| 12 | CMAC input D1 | 1104782E21801D803042F54E5850204162758000000000000000000000000000 | 32 bytes |
| 13 | Last 16-byte is XORed with K2 | 1104782E21801D803042F54E585020412918EBF9ED93BFEAC7A4BBAA60F17D4B | As the padding is added the last block is XORed with K2, if padding is not added, then XORed with K1. |
| 14 | Encryption using K | C09ADDAE085769A6E25DE29E51DA3669CE39C8E1CD82D9A7869FE6A2EF75725D | Standard AES encryption with IV = 00s in CBC mode |
| 15 | Diversified key A | CE39C8E1CD82D9A7869FE6A2EF75725D | Last 16-byte block. (CMAC) |
| 16 | Add the Div Constant 3 at the beginning of M | 1204782E21801D803042F54E585020416275 | Div Constant 3 is fixed, must be 0x12 for AES 192 keys. |
| 17 | CMAC input D2 | 1204782E21801D803042F54E5850204162758000000000000000000000000000 | Here the only difference is Div Constant 3, which is ‘12’ fixed for AES 192. |
| 18 | Last 16-byte is XORed with K2 | 1204782E21801D803042F54E585020412918EBF9ED93BFEAC7A4BBAA60F17D4B | As the padding is added the last block is XORed with K2, if padding is not added, then XORed with K1. |
| 19 | Encryption using K | D052C22EA94BEFE1F748A9F5A675188A38440F75A580E97E176755EE7586E12C | Standard AES encryption with IV = 00s in CBC mode |
| 20 | Derived key B | 38440F75A580E97E176755EE7586E12C | Last 16-byte block. (CMAC) |
| 21 | First 8-byte of derived key A | CE39C8E1CD82D9A7 | |
| 22 | Last 8-byte of derived key A | 869FE6A2EF75725D | |
| 23 | First 8-byte of derived key B | 38440F75A580E97E | |
| 24 | Step 22 XOR step 23 | BEDBE9D74AF59B23 | |
| 25 | Last 8-byte of derived key B | 176755EE7586E12C | |
| 26 | Diversified Key | CE39C8E1CD82D9A7BEDBE9D74AF59B23176755EE7586E12C | Step 21 + Step 24 + step 25 |

If the length of M is more than 15 bytes, standard CMAC algorithm can be used, without
taking care of padding, XOR and encryption. The message for standard CMAC is then
the data of step 9 and data of step 16.

2.4 AES-256 key


Input:
• 1 to 31 bytes of diversification input (let’s name it “M”).
• 32 bytes AES 256 bits master key (let's name it “K”).
Output:
• 32 bytes AES 256 bits diversified key.
Algorithm:
1. Calculate CMAC input D1 and D2:
2. D1 = 0x41 || M || Padding
3. D2 = 0x42 || M || Padding
4. Padding is chosen such that D1 and D2 always have a length of 32 bytes. Padding
bytes are according to the CMAC padding, i.e. 80h followed by 00h bytes. So the
length of Padding is 0 to 30 bytes.
5. Calculate the Boolean flag ‘Padded’, which is true if M is less than 31 bytes long, false
otherwise. The Boolean argument “Padded” is needed because it must be known in
AES256CMAC which K1 or K2 is to be used in the last computation round.
6. Calculate output:
7. DerivedKeyA = AES256CMAC(K, D1, Padded)
8. DerivedKeyB = AES256CMAC(K, D2, Padded)
9. DiversifiedKey = DerivedKeyA || DerivedKeyB
Processing load:
One AES 256 key load, 6 AES 256 computations


If the special CMAC keys K1 and/or K2 can be reused from one to the following
AES_CMAC operation, then we will need only 5 AES computations. But this depends on
the HW implementation of the CMAC operation.
Fig 3 shows the algorithm as a block diagram.

Figure 4. Diversification of 256-bit AES key

2.4.1 AES-256 key diversification example


Master key (K) =
00112233445566778899AABBCCDDEEFF0102030405060708090A0B0C0D0E0F00,
which will be diversified.

Table 4. Example – AES 256 key diversification


| Step | Indication | Data / Message | Comment |
|---|---|---|---|
| | CMAC sub key generation | | |
| 1 | Master key (K) | 00112233445566778899AABBCCDDEEFF0102030405060708090A0B0C0D0E0F00 | The key, which is going to be diversified |
| 2 | K0 | 07FFEC1BEDF68CE6D3D1BAE8512F9813 | CIPH_K(0^b), AES (K, 16-byte 0s). |
| 3 | K1 | 0FFFD837DBED19CDA7A375D0A25F3026 | The first sub key, see in [CMAC]. |
| 4 | K2 | 1FFFB06FB7DA339B4F46EBA144BE604C | The second sub key, see in [CMAC]. |
| | Diversified key generation | | |
| 5 | UID | 04782E21801D80 | 7-byte UID of PICC |
| 6 | Application ID | 3042F5 | 3-byte DESFire AID |
| 7 | System Identifier | 4E585020416275 | ASCII of system identifier name |
| 8 | Diversification input (M) | 04782E21801D803042F54E585020416275 | Data from step 5 to step 7. It doesn’t matter how you make your diversification input, diversification input must be unique for unique PICC e.g. here the UID is unique and the same diversification input must be used in personalization and validation of the PICC. Maximum length of M is 31 bytes. |
| 9 | Add the Div Constant 2 at the beginning of M | 4104782E21801D803042F54E585020416275 | Div constant 2 is fixed, must be 0x41 for AES 256 keys. |
| 10 | Do I need Padding | Yes | The algorithm always needs 32-byte block for AES; so far we have 18 bytes. |
| 11 | Padding | 8000000000000000000000000000 | 14-byte padding to make 32-byte block. |
| 12 | CMAC input D1 | 4104782E21801D803042F54E5850204162758000000000000000000000000000 | 32 bytes |
| 13 | Last 16-byte is XORed with K2 | 4104782E21801D803042F54E585020417D8A306FB7DA339B4F46EBA144BE604C | As the padding is added the last block is XORed with K2, if padding is not added, then XORed with K1. |
| 14 | Encryption using K | 05FC00C95DD7AEFF203CCF3006839F204FC6EEC820B4C54314990B8611662DB6 | Standard AES encryption with IV = 00s in CBC mode |
| 15 | Derived key A | 4FC6EEC820B4C54314990B8611662DB6 | Last 16-byte block. (CMAC) |
| 16 | Add the Div Constant 3 at the beginning of M | 4204782E21801D803042F54E585020416275 | Div Constant 3 is fixed, must be 0x42 for AES 256 keys. |
| 17 | CMAC input D2 | 4204782E21801D803042F54E5850204162758000000000000000000000000000 | Here the only difference is Div Constant 3, which is ‘12’ fixed for AES 256. |
| 18 | Last 16-byte is XORed with K2 | 4204782E21801D803042F54E585020417D8A306FB7DA339B4F46EBA144BE604C | As the padding is added the last block is XORed with K2, if padding is not added, then XORed with K1. |
| 19 | Encryption using K | 3EC9D8E4279BBC0B652E903618A41EFA95E7880982C0001E6067488346100AED | Standard AES encryption with IV = 00s in CBC mode |
| 20 | Derived key B | 95E7880982C0001E6067488346100AED | Last 16-byte block. (CMAC) |
| 21 | Diversified Key | 4FC6EEC820B4C54314990B8611662DB695E7880982C0001E6067488346100AED | Derived Key A \|\| Derived Key B |

If the length of M is more than 15 bytes, standard CMAC algorithm can be used, without
taking care of padding, XOR and encryption. The message for standard CMAC is then
the data of step 9 and data of step 16.

2.5 2TDEA key


Input:
• 1 to 15 bytes of diversification input (let’s name it “M”)
• 16 bytes 2TDEA master key (let's name it “K”)
Output:
• 16 bytes 2TDEA diversified key.
Algorithm:
1. Calculate CMAC input D1 and D2:
2. D1 = 0x21 || M || Padding
3. D2 = 0x22 || M || Padding
4. Padding is chosen such that D1 and D2 always have a length of 16 bytes. Padding
bytes are according to the CMAC padding, i.e. 80h followed by 00h bytes. So the
length of Padding is 0 to 14 bytes.
5. Calculate the Boolean flag ‘Padded’, which is true if M is less than 15 bytes long, false
otherwise. The Boolean argument “Padded” is needed because it must be known in
TDEACMAC which K1 or K2 is to be used in the last computation round.
6. Calculate output:
• DerivedKey1 = TDEACMAC(K, D1, Padded)
• DerivedKey2 = TDEACMAC(K, D2, Padded)
• 16-byte diversified key = DerivedKey1 || DerivedKey2.
Processing load: one 2TDEA key load, 6 2TDEA computations
We can reduce the TDEA operations to 5 if the CMAC K1 and/or K2 can be reused.


The Boolean argument “Padded” is needed because it must be known in TDEACMAC
which K1 or K2 is to be used in the last computation round.
Remark: The master key can only be used about 1 million times if one wants to comply
with SP 800-38B. This means that the construction suggested here can be used for
500000 cards. If more than 500000 cards are needed, and if duplicate keys are not
acceptable for the application, a two level key diversification mechanism could be used.
Fig 5 shows the algorithm as a block diagram.

Figure 5. Diversification of 2TDEA key

MIFARE DESFire products store key version information in the lowest significant bits of
the first 8 bytes of the 2TDEA key. If this versioning information is to be preserved, it must be
copied from the master key into the diversified key.

2.5.1 2TDEA key diversification example


Master key (K) = 00112233445566778899AABBCCDDEEFF, which will be diversified.

Table 5. Example – 2TDEA key diversification


| Step | Indication | Data / Message | Comment |
|---|---|---|---|
| | CMAC sub key generation | | |
| 1 | Master key (K) | 00112233445566778899AABBCCDDEEFF | The key, which is going to be diversified |
| 2 | K0 | FB09759972301AF4 | CIPH_K(0^b), 2DEA (K, 8-byte 0s). |
| 3 | K1 | F612EB32E46035F3 | The first sub key, see in [CMAC]. |
| 4 | K2 | EC25D665C8C06BFD | The second sub key, see in [CMAC]. |
| | Diversified key generation | | |
| 5 | UID | 04782E21801D80 | 7-byte UID of PICC |
| 6 | Application ID | 3042F5 | 3-byte DESFire AID |
| 7 | System Identifier | 4E58502041 | ASCII of system identifier name |
| 8 | Diversification input (M) | 04782E21801D803042F54E58502041 | Data from step 5 to step 7. It doesn’t matter how you specify your diversification input, the main thing, Diversification input must be unique for unique PICC e.g. here the UID is unique and the same diversification input must be used in personalization and validation of the PICC. This has to be up to 16 bytes. |
| 9 | Add the TDEA Div Constant 1 at the beginning of M | 2104782E21801D803042F54E58502041 | It is fixed, must be ‘21’ for 2TDEA keys. |
| 10 | Do I need Padding | No | The algorithm always needs 16-byte block for TDEA, Here message is 16 bytes. |
| 11 | CMAC input D1 | 2104782E21801D803042F54E58502041 | 16 bytes |
| 12 | Last 16-byte is XORed with K1 | 2104782E21801D80C6501E7CBC3015B2 | As the padding is NOT added the last block is XORed with K1, if padding is added, then XOR with K2. |
| 13 | Encryption using K | 5B7B81DCDE98A6BE16F8597C9E8910C8 | Standard TDEA encryption with IV = 00s in CBC mode |
| 14 | Derived Key 1 | 16F8597C9E8910C8 | CMAC |
| 15 | Add the TDEA Div Constant 2 at the beginning of M | 2204782E21801D803042F54E58502041 | |
| 16 | Do I need Padding | No | |
| 17 | CMAC input D1 | 2204782E21801D803042F54E58502041 | 16 bytes |
| 18 | Last 8-byte is XORed with K1 | 2204782E21801D80C6501E7CBC3015B2 | As the padding is NOT added the last block is XORed with K1, if padding is added, then XOR with K2. |
| 19 | Encryption using K | D2292CCE0B8106CE6B9648D006107DD7 | Standard TDEA encryption with IV = 00s in CBC mode |
| 20 | Derived Key 2 | 6B9648D006107DD7 | CMAC |
| 21 | 2TDEA diversified key (without restoring the key version) | 16F8597C9E8910C86B9648D006107DD7 | Step 15 + step 20 |

The lowest significant bit of every key byte is not used in DES calculation. MIFARE DESFire and
SAMs use the lowest significant bit of first eight bytes key as the key version. In this example
the version of master key = 0x55 (01010101b). These version bits are required to insert in the
diversified key as well, to make the same key version for master key and diversified keys.

| Step | Indication | Data / Message | Comment |
|---|---|---|---|
| 22 | 2TDEA diversified key (after inserting the key version) | 16F9587D9E8910C96B9648D006107DD7 | |

If the length of M is more than 7 bytes, standard CMAC algorithm can be used, without
taking care of padding, XOR and encryption. The message for standard CMAC is then
the data of step 9 and data of step 15.

2.6 3TDEA key


Input:
• 1 to 15 bytes of diversification input (let’s name it “M”)
• 24 bytes 3TDEA master key (let's name it “K”)
Output:
• 24 bytes 3TDEA diversified key.
Algorithm:
1. Calculate CMAC input D1, D2 and D3:
2. D1 = 0x31 || M || Padding
3. D2 = 0x32 || M || Padding
4. D3 = 0x33 || M || Padding
5. Padding is chosen such that D1, D2 and D3 always have a length of 16 bytes.
Padding bytes are according to the CMAC padding, i.e. 80h followed by 00h bytes. So
the length of Padding is 0 to 14 bytes.
6. Calculate the Boolean flag ‘Padded’, which is true if M is less than 15 bytes long, false
otherwise. The Boolean argument “Padded” is needed because it must be known in
TDEACMAC which K1 or K2 is to be used in the last computation round.
7. Calculate output:
• DerivedKey1 = TDEACMAC(K, D1, Padded)
• DerivedKey2 = TDEACMAC(K, D2, Padded)
• DerivedKey3 = TDEACMAC(K, D3, Padded)
• 16-byte diversified key = DerivedKey1 || DerivedKey2 || DerivedKey3.
Processing load: one 3TDEA key load, 9 3TDEA computations
Remark: The master key can only be used about 1 million times if one wants to comply
with SP 800-38B. This means that the construction suggested here can be used for about
330000 cards. If more than 330000 cards are needed, and if duplicate keys are not
acceptable for the application, a two level key diversification mechanism is used.
The Boolean argument “Padded” is needed because it must be known in TDEACMAC
which K1 or K2 is to be used in the last computation round.
Fig 6 shows the algorithm as a block diagram.


Figure 6. Diversification of 3TDEA key

MIFARE DESFire products store key version information in the lowest significant bits of
the first 8 bytes of the 3TDEA key. If this versioning information is to be preserved, it must be
copied from the master key into the diversified key.

2.6.1 3TDEA key diversification example


Master key (K) = 00112233445566778899AABBCCDDEEFF0102030405060708, which
will be diversified.

Table 6. Example – 3TDEA key diversification


| Step | Indication | Data / Message | Comment |
|---|---|---|---|
| | CMAC sub key generation | | |
| 1 | Master key | 00112233445566778899AABBCCDDEEFF0102030405060708 | The key, which is going to be diversified |
| 2 | K0 | 51F6AC7C734A0DE5 | CIPH_K(0^b), 2DEA (K, 8-byte 0s). |
| 3 | K1 | A3ED58F8E6941BCA | The first sub key, see in [CMAC]. |
| 4 | K2 | 47DAB1F1CD28378F | The second sub key, see in [CMAC]. |
| | Diversified key generation | | |
| 5 | UID | 04782E21801D80 | 7-byte UID of PICC |
| 6 | Application ID | 3042F5 | 3-byte DESFire AID |
| 7 | System Identifier | 4E5850 | ASCII of system identifier name |
| 8 | Diversification input (M) | 04782E21801D803042F54E5850 | Data from step 5 to step 7. It doesn’t matter how you specify your diversification input, the main thing, Diversification input must be unique for unique PICC e.g. here the UID is unique and the same diversification input must be used in personalization and validation of the PICC. This has to be up to 16 bytes. |
| 9 | After inserting TDEA Div constant 3 | 3104782E21801D803042F54E5850 | It is fixed, must be ‘31’ for 3TDEA keys. |
| 10 | Do I need Padding | Yes | The algorithm always needs 16-byte block for TDEA, here message is 14 bytes. |
| 11 | CMAC input D1 | 3104782E21801D803042F54E58508000 | 8000 padding added |
| 12 | Last 8-byte is XORed with K2 | 3104782E21801D80779844BF9578B78F | As the padding is added the last block is XORed with K2, if padding is NOT added, then XOR with K1. |
| 13 | Encryption using K | 4C294A83A6829EC12F0DD03675D3FB9A | Standard TDEA encryption with IV = 00s in CBC mode |
| 14 | Derived Key 1 | 2F0DD03675D3FB9A | CMAC |
| 15 | After inserting TDEA Div constant 4 in M | 3204782E21801D803042F54E5850 | It is fixed, must be ‘32’ for 3TDEA keys. |
| 16 | Do I need Padding | Yes | The algorithm always needs 16-byte block for TDEA, here message is 14 bytes. |
| 17 | CMAC input D2 | 3204782E21801D803042F54E58508000 | 8000 padding added |
| 18 | Last 8-byte is XORed with K2 | 3204782E21801D80779844BF9578B78F | Diversification constant and diversification input. Here the constant must be ‘32’ |
| 19 | Encryption using K | 41A9459AB5B209905705AB0BDA91CA0B | Standard TDEA encryption with IV = 00s in CBC mode |
| 20 | Derived Key 2 | 5705AB0BDA91CA0B | CMAC |
| 21 | After inserting TDEA Div constant 5 in M | 3304782E21801D803042F54E5850 | It is fixed, must be ‘33’ for 3TDEA keys. |
| 22 | Do I need Padding | Yes | The algorithm always needs 16-byte block for TDEA, here message is 14 bytes |
| 23 | CMAC input D3 | 3304782E21801D803042F54E58508000 | 8000 padding added |
| 24 | Last 8-byte is XORed with K2 | 3304782E21801D80779844BF9578B78F | Diversification constant and diversification input. Here the constant must be ‘33’ |
| 25 | Encryption using K | 7FABF1B71419AF1555B8E07FCDBF10EC | Standard TDEA encryption with IV = 00s in CBC mode |
| 26 | Derived Key 3 | 55B8E07FCDBF10EC | CMAC |
| 27 | Diversified 3TDEA key (without restoring the key version) | 2F0DD03675D3FB9A5705AB0BDA91CA0B55B8E07FCDBF10EC | 24-byte 3TDEA key. (Step 14 + step 20 + step 26). |

The lowest significant bit of every key byte is not used in DES calculation. MIFARE DESFire and
SAMs use the lowest significant bit of first eight bytes key as the key version. In this example
the version of master key = 0x55 (01010101b). These version bits are required to insert in the
diversified key as well, to make the same key version for master key and diversified keys.

| Step | Indication | Data / Message | Comment |
|---|---|---|---|
| 28 | Diversified 3TDEA key (after restoring the key version) | 2E0DD03774D3FA9B5705AB0BDA91CA0B55B8E07FCDBF10EC | |

If the length of M is more than 7 bytes, the standard CMAC algorithm can be used, without
taking care of padding, XOR and encryption. The message for standard CMAC is then
the data of step 9, step 15 and step 21.
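The bookkeeping around the TDEA cipher in the 3TDEA example above, as an added Python example that is not part of the NXP application note: it rebuilds the CMAC inputs D1 to D3 (steps 11, 17, 23), takes the last 8 bytes of each CBC output as a derived key part, and restores the key version (step 27 to step 28). The TDEA-CBC outputs are copied from steps 13, 19 and 25 rather than computed, the function names are chosen here, and the MSB-first order of the version bits is an assumption inferred from the step 27 and step 28 values.

```python
"""Bookkeeping around the cipher for the 3TDEA example (added illustration)."""

UID = bytes.fromhex("04782E21801D80")       # step 5
AID = bytes.fromhex("3042F5")               # step 6
SYSTEM_ID = bytes.fromhex("4E5850")         # step 7
DIV_CONSTANTS_3TDEA = (0x31, 0x32, 0x33)    # steps 9, 15, 21
BLOCK = 16                                  # CMAC input size used in the table
# TDEA-CBC outputs copied from steps 13, 19 and 25 (not computed here).
CBC_OUTPUTS = [bytes.fromhex(h) for h in (
    "4C294A83A6829EC12F0DD03675D3FB9A",
    "41A9459AB5B209905705AB0BDA91CA0B",
    "7FABF1B71419AF1555B8E07FCDBF10EC")]

def cmac_input(constant, m):
    """Return (D, padded): constant || M, padded with 80 00.. to 16 bytes.
    padded=True means the last block is XORed with K2, otherwise K1."""
    d = bytes([constant]) + m
    if len(d) > BLOCK:
        raise ValueError("constant || M exceeds the 16-byte CMAC input")
    padded = len(d) < BLOCK
    if padded:
        d += b"\x80" + bytes(BLOCK - len(d) - 1)
    return d, padded

def key_version(key):
    """Read the version from the LSBs of the first eight key bytes."""
    return sum((key[i] & 1) << (7 - i) for i in range(8))

def restore_key_version(key, version):
    """Write version into the LSBs of key bytes 0..7, version MSB first
    (bit order inferred from step 27 -> step 28; assumption)."""
    out = bytearray(key)
    for i in range(8):
        out[i] = (out[i] & 0xFE) | ((version >> (7 - i)) & 1)
    return bytes(out)

def assemble_3tdea(cbc_outputs, version):
    """Join the three 8-byte CMACs (last CBC block of each) into 24 bytes."""
    return restore_key_version(b"".join(c[-8:] for c in cbc_outputs), version)

if __name__ == "__main__":
    m = UID + AID + SYSTEM_ID               # step 8
    for c in DIV_CONSTANTS_3TDEA:
        print(cmac_input(c, m)[0].hex().upper())        # steps 11, 17, 23
    print(assemble_3tdea(CBC_OUTPUTS, 0x55).hex().upper())  # step 28
```

`key_version` applied to a master key gives the value to pass as `version`, so the diversified key carries the same version as the key it was derived from.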

3 Conclusion
The master keys must be stored securely if the algorithms are implemented in
software. MIFARE SAM AV3 offers secure storage of the master keys and dynamic
diversification. For optimum security, using MIFARE SAM AV3 can be the best
solution. The user shall take care when defining the master keys and shall avoid
weak keys whenever necessary. Neither the SAM nor the algorithms analyze the keys. NXP
recommends using AES instead of TDEA.

4 References
1. CMAC specification: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf

5 Legal information

5.1 Definitions

Draft — The document is a draft version only. The content is still under internal review and subject to formal approval, which may result in modifications or additions. NXP Semiconductors does not give any representations or warranties as to the accuracy or completeness of information included herein and shall have no liability for the consequences of use of such information.

5.2 Disclaimers

Limited warranty and liability — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information. NXP Semiconductors takes no responsibility for the content in this document if provided by an information source outside of NXP Semiconductors. In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory. Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors’ aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors.

Right to make changes — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof.

Suitability for use — NXP Semiconductors products are not designed, authorized or warranted to be suitable for use in life support, life-critical or safety-critical systems or equipment, nor in applications where failure or malfunction of an NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors and its suppliers accept no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer’s own risk.

Applications — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification. Customers are responsible for the design and operation of their applications and products using NXP Semiconductors products, and NXP Semiconductors accepts no liability for any assistance with applications or customer product design. It is customer’s sole responsibility to determine whether the NXP Semiconductors product is suitable and fit for the customer’s applications and products planned, as well as for the planned application and use of customer’s third party customer(s). Customers should provide appropriate design and operating safeguards to minimize the risks associated with their applications and products. NXP Semiconductors does not accept any liability related to any default, damage, costs or problem which is based on any weakness or default in the customer’s applications or products, or the application or use by customer’s third party customer(s). Customer is responsible for doing all necessary testing for the customer’s applications and products using NXP Semiconductors products in order to avoid a default of the applications and the products or of the application or use by customer’s third party customer(s). NXP does not accept any liability in this respect.

Export control — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from competent authorities.

Evaluation products — This product is provided on an “as is” and “with all faults” basis for evaluation purposes only. NXP Semiconductors, its affiliates and their suppliers expressly disclaim all warranties, whether express, implied or statutory, including but not limited to the implied warranties of non-infringement, merchantability and fitness for a particular purpose. The entire risk as to the quality, or arising out of the use or performance, of this product remains with customer. In no event shall NXP Semiconductors, its affiliates or their suppliers be liable to customer for any special, indirect, consequential, punitive or incidental damages (including without limitation damages for loss of business, business interruption, loss of use, loss of data or information, and the like) arising out the use of or inability to use the product, whether or not based on tort (including negligence), strict liability, breach of contract, breach of warranty or any other theory, even if advised of the possibility of such damages. Notwithstanding any damages that customer might incur for any reason whatsoever (including without limitation, all damages referenced above and all direct or general damages), the entire liability of NXP Semiconductors, its affiliates and their suppliers and customer’s exclusive remedy for all of the foregoing shall be limited to actual damages incurred by customer based on reasonable reliance up to the greater of the amount actually paid by customer for the product or five dollars (US$5.00). The foregoing limitations, exclusions and disclaimers shall apply to the maximum extent permitted by applicable law, even if any remedy fails of its essential purpose.

Translations — A non-English (translated) version of a document is for reference only. The English version shall prevail in case of any discrepancy between the translated and English versions.

5.3 Trademarks

Notice: All referenced brands, product names, service names and trademarks are the property of their respective owners.

MIFARE — is a trademark of NXP B.V.
DESFire — is a trademark of NXP B.V.
MIFARE Plus — is a trademark of NXP B.V.

Tables
Tab. 1. Abbreviations
Tab. 2. Example – AES 128 key diversification
Tab. 3. Example – AES 192 key diversification
Tab. 4. Example – AES 256 key diversification
Tab. 5. Example – 2TDEA key diversification
Tab. 6. Example – 3TDEA key diversification

Figures
Fig. 1. CMAC construction (2 cases: left without padding, right with padding)
Fig. 2. Diversification of 128-bit AES key
Fig. 3. Diversification of 192-bit AES key
Fig. 4. Diversification of 256-bit AES key
Fig. 5. Diversification of 2TDEA key
Fig. 6. Diversification of 3TDEA key

Contents
1 Introduction
1.1 Abbreviations
1.2 Examples presented in this document
2 Key Diversification
2.1 Construction
2.2 AES-128 key
2.2.1 AES-128 key diversification example
2.3 AES-192 key
2.3.1 AES-192 key diversification example
2.4 AES-256 key
2.4.1 AES-256 key diversification example
2.5 2TDEA key
2.5.1 2TDEA key diversification example
2.6 3TDEA key
2.6.1 3TDEA key diversification example
3 Conclusion
4 References
5 Legal information

Please be aware that important notices concerning this document and the product(s)
described herein, have been included in section 'Legal information'.

© NXP B.V. 2019. All rights reserved.


For more information, please visit: http://www.nxp.com
For sales office addresses, please send an email to: [email protected]
Date of release: 2 July 2019
Document identifier: AN10922
Document number: 165322
