A simple key diversification implementation
As IC cards become more widely used for payment transactions, authentication, and data encryption and decryption, key management in a distributed IC card system becomes a critical security issue.
The traditional approach of asymmetric key management and exchange is more secure, but it is more complicated to manage and requires more resources to implement. Given the limited computing power and resources of an IC card, implementing an asymmetric algorithm in the chip hardware or the chip operating system (COS) is a challenge and is more expensive. Therefore, the simpler symmetric key solution is usually adopted.
Nevertheless, managing the keys of hundreds of thousands of IC cards is a challenge in itself. The common solution is to derive each IC card's key from a master key (or root key) and a property value known to both parties. This is called key diversification. Key diversification is a one-way function, defined as:
Diversified key = Function(Master key, user input)
where the user input is the property value shared between the client device and the back-end key management system. In most systems, this is the IC card serial number. For a point-of-sale (POS) terminal, the serial number of the SAM (Security Access Module) card is used as the shared property.
After a key is diversified, it is written into the IC card, to be used later for data encryption or authentication. The management system does not need to store the client key. When an encrypted message or authentication message from the client device is received by the back-end system, the system derives the client key again from the master key and the shared value, and performs data decryption or client authentication with the re-derived diversified key. Because the function is one-way, compromising one card's diversified key does not reveal the master key or any other card's key; the master key itself, however, is the single secret on which every card depends and must be kept in tamper-resistant hardware such as an HSM or SAM.
Given the same mechanism, it is possible to manage multiple levels of key diversification. For example, in an electronic toll collection (ETC) system, ETC cards issued to drivers are usually managed by region (or by city). The central system can derive a master key for each region from the root key, and the key in each ETC card is then derived from the regional master key. Another use case is the POS terminal transaction system, where each merchant is assigned a master key, and the key in each POS terminal belonging to that merchant is derived from the merchant's master key.
The People's Bank of China (PBOC) has released a specification document in which a key diversification algorithm for the financial industry is defined.
In China, a common implementation of the key diversification algorithm is based on Triple DES (3DES). MK is the master key (16 bytes long), I is the shared input value (16 or 8 bytes long), E() is the 3DES encryption function and D() the 3DES decryption function (only E() is needed below). The algorithm is defined as follows:
- I is split into two parts, the left part L and the right part R, 8 bytes each. When I is only 8 bytes long, the same 8-byte block is used as both L and R.
- Compute E(MK, L), encrypting the left part with the master key.
- Flip all bits in the right part R to get R2.
- Compute E(MK, R2), encrypting the flipped right part with the master key.
- Take the 8 bytes of E(MK, L) and the 8 bytes of E(MK, R2) and concatenate them to get the 16-byte diversified key DK. (Since 3DES works on 8-byte blocks, "the first 8 bytes" of each result is simply the whole ciphertext block.)
DK is the diversified key to be used on the client device.
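The following Go program is an added example, not the page's own Java code or anything from the PBOC document. It implements the five steps above with 3DES, chains two levels of diversification as in the ETC example (root key to regional master key to card key), and shows the back-end re-deriving the card key to verify a challenge-response without storing it. The region identifier, serial number and challenge values are constructed sample data, and using the same split rule with a 16-byte-block cipher such as AES is this example's own assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// newTripleDES builds a two-key 3DES block cipher (EDE with K1||K2||K1) from
// the 16-byte master key used by the PBOC-style algorithm described above.
func newTripleDES(key []byte) (cipher.Block, error) {
	if len(key) != 16 {
		return nil, errors.New("3DES key must be 16 bytes")
	}
	k24 := append(append([]byte{}, key...), key[:8]...)
	return des.NewTripleDESCipher(k24)
}

// Diversify is the one-way function from the text, DK = E(MK, L) || E(MK, ~R),
// written for any block cipher. With 3DES (8-byte block) the input is either
// 16 bytes, split into L and R, or 8 bytes, in which case the same block is
// used as both L and R. Applying that rule to AES is an assumption here.
func Diversify(blk cipher.Block, in []byte) ([]byte, error) {
	bs := blk.BlockSize()
	var l, r []byte
	switch len(in) {
	case bs:
		l, r = in, in
	case 2 * bs:
		l, r = in[:bs], in[bs:]
	default:
		return nil, fmt.Errorf("input must be %d or %d bytes, got %d", bs, 2*bs, len(in))
	}
	r2 := make([]byte, bs)
	for i := range r {
		r2[i] = ^r[i] // flip every bit of R
	}
	el, er := make([]byte, bs), make([]byte, bs)
	blk.Encrypt(el, l)
	blk.Encrypt(er, r2)
	// Keep 8 bytes of each ciphertext: a 3DES block is exactly 8 bytes, so
	// nothing is discarded; with AES half of each ciphertext block is dropped.
	dk := append([]byte{}, el[:8]...)
	return append(dk, er[:8]...), nil
}

// DiversifyPBOC is the 3DES form described in the text.
func DiversifyPBOC(mk, in []byte) ([]byte, error) {
	blk, err := newTripleDES(mk)
	if err != nil {
		return nil, err
	}
	return Diversify(blk, in)
}

// CardKey chains two levels as in the ETC example: root key -> regional master
// key (diversified by a region identifier) -> card key (by the card serial).
func CardKey(rootKey, regionID, serial []byte) ([]byte, error) {
	regionMK, err := DiversifyPBOC(rootKey, regionID)
	if err != nil {
		return nil, err
	}
	return DiversifyPBOC(regionMK, serial)
}

// AuthResponse is the card side of a minimal challenge-response: the 8-byte
// challenge encrypted under the card's diversified key.
func AuthResponse(dk, challenge []byte) ([]byte, error) {
	if len(challenge) != 8 {
		return nil, errors.New("challenge must be 8 bytes")
	}
	blk, err := newTripleDES(dk)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	blk.Encrypt(out, challenge)
	return out, nil
}

// VerifyCard is the back-end side: it stores no card key, re-derives DK from
// the master key and the serial presented by the card, and compares the
// expected response in constant time.
func VerifyCard(mk, serial, challenge, response []byte) bool {
	dk, err := DiversifyPBOC(mk, serial)
	if err != nil {
		return false
	}
	expected, err := AuthResponse(dk, challenge)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	// Constructed sample values; a real root key never leaves the HSM/SAM.
	root := []byte("0123456789ABCDEF")
	region := []byte("REGION01")
	serial := []byte{0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38}
	dk, _ := CardKey(root, region, serial)
	fmt.Println("card key:", hex.EncodeToString(dk))

	challenge := []byte{1, 2, 3, 4, 5, 6, 7, 8}
	resp, _ := AuthResponse(dk, challenge)
	regionMK, _ := DiversifyPBOC(root, region)
	fmt.Println("card accepted:", VerifyCard(regionMK, serial, challenge, resp))

	aesBlk, _ := aes.NewCipher(root) // AES variant, one 16-byte block as L = R
	adk, _ := Diversify(aesBlk, append(append([]byte{}, serial...), serial...))
	fmt.Println("AES variant:", hex.EncodeToString(adk))
}
```

Note that the back-end verifies with the regional master key it derived itself, never with a stored card key, which is the whole point of the scheme: only the root key and the derivation inputs need to be kept.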
Here I implement a simple key diversification in Java, using a similar algorithm but with AES in place of 3DES. Note that AES has a 16-byte block, so the split and truncation steps above have to be adjusted accordingly. Source code of the implementation is available from here.