Key Diversification
SecurityA technique generating unique per-card keys from a master key and card-specific data (e.g., serial number), so that compromise of one card key does not expose the master or other card keys.
What Is Key Diversification?
Key diversificationKey diversificationSecurityDeriving unique per-card keys from a master key.Click to view → is a cryptographic technique that generates unique per-card keys from a single master key combined with card-specific data -- typically the card serial number (CSN), chip ID, or AID. The resulting diversified key is unique to each card, ensuring that compromise of one card's key does not expose the master key or any other card's key.
This technique is fundamental to the security architecture of every large-scale smart card deployment, from EMV payment networks to transit systems and government PIV programs.
How Diversification Works
The general process follows three steps:
- Master key storage -- the issuer stores the master key exclusively inside an HSM that never exports it in plaintext.
- Diversification input -- card-specific data (serial number, CPLC data, or a custom diversification value) is combined with the master key.
- Key derivation -- a deterministic function (typically AESAESCryptographyNIST symmetric block cipher for smart card encryption.Click to view →-CBC or CMAC-based) produces the diversified key that is loaded onto the card during electrical personalization.
Common Diversification Schemes
| Scheme | Algorithm | Used By |
|---|---|---|
| EMVEMVApplicationGlobal chip payment card standard.Click to view → CSK | 3DES3DESCryptographyLegacy triple-DES symmetric cipher in payment smart cards.Click to view →-CBC on PAN + PSN | EMV issuer scripts |
| GP SCP03SCP03SoftwareAES-based secure channel protocol.Click to view → | AES-CMAC on card identity data | GlobalPlatform secure channels |
| MIFARE SAM | AES on UID + diversification constant | Transit cards |
| PIVPIVIdentityUS federal identity card standard.Click to view → | SP 800-73 KDF | US government PIV cards |
Why Diversification Matters
Without diversification, every card in a deployment would share the same symmetric key. A single compromised card -- through side-channel attack, fault injection, or physical probing -- would expose the shared key, compromising the entire card population.
With diversification, an attacker who extracts one card's key gains only that card's key. Recovering the master key from a diversified key is computationally infeasible when the derivation function is correctly implemented.
Key Management Infrastructure
Diversification is one step in a broader key management lifecycle managed by HSMs. The master keys themselves are generated during a formal key ceremony and stored in split-knowledge form across multiple key custodians. The HSMHSMSecurityPhysical device for key management.Click to view → performs the diversification computation during personalization, never exposing the master key outside its tamper-resistant boundary.
Related Content
GlobalPlatform Card Management
Standards & Protocols…UPDATE (card returns a challenge and card-unique key diversification data), followed by EXTERNAL AUTHENTICATE (host proves…
Secure Channel Protocols (SCP02/SCP03)
Standards & Protocols…00 00 08 [8-byte host challenge] 00 Response: [28 bytes] Key Diversification Data (10 bytes) Key Information (2 bytes) Sequence Counter…
Smart Card Cryptography
SecurityKey Management for Smart Cards
Security…recommended key lifetimes by algorithm and key type. Key Diversification Issuing every card with the same master key is a…
HSM Integration for Smart Cards
Security…IMK-AC, IMK-SMC, IMK-DEK EMVCo Book 2 Card personalisation key diversification Per-card derived keys GP SCP02/SCP03 PIN block generation…
ePassport Technology
Industry ApplicationsSmart Card Access Control Systems
Industry Applications…(Card Management Key) challenge. Deployment Considerations Key diversification : Use site-unique diversification of DESFire keys derived…
Smart Card Loyalty Programs
Industry Applications…online at the next top-up. Security Best Practices Key diversification : Derive per-card keys as CMAC(masterKey, UID) . A…
Frequently Asked Questions
The smart card glossary is a comprehensive reference of technical terms, acronyms, and concepts used in smart card technology. It covers protocols (APDU, T=0, T=1), security (Common Criteria, EAL, HSM), hardware (SE, EEPROM, contact pad), and applications (EMV, ePassport, eSIM). It serves developers, product managers, and engineers.
Yes. SmartCardFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai.