E.5 Key derivation

This appendix deals with the process of key derivation, which is useful at least in the following two situations, which are typical for the design of electronic payment systems.

Since tamper-resistant devices cannot be completely trusted, the issuer stores in the EEPROM of the device cryptographic material that is unique to the device but is derived from some master key of the issuer. Thus, the secret key that is specific to the device is derived as K _d = F ₁ ( MK )[ Diversification_Info ]. According to its key management policies, the issuer establishes the content of the diversification information Diversification_Info . It may contain items like the serial number of the device, the identifier of the master key used for key derivation, and/or other information specific either to the device or to the issuer. The specific form of the derivation function F ₁ and the features of the master key MK are also particular choices of the issuer.
Since the repeated use of one single key for performing CBC encryption can lead to the leakage of information about the plaintext (see Section E.2), it is highly recommended that the confidentiality service for each communication session be implemented with a session key. The value of the session key K _S is derived from the same permanent key K _P , which is known to both parties, using as diversification information a time-variant byte sequence, like a random number or the value of a counter, which is incremented for each new transaction performed. Thus, the session key is computed as K _S = F ₂ ( K _P )[ time_variant ]. The communicating parties jointly convene the algorithm describing the function F ₂ and the features of the permanent key K _P .

Specific details on these algorithms are provided in the descriptions of some business cases presented in the book.