I was reading MIFARE DESFire EV1 document and noticed this:
MIFARE DESFire EV1 and the reader device show in an encrypted way
that they possess the same secret which especially means the same key;
this not only confirms that both entities are permitted to perform
operations on each other but also creates a session key which can be
used to keep the further communication path secure; as the name
“session key” implicitly indicates, each time a new authentication
procedure is successfully completed a new key for further cryptographic
operations is generated
The not only part is easy to achieve. In the simplest form, ‘server’ can throw a random number at the card, and the card can reply with the hash of the secret + the random number.
The but also part, which is the establishment of a session key, is a bit hand-wavy. Since both side already have a common secret, why do you need a session key, and not just use the common secret as a session key?
Note that this question has nothing to do with public key systems or asymmetric encryption or digital signature. In this case, both sides know the same secret.
Continue reading How is a NFC session key created?→
