
NTAG424 saving initialized keys without master key and decrypt SDM/PICC URL params


I am planning to make a SaaS to verify SDM/PICC URL params for NTAG424 and I'm also planning to make a desktop/mobile app to "initialize" user tags and register them to my server.

The idea is anyone can use these apps to initialize their tags and then use my service to verify them.

On page 24 of AN12196 (personalization), NXP suggests diversifying the keys with a master key. I plan on using that suggested method, but the "master key" and "system key" are different for each user.

My question is, if my service doesn't care about editing users' tags, is it enough for me to save on my server, for each tag, the final keys generated in the diversification method without having to know their master key and system keys?

I will be able to verify/decrypt SDM/PICC data with the diversified keys without knowing the master/system keys, right? I'm thinking the answer is yes, but just needed a sanity check or if there are other future pitfalls I hadn't thought of.

If so then I could just give them 5 random md5 and don't even need the key diversification process!

Now that I think about it, I think the only reason you need the master key/system key is to be able to generate the same keys if the UID is already in the URL in plaintext, right?

Thanks, V


Solution

  • Derivation of die-individual keys from a known Master Key simply makes the integration easier, as there is no need for a database, which is useful e.g. in an offline context. The tags themselves simply know their 5 application keys; they don't know how these keys were created - so it is up to you whether you derive them from a Master Key, or create random keys (16 bytes) for each tag. For using this concept with multiple customers, it might make sense to have a plain-text reference to the customer as part of the NDEF URL, so that based on that reference the PICC decryption key can be picked from the database. Then the key for checking/decrypting SDM can be derived or looked up.
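The lookup flow described in the answer, as an added example that is not part of the original answer or NXP's code: the customer reference in the URL selects the PICC data key, the decrypted UID selects the stored per-tag SDM file read key, and no master key is involved. Assumptions: the Python `cryptography` package, the query parameter names `cust`, `e` and `c`, the host `verify.example`, a tag configured to mirror UID and read counter as encrypted PICC data with the MAC computed over empty input, and a server-side counter check that rejects replayed URLs.

```python
import hmac
import secrets
from urllib.parse import urlparse, parse_qs
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.cmac import CMAC

def cmac(key, msg):
    c = CMAC(algorithms.AES(key))
    c.update(msg)
    return c.finalize()

def sdm_mac(file_read_key, uid, ctr_lsb):
    # Session MAC key from SV2 = 3CC3 0001 0080 || UID || SDMReadCtr (assumed SDM setup)
    session = cmac(file_read_key, bytes.fromhex("3CC300010080") + uid + ctr_lsb)
    return cmac(session, b"")[1::2]  # keep the bytes at odd zero-based indexes

def aes_cbc(key, data, encrypt=False):  # AES-CBC with an all-zero IV
    c = Cipher(algorithms.AES(key), modes.CBC(bytes(16)))
    op = c.encryptor() if encrypt else c.decryptor()
    return op.update(data) + op.finalize()

class Verifier:
    def __init__(self):
        self.picc_keys = {}  # customer reference -> PICC data decryption key
        self.tag_keys = {}   # (customer reference, UID) -> final SDM file read key
        self.last_ctr = {}   # (customer reference, UID) -> highest counter accepted

    def verify(self, url):
        try:
            q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
            cust, e, c = q["cust"], bytes.fromhex(q["e"]), bytes.fromhex(q["c"])
            data = aes_cbc(self.picc_keys[cust], e)  # key picked by customer reference
            uid, ctr_lsb = data[1:8], data[8:11]
            key = self.tag_keys[cust, uid]           # per-tag key looked up by UID
        except (KeyError, ValueError):
            return None  # malformed URL, unknown customer or unknown tag
        ctr = int.from_bytes(ctr_lsb, "little")
        ok = len(e) == 16 and data[0] == 0xC7 and hmac.compare_digest(sdm_mac(key, uid, ctr_lsb), c)
        if not ok or ctr <= self.last_ctr.get((cust, uid), -1):  # bad MAC or replayed URL
            return None
        self.last_ctr[cust, uid] = ctr
        return uid.hex().upper(), ctr

def simulate_tap(picc_key, file_read_key, uid, ctr, cust):
    # Constructed sample input: the URL a personalized tag would emit on a tap.
    ctr_lsb = ctr.to_bytes(3, "little")
    e = aes_cbc(picc_key, b"\xC7" + uid + ctr_lsb + secrets.token_bytes(5), encrypt=True)
    c = sdm_mac(file_read_key, uid, ctr_lsb)
    return f"https://verify.example/t?cust={cust}&e={e.hex().upper()}&c={c.hex().upper()}"
```

Registering a tag means storing only the final keys, for example `v.picc_keys["acme"] = secrets.token_bytes(16)` and `v.tag_keys["acme", uid] = secrets.token_bytes(16)`; whether the client derived them from its own master key or drew them at random makes no difference to `verify`.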