5.3.5.2 Diversified MAC

A diversified MAC includes the serial number of the device. The serial number will be unique for each device and therefore, will always generate a unique SHA256 digest. The MAC is always calculated over a total of 88 bytes and always creates a 32-byte SHA256 digest.

Table 5-89. Input Parameters - Diversified MAC

Opcode
(1 Byte)

Mode
(1 Byte)

KeyID
(2 Bytes)

Data(2)
(0-32 Bytes)

Mode Descriptions
0x080x400x00 0[Slot]32 bytes
  • First 32 bytes loaded from data slot
  • Second 32 bytes are taken from the input challenge
0x41 or 0x45(1)0x00 0[Slot]0 bytes
  • First 32 bytes loaded from data slot
  • Second 32 bytes are taken from TempKey
0x42 or 0x46(1)0x00 0032 bytes
  • First 32 bytes loaded with TempKey
  • Second 32 bytes are taken from the input challenge
Note:

(1) Mode[2] must match the TempKey.SourceFlag.
(2) When present, the Data parameter corresponds to the input challenge.

Table 5-90. Output Response - Diversified MAC
NameSizeDescription
Response1 byteIf the command fails
32 bytesSHA-256 digest
Table 5-91. Diversified MAC Calculation
# of BytesMode 0x40Mode 0x41 or 0x45Mode 0x42 or 0x46

32
32
1
1
2
11
1
4
2
2

Data Slot
Input Challenge
Opcode (0x08)
Mode
KeyID
Zeros
SN[8]0x01
SN[4:7]
SN[0:1] 0x01 0x23
SN[2:3]

Data Slot
TempKey
Opcode (0x08)
Mode
KeyID
Zeros
SN[8]  0x01
SN[4:7]
SN[0:1] 0x01 0x23
SN[2:3]

TempKey
Input Challenge
Opcode (0x08)
Mode
KeyID
Zeros
SN[8]  0x01
SN[4:7]
SN[0:1] 0x01 0x23
SN[2:3]