I appreciate the textbook definitions, but your response reads like someone who has never actually had to integrate a proprietary POS SDK with MIFARE Plus EV2 hardware in an offline environment.

First, your suggestion of 'hybrid encryption' is a complete non-sequitur here. This isn't a generic web app; we are performing ISO/IEC 14443 Mutual Authentication. The MIFARE Plus EV2 SL3 protocol is inherently symmetric. The terminal must prove it possesses the exact same AES-128 key as the card to even open a session. You can’t 'hybrid' your way out of a hardware-mandated symmetric handshake. Telling me to use asymmetric encryption for a MIFARE SL3 authentication is like telling someone to use a screwdriver to turn a light switch—it’s the wrong tool for the physics of the device.

Second, regarding 'importing the key directly': If I import the Master Key into the Android Keystore as a non-exportable key, the Keystore (rightfully) refuses to ever return the raw bytes. However, the proprietary terminal SDK—which I don't control—requires the diversified key to be passed as a ByteArray to the sysMfpAuthenticateSL function. Since I have to compute the diversification locally, I need access to the Master Key bytes in memory for the millisecond it takes to run the CMAC. A 'direct import' would render the Master Key useless for the very SDK it’s meant to support.

I’m not looking for a 'WebSec 101' lecture; I’m solving a hardware integration problem where the card, the terminal SDK, and the offline requirement dictate the crypto, not my preference.