Wallet keys generation
The key is generated on the card using a hardware random number generator during card activation. The entropy for the random number is taken from the chip’s physical sensors. This means that no one can ever know your private key. The hardware random number generator is a component of the Samsung-produced chip. You can read the safety assessment document via this link.
Wallet keys cloning
When a backup is created, a secure communication channel is established between the cards using the Diffie-Hellman key exchange protocol, after which the keys are transferred from one card to the other. This mechanism is fully protected against man-in-the-middle attacks since the first step involves the cards authenticating each other with a two-way attestation, and the encryption is done with a 256-bit key. This is a top-level encryption protocol, and the application cannot decrypt the keys.