AES-DUKPT reference
This section describes how AES keys are used in derived unique key per transaction (AES-DUKPT) processing.
Types of keys used in AES-DUKPT processing
In AES-DUKPT processes, three kinds of keys are distinguished:
- Base derivation key (BDK)
- This key is the input to the derivation process that generates initial DUKPT keys with the CSNBUKD verb. A BDK is generated with the verbs CSNBKTB2 and CSNBKGN2. It must be a CCA AES DKYGENKY key whose key usage field (KUF) bits indicate that the key is allowed to be used as a BDK.
- initial derivation key
- This is a unique key loaded into a secure device such as a PIN entry device or POS terminal. It is derived from the DUKPT BDK and the information in the derivation data structure. X9.24 documentation sometimes calls this key the initial terminal key or simply the terminal key. The only CCA verb that can derive an initial derivation key is CSNBUKD. For AES-DUKPT, the initial derivation key can only be an AES key; within CCA it is specifically an AES DKYGENKY key whose KUF bits allow it to be used for DUKPT key derivation.
- working key
- This is the output key of the AES-DUKPT algorithm. It is used in cryptographic operations to encrypt, decrypt, authenticate or validate the transaction data, and is sometimes called the transaction key. Working keys are derived from the initial derivation key and the information in the derivation data structure. A user can derive a working key with the CSNBUKD verb and then pass that key as an input parameter to other CCA verbs for the given transaction; the working key is discarded once the transaction is complete. Alternatively, several CCA verbs can be instructed to derive the working key inline, so that no separate derived key token has to be handled. The verbs that support inline AES-DUKPT key derivation are CSNBPTR2, CSNBPTRE, CSNBPVR, CSNBFPEE, CSNBFPET and CSNBFPED.
AES-DUKPT derivation data
The following data structure specifies the input parameters for deriving both initial derivation keys and working keys. The initial terminal DUKPT key (initial key) is used together with the transaction counter to derive the transaction key, also called the working key. Once the transaction key has been derived and the transaction has completed, the terminal does not preserve any information from which that transaction key could be re-derived.
| Offset | Length of field (bytes) | Field name | Description |
|---|---|---|---|
| 0 | 1 | Version | Version ID of this table structure. Allowed value: X'01'. |
| 1 | 1 | Key block counter | A counter that is incremented for each 16-byte block of keying material generated for a pair of encryption and MAC keys. Starts at 1 for each key being generated. Allowed values: X'01' – X'02'. |
| 2 | 2 | Key usage indicator | Indicates how the key to be derived is to be used. The initial terminal key is always a key derivation key. Allowed values: Note: X'2000', X'2001', X'3000', and X'3001' do not represent complementary keys. A key derived using X'2000' will not be the same key as is derived for the X'2001' usage value. Instead, the values represent the viewpoint of the terminal operator (for example, whether the terminal will use the key for that purpose). |
| 4 | 2 | Algorithm indicator | Indicates the encipherment algorithm that is going to use the derived key. Allowed values: |
| 6 | 2 | Length | Length, in bits, of the keying material being generated. Allowed values: |
| 8 | 8 | Initial key ID | The terminal's initial key ID, the leftmost 64 bits of the key serial number. Allowed range: X'0000000000000000' to X'FFFFFFFFFFFFFFFF'. |
| 16 | 4 | Transaction counter | The 32-bit transaction counter. Allowed range: X'00000000' to X'FFFFFFFF'. |
Supported CCA key types for AES-DUKPT derived working keys
The following table lists the types of CCA keys that can be derived using the AES-DUKPT algorithm:
| Derived working key | AES key type | 2-Key TDES/3-Key TDES key type |
|---|---|---|
| PIN Encryption | PINPROT | IPINENC/OPINENC |
| MAC | MAC | MAC / MACVER |
| Key encrypting key | IMPORTER/EXPORTER | IMPORTER/EXPORTER |
| Key derivation key | DKYGENKY | KEYGENKY (2-Key TDES only) |
| Data encryption | CIPHER | CIPHER/ENCIPHER/DECIPHER |
| HMAC | N/A | N/A |
AES-DUKPT allowed derived working key sizes
ANSI X9.24 specifies that a working key shall be of the same strength as, or weaker than, the key from which it is derived. The following table shows the allowed working key sizes for each AES base derivation key size:
| Derived working key | AES-128 base derivation key | AES-192 base derivation key | AES-256 base derivation key |
|---|---|---|---|
| 2TDES | allowed | allowed | allowed |
| 3TDES | allowed | allowed | allowed |
| AES-128 | allowed | allowed | allowed |
| AES-192 | not allowed | allowed | allowed |
| AES-256 | not allowed | not allowed | allowed |
| HMAC-128 | allowed | allowed | allowed |
| HMAC-192 | not allowed | allowed | allowed |
| HMAC-256 | not allowed | not allowed | allowed |
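The following Python is an added example, not IBM CCA code, that ties the two tables above together: it builds and parses the 20-byte derivation data structure described earlier (version, key block counter, key usage, algorithm, length, initial key ID, transaction counter) and applies the working key size rule from the table just shown. The offsets, allowed ranges and the version/counter values come from this page; the numeric code points for key usage, algorithm and length are not listed on this page and are assumed here from ANSI X9.24-3 (the page confirms only X'2000', X'2001', X'3000' and X'3001' as key usage values). The function names are this example's own.

```python
"""Added example (not IBM CCA code): build, parse and validate the
AES-DUKPT derivation data structure, and check working-key sizes
against the BDK size table. Code points for key usage, algorithm and
length are ASSUMED from ANSI X9.24-3; the page does not list them."""
import struct

VERSION = 0x01                 # only allowed version on the page
DERIVATION_DATA_LEN = 20       # 1+1+2+2+2+8+4 bytes per the offset table
LAYOUT = ">BBHHH8sI"           # big-endian: ver, blk ctr, usage, alg, len, IKID, TC

# Assumed code points (ANSI X9.24-3), not given on the page.
KEY_USAGE = {"key_encryption": 0x0080, "pin_encryption": 0x1000,
             "mac_generate": 0x2000, "mac_verify": 0x2001,
             "data_encrypt": 0x3000, "data_decrypt": 0x3001,
             "key_derivation": 0x8000}
ALGORITHM = {"2TDES": 0x0000, "3TDES": 0x0001, "AES128": 0x0002,
             "AES192": 0x0003, "AES256": 0x0004, "HMAC": 0x0005}


def blocks_for_key_bits(key_bits):
    """Number of 16-byte key blocks needed; the counter may only be 1 or 2."""
    blocks = (key_bits + 127) // 128
    if not 1 <= blocks <= 2:
        raise ValueError("key length %d bits needs %d blocks; max is 2" % (key_bits, blocks))
    return blocks


def build_derivation_data(usage, algorithm, key_bits, initial_key_id,
                          transaction_counter, block_counter=1):
    """Serialise one derivation data structure, validating every field range."""
    if usage not in KEY_USAGE.values():
        raise ValueError("unknown key usage indicator 0x%04X" % usage)
    if algorithm not in ALGORITHM.values():
        raise ValueError("unknown algorithm indicator 0x%04X" % algorithm)
    if not 1 <= block_counter <= blocks_for_key_bits(key_bits):
        raise ValueError("key block counter %d out of range" % block_counter)
    if len(initial_key_id) != 8:
        raise ValueError("initial key ID must be the leftmost 64 bits of the KSN")
    if not 0 <= transaction_counter <= 0xFFFFFFFF:
        raise ValueError("transaction counter must fit in 32 bits")
    return struct.pack(LAYOUT, VERSION, block_counter, usage, algorithm,
                       key_bits, initial_key_id, transaction_counter)


def derivation_data_blocks(usage, algorithm, key_bits, initial_key_id, transaction_counter):
    """One structure per 16-byte block of keying material, counter 1, 2, ..."""
    return [build_derivation_data(usage, algorithm, key_bits, initial_key_id,
                                  transaction_counter, block_counter=i)
            for i in range(1, blocks_for_key_bits(key_bits) + 1)]


def parse_derivation_data(buf):
    """Decode a structure and reject anything outside the page's allowed values."""
    if len(buf) != DERIVATION_DATA_LEN:
        raise ValueError("expected %d bytes, got %d" % (DERIVATION_DATA_LEN, len(buf)))
    version, block_counter, usage, algorithm, key_bits, ikid, tc = struct.unpack(LAYOUT, buf)
    if version != VERSION:
        raise ValueError("unsupported version 0x%02X" % version)
    if block_counter not in (1, 2):
        raise ValueError("key block counter 0x%02X not allowed" % block_counter)
    return {"version": version, "key_block_counter": block_counter,
            "key_usage": usage, "algorithm": algorithm, "key_bits": key_bits,
            "initial_key_id": ikid, "transaction_counter": tc}


def is_valid_derivation_data(buf):
    """Boolean wrapper around parse_derivation_data for callers that just gate."""
    try:
        parse_derivation_data(buf)
        return True
    except ValueError:
        return False


def working_key_size_allowed(bdk_bits, algorithm_name, key_bits):
    """Apply the 'same strength or weaker' table: TDES keys are allowed under
    any AES BDK; AES and HMAC working keys may not exceed the BDK size."""
    if bdk_bits not in (128, 192, 256):
        raise ValueError("BDK must be AES-128, AES-192 or AES-256")
    if algorithm_name in ("2TDES", "3TDES"):
        return True
    if algorithm_name in ("AES", "HMAC"):
        return key_bits in (128, 192, 256) and key_bits <= bdk_bits
    raise ValueError("unknown working key algorithm %r" % algorithm_name)


if __name__ == "__main__":
    # Constructed sample input: an arbitrary initial key ID and counter value.
    ikid = bytes.fromhex("0123456789ABCDEF")
    for blob in derivation_data_blocks(KEY_USAGE["pin_encryption"], ALGORITHM["AES256"], 256, ikid, 5):
        print(blob.hex(), parse_derivation_data(blob)["key_block_counter"])
    print(working_key_size_allowed(128, "AES", 256))  # AES-256 under an AES-128 BDK
```

A 256-bit working key needs two 16-byte blocks, so the builder emits two structures that differ only in the key block counter (X'01' and X'02'); the parser rejects any other version or counter value, which is the check an HSM-side validator would apply before deriving.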