The Derived Unique Key Per Transaction (DUKPT) System of “derived” keys is used in a point-of-sale (POS) environment where any one acquirer can accept transactions from a large number of PIN entry devices.
This technique involves the use of a non-secret “key serial number” and a secret “base derivation key”. On each transaction, the PIN pad uses a unique key based on a previous key and the key serial number, which contains a transaction counter. It encrypts the PIN with this key, then returns both the encrypted PIN and the key serial number to the acquirer. In the HSM the key generated by the PIN pad is “derived”, using the original base derivation key and the key serial number supplied by the PIN pad.
The same base derivation key can be used by thousands of PIN pads because each PIN pad has a unique serial number. Therefore each PIN pad produces a unique key for every transaction and a successful cryptographic attack on one PIN pad will have no effect on any other. The acquirer only has to manage a relatively small number of base derivation keys, and the algorithm to derive a given transaction key is designed in such a way as to require very little overhead in the HSM.
The Host has the responsibility for maintaining the base derivation keys. For each transaction, the Host verifies that the serial number supplied by the PIN pad is valid and extracts from internal storage the appropriate encrypted base derivation key identified by the left-most portion of the serial number. The Host controls base derivation key generation.
This section describes the facilities in the HSM to manage the POS-derived key environment: generating the base derivation keys and online PIN translation and verification transactions.
Single-DES and Triple-DES variants of DUKPT
The HSM supports both single DES and Triple-DES variants of DUKPT. The Triple-DES version was introduced in the 2002 version of the ANSI X9.24 standard.
The single-DES version of DUKPT is provided with all HSM models in standard software. Triple-DES DUKPT is available as an optional extra for both RG7xx0 and HSM 8000 ranges.
The Key Serial Number (KSN) is a variable-length hexadecimal value which uniquely identifies each PIN pad. This number consists of several fields, as follows:
· Base derivation key identifier (mandatory): five to nine hexadecimal characters.
· Sub-key identifier (optional): reserved for future use. Currently set to zero.
· Device identifier (mandatory), used to ensure that this key serial number is unique: two to five hexadecimal digits. No two PIN pads with the same base derivation key and sub-key identifiers may be given the same device identifier. Because the PIN pad packs the left-most bit of the transaction counter as the right-most bit of the device identifier, this field is always even (the right-most bit is set to zero).
· Transaction counter supplied by the PIN pad to identify a particular transaction: 21 bits. Used by the HSM to compute the actual PIN key. The left-most bit is supplied as the right-most bit of the device identifier.
The PIN pad cannot accept a serial number longer than 20 characters, so the Host ensures that the total length of the first three fields does not exceed 15 characters.
The Host also supplies to the HSM a three-character KSN descriptor, which defines the length of each field in characters. It is included with the KSN in Host storage, and is used by the Host to identify the base derivation key. The KSN descriptor consists of:
· Left character: base derivation key identifier length.
· Middle character: sub-key identifier key length (0 if no sub-key is defined).
· Right character: device identifier length.
The HSM supports single-length Zone Master Keys (ZMKs), 16 hexadecimal characters (64 bits); and double-length Zone Master Keys (*ZMKs), 32 hexadecimal characters (128 bits). (A double-length key is indicated by an asterisk (*) preceding the key type). The DUKPT command set ignores the S/D (single/double length) parameter set by the CS (Configure Security) command.
Base Derivation Keys (*BDKs) are double-length keys. There are three Host transactions to generate and translate *BDKs. The BI command generates a random *BDK and returns it to the Host encrypted under Local Master Key (LMK) pair 28-29. The DW command accepts a *BDK encrypted under a Zone Master Key (*ZMK) and translates it to LMK pair 28-29. The DY command translates a *BDK from LMK to *ZMK encryption.
The HSM performs two functions for the Host communicating with POS terminals:
· It translates a PIN from encryption under the base derivation key to encryption under the appropriate interchange key shared between the acquirer and the issuer or switch.
· It verifies the PINs received from a terminal using base derivation keys. All four HSM verification methods (IBM, Diebold, VISA PVV and Encrypted PIN) are supported.
· MAC Generation and Verification