Can A Virtual Hsm Generate Dukpt Keys

Can A Virtual Hsm Generate Dukpt Keys 7,1/10 3812 votes

Virtual Keys and Virtual Character Keys. With ordinary rules, you can match any key that produces a character. However, sometimes you may want to match other keys, for example Backspace, or Ctrl- or Alt-combinations. In order to match keys like these you need to use virtual keys. Every key on the keyboard is identified by a virtual key code. Gemalto is the leading provider of general purpose hardware security modules (HSMs) worldwide. Our SafeNet HSM product family – formerly known as Luna HSMs ndash; represents the highest-performing, most secure, and easiest-to-integrate HSM solution available on the market today.

In cryptography, Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derived from a fixed key. Therefore, if a derived key is compromised, future and past transaction data are still protected since the next or prior keys cannot be determined easily. DUKPT is specified in ANSI X9.24 part 1.

Overview[edit]

DUKPT allows the processing of the encryption to be moved away from the devices that hold the shared secret. The encryption is done with a derived key, which is not re-used after the transaction. DUKPT is used to encrypt electronic commerce transactions. While it can be used to protect information between two companies or banks, it is typically used to encrypt PIN information acquired by Point-Of-Sale (POS) devices.

DUKPT is not itself an encryption standard; rather it is a key management technique. The features of the DUKPT scheme are:

  • enable both originating and receiving parties to be in agreement as to the key being used for a given transaction,
  • each transaction will have a distinct key from all other transactions, except by coincidence,
  • if a present derived key is compromised, past and future keys (and thus the transactional data encrypted under them) remain uncompromised,
  • each device generates a different key sequence,
  • originators and receivers of encrypted messages do not have to perform an interactive key-agreement protocol beforehand.

History[edit]

DUKPT was invented in the late 1980s at Visa but didn’t receive much acceptance until the 1990s, when industry practices shifted towards recommending, and later requiring, that each device have a distinct encryption key.

Before DUKPT, state of the art was known as Master/Session, which required every PIN-encrypting device to be initialized with a unique master key. In handling transactions originating from devices using Master/Session key management, an unwanted side effect was the need for a table of encryption keys as numerous as the devices deployed. At a major merchant acquirer the table could become quite large indeed. DUKPT resolved this. In DUKPT each device is still initialized with a distinct key, but all of the initialization keys of an entire family of devices are derived from a single key, the base derivation key (BDK). To decrypt encrypted messages from devices in the field, the recipient need only store the BDK.

Keys[edit]

As stated above, the algorithm needs an initial single key which in the original description of the algorithm was called the super-secret key, but was later renamed to—in a more official-sounding way—Base Derivation Key (or BDK). The original name perhaps conveys better the true nature of this key, because if it is compromised then all devices and all transactions are similarly compromised.

This is mitigated by the fact that there are only two parties that know the BDK:

  • the recipient of the encrypted messages (typically a merchant acquirer)
  • the party which initializes the encryption devices (typically the manufacturer of the device).

The BDK is usually stored inside a tamper-resistant security module (TRSM), or hardware security module (HSM). It must remain clear that this key is not the one used to initialize the encryption device that will participate in DUKPT operations. See below for the actual encryption key generation process.

  • First: A key derived from the BDK, this is known as the IPEK (Initial PIN Encryption Key)
  • Second: The IPEK is then injected into the devices, so any compromise of that key compromises only the device, not the BDK. This creates yet another set of keys (inside the device) irreversibly derived from it (nominally called the Future Keys)
  • Fourth: Afterwards the IPEK is then immediately discarded. NOTE: This step contradicts 'Session Keys' section where it indicates that only 21 'Future Keys' are generated. The IPEK must be retained by the terminal in order generate the next batch of 21 Future Keys.
  • Fifth: Future Keys are used to encrypt transactions in the DUKPT process.

Upon detection of compromise the device itself a new is derived inside the and the Derived Key Generation Process

Communication[edit]

Origination[edit]

On the originating (encrypting) end, the system works as follows:

  1. A transaction is initiated which involves data to be encrypted. The typical case is a customer's PIN.
  2. A key is retrieved from the set of “Future Keys”
  3. This is used to encrypt the message, creating a cryptogram.
  4. An identifier known as the “Key Serial Number” (KSN) is returned from the encrypting device, along with the cryptogram. The KSN is formed from the device’s unique identifier, and an internal transaction counter.
  5. The (cryptogram, KSN) pair is forwarded on to the intended recipient, typically the merchant acquirer, where it is decrypted and processed further.
  6. Internally, the device does the following:
    1. Increments the transaction count (using an internal counter)
    2. Invalidates the key just used, and
    3. If necessary generates more future keys

Receiving[edit]

On the receiving (decrypting) end, the system works as follows:

  1. The (cryptogram, KSN) pair are received.
  2. The appropriate BDK (if the system has more than one) is located.
  3. The receiving system first regenerates the IPEK, and then goes through a process similar to that used on the originating system to arrive at the same encrypting key that was used (the session key). The Key Serial Number (KSN) provides the information needed to do this.
  4. The cryptogram is decrypted with session key.
  5. Any further processing is done. For merchant acquirers, this usually means encrypting under another key to forward on to a switch (doing a “translate”), but for certain closed-loop operations may involve directly processing the data, such as verifying the PIN.

Session Keys[edit]

The method for arriving at session keys is somewhat different on the originating side as it is on the receiving side. On the originating side, there is considerable state information retained between transactions, including a transaction counter, a serial number, and an array of up to 21 “Future Keys”. On the receiving side there is no state information retained; only the BDK is persistent across processing operations. This arrangement provides convenience to the receiver (a large number of devices may be serviced while only storing one key). It also provides some additional security with respect to the originator (PIN capture devices are often deployed in security-averse environments; the security parameters in the devices are ‘distant’ from the sensitive BDK, and if the device is compromised, other devices are not implicitly compromised).

Registers Usage[edit]

Backup Registers[edit]

The following storage areas relating to key management are maintained from the time of the 'Load Initial Key' command for the life of the PIN Entry Device:

Initial Key Serial Number Register (59 bits)[edit]

Holds the left-most 59 bits of the key serial number, that was initially injected into the PIN Entry Device along with the initial PIN encryption key during the 'Load Initial Key' command. The contents of this register remain fixed for the service-life of the PIN Entry Device or until another 'Load Initial Key' command.

Encryption Counter (21 bits)[edit]

A counter of the number of PIN encryptions that have occurred since the PIN Entry Device was first initialized. Certain counter values are skipped (as explained below), so that over 1 million PIN encryption operations are possible. Note: The concatenation (left to right) of the Initial Key Serial Number Register and the Encryption Counter form the 80-bit (20 hexadecimal digits) Key Serial Number Register.

Future Key Registers (21 registers of 34 hexadecimal digits each)[edit]

A set of 21 registers, numbered #1 to #21, used to store future PIN encryption keys. Each register includes a 2 hexadecimal digit longitudinal redundancy check (LRC) or a 2 hexadecimal digit cyclical redundancy check (CRC).


Temporary Registers[edit]

The following storage areas relating to key management are required on a temporary basis and may be used for other purposes by other PIN processing routines:

Current Key Pointer (approximately 4 hexadecimal digits)[edit]

Contains the address of that Future Key Register whose contents are being used in the current cryptographic operation. It identifies the contents of that Future Key Register whose address is contained in the Current Key Pointer.

Shift Register (21 bits)[edit]

A 21-bit register, whose bits are numbered left to right as #1 to #21. This register normally contains 20 'zero' bits and a single 'one' bit. One use of this register is to select one of the Future Key Registers. The Future Key Register to be selected is the one numbered identically to the bit in the Shift Register containing the single 'one'.

Crypto Register-1 (16 hexadecimal digits)[edit]

A register used in performing cryptographic operations.

Crypto Register-2 (16 hexadecimal digits)[edit]

A second register used in performing cryptographic operations.

Key Register (32 hexadecimal digits)[edit]

A register used to hold a cryptographic key.

Practical Matters (KSN scheme)[edit]

In practical applications, one would have several BDKs on record, possibly for different customers, or to contain the scope of key compromise. When processing transactions, it is important for the receiver to know which BDK was used to initialize the originating device. To achieve this, the 80-bit KSN is structured into three parts: as Key Set ID, a TRSM ID, and the transaction counter. The algorithm specifies that the transaction counter is 21-bits, but treats the remaining 59 bits opaquely (the algorithm only specifies that unused bits be 0-padded to a nibble boundary, and then 'f' padded to the 80-bit boundary). Because of this, the entity managing the creation of the DUKPT devices (typically a merchant acquirer) is free to subdivide the 59 bits according to their preference.

The industry practice is to designate the partitioning as a series of three digits, indicating the number of hex digits used in each part: the Key Set ID, the TRSM ID, and the transaction counter. A common choice is '6-5-5', meaning that the first 6 hex digits of the KSN indicate the Key Set ID (i.e., which BDK is to be used), the next 5 are the TRSM ID (i.e. a device serial number within the range being initialized via a common BDK), and the last 5 are the transaction counter.

This notational scheme is not strictly accurate, because the transaction counter is 21 bits, which is not an even multiple of 4 (the number of bits in a hex digit). Consequently, the transaction counter actually consumes one bit of the field that is the TRSM ID (in this example that means that the TRSM ID field can accommodate 2(5*4-1) devices, instead of 2(5*4), or about half a million).

Also, it is common practice in the industry to use only 64-bits of the KSN (probably for reasons pertinent to legacy systems, and DES encryption), which would imply that the full KSN is padded to the left with four ‘f’ hex digits. Ea all games key generator. The remaining 4 hex digits (16-bits) are available, nonetheless, to systems which can accommodate them.

The 6-5-5 scheme mentioned above would permit about 16 million BDKs, 500,000 devices per BDK, and 1 million transactions per device.

Retrieved from 'https://en.wikipedia.org/w/index.php?title=Derived_unique_key_per_transaction&oldid=933255734'

Dukpt.NET is a C# implementation of the Derived Unique Key Per Transaction (DUKPT) process that's described in Annex A of ANS X9.24-2004.

To install Dukpt.NET, run the following command in the Package Manager Console:

Can A Virtual Hsm Generate Dukpt Keys Download

Usage

Overview

It's no secret that Annex A is hard to understand, and the entire process isn't explained in a manner that's easy to follow or translate into code. One of the reasons it's difficult to understand is that it was written from the perspective of an electrical/computer engineer that would directly implement these instruction on the devices/swipers themselves, and as a result it mentions various registers and operations that most of us don't have much experience with. So it's not necessarily for high-level software developers looking to use the process either for new software, backwards compatibility with existing technology, or logging/testing purposes.

I wrote this implementation of DUKPT for fun. This library only has about 100 lines of code and only focuses on DUKPT encryption and decryption.

It still amazes me how scarcely documented this process is, even though it seems like a fairly standard practice. Unfortunately, the advice people usually receive it to purchase the spec for $140.

Key Management

Can A Virtual Hsm Generate Dukpt Keys On Mac

I'm sure you can find a more extensive overview of this process somewhere else, but here's a basic outline of the technique:

  1. You're given a Base Derivation Key (BDK), which you assign to a swiper (note that the same BDK can be assigned to multiple swipers).
  2. You'll use the BDK along with the device's own unique Key Serial Number (KSN) to generate an Initial PIN Encryption Key (IPEK) for the device.
  3. You'll assign this IPEK to a swiper, which uses it to irreversibly generate a list of future keys, which it'll use to encrypt its messages.
  4. The swiper's KSN is used along with one of its future keys to encrypt a message, and after each swipe it'll increment the value of its KSN.
  5. Whenever a swiper takes a card it formats the card's information into a series of tracks, each track having a particular set of information (e.g. card number, holder's name, expiration date).
  6. The swiper usually encrypts these tracks using one of its generated future keys (called the 'Session Key') along with its current KSN. It'll then increment the value of its KSN and discard the future key it used.
  7. At this point you'll probably have an encrypted track along with the KSN the swiper used to encrypt it.
  8. It's your responsibility to determine what BDK was used to initialize this device, and from there you'll use the BDK and KSN to rederive the IPEK, which is used to rederive the Session Key, which is finally used to decrypt the message.

There's a lot of technical information to be said about key management, but this isn't the place for that. In some cases your provider/manufacturer (e.g. MagTek) will supply you with swipers that need to be initialized with an IPEK, and your supplier will usually have a manual that walks you through that process. If you're doing encryption/decryption through a third party who also supplies swipers, they may have already loaded the devices with that information; what's more is they may not even given you the BDK that belongs to your device in order to reduce the risk of security threats.

Note: Key management is beyond the scope of this project and this explanation. Whatever you do with your keys, just make sure it's secure.

One methodology I've seen that'll allow you to associate a particular KSN to a BDK is to take the current KSN you've been given, mask it to retrieve the Initial Key Serial Number (IKSN), and look up the BDK in a table that maps IKSNs to BDKs:

Example:

You'd then have a table that looks like:

IKSNBDK
0xFFFF9876543210E000000123456789ABCDEFFEDCBA9876543210
....

From which you could easily grab the BDK 0123456789ABCDEFFEDCBA9876543210.

Algorithm

Note: Assume that all numeric values are hexadecimal numbers, or the representation of a sequence of bytes as a hexadecimal number.

The following are the BDK, KSN, and encrypted track message (cryptogram) we've been given:

Here's an example of the unencrypted track 1 data (cryptogram above), and below that is its value in hex; this is what we'll get after successfully decrypting the cryptogram:

Note: As you're probably already aware, this algorithm is best described using big numbers, which can't be represented as literals in some programming languages (like Java or C#). However, many languages have classes that allow you to represent big numbers in other ways (e.g., java.math.BigInteger, System.Numerics.BigInteger). It's your job to adapt this algorithm so that it can be represented in your language of choice. Two small problems I encountered were ensuring the correct endianness and signedness were being used (this algorithm requires the byte order to be big endian and that unsigned integers are used). I made a utility class called BigInt to do this for me.

First, let's define a few standard functions:

  • DES and Triple DES refer to their respective cryptographic algorithms. Most programming languages have access to some implementation of these ciphers either through OpenSSL or Bouncy Castle. These ciphers are initialized with a zeroed out IV of 8 bytes, they're zero-padded, and use Cipher-Block Chaining (CBC). Let's define the signatures for these standard functions that'll be used throughout this algorithm:
    • DesEncrypt(key, message) -> returns cryptogram
    • DesDecrypt(key, cryptogram) -> returns message
    • TripleDesEncrypt(key, message) -> returns cryptogram
    • TripleDesDecrypt(key, cryptogram) -> returns message

First we must create the IPEK given then KSN and BDK:

Now we can get the IPEK:

After that we need a way to get the Session Key (this one is more complicated):

The DeriveKey method finds the IKSN and generates session keys until it gets to the one that corresponds to the current KSN. We define this method as:

Where the GenerateKey method looks like:

Can A Virtual Hsm Generate Dukpt Keys On Iphone

And EncryptRegister looks like:

Then you can generate the Session Key given the IPEK and KSN:

Which can be used to decrypt the cryptogram:

Can A Virtual Hsm Generate Dukpt Keys On Computer

That's it, you're done!