*** Welcome to piglix ***

Derived unique key per transaction


In cryptography, Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derived from a fixed key. Therefore, if a derived key is compromised, future and past transaction data are still protected since the next or prior keys cannot be determined easily. DUKPT is specified in ANSI X9.24 part 1.

DUKPT allows the processing of the encryption to be moved away from the devices that hold the shared secret. The encryption is done with a derived key, which is not re-used after the transaction. DUKPT is used to encrypt electronic commerce transactions. While it can be used to protect information between two companies or banks, it is typically used to encrypt PIN information acquired by Point-Of-Sale (POS) devices.

DUKPT is not itself an encryption standard; rather it is a key management technique. The features of the DUKPT scheme are:

DUKPT was first invented in the late 1980s at Visa, but it didn’t receive much acceptance until the 1990s. It was during this later period that the industry practices shifted towards recommending (and later requiring) that each device have a distinct encryption key.

Before DUKPT, state-of-the-art at the time scheme was known as Master/Session. This required every PIN encrypting device to be initialized with a unique master key. This created the unwanted side effect where a table of encryption keys as large as the number of devices deployed was needed, when handling transactions originating from devices using Master/Session key management, given the need for unique keys per device. This table could become quite large for a major merchant acquirer. DUKPT solved this problem because—although each device is still initialized with a distinct key—this device initialization key is derived from a different key which an entire family of devices may share. Hence, the recipient of encrypted messages needs only to store one key to support a large number of devices in the field, while simultaneously meeting the unique-key-per-device requirement.

As stated above, the algorithm needs an initial single key which in the original description of the algorithm was called the super-secret key, but was later renamed to—in a more official-sounding way—Base Derivation Key (or BDK). The original name perhaps conveys better the true nature of this key, because if it is compromised then all devices and all transactions are similarly compromised.

This is mitigated by the fact that there are only two parties that know the BDK:

The BDK is usually stored inside a Tamper-Resistant security module (TRSM), or Hardware Security Module (HSM). It must remain clear that this key is not the one used to initialize the encryption device that will participate in DUKPT operations. See below for the actual encryption key generation process.


...
Wikipedia

...