Key management

Key management — Methods and types to perform key management.

Description

This section defines the types and methods required to perform key generation based on DUKPT (Derived Unique Key Per Transaction).

Functions

dukpt_compute_ipek ()

void
dukpt_compute_ipek (const dukpt_key_t *bdk,
                    const dukpt_ksn_t *ksn,
                    dukpt_key_t *out_ipek);

Computes the device-specific IPEK (Initial PIN Encryption Key) from a given bdk and the device serial number carried in the ksn.

The 21 counter bits of the ksn are ignored when computing the IPEK, so any KSN of the device yields the same IPEK.

Example 1. Generate IPEK

#include <stdio.h>
#include <string.h>
/* plus the libdukpt header that declares dukpt_key_t, dukpt_ksn_t and dukpt_compute_ipek() */

/* KSN of the device; the trailing counter bits are ignored for IPEK derivation. */
static const dukpt_ksn_t ksn = {
    0x62, 0x99, 0x49, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01
};
/* Base Derivation Key; test vector only, never embed a production BDK in source. */
static const dukpt_key_t bdk = {
    0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
    0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10
};
/* Known-good IPEK for this BDK and KSN. */
static const dukpt_key_t expected_ipek = {
    0xb5, 0x61, 0x06, 0x50, 0xeb, 0xc2, 0x4c, 0xa3,
    0xca, 0xcd, 0xd0, 0x8d, 0xda, 0xfe, 0x8c, 0xe3
};

int
main (void)
{
    dukpt_key_t ipek;

    dukpt_compute_ipek (&bdk, &ksn, &ipek);

    if (memcmp (ipek, expected_ipek, DUKPT_KEY_SIZE) == 0) {
        printf ("Correct IPEK generated\n");
        return 0;
    }
    printf ("Unexpected IPEK generated\n");
    return 1;
}

Parameters

bdk
    location of a dukpt_key_t with the Base Derivation Key.

ksn
    location of a dukpt_ksn_t with the Key Serial Number.

out_ipek
    output location of a dukpt_key_t where to store the generated IPEK.

dukpt_compute_key ()

void
dukpt_compute_key (const dukpt_key_t *ipek,
                   const dukpt_ksn_t *ksn,
                   dukpt_key_type_t type,
                   dukpt_key_t *out_key);

Computes a derived transaction key from a given device-specific ipek and transaction-specific ksn. The type selects which key variant (PIN, MAC or data, request or response) is derived.

Example 2. Generate PIN key

#include <stdio.h>
#include <string.h>
/* plus the libdukpt header that declares dukpt_key_t, dukpt_ksn_t and dukpt_compute_key() */

/* KSN of this transaction: device part followed by the 21-bit counter (here 3). */
static const dukpt_ksn_t ksn = {
    0x62, 0x99, 0x49, 0x01, 0x2c,
    0x00, 0x00, 0x00, 0x00, 0x03
};
/* Device-specific IPEK, as obtained from dukpt_compute_ipek() or injected into the device. */
static const dukpt_key_t ipek = {
    0xd2, 0x94, 0x3c, 0xcf, 0x80, 0xf4, 0x2e, 0x88,
    0xe2, 0x3c, 0x12, 0xd1, 0x16, 0x2f, 0xd5, 0x47
};
/* Known-good PIN encryption key for this IPEK and KSN. */
static const dukpt_key_t expected_key = {
    0x84, 0x1a, 0xb7, 0xb9, 0x4e, 0xd0, 0x86, 0x14,
    0xc2, 0xb8, 0xa8, 0x38, 0x5d, 0xa7, 0xdf, 0x35
};

int
main (void)
{
    dukpt_key_t key;

    dukpt_compute_key (&ipek, &ksn, DUKPT_KEY_TYPE_PIN_ENCRYPTION, &key);

    if (memcmp (key, expected_key, DUKPT_KEY_SIZE) == 0) {
        printf ("Correct PIN key generated\n");
        return 0;
    }
    printf ("Unexpected PIN key generated\n");
    return 1;
}

Parameters

ipek
    location of a dukpt_key_t specifying the device-specific IPEK.

ksn
    location of a dukpt_ksn_t specifying the KSN for the specific transaction.

type
    the dukpt_key_type_t to generate.

out_key
    output location of a dukpt_key_t where to store the generated key.

Types and Values

dukpt_ksn_t

typedef uint8_t dukpt_ksn_t [10];

The Key Serial Number, an 80-bit field formed from the device-unique identifier followed by the 21-bit transaction counter.
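The split of a KSN into device identifier and counter, and the "initial KSN" that dukpt_compute_ipek() effectively works from when it ignores the counter bits, as an added example that is not part of the library's own code. It assumes, per ANSI X9.24 DUKPT, that the counter is the low-order 21 bits of the 80-bit KSN and that a conforming device never sets more than 10 of those bits; the helper names are hypothetical and the test vectors are the two KSNs shown on this page.

```c
#include <stdint.h>
#include <string.h>

typedef uint8_t dukpt_ksn_t[10];       /* same shape as the library typedef */
#define KSN_COUNTER_MASK 0x1FFFFFu      /* low-order 21 bits of the 80-bit KSN (assumption: X9.24) */

/* Transaction counter: the 21 least-significant bits of the KSN. */
uint32_t ksn_counter(const dukpt_ksn_t ksn)
{
    uint32_t low = ((uint32_t)ksn[7] << 16) | ((uint32_t)ksn[8] << 8) | ksn[9];
    return low & KSN_COUNTER_MASK;
}

/* Number of set bits in the counter. X9.24 allows at most 10, so a heavier
 * counter cannot have come from a conforming device and should be rejected. */
unsigned ksn_counter_weight(const dukpt_ksn_t ksn)
{
    uint32_t c = ksn_counter(ksn); unsigned w = 0;
    for (; c != 0; c &= c - 1) w++;
    return w;
}

/* A zero counter is the initial KSN, not a transaction KSN. */
int ksn_counter_is_valid(const dukpt_ksn_t ksn)
{
    return ksn_counter(ksn) != 0 && ksn_counter_weight(ksn) <= 10;
}

/* Initial KSN: the same bytes with the counter cleared. This is what IPEK
 * derivation depends on, since dukpt_compute_ipek() ignores the counter. */
void ksn_initial(const dukpt_ksn_t ksn, dukpt_ksn_t out)
{
    memcpy(out, ksn, sizeof(dukpt_ksn_t));
    out[7] &= 0xE0;   /* upper 3 bits of byte 7 still belong to the device part */
    out[8] = 0;
    out[9] = 0;
}

/* Two KSNs map to the same IPEK exactly when their initial forms are equal. */
int ksn_same_device(const dukpt_ksn_t a, const dukpt_ksn_t b)
{
    dukpt_ksn_t ia, ib;
    ksn_initial(a, ia);
    ksn_initial(b, ib);
    return memcmp(ia, ib, sizeof(dukpt_ksn_t)) == 0;
}

/* KSNs from the two examples on this page (counters 1 and 3, different device parts). */
static const dukpt_ksn_t example1_ksn = { 0x62, 0x99, 0x49, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
static const dukpt_ksn_t example2_ksn = { 0x62, 0x99, 0x49, 0x01, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x03 };
```

A receiver that checks ksn_counter_is_valid() before calling dukpt_compute_key() rejects malformed KSNs early, and ksn_same_device() tells whether two KSNs can legitimately have been produced under one IPEK.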


DUKPT_KSN_SIZE

#define DUKPT_KSN_SIZE sizeof (dukpt_ksn_t)

The size of a dukpt_ksn_t (10 bytes).


dukpt_key_t

typedef uint8_t dukpt_key_t [16];

A 16-byte key.


DUKPT_KEY_SIZE

#define DUKPT_KEY_SIZE sizeof (dukpt_key_t)

The size of a dukpt_key_t (16 bytes).


enum dukpt_key_type_t

The type of key that may be derived from a given IPEK and KSN for a specific device transaction.

The DUKPT_KEY_TYPE_DERIVED value is given for completeness only; it should not be needed in any real-world use case, since transaction data is always protected with one of the variant keys.

Members

DUKPT_KEY_TYPE_DERIVED
    Base derived key.

DUKPT_KEY_TYPE_PIN_ENCRYPTION
    PIN encryption variant derived key.

DUKPT_KEY_TYPE_MAC_REQUEST
    MAC request variant derived key.

DUKPT_KEY_TYPE_MAC_RESPONSE
    MAC response variant derived key.

DUKPT_KEY_TYPE_DATA_REQUEST
    Data request variant derived key.

DUKPT_KEY_TYPE_DATA_RESPONSE
    Data response variant derived key.