Deriving an ANS X9.24 DUKPT key

Edit online

To determine the current-transaction encrypting key used by a terminal which is encrypting PIN-blocks under the ANS X9.24 standard, the ANS X9.24 algorithm uses a derivation key and the current-key serial number (CKSN) as inputs.

The derivation key must be a double-length KEYGENKY key-type with the UKPT control vector bit set on. The right half of the derivation key cannot be the same as the left half of the derivation key.
The initial key serial number is a 59-bit value that contains terminal identification information that is unique among the set of terminals initialized under a given derivation key.
The encryption counter is a 21-bit counter value. The value in the counter is set to 0 when the terminal is initialized. The counter increments each time the terminal performs a PIN-block encryption. The counter increments such that a maximum of 10 bits can be set on; the counter can record 1.000.000 encryptions.
The CKSN is the concatenation of the initial key serial number and the encryption counter. This concatenation is an 80-bit (10-byte) value.

The calculation method consists of the following steps:

Calculate the initial encrypting key. To calculate the initial encrypting key, do the following:
1. Move the leftmost 8 bytes of the CKSN to a work area (C_a).
2. Perform an AND operation with the last byte of C_a and X'EO'. This operation clears the high-order bits of the encryption counter. The value that C_a now contains is the initial serial number that was loaded when the PIN keypad was initialized.
3. Encrypt C_a, using the left half of the derivation key; name the result C_b.
4. Decrypt C_b, using the right half of the derivation key; name the result C_c.
5. Encrypt C_c, using the left half of the derivation key; name the result C_d. C_d is the initial PIN encrypting key that was loaded when the terminal was initialized.
6. Rename C_d to be K_a, the initial PIN encrypting key.
Calculate the current encrypting key. To calculate the current encrypting key, do the following:
1. Move the rightmost 8 bytes of the CKSN to a work area (W_a).
2. Move the rightmost 3 bytes of W_a to another work area (C_a).
3. Perform an AND operation with the rightmost 3 bytes of W_a with X'E00000'. This operation clears the encryption counter from W_a.
4. Perform an AND operation with C_a and X'1FFFFF'. This operation clears the low-order bits of the initial serial number from the encryption counter.
5. Initialize a 3-byte area to X'100000'; name the result S_a.
6. Initialize a 1-byte counter to X'00'; name the result B_a.
7. Test each bit of the encryption counter, looking for B'1' bits by doing the following loop:
  - When a B'1' bit is found, it ORs this bit into the initial serial number. It then special encrypts the result with K_a.
  - The result of this special encryption is the new K_a.
  - When all B'1' bits are processed, a variant of the value in K_a becomes the current encrypting key.
  Use the following procedure to do this loop:
```
DO i=1 to 21
 a. IF (C_a AND S_a) is not equal to 0 THEN DO
    1) ADD 1 to B_a
    2) IF B_a > 10 THEN exit algorithm with an error
       indicating too many B'1' bits were set in the encryption
       counter
    3) OR S_a into the rightmost 3 bytes of W_a;
       store the result in T_a
    4) XOR T_a and K_a; store the result in T_b
    5) Encrypt T_b with K_a; store the result in T_c
    6) XOR T_c with K_a; store the result in K_a
 b. END IF
 c. Shift S_a one bit to the right.
    Fill in on the left with a B'0' bit.
 END DO
```
  The value in K_a is the current encrypting key.
  Note: The CCA implementation does not adjust key parity on any of the bytes of the derived encrypting key before encrypting them under its master key. Parity adjustment is not done because the key value is used in two XOR operations during the special decrypt process of recovering the clear PIN-block.

The following is an example of calculating the initial PIN encrypting key:

Derivation key = X'5152 5457 585B 5D5E 6162 6467 686B 6D6E'
Current key serial number = X'0123 4567 89AB CDF0 0001'
 
C_a = X'0123 4567 89AB CDE0'
C_b = X'6497 E2F4 C59D 952E'
C_c = X'0163 CE85 359F F599'
 
Initial PIN encrypting key = K_a₁ = C_d = X'21EE 7C08 DBE8 20AB'

The following is an example of calculating the current PIN encrypting key:

W_a = X'4567 89AB CDE0 0000'
C_a = X'10001'
S_a₁ = X'100000'
 
 
T_a₁ = X'4567 89AB CDF0 0000'
T_b₁ = X'6489 F5A3 1618 20AB'
T_c₁ = X'F9AC C638 1939 44BC'
K_a₂ = X'D842 BA30 C2D1 6417'
...
...
...
S_a₂₀ = X'000001'
T_a₂₀ = X'4567 89AB CDF0 0001'
T_b₂₀ = X'9D25 339B 0F21 6416'
T_c₂₀ = X'BF49 836E AE2A 042A'
K_a₂₀ = X'670B 395E 6CFB 603D'
 
Current PIN encrypting key = X'670B 395E 6CFB 60C2'