Performing the special encryption and special decryption processes
Learn about the steps to perform the encryption and decryption processes for deriving unique keys per transaction.
The special encryption process consists of the following steps:
- Name the derived unique key for the current transaction Ku.
- Name the clear PIN-block that was built from the user-entered PIN Pc.
- Perform an XOR operation with the rightmost byte of Ku and X'FF' to produce a variant of the key; name the result Kuv. Table 1 provides a list of all the variant constants for DUKPT keys.
- Perform an XOR operation with Kuv and Pc; store the result in T1.
- Encrypt T1 with Kuv; store the result in T2.
- Perform an XOR operation with T2 and Kuv; store the result in Pe.
The value in Pe is the encrypted PIN-block that the POS terminal sends.
| Key purpose | Variant constant, left | Variant constant, right |
|---|---|---|
| PIN encryption | X'00 00 00 00 00 00 00 FF' | X'00 00 00 00 00 00 00 FF' |
| Message authentication, request or both ways | X'00 00 00 00 00 00 FF 00' | X'00 00 00 00 00 00 FF 00' |
| Message authentication, response | X'00 00 00 00 FF 00 00 00' | X'00 00 00 00 FF 00 00 00' |
| Data encryption, request or both ways | X'00 00 00 00 00 FF 00 00' | X'00 00 00 00 00 FF 00 00' |
| Data encryption, response | X'00 00 00 FF 00 00 00 00' | X'00 00 00 FF 00 00 00 00' |
The special decryption process consists of the previous steps, but in reverse.
The following is an example of the special encryption process:
Current encrypting key = Ku = X'670B 395E 6CFB 603D'
User-entered PIN = 1234
User’s primary account-number = X'4012 3456 7890'
Clear PIN-block (unformatted) = X'0412 34FF FFFF FFFF'
Primary account-number (formatted) = X'0000 4012 3456 7890'
Clear PIN-block (ANS format) = Pc = X'0412 74ED CBA9 876F'
Variant of PIN encrypting key = Kuv = X'670B 395E 6CFB 60C2'
T1 = X'6319 4DB3 A752 E7AD'
T2 = X'5145 3CA3 E474 2148'
Pe = X'364E 05FD 888F 418A'
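
The steps and the table above can be traced in code. The following Python sketch is an added example, not code from the original page or from the product it documents: the function names are hypothetical, the account number is assumed to be passed as the 12 digits shown in the example, and the block cipher is supplied by the caller as a callable because the standard library has none.

```python
# Added example; names and the cipher callable are assumptions, not a product API.
VARIANTS = {  # variant constants from Table 1 (same value for left and right half)
    "pin": bytes.fromhex("00000000000000FF"),
    "mac_request": bytes.fromhex("000000000000FF00"),
    "mac_response": bytes.fromhex("00000000FF000000"),
    "data_request": bytes.fromhex("0000000000FF0000"),
    "data_response": bytes.fromhex("000000FF00000000"),
}

def xor(a, b):  # byte-wise XOR of two equal-length byte strings
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def clear_pin_block(pin, pan12):
    """Build Pc: unformatted PIN-block XOR formatted account number."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    if not (pan12.isascii() and pan12.isdigit() and len(pan12) == 12):
        raise ValueError("expected the 12 account-number digits")
    pin_field = bytes.fromhex(("0%X%s" % (len(pin), pin)).ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan12)
    return xor(pin_field, pan_field)

def key_variant(ku, purpose="pin"):
    """XOR the Table 1 constant into each 8-byte half of the key."""
    return xor(ku, VARIANTS[purpose] * (len(ku) // 8))

def special_encrypt(ku, pc, block_encrypt):
    """Steps 3 to 6 for an 8-byte Ku; block_encrypt(key, block) -> 8 bytes."""
    kuv = key_variant(ku)          # Kuv = Ku XOR PIN variant constant
    t1 = xor(kuv, pc)              # T1 = Kuv XOR Pc
    t2 = block_encrypt(kuv, t1)    # T2 = encrypt T1 with Kuv
    return xor(t2, kuv)            # Pe = T2 XOR Kuv

def special_decrypt(ku, pe, block_decrypt):
    """The same steps in reverse; block_decrypt(key, block) -> 8 bytes."""
    kuv = key_variant(ku)
    t2 = xor(pe, kuv)
    t1 = block_decrypt(kuv, t2)
    return xor(t1, kuv)            # recovers Pc

if __name__ == "__main__":
    ku = bytes.fromhex("670B395E6CFB603D")
    pc = clear_pin_block("1234", "401234567890")
    # Stand-in cipher: returns the T2 value printed in the example above.
    page_cipher = lambda key, block: bytes.fromhex("51453CA3E4742148")
    print(special_encrypt(ku, pc, page_cipher).hex().upper())
```

To run it against real traffic, replace the stand-in with the encrypt and decrypt functions of the cipher your system uses for this key.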