Usage notes

Usage notes for the CSNBUKD (Unique Key Derive) verb.

The DUKPT key derivation process of the ANS X9.24 standard defines methods for deriving keys for these separate purposes:
  1. PIN encryption – PIN encryption and decryption
  2. Message authentication (MAC) – MAC generation and MAC verification
  3. Data encryption – data encryption and data decryption

These separate variations of the DUKPT key derivation process provide key separation between the keys derived for PIN, message authentication, and data encryption purposes. Unique Key Derive can produce from one to three derived keys, at most one per variation depending on the desired key purpose, in operational DES key tokens. Which key tokens are produced for these three purposes is determined by the output key selection keywords specified in the rule array.

The verb can optionally produce an external initial PIN encryption key (IPEK), either in a non-CCA key token or in a TR-31 key block, TDES-wrapped under the key identified by the transport_key_identifier parameter. The IPEK is created by taking the base derivation key and encrypting the 59-bit initial key serial number contained in the derivation data (the same value that was loaded when the PIN keypad was initialized).

The DUKPT key derivation process that is defined in the ANS X9.24 standard describes the use of the derived keys in terms of a terminal, which sends requests, and a host, which processes those requests and sends responses.

Beginning with Release 5.5, two groups of direction or initiation rule-array keywords are added: one group for deriving MAC keys and the other for deriving data encryption keys. These keywords specify the purpose of the key (MAC or data encryption) and whether the key is used to send or receive a request or to send or receive a response.

When a key is derived, it must be known whether that key is used as a terminal-side key (term) or a host-side key (host). The key usage carried in the skeleton key token (for example, a MACVER key usage of MAC verify) determines the key usage of the derived key. Where DUKPT assigns different key usages to the terminal and host keys, the correct usage must be chosen as shown in Table 1. The table also shows the key variant used in the derivation process for each DUKPT key usage.
Table 1. DUKPT key variants for derived keys

The variant column shows the 8-byte mask repeated for both halves of the double-length key.

DUKPT key usage description                  | DUKPT variant (hexadecimal)                      | Direction or initiation keyword | CCA key type (key usage)
---------------------------------------------|--------------------------------------------------|---------------------------------|-------------------------
PIN encryption                               | 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 FF | N/A                             | DATA, IPINENC, OPINENC
Message authentication, request or both ways | 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 FF 00 | No direction keyword            | MAC, MAC (GENONLY)
                                             |                                                  | REQ-MAC                         | MAC
Message authentication, response             | 00 00 00 00 FF 00 00 00 00 00 00 00 FF 00 00 00 | No direction keyword            | MACVER
                                             |                                                  | RSP-MAC (term)                  | MACVER
                                             |                                                  | RSP-MAC (host)                  | MAC (GENONLY)
Data encryption, request or both ways        | 00 00 00 00 00 FF 00 00 00 00 00 00 00 FF 00 00 | No direction keyword            | CIPHER, ENCIPHER
                                             |                                                  | REQ-ENC                         | CIPHER
Data encryption, response                    | 00 00 00 FF 00 00 00 00 00 00 00 FF 00 00 00 00 | No direction keyword            | DECIPHER
                                             |                                                  | RSP-ENC (term)                  | DECIPHER
                                             |                                                  | RSP-ENC (host)                  | ENCIPHER
Note: A default DES MAC key has a usage of generate and verify. The Key Token Build verb can be used to build a skeleton DES MAC key with a usage of generate only (MAC-GENONLY). Call the verb with the keywords INTERNAL, DES, DOUBLE or DOUBLE-O, and CV, and use this 16-byte value for the control_vector variable: X'0005480003410000 0005480003210000'.
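The following is an added example, not IBM's CCA code, that illustrates the key-separation step described by Table 1: it XORs each variant onto a double-length TDES key to obtain the purpose-specific key, and checks a skeleton token's CCA key type against the direction keyword the way the table requires. The transaction key is a constructed sample, the function names are this example's own, and the XOR application of the variant mask is an assumption drawn from how ANS X9.24 uses these masks; it does not reproduce the rest of the DUKPT derivation or any CCA-internal processing.

```python
from typing import Dict, Optional, Tuple

# Table 1 variants: 8-byte mask repeated for both halves of the double-length key.
VARIANTS: Dict[str, bytes] = {
    "PIN":      bytes.fromhex("00000000000000FF00000000000000FF"),
    "MAC_REQ":  bytes.fromhex("000000000000FF00000000000000FF00"),
    "MAC_RSP":  bytes.fromhex("00000000FF00000000000000FF000000"),
    "DATA_REQ": bytes.fromhex("0000000000FF00000000000000FF0000"),
    "DATA_RSP": bytes.fromhex("000000FF00000000000000FF00000000"),
}

# (DUKPT key usage, direction keyword) -> CCA key types accepted, from Table 1.
# None stands for "No direction keyword"; those rows can accept several skeleton types.
TABLE_1: Dict[Tuple[str, Optional[str]], Tuple[str, ...]] = {
    ("PIN", None):                 ("DATA", "IPINENC", "OPINENC"),
    ("MAC_REQ", None):             ("MAC", "MAC (GENONLY)"),
    ("MAC_REQ", "REQ-MAC"):        ("MAC",),
    ("MAC_RSP", None):             ("MACVER",),
    ("MAC_RSP", "RSP-MAC (term)"): ("MACVER",),
    ("MAC_RSP", "RSP-MAC (host)"): ("MAC (GENONLY)",),
    ("DATA_REQ", None):            ("CIPHER", "ENCIPHER"),
    ("DATA_REQ", "REQ-ENC"):       ("CIPHER",),
    ("DATA_RSP", None):            ("DECIPHER",),
    ("DATA_RSP", "RSP-ENC (term)"): ("DECIPHER",),
    ("DATA_RSP", "RSP-ENC (host)"): ("ENCIPHER",),
}

# Constructed sample; a real transaction key comes out of the DUKPT derivation.
SAMPLE_TRANSACTION_KEY = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")


def apply_variant(transaction_key: bytes, usage: str) -> bytes:
    """Return the purpose-specific key: transaction key XOR the Table 1 variant.

    Each variant flips exactly one byte in each 8-byte half, so the five
    purpose keys are distinct from each other and from the transaction key.
    DES parity bits are not adjusted here (DES ignores them); whether an
    implementation re-parities the result is outside what Table 1 states.
    """
    if len(transaction_key) != 16:
        raise ValueError("expected a 16-byte double-length TDES key")
    return bytes(k ^ v for k, v in zip(transaction_key, VARIANTS[usage]))


def derive_all(transaction_key: bytes) -> Dict[str, bytes]:
    """Derive one key per DUKPT purpose; returns {usage: key}."""
    return {usage: apply_variant(transaction_key, usage) for usage in VARIANTS}


def keys_are_separated(keys: Dict[str, bytes]) -> bool:
    """True when no two purpose keys collide, which is the point of the variants."""
    values = list(keys.values())
    return len(set(values)) == len(values)


def skeleton_usage_allowed(usage: str, direction: Optional[str], cca_key_type: str) -> bool:
    """Check a skeleton token's CCA key type against Table 1 for the given
    usage and direction keyword. For example, the host generates the response
    MAC, so RSP-MAC (host) requires MAC (GENONLY); a MACVER skeleton is rejected."""
    allowed = TABLE_1.get((usage, direction))
    if allowed is None:
        raise ValueError(f"keyword {direction!r} is not valid for usage {usage}")
    return cca_key_type in allowed


if __name__ == "__main__":
    derived = derive_all(SAMPLE_TRANSACTION_KEY)
    for usage, key in derived.items():
        print(f"{usage:9s} {key.hex().upper()}")
    print("separated:", keys_are_separated(derived))
    print("host RSP-MAC with MACVER skeleton allowed:",
          skeleton_usage_allowed("MAC_RSP", "RSP-MAC (host)", "MACVER"))
```

The check in skeleton_usage_allowed is the one a caller of Unique Key Derive should make before building the skeleton token: the direction keyword and the key usage in the skeleton must agree on which side (terminal or host) will hold the key, otherwise the derived key carries the wrong CCA usage for its role.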