1

I'm new to DUKPT, so I'm not entirely clear about DUKPT and HSM. Right now, I'm trying to decrypt data (PAN number) from terminal.

So far, when I receive KSN and encrypted data, I understand that I need to find encryption key. From my HSM I can get IPEK based on (KSN, BDK). But here is the confusion, based on articles I read, and terminal vendor's doc, encryption key will be one of the Future Keys.

  1. How would I know which Future Keys terminal uses as encryption key?
  2. How can HSM create Future Keys from IPEK?

Once I get correct Future Keys then I can derive data key variant and do decrypting in my HSM. I'm just stuck with these two questions.

Any explanation would be really helpful.

Thurairaj Letchumanan
  • 11
  • 1
  • A 'host-side' HSM should be able to derive the transaction key for any KSN directly (not just the IDK for the IKSN i.e. counter 0). But if you really need to do 'future keys' yourself see (my) https://crypto.stackexchange.com/questions/53371/questions-about-future-and-session-key-generation-in-dukpt-process – dave_thompson_085 May 07 '21 at 02:20
  • Actually I just need to find transaction key directly. We have Luna HSM, I'm actually struggling to find a command for getting transaction key directly from KSN. Because the HSM only provide command to get direct Session keys if AES DUKPT (AES BDK), doesn't support direct session key for 3DES DUKPT. – Thurairaj Letchumanan May 07 '21 at 04:52

1 Answers1

0

I don't need to get Future Keys. I already have BDK and KSN, I need to make it to Format20 when calling encrypt/decrypt command. The function will automatically derive the appropriate key from BDK for encrypt and decrypt operations.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Thurairaj Letchumanan
  • 11
  • 1
  • 1
    Correct me if I'm wrong, but this looks more like a comment than an answer to your two questions. – Sir Muffington May 16 '22 at 18:38
  • Please use the edit link on your question to add additional information. The Post Answer button should be used only for complete answers to the question. - [From Review](/review/late-answers/178028) – mentallurg May 16 '22 at 20:40
  • I'm not sure if this should be in comment or answer, because previously I was struggling to decrypt PAN data in DUKPT flow, I thought I need to get Future Keys. But in my particular HSM ( LunaEFT) I had to use format20 for keys and the HSM will calculated Future Keys automatically for encrypt/decrypt process. – Thurairaj Letchumanan May 19 '22 at 06:20