Implementing DUKPT Key Management [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.

---

Want to improve this question? Update the question so it focuses on one problem only by editing this post.

Closed 7 years ago.

Improve this question

I am currently looking to implement DUKPT (Derived Unique Key per Transaction) and am lost on how to successfully implement it. Does anyone know a step-by-step guide/existing implementation out there, or some more information on the actual implementation of the solution in a client-server application?

An introduction to DUKPT:

In cryptography, Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derived from a fixed key. Therefore, if a derived key is compromised, future and past transaction data are still protected since the next or prior keys cannot be determined easily. DUKPT is specified in ANSI X9.24 part 1.

DUKPT allows the processing of the encryption to be moved away from the devices that hold the shared secret. The encryption is done with a derived key, which is not re-used after the transaction. DUKPT is used to encrypt electronic commerce transactions. While it can be used to protect information between two companies or banks, it is typically used to encrypt PIN information acquired by Point-Of-Sale (POS) devices. DUKPT is not itself an encryption standard; rather it is a key management technique. The features of the DUKPT scheme are:

• Enable both originating and receiving parties to be in agreement as to the key being used for a given transaction,
• Each t开发者_StackOverflowransaction will have a distinct key from all other transactions, except by coincidence,
• If a present key is compromised, past and future keys (and thus the transactional data encrypted under them) remain uncompromised,
• Each device generates a different key sequence,
• Originators and receivers of encrypted messages do not have to perform an interactive key-agreement protocol beforehand.

---

I recently went through the same pains which resulted in this iOS DUKPT implementation.

https://github.com/mburshteyn1/DUKPT

---

This is an interesting protocol, it is also exotic. The Jpos project has working java code of DUKPT. I think the best place to start is with a already working implementation.

If you are implementing a real world system perhaps Kerberos would be better suited to your needs.

---

DUKPT is explained in ANSI X9.24 specs, including pretty straight forward pseudo code that you can implement in any language.