
Derived Unique Key Per Transaction (DUKPT)

DUKPT: Breaking Down the Process

OVERVIEW OF DUKPT

Derived Unique Key Per Transaction (DUKPT) is a type of encryption key management used for PIN encryption and safeguarding cardholder data. This document provides a high-level overview of the DUKPT process, outlining how derived keys are made and what they are used for.

For more detailed information, consult the American National Standards Institute’s ANS X9.24-1:2017 publication. DUKPT is one of many encryption techniques, but it plays a significant role in end-to-end enterprise data encryption solutions.

Customers who use a Point of Sale terminal to make purchases expect their information to be kept secure. With countless electronic payment transactions occurring daily, merchants need ways to ensure that sensitive data stays safe from malicious individuals.

They use key management technologies such as Derived Unique Key Per Transaction, or DUKPT.

What is DUKPT?

DUKPT is a key generation method defined by the American National Standards Institute in ANS X9.24, the standard that specifies the requirements for key management and the secure processing of cardholder data throughout payment transactions.

DUKPT safeguards data, such as Personal Identification Numbers (PIN) or cardholder Primary Account Numbers (PAN), by providing a unique encryption key for every transaction. No transaction key can be used to recover the original key from which it was derived. Furthermore, each transaction key is erased after use.

While several key management methods allow for unique keys per transaction, DUKPT saves organizations time and money while increasing security by significantly reducing the effort required for key management.

Instead of storing a unique key for every single device, organizations can compliantly store one base derivation key for hundreds of thousands of devices.

[Image: Efficient and Secure Key Management]

Key loading devices are used by merchants and POS manufacturers to inject DUKPT keys.

Performing key injection using a hardware security module (HSM) ensures that knowledge of the BDK is kept to an absolute minimum. The HSM’s physical and logical security keeps the key secure during both storage and transit.

Key injection must be done under dual control to enhance security, but can be performed locally in a physically secure environment or remotely utilizing a Public Key Infrastructure.

How DUKPT Works

The process of deriving keys is twofold; each device goes through initial configuration and then repeats the act of creating keys. The following process uses PIN encryption as an example, although DUKPT has many other uses.

[Image: DUKPT Process Overview]

Key Components of DUKPT

Creating a DUKPT transaction environment involves two main components: a Base Derivation Key (BDK) and a unique Key Serial Number (KSN).

The hardware security module responsible for injecting keys contains a counter that increments whenever a new device is added to the network. The counter value is encrypted under the BDK to produce the DUKPT initial key, which is then injected into the device.

This initial key is used later to create a pool of transaction keys, each with a modifier for different key usages. The counter is also used to form the device’s KSN.

All transactions using DUKPT will include the KSN.

Key Serial Numbers play an integral role in the DUKPT process by enabling the HSM to identify which initial key was used to encrypt the data.

[Image: DUKPT Transaction Environment]

As specified by ANS X9.24-1, DUKPT uses a 10-byte KSN, most often represented as a sequence of 20 hexadecimal characters in which a pair of hexadecimal characters represent each byte of the KSN.

The general format of the KSN is as follows:

  • Right-most 21 bits: Transaction counter for each successively derived key.
  • Following 43 bits: Unique data for each HSM using the same derivation key.
  • Left-most 16 bits: Data for initial key derivation.

Applications of DUKPT

When a PIN is entered into the POS terminal, it is formatted into a PIN block. This PIN block is then encrypted with Triple DES under the current transaction key, which is chosen from the pool of keys created from the initial key.

Along with information such as the KSN, the PIN block is sent to the host application, where the information is used to verify the identity of the originating device.

Once the PIN block is in the hands of the host application, it can be translated to a different key management scheme.

After the PIN block is sent to the host application, the transaction counter in the KSN is incremented by a user-defined amount, usually 1, and the updated KSN is then used with the current transaction key to create more future keys.

Once the future keys have been generated, the current transaction key is erased from the system, removing any information about a previous transaction from the device. Afterward, the device will be ready to pull a future key for the next transaction.
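The KSN layout given above (16 | 43 | 21 bits) and the counter advance described in this section, as an added Python example that is not code from the article or from Futurex; the sample KSN is a constructed value, and the rule of skipping counter values with more than 10 one-bits is the ANS X9.24-1 TDES DUKPT convention, which the article itself does not spell out:

```python
# Added example: split, normalize and advance a 10-byte DUKPT KSN
# using the bit layout described in the article:
#   left-most 16 bits  -> initial key derivation data
#   following 43 bits  -> unique per-device data under one BDK
#   right-most 21 bits -> transaction counter
COUNTER_BITS = 21
DEVICE_BITS = 43
COUNTER_MASK = (1 << COUNTER_BITS) - 1
# ANS X9.24-1 TDES DUKPT only derives keys for counter values with at most
# 10 one-bits (about one million keys per device); others are skipped.
MAX_SET_BITS = 10


def _ksn_int(ksn_hex: str) -> int:
    """Validate a 20-hex-character KSN and return it as an 80-bit integer."""
    if len(ksn_hex) != 20 or any(c not in "0123456789abcdefABCDEF" for c in ksn_hex):
        raise ValueError("KSN must be exactly 20 hexadecimal characters")
    return int(ksn_hex, 16)


def parse_ksn(ksn_hex: str) -> dict:
    """Split the KSN into the three fields the article describes."""
    ksn = _ksn_int(ksn_hex)
    return {
        "counter": ksn & COUNTER_MASK,
        "device_data": (ksn >> COUNTER_BITS) & ((1 << DEVICE_BITS) - 1),
        "initial_key_data": ksn >> (COUNTER_BITS + DEVICE_BITS),
    }


def base_ksn(ksn_hex: str) -> str:
    """KSN with the counter zeroed: what the host uses to identify the device's initial key."""
    return f"{_ksn_int(ksn_hex) & ~COUNTER_MASK:020X}"


def next_ksn(ksn_hex: str, step: int = 1) -> str:
    """Advance the transaction counter by `step`, skipping unusable counter values."""
    if step < 1:
        raise ValueError("step must be a positive integer")
    ksn = _ksn_int(ksn_hex)
    counter = (ksn & COUNTER_MASK) + step
    while counter <= COUNTER_MASK and bin(counter).count("1") > MAX_SET_BITS:
        counter += 1  # skip counters with more than 10 one-bits
    if counter > COUNTER_MASK:
        raise ValueError("transaction counter exhausted; device must be re-injected")
    return f"{(ksn & ~COUNTER_MASK) | counter:020X}"


if __name__ == "__main__":
    sample = "FFFF9876543210E00001"  # constructed sample KSN, counter = 1
    print(parse_ksn(sample), base_ksn(sample), next_ksn(sample))
```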

DUKPT forms a self-recycling system that promotes security, efficiency, and ease of implementation by using the current encryption key to form the key for the next transaction.

Sources:

  1. “ANS X9.24-1:2017.” American National Standards Institute.
  2. Key Management Server – Futurex KMES Operations Guide.
  3. PKI Solutions – Futurex Public Key Infrastructure Products & Solutions.

ARTICLE UPDATED: January 2025
