
Thursday, November 09, 2006



Hi Andy, I have a question regarding Danie's process above. Here's what I have:
KSN=FFFF1A1E120000100000 (padded with FF's)

In step 3, do I really use the *SAME* BDK to encrypt, decrypt and encrypt the most significant 8 bytes (FFFF1A1E12000010)? Wouldn't it produce the same result as just encrypting FFFF1A1E12000010 with the BDK once?

By the way, is Initial PIN Encryption Key (IPEK) equivalent to DUKPT Initial Key (DIK)?

Thanks a bunch!

A further clarification on the Triple DES version of the PIN Translation command (i.e., where you're going from DUKPT to Interchange Key encryption). This small point tripped me up, so I'm passing it along: The command exchange is G0/G1. The Thales manual uses a sans serif font, making it appear that the command exchange is 'G Oh, G Eye'. It's not. It's 'G Zero, G One'.

I tried to apply the TDES DUKPT procedure to verify the DUKPT test sample data provided in Annex A.4, X9.24-2002, but the result (initial PED key) is different. Can anyone help to validate the test sample data below? Thank you.

Here are the test sample data:
Derivation Key: 0123456789ABCDEFFEDCBA9876543210

Initially Loaded Key Serial Number (KSN): FFFF9876543210E00000

Initially Loaded PIN Entry Device Key: 6AC292FAA1315B4D 50731AE1601A2431

My Initially Loaded PIN Entry Device Key: 6AC292FAA1315B4D 858AB3A3D7D5933A

I tried the test data Andy posted and get the same results:
6AC292FAA1315B4D 858AB3A3D7D5933A
Has anyone found a resolution?
Are the procedures described above correct for deriving the right half of the IPEK?

Sorry, I am referring to the post by KC above, not Andy.

KC, the test data you have from Annex A.4 is incorrect. The example IPEK that I have from X9.24-2004 is 6AC292FAA1315B4D 858AB3A3D7D5933A, which is the results we have calculated.
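
The IPEK derivation the commenters are checking, written out as an added example (it is not part of the original post or of any comment). The function names are illustrative, and the `C0C0C0C000000000C0C0C0C000000000` mask used for the right half comes from the standard TDES DUKPT derivation rather than from this page. The encrypt-decrypt-encrypt step uses the two halves of the double-length BDK (left, right, left), which is why it is not the same as a single DES encryption.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ipekMask is XORed into the BDK before deriving the right half of the IPEK.
var ipekMask = []byte{0xC0, 0xC0, 0xC0, 0xC0, 0, 0, 0, 0, 0xC0, 0xC0, 0xC0, 0xC0, 0, 0, 0, 0}

// tdesBlock encrypts one 8-byte block under a double-length key (EDE with K1, K2, K1).
func tdesBlock(key16, block8 []byte) []byte {
	k := append(append([]byte{}, key16...), key16[:8]...)
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		panic(err) // unreachable: k is always 24 bytes
	}
	out := make([]byte, 8)
	c.Encrypt(out, block8)
	return out
}

// DeriveIPEK returns the 16-byte initial key (hex) for a double-length BDK and a 10-byte KSN.
func DeriveIPEK(bdkHex, ksnHex string) (string, error) {
	bdk, err := hex.DecodeString(bdkHex)
	if err != nil || len(bdk) != 16 {
		return "", errors.New("BDK must be 32 hex digits")
	}
	ksn, err := hex.DecodeString(ksnHex)
	if err != nil || len(ksn) != 10 {
		return "", errors.New("KSN must be 20 hex digits (left-pad with FF)")
	}
	ksn[7] &= 0xE0 // only ksn[:8] is used; this clears its share of the 21-bit counter
	masked := make([]byte, 16)
	for i := range bdk {
		masked[i] = bdk[i] ^ ipekMask[i]
	}
	ipek := append(tdesBlock(bdk, ksn[:8]), tdesBlock(masked, ksn[:8])...)
	return strings.ToUpper(hex.EncodeToString(ipek)), nil
}

func main() {
	// Test data quoted in the comments above (derivation key and initially loaded KSN).
	fmt.Println(DeriveIPEK("0123456789ABCDEFFEDCBA9876543210", "FFFF9876543210E00000"))
}
```

Run against the test data quoted above, this yields the right half `858AB3A3D7D5933A` that the commenters calculated.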

Andy, first of all, the information you have posted is very useful.
I am trying to understand DUKPT so I need more examples. According to the IPEK of the example, what are the next PIN Encryption Keys?
The Thales command CI implies the use of ANSI X9.8 for the PIN Block. Does it mean that the PIN Encryption Keys are DES keys? Could you post an example that shows the PIN Encryption Key and the encrypted PIN Block?

What is the KSN and the KSN descriptor, and how do we find it?
Is there any HSM command through which we can find it?
Kindly help me on this account.

How do we encrypt the format 01 PIN Block?
Thanks in advance :)

Hi Zaim,

Take a look at this post (both the main body of the post and the extensive commentary afterwards):


Hi everybody!

I have the TIK value... but if I want the next derived key (for example the transaction counter of the KSN is 1), what is the algorithm to get the next key??


I am assuming that the ANSI Test Key the manufacturer of my device talks about is this 0123456789ABCDEFFEDCBA9876543210 BDK that everyone seems to use in examples. Is this correct?
