DUKPT spec version number?


melvin1...@yahoo.com

Apr 25, 2006, 1:36:31 PM
to jPOS Users

Does anyone know what version of X9.24 part 1 describes the single-DES
DUKPT scheme?
I have X9.24-2004 but it describes the triple-DES version.

thanks,
-m

Andy Orrock

Apr 25, 2006, 1:50:29 PM
to jpos-...@googlegroups.com
Melvin -

This doesn't answer your question directly, but please note you may be headed down a shaky path: the Racal (Thales) HSM, for example, only supports double-length BDKs (i.e., the Triple DES implementation). I suspect others may have similar limitations.

Andy Orrock

melvin1...@yahoo.com

Apr 25, 2006, 2:17:39 PM
to jPOS Users

The company who does our PINpad key injection claims that although they
use double length BDKs they use single DES DUKPT.

This combination doesn't make sense to me as I've never heard of using
double length keys with single DES.

I notice looking at the documentation for the Atalla Ax100 that they
seem to use a single DES DUKPT with single length BDKs.

I guess I need to go back to our injection company and ask them to
recheck their claims...

Andy Orrock

Apr 25, 2006, 2:26:24 PM
to jpos-...@googlegroups.com
Yeah, I would recommend you do that. Because in addition to your technical concerns, you have audit concerns. No PCI-compliant auditor in the world is going to sign off on a single DES implementation in light of Visa's dictates and roadmaps.

See here: http://www.itug.org/client_files/archives/summit/2003/MEA14U.pdf and elsewhere. [Go to Page 5 of that presentation.]

Andy Orrock

Mark Salter

Apr 25, 2006, 4:51:15 PM
to jpos-...@googlegroups.com
melvin1...@yahoo.com wrote:
>
> The company who does our PINpad key injection claims that although they
> use double length BDKs they use single DES DUKPT.

Could these double length keys simply be a single length key repeated?
This will result in a 'single DES' result although applying a triple DES
algorithm.

It does seem an odd statement to make even so.

--
Mark
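
The repeated-half case raised in the post above, as an added example that is not part of the original thread: it uses Go's standard `crypto/des` to show that two-key Triple DES (EDE keyed K1, K2, K1) with matching halves produces the same ciphertext as single DES under K1, and gives a check for such keys. The function names `HalvesMatch` and `CollapsesToSingleDES` are hypothetical, and the keys and test block are constructed samples, not real BDKs.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// HalvesMatch reports whether both halves of a 16-byte key are equal once
// the per-byte parity bit (bit 0, which DES ignores) is masked off.
func HalvesMatch(key []byte) bool {
	if len(key) != 16 {
		return false
	}
	for i := 0; i < 8; i++ {
		if key[i]&^1 != key[i+8]&^1 {
			return false
		}
	}
	return true
}

// CollapsesToSingleDES compares two-key TDES (K1,K2,K1) with single DES under K1.
func CollapsesToSingleDES(key, block []byte) (bool, error) {
	if len(key) != 16 {
		return false, fmt.Errorf("want 16-byte key, got %d bytes", len(key))
	}
	k24 := append(append([]byte{}, key...), key[:8]...)
	tdes, _ := des.NewTripleDESCipher(k24) // lengths checked above, cannot fail
	single, _ := des.NewCipher(key[:8])
	a, b := make([]byte, 8), make([]byte, 8)
	tdes.Encrypt(a, block)
	single.Encrypt(b, block)
	return bytes.Equal(a, b), nil
}

func main() {
	block := []byte("ABCDEFGH") // constructed 8-byte test block
	for _, h := range []string{ // constructed sample keys
		"0123456789ABCDEF0123456789ABCDEF", // same half repeated
		"0123456789ABCDEF0022446688AACCEE", // same half, parity bits differ
		"0123456789ABCDEFFEDCBA9876543210", // two distinct halves
	} {
		key, _ := hex.DecodeString(h)
		same, _ := CollapsesToSingleDES(key, block)
		fmt.Printf("%s halvesMatch=%v singleDES=%v\n", h, HalvesMatch(key), same)
	}
}
```

A byte-for-byte comparison of the halves would miss the second sample key, which differs from the first only in parity bits yet still yields single-DES strength.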

Alejandro Revilla

Apr 25, 2006, 9:08:57 PM
to jpos-...@googlegroups.com
> This will result in a 'single DES' result although applying a triple DES
> algorithm.
>
That's a very interesting observation.

A good way to waste some CPU cycles :) :) :)


melvin1...@yahoo.com

May 12, 2006, 7:24:11 PM
to jPOS Users

It turns out the version of the spec I was looking for was
X9.24-part1-1998.
This version describes how a double length BDK is used to derive
a single length initial terminal key. It also describes how to
derive the single length transaction keys used in the single DES
version of DUKPT.

It seems that this version of the spec is used by the majority of PIN
pads in service today.
(And it seems like the changeover to TDES will be a pain.)
