
TR-31 Key Block

TR-31 Key Block Type

A TR-31 (X9.143) key block consists of three parts:

The Key Block Header (KBH), which contains attribute information about the key and the key block and is not encrypted. It is always treated as ASCII.

  • The first section is 16 bytes with a fixed format defined below.

  • The second section is optional within the standard, but required for current products.

The Confidential Data, which is encrypted and always binary.

  • Two bytes indicating the key length (in bits, AES-128 is 128 bits, so length will be 0080).

  • The secret key and/or sensitive data.

  • Padding as required (random bytes 0x00 to 0xFF).

The MAC, which is of varying length as follows:

  • 64 bits if the TDEA key derivation method is used (typically not used for this device).

  • 128 bits if the AES key derivation method is used.

Key block layout (reconstructed from the original figure):

  | Header | Header (optional) | Key Length | Key | Key Padding | Block Padding | MAC |

  Encrypted: Key Length through Block Padding.
  MAC: computed over the header (both sections) through Block Padding; the result is carried in the final MAC field.

Symmetric keys are padded with Block Padding to the maximum length for the algorithm, 192 bits for TDEA or 256 bits for AES, to hide the true length of short keys.

The data to be encrypted and the MAC are always binary for calculation purposes. The encrypted data and the MAC are converted to ASCII hex as the last step.

Date and time strings specified within the TR-31 block are represented according to the rules described in ISO 8601 and TR-31. Year is 4 digits. Time uses the UTC 24 hour clock. Some functions like ‘toISOString()’ will produce a string of the format yyyy-mm-ddThh:mm:ss.fffZ, where fff is a decimal fraction of a second and Z is the UTC time zone. The device ignores ‘Z’ and ‘.fff’ if they are present. Seconds ‘:ss’ are optional. Date, hours, and minutes are required. For example, March 23, 2020 4:19PM is encoded as 2020-03-23T16:19 at minimum, but could also be 2020-03-23T16:19:00.000Z.

Table - TR-31 Block Fixed Header

| Offset | Name | Fixed Value | Variable |
| --- | --- | --- | --- |
| 0 | Key Block Version ID | ‘D’ | |
| 1..4 | Key Block Length | | Calculated (in decimal, e.g. 138 bytes shown as ‘0138’) |
| 5..6 | Usage | | Look up the desired Key Type in Table 55 below and select this value from the Usage column. |
| 7 | Algorithm | | Look up the desired Key Type in Table 55 below and select this value from the Algorithm column. |
| 8 | Mode of Use | | Look up the desired Key Type in Table 55 below and select this value from the Mode of Use column. |
| 9..10 | Key Version # | ‘00’ | Always ‘00’ |
| 11 | Exportability | ‘N’ | Always no export allowed |
| 12..13 | # option blocks | | Calculated |
| 14..15 | Reserved | ‘00’ | |

Table - TR-31 Key Type Table - Usage/Algorithm/Mode

| Key Type | Usage | Algorithm AES/TDEA | Mode of Use (Both, To, From) |
| --- | --- | --- | --- |
| Transport (KBPK) | ‘K1’ | ‘A’ / ‘T’ | ‘D’ |
| Initial DUKPT Key | ‘B1’ | ‘A’ / ‘T’ | ‘X’ |
| Fixed MAC (CMAC) | ‘M6’ | ‘A’ / ‘T’ | (‘C’, ‘G’, ‘V’) |
| Fixed Encrypt | ‘D0’ | ‘A’ / ‘T’ | (‘B’, ‘E’, ‘D’) |

Table - TR-31 Optional Blocks

| ID | Purpose |
| --- | --- |
| ‘IK’ | DUKPT KSID |
| ‘KS’ | Key Set Identifier (e.g. data used by host to find and/or derive this key). |
| ‘KC’ | Key Check Value (KCV) (Legacy or CMAC) |
| ‘PB’ | Padding Field |
| ‘TS’ | Current Time Stamp (optional); see description in previous section. |
| ‘KP’ | KCV of KBPK that created this Key Block (optional, preferred) |
| ‘21’ | MagTek Additional Key Info, from Table - MagTek Custom TR-31 Small Optional Block |

Table - MagTek Custom TR-31 Small Optional Block

| Offset | Name | Value | Variable |
| --- | --- | --- | --- |
| 0..1 | Block ID | '21' | MagTek Added Key Info Block |
| 2..3 | Block Length | var | ASCII Hex (Length 01-FF from offset 0) |
| 4..7 | Owner Tag | ‘MGTK’ | Avoid collision with others using Block ID ‘21’ |
| 8..9 | Data Tag | ‘10’ | Field ID |
| 10..11 | Data Len | ‘01’ | Field Length (ASCII Hex 00-FF) |
| 12 | Data | ‘T’, ‘P’, or ‘0’ | Field Data for Key Environment: T = Test, P = Production, 0 = Erase Key |
| 13… | Added elements | | More Fields (Tags, Lengths, and Data) |

Table - MagTek Custom Key Data Fields

| Field ID | Length | Purpose |
| --- | --- | --- |
| ‘10’ | ‘01’ | Key Environment: T = Test, P = Production, 0 = Erase Key |
| ‘11’ | ‘04’ | Key Slot ID. See Table 59 - Key Slot ID. |
| ‘12’ | ‘04’ | Key Slot ID of Transport Key |
| ‘20’ | -- | Reserved |
| ‘21’ | ‘04’ | DUKPT Data Type Restriction Bitmask. This is for Transport Keys and DUKPT keys. Default to 0. |
| ‘31’ | ‘07’ | Device Serial Number |
| ‘32’ | ‘10’ | Challenge Token (10h = 16 characters) |
| ‘33’ | ‘10’ .. ‘18’ | Expiration Date/Time. This is in UTC format; use the short form if possible. Reserved. |

Table - Key Slot IDs

| ID | Label | Description | Load Transport Key | TR31-F |
| --- | --- | --- | --- | --- |
| 10xx | | Transport Keys (KBPK) | | |
| 1000 | TMPTK | Temporary KBPK | Key agreement process from Command 0xF017 - Establish Ephemeral KBPK | N/A |
| 1001 | MTK | Master Transport Key | TMPTK | K1AD |
| 1002 | DEVTK | Device Master Transport Key | MTK | K1AD |
| 1003 | FINTK | Financial Master Transport Key | MTK | K1AD |
| 1021 | PRODTK | (MAGTEK INTERNAL ONLY) Production Transport Key | DEVTK | K1AD |
| 1022 | MFGTK | (MAGTEK INTERNAL ONLY) Manufacturing Transport Key | DEVTK | K1AD |
| 1081 | MKIFTK | MagTek KIF Financial Transport Keys | FINTK | K1AD |
| 1101 | FREQMK | Factory Request MAC Key | PRODTK | M6AV |
| 1102 | MREQMK | Manufacturer Device Request MAC Key | MFGTK | M6AV |
| 1111 | MFRQMK | Manufacturer Financial Request MAC (Configuration) Key | MKIFTK | M6AV |
| 0x2000 to 0x201F | DKPTM0 to DKPTM1F | DUKPT Initial Keys | MKIFTK | B1TX |

DUKPT Key Mapping

Terms and Definitions

DUKPT – Derived Unique Key Per Transaction

OID – Object Identifier

SRED- Secure Reading and Exchange of Data

There are 7 new OIDs defined for these 7 SRED Data IDs.

Each OID value contains a two-byte DUKPT slot ID and a one-byte transformation ID.

Table - SRED Data IDs and OIDs

| SRED Data ID | OID | OID Size |
| --- | --- | --- |
| 0: Not assigned | N/A | N/A |
| 1: PIN-TDES (supported on PED devices Only) | 0x010102040101 | 3 |
| 2: Account Data | 0x010102040102 | 3 |
| 3: MAC | 0x010102040103 | 3 |
| 4: Magneprint (supported on devices with MSR Only) | 0x010102040104 | 3 |
| 5: MagTek Token | 0x010102040105 | 3 |
| 6: User Data 1 | 0x010102040106 | 3 |
| 7: PIN-AES (supported on PED devices Only) | 0x010102040107 | 3 |

DUKPT Slot IDs

The existing TR31 Module supports 32 MagTek DUKPT Slot IDs, from 0x2000 to 0x201F. The Key Injection Software Tool shall inject DUKPT keys through these DUKPT Slot IDs.

Transformation IDs

This is the list of DUKPT transformations defined in both the Legacy and AES specifications.

Table - Transformation IDs for DUKPT Legacy and AES

| Transformation ID # | Usage Name | Type | Data for calculation |
| --- | --- | --- | --- |
| 0 | Reserved | | |
| 1 | PIN Encryption | Legacy | 00 00 00 00 00 00 00 FF |
| 2 | MAC Generate/Verify | Legacy | 00 00 00 00 00 00 FF 00 |
| 3 | MAC Verify | Legacy | 00 00 00 00 FF 00 00 00 |
| 4 | Data Enc/Decryption | Legacy | 00 00 00 00 00 FF 00 00 |
| 5 | Data Encryption | Legacy | 00 00 00 FF 00 00 00 00 |
| 6 | Reserved | | |
| 7 | PIN Encryption | AES | 0x1000 |
| 8 | MAC Generate | AES | 0x2000 |
| 9 | MAC Verify | AES | 0x2001 |
| A | MAC Generate/Verify | AES | 0x2002 |
| B | Data Encryption | AES | 0x3000 |
| C | Data Decryption | AES | 0x3001 |
| D | Data Enc/Decryption | AES | 0x3002 |

Restrictions of a DUKPT Slot ID

Table - The definition of Restriction bit map

| Bit # | 5 | 4 | 3 | 2 | 1 | 0 |
| --- | --- | --- | --- | --- | --- | --- |
| Data Type | User Data (RFU) | Token (RFU) | Magneprint | MAC | Account Data | PIN |

During TR31 Key Injection, each DUKPT Slot ID carries a parameter that indicates the purpose of a Key Set.

Example 1: The restriction value is 0x3F

This Key Set can be used for all purposes.

Example 2: The restriction value is 0x3E

This Key Set can be used for all purposes, except PIN Encryption.

Example 3: The restriction value is 0x01

This Key Set can be used for PIN Encryption only.

The Rules of Key Mapping

SRED Data ID map configuration values (Slot ID and Transformation ID) must be checked and rejected if they don’t meet the following conditions.

  1. The DUKPT Slot ID must be loaded. (Table 63)

  2. The loaded DUKPT Slot ID must allow this type of SRED Data ID. (Table 62)

  3. The transformation must be allowed by (Table 64).

The settings of DUKPT Slot IDs injected through TR31

Here is the list of parameters of 4 DUKPT Slot IDs based on the existing Key Injection Tool.

Table - Settings of Injected DUKPT Slot IDs

| DUKPT Slot ID | Key Type | Restrictions |
| --- | --- | --- |
| DKPTM0-2000 | TDES | 0x3E |
| DKPTM2-2002 | AES-128 | 0x3F |
| DKPTM3-2003 | AES-256 | 0x3F |
| DKPTM7-2007 | TDES | 0x3F |

The Allowed Key Mapping Table

Table - Allowed Key Mapping Table

| SRED Data ID | Data Type (Working Key Purpose) | Allowed Legacy DUKPT Transforms | Allowed AES DUKPT Transforms |
| --- | --- | --- | --- |
| 0 | Not assigned | - | - |
| 1 | PIN-TDES (supported on PED devices Only) | 01 | Not allowed |
| 2 | Account Data | 01, 04, 05 | 0B, 0D |
| 3 | Transaction MAC | 02 | 08, 0A |
| 4 | MagnePrint (supported on devices with MSR Only) | 01, 04, 05 | 0B, 0D |
| 5 | MagTek Token (RFU) | RFU | RFU |
| 6 | User Data #1 (RFU) | RFU | RFU |
| 7 | PIN-AES (supported on PED devices Only) | Not allowed | 07 |
| | RFU | - | - |

Note: If SRED Data IDs 2 and 4 are mapped to the same Key Set, then they must have the same Transformation ID. If the Transformation ID of the latest key mapping request is different, then the original OID setting of the other SRED Data ID will be forced to match the latest OID setting. For example, if SRED Data ID 2 has been mapped to 0x2007 0x04 and the user wants to map SRED Data ID 4 to 0x2007 0x05, then the OID setting of SRED Data ID 2 will be forced to 0x2007 0x05.

Examples of Key Mapping

The following OID Values indicate that:

  1. 200701: Map PIN-TDES to DKPTM7-2007 PIN Encryption Variant.

  2. 20020B: Map Account Data to DKPTM2-2002 Data Encryption Usage.

  3. 200702: Map MAC to DKPTM7-2007 MAC Generate/Verify Variant.

  4. 20030B: Map MagnePrint to DKPTM3-2003 Data Encryption Usage.

  5. 000004: MagTek Token is RFU, 0000 ID does not exist (this is default value).

  6. 000004: User Data is RFU, 0000 ID does not exist (this is default value).

  7. 200207: Map PIN-AES to DKPTM2-2002 PIN Encryption Usage.
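As an added example (not MagTek's code), this Python checks a requested SRED Data ID to OID mapping against the three key-mapping rules above and applies the forced-match behaviour for IDs 2 and 4 from the note. It uses the four injected slots and their restriction values from the settings table, the restriction bit assignments, and the allowed-mapping table; the dictionary encodings and function names are this example's own.

```python
# Added example, not MagTek's code: validate a SRED Data ID -> OID mapping
# (OID = 2-byte DUKPT slot ID followed by 1-byte transformation ID) against
# the three key-mapping rules, then apply it with the ID 2 / ID 4 forced-match
# behaviour from the note. The tables below are transcribed from this page.

# DUKPT slot -> (key type, restriction bitmap), from the injected-slot settings
LOADED_SLOTS = {0x2000: ("TDES", 0x3E), 0x2002: ("AES", 0x3F),
                0x2003: ("AES", 0x3F), 0x2007: ("TDES", 0x3F)}

# SRED Data ID -> restriction bit: 0 PIN, 1 Account Data, 2 MAC, 3 Magneprint,
# 4 Token, 5 User Data (PIN-TDES and PIN-AES both use the PIN bit)
DATA_TYPE_BIT = {1: 0, 7: 0, 2: 1, 3: 2, 4: 3, 5: 4, 6: 5}

# SRED Data ID -> (allowed legacy transforms, allowed AES transforms); RFU IDs omitted
ALLOWED = {1: ({0x01}, set()), 2: ({0x01, 0x04, 0x05}, {0x0B, 0x0D}),
           3: ({0x02}, {0x08, 0x0A}), 4: ({0x01, 0x04, 0x05}, {0x0B, 0x0D}),
           7: (set(), {0x07})}

def check_mapping(sred_id, oid):
    """Return (accepted, reason) for an OID value such as 0x200701."""
    slot, transform = oid >> 8, oid & 0xFF
    if sred_id not in ALLOWED:
        return False, "SRED Data ID is RFU or not assigned"
    if slot not in LOADED_SLOTS:                                  # rule 1
        return False, f"DUKPT slot {slot:04X} is not loaded"
    key_type, restriction = LOADED_SLOTS[slot]
    if not (restriction >> DATA_TYPE_BIT[sred_id]) & 1:           # rule 2
        return False, f"slot {slot:04X} does not allow this data type"
    legacy, aes = ALLOWED[sred_id]
    if transform not in (legacy if key_type == "TDES" else aes):  # rule 3
        return False, f"transform {transform:02X} not allowed for {key_type} key"
    return True, "accepted"

def apply_mapping(mappings, sred_id, oid):
    """Store an accepted mapping; when IDs 2 and 4 share a key set (slot),
    the other ID's transformation is forced to match the latest request."""
    ok, reason = check_mapping(sred_id, oid)
    if not ok:
        raise ValueError(reason)
    mappings[sred_id] = oid
    partner = {2: 4, 4: 2}.get(sred_id)
    if partner in mappings and mappings[partner] >> 8 == oid >> 8:
        mappings[partner] = oid
    return mappings
```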


Figure 4.20-1 - Configuration Usage Values
