How to Determine the Key
When the device and the host are using TDES DUKPT keys and the device is encrypting data, the host software must generate a key (the “derived key”) to use for decryption.
The lookup methods the host software uses depend on the overall solution architecture and are outside the scope of this document. Most solutions do this in one of two ways, both of which use the Initial Key Serial Number that arrives with the encrypted data:
Look up the value of the Base Derivation Key using the Initial KSN portion of the current KSN as an index value, then use TDES DUKPT algorithms to calculate the value of the Initial Key; or
Look up the value of the Initial Key directly, using the Initial KSN portion of the current KSN as an index value.
Determine which variant of the current key the device used to encrypt. The variants are defined in ANS X9.24-1:2009 Annex A. Which variant the host should use depends on the type of data the host is decrypting. The encrypted portions of EMV ARQC and EMV Batch Data both use the Data Encryption, Request or Both Ways variant.
Use the variant algorithm with the current key to calculate that variant, then decrypt the data according to the steps in "How to Decrypt Data".
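The chain described above (Base Derivation Key to Initial Key, Initial Key to current key, current key to the Data Encryption, Request or Both Ways variant), written out in Go as an added example that is not part of the original page or any vendor SDK. It assumes a 10-byte KSN with a 21-bit counter and uses the test BDK and KSN published with ANS X9.24-1 as constructed input; the names `Key`, `ede`, `step`, `InitialKey`, `CurrentKey` and `DataRequestKey` are hypothetical, and the key-store lookup by Initial KSN is replaced by passing the BDK in directly.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"fmt"
)

type Key struct{ L, R uint64 }       // double-length TDES key as two 64-bit halves
const c0 uint64 = 0xC0C0C0C000000000 // derivation mask, applied to each half

// ede runs DES-EDE on one block under K1|K2|K1; with k1 == k2 it reduces to single DES.
func ede(k1, k2, in uint64) uint64 {
	b := make([]byte, 32) // K1|K2|K1 followed by the data block
	for i, v := range []uint64{k1, k2, k1, in} {
		binary.BigEndian.PutUint64(b[8*i:], v)
	}
	c, _ := des.NewTripleDESCipher(b[:24])
	c.Encrypt(b[24:], b[24:])
	return binary.BigEndian.Uint64(b[24:])
}
func step(k Key, reg uint64) uint64 { return ede(k.L, k.L, reg^k.R) ^ k.R } // one half of a derivation step
// InitialKey encrypts the Initial KSN (counter bits cleared) under the BDK, then under the masked BDK.
func InitialKey(bdk Key, ksn []byte) Key {
	iksn := binary.BigEndian.Uint64(ksn[:8]) &^ 0x1F
	return Key{ede(bdk.L, bdk.R, iksn), ede(bdk.L^c0, bdk.R^c0, iksn)}
}
// CurrentKey applies one derivation step per set bit of the counter, most significant bit first.
func CurrentKey(k Key, ksn []byte) Key {
	full := binary.BigEndian.Uint64(ksn[2:10])
	reg := full &^ 0x1FFFFF
	for bit := uint64(0x100000); bit > 0; bit >>= 1 {
		if full&bit != 0 {
			reg |= bit
			k = Key{step(Key{k.L ^ c0, k.R ^ c0}, reg), step(k, reg)}
		}
	}
	return k
}
// DataRequestKey XORs the variant mask into the current key, then TDES-encrypts each half under the result.
func DataRequestKey(k Key) Key {
	v := Key{k.L ^ 0xFF0000, k.R ^ 0xFF0000}
	return Key{ede(v.L, v.R, v.L), ede(v.L, v.R, v.R)}
}

func main() { // constructed input: published test BDK and KSN, not production keys
	ksn := []byte{0xFF, 0xFF, 0x98, 0x76, 0x54, 0x32, 0x10, 0xE0, 0x00, 0x01}
	d := DataRequestKey(CurrentKey(InitialKey(Key{0x0123456789ABCDEF, 0xFEDCBA9876543210}, ksn), ksn))
	fmt.Printf("data key %016X%016X\n", d.L, d.R)
}
```

In a real host the BDK and every derived key stay inside an HSM; this code only makes the order of operations visible.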

