User's Manual

PIN Pad 791 Programmer’s Manual (PCI POS-A) UDN PM0103-U Rev. 06
Appendix A – Key management 2015-04-20
Page 322
Uniform Industrial Corp. Proprietary and Confidential Total 342 pages
Optional KBH (for DUKPT use only):
[2 bytes: Optional Block ID, fixed as “KS”][2 bytes: Optional Block Length, fixed as “18”][20 bytes: Optional Block Data, holding the key serial number (refer to ANSI X9.24 SMID)]
Encrypted KEY Block:
1. Derive Key1 by XORing each byte of the KLK with 0x45.
2. Generate the new key block: [2-byte number indicating the key length in bits][key][random padding].
3. Encrypt the new key block with Key1 in CBC mode, using the first 8 bytes of the KBH as the IV, to get the encrypted key block.
MAC:
1. Derive Key2 by XORing each byte of the KLK with 0x4D.
2. Concatenate the KBH, the Optional KBH (if any) and the encrypted key block to get new key block 2.
3. Encrypt new key block 2 with Key2 in CBC mode without IV and take the last 8 bytes.
4. Take the first 4 bytes of that result as the MAC value.
Example 1:
KLK: 0123456789ABCDEFFEDCBA9876543210
New MK (Key ID = 1, key usage = “K0”): 89E88CF7931444F334BD7547FC3F380C
Generate KBH:
KBH = A | 0072 | K0 | T | D | 00 | N | 0000
Generate Encrypted KEY Block:
1. Derive K1 for encryption: 44660022CCEE88AABB99FFDD33117755
K2 for MAC value: 4C6E082AC4E680A2B391F7D53B197F5D
2. Key length = 16 bytes (128 bits = 0x80), 6-byte random padding = 720DF563BB07,
new key block = 008089E88CF7931444F334BD7547FC3F380C720DF563BB07
3. IV = first 8 bytes of KBH (“A0072K0T”) = 41303037324B3054. Apply TDES-CBC to the new key block with K1 and this IV to get the encrypted key block = D078A2657E5B57972CD3D308E05E1FE519B316309AA6354A
MAC:
1. Concatenate KBH and encrypted key block = 41303037324B30544430304E30303030D078A2657E5B57972CD3D308E05E1FE519B316309AA6354A
2. Apply TDES-CBC to new key block 2 with K2 without IV and take the last 8 bytes of the result = 668071B5B73CC024
3. MAC value = 668071B5
4. The final TR31 block = A0072K0TD00N0000 - D078A2657E5B57972CD3D308E05E1FE519B316309AA6354A - 668071B5
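The non-cipher steps of Example 1 (variant derivation, clear block layout, IV and MAC input) together with a structural check of a received key block, as an added Python example that is not code from this manual. The header field names follow ANSI TR-31 and are assumptions here, the function names are hypothetical, and blocks carrying an Optional KBH are rejected rather than parsed; the TDES-CBC operations are left to the crypto library or HSM in use.

```python
# Added example. Field names follow ANSI TR-31 (assumed; the page shows values only).
FIELDS = [("version", 1), ("length", 4), ("key_usage", 2), ("algorithm", 1),
          ("mode_of_use", 1), ("key_version", 2), ("exportability", 1),
          ("num_opt_blocks", 2), ("reserved", 2)]

def derive_variants(klk):
    """Per-byte XOR variants of the KLK: K1 (0x45) encrypts, K2 (0x4D) MACs."""
    return bytes(b ^ 0x45 for b in klk), bytes(b ^ 0x4D for b in klk)

def build_clear_block(key, padding):
    """[2-byte key length in bits][key][random padding], in whole 8-byte blocks."""
    block = (len(key) * 8).to_bytes(2, "big") + key + padding
    if len(block) % 8:
        raise ValueError("clear block must be a multiple of 8 bytes for TDES-CBC")
    return block

def parse_key_block(text):
    """Validate the layout of a key block without Optional KBH and return its
    header fields plus the IV and MAC input that the steps feed to TDES-CBC."""
    if len(text) < 40 or not text[1:5].isdigit() or int(text[1:5]) != len(text):
        raise ValueError("length field does not match the block received")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name], pos = text[pos:pos + width], pos + width
    if out["num_opt_blocks"] != "00":
        raise ValueError("Optional KBH present: not handled by this example")
    header, body = text[:16].encode("ascii"), text[16:]
    enc, mac = bytes.fromhex(body[:-8]), bytes.fromhex(body[-8:])
    if len(enc) % 8:
        raise ValueError("encrypted part is not a whole number of 8-byte blocks")
    out.update(iv=header[:8], encrypted=enc, mac=mac, mac_input=header + enc)
    return out

# Values copied from Example 1 on this page.
KLK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
MK = bytes.fromhex("89E88CF7931444F334BD7547FC3F380C")
PAD = bytes.fromhex("720DF563BB07")
BLOCK = ("A0072K0TD00N0000"
         "D078A2657E5B57972CD3D308E05E1FE519B316309AA6354A"
         "668071B5")

if __name__ == "__main__":
    k1, k2 = derive_variants(KLK)
    print("K1:", k1.hex().upper(), "K2:", k2.hex().upper())
    print("clear block:", build_clear_block(MK, PAD).hex().upper())
    parsed = parse_key_block(BLOCK)
    print("IV:", parsed["iv"].hex().upper(), "MAC:", parsed["mac"].hex().upper())
    print("MAC input:", parsed["mac_input"].hex().upper())
```

A receiver would run the length and layout checks first, then recompute the MAC over `mac_input` with K2 and compare it before decrypting anything with K1.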
Send message 02 to load this new key in cipher-text: