User's Manual

PIN Pad 791 Programmer’s Manual (PCI POS-A) UDN PM0103-U Rev. 06
Appendix A – Key management 2015-04-20
Page 324
Uniform Industrial Corp. Proprietary and Confidential Total 342 pages
5. Second DUKPT Key Set of PP791:
PP791 provides a 2nd DUKPT key set for customer scalability. Message 90 is used to initialize the first key set, and message 94 to initialize the second key set. The user must issue message 96 to select the preferred key set before doing DUKPT transactions. The two key sets are independent of each other, and both accept double-length keys for TDES capability. If either key set reaches the 1 million transaction limit, PP791 locks down.
In real operation, an authorized user can load an 8-byte DES initial key into key set 1 and a 16-byte TDES initial key into key set 2 before the PIN pad is deployed. At first, the user can transact with key set 1. When the backbone system is ready, the user can use message 96 to select key set 2 and switch to TDES transactions immediately.
6. Triple DES (TDES) capability:
TDES means that the DES algorithm is applied three times to the data to be encrypted before it is sent over the line. PP791 can detect the key length when loading keys (message 02 for Master/Session key and message 90/94 for DUKPT) and when doing transactions (Master/Session key message 70, Z60, Z62). If a 32- or 48-character (16- or 24-byte) key is used, PP791 treats all transactions using this key as TDES enabled; otherwise PP791 uses DES operation.
The TDES algorithm needs a 16-byte key, which is separated into an L-key (leftmost 8 bytes) and an R-key (rightmost 8 bytes). PP791 defaults to EDE order for the TDES encrypting operation, as follows:
Clear Text -> DES encryption via L-key -> DES decryption via R-key -> DES encryption via L-key -> Ciphered Text
EDE order of TDES operation – 16 byte key. (Data decrypting process is the reverse of encrypting process.)
Clear Text -> DES encryption via L-key -> DES decryption via Middle-key -> DES encryption via R-key -> Ciphered Text
EDE order of TDES operation – 24 byte key. (Data decrypting process is the reverse of encrypting process.)
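The key-length rule and EDE key ordering of section 6, as an added Python example (not code from this manual or from PP791 firmware; all function names and sample keys are hypothetical). It goes beyond the text by also flagging keys whose parts are equal once the DES parity bits are ignored, in which case the EDE steps cancel and the key gives only single-DES strength.

```python
# Added example; names are hypothetical and sample keys are constructed.
SAMPLE_L = "0123456789ABCDEF"
SAMPLE_R = "FEDCBA9876543210"
SAMPLE_L_PARITY_TWIN = "0022446688AACCEE"  # SAMPLE_L with every parity bit cleared

def ede_schedule(key_hex):
    """Return (mode, [(operation, 8-byte key part), ...]) for a hex-encoded key."""
    if len(key_hex) not in (16, 32, 48):
        raise ValueError("key must be 16, 32 or 48 hex characters")
    key = bytes.fromhex(key_hex)            # raises ValueError on non-hex input
    if len(key) * 2 != len(key_hex):        # fromhex() silently skips whitespace
        raise ValueError("key must contain hex digits only")
    parts = [key[i:i + 8] for i in range(0, len(key), 8)]
    if len(parts) == 1:                     # 8-byte key: plain DES
        return "DES", [("encrypt", parts[0])]
    if len(parts) == 2:                     # 16-byte key: L, R, then L again
        left, right = parts
        return "TDES", [("encrypt", left), ("decrypt", right), ("encrypt", left)]
    left, middle, right = parts             # 24-byte key: L, Middle, R
    return "TDES", [("encrypt", left), ("decrypt", middle), ("encrypt", right)]

def strip_parity(part):
    """DES ignores the low bit of each key byte, so clear it before comparing."""
    return bytes(b & 0xFE for b in part)

def single_des_strength(key_hex):
    """True if the key is DES, or a TDES key whose EDE steps cancel to one DES."""
    mode, steps = ede_schedule(key_hex)
    if mode == "DES":
        return True
    k1, k2, k3 = (strip_parity(k) for _, k in steps)
    # E(k3, D(k2, E(k1, x))): k1 == k2 leaves E(k3, x); k2 == k3 leaves E(k1, x).
    return k1 == k2 or k2 == k3

if __name__ == "__main__":
    for label, key in [("8-byte", SAMPLE_L),
                       ("16-byte", SAMPLE_L + SAMPLE_R),
                       ("16-byte, R is parity twin of L", SAMPLE_L + SAMPLE_L_PARITY_TWIN),
                       ("24-byte", SAMPLE_L + SAMPLE_R + SAMPLE_L_PARITY_TWIN)]:
        mode, steps = ede_schedule(key)
        print(label, mode, [op for op, _ in steps],
              "single-DES strength" if single_des_strength(key) else "ok")
```

A key-loading tool can run such a check before sending message 02, 90 or 94, since a 32- or 48-character key that fails it is accepted as TDES but protects data no better than DES.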