Written by Andrew McKenna, PCI QSA, PCIP at Foregenix
The encryption key infrastructure usually used in PCI P2PE solutions is based on the DUKPT (pronounced duck-putt) model. This key hierarchy was initially designed by Visa in 1987 and is documented in ANSI x9.24. DUKPT means Derived Unique Key Per Transaction and means that every transaction is protected using a different encryption key such that compromise of a single encryption key will not compromise the overall solution. In a P2PE solution, this works as follows:
Subscribe to our Blog
A BDK (Base Derivation Key) is created on the HSM (Hardware Security Module). The BDK is the top level key in the hierarchy. In a P2PE solution, all encryption will take place on the PED (PIN Entry Device) and all decryption will take place on the HSM. The BDK on the HSM must be able to identify which encryption key was used to encrypt the transaction data in order to derive the appropriate key for decryption.
Once the BDK has been created, it is possible to derive an IPEK (Initial PIN Encryption Key) from the BDK by using the inputs of the BDK reference ID and the terminal serial number. We can consider the IPEK to be the second level in the key hierarchy. We have the top level BDK and we have an IPEK per payment terminal. The IPEK is injected to the payment terminal and the future keys which will be used for encryption of transaction data are derived from the IPEK. Typically this derivation will permit circa one million future keys per device.
At this point we have three levels of keys, the BDK, of which there is one, the IPEK, of which there is one per terminal and the future keys, of which there are circa one million per terminal.
Note that while the BDK is created on the HSM, the BDK will often have been transported to Key Injection Facilities in order that the IPEK can be derived from the BDK for each device and the IPEK injected to derive the future keys on the terminal. This process can also be automated for remote key distribution though the mechanisms are the same.
The above describes the general key hierarchy so how does this work in a transaction?
A terminal receives a transaction and encrypts the data with an encryption key. This key has a KSN (Key Serial Number). The message is returned to the decryption environment containing the reference of the device serial number (the input for the BDK) and the KSN. This allows the BDK to generate the appropriate IPEK (using the terminal ID input) and the future keys from that IPEK and to identify the key corresponding to the KSN provided in the transaction message. Once that key has been used, the KSN counter increments such that that key was unique for that transaction and will not be used again.
Note that the key management in a P2PE solution will also feature a number of other keys. For example, there will likely be a separate DUKPT key infrastructure for PIN (note that each key must be for its own purpose so the PAN and PIN BDKs cannot be shared). Similarly, there will likely be a key for exporting keys between devices (for keys encrypting other keys, the encrypting key must be of equivalent strength to the key it is encrypting). Finally, if the above is taking place with asymmetric key distribution, there are requirements for the management of the PKI and the specific uses of that PKI.