Calculation of derived key

Oct 27, 2010 at 3:19 PM
Edited Oct 27, 2010 at 3:20 PM

In your method calculateDerivedKey of class Cryptography.DUKPT.DerivedKey you seem to assume that the size of the unpadded KSN is 16. What happens when the size is 20 (no padding at all)? How would you change the code to work correctly?

Oct 29, 2010 at 7:52 PM

Sorry for the delayed response kristaq. DUKPT code was contributed by webbr23 and I'm not intimately familiar with it. To what part of the code are you referring exactly?

Oct 11, 2012 at 6:44 PM

I know this topic is old (almost 2 years!), but since it was never really answered I figured I would resurrect it since I have a similar question.

I am working on a DUKPT implementation using the Thales Simulator code, and I have a KSN that is 20 bytes (no padding). I have walked through the ANSI documentation on how the DUKPT implementation creates the derived keys, and have a pretty good understanding of what is involved and how Thales is working. Now, theoretically, it shouldn't matter if the KSN is 16 bytes + padding, or 20 bytes with no padding, as long as you change the KSN Descriptor to properly identify the transaction counter portion of the KSN (last 21 bits). So, if you have a KSN that is 95959876543210E00000, you would use a KSN Descriptor that adds up to 15 instead of 11 (i.e. use "906" instead of "605").

Is this correct?  

I ask because I am attempting to do just this.  I can work through examples in the ANSI documentation on DUKPT that use a 16 byte KSN, and all my results are as expected.  As soon as I try to use "live" data with a real KSN that is 20 bytes, my data decryption does not work.  I am trying to figure out if it is related to the KSN, or something else...

Thanks!
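Added example, not part of the thread and not Thales Simulator code: a Python sketch of the KSN handling discussed above, assuming the ANSI X9.24-1 layout (80-bit KSN, short values left-padded with hex F, rightmost 21 bits are the transaction counter). The function names are hypothetical; the output lists the KSN register value fed into each key-generation step, which can be compared against a trace from a real implementation without needing a 3DES library.

```python
# Added example; layout assumed from ANSI X9.24-1, names are hypothetical.
COUNTER_BITS = 21
COUNTER_MASK = (1 << COUNTER_BITS) - 1
KSN_HEX_LEN = 20  # 80 bits

def normalize_ksn(ksn_hex):
    """Return the 10-byte KSN, left-padding a shorter value with hex F."""
    ksn_hex = ksn_hex.strip().upper()
    if not 0 < len(ksn_hex) <= KSN_HEX_LEN:
        raise ValueError("KSN must be 1..20 hex digits")
    if set(ksn_hex) - set("0123456789ABCDEF"):
        raise ValueError("KSN contains non-hex characters")
    return bytes.fromhex(ksn_hex.rjust(KSN_HEX_LEN, "F"))

def split_ksn(ksn):
    """Split into (initial KSN with counter bits zeroed, counter value)."""
    value = int.from_bytes(ksn, "big")
    counter = value & COUNTER_MASK
    initial = (value & ~COUNTER_MASK).to_bytes(len(ksn), "big")
    return initial, counter

def derivation_registers(ksn):
    """KSN register (rightmost 64 bits, hex) at each derivation step.

    Set counter bits are walked from most to least significant; each one is
    OR-ed into the register before that step's key generation.
    """
    initial, counter = split_ksn(ksn)
    if bin(counter).count("1") > 10:
        # DUKPT skips counter values with more than ten 1 bits.
        raise ValueError("counter has more than 10 one bits")
    reg = int.from_bytes(initial[-8:], "big")
    steps = []
    bit = 1 << (COUNTER_BITS - 1)
    while bit:
        if counter & bit:
            reg |= bit
            steps.append(reg.to_bytes(8, "big").hex().upper())
        bit >>= 1
    return steps

if __name__ == "__main__":
    # Constructed inputs: the thread's KSN, plus a 16-digit value and a
    # variant with counter = 3.
    for sample in ("95959876543210E00000", "9876543210E00000",
                   "FFFF9876543210E00003"):
        ksn = normalize_ksn(sample)
        initial, counter = split_ksn(ksn)
        print(sample, initial.hex().upper(), counter, derivation_registers(ksn))
```
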