IPP MS AND DUKPT COMMUNICATIONS PACKETS
IPP7
M
X
800 SERIES PROGRAMMERS GUIDE 281
The terminal or master device uses Packet 02: Transfer Master Key to transfer the
master keys into the IPP for MS.
DUKPT Initial PIN Encryption Key Insertion
The terminal or master device uses DUKPT Packet 90: Load Initial Key Request
to load the initial PIN encryption key into the IPP for DUKPT.
Entering a PIN
Packets Z60, Z63, and Z69 are used to get and encrypt a PIN from the user. Z63
is similar to Z60, but allows more options for PIN entry, such as minimum and
maximum PIN length and echo character. Z69 is similar to Z60, but does DUKPT
MAC processing as well as PIN encryption using the same DUKPT key.
Restrict the Speed
of the PIN
Encryption
Operation
PIN encryption is limited to one per 30 seconds on average to deter an exhaustive
PIN search. The algorithm is best explained in terms of tokens in a bucket.
A PIN encryption request is only accepted if there is a token in a bucket. A token
is placed in the bucket every 30 seconds, with a maximum of 127 tokens allowed
in the bucket. (The number of tokens in the bucket is maintained across power
cycles.) Every time a PIN is entered, a token is removed from the bucket. If there
is no token in the bucket, the PIN entry request returns an error.
This allows an average of one PIN encryption per 30 seconds, but over a long
period of time. The intention is that under normal use PIN entry is not denied.
IPP7
This section discusses IPP7-specific features for Omni 33XX IPP. Omni 33XX
IPP7 is backward compatible with IPP6 and IPP5. Exceptions to this rule are
noted.
GISKE
GISKE (Global Interoperable Secure Key Exchange) is an industry standard key
block format for secure transfer of secret keys between two devices that share a
secret key. Both master and session keys can be in GISKE format. The GISKE
KLK (Key Loading Key) is used to encrypt and authenticate master keys. Master
keys can be remotely updated using this key. GISKE is designed for secure
transfer of double- and triple-length 3DES keys. For more details on GISKE refer
GISKE Key Block Spec, VPN 22986.
Key Management
Switching
The rules for key management switching (see Packet 17: Set IPP7 Key
Management Mode) are shown in
Table 26.
Key • NC = no change
• E = all keys erased
• 1K = valid 1DES keys (single-length keys) retained, other keys erased
• 2/3K = valid 3DES keys (double- and triple-length keys) retained, other keys
erased
To Next Page
Loading...
Need help?
General
