Encryption, Decryption, And Key Management; About Encryption And Decryption; How To Determine The Key - Magtek mDynamo Programmer's Manual

5 Encryption, Decryption, and Key Management

5.1 About Encryption and Decryption

Some data exchanged between the device and the host is encrypted. This includes parts of the ARQC
Messages (EMV Only) and Transaction Result Messages (EMV Only). To decrypt this data, the host
must first determine what key to use, then decrypt the data.

5.2 How to Determine the Key

When the device and the host are using TDES DUKPT key management [see Property 0x6B - Key
Management Scheme (Fixed Key Only)] and the device is encrypting data (see Security Levels), the
host software must do the following to generate a key (the "derived key") to use for decryption:
1) Determine the value of the Initial Key loaded into the device. The lookup methods the host
software uses depend on the overall solution architecture, and are outside the scope of this document.
However, most solutions do this in one of two ways, both of which use the Initial Key Serial Number
that arrives with the encrypted data (see Command 0x09 - Get Current TDES DUKPT KSN for
details about interpreting the KSN):
a) Look up the value of the Base Derivation Key using the Initial KSN portion of the current KSN
as an index value, then use TDES DUKPT algorithms to calculate the value of the Initial Key; or
b) Look up the value of the Initial Key directly, using the Initial KSN portion of the current KSN as
an index value.
2) Derive the current key. Apply TDES DUKPT algorithms to the Initial Key value and the encryption
counter portion of the KSN that arrives with the encrypted data.
3) Determine which variant of the current key the device used to encrypt. The variants are defined
in ANS X9.24-1:2009 Annex A, which programmers of host software must be familiar with. Which
variant the host should use depends on the type of data the host is decrypting or encrypting, and on
device settings:
a) EMV data is encrypted according to the setting in Property 0x67 - EMV Data Encryption
Variant (EMV Only).
4) Use the variant algorithm with the current key to calculate that variant.
5) Decrypt the data according to the steps in section 5.3 How to Decrypt Data.
(Fixed Key Only)
As an alternative to TDES DUKPT key management, the device can also be configured to allow the host
to manage keys by changing Property 0x6B - Key Management Scheme (Fixed Key Only) to use fixed
keys. In this case, the host must load fixed keys using Command 0x4E - Load Fixed Key (Fixed Key
Only) and keep track of which key is currently loaded. All operations that would ordinarily use DUKPT
then use fixed keys instead.
The device can be set to require proof that the host knows the current key before it allows the host to load
a new fixed key.
The device ships with the following defaults:
Initial Fixed Key: 0000000000000000 (16 zeroes)
Initial Fixed Key Key Serial Number (KSN): 0000000000 (10 zeroes)
Initial Fixed Key Key Check Value (KCV): 0x8CA64D
mDynamo| OEM Secure Card Reader Authenticator | Programmer's Manual (COMMANDS)
Page 30 of 167 (D998200151-200)