Blog | G5 Cyber Security

DUKPT BDK Key Length

TL;DR

Yes, a DUKPT Base Derivation Key (BDK) can be 192 bits long. However, it’s not the standard and comes with considerations regarding key management and compatibility.

Understanding DUKPT & BDKs

DUKPT (Derived Unique Key Per Transaction) is a widely used method for generating per-transaction session keys in payment systems. It combines a Base Derivation Key (BDK) with a unique Key Serial Number (KSN) to derive these session keys.

The BDK is the master secret and needs strong protection. Its length directly impacts security; longer keys are harder to crack.

Standard DUKPT BDK Lengths

Traditionally, DUKPT implementations use 128-bit BDKs. This has been well-vetted and is supported by most payment processors and standards bodies (like PCI).

Can You Use a 192-bit BDK?

  1. Yes, technically possible: DUKPT algorithms support key lengths beyond 128 bits. A 192-bit BDK is perfectly valid from an algorithmic perspective.
  2. Increased Security: A 192-bit BDK offers a higher level of security compared to a 128-bit one, as the search space for potential keys is larger.

Considerations When Using a 192-bit BDK

  1. Compatibility: This is the biggest hurdle. Not all payment processing systems or HSMs (Hardware Security Modules) fully support 192-bit keys for DUKPT. You *must* verify compatibility with your entire chain of trust – from the point-of-sale terminal to the acquiring bank. Contact your processor and HSM vendor before implementing this.
  2. Key Management: Managing a larger key requires more robust security procedures. Ensure your HSM is configured correctly, access controls are strict, and key rotation policies are in place.
  3. Performance: While usually minimal, there might be slight performance differences when using longer keys due to increased computational overhead during session key derivation. Test thoroughly.
  4. PCI Compliance: PCI DSS doesn’t explicitly forbid 192-bit BDKs, but it requires you to demonstrate that your implementation is secure and meets the overall requirements for cryptographic key management. You’ll need strong documentation.

Implementation Steps (If Compatible)

  1. HSM Configuration: Configure your HSM to generate and store a 192-bit BDK. The specific commands will vary depending on the HSM model. Example (Thales Luna HSM):
    lunacm:> keygen -keytype AES -length 192 -label my_dukpt_bdk
  2. Key Injection: Securely inject the BDK into your payment processing system. This is a critical step; follow your HSM vendor’s best practices.
  3. DUKPT Key Derivation: Ensure your DUKPT key derivation software correctly handles 192-bit keys. You may need to update libraries or configurations.
  4. Testing: Rigorously test the entire process – from session key generation to transaction processing – with a variety of scenarios and key serial numbers.
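As an added example, not code from the G5 post or from any HSM vendor, the Go program below validates a BDK's length and derives a terminal's Initial Key with the counter-mode AES derivation used by AES DUKPT, which is the step that has to work correctly before a 192-bit BDK can be used at all. It also makes the performance point concrete: a 192-bit derived key needs two AES block operations where a 128-bit one needs one. The derivation-data field values (version byte, key usage 0x8001, algorithm indicators 0x0002 to 0x0004) are written from memory of the ANSI X9.24-3 layout and should be treated as assumptions rather than a conformance reference; the BDK and Initial Key ID bytes are constructed sample values and not real keys.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Field values for the 16-byte derivation-data block. These follow the AES
// DUKPT (ANSI X9.24-3) layout as the writer of this example recalls it and
// are assumptions for illustration, not a conformance reference.
const (
	derivationVersion    = 0x01
	usageInitialDUKPTKey = 0x8001
	algoAES128           = 0x0002
	algoAES192           = 0x0003
	algoAES256           = 0x0004
)

// ValidateBDK checks that a BDK has one of the three AES key lengths and
// returns the algorithm indicator and key length in bits for that size.
func ValidateBDK(bdk []byte) (algo uint16, bits uint16, err error) {
	switch len(bdk) {
	case 16:
		return algoAES128, 128, nil
	case 24:
		return algoAES192, 192, nil
	case 32:
		return algoAES256, 256, nil
	default:
		return 0, 0, fmt.Errorf("BDK is %d bytes; must be 16, 24 or 32 (AES-128/192/256)", len(bdk))
	}
}

// BlocksPerDerivation is the number of AES block operations needed to produce
// one derived key of the given byte length (ceil(len/16)). A 192-bit key needs
// two where a 128-bit key needs one, which is where the extra cost comes from.
func BlocksPerDerivation(keyLen int) int {
	return (keyLen + 15) / 16
}

// deriveKey produces a key of the same length as derivationKey by encrypting
// a structured 16-byte derivation-data block once per output block, with the
// key-block counter in byte 1 incremented each time, then truncating.
func deriveKey(derivationKey []byte, usage uint16, context [8]byte) ([]byte, error) {
	algo, bits, err := ValidateBDK(derivationKey)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(derivationKey)
	if err != nil {
		return nil, err
	}
	n := BlocksPerDerivation(len(derivationKey))
	out := make([]byte, 0, n*aes.BlockSize)
	for ctr := 1; ctr <= n; ctr++ {
		var data [aes.BlockSize]byte
		data[0] = derivationVersion
		data[1] = byte(ctr)
		binary.BigEndian.PutUint16(data[2:4], usage)
		binary.BigEndian.PutUint16(data[4:6], algo)
		binary.BigEndian.PutUint16(data[6:8], bits)
		copy(data[8:16], context[:])
		var enc [aes.BlockSize]byte
		block.Encrypt(enc[:], data[:])
		out = append(out, enc[:]...)
	}
	return out[:len(derivationKey)], nil
}

// DeriveInitialKey derives a terminal's Initial Key from the BDK and the
// 8-byte Initial Key ID (the leading part of the KSN).
func DeriveInitialKey(bdk []byte, initialKeyID [8]byte) ([]byte, error) {
	return deriveKey(bdk, usageInitialDUKPTKey, initialKeyID)
}

func main() {
	// Constructed sample values for illustration only; never a real BDK.
	bdk, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f1011121314151617") // 24 bytes = 192 bits
	var ikid [8]byte
	copy(ikid[:], []byte{0x12, 0x34, 0x56, 0x78, 0x90, 0x12, 0x34, 0x56})

	ik, err := DeriveInitialKey(bdk, ikid)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("BDK bits: %d, AES blocks per derivation: %d\n", len(bdk)*8, BlocksPerDerivation(len(bdk)))
	fmt.Printf("Initial key: %s\n", hex.EncodeToString(ik))

	// A 20-byte BDK is not a valid AES key length and is rejected up front.
	if _, _, err := ValidateBDK(make([]byte, 20)); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The length check is the compatibility gate step 3 is about: a DUKPT library that only expects 16-byte keys will either reject a 24-byte BDK or mishandle it, so validating the length once, when the key is loaded, is the cheapest place to catch a mismatch before any derivation runs.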

Alternatives

If compatibility is an issue, consider sticking with 128-bit BDKs and focusing on strengthening other aspects of your cyber security posture, such as:
