Can DUKPT BDK be 192 bits?



  • All examples seem to be with 128 bits. Can it be 192 bits?



  • Maybe sort of.

    The DUKPT algorithm is defined to use "two-key triple-DES", or formally TDEA Keying Option 2 from SP800-57 or originally FIPS46-3. Every key in this algorithm (BDK, device initialization key(s), future keys, and working key(s)) is a "double-length key" consisting of two classic-DES (DEA) keys, each 56 real key bits plus 8 bits reserved for parity and today often ignored, stored and transmitted and used as 64 bits, totalling 128 bits.

    Some implementations of triple-DES aka TDEA aka DESede (possibly including yours) require you always represent the key in full-length 192-bit or 24-octet form. Given a double-length key, you create a triple-length key by duplicating the first half, i.e. if the double-length key is (k1) (k2) then the triple-length key is (k1) (k2) (k1). The result occupies 192 bits but only contains 112 bits of "real cryptographic keyosity".
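
The expansion described in the answer above, as an added example that is not part of the original post: it builds the 24-octet form of a double-length key and reports how many real key bits a 16- or 24-octet TDEA key carries, so a 192-bit field holding a two-key value is not mistaken for three-key strength. The function names and sample keys are constructed for illustration.

```python
# Added example: key sizes for DUKPT's two-key triple-DES. Standard library only.

def strip_parity(key: bytes) -> bytes:
    """Clear the low (parity) bit of every octet so comparisons ignore parity."""
    return bytes(b & 0xFE for b in key)

def has_odd_parity(key: bytes) -> bool:
    """True if every octet has an odd number of 1 bits (the DES parity convention)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)

def expand_double_length(key: bytes) -> bytes:
    """(k1)(k2) -> (k1)(k2)(k1): the 24-octet form of a double-length key."""
    if len(key) != 16:
        raise ValueError("double-length key must be 16 octets")
    return key + key[:8]

def effective_key_bits(key: bytes) -> int:
    """Real key bits in a 16- or 24-octet TDEA (EDE) key: 56, 112 or 168."""
    if len(key) == 16:
        key = expand_double_length(key)
    if len(key) != 24:
        raise ValueError("TDEA key must be 16 or 24 octets")
    k1, k2, k3 = (strip_parity(key[i:i + 8]) for i in (0, 8, 16))
    if k1 == k2 or k2 == k3:
        return 56    # encrypt/decrypt with the same key cancels: single DES
    if k1 == k3:
        return 112   # two-key triple-DES stored in triple-length form
    return 168       # three independent DES keys

# Constructed sample values (not from the original post).
SAMPLE_BDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
SAMPLE_3KEY = bytes.fromhex("0123456789ABCDEFFEDCBA987654321089ABCDEF01234567")

if __name__ == "__main__":
    wide = expand_double_length(SAMPLE_BDK)
    print(len(wide) * 8, "bits stored,", effective_key_bits(wide), "effective")
    print("odd parity:", has_odd_parity(wide))
```

Running `effective_key_bits` over keys at import or load time flags both disguised two-key values and degenerate keys whose halves match.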



