DUKPT (3DES)

Derived Unique Key Per Transaction — derives all variant keys from a BDK or IPEK and KSN. Supports PIN block encryption/decryption, MAC calculation (X9.9/X9.19), and data encryption/decryption with Request/Response key variants. Includes Data Variant vs PIN Variant toggle for legacy compatibility.

Inputs

• Key Type: BDK (Base Derivation Key) or IPEK (Initial PIN Encryption Key). Use IPEK if you already have the initial key from a terminal dump or HSM log.
• BDK / IPEK: The key in hexadecimal (16 bytes / 32 hex chars).
• KSN: Key Serial Number (10 bytes / 20 hex chars). Contains the device ID and transaction counter.
• PIN Block: PIN block in hexadecimal (8 bytes / 16 hex chars). Used in the PIN tab for encryption/decryption with the derived PEK.
• Data: Hex or ASCII data for MAC calculation or data encryption/decryption.
• Key Usage: Request or Response — selects which derived key variant to use.
• MAC Algorithm: X9.19 (3DES MAC, default) or X9.9 (single DES MAC).
• Use Data Variant: When checked, uses the Data Variant key mask. When unchecked, uses the PIN Encryption Variant for data operations.
• Mode: ECB or CBC — block cipher mode for the Data tab.
• IV: Initialization Vector (8 bytes / 16 hex chars) — required for CBC mode.

Tips

• DUKPT ensures that compromising one transaction key does not compromise others.
• Use BDK when you have the base key. Use IPEK when you have the terminal's initial key directly.
• After deriving keys in the first tab, the IPEK auto-fills when switching to operation tabs.
• PIN tab: encrypts/decrypts a PIN block using the derived PEK with 3DES ECB.
• MAC tab: supports both X9.19 (3DES) and X9.9 (DES) algorithms with Request or Response key.
• Data tab: supports Request/Response key variants, ECB/CBC modes, and HEX/ASCII input.
• Use Data Variant toggles between the Data key mask and PIN key mask for backward compatibility.

Standards: ANSI X9.24-1:2009

Open the DUKPT (3DES) tool — free, runs entirely in your browser.

Related Key Management tools