This section covers AES 256-bit DUKPT, and the AES ZMK and its components.

AES DUKPT Overview

AES DUKPT is the key management standard approved as an American National Standard in October 2017 by the Accredited Standards Committee X9 (ASC X9) and published as ANSI X9.24-3-2017. It uses the AES cipher to encrypt transaction data with greater security and processing speed than Triple-DES DUKPT.

AES DUKPT is a major improvement over the previously used algorithms because, among other benefits, it provides a much larger set of unique per-transaction keys. Its main advantage is AES itself: 256-bit AES keys are beyond the reach of all known methods of attack, including the known quantum algorithms.

While Triple-DES DUKPT supports just over one million transactions, AES DUKPT can support over 2.4 billion, so a terminal or payment processor can handle all the transactions of its expected lifespan under a single key.

AES PIN Block / ISO Format 4

Together with AES DUKPT, we use an AES PIN Block compliant with ISO Format 4 to protect the PIN in the transaction.

Cryptography protects a PIN for most of its life cycle. Per ISO 9564-1, "the adopted encipherment procedure shall ensure that the encipherment of a plaintext PIN value using a particular cryptographic key does not predictably produce the same enciphered value when the same PIN value is associated with different accounts." To facilitate such encipherment, the PIN is formatted into a PIN Block.

ISO Format 4 is an extended PIN Block format that supports AES. It combines the PIN (formatted into a 128-bit block) with the PAN (formatted into a 128-bit block) by padding each to a consistent length and then encrypting them. Please see the AES 128-bit PIN Block section below for more information.
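To make the two-field construction concrete, the following is an added Go example (not code from the original documentation or from any vendor) that builds the ISO 9564-1 Format 4 PIN and PAN fields and runs the two-pass AES encryption over them. The 8 random pad bytes are passed in by the caller so that runs are repeatable, and the function names, the hex output format and the sample key in the comments are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fields builds the two ISO 9564-1 Format 4 plaintext fields as 32-nibble upper-case hex.
// PIN field: control nibble 4, PIN length, PIN digits, 0xA fill to 16 nibbles, then
// 8 pad bytes (random in production; caller-supplied here so that runs are repeatable).
// PAN field: nibble (PAN length - 12), PAN left-padded with 0 to 12 digits, 0 fill to 32.
func Fields(pin, pan string, pad [8]byte) (pinField, panField string, err error) {
	if strings.Trim(pin, "0123456789") != "" || len(pin) < 4 || len(pin) > 12 {
		return "", "", fmt.Errorf("PIN must be 4 to 12 decimal digits")
	}
	if strings.Trim(pan, "0123456789") != "" || pan == "" || len(pan) > 19 {
		return "", "", fmt.Errorf("PAN must be 1 to 19 decimal digits")
	}
	if len(pan) < 12 {
		pan = strings.Repeat("0", 12-len(pan)) + pan
	}
	pinField = fmt.Sprintf("4%X%s%s%X", len(pin), pin, strings.Repeat("A", 14-len(pin)), pad[:])
	panField = fmt.Sprintf("%X%s%s", len(pan)-12, pan, strings.Repeat("0", 31-len(pan)))
	return pinField, panField, nil
}

// EncryptPINBlock applies the Format 4 two-pass construction and returns the encrypted
// PIN block as hex: A = AES_K(PIN field); B = A XOR PAN field; output = AES_K(B).
// The XOR with the PAN field binds the block to the account (the ISO 9564-1 requirement).
func EncryptPINBlock(key []byte, pin, pan string, pad [8]byte) (string, error) {
	c, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return "", err
	}
	pf, qf, err := Fields(pin, pan, pad)
	if err != nil {
		return "", err
	}
	p, _ := hex.DecodeString(pf) // both are valid 32-nibble hex by construction
	q, _ := hex.DecodeString(qf)
	c.Encrypt(p, p) // first pass over the PIN field
	for i := range p {
		p[i] ^= q[i] // mix in the PAN field
	}
	c.Encrypt(p, p) // second pass produces the final block
	return strings.ToUpper(hex.EncodeToString(p)), nil
}
```

Encrypting the same PIN with the same key and pad under two different PANs gives two different blocks, which is the ISO 9564-1 property quoted above; a PIN of fewer than 4 digits, a PAN with non-digits, or a key of the wrong length is rejected before any encryption runs.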