In the context of encrypting confidential codes or data pertaining to a cardholder (a personal access number, an expiry date, etc.), the American National Standards Institute (ANSI) requires the use of an encryption-key management scheme compliant with the ANSI X9.24 standard. That document proposes three possible encryption methods, including the “Derive Unique Key Per Transaction” (DUKPT) method, which is universally recognized as the most advanced in terms of security.
This DUKPT technique for managing encryption keys is being implemented increasingly often and is naturally becoming the prevailing standard for encrypting data relating to a cardholder (such as a confidential code, a personal access number, an expiry date, etc.).
With DUKPT, a new key is derived in the terminal for every transaction to encrypt the sensitive data; that data is sent together with a counter that subsequently enables the server to recover the key used by the terminal (a secret is naturally assumed to be shared between the terminal and the server once the system has been initialized).
For further information on the DUKPT technique, reference may be made to the document ANSI X9.24.
This method has two advantages in terms of security. Firstly, the derived encryption keys are all different for each transaction, which greatly limits physical attacks on the transaction keys since each of them is used once and only once. Secondly, DUKPT is a “forward secure” method: if at any point in time part of the secret information held in the terminal, or its integrity, is compromised, the attacker is unable to recover the encryption keys used for previous transactions. This greatly limits the impact of a compromised terminal (for example a payment terminal).
The DUKPT technique nevertheless suffers from a few drawbacks that are slowing its adoption.
In practice, the DUKPT described in ANSI X9.24 enables the generation of slightly more than a million keys (and therefore the management of an equivalent number of transactions). Its security advantages come at a cost. First of all, a terminal implementing DUKPT must reserve twenty-one key registers in secure memory throughout the lifetime of the DUKPT; these registers are used to compute the derived keys. Secure memory is fairly limited in practice, and this limit quickly becomes a problem when several DUKPTs are to be used on the same terminal (which is often the case). In the context of the present disclosure, a register is a specific location in memory dedicated to a particular use.
Furthermore, at the server, once the counter has been received from the terminal, a certain number of computations are needed for the server to derive the key used by the terminal. DUKPT guarantees that the key is derived after at most ten iterations. These computations are relatively lengthy and represent a predominant part of the server's processing load. In other words, the DUKPT technique:
- requires a great deal of secure memory in the terminal;
- requires many computations at the decrypting server;
- is complex to implement and not modular.
Thus, to promote the solution proposed by DUKPT, there is a need for a key-derivation technique that resolves the drawbacks described above.
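The following is an added example, not part of this disclosure or of ANSI X9.24, that models the register and counter structure described above: a terminal that keeps twenty-one future-key registers and erases each transaction key after use, and a server that recovers the key from the transmitted counter in one derivation per set bit, hence at most ten. It is a simplified model: HMAC-SHA256 and a 4-byte counter encoding stand in for the block-cipher derivation of the standard, the base key and the names Terminal, server_key, derive and usable_transactions are assumptions of this example, and no key-check or PIN-block formatting is included.

```python
import hashlib
import hmac
import math

COUNTER_BITS = 21   # one future-key register per counter bit (the twenty-one registers of the text)
MAX_SET_BITS = 10   # a counter carries at most ten set bits, so the server needs at most ten derivations


def derive(parent_key: bytes, counter: int) -> bytes:
    """One-way child-key derivation. HMAC-SHA256 stands in for the
    block-cipher based derivation of ANSI X9.24 (assumption of this example)."""
    return hmac.new(parent_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()


def popcount(n: int) -> int:
    return bin(n).count("1")


def server_key(base_key: bytes, counter: int):
    """Server side: re-derive the transaction key from the shared base key and
    the counter received with the ciphertext. One derivation per set bit of
    the counter, from the most significant set bit downwards, so at most
    MAX_SET_BITS iterations. Returns (key, number_of_derivations)."""
    key, prefix, steps = base_key, 0, 0
    for bit in range(COUNTER_BITS - 1, -1, -1):
        if (counter >> bit) & 1:
            prefix |= 1 << bit
            key = derive(key, prefix)
            steps += 1
    return key, steps


class Terminal:
    """Terminal side: holds only the future-key registers. The base key is not
    retained after initialisation and each transaction key is erased once used,
    which is what gives the scheme its forward secrecy."""

    def __init__(self, base_key: bytes):
        self.counter = 0
        # register i holds the key of the counter value whose only set bit is bit i
        self.registers = [derive(base_key, 1 << i) for i in range(COUNTER_BITS)]

    def _next_counter(self) -> int:
        c = self.counter + 1
        # counter values with more than MAX_SET_BITS set bits are skipped by adding
        # the lowest set bit (clears it and carries); no value with a valid bit
        # count is ever skipped this way
        while popcount(c) > MAX_SET_BITS:
            c += c & -c
        if c >= 1 << COUNTER_BITS:
            raise RuntimeError("DUKPT exhausted: no counter values left")
        return c

    def transaction(self):
        """Return (counter, key) for the next transaction and update the registers."""
        c = self._next_counter()
        self.counter = c
        low = (c & -c).bit_length() - 1          # index of the lowest set bit of c
        key = self.registers[low]
        # children of this key are the counters c | (1 << j) for every bit position below low
        for j in range(low):
            self.registers[j] = derive(key, c | (1 << j))
        self.registers[low] = None               # erase the key just used
        return c, key

    def live_registers(self):
        return [k for k in self.registers if k is not None]


def usable_transactions() -> int:
    """Number of counter values with 1..MAX_SET_BITS set bits, i.e. the number of
    distinct transaction keys the scheme can produce (slightly more than a million)."""
    return sum(math.comb(COUNTER_BITS, k) for k in range(1, MAX_SET_BITS + 1))


if __name__ == "__main__":
    base = bytes(range(32))                      # constructed shared secret, for illustration only
    terminal = Terminal(base)
    for _ in range(5):
        counter, key = terminal.transaction()
        recovered, steps = server_key(base, counter)
        print(f"counter={counter:07b} steps={steps} match={recovered == key}")
    print("usable transactions:", usable_transactions())
```

The two costs named in the text are visible directly: the terminal must keep twenty-one register slots alive for its whole lifetime, and the server's work per transaction is the number of set bits in the counter, up to ten derivations each, with no way to shortcut the chain.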