# CXPI\_AES DUKPT\_ReferenceGuide\_Ver1.0
## Introduction
This purpose of this document is to provide details on AES DUKPT, the configuration settings of CXPI-AES DUKPT and CXPI commands with AES DUKPT.
AES DUKPT allows financial institutions to use the Advanced Encryption Standard (AES) algorithm in a secure and inter-operable way to provide confidentiality through encryption of PINs and cardholder data, transaction authentication and much more.
The AES DUKPT algorithm, which uses the U.S. government approved Advanced Encryption Standard, is intended to replace a nearly 40-year-old standard based on DES technology. AES DUKPT is a major improvement over the previously used algorithm because, among other benefits, it provides a much larger set of unique secret keys. The new algorithm can generate 2.5 billion unique keys versus about 1 million for the prior version. The keys generated by the DUKPT algorithm can be used for a variety of functions, such as encryption of card PINs, card and financial data or other keys, for derivation of other keys, for message authentication, etc.
### Intended audience
This document is a reference guide that provides encryption information to the integrators, sales engineers, other Verifone project teams, and accredited Verifone customers who wants to use this encryption with CXPI.
### System Requirements
* OS Version - 30950101 or greater
* VCL Version - 9.0.0.30S or greater
### Knowledge prerequisites
It is assumed that the user of this guide is familiar with these concepts:
* CAM-XPI application
* Application Programming Interface (API) to the Verifone programmable PIN Pads
* Different payment devices and Verifone terminals
* Magnetic Stripe, Contactless (MSD & EMV), and Contact EMV transactions
* Processing of credit, debit, and loyalty or gift card transactions
### Definition of Terms
The following terms and abbreviations are used throughout this document.
| Term | Description |
| --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| AES DUKPT | Advanced Encryption Standard DUKPT (Derived Unique Key Per Transaction). AES DUKPT allows financial institutions to use the AES algorithm in a secure and inter-operable way to provide confidentiality through encryption of PINs, cardholder data, transaction authentication and much more. |
| | |
| | |
### Reference Documents
Following are the list of related documents that can be referred for more details on any associated section:
* EPP Interface Functional Specification Guide
* Forms Processor Application Guide
* Engage WIC Specifications Guide
* Barcode Application Programmers Guide
## Overview
### AES DUKPT Features and Benefits
* Key Injection is a separate process not involving VCL. The VRK system will inject the AES DUKPT Initial key.
* A new vcl\_settings\_aesdukpt file will be used to trigger VCL to go into AES DUKPT mode.
* The vcl\_settings\_aesdukpt file does not contain wrapped keys, key components, or anything to do with keys.
* Track data that meets ISO-7813 specifications will be encrypted via AES as a cryptogram and put into eParms.
* All administrative commands such as Registart, Advance DDK, etc., all are not used in AES DUKPT mode and are not required.
* All command override transactions that were generated after bin table updates or VCL settings update changes are no longer generated. The current Bin Table ID and/or VCL Settings token is included in each eParms transaction.
* There are three (3) AES DUKPT operating modes:
* Backward Compatibility Mode
* Modified Mode for P2PE
* Future Use: Payment App compatibility mode
* Eparms is REQUIRED to operate in AES DUKPT mode. The track data is encrypted via AES using AES\_DUKPT keys and put in eParms as a Cryptogram. The visible track data provided to the POS is masked via random numbers using the same FPE logic as before (in DDK Mode). In AES DUKPT the digits that were encrypted under DDK Mode are now masked with random digits.
* The AES encryption scheme uses AES DUKPT keys, which are 128 bits (16 bytes) in length.
* The AES encryption scheme uses zero padding when the block size is not a multiple of 128 bits (16 bytes).
* The AES encryption scheme uses a Random IV.
{% hint style="info" %}
NOTE — Operating Mode: CXPI application will operate in Backward Compatibility Mode.
{% endhint %}
### AES DUKPT Config File
The vcl\_settings\_aesdukpt file is the AES DUKPT Config File, which is used to trigger the device into AES DUKPT and to immediately enable encryption. Refer to Initial Config File (vcl\_settings\_aesdukpt) for more details on VCL config file.
### AES DUKPT EParms
Eparms is REQUIRED to operate in AES DUKPT mode. The track data is encrypted via AES using AES\_DUKPT keys and put in eParms as a Cryptogram. In AES DUKPT the digits that were encrypted under DDK Mode are now masked with random digits. Refer to [EParms format, Cryptogram, and Encryption Error Codes](https://confluence.verifone.com:8443/display/P2PE/EParms+format%2C+Cryptogram%2C+and+Encryption+Error+Codes) for more details on AES DUKPT Eparms format.
## Configuration Settings
#### CXPI VSP Config Parameter
| Parameter | Description | DDK Mode | AES DUKPT Mode |
| ------------- | ----------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| TAVE | If the TAVE parameter is enabled, and VSP is supported, then Tag 5F24 is in clear. | Values: 0 - Tag 5F24 is encrypted.
1 - Tag 5F24 is in the clear.
2 - Tag 5F24 is encrypted and clear expiry is appended in E3 tag. NOTE: If Eparms is enabled, expiry date is not encrypted.
| In AES DUKPT mode, expiry date will always be in clear. 0 - Tag 5F24 is in clear.
1 - Tag 5F24 is in clear.
2 - Tag 5F24 is in clear and clear expiry is also appended in E3 tag.
|
| CLEAR\_EXPIRY | Appends the tag 0x9FA020 in F30 response, in which the card expiry value will be in clear | Values - 0 - Do not append the custom clear expiry tag
1 - Append custom clear expiry tag
| In AES DUKPT mode, expiry date will always be in clear. 0 - Do not append the custom clear expiry tag
1 - Append custom clear expiry tag
|
## CXPI Commands
#### E22 - Get VSP Version Information
This command is used to get the version information related to VSP. E22 returns the following information in response:
| Information | Description | DDK Mode | AES DUKPT |
| -------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
| VSP Key | Contain the key status for VSP. 1 if VSP in enabled | Values - 0 or 1 | Values - 0 or 1 |
| VSP Firmware Version | Contains the VSP firmware version string. | Firmware version | Firmware version |
| MDK Label | Contains the MDK label string | MDK Label provided in the Initial config file | MDK label will always be "*AES DUKPT MODE*" |
| Encryption State | Indicates if the VSP encryption is currently active | Values - On (Enabled) Off - (Disabled - Before DEVICE\_REG) | |
| VSP State | Contains VCL module state. | DDK mode possible states - 00 - Initial
01 - XOR KEY1
02 - XOR KEY2
03 - FILE\_UNLOCKED
04 - Normal Operations
05 - Secure SRED Mode
| In AES DUKPT mode there are 2 possible states - 00 - Initial
05 - Secure SRED Mode
|
| VSP Mode | Indicates whether VSP is configured for shared or unique DK mode. | Values - Shared and Unique | UNKNOWN |
**Additional Information**
Following are the additional information on E22 command for AES DUKPT, which will be sent in E22 and XGKS command if AESDUKPT\_INFO parameter is set.
| Parameter | Description | Values |
| -------------- | ------------------------------------------------------- | --------------------------------------------------------------- |
| AESDUKPT\_INFO | This parameter is used to append AES DUKPT information. | Flag. 0/1 — 0 – Do not append AES DUKPT information. 1 – Append |
| Information | Description | Values | Notes |
| -------------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| Encryption Algorithm | Encryption algorithm used | 1 = AES
3 = VAES3
4 = VAES4
| In AES DUKPT mode this value will always be 1. |
| Operation Mode | Current operation mode | 0 = DDK Mode
1 = AES DUKPT Backward Compatibility Mode
2 = AES DUKPT Modified Mode (RFU)
3 = AES DUKPT Payment Application Mode (RFU)
| CXPI will currently support only AES DUKPT in Backward Compatibility mode. |
| Initial Key ID | The Initial Key ID that was injected by the VRK payload | Sample Value - 1234567890123456 | |
| Config ID | The config ID from the vcl\_settings\_aesdukpt file | Sample Value - 00000000123 | |
| KSN | Key Serial Number for the injected AES DUKPT key | KSN | |
{% hint style="info" %}
NOTE — Above mentioned information is also applicable for XGKS command.
{% endhint %}
**Sample E22 Response**
{% code title="E22 Response" %}
```
```
{% endcode %}
**Sample XGKS Response**
{% code title="XGKS Response" %}
```
```
{% endcode %}
#### E00 - Get Encryption Mode
This command is used to inquire XPI for the current encryption mode. E00 returns the following information in E01 response.
| Information | Description | DDK Mode |
| --------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ |
| Encryption Mode | Current encryption mode. | VSP - VSP Encryption
PKI - PKI Encryption
DKT - (DUKPT - Reserved)
VSD - Verifone Secure Data
NOE - No Encryption
|
**Additional Information**
Following are the additional information on E00 command for AES DUKPT. Application will send AES DUKPT status in E00 command if AESDUKPT\_INFO parameter is set and VSP encryption is enabled.
| Information | Description | AES DUKPT |
| ---------------- | ------------------------ | ----------------------------------------- |
| Encryption Mode | Current encryption mode. | VSP - VSP Encryption |
| Separator | (\*) | FS Separator |
| AES DUKPT Status | 1N (\*) | Values - 0 - AES Disabled 1 - AES Enabled |
(\*) - Appended only if VSP encryption is enabled and AESDUKPT\_INFO is set to 1.
**Sample E00 Response**
{% code title="E01 Response" %}
```
```
{% endcode %}
#### E02 - Retrieve EParms Data
This command is used to request EParms data after controller receives the card data returned from the PIN pad. In AES DUKPT mode, CXPI application will also return the EParms data in E02 response.
**C30 - Enable Card Reading**
| Information | Description | DDK Mode | AES DUKPT Mode |
| ----------- | ----------------------------------------- | -------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| Tag 57 | Track-2 Equivalent Data | Track data encrypted using VAES format preserving encryption (FPE) algorithm. | Track data will be masked via random numbers using the same FPE logic. **NOTE:** Expiry date will be always in clear in AES DUKPT mode. |
| Tag 5A | PAN | Encrypted using VAES algorithm. | PAN data will be masked via random numbers. |
| Tag 5F24 | Expiry Date | Expiry date is encrypted when Eparms are **not** enabled. | Expiry date will always be in clear in AES DUKPT mode. |
| Tag 9F20 | Track 2 Discretionary Data | Discretionary data encrypted using VAES FPE algorithm | Discretionary data will be masked via random numbers using the same FPE logic. |
| Tag 9F1F | Track 1 Discretionary Data | Discretionary data encrypted using VAES FPE algorithm | Discretionary data encrypted using VAES FPE algorithm |
| Eparms | POS request EParms data using E02 command | Eparms data is required only if EParms support was enabled in the Initial config file. | Eparms is **REQUIRED** to operate in AES DUKPT mode. The track data is encrypted via AES using AES DUKPT keys and put in eParms as a Cryptogram. |
#### F30 - EMV Chip Command
| Information | Description | DDK Mode | AES DUKPT Mode |
| --------------------- | --------------------------------- | ----------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| Tag 57 | Track-2 Equivalent Data | Track data encrypted using VAES format preserving encryption (FPE) algorithm. | Track data will be masked via random numbers using the same FPE logic. **NOTE:** Expiry date will be always in clear in AES DUKPT mode. |
| Tag 5A | PAN | Encrypted using VAES algorithm. | PAN data will be masked via random numbers. |
| Tag 5F24 | Expiry Date | Expiry date is encrypted when Eparms are **not** enabled | Expiry date will always be in clear in AES DUKPT mode. |
| Tag 9F20 | Track 2 Discretionary Data | Discretionary data encrypted using VAES FPE algorithm | Discretionary data will be masked via random numbers using the same FPE logic. |
| Tag 9F1F | Track 1 Discretionary Data | Discretionary data encrypted using VAES FPE algorithm | Discretionary data encrypted using VAES FPE algorithm |
| Tag 9FA034 Tag 9FA035 | Eparms Data and Eparms Result Tag | CXPI application append the Eparms data and Eparms result tag if Eparms is enabled. | In AES DUKPT mode, application will **ALWAYS** append the Eparms data and result tag in F30 response. |
#### S20 - Obtain Card Data (Swipe or Tap)
| Information | Description | DDK Mode | AES DUKPT Mode |
| ----------- | -------------------- | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| Track-2 | MSR/MSD Track-2 Data | Track data encrypted using VAES format preserving encryption (FPE) algorithm. | Track data will be masked via random numbers using the same FPE logic. **NOTE:** Expiry date will be always in clear in AES DUKPT mode. |
| Track-1 | MSR/MSD Track-1 Data | Track data encrypted using VAES format preserving encryption (FPE) algorithm. | Track data will be masked via random numbers using the same FPE logic. **NOTE:** Expiry date will be always in clear in AES DUKPT mode. |
| Track-3 | MSR Track-3 Data | Not Encrypted | Not Encrypted |
#### S16 - Obtain Card Data (Manual Entry or Swipe)
| Information | Description | DDK Mode | AES DUKPT Mode |
| ----------- | ------------------------------ | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| Track-2 | MSR/MSD Track-2 Data | Track data encrypted using VAES format preserving encryption (FPE) algorithm. | Track data will be masked via random numbers using the same FPE logic. **NOTE:** Expiry date will be always in clear in AES DUKPT mode. |
| Track-1 | MSR/MSD Track-1 Data | Track data encrypted using VAES format preserving encryption (FPE) algorithm. | Track data will be masked via random numbers using the same FPE logic. **NOTE:** Expiry date will be always in clear in AES DUKPT mode. |
| PAN | Account number entered by user | Encrypted using VAES FPE encryption algorithm. | PAN data will be masked via random numbers. Encrypted data will be returned in EParms data. |
| Expiry Date | Expiry Date entered by user | Encrypted if EParms disabled. | Expiry Date will always be in clear in AES DUKPT mode. |
| CVV | CVV value entered by user | Not encrypted | AES DUKPT support both encrypted and clear CVV in manual entry request. |
#### E20 - Derived Key Support
| Option | Description | DDK Mode | AES DUKPT Mode |
| ------ | ----------- | ----------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| 00 | RegiStart | Enables encryption with the current DDK, and generates a registration message as the response. | In AES DUKPT mode this API is not required, encryption is enabled automatically in SRED mode. If this option is used in AES DUKPT backward compatibility mode, VCL will generate a pseudo command response that VSD will accept but will also ignore. This API has no effect on the VCL state in AES DUKPT mode. |
| 01 | RegiStop | Disables encryption if VCL is not in SRED mode. | Not Available in AES DUKPT mode. Application will send E2101 response if E2001 command is sent in AES DUKPT mode. |
| 02 | Advance DDK | Advances to the next pre-derived key. Works in either shared key or unique key per device modes | In AES DUKPT mode this option is not applicable. If this option is used in AES DUKPT backward compatibility mode, VCL will generate a pseudo command response that VSD will accept but will also ignore. |
| 03 | BIN Update | Used in DDK mode to update BIN table. | In AES DUKPT mode VCL will no longer generate any override messages because they are no longer needed. All configuration changes are included within the eParms data blob. In AES DUKPT there is no longer a requirement to send up command responses to VSD. So if E2003 command is sent in AES DUKPT mode, application will send E2101 response as MSG\_OVERRIDE\_MSG\_QUERY is not supported in AES DUKPT mode. |
#### E30 - BIN Range Check
| Command | Description | DDK Mode | AES DUKPT Mode |
| ------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------- |
| E30 | The E30 command is used to check the bin range that the card belongs to by comparing the 7th through the 9th bytes of the PAN data. | Application gets the clear PAN using SG\_CLEAR\_DATA\_REQUEST API and compares the 7th-9th byte. | In AES DUKPT mode, application will also get the clear PAN using the MSG\_CLEAR\_DATA\_REQUEST API. |
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.verifone.com/xpi/tbd-documentation/engage-miscellaneous/cxpi_aes-dukpt_referenceguide_ver1.0.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.