UIC Bezel5 Programmer’s Manual
Page.121/166
UDN PM098 Rev. 1.0
Copyright © 2013, Uniform Industrial Corp. All Rights Reserved
6.5. Double DUKPT
To support 2 million card reads, the Bezel5 reader uses the Double DUKPT (D-DUKPT) solution.
There are two DUKPT key slots available inside the reader. They can be combined in different modes
to fit the user application and reach the 2 million operations. This extends the life cycle of the
reader without the need to return it to the factory for key re-injection. The host application
chooses either Triple DES or AES as the crypto engine to protect the card data.
Key Management Mode

Mode: Auto rollover 1 (Factory Default)
Function Description:
Under this mode, the user only needs to load the initial key/key serial number (KSN) to slot 1.
The reader will duplicate the same key and KSN to slot 2. When the slot 1 key generation
reaches the maximum 1M iterations, the reader will roll over the key management to slot 2 to
continue the work.
Note: Loading the key to slot 2 is prohibited.
Note: The EC of the KSN will start over when the reader switches the key management to slot 2.

Mode: Auto rollover 2
Function Description:
Under this mode, the user needs to load the initial key/key serial number (KSN) to slot 1 and
slot 2 separately. The key management starts at slot 1. When the slot 1 key reaches the end,
the reader will roll over the key management to slot 2 if the key is available. If slot 2 has no key,
the reader enters the terminated state. Otherwise it continues to work at slot 2. The key and
KSN can be different in both slots.
Note: It is allowed to update the key in any slot, regardless of whether the slot is active or not.
The simple rule is that the reader always chooses the lower-numbered key slot for the key
management if it is available. For example, suppose the active key slot is 2 and slot 1 has reached
the end, and then the user updates slot 1. For the next card swipe, the reader will choose slot 1 for
the key management and leave slot 2 unchanged. Once the new key in slot 1 has run out, the
reader will go back to slot 2 (assuming no key update in slot 2) to continue the work.

Mode: Traditional mode
Function Description:
Reserved and not in use.

Table 6-2. Key Management Mode
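The slot-selection behaviour of the two auto rollover modes in Table 6-2 can be modelled as below. This is an added illustration, not UIC code or a reader API: the class and method names, the mode labels "auto1"/"auto2", the KSN strings and the exact limit of 1,000,000 are assumptions, and only the KSN label is tracked, not key material.

```python
from dataclasses import dataclass
from typing import Optional

MAX_ITER = 1_000_000  # "1M" in the manual; the exact count is an assumption

@dataclass
class Slot:
    ksn: Optional[str] = None  # None models the Empty state
    used: int = 0              # card reads consumed; stands in for the KSN's EC
    limit: int = MAX_ITER

    @property
    def state(self) -> str:
        if self.ksn is None:
            return "Empty"
        return "Terminated" if self.used >= self.limit else "Active"

class Reader:
    """Hypothetical model of the two-slot reader; not a UIC API."""

    def __init__(self, mode: str, limit: int = MAX_ITER):
        self.mode, self.limit = mode, limit  # mode: "auto1" or "auto2"
        self.slots = {1: Slot(limit=limit), 2: Slot(limit=limit)}

    def load_key(self, slot: int, ksn: str) -> None:
        if self.mode == "auto1":
            if slot == 2:
                raise PermissionError("Auto rollover 1: loading slot 2 is prohibited")
            # The reader copies the slot 1 key/KSN into slot 2; counter starts over.
            self.slots = {n: Slot(ksn, 0, self.limit) for n in (1, 2)}
        else:
            # Auto rollover 2: any slot may be updated, active or not.
            self.slots[slot] = Slot(ksn, 0, self.limit)

    def swipe(self):
        """Return (slot, ksn, counter) for this card read, or None if terminated."""
        for n in (1, 2):  # the lower-numbered slot always wins when it is Active
            s = self.slots[n]
            if s.state == "Active":
                s.used += 1
                return n, s.ksn, s.used
        return None

if __name__ == "__main__":
    r = Reader("auto2", limit=2)  # tiny constructed limit so the rollover is visible
    r.load_key(1, "KSN-A"); r.load_key(2, "KSN-B")
    print([r.swipe() for _ in range(5)])
```

In the "auto1" case the model's counter restarts at 1 under the same KSN label after the rollover, mirroring the second note for Auto rollover 1.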
D-DUKPT Rules:
1. There are two DUKPT key management slots in the reader.
2. Each key slot has 3 different states:
   Empty: No key is loaded.
   Active: Key is loaded and is able to do the key management.
   Terminated: Passed 1M key iterations. No more function is allowed unless the key is re-injected.
3. Regardless of which mode the reader is in, it will always examine the key slots starting at the lower
   number (i.e. slot 1 then slot 2). If slot 1 is active with the key available, the reader will use the
   key for the data encryption. If slot 1 is inactive (empty or terminated) but slot 2 is active, the