Why is Triple DES a better encryption scheme than DUKPT (Derived Unique Key Per Transaction)?
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
DUKPT does not really compete with Triple DES. The DES stands for Data Encryption Standard, a block cipher that was selected as an official Federal Information Processing Standard (FIPS) for the United States in 1976. Triple DES, sometimes shortened further as TDES, increases the difficulty of cracking the encryption by applying three rounds of action: an encryption, a decryption and an encryption, each with independent keys. TDES has become popular for encrypting financial transactions because it is potentially far more secure than DES, which has been shown to yield its secrets somewhat quickly to relatively cheap hardware.
Both DES and TDES use a symmetric key. In other words, the same key enciphers and deciphers the protected data. To keep the key secret, a secure key-management system is required. One financial area of particular concern is the point-of-sale or POS terminal. Worldwide, these devices probably handle billions of transactions a day. If the keys to even a small portion of that traffic could be discovered, all manner of theft and fraud could be perpetrated.
One way to prevent such cybercrime is to use a different key for each transaction, which is the function of DUKPT or Derived Unique Key Per Transaction. Devices that use DUKPT are initialized with a master key -- from which the unique keys are derived, one per transaction. Even if an attacker discovers the key to a particular transaction, none of the other transactions from the same device can be decrypted with that key. A potential attack point in this scheme is the master key stored in the encrypting device. Tools that use DUKPT, however, are typically built so that tampering with the device wipes this master key out.
These derived keys are used to encrypt transaction data with a symmetric cipher such as TDES. Because the programming of TDES is well-understood and the algorithm requires minimal processing power, it is a popular choice for POS systems. But on many systems, it is not the only powerful symmetric encryption algorithm available.
AES (Advanced Encryption Standard) is a good alternative. When making choices about encryption standards, it is important to remember that the algorithms are not usually the weak point. As was made clear by Ross Anderson in his landmark paper "Why Cryptosystems Fail," published by the Association for Computing Machinery (ACM) in 1993, "most security failures are due to implementation and management errors."
- Joel Dubin explains how to verify FIPS 140-2 compliance.
- See if the symmetric encryption algorithm for S/MIME messages can be changed.
Dig Deeper on Disk Encryption and File Encryption
Related Q&A from Michael Cobb
What is BGP hijacking or IP hijacking and how do cybercriminals pull off the attacks? Expert Michael Cobb explains how enterprises can mitigate these...continue reading
Is the Dell eDellRoot security threat a serious problem and, if so, can it be prevented with self-signed root certificate authorities? Expert Michael...continue reading
What does FIPS 140-2 Level 2 certification for devices cover? Expert Michael Cobb explains the FIPS 140-2 security standard and how vendors use it in...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.