Why is Triple DES a better encryption scheme than DUKPT (Derived Unique Key Per Transaction)?
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
DUKPT does not really compete with Triple DES. The DES stands for Data Encryption Standard, a block cipher that was selected as an official Federal Information Processing Standard (FIPS) for the United States in 1976. Triple DES, sometimes shortened further as TDES, increases the difficulty of cracking the encryption by applying three rounds of action: an encryption, a decryption and an encryption, each with independent keys. TDES has become popular for encrypting financial transactions because it is potentially far more secure than DES, which has been shown to yield its secrets somewhat quickly to relatively cheap hardware.
Both DES and TDES use a symmetric key. In other words, the same key enciphers and deciphers the protected data. To keep the key secret, a secure key-management system is required. One financial area of particular concern is the point-of-sale or POS terminal. Worldwide, these devices probably handle billions of transactions a day. If the keys to even a small portion of that traffic could be discovered, all manner of theft and fraud could be perpetrated.
One way to prevent such cybercrime is to use a different key for each transaction, which is the function of DUKPT or Derived Unique Key Per Transaction. Devices that use DUKPT are initialized with a master key -- from which the unique keys are derived, one per transaction. Even if an attacker discovers the key to a particular transaction, none of the other transactions from the same device can be decrypted with that key. A potential attack point in this scheme is the master key stored in the encrypting device. Tools that use DUKPT, however, are typically built so that tampering with the device wipes this master key out.
These derived keys are used to encrypt transaction data with a symmetric cipher such as TDES. Because the programming of TDES is well-understood and the algorithm requires minimal processing power, it is a popular choice for POS systems. But on many systems, it is not the only powerful symmetric encryption algorithm available.
AES (Advanced Encryption Standard) is a good alternative. When making choices about encryption standards, it is important to remember that the algorithms are not usually the weak point. As was made clear by Ross Anderson in his landmark paper "Why Cryptosystems Fail," published by the Association for Computing Machinery (ACM) in 1993, "most security failures are due to implementation and management errors."
- Joel Dubin explains how to verify FIPS 140-2 compliance.
- See if the symmetric encryption algorithm for S/MIME messages can be changed.
Dig Deeper on Disk and file encryption tools
Related Q&A from Michael Cobb
Attackers using crafted TIFF images can exploit flaws in the LibTIFF library to carry out remote code execution. Expert Michael Cobb explains how ...continue reading
Companies and government agencies handling criminal justice information need to comply with CJIS Security Policy. Expert Michael Cobb explains the ...continue reading
An Intel chip flaw lets attackers bypass ASLR protection on most operating systems. Expert Michael Cobb explains the vulnerability and how to prevent...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.