Pin Translation - AWS Payment Cryptography

Pin Translation

AS2805 describes a session-specific key derivation mode in section 6.4. It serves a similar purpose to DUKPT, and either algorithm can be used, as DUKPT is covered in section 6.7. In this scheme, a session PIN key (known as a KPE) is derived from the Terminal PIN Key using the SystemTraceAuditNumber (STAN) and TransactionAmount as the derivation data.

Translate PIN is a common function that can translate to and from a variety of formats. In this example, we translate a PIN from a KPE to a PIN encryption key (PEK), such as when sending a PIN to a payment network.

$ cat > translate-pin-as2805.json <<'EOF'
{
    "EncryptedPinBlock": "B3B34B43BAB5F81A",
    "IncomingKeyIdentifier": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt",
    "IncomingTranslationAttributes": {
        "IsoFormat0": {
            "PrimaryAccountNumber": "9999179999900013"
        }
    },
    "IncomingAs2805Attributes": {
        "SystemTraceAuditNumber": "000348",
        "TransactionAmount": "000000000328"
    },
    "OutgoingKeyIdentifier": "",
    "OutgoingTranslationAttributes": {
        "IsoFormat0": {
            "PrimaryAccountNumber": "9999179999900013"
        }
    }
}
EOF
$ aws payment-cryptography-data translate-pin-data --cli-input-json file://translate-pin-as2805.json --region ap-southeast-2
{
    "WrappedKey": {
        "KeyCheckValue": "DC1081",
        "KeyCheckValueAlgorithm": "ANSI_X9_24",
        "KeyMaterial": "HDC10AEF038E695DDD72AF08DC1BB422D",
        "WrappedKeyMaterialFormat": "KEY_CRYPTOGRAM",
        "WrappingKeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/rhfm6tenpxapkmrv"
    }
}
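The IsoFormat0 attributes in the request above carry a PrimaryAccountNumber on both the incoming and outgoing side because an ISO 9564-1 format 0 PIN block is bound to the PAN. The following is an added example, not AWS code, that builds and checks the clear block the service handles inside its HSM; the function names and the PIN 1234 are constructed for illustration.

```python
# Added illustration of the clear ISO 9564-1 format 0 PIN block.
# In production this value exists only inside the HSM; the PIN is constructed.

def _pan_field(pan: str) -> bytes:
    """0000 followed by the 12 rightmost PAN digits, excluding the check digit."""
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
        raise ValueError("PAN must be 12-19 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:].rjust(12, "0"))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_iso0(pin: str, pan: str) -> str:
    """Return the clear format 0 block: PIN field XOR PAN field, as hex."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 digits")
    # Control nibble 0, PIN length nibble, PIN digits, then F fill to 16 nibbles.
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return _xor(bytes.fromhex(pin_field), _pan_field(pan)).hex().upper()


def decode_iso0(block_hex: str, pan: str) -> str:
    """Recover the PIN, rejecting blocks that do not fit the supplied PAN."""
    raw = bytes.fromhex(block_hex)
    if len(raw) != 8:
        raise ValueError("format 0 block must be 8 bytes")
    field = _xor(raw, _pan_field(pan)).hex().upper()
    length = int(field[1], 16)
    pin, fill = field[2:2 + length], field[2 + length:]
    # A wrong PAN disturbs the PIN digits and the F fill, so this check fails.
    if field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit() or set(fill) - {"F"}:
        raise ValueError("not a valid format 0 block for this PAN")
    return pin


if __name__ == "__main__":
    pan = "9999179999900013"              # PAN from the request above
    block = encode_iso0("1234", pan)      # constructed PIN
    print(block, decode_iso0(block, pan))
```

Only the PAN-derived digits differ between two cards with the same PIN, which is why a translation request with a mismatched PrimaryAccountNumber produces a block the receiving party cannot decode.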