BP-CCALC: Key exchange session preparation

Key exchange session preparation with BP-CCALC

This tutorial focuses on Cryptographic Calculator functionality handling key encryption steps to be taken to encrypt key under KEK (Key Exchange Key) for formal key exchange session between two entities which need to share a key symmetric encryption over DEA.

Generate KEK parts

Use BP-CCALC > Keys > Keys DEA > Key Generator and set it up to generate 3 x 128bit keys – enforcing the Odd parity. Output should read like below and each key custodian needs to receive one of the following keys & its key check value (KCV):

DEA Keys: Key generation finished
Key length:        128-bit (32H)
Key parity:        Right odd
Keys generated:    3
Key #1:            3B577FB3FD756DDFE62F6B52751580E0
KCV (Visa):        CAEBAA
Key #2:            D9CDE338A104A789859E76150B543251
KCV (Visa):        DF9B9A
Key #3:            1032D0581A31D64FADD08991945E0D3E
KCV (Visa):        83EBC1

Combine KEK parts together

Use the combine tab to put the generated keys together, what will produce your KEK/Host key and its final checksum. Final checksum of components combined should be provided to all custodians as well.

DEA Keys: Key combination operation finished
Key #1:            3B577FB3FD756DDFE62F6B52751580E0
Key #2:            D9CDE338A104A789859E76150B543251
Key #3:            1032D0581A31D64FADD08991945E0D3E
Combined key:      F2A84CD346401C19CE6194D6EA1FBF8F
KCV (Visa):        DDA8BA

Encrypt key under KEK

The working key (example uses another random value of 0823E9A4E53751C7156ED64F1C0EAB8C & KCV: 54759F) needs to be encrypted by the KEK key using Cipher > DES screen.

DES/3DES operation finished
Key:                 F2A84CD346401C19CE6194D6EA1FBF8F
Algorithm:           3DES ECB
Crypto operation:    Encryption
Data:                0823E9A4E53751C7156ED64F1C0EAB8C
Padding Method:      ISO9797-1 (Padding method 1)
Encrypted data:      0E3CA7FA8483EB8B39EAEAC2CE9F6D40
DES operations count:    6

Resulting cryptogram of 0E3CA7FA8483EB8B39EAEAC2CE9F6D40 is the working key encrypted under the KEK which was put together from 3 separate component. All these 4 parts (3 components + cryptogram) needs to be safely delivered to the receiving party to and used to retrieve the working key as part of key exchange session.


In this article, we went through the functionality of Cryptographic Calculator and covered the key encryption under KEK.

Cryptographic Calculator and other tools covered in EFTtools suite were designed to help and assist payment industry people in their day to day tasks and make their work the most effective. Our team would be grateful if you would suggest any improvements to our applications or report completely new functionality needed. Feedback from our users like this is exactly what drives the development of its and helps us to share our experience to wide public.