I have one question regarding this document:
ANSI X9.24, Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques
In the chapter "Method: DUKPT (Derived Unique Key Per Transaction)", page 41, it says that the receiver should verify that the originator's transaction counter in the SMID has increased.
Other sources say that HSMs (the receiver) do not store any state apart from the base derivation keys: The base derivation keys can be looked up by the key set identifier (contained in the SMID). So the receiver (HSM) is able to decrypt without keeping any state of the originator. I understand that very well.
But when verifying the transaction counter I cannot imagine any other way than keeping track of the transaction counter per key serial number (KSN) of the originator (a table or map) - that is, some state is kept in the HSM, but no state should be kept.
Although the document contains pseudocode that explains the implementation of the methods described in the document, there is no hint as to how the transaction counter is verified.
How is this actually implemented, or what is the basic idea behind how this is achieved without keeping track of the state?
(This question was posted on Stack Overflow, not answered there, but recommended to be asked here.)
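The table-or-map check the question describes, as an added example that is not part of the original post or of ANSI X9.24. It assumes the 80-bit KSN layout of TDES DUKPT, with the transaction counter in the rightmost 21 bits; the `CounterTracker` class and the sample KSNs in the comments are constructed for illustration.

```python
# Added illustration: replay check on the DUKPT transaction counter,
# using a per-device table as described in the question.
COUNTER_BITS = 21                       # assumed: rightmost 21 bits of the KSN
COUNTER_MASK = (1 << COUNTER_BITS) - 1
KSN_BYTES = 10                          # assumed: 80-bit KSN


def split_ksn(ksn_hex: str) -> tuple[int, int]:
    """Split a KSN (20 hex digits) into (device_part, transaction_counter).

    device_part is everything left of the counter: key set identifier
    plus device identifier.
    """
    raw = bytes.fromhex(ksn_hex)
    if len(raw) != KSN_BYTES:
        raise ValueError("expected an 80-bit KSN (20 hex digits)")
    ksn = int.from_bytes(raw, "big")
    return ksn >> COUNTER_BITS, ksn & COUNTER_MASK


class CounterTracker:
    """Hypothetical receiver-side table: device part of KSN -> last counter."""

    def __init__(self) -> None:
        self._last: dict[int, int] = {}

    def accept(self, ksn_hex: str) -> bool:
        """Return True if the counter is higher than the last one recorded.

        Call this only after the message has been authenticated, so that
        an unauthenticated message cannot advance the stored counter.
        """
        device, counter = split_ksn(ksn_hex)
        last = self._last.get(device)
        if last is not None and counter <= last:
            return False                # repeated or older counter: reject
        self._last[device] = counter    # record only after the check passes
        return True


if __name__ == "__main__":
    tracker = CounterTracker()
    # Constructed sample KSNs: same device, counters 1, 3, then 2.
    for ksn in ("FFFF9876543210E00001", "FFFF9876543210E00003",
                "FFFF9876543210E00002"):
        print(ksn, "accepted" if tracker.accept(ksn) else "rejected")
```

The table holds one small integer per originator and no key material, which is the state the question refers to.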