I know this topic is old (almost 2 years!), but since it was never really answered I figured I would resurrect it since I have a similar question.
I am working on a DUKPT implementation using the Thales Simulator code, and I have a KSN that is 20 bytes (no padding). I have walked through the ANSI documentation on how the DUKPT implementation creates the derived keys, and have a pretty good understanding of what is involved and how Thales is working. Now, theoretically, it shouldn't matter if the KSN is 16 bytes + padding, or 20 bytes with no padding, as long as you change the KSN Descriptor to properly identify the transaction counter portion of the KSN (last 21 bits). So, if you have a KSN that is 95959876543210E00000, you would use a KSN Descriptor that adds up to 15 instead of 11 (i.e. use "906" instead of "605").
Is this correct?
I ask because I am attempting to do just this. I can work through examples in the ANSI documentation on DUKPT that use a 16-byte KSN, and all my results are as expected. As soon as I try to use "live" data with a real KSN that is 20 bytes, my data decryption does not work. I am trying to figure out if it is related to the KSN, or something else...
Thanks!
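
Added example, not part of the original post and not Thales Simulator code: a quick check of how a KSN string splits into its base part and the 21-bit transaction counter, useful for ruling the KSN in or out when decryption fails. It assumes the ANSI X9.24 convention of an 80-bit KSN (20 hex characters) with shorter values left-padded with `F`; the function names are hypothetical and the KSN descriptor itself is not modelled.

```python
import string

COUNTER_BITS = 21                      # rightmost 21 bits are the transaction counter
COUNTER_MASK = (1 << COUNTER_BITS) - 1
KSN_HEX_LEN = 20                       # 80 bits expressed as hex characters


def normalize_ksn(ksn_hex):
    """Return the KSN as 20 upper-case hex characters, left-padded with 'F'."""
    ksn_hex = ksn_hex.strip().upper()
    if not ksn_hex or any(c not in string.hexdigits for c in ksn_hex):
        raise ValueError("KSN must be a non-empty hex string")
    if len(ksn_hex) > KSN_HEX_LEN:
        raise ValueError("KSN is longer than 80 bits")
    return ksn_hex.rjust(KSN_HEX_LEN, "F")   # padding convention is an assumption


def split_ksn(ksn_hex):
    """Split a KSN into base KSN (counter zeroed) and transaction counter."""
    full = normalize_ksn(ksn_hex)
    value = int(full, 16)
    counter = value & COUNTER_MASK
    base = value & ~COUNTER_MASK
    # Counter bits that are set, most significant first: the derivation
    # walks these bits one at a time starting from the initial key.
    set_bits = [b for b in range(COUNTER_BITS - 1, -1, -1) if counter >> b & 1]
    return {
        "ksn": full,
        "base_ksn": f"{base:020X}",
        "counter": counter,
        "set_bits": set_bits,
        # DUKPT skips counter values with more than 10 one-bits.
        "valid_counter": len(set_bits) <= 10,
    }


if __name__ == "__main__":
    # KSN from the post, plus constructed variants for comparison.
    for sample in ("95959876543210E00000", "9876543210E00003", "FFFF9876543210EFF800"):
        print(sample, split_ksn(sample))
```

Because the counter occupies only 21 bits, the low bit of the `E` nibble in the sample KSN belongs to the base part, not the counter.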