Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Key management


Published on

A presentation on symmetric key management which are accepted by PCI SSC

Published in: Software
  • Be the first to comment

Key management

  1. 1. Key management KodeGear ( 1
  2. 2. Contents • Introduction • Fixed Key • Master / Session Key • DUKPT • Closing 2
  3. 3. Introduction • Cryptography – Confidentiality: keep information secret – Authentication: legitimate author/user? – Integrity: Is the data compromised? – Non-repudiation: Protect denial 3
  4. 4. Introduction • Cryptography – Encryption/Decryption: make a cryptogram for the unauthorized not be able to figure out the data – Hash (Message Digest): digest a message into a fixed length hash value, no key is needed – MAC (Massage Authentication Code): make a fixed length MAC value, key is needed 4
  5. 5. Introduction • Symmetric Algorithm – Same key (Symmetric Key) is used for encryption and decryption – Example: DES, AES – Easier and faster than asymmetric algorithm – Must transfer key in secure manner 5
  6. 6. Introduction • Asymmetric Algorithm – Different keys (Asymmetric Key) are used – Key pairs (private/public keys) are mathematically linked – Example: RSA – Harder and slower than symmetric algorithm – No need to transfer decryption key 6
  7. 7. Fixed Key • Physically load a key (fixed) to the client • The client encrypt a data with the key • The host decrypt the data with the key • The key is replaced on either plan or key compromise • Same key is used over and over for encipherment 7
  8. 8. Fixed Key Host Client (device) Network Data encryption Data Data Data decryption 8
  9. 9. Master / Session Key • Share a master key between host and client beforehand • Host generates a session key before transaction • Host encrypts the session key with the master key and send to client • Client decrypts the encrypted session key with the master key shared beforehand 9
  10. 10. Master / Session Key • Must generate and share a new master key if the master key is compromised • Still popular because of effectiveness • Adoption of asymmetric for master key • Developed before asymmetric algorithm was developed 10
  11. 11. Master / Session Key PRIVATEPUBLIC Host Client (device) Generate asymmetric key pair and tra nsfer private key to client at factory Symmetric Key PRIVATE Encrypted Symmetric Key Encrypted Symmetric Key encryption decryption Symmetric Key Network 11
  12. 12. Master / Session Key Host Client (device) Data encryption and decryption with symmetric key Data encryption Data Network Data Data decryption 12
  13. 13. DUKPT • Derived Unique Key Per Transaction • Host has BDK (Base Derivation Key) and generates IPEK (Initial Pin Encryption Key) • IPEK is inserted into client • Client generates Future Key sets and remove IPEK 13
  14. 14. DUKPT • Future Key is used for data encryption • The used future key is replaced with a newly generated future key • Client transmits key set id, client id and transaction counter with encrypted data • Host calculates the encryption key with the transmitted data and decrypt 14
  15. 15. DUKPT IPEKBDK Host Client (device) IPEK generation Network generation 21 Future Keys Will be remove d after generati on of future key Used future key is replaced with a new one 15
  16. 16. DUKPT BDK Host Client (device) Network 21 Future Keys DataData encryption DataData decryption calculation 16
  17. 17. Closing • Key managements are not limited with these three ways – can be used mingled • The devices should be tamper proof • Reference: ANS X9.24-1 17