remote key load

Upload: hafedh-trimeche

Post on 03-Apr-2018

  • 7/28/2019 Remote Key Load

    1/8

    Spread security. Unlock efficiency

    Remote Key Loading

    A smarter way to do business

    The hacker community is growing increasingly sophisticated, which means the financial community needs to do the same. But the key to a smart automatic teller operation lies in more than high security. Today's business-minded financial institutions also demand efficiency. That's why they depend on Remote Key Loading (RKL) from Sagem Denmark.

    By replacing traditional dual-control split-knowledge (a manual approach to key installation and maintenance) with Sagem RKL (a secure, on-line solution), key management becomes more cost-effective. More secure. More efficient. More simple. In other words: more intelligent.

    Cut costs

    Sending two-person teams to each ATM and administering key material has traditionally been an expensive, time-consuming task. And as card-issuing companies are demanding larger, more complex key sizes, the complexity of manual key entry and key handling is continuing to increase, along with the cost. Sagem RKL allows banks to save on the generation, storage, distribution and manual handling of paper-based key information, as these procedures are either unnecessary with Sagem RKL or controlled by the host system.

    Increase security

    The human factor involved in manual key handling increases the security risk of key exposure or misuse. With Sagem RKL, human handling of key information is unnecessary. All information is safely transmitted online using secure cryptographic methods to protect and distribute keys. This enables secure installation and frequent periodic key updating, which increases overall system security.

    Streamline operations

    By definition, secure remote control is far more efficient than traditional dual split control. Eliminating the human factor also eliminates constraints regarding operational hours and distance, in addition to avoiding the risk of misuse of key information.

    Prevent headaches

    Because Sagem RKL is based on open international standards, it is easy to implement at the host end. No proprietary standards; only the freedom to take a smarter approach to key management.

    Sagem RKL is based upon sophisticated, standardised and professionally accepted methods of cryptography. A variety of built-in authentication measures ensures that both the host and the ATM operate under fully secure conditions.

    Two keys: maximum security

    The secure operation of Sagem RKL depends upon cryptography using 2048 bit RSA keys, generated internally in the Sagem encrypting PIN pad. Both the host and the ATM own a pair of keys: one secret key and one public key. The public key is used to encrypt data; the secret key to decrypt data. With RSA-based technology, the only party able to decrypt a given message is the owner of the related secret key.

    A safer form of technology

    State-of-the-art cryptographic protocol

    The key exchange protocol uses X.509 certificates to verify that the public keys belong to valid encrypting PIN pads (EPPs)/hosts. This prevents man-in-the-middle types of attacks. The certificates are issued by a central Certification Authority.

    In addition, the protocol uses dynamic messages, including nonces (nonce = number used only once) to protect against replay attacks. The nonces are digitally signed to provide mutual authentication. The protocol terminates with authentic confirmation of key reception.
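The nonce-bound key transport described above, as an added example that is not Sagem's code or part of the brochure: the host signs the ATM's nonce together with the encrypted Terminal Master Key, so a recorded message fails against any later nonce. The toy key pairs, function names and message layout are assumptions, and certificate validation is assumed to have already succeeded.

```python
import hashlib, secrets

# Constructed toy RSA keys from public Mersenne primes: NOT secure and unpadded,
# standing in for the 2048-bit RSA operations done inside the EPP and host HSM.
def toy_keypair(a, b, e=65537):
    p, q = 2**a - 1, 2**b - 1
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(n, *parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return int.from_bytes(h.digest(), "big") % n

def sign(priv, *parts):          # priv = (n, d)
    return pow(digest(priv[0], *parts), priv[1], priv[0])

def verify(pub, sig, *parts):    # pub = (n, e)
    return pow(sig, pub[1], pub[0]) == digest(pub[0], *parts)

def host_send_key(tmk, nonce, atm_enc_pub, host_sig_priv):
    # Encrypt the Terminal Master Key to the ATM, then sign nonce + ciphertext.
    ct = pow(int.from_bytes(tmk, "big"), atm_enc_pub[1], atm_enc_pub[0])
    return ct, sign(host_sig_priv, nonce, ct.to_bytes(256, "big"))

class Atm:
    def __init__(self, enc_priv, host_sig_pub):
        self.enc_priv, self.host_sig_pub = enc_priv, host_sig_pub
        self.pending_nonce = self.master_key = None
    def new_nonce(self):
        self.pending_nonce = secrets.token_bytes(16)
        return self.pending_nonce
    def load_key(self, ct, sig):
        nonce, self.pending_nonce = self.pending_nonce, None  # nonce is single use
        if nonce is None:
            return "rejected: no outstanding nonce"
        if not verify(self.host_sig_pub, sig, nonce, ct.to_bytes(256, "big")):
            return "rejected: signature does not cover this nonce"
        n, d = self.enc_priv
        self.master_key = pow(ct, d, n).to_bytes(16, "big")
        return "accepted"

def demo():
    (atm_pub, atm_priv), (host_pub, host_priv) = toy_keypair(521, 607), toy_keypair(127, 1279)
    atm, tmk = Atm(atm_priv, host_pub), secrets.token_bytes(16)
    ct, sig = host_send_key(tmk, atm.new_nonce(), atm_pub, host_priv)
    first = atm.load_key(ct, sig)
    atm.new_nonce()                      # a later session issues a fresh nonce
    return first, atm.master_key == tmk, atm.load_key(ct, sig)  # last call is the replay
```

A production implementation would use padded RSA encryption and signatures from a vetted library or HSM and would validate both certificate chains before this step.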

    SAGEM SECURITY

    Sagem Denmark's standard RKL solution includes the following features:

    - 2048 bit RSA keys (generated internally in the encrypting PIN pad)
    - One RSA key pair for key encryption/decryption
    - One RSA key pair for data verification/signing
    - Public keys contained in X.509 certificates
    - Certificate-based protocol according to international ISO 11770-3 standard
    - EPP firmware programming interface compatible with XFS 3.03 API
    - Loading of externally generated X.509 certificates (if customer desires)

    OPTION

    - Establishment of secure communication channel to external Certification Authority and loading of externally generated X.509 certificates

    A typical interaction for the exchange of the initial symmetric master key takes less than 60 seconds.

    Key exchange (flow diagram between Host and ATM; box labels as printed)

    Host

    - Host validates signature using public CA key of ATM certificates
    - Host sends certificate with own public key
    - Host requests a nonce from ATM
    - Host generates and encrypts Terminal Master key using ATM public key and generates signature and encryption result using own secret key

    ATM

    - ATM sends certificates with own public key
    - ATM validates signature using public CA key of host certificate
    - ATM generates a nonce and starts key exchange
    - ATM validates signature and nonce using public key and obtains key by decrypting with secret key
    - ATM sends receipt that information is correct

    A better way to serve customers

    With Sagem, security is more than the technical measures that ensure safe transactions. Sagem security also means people: more than 150 highly committed, highly skilled professionals who are dedicated to making your experience with Sagem Denmark check out successfully on all counts. We've been providing high-security payment solutions worldwide since the 1980s. And with the 58,000-strong SAFRAN Group behind us, we'll be delivering security tomorrow as well.

    Sagem Denmark is a major supplier of encrypting PIN pads worldwide and has several years of experience supplying EPPs and RKL solutions on an OEM basis. We're here to support you too, so that not only you, but also your customers benefit from better service.

    Open standards = flexible solutions

    We don't think banks should be locked into using one particular ATM supplier. So unlike our competitors, Sagem supports open rather than proprietary standards to give financial institutions as much freedom of choice as possible.

    We also support a flexible approach to implementing RKL. Banks do not need to switch to the technology all at once; a gradual approach is an option for financial institutions that want to implement Sagem RKL now and start using it later. By purchasing an encrypting PIN pad from Sagem Denmark, it is possible to operate ATMs in a traditional mode until the host software vendor is ready to support the new key loading system.

    Prepared customers = satisfied customers

    When planning for the implementation of an RKL system, one of the major factors to consider is the support of RKL in the host system. Often the host relies on a dedicated, standalone Host Secure Module (HSM) provided by a third-party vendor. This means that the HSM module chosen or currently in use has to be able to support RSA-based RKL operations.

    How to proceed

    Please contact Sagem Denmark for a detailed checklist and guidelines for RKL implementation in your system.

    Sagem Denmark is happy to support the ATM supplier as well as the HSM supplier during the implementation phase.

    We live and breathe payment security

    Sagem Denmark has more than 20 years' experience in providing high-security payment solutions worldwide. Headquartered in Copenhagen, Denmark, we also have offices in Finland, Norway and Sweden. In addition to providing encrypting PIN pads to the ATM market, our expertise encompasses unattended payment solutions and point-of-sales terminals for the retail industry. Sagem Denmark is a fast-growing subsidiary of the French SAFRAN Group and part of SAFRAN's Defense and Security Division. The SAFRAN Group has offices in 22 countries on all five continents.

    Sagem Denmark A/S

    Fabriksparken 20

    DK-2600 Glostrup

    Denmark

    Phone: +45 43 43 43 95

    Fax: +45 43 43 53 54

    Email: [email protected]

    Web: www.sagemdenmark.com

    June 2007