remote key load
7/28/2019 Remote Key Load
Spread security. Unlock efficiency
Remote Key Loading
A smarter way to do business
The hacker community is growing increasingly sophisticated, which means the financial
community needs to do the same. But the key to a smart automatic teller operation lies in
more than high security. Today's business-minded financial institutions also demand efficiency.
That's why they depend on Remote Key Loading (RKL) from Sagem Denmark.
By replacing traditional dual-control split-knowledge (a manual approach to key installation and
maintenance) with Sagem RKL (a secure, on-line solution), key management becomes
more cost-effective. More secure. More efficient. More simple. In other words: more intelligent.
Cut costs
Sending two-person teams to each ATM and administering key material has traditionally been
an expensive, time-consuming task. And as card-issuing companies are demanding larger,
more complex key sizes, the complexity of manual key entry and key handling is continuing to
increase along with the cost. Sagem RKL allows banks to save on the generation, storage,
distribution and manual handling of paper-based key information, as these procedures are either
unnecessary with Sagem RKL or controlled by the host system.
Increase security
The human factor involved in manual key handling increases the security risk of key exposure
or misuse. With Sagem RKL, human handling of key information is unnecessary. All information
is safely transmitted online using secure cryptographic methods to protect and distribute keys.
This enables secure installation and frequent periodic key updating, which increases overall
system security.
Streamline operations
By definition, secure remote control is far more efficient than traditional dual split control.
Eliminating the human factor also eliminates constraints regarding operational hours and
distance in addition to avoiding the risk of misuse of key information.
Prevent headaches
Because Sagem RKL is based on open international standards, it is easy to implement at
the host end. No proprietary standards; only the freedom to take a smarter approach to
key management.
Sagem RKL is based upon sophisticated, standardised and professionally
accepted methods of cryptography. A variety of built-in
authentication measures ensures that both the host and the
ATM operate under fully secure conditions.
Two keys: maximum security
The secure operation of Sagem RKL depends upon cryptography
using 2048 bit RSA keys, generated internally in the Sagem
encrypting PIN pad. Both the host and the ATM own a pair of
keys: one secret key and one public key. The public key is used
to encrypt data; the secret key to decrypt data. With RSA-based
technology, the only party able to decrypt a given message is the
owner of the related secret key.
A safer form of technology
State-of-the-art cryptographic protocol
The key exchange protocol uses X.509 certificates to verify that
the public keys belong to valid encrypting PIN pads (EPPs)/hosts.
This prevents man-in-the-middle types of attacks. The certificates
are issued by a central Certification Authority.
In addition, the protocol uses dynamic messages, including nonces
(nonce = number used only once) to protect against replay attacks.
The nonces are digitally signed to provide mutual authentication.
The protocol terminates with authentic confirmation of key reception.
SAGEM SECURITY
Sagem Denmark's standard RKL solution includes
the following features:
- 2048 bit RSA keys (generated internally in the encrypting PIN pad)
- One RSA key pair for key encryption/decryption
- One RSA key pair for data verification/signing
- Public keys contained in X.509 certificates
- Certificate-based protocol according to international ISO 11770-3 standard
- EPP firmware programming interface compatible with XFS 3.03 API
- Loading of externally generated X.509 certificates (if customer desires)
OPTION
- Establishment of secure communication channel to external Certification Authority and loading of externally generated X.509 certificates
A typical interaction for the exchange of the initial symmetric
master key takes less than 60 seconds.
[Diagram: key exchange between Host and ATM. Box texts:]
- Host validates signature using public CA key of ATM certificates
- Host sends certificate with own public key
- ATM sends certificates with own public key
- ATM validates signature and nonce using public key and obtains key by decrypting with secret key
- ATM sends receipt that information is correct
- Host requests a nonce from ATM
- ATM validates signature using public CA key of host certificate
- Host generates and encrypts Terminal Master key using ATM public key and generates signature and encryption result using own secret key
- ATM generates a nonce and starts key exchange
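The nonce and signature steps described above, as an added example that is not Sagem's code: it shows why a captured key-load message is rejected when replayed against a later nonce. All names are hypothetical, textbook RSA over constructed demo primes stands in for the 2048 bit keys held in the EPP, and certificate validation and the final receipt are assumed to happen elsewhere.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both demo key pairs

def make_key(p, q):
    """Textbook RSA: return (modulus, private exponent) for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys built from known Mersenne primes. NOT secure.
HOST_N, HOST_D = make_key(2**521 - 1, 2**607 - 1)    # host signing pair
ATM_N, ATM_D = make_key(2**127 - 1, 2**1279 - 1)     # ATM encryption pair
CT_LEN = (ATM_N.bit_length() + 7) // 8

def signed_part(nonce, ciphertext):
    """Hash of nonce || encrypted key, as an integer below HOST_N."""
    data = nonce + ciphertext.to_bytes(CT_LEN, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % HOST_N

def host_send_key(tmk, nonce):
    """Host: encrypt the master key for the ATM, sign nonce + ciphertext."""
    ciphertext = pow(int.from_bytes(tmk, "big"), E, ATM_N)
    signature = pow(signed_part(nonce, ciphertext), HOST_D, HOST_N)
    return ciphertext, signature

class Atm:
    def __init__(self):
        self.pending = None      # nonce of the exchange in progress
        self.master_key = None

    def new_nonce(self):
        self.pending = secrets.token_bytes(16)
        return self.pending

    def load_key(self, ciphertext, signature):
        """Accept the key only if the signature covers the pending nonce."""
        nonce, self.pending = self.pending, None   # a nonce is used once
        if nonce is None or not 0 <= ciphertext < ATM_N:
            return False
        if pow(signature, E, HOST_N) != signed_part(nonce, ciphertext):
            return False
        self.master_key = pow(ciphertext, ATM_D, ATM_N).to_bytes(16, "big")
        return True

def demo():
    atm, tmk = Atm(), secrets.token_bytes(16)
    captured = host_send_key(tmk, atm.new_nonce())
    accepted = atm.load_key(*captured)
    atm.new_nonce()                        # a later exchange, fresh nonce
    replayed = atm.load_key(*captured)     # old message sent again
    return accepted, atm.master_key == tmk, replayed
```

A production implementation would use padded RSA (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) inside the EPP and HSM rather than raw modular exponentiation.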
A better way to serve customers
With Sagem, security is more than the technical measures that ensure safe transactions.
Sagem security also means people: more than 150 highly committed, highly skilled
professionals who are dedicated to making your experience with Sagem Denmark check out
successfully on all counts. We've been providing high-security payment solutions worldwide
since the 1980s. And with the 58,000-strong SAFRAN Group behind us, we'll be delivering
security tomorrow as well.
Sagem Denmark is a major supplier of encrypting PIN pads worldwide and has several years of
experience supplying EPPs and RKL solutions on an OEM basis. We're here to support you too,
so that not only you, but also your customers benefit from better service.
Open standards = flexible solutions
We don't think banks should be locked into using one particular ATM supplier. So unlike our
competitors, Sagem supports open rather than proprietary standards to give financial institutions
as much freedom of choice as possible.
We also support a flexible approach to implementing RKL. Banks do not need to switch to the
technology all at once; a gradual approach is an option for financial institutions that want to
implement Sagem RKL now and start using it later. By purchasing an encrypting PIN pad from
Sagem Denmark, it is possible to operate ATMs in a traditional mode until the host software
vendor is ready to support the new key loading system.
Prepared customers = satisfied customers
When planning for the implementation of an RKL system, one of the major factors to consider
is the support of RKL in the host system. Often the host relies on a dedicated, standalone Host
Secure Module (HSM) provided by a third-party vendor. This means that the HSM module
chosen or currently in use has to be able to support RSA-based RKL operations.
How to proceed
Please contact Sagem Denmark for a detailed checklist and guidelines for RKL implementation
in your system.
Sagem Denmark is happy to support the ATM supplier as well as the HSM supplier during the
implementation phase.
We live and breathe payment security
Sagem Denmark has more than 20 years' experience in providing high-
security payment solutions worldwide. Headquartered in Copenhagen,
Denmark, we also have offices in Finland, Norway and Sweden. In addition
to providing encrypting PIN pads to the ATM market, our expertise
encompasses unattended payment solutions and point-of-sales terminals
for the retail industry. Sagem Denmark is a fast-growing subsidiary of the
French SAFRAN Group and part of SAFRAN's Defense and Security Division.
The SAFRAN Group has offices in 22 countries on all five continents.
Sagem Denmark A/S
Fabriksparken 20
DK-2600 Glostrup
Denmark
Phone: +45 43 43 43 95
Fax: +45 43 43 53 54
Email: [email protected]
Web: www.sagemdenmark.com
June 2007