remote Key loading

Remote Key Loading
Spread security. Unlock efficiency
Cut costs
increase security
A smarter way to do business
The hacker community is growing
increasingly sophisticated – which means
the financial community needs to do the
same. But the key to a smart automatic
teller operation lies in more than high
security. Today’s business-minded financial
institutions also demand efficiency. That’s
why they depend on Remote Key Loading
(RKL) from Cryptera.
By replacing traditional dual-control splitknowledge – a manual approach to key
installation and maintenance – with Cryptera
RKL – a secure, on-line solution – key
management becomes more cost-effective.
More secure. More efficient. More simple. In
other words: more intelligent.
Cut costs
Sending two-person teams to each ATM and
administering key material has traditionally
been an expensive, time-consuming
task. And as card-issuing companies are
demanding larger, more complex key sizes,
the complexity of manual key entry and key
handling is continuing to increase – along
with the cost. Cryptera RKL allows banks to
save on the generation, storage, distribution
and manual handling of paper-based key
information, as these procedures are either
unnecessary with Cryptera RKL or controlled
by the host system.
Increase security
The human factor involved in manual key
handling increases the security risk of
key exposure or misuse. With Cryptera
RKL, human handling of key information
is unnecessary. All information is
safely transmitted online using secure
cryptographic methods to protect and
distribute keys. This enables secure
installation and frequent periodic key
updating, which increases overall system
Streamline operations
By definition, secure remote control is far
more efficient than traditional dual split
control. Eliminating the human factor also
eliminates constraints regarding operational
hours and distance – in addition to avoiding
the risk of misuse of key information.
Prevent headaches
Because Cryptera RKL is based on open
international standards, it is easy to
implement at the host end. No proprietary
standards; only the freedom to take a
smarter approach to key management.
Remote Key Loading
Key exchange
Host validates signature
using public CA key of
ATM certificates
Host sends certificate
with own public key
Host requests a
nonce from ATM
Host generates and encrypts
Terminal Master Key using ATM
public key and generates
signature and encryption
result using own secret key
ATM sends certificates
with own public key
ATM validates signature
using public CA key of
host certificate
ATM generates a nonce
and starts key exchange
ATM validates signature
and nonce using public
key and obtains key by
decrypting with secret key
ATM sends receipt
that information is
A typical interaction for the exchange of the initial symmetric master key takes less than 60 seconds.
A safer form of technology
Cryptera RKL is based upon sophisticated,
standardised and professionally accepted
methods of cryptography. A variety of builtin authentication measures ensures that
both the host and the ATM operate under
fully secure conditions.
central Certification Authority. In addition, the
protocol uses dynamic messages, including
“nonces” (nonce = number used only once) to
protect against replay attacks. The “nonces”
are digitally signed to provide mutual
authentication. The protocol terminates with
authentic confirmation of key reception.
Two keys – maximum security
The secure operation of Cryptera RKL
depends upon cryptography using 2048 bit
RSA keys, generated internally in the Cryptera
encrypting PIN pad. Both the host and the
ATM own a pair of keys – one secret key
and one public key. The public key is used to
encrypt data; the secret key to decrypt data.
With RSA-based technology, the only party
able to decrypt a given message is the owner
of the related secret key.
State-of-the-art cryptographic protocol The
key exchange protocol uses X.509 certificates
to verify that the public keys belong to
valid encrypting PIN pads (EPPs)/hosts.
This prevents “man-in-the-middle” types
of attacks. The certificates are issued by a
Cryptera’s standard RKL solution includes
the following features:
• 2048 bit RSA keys (generated internally in the
encrypting PIN pad)
• One RSA key pair for key encryption/decryption
• One RSA key pair for data verification/signing
• Public keys contained in X.509 certificates
• Certificate-based protocol according to
international ISO 11770-3 standard
• EPP firmware programming interface compatible
with XFS 3.03 API
• Loading of externally generated X.509 certificates
(if customer desires)
• Establishment of secure communication channel
to external Certification Authority and loading of
externally generated X.509 certificates
Remote Key Loading
A better way to serve customers
With Cryptera, security is more than the
technical measures that ensure safe
transactions. “Cryptera security” also means
people – more than 100 highly committed,
highly skilled professionals who are dedicated
to making your experience with Cryptera check
out successfully on all counts. We’ve been
providing high-security payment solutions
worldwide since the 1980s.
Cryptera is a world leading supplier of
encrypting PIN pads and has several years of
experience supplying EPPs and RKL solutions
on an OEM basis. We’re here to support you too
– so that not only you, but also your customers
benefit from better service.
Open standards = flexible solutions
We don’t think banks should be locked into
using one particular ATM supplier. So unlike
our competitors, Cryptera supports open rather
than proprietary standards to give financial
institutions as much freedom of choice as
We also support a flexible approach to
implementing RKL. Banks do not need to
switch to the technology all at once – a gradual
approach is an option for financial institutions
that want to implement Cryptera RKL now and
start using it later. By purchasing an encrypting
PIN pad from Cryptera, it is possible to operate
ATMs in a traditional mode until the host
software vendor is ready to support the new key
loading system.
Prepared customers
= satisfied customers
When planning for the implementation of an
RKL system, one of the major factors to consider
is the support of RKL in the host system. Often
the host relies on a dedicated, standalone Host
Secure Module (HSM) provided by a third-party
vendor. This means that the HSM module chosen
or currently in use has to be able to support
RSA-based RKL operations.
How to proceed
Please contact Cryptera for a detailed checklist
and guidelines for RKL implementation
in your system. Cryptera is happy to support the
ATM supplier as well as the HSM supplier during
the implementation phase.
Remote Key Loading
Welcome to a place where we live
and breathe payment security
Headquartered in Copenhagen, Denmark, Cryptera has more than 25 years
experience in providing high-security payment solutions worldwide.
With more than 1,000,000 payment solutions in use across the globe, Cryptera has
proven and tested international experience within the global payment industry.
Cryptera is a world-leading provider of secure payment solutions and supplies
some of the largest global manufacturers of ATM’s and petrol pumps.
Our main products are encrypting PIN pads for ATM’s and Unattended
Payment terminals for self service payment solutions.
Cryptera employs a staff of approximately 100 and has its own hardware and
software development departments as well as production, sales and servicing
of its proprietary products and solutions.
The R&D department has a staff of highly educated engineers and computer
scientists with expertise in the fields of encryption, certification and integrated
payment solutions.
Cryptera A/S
Fabriksparken 20
DK-2600 Glostrup
Phone: + 45 4343 4395
+ 45 4343 5354
[email protected]