A presentation on symmetric key management which are accepted by PCI SSC

1. Key management
KodeGear
(http://www.kodegear.co.kr)
1

2. Contents
• Introduction
• Fixed Key
• Master / Session Key
• DUKPT
• Closing
2

3. Introduction
• Cryptography
– Confidentiality: keep information secret
– Authentication: legitimate author/user?
– Integrity: Is the data compromised?
– Non-repudiation: Protect denial
3

4. Introduction
• Cryptography
– Encryption/Decryption: make a cryptogram
for the unauthorized not be able to figure
out the data
– Hash (Message Digest): digest a message
into a fixed length hash value, no key is
needed
– MAC (Massage Authentication Code): make
a fixed length MAC value, key is needed
4

5. Introduction
• Symmetric Algorithm
– Same key (Symmetric Key) is used for
encryption and decryption
– Example: DES, AES
– Easier and faster than asymmetric algorithm
– Must transfer key in secure manner
5

6. Introduction
• Asymmetric Algorithm
– Different keys (Asymmetric Key) are used
– Key pairs (private/public keys) are
mathematically linked
– Example: RSA
– Harder and slower than symmetric algorithm
– No need to transfer decryption key
6

7. Fixed Key
• Physically load a key (fixed) to the client
• The client encrypt a data with the key
• The host decrypt the data with the key
• The key is replaced on either plan or key
compromise
• Same key is used over and over for
encipherment
7

8. Fixed Key
Host Client (device)
Network
Data
encryption
Data Data Data
decryption
8

9. Master / Session Key
• Share a master key between host and
client beforehand
• Host generates a session key before
transaction
• Host encrypts the session key with the
master key and send to client
• Client decrypts the encrypted session
key with the master key shared
beforehand
9

10. Master / Session Key
• Must generate and share a new master
key if the master key is compromised
• Still popular because of effectiveness
• Adoption of asymmetric for master key
• Developed before asymmetric algorithm
was developed
10

11. Master / Session Key
PRIVATEPUBLIC
Host Client (device)
Generate asymmetric key pair and tra
nsfer private key to client at factory
Symmetric Key
PRIVATE
Encrypted
Symmetric Key
Encrypted
Symmetric Key
encryption decryption
Symmetric Key
Network
11

12. Master / Session Key
Host Client (device)
Data encryption and decryption with
symmetric key
Data
encryption
Data
Network
Data Data
decryption
12

13. DUKPT
• Derived Unique Key Per Transaction
• Host has BDK (Base Derivation Key) and
generates IPEK (Initial Pin Encryption Key)
• IPEK is inserted into client
• Client generates Future Key sets and
remove IPEK
13

14. DUKPT
• Future Key is used for data encryption
• The used future key is replaced with a
newly generated future key
• Client transmits key set id, client id and
transaction counter with encrypted data
• Host calculates the encryption key with
the transmitted data and decrypt
14

15. DUKPT
IPEKBDK
Host Client (device)
IPEK
generation
Network
generation
21 Future Keys
Will be remove
d after generati
on of future key
Used future key
is replaced with
a new one
15

16. DUKPT
BDK
Host Client (device)
Network
21 Future Keys
DataData
encryption
DataData
decryption
calculation
16

17. Closing
• Key managements are not limited with
these three ways – can be used mingled
• The devices should be tamper proof
• Reference: ANS X9.24-1
17