
EFT

Main menu option: EFT...

It performs operations related to the EFT (Electronic Funds Transfer) module, such as importing and exporting keys by component or via KEK (Key Encryption Key), as well as generating CSR (Certificate Signing Request) files for use in EMV (Europay Mastercard Visa) standard environments.

For more details see EFT.

Warning

The generic methods for importing, exporting and generating CSRs are available in the Partition menu. See the Import, Export and Attributes topics for more information.

Menu for EFT operations
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - EFT



 1 - Import Key...
 2 - Export Key...
 3 - EMV CSR













 0 - Main Menu

Option:

Import Key

Symmetric keys can be imported using the following methods:

  1. Protected by a KEK (Key Encryption Key). The KEK can be DES or 3DES.

  2. Using the three-component method, with a KCV (Key Check Value) for each part and also a final KCV.

    This method is usually used to import a ZCMK (Zone Control Master Key) used in EFT authorization systems, for example Visa, Mastercard and Elo. Each component is delivered to a custodian, and only by bringing the three parts together is it possible to reconstruct the key within the HSM; from a cryptographic point of view, knowledge of two components does not provide any information about the key.

    The components are generated with XOR operations and random parts, which are then consumed and discarded when the key is reconstructed. The KCV is a six-digit hexadecimal value obtained by encrypting a block of zeros with a given key; the first six digits of the resulting cryptogram are the KCV of that key, according to the ANSI X9.24 standard.

    The process of generating the components and calculating the KCV is in accordance with the VISA Payment Technology Standards Manual, October 2007.

Export Key

Symmetric keys can be exported using the following methods:

Warning

In EFT export operations, the KEKing key is usually a ZCMK, Zone Control Master Key.

  1. Protected by a KEK (Key Encryption Key). The KEK can be DES or 3DES.

    The method used to calculate the KCV (Key Check Value), as well as the standard for using the KEK, is described in the VISA Payment Technology Standards Manual, October 2007; this method can be used for DES and 3DES keys.

    There are three options for the KEKing method:

    1. Raw: the key used in the KEKing operation is the KEK itself, without derivation;

    2. VISA 1: the key used in the KEKing operation is derived from the reported KEK using the Variant-1 method (an XOR of KEK with 0800000000000000). This method is generally used in the VISA Dynamic Key Exchange (DKE) Service environment. For details see the VISA Payment Technology Standards Manual, October 2007.

    3. JCB: JCB card standard (JCB Co., Ltd), according to the JCB Key Guide document, no version number, January 2014.

  2. Using the three-component method, with a KCV (Key Check Value) for each part and also a final KCV. This method is normally used to export a ZPK (Zone PIN Key) for entry into EFT authorization systems (such as acquiring or capture network systems). Each component is delivered to a custodian, and only by bringing the three parts together is it possible to reconstruct the key; from a cryptographic point of view, knowledge of two components does not provide any information about the key.

    The components are generated with XOR (EXCLUSIVE OR) operations and random parts, which are then consumed and discarded when the key is reconstructed. The KCV is a six-digit hexadecimal value obtained by encrypting a block of zeros with a given key; the first six digits of the resulting cryptogram are the KCV of that key, according to the ANSI X9.24 standard.

    The process of generating the components and calculating the KCV is in accordance with the VISA Payment Technology Standards Manual, October 2007.

    To export a key k, three random values (p1, p2 and p3) of the same size as k are generated.

    The P1, P2 and P3 components are calculated as:

    P1 = p2 xor p3 xor k

    P2 = p1 xor p3 xor k

    P3 = p1 xor p2 xor k

    These three components are distributed to the custodians, and at the time of import the following calculation is made inside the HSM:

    K = P1 xor P2 xor P3

    Using the properties of the XOR operation in this process, the calculated value of K is exactly the value of k, the originally exported key:

    K = k
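The component arithmetic described above, as an added Python example (not Dinamo code and not part of the original page): it builds P1, P2 and P3 with the formulas given, recombines them, and shows that two components alone are consistent with every possible key. The function names and the sample key are assumptions made for illustration.

```python
import secrets

def xor(*parts: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    if len({len(p) for p in parts}) != 1:
        raise ValueError("all values must have the same length")
    out = bytearray(len(parts[0]))
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)

def export_components(k: bytes) -> tuple[bytes, bytes, bytes]:
    """Build P1, P2, P3 from three random values, using the page's formulas."""
    p1, p2, p3 = (secrets.token_bytes(len(k)) for _ in range(3))
    return xor(p2, p3, k), xor(p1, p3, k), xor(p1, p2, k)

def parse_component(text: str, key_len: int) -> bytes:
    """Parse a hex component as typed by a custodian; reject a wrong length."""
    raw = bytes.fromhex(text)  # raises ValueError on non-hex input
    if len(raw) != key_len:
        raise ValueError(f"expected {key_len} bytes, got {len(raw)}")
    return raw

def import_components(c1: str, c2: str, c3: str, key_len: int) -> bytes:
    """Recombine as the HSM does on import: K = P1 xor P2 xor P3."""
    return xor(*(parse_component(c, key_len) for c in (c1, c2, c3)))

def third_component_for(c_a: bytes, c_b: bytes, candidate: bytes) -> bytes:
    """The third component that would make two known ones yield `candidate`."""
    return xor(c_a, c_b, candidate)

if __name__ == "__main__":
    # Constructed 24-byte (3DES-length) test key, not a real key.
    k = bytes.fromhex("0123456789ABCDEFFEDCBA98765432100123456789ABCDEF")
    P1, P2, P3 = export_components(k)
    K = import_components(P1.hex(), P2.hex(), P3.hex(), len(k))
    print("recombined equals original:", K == k)
    # Two custodians comparing notes: every candidate key has a matching
    # third component, so P1 and P2 alone rule nothing out.
    guess = bytes(len(k))
    fake_P3 = third_component_for(P1, P2, guess)
    print("guess is consistent:", xor(P1, P2, fake_P3) == guess)
    # One wrong bit in a component silently yields a different key,
    # which is what the per-component and final KCVs are there to catch.
    bad = bytes([P1[0] ^ 1]) + P1[1:]
    print("typo changes key:", xor(bad, P2, P3) != k)
```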

Export symmetric keys in components

Start:

Key export by component
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - EFT - Export Key - Key Components

*******************************************************************************
*                                                                             *
*                                   Warning                                   *
*                                                                             *
*   This export procedure will generate three components of the key and the   *
*     key check values (not actually three parts of the clear text key).      *
*     It is strongly recommended to designate three different custodians      *
*        to hold the key components and allow each custodian know only        *
*                            the proper component.                            *
*                                                                             *
*******************************************************************************


Key Name (HSM) : zmk
Use JCB format (y/[n]):
Exportable : yes


Press ENTER key to continue...

Part 1:

Key export by component, part 1
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - EFT - Export Key - Key Components

Key Name (HSM) : zmk
Exportable : yes

Key material Part 1:

F251C80431517F857A3D19078532024001A27C4C1A2A25D5

Key Check Value:

FD4030


Press ENTER key to continue...

Screen between part 1 and part 2:

Key export by component, part 1 ok
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - EFT - Export Key - Key Components

Key Name (HSM) : zmk
Exportable : yes


Part 1 exported successfully.




Press ENTER key to continue...

Final screen:

Key export by component, final
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - EFT - Export Key - Key Components

Key Name (HSM) : zmk
Exportable : yes


Final Key Check Value:

4D7131


Key exported successfully.

Press ENTER key to continue...

EMV CSR

Certificate request: CSR (Certificate Signing Request) files are generated by signing with a private key and are sent to a Certificate Authority, which issues the corresponding certificate.

The CSR format is EMV (used specifically for requesting certificates from the VISA and Mastercard administrators), and the supported standards are:

  1. VISA: according to the document Visa Smart Debit/Credit Certification Authority Technical Requirements, version 2.1, December 2005, amended April 2006.

  2. Mastercard: according to the document Public Key Infrastructure (PKI) - Certification Authority Interface Specification, January 2005.

  3. Elo: according to the document Elo Certificate Authority Manual - Issuer's Guide, version 1.2, September 2011.

  4. JCB: according to the JCB CA Interface Guide document, no version number, January 2014.

Attention

Pay attention to the size of the private key modulus; the EMV standard usually works with sizes that differ from those commonly adopted, for example 1152, 1408, 1536, 1976, 1984, 2304, 2560 and 2816 bits.

EMV standard CSR generation
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - EFT - EMV CSR

RSA Key Name (HSM) : payk

                  Type : rsa1984
             Temporary : no
            Exportable : yes
             Encrypted : yes
               Blocked : no

  Public exponent(hex) : 010001
              Key size : 1984 bits

CSR type :
 1 - Visa
 2 - MasterCard
 3 - Elo
 4 - JCB
Option : 1
Tracking Number (6) : 123456
Service ID (8) : 12345678
Issuer ID(BIN) (8) : 12345678
Cert. Exp. Date (MMYY) : 1025
File (local) : payk.csr

File exported successfully.

Press ENTER key to continue...

In the example above, two files will be generated: payk.csr.INP (binary) and payk.csr.hash (text).