EFT
Main menu option: EFT...
It performs operations related to the EFT (Electronic Funds Transfer) module, such as importing and exporting keys by component or via KEK (Key Encryption Key), as well as generating CSR (Certificate Signing Request) files for use in EMV (Europay Mastercard Visa) standard environments.
For more details see EFT.
Warning
The generic methods for importing, exporting and generating CSRs are available in the Partition menu. See the Import, Export and Attributes topics for more information.
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks
HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - EFT
1 - Import Key...
2 - Export Key...
3 - EMV CSR
0 - Main Menu
Option:
Import Key
Symmetric keys can be imported using the following methods:
- Protected by KEK, a Key Encryption Key. The KEK can be DES or 3DES.
- Using the three-component method, with a KCV (Key Check Value) for each part and also a final KCV.
This method is usually used to import a ZCMK (Zone Control Master Key) used in EFT authorization systems, for example Visa, Mastercard and Elo. Each component is delivered to a custodian, and only by bringing the three parts together is it possible to reconstruct the key within the HSM; from a cryptographic point of view, knowledge of two components does not provide any information about the key.
The components are generated with XOR operations and random parts, which are then consumed and discarded when the key is reconstructed. The KCV is a six-digit hexadecimal value obtained by encrypting a block of zeros with a given key; the first six digits of the resulting cryptogram are the KCV of that key, according to the ANSI X9.24 standard.
The process of generating the components and calculating the KCV is in accordance with the VISA Payment Technology Standards Manual, October 2007.
Export Key
Symmetric keys can be exported using the following methods:
Warning
In EFT export operations, the KEKing key is usually a ZCMK, Zone Control Master Key.
- Protected by KEK, a Key Encryption Key. The KEK can be DES or 3DES.
The method used to calculate the KCV (Key Check Value), as well as the standard for using KEK, is described in the VISA Payment Technology Standards Manual, October 2007; this method can be used for DES and 3DES keys.
There are three options for the KEKing method:
  - Raw: the key used in the KEKing operation is the KEK itself, without derivation;
  - VISA 1: the key used in the KEKing operation is derived from the supplied KEK using the Variant-1 method (an XOR of KEK with 0800000000000000). This method is generally used in the VISA Dynamic Key Exchange (DKE) Service environment. For details see the VISA Payment Technology Standards Manual, October 2007.
  - JCB: JCB card standard (JCB Co., Ltd), according to the JCB Key Guide document, no version number, January 2014.
- Using the three-component method, with a KCV (Key Check Value) for each part and also a final KCV. This method is normally used to export a ZPK (Zone PIN Key) for entry into EFT authorization systems (such as acquiring or capture network systems). Each component is delivered to a custodian, and only by bringing the three parts together is it possible to reconstruct the key; from a cryptographic point of view, knowledge of two components does not provide any information about the key.
The components are generated with XOR (EXCLUSIVE OR) operations and random parts, which are then consumed and discarded when the key is reconstructed. The KCV is a six-digit hexadecimal value obtained by encrypting a block of zeros with a given key; the first six digits of the resulting cryptogram are the KCV of that key, according to the ANSI X9.24 standard.
The process of generating the components and calculating the KCV is in accordance with the VISA Payment Technology Standards Manual, October 2007.
To export a key k, three random values (p1, p2 and p3) of the same size as k are generated. The P1, P2 and P3 components are calculated as:
P1 = p2 xor p3 xor k
P2 = p1 xor p3 xor k
P3 = p1 xor p2 xor k
These three components are distributed to the custodians, and at the time of import the following calculation is made inside the HSM:
K = P1 xor P2 xor P3
Using the properties of the XOR operation in this process, the calculated value of K is exactly the value of k, the originally exported key:
K = k
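The split and recombination described above, written out as an added Python example (not Dinamo's code; the function names and the sample key are constructed for illustration). It also shows why two components alone reveal nothing: for any candidate key there is a third component consistent with them.

```python
import secrets

# Constructed 24-byte (3DES-length) sample key; not taken from the page.
SAMPLE_KEY = bytes.fromhex("0123456789ABCDEFFEDCBA98765432100123456789ABCDEF")


def xor_bytes(*values: bytes) -> bytes:
    """XOR byte strings together, refusing inputs of different lengths."""
    if not values or len({len(v) for v in values}) != 1:
        raise ValueError("components must be present and of equal length")
    out = bytearray(len(values[0]))
    for v in values:
        for i, b in enumerate(v):
            out[i] ^= b
    return bytes(out)


def split_key(k: bytes) -> tuple[bytes, bytes, bytes]:
    """P1 = p2^p3^k, P2 = p1^p3^k, P3 = p1^p2^k with fresh random p1..p3."""
    p1, p2, p3 = (secrets.token_bytes(len(k)) for _ in range(3))
    return xor_bytes(p2, p3, k), xor_bytes(p1, p3, k), xor_bytes(p1, p2, k)


def combine(P1: bytes, P2: bytes, P3: bytes) -> bytes:
    """K = P1 xor P2 xor P3; every random p cancels in pairs, leaving k."""
    return xor_bytes(P1, P2, P3)


def third_component_for(P1: bytes, P2: bytes, candidate: bytes) -> bytes:
    """Return the P3 that would make (P1, P2) recombine to `candidate`.

    Such a P3 exists for every candidate, so two custodians pooling their
    components cannot rule out any key value.
    """
    return xor_bytes(P1, P2, candidate)


if __name__ == "__main__":
    P1, P2, P3 = split_key(SAMPLE_KEY)
    print("recombined == original:", combine(P1, P2, P3) == SAMPLE_KEY)
    other = bytes(len(SAMPLE_KEY))  # all-zero candidate key
    fake_P3 = third_component_for(P1, P2, other)
    print("P1, P2 also fit another key:", combine(P1, P2, fake_P3) == other)
```
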
Export symmetric keys in components
Start:
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks
HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - EFT - Export Key - Key Components
*******************************************************************************
* *
* Warning *
* *
* This export procedure will generate three components of the key and the *
* key check values (not actually three parts of the clear text key). *
* It is strongly recommended to designate three different custodians *
* to hold the key components and allow each custodian know only *
* the proper component. *
* *
*******************************************************************************
Key Name (HSM) : zmk
Use JCB format (y/[n]):
Exportable : yes
Press ENTER key to continue...
Part 1:
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks
HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - EFT - Export Key - Key Components
Key Name (HSM) : zmk
Exportable : yes
Key material Part 1:
F251C80431517F857A3D19078532024001A27C4C1A2A25D5
Key Check Value:
FD4030
Press ENTER key to continue...
Screen between part 1 and part 2:
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks
HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - EFT - Export Key - Key Components
Key Name (HSM) : zmk
Exportable : yes
Part 1 exported successfully.
Press ENTER key to continue...
Final screen:
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks
HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - EFT - Export Key - Key Components
Key Name (HSM) : zmk
Exportable : yes
Final Key Check Value:
4D7131
Key exported successfully.
Press ENTER key to continue...
EMV CSR
Certificate request: CSR (Certificate Signing Request) files generated from the signature with a private key, to be sent to a Certificate Authority, which will issue the corresponding certificate.
The standard is EMV (used specifically for requesting certificates from VISA and Mastercard administrators) and the supported standards are:
- VISA: according to the document Visa Smart Debit/Credit Certification Authority Technical Requirements, version 2.1, December 2005, amended April 2006.
- Mastercard: according to the document Public Key Infrastructure (PKI) - Certification Authority Interface Specification, January 2005.
- Elo: according to the document Elo Certificate Authority Manual - Issuer's Guide, version 1.2, September 2011.
- JCB: according to the JCB CA Interface Guide document, no version number, January 2014.
Attention
Pay attention to the size of the private key modulus; the EMV standard usually works with sizes that differ from those commonly adopted elsewhere: for example 1152, 1408, 1536, 1976, 1984, 2304, 2560 and 2816 bits.
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks
HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - EFT - EMV CSR
RSA Key Name (HSM) : payk
Type : rsa1984
Temporary : no
Exportable : yes
Encrypted : yes
Blocked : no
Public exponent(hex) : 010001
Key size : 1984 bits
CSR type :
1 - Visa
2 - MasterCard
3 - Elo
4 - JCB
Option : 1
Tracking Number (6) : 123456
Service ID (8) : 12345678
Issuer ID(BIN) (8) : 12345678
Cert. Exp. Date (MMYY) : 1025
File (local) : payk.csr
File exported successfully.
Press ENTER key to continue...
In the example above, two files will be generated: payk.csr.INP (binary) and payk.csr.hash (text).