Introduction to Financial Remote Key Loading (Part 3)
Cryptographic Techniques for Financial Remote Key Loading
In order for the endpoint device (whether an ATM, point-of-sale terminal, or IoT device) to receive symmetric encryption keys for PAN or PIN encryption, it must first establish a secure connection with the remote key loading (RKL) platform. PKI is a form of asymmetric cryptography in which the sender and receiver use public and private key pairs both to encrypt and decrypt messages and to verify each other's identity. PKI allows the endpoint device and the RKL platform to verify each other's identities and exchange keys securely.
Certificate-Based RKL (Using RSA Key Exchange)
Certificate-based RSA PKI is the most common and widely accepted method of RKL communication. Unlike symmetric cryptography, where a single key is used to both encrypt and decrypt a message, asymmetric cryptography requires two keys. The sender encrypts the message with the recipient's public key, and the recipient decrypts it with its private key. This adds another layer of security: not only is the message encrypted, but the recipient's identity is authenticated by its possession of the matching private key.
PKI is the cryptographic backbone of RKL. For ATMs and POS terminals to receive and decrypt the keys sent to them by the RKL service, they must first be in possession of a private key, which is known as a certificate. This certificate is injected into the POS terminal or ATM, usually at the time of manufacture, by a certificate authority. Once the endpoint device has received its unique certificate, it can be deployed in the field, where it can establish a secure connection and exchange keys with the RKL platform.
The Accredited Standards Committee (ASC) X9, the component of the American National Standards Institute (ANSI) responsible for developing consensus standards for the financial services industry, has established Technical Report 34 (TR-34), which outlines the methods for remote distribution of symmetric keys using asymmetric encryption. TR-34 establishes the certificate-based RKL protocol as the preferred method of delivering encryption keys to POS terminals and ATMs.
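The certificate-based exchange described above, reduced to its two cryptographic steps, as an added example that is not part of the original post and not Futurex, VirtuCrypt or TR-34 code: the RKL platform encrypts a fresh working key to the endpoint's public key and signs the result with its own private key; the endpoint checks the platform's signature first, then decrypts with the private key it received at manufacture. The key sizes, the 128-bit working key, the OAEP label, the choice of RSA-OAEP plus RSA-PSS, signing over the ciphertext, and the function and type names (NewParty, PlatformWrapKey, EndpointUnwrapKey, KeyMessage) are all assumptions made for this illustration; TR-34's actual message format is not reproduced here. The example uses only Go's standard library.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed parameters for this illustration (not taken from TR-34 or any vendor).
const rsaBits = 2048     // key size for both the endpoint and the RKL platform
const workingKeyLen = 16 // a 128-bit symmetric working key (e.g. for PIN encryption)

var oaepLabel = []byte("rkl-example-working-key") // assumed OAEP label

// KeyMessage is the platform-to-endpoint message: the working key encrypted to
// the endpoint, plus the platform's signature over that ciphertext.
type KeyMessage struct {
	Ciphertext []byte
	Signature  []byte
}

// NewParty generates an RSA key pair. For the endpoint this stands in for the
// private key injected at manufacture (whose public half the CA certifies);
// for the platform it is the signing key whose certificate the endpoint trusts.
func NewParty() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, rsaBits)
}

// NewWorkingKey draws a fresh random symmetric key on the platform side.
func NewWorkingKey() ([]byte, error) {
	key := make([]byte, workingKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// PlatformWrapKey encrypts the working key under the endpoint's public key
// (RSA-OAEP, SHA-256), then signs the ciphertext with the platform's private
// key (RSA-PSS) so the endpoint can confirm who sent it.
func PlatformWrapKey(platformPriv *rsa.PrivateKey, endpointPub *rsa.PublicKey, workingKey []byte) (*KeyMessage, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, endpointPub, workingKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, platformPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &KeyMessage{Ciphertext: ct, Signature: sig}, nil
}

// EndpointUnwrapKey verifies the platform's signature (authenticating the
// sender) before decrypting with the endpoint's own private key. A message from
// an untrusted signer, or one encrypted to a different endpoint, is rejected.
func EndpointUnwrapKey(endpointPriv *rsa.PrivateKey, platformPub *rsa.PublicKey, msg *KeyMessage) ([]byte, error) {
	digest := sha256.Sum256(msg.Ciphertext)
	if err := rsa.VerifyPSS(platformPub, crypto.SHA256, digest[:], msg.Signature, nil); err != nil {
		return nil, errors.New("key message is not signed by the trusted RKL platform")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, endpointPriv, msg.Ciphertext, oaepLabel)
	if err != nil {
		return nil, errors.New("key message was not encrypted to this endpoint's private key")
	}
	return key, nil
}

// RunExchange performs one complete key load and reports whether the endpoint
// recovered exactly the key the platform generated.
func RunExchange() (bool, error) {
	endpoint, err := NewParty()
	if err != nil {
		return false, err
	}
	platform, err := NewParty()
	if err != nil {
		return false, err
	}
	key, err := NewWorkingKey()
	if err != nil {
		return false, err
	}
	msg, err := PlatformWrapKey(platform, &endpoint.PublicKey, key)
	if err != nil {
		return false, err
	}
	recovered, err := EndpointUnwrapKey(endpoint, &platform.PublicKey, msg)
	if err != nil {
		return false, err
	}
	return bytes.Equal(recovered, key), nil
}

func main() {
	ok, err := RunExchange()
	fmt.Println("endpoint recovered the working key:", ok, "error:", err)
}
```

The order of checks on the endpoint side is the point worth noting: the signature is verified before any decryption, so a key block that did not come from the trusted platform is dropped without the endpoint ever touching its private key, and a block encrypted to some other endpoint's public key fails the OAEP check even when the signature is genuine.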
Another cryptographic technique used to establish a secure connection for RKL is the signature-based method, which is primarily in use among older ATM networks. While similar to certificate-based RKL in some ways, it uses a digital signature that encrypts the key before it is sent to the ATM. Signature-based protocols are simpler and require less data to be sent, which may make them more suitable for older ATM networks based on dial-up connections.
Symmetric Key RKL
Some manufacturers inject keys into their own devices before deployment. In this symmetric key RKL model, the certificate establishment step is skipped by integrating the initial symmetric key injection into the manufacturing process. While it is not as prevalent as certificate-based RKL, it is still in use by many organizations.
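The symmetric key RKL model above, as an added example that is not part of the original post and not any manufacturer's or Futurex's code: because a key-encrypting key (KEK) was injected at manufacture and is also held in the platform's key database, no certificate exchange is needed; the platform simply wraps each new working key under that KEK. The use of AES-256-GCM as the wrapping mechanism, the binding of each wrapped key to a terminal ID through GCM's associated data, the terminal IDs, key sizes, and the names InjectKEK, PlatformWrap, TerminalUnwrap and WrappedKey are assumptions for this illustration, not a standard key-block format. Only Go's standard library is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed parameters for this illustration; not a vendor's or a standard's format.
const kekLen = 32        // 256-bit key-encrypting key injected at manufacture
const workingKeyLen = 16 // 128-bit working key delivered by the platform

// WrappedKey is the platform-to-terminal message: the working key sealed under
// the terminal's KEK with AES-256-GCM, with the terminal ID as associated data
// so a block wrapped for one terminal cannot be replayed to another.
type WrappedKey struct {
	TerminalID string
	Nonce      []byte
	Ciphertext []byte
}

// InjectKEK stands in for the manufacturing step: the same KEK is stored in the
// terminal and in the platform's key database, so no certificate exchange is
// needed later.
func InjectKEK() ([]byte, error) {
	kek := make([]byte, kekLen)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

func gcmUnder(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PlatformWrap seals a working key for one terminal under that terminal's KEK,
// using a fresh random nonce (a nonce must never be reused under one KEK).
func PlatformWrap(kek []byte, terminalID string, workingKey []byte) (*WrappedKey, error) {
	aead, err := gcmUnder(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, workingKey, []byte(terminalID))
	return &WrappedKey{TerminalID: terminalID, Nonce: nonce, Ciphertext: ct}, nil
}

// TerminalUnwrap recovers the working key. GCM's tag check fails if the block
// was wrapped under another KEK, was tampered with, or carries another ID.
func TerminalUnwrap(kek []byte, myID string, msg *WrappedKey) ([]byte, error) {
	if msg.TerminalID != myID {
		return nil, errors.New("key block is addressed to a different terminal")
	}
	aead, err := gcmUnder(kek)
	if err != nil {
		return nil, err
	}
	key, err := aead.Open(nil, msg.Nonce, msg.Ciphertext, []byte(myID))
	if err != nil {
		return nil, errors.New("key block was not wrapped under this terminal's KEK")
	}
	return key, nil
}

// RunSymmetricExchange injects a KEK, delivers one working key, and reports
// whether the terminal recovered exactly the key the platform generated.
func RunSymmetricExchange() (bool, error) {
	kek, err := InjectKEK()
	if err != nil {
		return false, err
	}
	workingKey := make([]byte, workingKeyLen)
	if _, err := rand.Read(workingKey); err != nil {
		return false, err
	}
	msg, err := PlatformWrap(kek, "TERM-0001", workingKey) // constructed terminal ID
	if err != nil {
		return false, err
	}
	got, err := TerminalUnwrap(kek, "TERM-0001", msg)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, workingKey), nil
}

func main() {
	ok, err := RunSymmetricExchange()
	fmt.Println("terminal recovered the working key:", ok, "error:", err)
}
```

The trade-off this makes visible is where the trust lives: in the certificate-based model each side can check the other's identity from a public key, whereas here every terminal's security rests on the secrecy of the KEK shared between the manufacturing line and the platform's key database, so that database and the injection process become the assets to protect.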
Part 4 of our series on financial remote key loading, in which we will provide an overview of Futurex and VirtuCrypt's solutions for remote key loading, will be posted soon. If you're looking for more information in the meantime, please read our whitepaper on financial remote key loading.