Glossary of keys and associated terms:

 

| Keys / Terms | Aliases | Comment/Description |
|---|---|---|
| RKI-KEK | Admin Key | Remote Key Injection KEK. Used to encrypt keys injected remotely from an RKI server. In some cases (SecureHead, SecureMag, and SecureKey), the RKI-KEK will also be used as the MSR Pairing Key. (This key used to be called the Admin Key.) |
| LCL-KEK | | Local KEK. Used by the ID TECH NGA key injection protocol. Encrypts other keys injected in TG3. |
| MSR Pairing Key | | MSR Pairing Key used to securely pair a non-SRED device with an ID TECH PinPad (the PinPad will have the BDK). |
| PCI Pairing Key | | PCI Pairing Key used to pair a PCI-approved product with an ID TECH PinPad (the PinPad will have the BDK). |
| DEK | | Data Encryption Key. Key used to encrypt MSR and EMV sensitive data. |
| PEK | | PIN Encryption Key. DUKPT key used to encrypt the PIN in Online PIN mode. |
| MAC | | MAC Key. Key used to authenticate secure messages. |
| MSK | | Master Session Key |
| KEK | | Key Encryption Key |
| Data DUKPT Key | Data Encryption Key (DEK) | For encryption of transaction data. |
| PIN DUKPT Key | PIN Encryption Key (PEK) | For encryption of PINs. |
| PIN Master Key | | |
| Pairing Key (PINPAD) | PIN Pairing Key (PPK) | The card reader and the PIN pad must both share this common secret so that they can exchange data privately. (The PIN pad will receive PAN data from the reader. Such data cannot be sent in the clear.) |
| MAC DUKPT | HOST-CR MAC Key (MAK) | Key for producing a MAC hash (authenticated hash) on a per-transaction basis. The host may need to send authenticated commands to the reader. This key enables the creation of secure hash data. |
| RKL BDK | | Remote Key Loading BDK. |
| RKL DUKPT Key | | Remote Key Loading DUKPT key. |
| KSN | | Key Serial Number. A different 10-byte KSN generally exists for each key. |
| HOST-CR Key Encryption Key (Master Key) | | KEK for use between host and card reader (CR). |
| CR-EPP Key Encryption Key (Master Key) | | EPP = Encrypted PIN Pad |
| CR-EPP MAC Key (MAK) | | For MAC hashes that will be consumed by the PIN pad. |
| Firmware Encryption Key (FEK), fixed key | | For internal use. |
| Configuration Encryption Key (CEK), fixed key | | For internal use. |
| TR31 | (ANSI spec here) | TR31 is the ANSI standard way to create key block info (blocks of data that associate keys with key attributes). The payload of a TR31 key block consists of a key block header, an encrypted data block (key length, key, and padding), and a MAC value. |
| Key Block Protection Key | | Generated in-memory at TR31 block creation time and never stored. |
| Key Block Encryption Key | | Generated in-memory at TR31 block creation time and never stored. |
| Key Block MAC Key | | Generated in-memory at TR31 block creation time and never stored. |
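
The TR31 entry above names three parts of a key block: header, encrypted data block, and MAC. The following is an added example, not ID TECH code and not part of the original page, that splits a key block string into those parts and rejects malformed input. The names `parse_tr31` and `KeyBlock`, the header field offsets, the per-version MAC lengths, and the sample block are assumptions made for illustration.

```python
# Added example (not ID TECH code): split a TR-31 key block string into its parts.
# Header offsets and per-version MAC lengths are assumptions taken from the
# published TR-31 layout; the MAC is located here, not verified.
from dataclasses import dataclass

MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}  # MAC size in hex chars by version ID
HEX = set("0123456789ABCDEFabcdef")

@dataclass
class KeyBlock:
    version: str
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional: dict        # optional header blocks, e.g. {"KS": <KSN hex>}
    encrypted_data: str   # encrypted key length + key + padding (hex)
    mac: str

def parse_tr31(block: str) -> KeyBlock:
    if len(block) < 16 or not block.isascii():
        raise ValueError("too short for a 16-character TR-31 header")
    version = block[0]
    if version not in MAC_HEX_LEN:
        raise ValueError(f"unsupported key block version {version!r}")
    if not block[1:5].isdigit() or int(block[1:5]) != len(block):
        raise ValueError("declared length does not match actual length")
    if not block[12:14].isdigit():
        raise ValueError("bad optional block count")
    pos, optional = 16, {}
    for _ in range(int(block[12:14])):
        blk_id, len_field = block[pos:pos + 2], block[pos + 2:pos + 4]
        if len(len_field) != 2 or not set(len_field) <= HEX:
            raise ValueError("bad optional block length field")
        blk_len = int(len_field, 16)  # counts the ID and length chars too
        if blk_len < 4 or pos + blk_len > len(block):
            raise ValueError("optional block overruns the key block")
        optional[blk_id] = block[pos + 4:pos + blk_len]
        pos += blk_len
    body, mac_len = block[pos:], MAC_HEX_LEN[version]
    if len(body) <= mac_len or not set(body) <= HEX:
        raise ValueError("encrypted data and MAC must be hex")
    return KeyBlock(version, block[5:7], block[7], block[8], block[9:11],
                    block[11], optional, body[:-mac_len], body[-mac_len:])

# Constructed sample: version B, one KS optional block, dummy ciphertext and MAC.
SAMPLE = ("B0104B1TX00N0100" + "KS18FFFF9876543210E00000"
          + "0123456789ABCDEF" * 3 + "FEDCBA9876543210")
```

Parsing only locates the fields. A receiver should trust the header attributes only after the MAC has been verified with the Key Block MAC Key.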

 

Suggestions and input are welcome. Please feel free to offer up suggestions or ask questions in the comments below.
