Glossary of keys and associated terms:
Keys / Terms | Aliases | Comment/Description |
---|---|---|
RKI-KEK | Admin Key (former name) | Remote Key Injection KEK. Used to encrypt keys injected remotely from an RKI server. In some products (SecureHead, SecureMag and SecureKey) the RKI-KEK is also used as the MSR Pairing Key. |
LCL-KEK | | Local KEK. Used by the ID TECH NGA key injection protocol to encrypt the other keys injected in TG3. |
MSR Pairing Key | | Used to securely pair a non-SRED device with an ID TECH PIN pad (the PIN pad holds the BDK). |
PCI Pairing Key | | Used to pair a PCI-approved product with an ID TECH PIN pad (the PIN pad holds the BDK). |
DEK | | Data Encryption Key. Used to encrypt sensitive MSR and EMV data. |
PEK | | PIN Encryption Key. DUKPT key used to encrypt the PIN in online PIN mode. |
MAC | | MAC key. Used to authenticate secure messages. |
MSK | | |
KEK | | |
Data DUKPT Key | Data Encryption Key (DEK) | For encryption of transaction data. |
PIN DUKPT Key | PIN Encryption Key (PEK) | For encryption of PINs. |
PIN Master Key | | |
Pairing Key (PINPAD) | PIN Pairing Key (PPK) | The card reader and the PIN pad must both share this common secret so that they can exchange data privately. (The PIN pad receives PAN data from the reader; such data cannot be sent in the clear.) |
MAC DUKPT | HOST-CR MAC Key (MAK) | Key for producing a MAC (message authentication code) on a per-transaction basis. The host may need to send authenticated commands to the reader; this key is used to compute, and to verify, the MAC on those commands. |
RKL BDK | | Remote Key Loading BDK. |
RKL DUKPT Key | | Remote Key Loading DUKPT key. |
KSN | | Key Serial Number. A different 10-byte KSN generally exists for each DUKPT key. |
HOST-CR Key Encryption Key (Master Key) | | KEK for use between the host and the card reader (CR). |
CR-EPP Key Encryption Key (Master Key) | | KEK for use between the card reader and the EPP (Encrypting PIN Pad). |
CR-EPP MAC Key (MAK) | | For MACs on messages that will be consumed by the PIN pad. |
Firmware Encryption Key (FEK) | | Fixed (non-DUKPT) key. For internal use. |
Configuration Encryption Key (CEK) | | Fixed (non-DUKPT) key. For internal use. |
TR31 | ANSI X9.143 (formerly ASC X9 TR-31) | The ANSI standard format for key blocks: blocks of data that bind a key to its attributes (key usage, algorithm, mode of use, exportability). A TR-31 key block consists of a cleartext key block header, an encrypted data block (key length, key and padding), and a MAC computed over the header and the encrypted data. |
Key Block Protection Key | KBPK | Generated in memory at TR-31 block creation time and never stored. The Key Block Encryption Key and Key Block MAC Key are derived from it. |
Key Block Encryption Key | KBEK | Generated in memory at TR-31 block creation time and never stored. Encrypts the data block of the key block. |
Key Block MAC Key | KBMK | Generated in memory at TR-31 block creation time and never stored. Produces the MAC over the key block. |
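As an added example (not ID TECH's own code), the following Python parses the two structures the table defines: a TR-31 key block (header fields, optional blocks, encrypted data and MAC) and a 10-byte DUKPT KSN (initial KSN plus 21-bit transaction counter). The sample key block and KSN are constructed for illustration; the encrypted data and MAC are placeholder hex, and the code checks layout only. Verifying the MAC or unwrapping the key would need the Key Block Protection Key, which is not part of this glossary.

```python
"""Added example: structural parsing of a TR-31 key block and a DUKPT KSN.

Checks layout only. Verifying the MAC or decrypting the key needs the
Key Block Protection Key (KBPK), which a parser like this never holds.
"""
from dataclasses import dataclass

# TR-31 / ANSI X9.143 header field codes; only the values needed here.
KEY_USAGE = {"B0": "BDK", "D0": "data encryption", "K0": "KEK",
             "M3": "ISO 16609 MAC", "P0": "PIN encryption"}
ALGORITHM = {"A": "AES", "T": "TDES", "H": "HMAC", "R": "RSA"}
MODE_OF_USE = {"B": "encrypt+decrypt", "E": "encrypt only", "D": "decrypt only",
               "G": "MAC generate", "V": "MAC verify", "C": "MAC generate+verify",
               "N": "no special restrictions", "X": "key derivation"}
EXPORTABILITY = {"E": "exportable under a trusted KEK", "N": "non-exportable",
                 "S": "sensitive"}
# version ID -> (MAC length in hex chars, cipher block size in hex chars)
VERSION = {"A": (8, 16), "B": (16, 16), "C": (8, 16), "D": (32, 32)}
HEADER_LEN = 16


@dataclass
class Tr31KeyBlock:
    version: str
    length: int
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: dict
    encrypted_data: str  # hex; still encrypted under the KBEK
    mac: str             # hex; covers header + optional blocks + encrypted data


def _hex(s: str, what: str) -> str:
    try:
        bytes.fromhex(s)
    except ValueError:
        raise ValueError(f"{what} is not hex: {s!r}") from None
    return s


def parse_tr31(kb: str) -> Tr31KeyBlock:
    """Split a TR-31 key block into its fields, rejecting malformed layouts."""
    if len(kb) < HEADER_LEN:
        raise ValueError("shorter than the 16-character header")
    version = kb[0]
    if version not in VERSION:
        raise ValueError(f"unknown version ID {version!r}")
    mac_len, block_len = VERSION[version]
    if not kb[1:5].isdigit() or int(kb[1:5]) != len(kb):
        raise ValueError(f"length field {kb[1:5]!r} does not match {len(kb)} chars")
    for code, table, name in ((kb[5:7], KEY_USAGE, "key usage"),
                              (kb[7], ALGORITHM, "algorithm"),
                              (kb[8], MODE_OF_USE, "mode of use"),
                              (kb[11], EXPORTABILITY, "exportability")):
        if code not in table:
            raise ValueError(f"unsupported {name} {code!r}")
    if not kb[12:14].isdigit():
        raise ValueError("optional block count must be two decimal digits")
    # Optional blocks: 2-char ID, 2-char hex length (of the whole block), data.
    # A length of "00" means an extended length field follows.
    pos, blocks = HEADER_LEN, {}
    for _ in range(int(kb[12:14])):
        block_id, len_field = kb[pos:pos + 2], kb[pos + 2:pos + 4]
        if len_field == "00":
            n = int(kb[pos + 4:pos + 6], 16)
            total, data_start = int(kb[pos + 6:pos + 6 + n], 16), pos + 6 + n
        else:
            total, data_start = int(len_field, 16), pos + 4
        if total < data_start - pos or pos + total > len(kb) - mac_len:
            raise ValueError(f"optional block {block_id!r} has a bad length")
        blocks[block_id] = kb[data_start:pos + total]
        pos += total
    # Header plus optional blocks must fill whole cipher blocks (PB block pads).
    if pos % block_len:
        raise ValueError("header + optional blocks not a multiple of block size")
    enc, mac = kb[pos:len(kb) - mac_len], kb[len(kb) - mac_len:]
    if not enc or len(enc) % block_len:
        raise ValueError("encrypted data is not a whole number of cipher blocks")
    return Tr31KeyBlock(version, len(kb), kb[5:7], kb[7], kb[8], kb[9:11], kb[11],
                        blocks, _hex(enc, "encrypted data"), _hex(mac, "MAC"))


def is_well_formed(kb: str) -> bool:
    """True if parse_tr31 accepts the key block layout."""
    try:
        parse_tr31(kb)
        return True
    except ValueError:
        return False


def parse_ksn(ksn_hex: str) -> dict:
    """Split a 10-byte DUKPT KSN into initial KSN and 21-bit transaction counter."""
    raw = bytes.fromhex(ksn_hex)
    if len(raw) != 10:
        raise ValueError("KSN must be exactly 10 bytes")
    value = int.from_bytes(raw, "big")
    counter = value & 0x1FFFFF
    initial = value & ~0x1FFFFF
    # DUKPT only derives keys for counters with at most ten 1-bits set.
    return {"initial_ksn": f"{initial:020X}", "counter": counter,
            "derivable": bin(counter).count("1") <= 10}


# Constructed sample: version B (TDES, 8-byte MAC), usage B0 (BDK), mode X.
# Optional block KS carries a constructed initial KSN; PB pads the header
# area to a cipher-block boundary. Encrypted data and MAC are placeholders.
SAMPLE_KEY_BLOCK = ("B0112B0TX00N0200"
                    "KS18FFFF9876543210E00000"
                    "PB080000"
                    "00112233445566778899AABBCCDDEEFF0123456789ABCDEF"
                    "1122334455667788")

if __name__ == "__main__":
    print(parse_tr31(SAMPLE_KEY_BLOCK))
    print(parse_ksn("FFFF9876543210E00001"))
```

The length-field, block-alignment and optional-block bounds checks are the ones that matter when a key block arrives from a host or RKI server: a parser that trusts the embedded lengths can be walked off the end of the buffer before the MAC is ever checked.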
Suggestions and input are welcome. Please, feel free to offer up suggestions or ask questions in the comments below.