The A98-R automates both the generation and distribution of cryptographic keys for ATMs.
The A98-R is compatible with ATMs that use RSA-enabled encrypting PIN pads (EPPs).
The A98-R delivers random master keys in full compliance with the latest ANSI
standards (X9.24 Part 2) and with all known network mandates for Triple-DES
and unique keys per ATM.
The A98-R implements both Diebold's Certificate Based Protocol (CBP) and NCR's Signature Based Protocol (SBP). Wincor and other remote key protocols will be provided in future releases as they become publicly available and commercially viable.
Standard on Retail Cryptographic Key Management.
The Diebold approach uses X.509 certificates and PKCS message formats to transport key data. NCR's method relies on digital signatures to ensure data integrity. Both processes require the ATM's EPP to be loaded at the factory with signed public keys or certificates. In addition, an A98 public key must be signed by a Certificate Authority (i.e. Diebold or NCR) and imported back into the A98 during system initialization.
The remote re-key process requires the A98 to be authenticated by the ATM. In this step either the signed A98 public key or its certificate is sent from the A98 to the ATM. Once verified, the ATM sends its EPP public key to the A98. (In the case of Diebold, both an encryption and a verification EPP public key are sent.) The A98 stores the EPP data and then generates a new DES key, encrypts it with the EPP's public key, prepares the required message format, and sends this new master key to the ATM. When the EPP responds that it successfully loaded the key, the A98 sends a cryptogram of this new key to the host for loading into the terminal database.
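The exchange just described, as an added example that is not part of the original page or of the A98 product itself: a Python simulation in which textbook RSA over small constructed primes stands in for the X.509/PKCS machinery, the EPP holds only the CA public key it received at the factory, and a device whose public key that CA never signed is refused before any key material is sent. The class and function names (`EPP`, `A98`, `rsa_keygen`, and so on) are assumptions made for the example; the host cryptogram step is noted but not simulated.

```python
# Example code added here, not the A98 product's own software: textbook RSA, no padding, no cert parsing.
import hashlib, secrets
def _digest(data):  # SHA-256 of a message, as an integer
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def _is_probable_prime(n, rounds=16):  # Miller-Rabin, adequate for a demo
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True
def _rand_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full size and odd
        if _is_probable_prime(p): return p
def rsa_keygen(bits=320):  # ((n, e), (n, d)); n > 2^256 so a SHA-256 digest fits
    p, q, e = _rand_prime(bits // 2), _rand_prime(bits // 2), 65537
    try:
        return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))
    except ValueError:  # e shares a factor with phi (rare): draw again
        return rsa_keygen(bits)

def sign(priv, data): return pow(_digest(data), priv[1], priv[0])
def verify(pub, data, sig): return pow(sig, pub[1], pub[0]) == _digest(data)
def encode_pub(pub): return f"{pub[0]}:{pub[1]}".encode()

class EPP:  # encrypting PIN pad; leaves the factory holding only the CA's public key
    def __init__(self, ca_pub):
        self.ca_pub, (self.pub, self.priv), self.master_key = ca_pub, rsa_keygen(), None
    def authenticate_a98(self, a98_pub, ca_sig):  # step 1: CA must vouch for the A98 key
        return self.pub if verify(self.ca_pub, encode_pub(a98_pub), ca_sig) else None
    def load_master_key(self, cryptogram):  # step 3: unwrap the TDES key, confirm load
        self.master_key = pow(cryptogram, self.priv[1], self.priv[0]).to_bytes(16, "big")
        return True

class A98:
    def __init__(self, ca_priv):
        self.pub, self.priv = rsa_keygen()
        self.ca_sig = sign(ca_priv, encode_pub(self.pub))  # imported at initialization
    def remote_rekey(self, epp):
        epp_pub = epp.authenticate_a98(self.pub, self.ca_sig)
        if epp_pub is None:
            return None  # the ATM rejected our credential, so no key is ever sent
        key = secrets.token_bytes(16)  # step 2: fresh random double-length TDES key
        wrapped = pow(int.from_bytes(key, "big"), epp_pub[1], epp_pub[0])
        return key if epp.load_master_key(wrapped) else None  # then: cryptogram to host
```

`remote_rekey` returns the key the EPP now holds, or `None` when the EPP refused the A98 credential; the factory-loaded CA key is the only trust anchor the EPP needs.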
In the initial release of the A98 Remote Re-Key module, the interface to the ATM is implemented through the terminal handler or device driver. Trusted Security Solutions has defined an XML data structure that will be used to communicate with the driver over a TCP/IP link. This approach confines modifications to the ATM device driver and eliminates any need to change the host security module or the terminal driving application software. All of the public key cryptography, message formatting, database access, and user interface programming is provided in the A98 module. Future releases of the A98-R will support direct connection to the ATM and IFX.
By integrating the remote re-key module into the conventional A98 platform, Trusted Security Solutions continues to lead the industry by providing the most efficient, compliant, and cost-effective key establishment solution for all ATMs. The A98-R system not only fully automates key distribution for public-key-enabled ATMs, but also continues to support single- and triple-DES key loading for legacy ATMs.