Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (20)
Ähnlich wie Key management
Ähnlich wie Key management (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Key management
- 2. Contents • Introduction • Fixed Key • Master / Session Key • DUKPT • Closing 2
- 3. Introduction • Cryptography – Confidentiality: keep information secret – Authentication: legitimate author/user? – Integrity: Is the data compromised? – Non-repudiation: Protect denial 3
- 4. Introduction • Cryptography – Encryption/Decryption: make a cryptogram for the unauthorized not be able to figure out the data – Hash (Message Digest): digest a message into a fixed length hash value, no key is needed – MAC (Massage Authentication Code): make a fixed length MAC value, key is needed 4
- 5. Introduction • Symmetric Algorithm – Same key (Symmetric Key) is used for encryption and decryption – Example: DES, AES – Easier and faster than asymmetric algorithm – Must transfer key in secure manner 5
- 6. Introduction • Asymmetric Algorithm – Different keys (Asymmetric Key) are used – Key pairs (private/public keys) are mathematically linked – Example: RSA – Harder and slower than symmetric algorithm – No need to transfer decryption key 6
- 7. Fixed Key • Physically load a key (fixed) to the client • The client encrypt a data with the key • The host decrypt the data with the key • The key is replaced on either plan or key compromise • Same key is used over and over for encipherment 7
- 8. Fixed Key Host Client (device) Network Data encryption Data Data Data decryption 8
- 9. Master / Session Key • Share a master key between host and client beforehand • Host generates a session key before transaction • Host encrypts the session key with the master key and send to client • Client decrypts the encrypted session key with the master key shared beforehand 9
- 10. Master / Session Key • Must generate and share a new master key if the master key is compromised • Still popular because of effectiveness • Adoption of asymmetric for master key • Developed before asymmetric algorithm was developed 10
- 11. Master / Session Key PRIVATEPUBLIC Host Client (device) Generate asymmetric key pair and tra nsfer private key to client at factory Symmetric Key PRIVATE Encrypted Symmetric Key Encrypted Symmetric Key encryption decryption Symmetric Key Network 11
- 12. Master / Session Key Host Client (device) Data encryption and decryption with symmetric key Data encryption Data Network Data Data decryption 12
- 13. DUKPT • Derived Unique Key Per Transaction • Host has BDK (Base Derivation Key) and generates IPEK (Initial Pin Encryption Key) • IPEK is inserted into client • Client generates Future Key sets and remove IPEK 13
- 14. DUKPT • Future Key is used for data encryption • The used future key is replaced with a newly generated future key • Client transmits key set id, client id and transaction counter with encrypted data • Host calculates the encryption key with the transmitted data and decrypt 14
- 15. DUKPT IPEKBDK Host Client (device) IPEK generation Network generation 21 Future Keys Will be remove d after generati on of future key Used future key is replaced with a new one 15
- 16. DUKPT BDK Host Client (device) Network 21 Future Keys DataData encryption DataData decryption calculation 16
- 17. Closing • Key managements are not limited with these three ways – can be used mingled • The devices should be tamper proof • Reference: ANS X9.24-1 17