Remote Key Loading: Spread security. Unlock efficiency


A smarter way to do business

The hacker community is growing increasingly sophisticated – which means the financial community needs to do the same. But the key to a smart automatic teller operation lies in more than high security. Today’s business-minded financial institutions also demand efficiency. That’s why they depend on Remote Key Loading (RKL) from Cryptera. By replacing traditional dual-control split-knowledge – a manual approach to key installation and maintenance – with Cryptera RKL – a secure, on-line solution – key management becomes more cost-effective. More secure. More efficient. More simple. In other words: more intelligent.

Cut costs

Sending two-person teams to each ATM and administering key material has traditionally been an expensive, time-consuming task. And as card-issuing companies are demanding larger, more complex key sizes, the complexity of manual key entry and key handling is continuing to increase – along with the cost. Cryptera RKL allows banks to save on the generation, storage, distribution and manual handling of paper-based key information, as these procedures are either unnecessary with Cryptera RKL or controlled by the host system.

Increase security

The human factor involved in manual key handling increases the security risk of key exposure or misuse. With Cryptera RKL, human handling of key information is unnecessary. All information is safely transmitted online using secure cryptographic methods to protect and distribute keys. This enables secure installation and frequent periodic key updating, which increases overall system security.

Streamline operations

By definition, secure remote control is far more efficient than traditional dual split control. Eliminating the human factor also eliminates constraints regarding operational hours and distance – in addition to avoiding the risk of misuse of key information.

Prevent headaches

Because Cryptera RKL is based on open international standards, it is easy to implement at the host end. No proprietary standards; only the freedom to take a smarter approach to key management.


Key exchange

Host
• Host validates signature using public CA key of ATM certificates
• Host sends certificate with own public key
• Host requests a nonce from ATM
• Host generates and encrypts Terminal Master Key using ATM public key and generates signature and encryption result using own secret key

ATM
• ATM sends certificates with own public key
• ATM validates signature using public CA key of host certificate
• ATM generates a nonce and starts key exchange
• ATM validates signature and nonce using public key and obtains key by decrypting with secret key
• ATM sends receipt that information is correct

A typical interaction for the exchange of the initial symmetric master key takes less than 60 seconds.


A safer form of technology

Cryptera RKL is based upon sophisticated, standardised and professionally accepted methods of cryptography. A variety of built-in authentication measures ensures that both the host and the ATM operate under fully secure conditions.

Two keys – maximum security

The secure operation of Cryptera RKL depends upon cryptography using 2048 bit RSA keys, generated internally in the Cryptera encrypting PIN pad. Both the host and the ATM own a pair of keys – one secret key and one public key. The public key is used to encrypt data; the secret key to decrypt data. With RSA-based technology, the only party able to decrypt a given message is the owner of the related secret key.

State-of-the-art cryptographic protocol

The key exchange protocol uses X.509 certificates to verify that the public keys belong to valid encrypting PIN pads (EPPs)/hosts. This prevents “man-in-the-middle” types of attacks. The certificates are issued by a central Certification Authority. In addition, the protocol uses dynamic messages, including “nonces” (nonce = number used only once) to protect against replay attacks. The “nonces” are digitally signed to provide mutual authentication. The protocol terminates with authentic confirmation of key reception.
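The core step of the key exchange and of the nonce-based replay protection described above, as an added Go example that is not Cryptera's code: the host encrypts the Terminal Master Key to the ATM's public key and signs it together with the ATM's nonce, and the ATM verifies before decrypting. It assumes both public keys were already validated through their X.509 certificates; the padding schemes, the `KeyMsg` layout and all function names are hypothetical, since the brochure specifies none of them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyMsg is a hypothetical wire format; the brochure does not define one.
type KeyMsg struct{ EncTMK, Sig []byte }

func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // key size stated in the brochure
	if err != nil {
		panic(err)
	}
	return k
}

// digest hashes nonce||ciphertext so the signature binds the key to one session.
func digest(nonce, ct []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), ct...))
	return h[:]
}

// HostSend encrypts the TMK for the ATM and signs it (OAEP, PKCS#1 v1.5: assumed).
func HostSend(host *rsa.PrivateKey, atm *rsa.PublicKey, nonce, tmk []byte) (KeyMsg, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, atm, tmk, nil)
	if err != nil {
		return KeyMsg{}, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, host, crypto.SHA256, digest(nonce, ct))
	return KeyMsg{ct, sig}, err
}

// ATMReceive verifies the signature over its own nonce, then decrypts the TMK.
func ATMReceive(atm *rsa.PrivateKey, host *rsa.PublicKey, nonce []byte, m KeyMsg) ([]byte, error) {
	if err := rsa.VerifyPKCS1v15(host, crypto.SHA256, digest(nonce, m.EncTMK), m.Sig); err != nil {
		return nil, fmt.Errorf("reject key message: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, atm, m.EncTMK, nil)
}

func main() {
	atm, host, nonce := NewKey(), NewKey(), []byte("constructed-nonce")
	msg, _ := HostSend(host, &atm.PublicKey, nonce, []byte("constructed-TMK!"))
	fmt.Println(ATMReceive(atm, &host.PublicKey, nonce, msg))
}
```

Because the ATM checks the signature against the nonce it generated for the current session, a key message captured from an earlier session fails verification even though its signature was once valid.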


Cryptera security

Cryptera’s standard RKL solution includes the following features:

• 2048 bit RSA keys (generated internally in the encrypting PIN pad)
• One RSA key pair for key encryption/decryption
• One RSA key pair for data verification/signing
• Public keys contained in X.509 certificates
• Certificate-based protocol according to international ISO 11770-3 standard
• EPP firmware programming interface compatible with XFS 3.03 API
• Loading of externally generated X.509 certificates (if customer desires)

Option

• Establishment of secure communication channel to external Certification Authority and loading of externally generated X.509 certificates


A better way to serve customers

With Cryptera, security is more than the technical measures that ensure safe transactions. “Cryptera security” also means people – more than 100 highly committed, highly skilled professionals who are dedicated to making your experience with Cryptera check out successfully on all counts. We’ve been providing high-security payment solutions worldwide since the 1980s. Cryptera is a world leading supplier of encrypting PIN pads and has several years of experience supplying EPPs and RKL solutions on an OEM basis. We’re here to support you too – so that not only you, but also your customers benefit from better service.

Open standards = flexible solutions

We don’t think banks should be locked into using one particular ATM supplier. So unlike our competitors, Cryptera supports open rather than proprietary standards to give financial institutions as much freedom of choice as possible. We also support a flexible approach to implementing RKL. Banks do not need to switch to the technology all at once – a gradual approach is an option for financial institutions that want to implement Cryptera RKL now and start using it later. By purchasing an encrypting PIN pad from Cryptera, it is possible to operate ATMs in a traditional mode until the host software vendor is ready to support the new key loading system.

Prepared customers = satisfied customers

When planning for the implementation of an RKL system, one of the major factors to consider is the support of RKL in the host system. Often the host relies on a dedicated, standalone Host Secure Module (HSM) provided by a third-party vendor. This means that the HSM module chosen or currently in use has to be able to support RSA-based RKL operations.

How to proceed

Please contact Cryptera for a detailed checklist and guidelines for RKL implementation in your system. Cryptera is happy to support the ATM supplier as well as the HSM supplier during the implementation phase.


Welcome to a place where we live and breathe payment security

Headquartered in Copenhagen, Denmark, Cryptera has more than 25 years’ experience in providing high-security payment solutions worldwide.

With more than 1,000,000 payment solutions in use across the globe, Cryptera has proven and tested international experience within the global payment industry.

Cryptera is a world-leading provider of secure payment solutions and supplies some of the largest global manufacturers of ATMs and petrol pumps.

Our main products are encrypting PIN pads for ATMs and unattended payment terminals for self-service payment solutions.

Cryptera employs a staff of approximately 100 and has its own hardware and software development departments as well as production, sales and servicing of its proprietary products and solutions.

The R&D department has a staff of highly educated engineers and computer scientists with expertise in the fields of encryption, certification and integrated payment solutions.

Phone: + 45 4343 4395 Fax: + 45 4343 5354

www.cryptera.com

Fabriksparken 20 DK-2600 Glostrup

Cryptera A/S