emv key management - securetechalliance.org · 2015-10-07 · datacard confidential emv key...
TRANSCRIPT
Datacard Confidential
EMV Key Management
Why Should You Care?
Guy Berg Global Industry Consultant Advanced Payment Technologies Datacard Group 651.354.6808 [email protected]
Datacard Confidential 2
What Do these Operations have in Common?
Dynamic Cryptogram
Dynamic Data Authentication
Digital Signatures
Tokenization
On-line Authentication
Off-line Authentication
Cryptography
Data Security
Key Management
Datacard Confidential 3
• Key Management System Core Functions – Generating Keys – Importing Keys – Exporting keys – Distributing keys – Protecting keys
What is Key Management?
Datacard Confidential 4
On-line Authentication Key
Payment Brand
Acquirer
Dynamic Cryptogram
Dynamic Cryptogram ARQC
Issuer
Shared Key
Datacard Confidential 5
On-line Authentication Keys
Payment Brand
Acquirer
Dynamic Cryptogram
Product 1 Key 1 Product 2 Key 2 Product 3 Key 3 Product 4 Key 4 Product 5 Key 5 Product 6 Key 6 Product….. Key …… Issuer
Datacard Confidential 6
Off-line Authentication Keys and Certificates
Payment Brand
Acquirer
JCB MC V D AM
Certificate Authority
Private Public
Issuer Public Key Certificate
Issuer
Public
Private
JCB MC V D AM
Cert
Datacard Confidential 7
• Updating EMV data on already issued cards • EMV Scripts
EMV Post Issuance Keys
Payment Brand
Acquirer
MDK Encryption Key
MDK MAC Key
MDK AC Key
Datacard Confidential 8
• Updating EMV data on already issued cards • EMV Card Update Scripts
EMV Post Issuance Keys
Payment Brand
Acquirer
MDK Encryption Key
MDK MAC Key
MDK AC Key
Product 1 Key set 1 Product 2 Key set 2 Product 3 Key set 3 Product 4 Key set 4 Product 5 Key set 5 Product 6 Key set 6 Product….. Key ……
Datacard Confidential 9
Smart Card Inventory Security Transport Keys
Datacard Confidential 10
Why is Key Management Important?
Keys are the Heart of EMV Protection
Maximizing key security is vital to EMV
Datacard Confidential 11
• Payment Brand • Issuers • Issuer Authorization Processors • Issuer Card Personalization Bureaus • Acquirers
Who Has to Manage EMV Keys
Datacard Confidential
Key Distribution
Key type Auth System
EMV Script Generator
CMS Data Prep
Perso / Bureau
Service Provider / VISA NET
PVK/ Key ü ü ü MDKac ü ü ü ü MDKenc ü ü MDKmac ü ü MDKidn ü ü ü MDKicvv ü ü ü KEK ü ü ZMK ü ü ü
Datacard Confidential 13
Key Transportation Key Ceremony
Datacard Confidential 14
Keys Transport using KEKs
Shared Key Encrypting Key
Shared Key Encrypting Key
Shared Key
Datacard Confidential 15
EMV Key Exchanges
Issuer
Issuer service bureau
Authorization processor
Product 1
Product 2
Product 3
Product 4
Product 5
Product …..
Product 1
Product 1
Product 1
Product 1
Product 1
Product 1
Product …
Datacard Confidential 16
Key Management Evolution
• Only used for EMV cards and PINs
• Key requirements were not well understood
• Tools were in an embryonic state
• Few people had key management knowledge
Step 1: PIN Key Management Step 2: PCI Data Security Compliance Step 3: EMV Key Management
Datacard Confidential 17
Key Management Evolution Continues…..
SE
SE
SE
TSM
Issuer 1
Issuer 1
Issuer 1
Issuer 1
Issuer 1
Issuer 1
TSM
TSM
Datacard Confidential 18
Continue to Evolve
Issuer 1
Issuer 1
Issuer 1
Issuer 1
Issuer 1
Issuer 1
Virtual Cards or Wallets
Datacard Confidential 19
Key Management Evolution
Datacard Confidential 20
• Tactical EMV Migration Questions – Where will keys be generated? – How often will keys be changed over time? – What will be the process for rolling over keys? – How will you transport keys to each location?
• One at a time in components? • Encrypted under a KEK (Key Encrypting Key)
– How will you assure the key security through the complete issuance process?
• What are your future plans for Key Management
Key Management Considerations
Datacard Confidential
EMV Key Management
Why Should You Care?
Guy R. Berg Global Industry Consultant
Datacard Group 651.354.6808