Cryptographic support of smart card personalization using SAM cards

The SAM card crypto applet executes the cryptographic functions used in smart card personalization when cryptographic support for personalization is provided by SAM cards rather than by a host HSM.

The current version of the crypto applet implements the functions needed to personalize Gemplus, NXP and Axalto native cards. If you want to personalize other card types using a SAM, the crypto applet functionality can be extended accordingly.

Time of personalization
Please note that the time of personalization using SAM cards depends on the complexity of personalizing a given card type, but on average it exceeds the time taken with SafeNet (Eracom) or Thales e-Security high-volume cryptographic equipment by 3-7 seconds.

The authorization crypto applet provides cryptographic support for EMV authorization. It offers secure storage of the issuer's cryptographic keys and implements the symmetric cryptography shared between the issuer authorization host and the EMV application, as well as the asymmetric cryptography used by a POS terminal. Its EMV transaction authorization capabilities match those of high-volume cryptographic devices (such as SafeNet (Eracom) and Thales e-Security).

Due to its low price and wide functionality, a Java card with the crypto applet can serve many purposes, but it is most often used for EMV card quality assurance by means of EMV Insight.

Additional information

Management of SafeNet (Eracom), Thales e-Security and SAM-cards crypto devices

KeyCompass CryptoSubSystem (KeyCompass CSS) performs cryptographic processing of information and key generation during data preparation for smart card personalization and testing, as well as PIN printing and data generation for the magnetic stripe. SafeNet (Eracom), Thales e-Security and, for some operations, SAM-card crypto devices are used.

The KeyCompass CSS crypto subsystem is an information security tool that can also be used for issuing EMV cards. In particular, KeyCompass CSS is used for data preparation, smart card personalization, and generating and printing the PIN.

KeyCompass CSS allows you to perform the cryptographic procedures necessary for personalizing cards from the following manufacturers:

  • Axalto;
  • GemPlus;
  • Giesecke & Devrient;
  • Setec and other manufacturers;
  • as well as cards from different manufacturers that meet the GlobalPlatform specifications.

KeyCompass CSS works together with the microchip personalization data preparation software SmartDataCenter and the PIN generation and printing application MSDP Manager. For microchip card personalization, KeyCompass CSS is used in systems based on SCPE.

KeyCompass CSS is a component of the Complex EMV cards issuance solution.

Additional information

PRONIT specialists have an in-depth understanding of smart card architecture and principles of operation. That is why we offer custom development of smart card applets. We have already successfully implemented the following smart card applications:

If you are interested in custom development of smart card applets, please contact us by e-mail.

Convenience and automation of cryptographic key management.

With the introduction of EMV card issuance and servicing technology in large organizations, providing convenient and automated cryptographic key management has become a particularly relevant problem. The solution is a system that can generate, store and transmit keys, withdraw expired keys from circulation in good time and put new ones into circulation. The system can also provide key material to other information systems, for example a personalization system, acquiring, or smart card management.

To solve these problems effectively, a Key Management System (KMS) can be used.


[Figure: Key Management System architecture]

The Key Management System performs the standard cryptographic material management functions:

  • key generation;
  • generation of key certificate requests;
  • display and testing of key certificate parameters;
  • transmission of keys between cryptographic zones.

In addition to the standard functions, the Key Management System structures work with cryptographic material and automates some of the processes, in particular:

  • storage of cryptographic keys and certificate parameters;
  • timely introduction of keys into circulation and withdrawal from it;
  • transmission of groups of keys between cryptographic zones;
  • an automated procedure for replacing the LMK in the crypto device.

Cryptographic material can be associated with legal entities or individuals, payment systems and cryptographic devices.

The KMS can generate documents corresponding to the operations performed:

  • protocols of key generation, issuer certificate request and generation processes;
  • statistical and analytical reports and other customizable documents.

The Key Management System keeps an audit log of all operations performed with the system and its objects, including cryptographic material.

The Key Management System can be used both by people and by external information systems. The system provides a means of managing the access rights of security officers, administrators and users (including external applications).

To ensure security when working over public networks, the Key Management System uses secure communication technologies, including VPN, and advanced mechanisms to limit access to the database.

Additional information

  • We will provide additional information upon request. Please send your request to us by e-mail.

Issuer Self-signed Certificate format check

The Cert Auth module is designed for testing the format of Issuer Self-signed Certificates before they are sent to the Certification Authority (Visa, MasterCard International) for signature. In addition, the module allows you to obtain signed issuer and payment system certificates for testing purposes without involving the Certification Authority.

Currently the module supports the certificate exchange formats accepted by Visa and MasterCard International.

The Cert Auth module allows you to:

  • generate Certification Authority RSA keys (the key length can be set);
  • receive and sort files:
      • with Issuer Self-signed Certificates;
      • with the result of the hash-function calculation for the issuer certificates (for MasterCard International);
  • create files:
      • with issuer certificates signed by the payment system;
      • with payment system certificates;
      • with the result values of the hash-function calculation for the Certification Authority certificate (for MasterCard International).

Cryptography data preparation, for personalization and testing of plastic cards

The crypto subsystem is designed to ensure the security of the data preparation, card personalization and card testing processes. The crypto subsystem consists of a cryptographic hardware and software component and the control software.

At the issue preparation stage the crypto subsystem performs the following:

  • generation of PINs and printing of confidential values;
  • calculation of special values for magnetic stripe encoding (CVV, iCVV, PVV);
  • the operations necessary for data preparation, issuance and maintenance of smart cards:
      • generation and secure storage of issuer keys and certificate requests;
      • generation, verification and analysis of issuer RSA key certificates;
      • translation of RSA key components from CRT form to the private modulus/exponent representation;
      • card key generation;
      • data re-encryption from one security zone to another.
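
The CRT-to-modulus/exponent translation listed above is a place where a corrupted or mismatched component silently produces a key that signs wrongly, so a practitioner wants the conversion and a consistency check together. The following is an added example, not code from PRONIT or from the crypto subsystem described here; the `CRTKey` and `PrivateKey` types and the toy primes (p=61, q=53, e=17) are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// CRTKey holds the private-key components in Chinese Remainder Theorem form,
// as issuer key records commonly carry them: primes p and q, the CRT exponents
// dP = d mod (p-1) and dQ = d mod (q-1), the coefficient qInv = q^-1 mod p,
// and the public exponent e, which is needed to recover d unambiguously.
// (Hypothetical type for this example.)
type CRTKey struct {
	P, Q, DP, DQ, QInv, E *big.Int
}

// PrivateKey is the modulus/exponent representation (n, d).
type PrivateKey struct {
	N, D *big.Int
}

var one = big.NewInt(1)

// CRTToPrivate converts a CRT-form key to (n, d) and verifies that the CRT
// components agree with each other before the key is trusted.
func CRTToPrivate(k CRTKey) (PrivateKey, error) {
	pm1 := new(big.Int).Sub(k.P, one)
	qm1 := new(big.Int).Sub(k.Q, one)
	n := new(big.Int).Mul(k.P, k.Q)
	phi := new(big.Int).Mul(pm1, qm1)

	// d is the inverse of e modulo phi(n); ModInverse returns nil when gcd != 1.
	d := new(big.Int).ModInverse(k.E, phi)
	if d == nil {
		return PrivateKey{}, errors.New("e is not invertible modulo phi(n)")
	}

	// Consistency checks against the supplied CRT components. Because both
	// p-1 and q-1 divide lcm(p-1, q-1), any valid d has the same residues.
	if new(big.Int).Mod(d, pm1).Cmp(k.DP) != 0 {
		return PrivateKey{}, errors.New("dP does not equal d mod (p-1)")
	}
	if new(big.Int).Mod(d, qm1).Cmp(k.DQ) != 0 {
		return PrivateKey{}, errors.New("dQ does not equal d mod (q-1)")
	}
	qq := new(big.Int).Mul(k.QInv, k.Q)
	if qq.Mod(qq, k.P).Cmp(one) != 0 {
		return PrivateKey{}, errors.New("qInv is not the inverse of q modulo p")
	}
	return PrivateKey{N: n, D: d}, nil
}

// RoundTrip encrypts m with (n, e) and decrypts with (n, d); true means the
// converted key is functionally usable.
func RoundTrip(pk PrivateKey, e, m *big.Int) bool {
	c := new(big.Int).Exp(m, e, pk.N)
	return new(big.Int).Exp(c, pk.D, pk.N).Cmp(m) == 0
}

// sampleCRTKey is a constructed toy key (p=61, q=53, e=17, d=2753) for
// demonstration only; real issuer keys are 1024 bits or longer.
func sampleCRTKey() CRTKey {
	return CRTKey{
		P: big.NewInt(61), Q: big.NewInt(53), E: big.NewInt(17),
		DP: big.NewInt(53), DQ: big.NewInt(49), QInv: big.NewInt(38),
	}
}

func main() {
	pk, err := CRTToPrivate(sampleCRTKey())
	if err != nil {
		fmt.Println("conversion failed:", err)
		return
	}
	fmt.Printf("n=%s d=%s round-trip ok=%v\n",
		pk.N, pk.D, RoundTrip(pk, big.NewInt(17), big.NewInt(65)))
}
```

The check is cheap relative to the cost of discovering a bad key only after cards have been personalized, which is why a crypto subsystem should refuse the conversion rather than produce (n, d) from inconsistent components.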

During the personalization stage the crypto subsystem performs the following:

  • diversification of the UDK key;
  • generation of card RSA keys and certificates;
  • re-encryption and secure movement of data;
  • PIN block formation and reformatting;
  • MAC calculation;
  • the encryption functions specific to each type of native card.

The hardware component of the crypto subsystem can be high-performance crypto devices from SafeNet (Eracom) or Thales e-Security, or special SAM cards. There is also crypto device emulation software, useful at the implementation and testing stages.

The management software of the crypto subsystem must perform key management for the LMK, ZCMK, RSA keys and the working issuer keys, and must also provide an interface through which external applications can execute the crypto procedures securely.

The specificity of smart cards cryptography

For many years, cryptographic systems have been used in the card business for data preparation, card personalization and transaction authorization. The technology of these devices, designed to work with magnetic stripe cards, has been developed, tuned and unified to a much greater extent than cryptographic systems for smart cards. Thales e-Security equipment is well suited to the production of magnetic stripe cards. The range of cryptographic functions of the device is determined by its firmware version.

Today smart cards are becoming more common, new applications are being developed, and card usage and personalization schemes are becoming more complex. The dynamic development of the industry requires more flexible support for new trends from crypto subsystems. Payment systems frequently issue new specifications and revisions of them. Under conditions of constant change and evolution of the market, issuers move from one type of smart card to another and increase the range of personalized applications, and all this implies a wider range of cryptographic functions necessary for protecting the information on the cards being personalized.

Specifics of solutions based on SafeNet (Eracom) devices.

There are crypto devices on the market today that take the above features of smart card personalization into account. SafeNet (Eracom) equipment allows the developer to load cryptographic functions (functional modules, FM) that meet the needs of a particular project. Modification of the functional modules can thus be carried out by third-party developers without involving the hardware manufacturer.

Java-based SAM cards and Open Platform cards have the same advantages, together with an exceptionally low price.

Specifics of solutions based on Thales e-Security devices.

The Thales e-Security device follows a different philosophy: any change to the cryptographic personalization support scheme, for example adding a new application that uses specific cryptography, requires a change to the device firmware, which is a difficult technical procedure and requires the direct participation of the hardware manufacturer.

Key management

An important task in the field of cryptographic security is the management of the keys used in continuous operation (Key Management).

The issuer works with a significant amount of secret key material and values; specifically, the issuer:

  • generates issuer RSA keys and evaluates their certificates;
  • transfers information and keys from one security zone to another;
  • operates the keys for secure information exchange with the card (Secure Messaging);
  • works with the keys of other symmetric and asymmetric security schemes.

Consequently, there is a need for a convenient way to manage and store key material that greatly simplifies operation:

  • control of generation time and expiration date;
  • automatic checking of a key's KCV and of its membership in a particular security zone;
  • automatic key replacement.
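
The KCV and zone-membership check from the list above, as an added example rather than code from PRONIT or its Key Management System: a 3DES key check value is the first three bytes of encrypting an all-zero block, and a management system compares it with the value it stored for the key and the zone the key was registered in. The `KeyRecord` type, the zone names and the demonstration key (the all-zero DES key with odd parity applied) are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyRecord is what a key management system stores alongside a key's
// metadata: the security zone it belongs to and its expected check value.
// (Hypothetical type for this example.)
type KeyRecord struct {
	Zone string
	KCV  []byte // first 3 bytes of 3DES-encrypting an all-zero 8-byte block
}

// HasOddParity reports whether every key byte has odd parity, as DES keys
// require; a parity failure usually indicates a typing or transmission error.
func HasOddParity(key []byte) bool {
	for _, b := range key {
		ones := 0
		for v := b; v != 0; v >>= 1 {
			ones += int(v & 1)
		}
		if ones%2 == 0 {
			return false
		}
	}
	return true
}

// ComputeKCV returns the 3-byte check value of a 16- or 24-byte 3DES key.
// A 16-byte (two-key) key is expanded to K1|K2|K1 as 3DES keying option 2 defines.
func ComputeKCV(key []byte) ([]byte, error) {
	switch len(key) {
	case 16:
		key = append(append([]byte{}, key...), key[:8]...)
	case 24:
	default:
		return nil, errors.New("3DES key must be 16 or 24 bytes")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	block.Encrypt(out, make([]byte, 8))
	return out[:3], nil
}

// VerifyKey performs the checks a KMS runs before releasing a key for use:
// parity, KCV match against the stored record, and zone membership.
func VerifyKey(key []byte, zone string, rec KeyRecord) error {
	if !HasOddParity(key) {
		return errors.New("key parity check failed")
	}
	kcv, err := ComputeKCV(key)
	if err != nil {
		return err
	}
	if !bytes.Equal(kcv, rec.KCV) {
		return fmt.Errorf("KCV mismatch: computed %X, expected %X", kcv, rec.KCV)
	}
	if rec.Zone != zone {
		return fmt.Errorf("key belongs to zone %q, not %q", rec.Zone, zone)
	}
	return nil
}

// demoKey is a constructed demonstration key: the all-zero DES key with odd
// parity applied (0x01 bytes). It exists only to give a reproducible KCV.
func demoKey() []byte {
	k, _ := hex.DecodeString("01010101010101010101010101010101")
	return k
}

func main() {
	// The KCV of demoKey is 8CA64D, the first bytes of the classic DES test
	// vector for the zero key and zero block.
	rec := KeyRecord{Zone: "PERSO", KCV: []byte{0x8C, 0xA6, 0x4D}}
	fmt.Println("use in PERSO zone:", VerifyKey(demoKey(), "PERSO", rec))
	fmt.Println("use in ACQ zone:  ", VerifyKey(demoKey(), "ACQ", rec))
}
```

A KCV only detects accidental corruption or a swapped key; it is not a secret and does not authenticate the key's origin, so the zone check and the audit log remain necessary alongside it.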

It is convenient to be able to work with most types of crypto equipment (SafeNet (Eracom), Thales e-Security, SAM cards and others) without changing the crypto subsystem or the main system built on it. This advantage is achieved when the crypto subsystem can evolve dynamically and meet the requirements of the payment systems.

Solutions by PRONIT.

  • Key Management System: software solution that automates cryptographic key management.
  • KeyCompass CSS: software solution for management of SafeNet (Eracom), Thales e-Security and SAM-card equipment.
  • Cert Auth: Issuer Self-signed Certificate format testing module.