Cryptography data preparation, for personalization and testing of plastic cards
The crypto subsystem is designed to ensure the safety of data preparation processes, card personalization and their testing. The crypto subsystem includes cryptographic hardware and software component, as well as control software.
At the issue preparation stage the crypto subsystem performs the following:
- Generation of the PIN and printing of confidential values;
- Calculation of specialized values for magnetic stripe encoding(CVV, iCVV, PVV);
- Perform operations necessary for data preparation, issuance and maintenance of the smart cards:
- generate and secure storage of the issuer keys, certificates request;
- generate, verify and analyze issuer’s RSA-key certificates;
- translation RSA key components from CRT to private modulus/exponent representation;
- card keys generation;
- o data re-encryption from one security zone to another
During the stage of personalization the crypto subsystem performs the following:
- diversification of UDK-key;
- generation of RSA-key cards and certificates;
- re-encryption and secure data movement
- PIN block formation and reformat;
- MAC calculation;
- implementation specific to each type of the native-card encryption functions.
The hardware component of the crypto subsystem can be presented by high-performance crypto devices from the SafeNet (Eracom) comoany, Thales e-Security or special SAM-cards. There is also a crypto device emulation software, useful at the stages of implementation and testing.
The management program part of the crypto subsystem must perform the key management procedure with the LMK, ZCMK, RSA keys and with the working issuer keys, and also provide an interface for external applications for secure execution of the crypto procedures.
The specificity of smart cards cryptography
For many years, cryptographic systems are used in the cards business for data preparation, card personalization and transactions authorization. The technology of this device, designed to work with magnetic stripe cards, have been developed, adjusted and unified to a large extent more than the cryptographic system for smart cards. Thales e-Security equipment is perfect for production of magnetic stripe cards. The ranges of cryptographic functions of the device are determined by firmware version.
Today smart cards are becoming more common, new applications are developed, more complex schemes of card usage and personalization. The dynamic development of the industry requires a more flexible support for the new trends by the crypto subsystems. Payment systems often issue new specifications and their improvement. Under the conditions of constant change and evolution of the market, the issuers are moving from one type of smart card to another, increasing the range of personalized applications – and all this implies a wider range of cryptographic functions, necessary for protecting information on cards that are personalized.
The solution specifics based on SafeNet (Eracom) devices.
Currently on the market, there are crypto devices, which take into account the above features of smart card personalization. SafeNet (Eracom) equipment allows the developer to load cryptographic functions (functional modules – FM), which meet the needs of a particular project. With this the modification of the functional modules can be carried out by third-party developers without the hardware manufacturer.
Java based SAM-cards and Open Platform cards, have the same advantages, along with exceptionally low price.
The solution specifics based on Thales e-Security devices.
The Thales e-Security device implements a different ideology: any change in the scheme of cryptographic personalization support, associated, for example, with the addition of a new application, which uses specific
Cryptography, requires the device firmware change, which is a difficult technical procedure and requires the direct participation of the hardware manufacturer.
Key management
An important task in the field of cryptographic security is a key management, used in continuous operation (Key Management).
The issuer works with a significant amount of secret key material and values, specificly:
- • generates issuer RSA-key, evaluates their certificates;
- • transfers information and keys from one security zone to another;
- • operates the keys for secure information exchange with the card (Secure Messaging);
- • works with the keys in the other symmetrical and asymmetrical security schemes.
In connection to this, there is a need for a convenient way to manage and store key material, which greatly simplifies the operation:
- • control of the generation time and expiration date;
- • automatically tests the KCV-key and it’s belonging in a particular security zone;
- • automatic key replacement.
It is convenient, when you can work with most types of crypto equipment (SafeNet (Eracom), Thales e-Security, SAM-cards and others), without changing the crypto subsystem, and the main system, which it is based on. This advantage is achieved if the crypto subsystem has the ability to dynamically evolve and meet the requirements of payment systems.
Solutions by PRONIT company.
Key Management System | software solution that automates the cryptographic keys management |
KeyCompass CSS | Software solution for management of SafeNet (Eracom), Thales e-Security and SAM-cards equipment. |
Cert Auth | Format testing module Issuer Self-signed Certificate |