A98 Lifecycle Management

Remote Key A98 ATM Initial Key Establishment System offers management of the cryptographic keys for ATMs. A98’s patented process is in use at banks, credit unions, networks, and large processors. With the introduction of the Remote Key Module, A98-R automates both the generation and distribution of cryptographic keys for ATMs. A98-R is compatible with ATMs that use RSA-enabled encrypting PIN pads (EPPs).

The A98-R implements both the Diebold and Triton Certificate Based Protocols (CBP) and the NCR and Wincor-Nixdorf Signature Based Protocol (SBP), as defined in the ANS X9.24 Standard on Retail Cryptographic Key Management.
  • The Diebold approach uses X.509 certificates and PKCS message formats to transport key data.
  • NCR’s method relies on digital signatures to ensure data integrity.

Both processes require the ATM’s EPP to be loaded at the factory with signed Public Keys or Certificates. In addition, as part of the initialization process, at least one A98 key pair must be generated and its public key signed by a Certificate Authority and imported back into the A98 before the A98 can successfully communicate with the public key ATM. A separate key pair is required for each ATM manufacturer.

The remote key process requires that mutual authentication first be established between the A98-R and the ATM EPP. Communications between the A98-R and the EPP are controlled and mediated by a separate Terminal Handler if the EPP is not directly connected to the A98-R. During the Authentication step, the EPP sends its Public Key information to the A98-R via the Terminal Handler. Once the appropriate EPP Public Key information is exchanged and verified, it is stored in the A98-R database associated with that EPP, and the A98-R responds with its own Public Key information, which is sent to and verified by the EPP.

Once mutual authentication is established, if a request for a new Terminal Master Key is received, the A98-R retrieves the previously stored EPP Public Key data, generates a new Terminal Master Key encrypted under the EPP’s Public Key, formats the new Master Key payload appropriately, and sends it to the Terminal Handler to forward down to the EPP.