Device Keys
This document describes the format of the key data returned by the Service Center Device API Registration endpoint (the data objects in the deviceKey element of the response message).
A device key object can have the following fields:
- keyTypeName - key type name, see the chapter Supported Key Types below
- keyDataFormat - key format, see the chapter Supported key data formats below
- algorithm - key algorithm
- keyData - key data, encoded in the format specified by keyDataFormat
- keyIndex - key index, used for key versioning
Supported Key Types
The element keyTypeName describes the key type sent to the device. The following key types are currently in use:
| Key class | Key Type Name | Key Algorithm | Supported Key Data Format | Description |
|---|---|---|---|---|
| Private key | SALT | HMAC-SHA256 or RIDANGO | AES or TR34 | Tokenization key used for calculating the card PAN token |
| Private key | IPEK | DUKPT-AES or DUKPT-TDEA | AES or TR34 | DUKPT AES Initial PIN Encryption Key or Triple-DES Initial PIN Encryption Key, used for encrypting tap data |
| Private key | TERM_EP2_SECRET | SECRET | TR34 | Terminal EP2 Shared Secret |
| Public key | SC_EP2_PUBKEY | RSA | TR34 | Service Center EP2 Public Key |
| Certificate | SC_ROOT_CERT | RSA | X509 | Service Center TLS Root CA Certificate |
Supported key data formats
The exact key format depends on the value of the element keyDataFormat. It can be one of the following:
| Format | keyData field encoding | Description |
|---|---|---|
| AES | HEX | Key data is encrypted with AES (see the AES section below) |
| TR34 | Plain text | Key data is in TR-34 keyblock format |
| X509 | BASE64 | Key data is X.509 data structure in DER format |
| PLAIN | HEX | Key data is not encrypted |
Which format is used for sending the key data depends on the key type (see the Supported Key Data Format column above).
AES
Field keyData contains the HEX-encoded AES key, encrypted with the device's internal Key Exchange Key (an AES key) using AES-CBC.
Field keyIndex carries the AES IV (initialization vector) for this format rather than a key version; if keyIndex is not present, the value 0 is to be used. Note that AES-CBC by itself provides no integrity protection, so a modified keyData is not detected by the decryption step.
TR34
The following fields are in use:
Field keyData contains the key wrapped in a TR-34 keyblock, described below.
The following TR-34 header values are supported:
- Key Block Version ID: B
- Key Usage:
  - B1 - DUKPT IKEY
  - K0 - key encryption or wrapping
  - D0 - data encryption
  - 12 - EP2 component authentication
  - 00 - no specific use
- Algorithm:
  - A - AES
  - T - TDEA
  - H - HMAC
  - 0 - no specific use
- Mode of use:
  - B - encrypt/decrypt
  - E - encrypt only
  - X - derive
  - G - generate only
  - N - no specific use
- Exportability:
  - E - exporting allowed
For a DUKPT IPEK key, the TR-34 keyblock additionally carries an optional header KS containing the hex-encoded Initial KSN value.
The TR-34 keyblock is encrypted with the device's Device Key Encryption Key public key (DKEK-PUB) and signed with the
Device Key Signing Key private key (DKSK-PRIV).
The device must first verify the keyblock signature using its Device Key Signing Key Certificate (DKSK-CERT),
and only then decrypt the key from the keyblock with its Device Key Encryption Key private key (DKEK-PRIV). A keyblock whose signature does not verify is discarded without being decrypted.
TR-34 key settings
The following TR-34 header field values are used for the keys:
| Key Type Name | Key Algorithm | Header: Key Usage | Header: Algorithm | Header: Mode of use |
|---|---|---|---|---|
| SALT | AES | 00 | H | G |
| IPEK | AES | B1 | A | X |
| IPEK | TDES | B1 | T | X |
| TERM_EP2_SECRET | - | 12 | 0 | N |
| SC_EP2_PUBKEY | - | K0 | 0 | E |
Key format
SALT, IPEK
Key data inside the TR-34 keyblock is in binary form.
SC_EP2_PUBKEY
Key data inside the TR-34 keyblock should have the following structure:
| Bytes | Length | Field | Value |
|---|---|---|---|
| 0 | 1 | Type | E (ASCII) |
| 1-2 | 2 | Version | 07h 00h |
| 3-514 | 512 | Key value | Public Key in binary EP2 Public Key format (see the 'EP2 Security Specification, version 8.2', chapter '7.5 Format Public Keys') |
TERM_EP2_SECRET
Key data inside the TR-34 keyblock should have the following structure:
| Bytes | Length | Field | Value |
|---|---|---|---|
| 0 | 1 | Type | C (ASCII) |
| 1-2 | 2 | Version | 06h 10h |
| 3-18 | 16 | Key value | Component Secret in binary format |
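The following Python example is added here and is not part of this document or of the Service Center or device software. It shows the checks a device can apply to a TR-34 keyblock once the signature has been verified and the keyblock decrypted: parsing the header, comparing Key Usage / Algorithm / Mode of use against the TR-34 key settings table for the given key type, requiring the KS (Initial KSN) header for IPEK, and unpacking the SC_EP2_PUBKEY and TERM_EP2_SECRET structures above. It assumes the header uses the 16-character TR-31-style layout followed by optional blocks, which this page does not define; the CMS signing and encryption of the keyblock are outside its scope, and the sample headers and key bytes are constructed, not real keys.

```python
"""Checks a device can apply to a TR-34 keyblock once its signature has been
verified and it has been decrypted. Added example; assumes the header uses
the 16-character TR-31-style layout followed by optional blocks (this page
does not define the header encoding), and leaves the CMS wrapping out."""
from dataclasses import dataclass, field

# (Key Usage, Algorithm, Mode of use) allowed per key type, from the
# "TR-34 key settings" table. IPEK may be AES ("A") or TDEA ("T").
TR34_POLICY = {
    "SALT":            {("00", "H", "G")},
    "IPEK":            {("B1", "A", "X"), ("B1", "T", "X")},
    "TERM_EP2_SECRET": {("12", "0", "N")},
    "SC_EP2_PUBKEY":   {("K0", "0", "E")},
}


@dataclass
class Tr34Header:
    version_id: str
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: dict = field(default_factory=dict)


def parse_tr34_header(hdr: str) -> Tr34Header:
    """Assumed layout: 0 version ID, 1-4 block length, 5-6 key usage,
    7 algorithm, 8 mode of use, 9-10 key version, 11 exportability,
    12-13 number of optional blocks, 14-15 reserved. Each optional block
    is a 2-char ID, 2 hex chars of total block length, then its data."""
    if len(hdr) < 16:
        raise ValueError("header shorter than 16 characters")
    h = Tr34Header(hdr[0], hdr[5:7], hdr[7], hdr[8], hdr[9:11], hdr[11])
    pos = 16
    for _ in range(int(hdr[12:14])):
        block_id, block_len = hdr[pos:pos + 2], int(hdr[pos + 2:pos + 4], 16)
        if block_len < 4 or pos + block_len > len(hdr):
            raise ValueError(f"optional block {block_id!r} has a bad length")
        h.optional_blocks[block_id] = hdr[pos + 4:pos + block_len]
        pos += block_len
    return h


def check_header_policy(key_type: str, h: Tr34Header) -> None:
    """Reject a keyblock whose header does not match what the Service Center
    sends for this key type: this binds the key to its intended use."""
    if h.version_id != "B":
        raise ValueError(f"unexpected Key Block Version ID {h.version_id!r}")
    if h.exportability != "E":
        raise ValueError(f"unexpected Exportability {h.exportability!r}")
    allowed = TR34_POLICY.get(key_type)
    if allowed is None:
        raise ValueError(f"unknown key type {key_type!r}")
    if (h.key_usage, h.algorithm, h.mode_of_use) not in allowed:
        raise ValueError(f"header {h.key_usage}/{h.algorithm}/{h.mode_of_use} "
                         f"not allowed for {key_type}")
    if key_type == "IPEK" and "KS" not in h.optional_blocks:
        raise ValueError("IPEK keyblock lacks the KS (Initial KSN) header")


def parse_key_payload(key_type: str, h: Tr34Header, payload: bytes) -> bytes:
    """Unpack the decrypted keyblock payload per the 'Key format' section."""
    if key_type == "SC_EP2_PUBKEY":      # 'E', version 07 00, 512-byte key
        if len(payload) != 515 or payload[:3] != b"E\x07\x00":
            raise ValueError("bad EP2 public key structure")
        return payload[3:]
    if key_type == "TERM_EP2_SECRET":    # 'C', version 06 10, 16-byte secret
        if len(payload) != 19 or payload[:3] != b"C\x06\x10":
            raise ValueError("bad EP2 component secret structure")
        return payload[3:]
    # SALT and IPEK carry the raw key; check its length against the algorithm
    valid = {"A": (16, 24, 32), "T": (16, 24)}.get(h.algorithm)
    if not payload or (valid and len(payload) not in valid):
        raise ValueError(f"key length {len(payload)} invalid for {h.algorithm}")
    return payload


def accept_tr34_key(key_type: str, header: str, payload: bytes) -> dict:
    """Full check; returns the parsed key material or raises ValueError."""
    h = parse_tr34_header(header)
    check_header_policy(key_type, h)
    result = {"key_type": key_type, "key_usage": h.key_usage,
              "algorithm": h.algorithm, "mode_of_use": h.mode_of_use,
              "key": parse_key_payload(key_type, h, payload)}
    if "KS" in h.optional_blocks:
        result["initial_ksn"] = bytes.fromhex(h.optional_blocks["KS"])
    return result


def is_accepted(key_type: str, header: str, payload: bytes) -> bool:
    try:
        accept_tr34_key(key_type, header, payload)
        return True
    except ValueError:
        return False


# Constructed samples (not real keys): a DUKPT-AES IPEK with a KS header,
# and an EP2 public key structure with a zero-filled 512-byte key value.
SAMPLE_IPEK_HEADER = "B0000B1AX00E0100" + "KS18" + "FFFF9876543210E00000"
SAMPLE_IPEK_KEY = bytes(range(16))
SAMPLE_PUBKEY_HEADER = "B0000K00E00E0000"
SAMPLE_PUBKEY_PAYLOAD = b"E\x07\x00" + bytes(512)

if __name__ == "__main__":
    print(accept_tr34_key("IPEK", SAMPLE_IPEK_HEADER, SAMPLE_IPEK_KEY))
    print(accept_tr34_key("SC_EP2_PUBKEY", SAMPLE_PUBKEY_HEADER, SAMPLE_PUBKEY_PAYLOAD)["key_usage"])
    # A SALT keyblock must carry usage 00/H/G; an IPEK header is rejected for it.
    print(is_accepted("SALT", SAMPLE_IPEK_HEADER, SAMPLE_IPEK_KEY))
```

The policy check is the part worth keeping even if the header layout differs from the assumption: a device that installs whatever key the keyblock labels, without comparing the header against the settings expected for the requested keyTypeName, can be talked into using a key for a purpose other than the one the Service Center intended.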
X509
The following fields are in use:
Field keyData contains the certificate as BASE64-encoded DER (see X.509); field keyIndex is not used.
PLAIN
Field keyData contains the HEX-encoded shared secret; field keyIndex is not used.