Key Management for terminals with HCV activation
Initial configuration
Initially, terminals should have the following certificate issued by Sfey:
Sfey Root CA Certificate(SRCA-CERT)
This certificate should be compiled directly into the Payment Application code.
This certificate is used for validating other certificates exchanged later during the terminal registration and key exchange processes.
Terminal registration
When terminal starts a registration process, it should first generate Device Key Encrypton Key keypair
(DKEK-PRIV and DKEK-PUB), store this keypair in local keystore and create a certificate request (DKEK-CSR) for this.
Terminal should calculate HCV value from the DKEK-CSR binary thumbprint (that is - from the SHA-256
hash of the certificate request) during the creation of the DKEK-CSR and should show this on the screen of the terminal.
HCV calculation logic is specified here.
With the help of the Device API Device Registration endpoint terminal should send DKEK-CSR to the TPS. TPS
returns the Device Key Encryption Key Certificate (DKEK-CERT) and
Device Key Signing Key Certificate (DKSK-CERT) with full certificate chains.
Terminal should verify that both certificate chains are valid and store received certificates in the local keystore.
After the terminal is registered, manual activation through TPS Payments Manager UI is needed.
For this an authorized person
should enter HCV value received from the terminal.
Device Key Encryption Key Certificate Signing Request
Device Key Encryption Key Certificate Signing Request (DKEK-CSR) should contain at least the following fields:
Common Name- Terminal type and serial number concatenated in the form:{terminalType}:{serialNumber}
Key exchange
When TPS sends keys to the terminal (via the Device API Update Data endpoint), then these keys will be signed with the
Device Key Signing Key Private Key (DKSK-PRIV) and encrypted with the
Device Key Encryption Key Public Key (DKEK-PUB).
Keys will be provided in the TR-34 keyblock format.
Terminal should use stored Device Key Encryption Key Private Key (DKEK-PRIV) for decrypting the key and
use stored Device Key Sining Key Certificate (DKSK-CERT) for verifying the signature.
The following keys will be sent via Device API Update Data endpoint:
- Tokenization Key (
SALT) - this key should be used by the terminal for calculating card token from the PAN. - Terminal Data Encryption Key (
IPEK) - this key should be used by the terminal for encrypting tap data before sending this to the TPS.
Summary of the keys and certificates used in the terminal
Certificates
| Certificate | Short name | Issued by | Used by the terminal for |
|---|---|---|---|
| Sfey Root CA Certificate | SRCA-CERT | Validating STPS-CERT | |
| Sfey TPS CA Certificate | STPS-CERT | SRCA-CERT | Validating DKEK-CERT and DKSK-CERT |
| Device Key Encryption Key Certificate | DKEK-CERT | STPS-CERT | Validating DKEK-PRIV key |
| Device Key Signing Key Certificate | DKSK-CERT | STPS-CERT | Verifying signature of the keys received from TPS |
Private keys
| Private Key | Short name | Corresponding Certificate | Used by the termninal for |
|---|---|---|---|
| Device Key Encryption Key | DKEK-PRIV | DKEK-CERT | Decrypting keys received from TPS |
| Tokenization Key | SALT | - | Generating token from the card PAN |
| Terminal Data Encryption Key | IPEK | - | Encrypting tap data |