How to Understand Master Key and Session Key in WizarPOS Systems: Difference between revisions

Revision as of 21:20, 13 January 2024

Master Key

In a hierarchy of Key Encrypting Keys (KEKs) and Transaction Keys, the Master Key represents the highest level of KEK.
Distribution Method: Master Keys are typically distributed using physical methods, such as device keypads, magnetic cards, or key loading devices.
Replacement: They are replaced using the same methods whenever compromise is suspected or confirmed.

Transaction Key (Session Key)

A Transaction Key, often referred to as a Session Key, Data Key, communications key, or working key, is used to cryptographically process transactions.
In scenarios where different cryptographic functions are used, each function might employ a variant of the Transaction Key.

WizarPOS Key Hierarchy

Two-Layer Hierarchy:
- In WizarPOS devices, the highest-level KEK is known as the Master Key.
- The Master Key encrypts Transaction Keys (Session Keys) directly.
- Session Keys in WizarPOS: These include PIN keys (for encrypting PIN blocks), MAC keys (for MAC calculations), and data keys (for encrypting other data).
- WizarPOS supports three slots for Session Keys internally, but some external PINPads might only support two slots.
Three-Layer Hierarchy:
- Highest Level: Referred to as a Transfer/Transport Key.
- Middle Level: Known as a Master Key.
- Lowest Level: Called a Session Key, which is encrypted by the Master Key.
- This hierarchy offers an additional layer of security by separating the Transfer/Transport Key from the Master and Session Keys.

Groups of Keys

WizarPOS systems support 50 groups of Master/Session Keys.

Key Injection

Master Key (Two-Layer) & Transfer/Transport Key (Three-Layer): For injecting these keys, refer to How to Remotely Inject Test Keys (Master Key or DUKPT Key) into a Terminal or How to Use TMK Delivery System for KeyLoader POS and Master POS.
Session Key & Master Key (Three-Layer): These can be injected using our SDK. Refer to the PINPad section of our SDK for detailed instructions.

Usage

For information on how to utilize these keys, please refer to the PINPad description in our SDK.

@@ Line 1: / Line 1: @@
-== Description ==
+== Master Key ==
-* Master Key
+* In a hierarchy of Key Encrypting Keys (KEKs) and Transaction Keys, the Master Key represents the highest level of KEK.
-In a hierarchy of Key Encrypting Keys and Transaction Keys, the highest level of Key Encrypting
+* Distribution Method: Master Keys are typically distributed using physical methods, such as device keypads, magnetic cards, or key loading devices.
-Key is known as a Master Key
+* Replacement: They are replaced using the same methods whenever compromise is suspected or confirmed.
+== Transaction Key (Session Key) ==
-* Transaction Key(Session Key)
+* A Transaction Key, often referred to as a Session Key, Data Key, communications key, or working key, is used to cryptographically process transactions.
-A key used to cryptographically process the transaction. If more than one key is used for different
+* In scenarios where different cryptographic functions are used, each function might employ a variant of the Transaction Key.
-cryptographic functions, each may be a variant of the Transaction Key. A Transaction Key is
+== WizarPOS Key Hierarchy ==
-sometimes referred to as a Data Key, communications key, Session Key, or working key
+* '''Two-Layer Hierarchy:'''
+** In WizarPOS devices, the highest-level KEK is known as the Master Key.
-* WizarPOS Master/Session Key hierarchy
+** The Master Key encrypts Transaction Keys (Session Keys) directly.
-In WizarPOS device, we uses a hierarchy of Key Encrypting Keys and Transaction Keys. The highest level of
+** Session Keys in WizarPOS: These include PIN keys (for encrypting PIN blocks), MAC keys (for MAC calculations), and data keys (for encrypting other data).
-Key Encrypting Key is known as a Master Key. Master Keys are distributed using some physical
+** WizarPOS supports three slots for Session Keys internally, but some external PINPads might only support two slots.
-process, e.g., the device keypad, magnetic cards, key loading device. Master Keys are replaced
+* '''Three-Layer Hierarchy:'''
-by the same methods whenever compromise is known or suspected.
+** Highest Level: Referred to as a Transfer/Transport Key.
+** Middle Level: Known as a Master Key.
-Transaction Keys are distributed and replaced encrypted under a Key Encrypting Key. In a '''two layer''' hierarchy, the Master Key is used to encrypt Transaction Keys directly. Alternatively, multiple
+** Lowest Level: Called a Session Key, which is encrypted by the Master Key.
-levels of Key Encrypting Keys may be used. Each Key Encrypting Key is distributed and replaced
+** This hierarchy offers an additional layer of security by separating the Transfer/Transport Key from the Master and Session Keys.
-encrypted under the next-higher level Key Encrypting Key.
+== Groups of Keys ==
+* WizarPOS systems support 50 groups of Master/Session Keys.
-WizarPOS suport two layer hierarchy, the the highest level Key Encrypting Key is sometimes referred to as a Master key, the lowest level Key we called Session Key, and Master key is used to encrypt the Session Key.
+== Key Injection ==
+* '''Master Key (Two-Layer) & Transfer/Transport Key (Three-Layer):''' For injecting these keys, refer to [[How to Remotely Inject Test Keys (Master Key or DUKPT Key) into a Terminal]] or [[How to Use TMK Delivery System for KeyLoader POS and Master POS]].
-Actually, WizarPOS support '''three layer''' hierarchy too, the highest level Key Encrypting Key is sometimes referred to as a Transfer/Transport key; the middle level Key Encrypting Key is sometimes referred to as a Master Key; the lowest level Key we called Session Key, and Master key is used to encrypt the Session Key.
+* '''Session Key & Master Key (Three-Layer):''' These can be injected using our SDK. Refer to the PINPad section of our SDK for detailed instructions.
-Usually there are 3 types of Session Keys. They are PIN key, MAC key and data key. PIN key is only used to encrypt PIN block. MAC is used to calculate MAC. Data key is used to encrypt the other data. All internal PINPad supports 3 slots of Session Key and some external PINPad only supports 2 slot of Session Keys.
-There are 50 groups of Master/Session Key in WizarPOS.
-== Inject ==
-The Master key in the two layer hierarchy, and the Transfer/Transport key in the three layer hierarchy, please refer to [[How_to_inject_test_key(master_key_or_DUKPT_key)_remotely]] or use [[TMK Deliver System Usage（For KeyLoader POS/Master POS）]].
-The Session Key and the Master key in three layer, can inject by our SDK, please refer to the pinpad part.
 == Usage ==
-Please refer to our SDK, the description of the pinpad.
+* For information on how to utilize these keys, please refer to the PINPad description in our SDK.