AS 2805.6.4-2006

1 - AS 2805.6.4-2006 ELECTRONIC FUNDS TRANSFER-REQUIREMENTS FOR INTERFACES - KEY MANAGEMENT-SESSION KEYS-TERMINAL TO ACQUIRER
4 - PREFACE
6 - CONTENTS
7 - FOREWORD
8 - 1 SCOPE
8 - 2 APPLICATION
8 - 3 REFERENCED DOCUMENTS
9 - 4 DEFINITIONS
9 - 4.1 Acquirer
9 - 4.2 Acquirer network
9 - 4.3 Authentication
9 - 4.4 Back tracking
9 - 4.5 Card acceptor
9 - 4.6 Cardholder
9 - 4.7 Card issuer
9 - 4.8 Cipher text
9 - 4.9 Cryptographic key
9 - 4.10 Data Encipherment Algorithm (DEA)
9 - 4.11 Data key (KD)
9 - 4.12 Decipherment
9 - 4.13 Encipherment
10 - 4.14 Encipherment algorithm
10 - 4.15 Identification
10 - 4.16 Initial MAC key (KMACI)
10 - 4.17 Key
10 - 4.18 Key enciphering key (KEK)
10 - 4.19 Key verification code (KVC)
10 - 4.20 MAC key (KMAC)
10 - 4.21 Message authentication code (MAC)
10 - 4.22 Modulo 2 addition
10 - 4.23 Multiple acquirer PIN pad security number (PPASN)
10 - 4.24 Node
10 - 4.25 One way function (OWF)
10 - 4.26 Personal identification number (PIN)
11 - 4.27 PIN block
11 - 4.28 PIN enciphering key (KPE)
11 - 4.29 PIN pad identification number (PPID)
11 - 4.30 PIN protection key (KPP)
11 - 4.31 Plain text
11 - 4.32 Primary account number (PAN)
11 - 4.33 Request message
11 - 4.34 Response message
11 - 4.35 Session key (KS)
11 - 4.36 Systems trace audit number (STAN)
11 - 4.37 Statistically unique
11 - 4.38 Terminal
11 - 4.39 Terminal cryptographic unit (TCU)
11 - 4.40 Transaction
12 - 4.41 Transaction amount
12 - 5 OVERVIEW
12 - 5.1 Objectives of scheme
12 - 5.1.1 General
12 - 5.1.2 Back track prevention
12 - 5.1.3 Different keys for each function
12 - 5.2 Initialization
12 - 5.3 Key hierarchy and management
13 - 5.4 Proof of end points
13 - 6 DESCRIPTION OF FUNCTIONAL ELEMENTS
13 - 6.1 PIN pad identification numbers (PPID)
13 - 6.2 Acquirer PIN pad security number (PPASN)
13 - 6.3 Key enciphering key pair (KEK1 and KEK2)
13 - 6.3.1 General
13 - 6.3.2 KEK establishment
13 - 6.3.3 KEK1 and KEK2 updates
13 - 6.3.4 Algorithm KEK1 update
14 - 6.3.5 Algorithm KEK2 update
15 - 6.4 Key enciphering key variants (KEK1Vn)
15 - 6.5 PIN enciphering key (KPE)
15 - 6.5.1 General
15 - 6.5.2 Inputs
15 - 6.5.3 Algorithm
16 - 7 OPERATION
16 - 7.1 General
16 - 7.2 Initialization
16 - 7.2.1 General
17 - 7.2.2 Security of an acquirer™s keys
17 - 7.3 Terminal key establishment
17 - 7.4 Acquirer MACing of key establishment messages
17 - 7.5 Proof of end point
17 - 7.6 Key enciphering key change
17 - 7.7 Changing session keys
17 - 7.7.1 General
17 - 7.7.2 Session key set change
17 - 7.8 Resynchronization
17 - 7.9 Key mismatch
18 - APPENDIX A KMACI
18 - A1 SCOPE
18 - A2 CREATION OF KMACI
18 - A2.1 Inputs
18 - A2.2 Algorithm

Specifies key management techniques for keys used in the authentication, enciphering and deciphering of electronic messages relating to financial transactions using session keys.

This Standard specifies key management techniques for keys used in the authentication, enciphering and deciphering of electronic messages relating to financial transactions using session keys.In particular, this Standard -(a) defines security interface procedures between terminals and acquirers;(b) defines methods of interchange of the various enciphering keys used for securing transactions; and(c) ensures that messages can only be authenticated at their correct destination.NOTE: Principles concerning key management and physical security are dealt with in AS2805.6.1.

Originated as AS 2805.6.4-1988.
Previous edition 2001.
Third edition 2006.