Dynamic Key Exchange Models
I’ve had a number of people ask me recently about how to implement Dynamic Key Exchange models. Specifically, I’m talking here about ISO8583-based financial payment gateways. This post pertains to situations where you’re acting either as the Card Issuer (in which case you’re receiving payment transaction requests from the gateway) or the transaction acquirer (in which case you’re sending payment transaction requests to the gateway in order that they route it for appropriate authorization decisioning).
There’s some terminology to square away first:
Local Master Key (‘LMK’) – This is the key you store in the HSM in order to encrypt and do software-based storage of the current Working Keys (and Base Derivation Keys if you’re using DUKPT). Also called the Master File Key (‘MFK’)
Zone PIN Key (‘ZPK’) – The ZPK is what’s used to encrypt the PIN blocks that traverse the wires between institutions. Also referred to as the ‘Working Key.’ This is the key that the Dynamic Key Exchange is acting upon. You’re obligated to change the Working Key at agreed-upon intervals (I typically advocate every 12 hours).
Zone Master Key (‘ZMK’) – Think of the ZMK as the key transportation vehicle. It’s the key that the two parties use to encrypt and exchange new ZPKs. This key is established via a key ceremony. You keep a copy of the ZMK encrypted under the LMK in a file somewhere (you’ll see how it’s used here further down this post). Also called the Key Exchange Key (‘KEK’).
- From the moment you start planning discussions with the gateway, establish RIGHT AWAY that you want field-by-field level specifics of how the Dynamic Key Exchange is to be performed. It’ll be within the context of some Network Message Exchange (e.g., 0800/0810), but that’s not granular enough – you need to know the thing down to the field-content level.
- Scour the documentation you’ve been provided to see if those details are in there. I’ve done two different gateway projects recently, and in both cases the Key Exchange details were notably absent from the doc. But, that doc exists somewhere within the gateway institution. Track it down. Get your hands on it.
- Knowledge of the Key Exchange model is – by design – not widespread throughout the gateway provider’s project personnel. Insist on getting their expert in on at least one of the planning calls. Make note of this person’s name and contact details. Establish that information channel. This is a critically important point to your success.
At a high level, there are two models:
- You request a new ZPK from the gateway, and they provide it in the response. [I call this the ‘Pull‘ model (for obvious reasons – you pull the key from them).]
- The gateway sends you a new ZPK and you respond with a message indicating success or failure. [This, by contrast is the ‘Push‘ model.]
Your implementation will be one of those.
Now, I’ll provide two examples, one push, one pull.
The sequence of events is:
- The gateway sends us a new ZPK (under ZMK) in an 0800 (MTI) Network Request.
- We obtain the ZMK (under LMK) from our files.
- We use the cryptograms from Steps 1 and 2 to create the appropriate command to the Key-Up (here, a ’12’)
- We get the response from the Key-Up (the ’13’) and validate that the Check Digits match those provided by the Issuer.
- Assuming the check in Step 4 is okay, we store the result (the ZPK under LMK) as the new Working Key.
- We send an 0810 (MTI) Network Response back to the Issuer (Note that Field 39 on our response is ’00’ – indicating success).
There’s so much detail here worthy of comment. I’ll touch on a few things (these are the types of detail you want to bring to the surface in your reviews):
- This gateway uses ‘162’ in Field 70 to tip to us that it’s a Key Exchange in play.
- Note how we have to pluck the incoming cryptogram out of the esoteric morass of Field 123.
- We have to construct an equally cryptic Field 123 on our response.
Here is the pull model:
- We request a new key from the Gateway in an 0800.
- The new key (ZPK under ZMK) comes back in an 0810.
- We fire off an ‘FA’ to the Thales 8000.
- We get the ‘FB’ back and validate the check digits.
- If okay, we store the result (the ZPK under LMK) as the new Working Key.
Now, since we’re the initiator here we have to have a way to determine when to trigger the exchange request. We do that through a channel Logon Manager.
You get the idea, I hope! Nail down all those details in order to maximize your chances of success. Otherwise, feel free to beat your head against a wall, because that’s what will happen if you don’t get this information.