Page tree
Skip to end of metadata
Go to start of metadata

Glossary of keys and associated terms:


Keys / TermsAliasesComment/Description

RKI-KEK

Admin Key

Remote Key Injection KEK. Used to encrypt keys injected remotely from an RKI server. In some cases

(SecureHead, SecureMag, and SecureKey), the RKI-KEK will also be used as the MSR Pairing Key (This key used to be called the Admin Key).

LCL-KEK


Local KEK. Used by ID TECH NGA key injection protocol. Encrypt other keys injected in TG3 

MSR Pairing Key

MSR Pairing Key used to securely pair a non SRED device with an ID TECH PinPad (PP will have the BDK)

PCI Pairing Key

PCI Pairing Key used to pair a PCI approved product with an ID TECH PinPad (PP will have the BDK)

DEK

Data Encryption Key. Key used to encrypt MSR and EMV sensitive data. 

PEK

PIN Encryption Key. DUKPT Key used to encrypt PIN in Online Pin mode

MAC

MAC kKey. Key used to authenticate secure messages

MSK
 Master Session Key
KEK
 Key Encryption Key
IPEK
Initial PIN Encryption Key






Data DUKPT Key

Data Encryption Key (DEK) 

For encryption of transaction data

PIN DUKPT Key

PIN Encryption Key (PEK)For encryption of PINs

PIN Master Key



Pairing Key(PINPAD)

PIN Pairing Key (PPK)The card reader and the PIN pad must both share this common secret so that they can exchange data privately. (The PIN pad will receive PAN data from the reader. Such data cannot be sent in the clear.)

MAC DUKPT

HOST-CR MAC Key (MAK) Key for producing MAC hash (authenticated hash) on a per-transaction basis. The host may need to send authenticated commands to the reader. This key enables the creation of secure hash data.

RKL BDK


Remote Key Loading BDK.

RKL DUKPT Key


Remote Key Loading DUKPT key.
KSN
Key Serial Number. A different 10-byte KSN generally exists for each key.

HOST-CR Key Encryption Key (Master Key)


KEK for use between host and card reader (CR).

CR-EPP Key Encryption Key (Master Key)


EPP = Encrypted Pin Pad

CR-EPP MAC Key (MAK)


For MAC hashes that will be consumed by the PIN pad.

Firmware Encryption Key (FEK), fix key 


For internal use.

Configuration Encryption Key (CEK), fix key


For internal use.

TR31

(ANSI spec here)


TR31 is the ANSI standard way to create key block info (blocks of data that associate keys with key attributes). The payload of a TR31 key block consists of a key block header, an encrypted data block (key length, key, and padding), and a MAC value.

Key Block Protection Key


generated in-memory at TR31 block creation time and never stored.

Key Block Encryption Key


generated in-memory at TR31 block creation time and never stored.

Key Block MAC Key


generated in-memory at TR31 block creation time and never stored.