PKLD Usage 2.03

Reference: Revision: Date: Distribution:
PKLD_USAGE 2.0.3 01/10/2013 Internal
PKLD USAGE
____________
HELP MANUAL
____________
THE INFORMATION CONTAINED IN THIS DOCUMENT IS PROPERTY OF SPIRE PAYMENTS AND MAY NOT BE USED, COPIED, DISCLOSED OR DIVULGED, IN WHOLE OR IN PART, FOR ANY PURPOSE BY ANY PERSON WITHOUT THE WRITTEN APPROVAL OF SPIRE PAYMENTS.
PKLD USAGE ----HELP MANUAL
Page 2 / 35
RECORD OF REVISIONS
Revision 02.00 02.01 02.02 02.03 Date 18-Jul-2013 30-Jul-2013 05-Sep-2013 01-Oct-2013 Writer Juan R Mudarra Antonio G. Lomea Juan R Mudarra Juan R Mudarra Initial version Added section 4.3.1.2 KeyEntry Added more info on KLD Settings Added section 4.2.1.5 Import HKS files Object of Evolution
APPROVAL
Name Beatriz Delgado Department Software Platform Function Software Platform Director Date 01-Oct-2013
DISTRIBUTION LIST:
Page 3 / 35
TABLE OF CONTENTS
1 2 3 INTRODUCTION AND SCOPE................................................................................................ 4 FUNCTIONAL SUMMARY....................................................................................................... 4 2.1 Modes of Operation .......................................................................................................... 4 2.2 Keyboard Use Description on PKLD Terminals................................................................. 5 PKLD INITIALISATION ............................................................................................................ 6 3.1 User Login ........................................................................................................................ 6 3.2 User Logout ...................................................................................................................... 7 ADMINISTRATOR MODE........................................................................................................ 8 4.1 Keys Manage. Internal Keys. ............................................................................................ 9 4.1.1 Installing the STMK...................................................................................................... 9 4.1.2 Installing the KPK. ..................................................................................................... 11 4.2 Key Management. Terminal Keys. .................................................................................. 12 4.2.1 Keys Manage............................................................................................................. 12 4.2.1.1 KeySet ............................................................................................................... 12 4.2.1.2 KeyEntry ............................................................................................................ 13 4.2.1.2.1 Add ............................................................................................................... 13 4.2.1.2.2 Modify Metadata............................................................................................ 21 4.2.1.2.3 Modify KeyData............................................................................................. 22 4.2.1.2.4 Delete............................................................................................................ 23 4.2.1.3 Import KeyStore ................................................................................................. 24 4.2.1.4 Export KeyStore................................................................................................. 24 4.2.1.5 Import HKS files. ................................................................................................ 24 4.3 User Management .......................................................................................................... 25 4.3.1 Adding Users ............................................................................................................. 25 4.3.2 Modifying Users......................................................................................................... 26 4.3.3 Deleting Users ........................................................................................................... 27 4.4 KLD Settings................................................................................................................... 28 4.4.1 Set Date time............................................................................................................. 28 4.4.2 Terminal Info.............................................................................................................. 28 4.4.3 Max Frame Size ........................................................................................................ 28 4.4.4 Pin Pad Baudrate ...................................................................................................... 28 4.4.5 Input Mode ................................................................................................................ 28 4.4.6 Barcode port .............................................................................................................. 29 4.4.7 Barcode Baudrate...................................................................................................... 29 4.5 Log Management............................................................................................................ 29 4.5.1 Exporting Log files ..................................................................................................... 29 4.5.2 Deleting Log Files...................................................................................................... 30 OPERATOR MODE ............................................................................................................... 30 5.1 Distributing Keys............................................................................................................. 31 5.2 Exporting Log Files ......................................................................................................... 32 ANNEX A. ENTERING KLA MODE IN SPIRE TERMINALS .................................................. 33 6.1 Phoenix Terminals (SPw70, SPw60, SPc50, SPp30)...................................................... 33 6.2 SPp10 Basic PIN Pad..................................................................................................... 35 ANNEX B. LOG FILE FORMAT AND MESSAGES ................................................................ 35
5 6 7
Page 4 / 35
1 INTRODUCTION AND SCOPE

This document contains the user manual for the Spire Personalization Key Loading terminal (PKLD). The intended usage of this terminal is the verification of the Spire Transport Key into terminals and the injection of Acquirers keys at the personalization site and at repair facilities. Due to the sensitive nature of the information contained on the PKLD and its functionalities, it must only be used in a secure key loading facility, which complies with the relevant PIN security standards. The scope of this document is to provide operation and administration personnel at the manufacturing/repair site, with guidance and help when using the PKLD.
2 FUNCTIONAL SUMMARY
The PKLD provides the functionality of verifying a device unique Transport Key and injecting Acquirers keys in all Spire devices, using local serial communication links. The list of supported devices is: - SPp10 Basic Pin Pad - SPp30 Retail Pin Pad - SPc50 Countertop POS - SPw60 Portable POS - SPw70 Mobile POS
2.1 Modes of Operation

In order to do this, the PKLD implements two modes of operation, each of them with access to specific functionalities. In summary the modes of operation and their functionalities are: 1. Administrator Mode. a. Key Management: i. Modify the Spire Transport Master Key. This functionality is intended for authorised Spire Key Custodians only and MUST NEVER be used by other personnel. ii. Modify the Key Protection Key which is the responsible to protect all sensitive data into the terminal. iii. Modify the PBDK which is used in special PinPad pairing process. iv. Manage the Keys provided by the acquirers, which can be used to install them into any type of Spire terminal. This option permits to add, modify and erase any type of key supported by Spire terminals. Also, it is possible to create groups to select several keys. b. User Management: allows the creation, modification and deletion of administrator and operators. c. KLD Settings: allows the modification of the basic operating parameters of the PKLD, such as date and time. d. Log Management: allows exporting and deleting the operating logs of the PKLD. Logs must be periodically extracted and kept to generate an audit trail of its usage, according to the relevant operational procedures. 2. Operator Mode.
Page 5 / 35
a. Key Distribution: verifying transport keys to a given number of devices and injecting some groups of Acquirer keys, named Keysets. b. Log Export: allows exporting the operating logs of the MKLD. Logs must be periodically extracted and kept to generate an audit trail of its usage, according to the relevant operational procedures The following sections document the operation of each of the functionalities of the MKLD.
2.2 Keyboard Use Description on PKLD Terminals

The terminal makes use of its ten numeric keys. These keys are used to access to each menu option showed on display and for data input. There are other three special keys to confirm, cancel and remove data on capture/modify dialog windows. To add alphanumeric characters the keyboard mode may be changed by pressing #. Each pressing on this key will change the keyboard mode (numeric, alphabetic upper case and alphabetic lower case). In Alphabetic modes, rapidly pressing the same key will cycle the input characters printed on that key (in the same way older mobile phones would allow textual input).
Other key functionalities of interest are:
Cancel or Escape function on edit mode and return to previous menu on navigation mode Backspace function to remove data on edit mode
Confirm function on edit and navigation mode
Change keyboard edit mode. Numeric, alphanumeric lowercase, alphanumeric capital. On top and at the right of the input dialog box you can observe the input method
Page 6 / 35
selected. [123] for numeric input, [abc] for alphanumeric lowercase input, and [ABC] for alphanumeric uppercase. Special characters on alphanumeric edit mode. On alphanumeric uppercase, [ABC], you have access to next characters +, ;, ?, -, n alphanumeric lowercase, [abc], to these ., :, ,, -"
3 PKLD INITIALISATION
The PKLD application runs directly after terminal startup showing the next screen. This screen is also shown whenever no users are logged into the terminal. PKLD ver 2.4.0
2013-07-18 11:37:49 Pressing on any key the terminal will show a message dialog to login on the terminal.
3.1 User Login

Both the Administrator and the Operator modes of the PKLD are used under dual control. This implies that at any given time two users WITH THE SAME ROLE must be logged in (i.e. either two administrators or two operators). User names and passwords for the PKLD follow these rules: - All ASCII alphanumeric characters, both lower and upper case, are allowed for usernames and passwords. - User names MUST contain 8 alphanumeric characters, with the exception of pre-defined users admin1 and admin2. - Passwords MUST contain 10 alphanumeric characters. IMPORTANT NOTE: The PKLD is initialised by authorised Spire Key Custodians, which will change the pre-expired passwords for default users and/or create additional users prior to sending the device to its operational destination (e.g. manufacturing site). For details on your login credentials, please refer to the Credential Sheets securely sent by Spire Payments through a separate channel. Note that the PKLD is protected against inactivity and overuse in the following ways: - The PKLD will automatically log all users out after 15 minutes of inactivity. - The PKLD will automatically log operators out after 1000 terminals of any kind have been loaded with their keys. - Any dialog screen requiring user input (e.g. a prompt asking for the new date and time) has an inactivity timeout of 60 seconds.
Page 7 / 35
The PKLD login procedure is shown in the following screenshots. Login first user Input user name: admin1 [123] Login first user Input user password: ******** [123]
[CANCEL]
[ACCEPT]
[CANCEL]
[ACCEPT]
Login second user Input user name: admin1
[123]
Login second user Input user password: ********
[123]
[CANCEL]
[ACCEPT]
[CANCEL]
[ACCEPT]
At its first initialisation, the terminal has enabled these users and pre-expired passwords. User: admin1, password: SP00001111 User: admin2, password: SP00002222 The PKLD will force administrators to change their password the first time they log-in. The next screens show the prompt screens for password change:
Warning Preexpired password!! Edit Login: admin1 [123] Input user password ******** Edit Login: admin1 [123] Input again user password ********
[CANCEL]
[ACCEPT]
[CANCEL]
[ACCEPT]
[CANCEL]
[ACCEPT]
A successful login by two users with the same role (Administrators or Operators) will give access to their operation mode main menu.
3.2 User Logout

Pressing the CANCEL, BACKSPACE or ENTER keys from the main menu of each mode of operation will initiate the logout process. The user will be prompted to confirm logout with the following screen:
Page 8 / 35
Warning Press ACCEPT to logout
[CANCEL]
[ACCEPT]
If ACCEPT is pressed, the logout operation will complete and the initialisation screen will be shown. If CANCEL is pressed, then the user is taken back to the main menu of the current mode of operation.
4 ADMINISTRATOR MODE
The following functionalities are available for PKLD administrators: a. Key Management: a. modify the Spire Transport Master Key. This functionality is intended for authorised Spire Key Custodians only and MUST NEVER be used by other personnel. b. Modify the Key Protection Key which is the responsible to protect all sensitive data into the terminal. c. Modify the PBDK which is used in special PinPad pairing process. d. Manage the Keys provided by acquirers. which can be used to install them into any type of Spire terminal. This option permits to add, modify and erase any type of key supported by Spire terminals. Also, it is possible to create groups to select several keys. b. User Management: allows the creation, modification and deletion of administrator and operators. c. KLD Settings: allows the modification of the basic operating parameters of the PKLD, such as date and time. d. Log Management: allows exporting and deleting the operating logs of the PKLD. Logs must be periodically extracted and kept to generate an audit trail of its usage, according to the relevant operational procedures. The main menu screen is shown in the next figure. Administrator Menu Keys Manage Users Manage KLD Settings Log Manage
1. 2. 3. 4.
Page 9 / 35
4.1 Keys Manage. Internal Keys.

4.1.1 Installing the STMK
In order to perform adequately, a PKLD must have a valid STMK loaded. The PKLD will check the presence of a STMK whenever a login process takes place. If the STMK is not present in the PKLD, it will be requested when the first Administrator Mode session is started. It is also possible to change the value of the STMK through the 1. Keys Manage 1. Internal Keys option of the Administrator Menu. IMPORTANT NOTE: A valid STMK is injected in the PKLD by Spire Key Custodians prior to devices shipment. Any modification of this value will render the PKLD unusable. Any terminals loaded with a Transport Key after an invalid STMK has been injected will be later rejected at the acquirers personalisation centre. Hence this option MUST NEVER be exercised by unauthorised personnel. The following screen is shown to administrators after login when the STMK is not installed. After the warning has been accepted, the PKLD will request the STMKs components. Warning STMK not installed!!
[CANCEL]
[ACCEPT]
If option 1. Keys Manage 1. Internal Keys is selected from the Administrator Menu, the following screen will give access to the modification of the STMK. Keys Manage 1. Internal Keys 2. Terminal Keys 1. 2. 3. 4. Internal Keys Manage Spire Transport Master Key Spire Key Protection Key PinPad Pairing Base D. Key HKS file Key
Page 10 / 35
The PKLD will show the checksum of the STMK (3 bytes). STMK Checksum ABCDEF
[CANCEL]
[ACCEPT]
If the ACCEPT (enter) button is pressed, then the PKLD will request the number of components of the key to be loaded. This value MUST be between 2 and 10. Spire Transport MK [123] Select number of components 2
[CANCEL]
[ACCEPT]
The PKLD will then request each 24-byte component in groups of 8 bytes and then show the next dialog is shown each time as components are selected. STMK [123] Component 0 Key Chsum ABCDEF
input key component 0 (24 bytes) Input data from 0 to 7: 1234567890ABCDEF Input data from 8 to 15: 1234567890ABCDEF Input data from 16 to 24: 1234567890ABCDEF
[CANCEL]
[ACCEPT]
After all components have been input the PKLD will show the full key checksum and, if accepted, will commit the changes to the STMK. IMPORTANT NOTE: Key components are XORed between them to produce the final STMK key, it is assumed that each key component is input by a different custodian, all under the supervisor of an PKLD administrator.
Page 11 / 35
IMPORTANT NOTE: Byte endianness is interpreted as follows. Byte 0 ..... Byte 7 | Byte 8 ..... Byte 15 | Byte 16 ..... Byte 23 i.e. the byte marked as byte 0 is the MSB of the key. IMPORTANT NOTE: The STMK in the PKLD is only modified if the whole process is completed and the key checksum shown at the end is accepted. Otherwise, no changes will be committed in the PKLDs internal keystore.
4.1.2 Installing the KPK.

If option 1. Keys Manage 1. Internal Keys is selected from the Administrator Menu, the following screen will give access to the modification of the KPK. IMPORTANT NOTE: This key is used to protect all data saved into the Keystore. Any modification of this value will render the Keystore unusable, and all data previously saved will be removed.
Keys Manage 1. Internal Keys 2. Terminal Keys 1. 2. 3. 4.
Internal Keys Manage Spire Transport Master Key Spire Key Protection Key PinPad Pairing Base D. Key HKS file Key
The PKLD will show the checksum of the KPK (3 bytes). KPK Checksum ABCDEF
[CANCEL]
[ACCEPT]
If the ACCEPT (enter) button is pressed, then the PKLD will request the method to introduce the value of the KPK. We recommend to use the Manually method to have the possibility of recovery a backup of the KeyStore if the terminal lost its keys.
Page 12 / 35
Save Spire KPK Select Generation Method 0.Manualy 1.Randomly
If the option 0.Manualy is selected, then the PKLD will request the number of components of the key to be loaded. This value MUST be between 2 and 10. If option 3. Pin Pad Pairing Base Derivation Key or option 4. HKS file Key are selected from the Administrator Menu, the same screens as in the KPK option appear on PKLD.
4.2 Key Management. Terminal Keys.

4.2.1 Keys Manage
If option 1. Keys Manage is selected from the Administrator Menu, the following screen will give access to manage the Acquirers keys. Keys Manage 1. Internal Keys 2. Terminal Keys KeyStore Manage 1.KeySet 2.KeyEntry 3.Import KeyStore 4.Export KeyStore 5.Import HKS files
In the KeyStore exists two items, KeyEntry which save all metadata and data information related to Acquirer key, and KeySet used to group list of KeyEntry.
4.2.1.1 KeySet
With option 1. KeySet the PKLD allows to Add, Modify and Delete KeySets in the Keystore. These items will be used to group individual KeyEntry into sets of keys. KeySet Manage 1.Add 2.Modify 3.Delete
Page 13 / 35
If option 1. Add is selected the PKLD will request for data required for a new Keyset
New KeySet [123] Input Keyset name: New KeySet Select Keyset Arch 0.Generic 1.POS 2.PINPad KeySet Save Confirm to save this data Name: POS_Keyset Arch: POS
[CANCEL]
[ACCEPT]
If option 2. Modify is selected the PKLD shows a list of Keysets created to select one of them. Use the arrow keys to move on the list and ENTER key to select the selected item. If the list exceeds the screen dimensions, use the * key to move to the previous screen or # key to move to the next screen. Once a Keyset has been selected the PKLD will request for each data saved on selected Keyset. You can modify the Keyset name, the Keyset architecture or both. If option 3. Delete is selected the PKLD will show a list of Keysets created to select which will be deleted.
4.2.1.2 KeyEntry
If option 1. KeyEntry is selected on the KeyStore, the PKLD will show a list of created KeySets to select one of them and manage only the KeyEntries associated to this KeySet. The available operations on the selected KeyEntry are Adding a new KeyEntry, Modifying the Key Metada, Modifying (Introducing) the KeyData and deleting the KeyEntry KeyEntry Manage: POS 1.Add 2.Modify Metadata 3.Modify KeyData 3.Delete
4.2.1.2.1
Add
With option 1. Add a list of KeySets is shown, to select the one where the new KeyEntry will be added:
Page 14 / 35
KeySet List 3/0/3 GENERIC PINPAD POS
After selecting the KeySet, the user must choose the KeyEntry type: Master key, DUKPT Key or AES key New KeyEntry Select Type 0. Master Session 1. DUKPT Session 2. AES Key
4.2.1.2.1.1 Master session/Fixed key With the Master Session key, the user must choose values of the following parameters:
o o o o o o o
Algorithm mode Key Usage Slot ID (0 253) PIN Pad Pairing flag Key length Key encryption mechanism (the mode of operation used to encrypt Key Data with the Encrypting KPK) Derivation Mechanism
The following drawings show an example of displayed screens:
New KeyEntry Select Usage 0. Master Key PIN encryption 1. Master Key Data Encryption 2. Master Key Data Enc and Dec 3. Master Key MAC Generation 4. Master Key transport 5. Master Key TR31 key transport 6. Fixed Key PIN Encryption 7. Fixed Key Data Encryption 8. Fixed Key Data Enc and Dec
Select 0. DES 1. DES 2. DES 3. DES
New KeyEntry Algorithm CBC mode EBC mode CFB mode OFB mode
Page 15 / 35
New KeyEntry Input Slot ID: 13
New KeyEntry Select Pairing: 0. None 1. Yes
New KeyEntry Select Length: 0. 16 bytes 1. 24 bytes 2. 32 bytes
New KeyEntry Select EncMode 0. CBC 1. ECB
New KeyEntry Select DerivationMechanism 0. None 1. Acquirer Serial Number 2. Terminal Serial Number
At the end, the PKLD will show a summary of chosen options (the below example shows the case of a FIXED key with no derivation mechanism)
KeyEntry Metadata Save
Confirm to save this data Keyset: POS Type: Master Session Algorithm DES CBC mode Usage Master Key PIN Encryption Slot index: 13 Flag Paring: None Length: 16 bytes EncMode: CBC Derivation Mechanism: None [CANCEL] [ACCEPT]
Page 16 / 35
The screen summary for a Master Session key with Serial Number derivations mechanism would look similar to the below example: KeyEntry Metadata Save
Confirm to save this data Keyset: POS Type: Master Session Algorithm DES CBC mode Usage Master Key PIN Encryption Slot index: 13 Flag Paring: None Length: 16 bytes EncMode: CBC Derivation Mechanism: Terminal Serial Number Derivation Mode CBC [CANCEL] [ACCEPT]
In case of selecting Acquirer Serial Number as the Derivation Mechanism, the user must choose the derivation mode, initial and final Acquirer Serial Numbers as illustrated in the below example: New KeyEntry Select Derivation Mode 0. CBC 1. ECB
Input Initial ASN (24) [123] Input data from 0 to 7: 1111111111111111 Input data from 8 to 15: 1111111111111111 Input data from 16 to 23: 1111111111111111
Input Final ASN (24) [123] Input data from 0 to 7: D000000000000000 Input data from 8 to 15: D000000000000000 Input data from 16 to 23: D000000000000000
Page 17 / 35
Confirm to save this data Keyset: POS Type: Master Session Algorithm DES CBC mode Usage Master Key PIN Encryption Slot index : 13 Flag Paring: None Length: 16 bytes EncMode:CBC
Confirm to save this data Derivation Mechanism: Acquirer Serial Number Derivation Mode: CBC Initial ASN: 1111111111111111 1111111111111111 1111111111111111 Final ASN: D000000000000000 D000000000000000 D000000000000000
[CANCEL]
[ACCEPT]
[CANCEL]
[ACCEPT]
4.2.1.2.1.2 DUKPT Key With the DUKPT key, the user must choose values of the following parameters:
o o o o o o o o
Algorithm mode Slot ID (0 253) PIN Pad Pairing flag Key length Key encryption mechanism (the mode of operation used to encrypt Key Data with the Encrypting KPK) TRSM length (between 0 and 59 bits) Initial and final TRSM values Base Derivation Key index value
Select 0. DES 1. DES 2. DES 3. DES
New KeyEntry Algorithm CBC mode EBC mode CFB mode OFB mode
Page 18 / 35
New KeyEntry Select Length: 0. 16 bytes
New KeyEntry Input TRSM Length (bits): 25
New KeyEntry Input Initial Value: 4 bytes 11223344
New KeyEntry Input Final Value: 4 bytes 55667788
New KeyEntry Input BDIndex: 5 bytes 1122334455
At the end, the PKLD will show a summary of the chosen options:
Page 19 / 35
Confirm to save this data Keyset: POS Type: DUKPT Session Algorithm DES CBC mode Usage Master Key PIN Encryption Slot index: 13 Flag Pairing: None Length: 16 bytes EncMode:CBC TRSM Length: 25 Initial Value: 11223344 Final Value: 55667788 B.D. Key Index: 1122334455 [CANCEL] [ACCEPT]
4.2.1.2.1.3 AES Key With the AES key, the user must choose values of the following parameters:
o o o o o
Algorithm mode Slot ID (0 253) PIN Pad Pairing flag Key length Key encryption mechanism (the mode of operation used to encrypt Key Data with the Encrypting KPK)
New KeyEntry Select Algorithm 0. AES_256_CBC mode
Page 20 / 35
New KeyEntry Select Length: 0. 16 bytes 1. 24 bytes 2. 32 bytes
At the end, the PKLD will show a summary of the chosen options:
Confirm to save this data Keyset: POS Type: AES Key Algorithm AES_256_CBC mode Usage Master Key PIN Encryption Slot index: 13 Flag Paring: None Length: 16 bytes EncMode: CBC [CANCEL] [ACCEPT]
Page 21 / 35
4.2.1.2.2
Modify Metadata
After selecting this option, the user is shown a list of available KeyEntries for the chosen KeySet:
KeyEntry List 000015|MKSK |M PIN 000016|MKSK |M PIN 000017|MKSK |M PIN 000018|MKSK |M PIN 000019|DUKPT|M PIN 000020|DUKPT|M PIN 000021|AES |M PIN
1/0/7 Enc|A65704 Enc|000000 Enc|000000 Enc|000000 Enc|000000 Enc|000000 Enc|000000
Each row in the list shows for fields: 1. 2. 3. 4. Internal data base unique identifier for the given key entry Key type Key algorithm Key checksum value
Key entries for which no key value has been introduced yet will show a 0 value in the Key checksum field. The user can then select any row, and a list of possible fields to edit will be shown. The following drawings show an example:
KeyEntry List 1/0/7 Select Metadata Field 0.Keyset 1.Type 2.Algorithm 3.Usage 4.Slot ID 5.F Pairing
KeyEntry List 1/0/7 Select Metadata Field 0.M Der Mechanism 1.M Der Mode
Page 22 / 35
4.2.1.2.3
Modify KeyData
After selecting this option, the user is shown a list of available KeyEntries for the chosen KeySet: KeyEntry List 000015|MKSK |M PIN 000016|MKSK |M PIN 000017|MKSK |M PIN 000018|MKSK |M PIN 000019|DUKPT|M PIN 000020|DUKPT|M PIN 000021|AES |M PIN 1/0/7 Enc|A65704 Enc|000000 Enc|000000 Enc|000000 Enc|000000 Enc|000000 Enc|000000
Each row in the list shows for fields: 1. 2. 3. 4. Internal data base unique identifier for the given key entry Key type Key algorithm Key checksum value
Key entries for which no key value has been introduced yet will show a 0 value in the Key checksum field. The user can then select any row, and a series of screens will be shown to introduce values for the Key data parameters. Among others, the user will need to introduce the number of components (minimum 2) that will make up the whole key. The following drawings show an example:
Edit KeyEntry: 16 Select EncMode 0.CBC 1.ECB
Edit KeyEntry: 16 Select Length 0.16 bytes 1.24 bytes 2.32 bytes
KeyEntry: 16 Select number of components 2
KeyData 16 input key Component 0 (24 bytes): Input data from 0 to 7: 1111111111111111 Input data from 8 to 15: 2222222222222222 Intput data from 16 to 24: 3333333333333333
Page 23 / 35
Component 0 Key Chsum 656B04
KeyData 16 input key Component 1 (24 bytes): Input data from 0 to 7: 4444444444444444 Input data from 8 to 15: 5555555555555555 Intput data from 16 to 24: 6666666666666666
[CANCEL]
[ACCEPT]
Component 1 Key Chsum F8757B
KeyData 16 Key Chsum A65704
[CANCEL]
[ACCEPT]
[CANCEL]
[ACCEPT]
At the end, a confirmation screen summarizing the values of the Key data will be shown. KeyEntry KeyData Save Confirm to save this data EncMode: CBC Length: 24 bytes Check Value: A65704
[CANCEL]
[ACCEPT]
4.2.1.2.4
Delete
After selecting this option, the user is shown a list of available KeyEntries to be deleted for the chosen KeySet: KeyEntry List 000015|MKSK |M PIN 000016|MKSK |M PIN 000017|MKSK |M PIN 000018|MKSK |M PIN 000019|DUKPT|M PIN 000020|DUKPT|M PIN 000021|AES |M PIN 1/0/7 Enc|A65704 Enc|000000 Enc|000000 Enc|000000 Enc|000000 Enc|000000 Enc|000000
Each row in the list shows for fields:

Page 24 / 35
1. 2. 3. 4.
Internal data base unique identifier for the given key entry Key type Key algorithm Key checksum value
Key entries for which no key value has been introduced yet will show a 0 value in the Key checksum field. Once a KeyEntry has been selected, a confirmation screen will be shown:
Warning Confirm to delete 16
[CANCEL]
[ACCEPT]
The shown index corresponds to the internal database unique identifier.
4.2.1.3 Import KeyStore

If option 3. Import is selected on the KeyStore the PKLD will request to insert a USB disk with the PKLD_KEYSTORE.db file included in it root folder.
4.2.1.4 Export KeyStore

If option 4. Export is selected on the KeyStore the PKLD will request to insert a USB disk where save the PKLD_KEYSTORE.db file into it root folder.
4.2.1.5 Import HKS files.

If option 5. Import HKS files is selected on the KeyStore the PKLD will request to insert a USB disk where HKS files are allocated. If the USB disk is detected correctly and exist files with extension .hks, these files will be copied and parsed to extract and import all KeyEntries availables. All component keys on HKS files are protected with a HKS key which must be inserted in the terminal. This process is described in point 4.1.2. Per each HKS file found the terminal will show a message with the file name imported and one line, with the key name, per each KeyEntry detected with the result of the import process. A 0 value means that the key was inserted correctly, -1 that the key data value and check value parsed are differents, and -2 if there are no data for this key.
Page 25 / 35
4.3 User Management

Administrators may create any number of additional users and assign them either Administrator or Operator permissions. The User Management sub-menu allows the creation, modification and deletion of users. Users Manage 1. Add 2. Modify 3. Delete
4.3.1 Adding Users

With option 1. Add, Administrators will be able to create new users. Administrators will have to select a role and user name for each new user, and the new user will have to input their own password twice for verification. The process is shown in the following figure:
New User [123] Input user role (0 oper, 1 admin): 0 New User Input user name: MYNEWUSR [ABC]
New User [123] Input user password: **********
New User.......[123] Input again user password ********
Note that: - Each user is assigned a single role, either operator (0, oper) or administrator (1, admin). - User names MUST be 8 alphanumeric characters long (lower and upper case). - Passwords MUST be 10 alphanumeric characters long (lower and upper case) Once all user details have been input, a summary screen will request confirmation before creating the new user. If the prompt is accepted, then the new user will be created.
Page 26 / 35
Login Save Confirm to save this data Role: 0 Name: MYNEWUSR Passwd: ** [CANCEL] [ACCEPT]
4.3.2 Modifying Users

With option 2. Modify, Administrators will be able to modify the details of existing users. Selecting the option will give access to a menu in which administrators can use the navigation (up and down arrow) keys to select the user they want to modify. The first column on each row indicates the role of the user (0 for operator, 1 for administrator), and the second column shows the user name. 0 0 1 1 User List 3/0/4 oper0001 oper0002 admin1 admin2
Selecting a user with the ACCEPT (Enter) key will initiate a prompt to modify the user details as seen in the following figure. Note that confirmation of the new data is requested after each detail change. Once accepted, the change is committed to the user database, thus allowing independently changing each of the details of a user.
Edit Login: admin2 [123] Input user name: admin002 Login Save Confirm to save this data Name: admin002
[CANCEL]
[ACCEPT]
Edit Login: admin2 [123] Input user password: **********
Edit Login: admin2 [123] Input again user password ********
Login Save Confirm to save this data Passw: **
[CANCEL]
[ACCEPT]
Page 27 / 35
Edit Login: admin2 [123] Input user role 0.Operator 1.Administrator
Login Save Confirm to save this data Role: Administrator
[CANCEL]
[ACCEPT]
Note that: - Each user is assigned a single role, either operator (0.Operator) or administrator (1.Administrator). - User names MUST be 8 alphanumeric characters long (lower and upper case). - Passwords MUST be 10 alphanumeric characters long (lower and upper case) Once all user details have been input, a summary screen will request confirmation before creating the new user. Login Save Confirm to save this data Role: Operator Name: MYNEWUSR Passwd: ** [CANCEL] [ACCEPT]
4.3.3 Deleting Users

With option 3. Delete, Administrators will be able to delete existing users. IMPORTANT NOTE: The PKLD MUST always have two administrator credentials on its user database. Attempting to delete one of the last two administrator users will generate an error message. Selecting the option will give access to a menu in which administrators can use the navigation (up and down arrow) keys to select the user they want to delete. The first column on each row indicates the role of the user (0 for operator, 1 for administrator), and the second column shows the user name. 0 0 1 1 User List 2/0/4 oper0001 oper0002 admin1 admin2
Page 28 / 35
Selecting a user with the ACCEPT (Enter) key will initiate a prompt to confirm user deletion. If accepted, the user will be deleted. Warning Confirm to delete: oper0002
[CANCEL]
[ACCEPT]
4.4 KLD Settings

Administrators may modify the PKLD operational settings. KLD Settings DateTime Terminal Info MAX_FRAME_SIZE PINPAD_BAUDRATE INPUT_MODE BARCODE_PORT BARCODE_BAUDRATE
1. 2. 2. 3. 4. 5. 6.
4.4.1 Set Date time

When selected, the MKLD will show the current time. Administrators will need to delete this value and input the new one following the format YYYY-MM-DD HH:MM:SS
4.4.2 Terminal Info

When selected, the MKLD will show all data from terminal: Serial Number, MAC address, Firmware version, and SDK version release used.
4.4.3 Max Frame Size

This value is used to support communication with different version of KLA. Use 1020 to communicate with KLA prior to 2.0.0 and 2044 for versions of KLA equal of later than 2.0.0. By default this value is set to 1020.
4.4.4 Pin Pad Baudrate

This value permits configure the communication speed of the SPp10 connected on the PinPad port. By default this value is set to 19200.
4.4.5 Input Mode

In some dialog box used to capture data, like Serial Number and MAC address value, the terminal can use an external IR Barcode reader instead to input manually with internal keyboard. Select with this menu the input method used to capture data: Keyboard (by default), IRBarcode, or ask each time.
Page 29 / 35
4.4.6 Barcode port

Select the port where the IRBarcode reader is connected. Pin Pad port by default.
4.4.7 Barcode Baudrate

Allow to configure the communication speed used for the IRBarcode reader. 19200 by default.
4.5 Log Management

Administrators may export and delete the MKLD log file. create any number of additional users and assign them either Administrator or Operator permissions. The User Management sub-menu allows the creation, modification and deletion of users.
Log Menu 1. Export 2. Delete
4.5.1 Exporting Log files

With option 1. Export, Administrators will be able to export the MKLD log file to an external USB disk connected to the SPc50 USB port. Once the option is selected, the MKLD will request the insertion of a USB disk and check its presence and free disk space. Export Log Insert the USB Disk and press ACCEPT to copy Checking for USB
[CANCEL]
[ACCEPT]
If the USB disk is found and has enough free space, the KLD will copy the log into a file named kld_log.txt in the root directory of the USB disk.
Page 30 / 35
Export Log The USB Disk can now safely be removed from the terminal
[CANCEL]
[ACCEPT]
4.5.2 Deleting Log Files

With option 2. Delete, Administrators will be able to delete existing users. Selecting the option will prompt the administrator to confirm log deletion. If accepted, the log file will be deleted. Warning ACCEPT to
Press log
delete
[CANCEL]
[ACCEPT]
5 OPERATOR MODE
The following functionalities are available for PKLD operators: a. Key Distribution: distribute transport keys to a given number of devices. b. Log Export: allows exporting the operating logs of the PKLD. Logs must be periodically extracted and kept to generate an audit trail of its usage, according to the relevant operational procedures The main menu screen is shown in the next figure. Operator Menu 1. Distribute 2. Log Export
Page 31 / 35
5.1 Distributing Keys

Option 1. Distribute constitutes the main functionality of the device, which consists on install on the terminals the Keyentries associated to each KeySet selected. After selecting this menu, a list of KeySets available for key loading in the terminal will be shown in the screen. The user can then highlight one by one each KeySet that must be loaded. KeySets List 2/0/4 Generic PINPAD POS TEST
The meaning of the three numbers appearing in the title is: Selected item / Page number / Total number of items Each selected Keyset will be removed from the list of remaining available Keysets. This will go on until the user presses the CANCEL key. At that moment, the full list of Keysets selected for key loading will be displayed for acceptance.
KeySets Selected: 2 Generic POS
[CANCEL]
[ACCEPT]
Once the list of Keysets has been confirmed,, the following information will be requested from the operator: - The number of terminals to be loaded in one batch. Distribute [123] Select number of terminals 30
Page 32 / 35
Once this information has been input the distribution process for each terminal will take place and a short status message for each terminal in the batch will be shown. Pressing ACCEPT in this status screen will make the MKLD continue with the next terminal in the batch, while pressing CANCEL will stop the loading process and show the batch summary screen before going back to the operator main menu. Authentication Success Batch 1/30 Serial Number 123456789ABC TK checksum AABBCC Keyset 7 err 0 Keyset 8 err 0 [CANCEL] [ACCEPT]
Authentication Fails Batch 1/30 Error -1 Serial Number 123456789ABC
[CANCEL]
[ACCEPT]
Once the full batch has been processed, or after the user cancels the batch loading operation, a batch summary screen will be shown. Batch Process Information Terminals Processed 30 Success 29 Fails 1 Time Elapsed 1260 seconds
[CANCEL]
[ACCEPT]
5.2 Exporting Log Files

Refer to section 4.5.1 for details on this functionality.
Page 33 / 35
6 ANNEX A. ENTERING KLA MODE IN SPIRE TERMINALS

6.1 Phoenix Terminals (SPw70, SPw60, SPc50, SPp30)
KLA is a system application and it is not available from app list on screen. To launch it please use the next sequence of keys.
The first screen showed is version of this application and a message about the state of the Transport Key. If the terminal is enabled and have a Transport Key installed it will show the following message. Keyloader APP v.1.8.0 TK Installed Checksum: ABCDEF
If the terminal is not enabled it will show the next message Keyloader APP v.1.8.0 TK not Installed !!
Pressing any key will prompt the user for which Serial port will be used to communicate with the MKLD. Use the numeric key pad to select one. Select COM Port 0. COM RS232 1. COM PINPAD
Page 34 / 35
By default on SPW70 the COM1 is only available by dock station. For development terminals you may also select COM2 (COM PINPAD), available on the side of the terminal.
COM RS232 COM PINPAD
ON SPC50 terminals both two ports are available directly in the back of terminal.
COM RS232
COM PINPAD
After select a valid port, the terminal will show the next screen. At this point the connection between the MKLD and the terminal will start. Waiting for Connection....... Press ESC to exit
Page 35 / 35
6.2 SPp10 Basic PIN Pad

For RS232 PIN Pads, no specific actions are required. They must be connected directly to the PIN PAD output of the MKLD.
MKLD PINPAD
For RS422 PIN Pads, an RS232-RS422 adapter and external power supply are required. The RS232 side of the adapter must be connected directly to the PIN PAD output of the MKLD.
7 ANNEX B. LOG FILE FORMAT AND MESSAGES

Log file is exported as an ascii text file with fields separated with the character;. Each line contains the next information: Date and time Users logged Action Action result Extra info
This is a sample log obtained after a complete and successful Distribute process on a terminal 2013-07-24 18:03:51;3|4;Batch End;0; 2013-07-24 18:04:13;3|4;Decrypt private certs;1084556536; 2013-07-24 18:04:13;3|4;Batch Start;0;1 2013-07-24 18:04:37;3|4;Auth session;0;1234567890123456 2013-07-24 18:04:53;3|4;Install TK;0;TK 5C0311, SN 1234567890123456 2013-07-24 18:05:05;3|4;Auth TK;0;TK 5C0311, SN 1234567890123456 2013-07-24 18:05:59;3|4;Batch Stop;0; 2013-07-24 18:05:59;3|4;Batch End;0;

PKLD Usage 2.03

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

PKLD Usage 2.03

Diunggah oleh

Hak Cipta:

Format Tersedia

Reference: Revision: Date: Distribution:

PKLD_USAGE 2.0.3 01/10/2013 Internal

PKLD USAGE ----HELP MANUAL

PKLD USAGE ----HELP MANUAL

PKLD USAGE ----HELP MANUAL

1 INTRODUCTION AND SCOPE

2.1 Modes of Operation

PKLD USAGE ----HELP MANUAL

2.2 Keyboard Use Description on PKLD Terminals

Other key functionalities of interest are:

Confirm function on edit and navigation mode

PKLD USAGE ----HELP MANUAL

3.1 User Login

PKLD USAGE ----HELP MANUAL

Login second user Input user name: admin1

Login second user Input user password: ********

3.2 User Logout

PKLD USAGE ----HELP MANUAL

Warning Press ACCEPT to logout

PKLD USAGE ----HELP MANUAL

4.1 Keys Manage. Internal Keys.

PKLD USAGE ----HELP MANUAL

PKLD USAGE ----HELP MANUAL

4.1.2 Installing the KPK.

Keys Manage 1. Internal Keys 2. Terminal Keys 1. 2. 3. 4.

PKLD USAGE ----HELP MANUAL

Save Spire KPK Select Generation Method 0.Manualy 1.Randomly

4.2 Key Management. Terminal Keys.

PKLD USAGE ----HELP MANUAL

PKLD USAGE ----HELP MANUAL

KeySet List 3/0/3 GENERIC PINPAD POS

The following drawings show an example of displayed screens:

Select 0. DES 1. DES 2. DES 3. DES

PKLD USAGE ----HELP MANUAL

New KeyEntry Input Slot ID: 13

New KeyEntry Select Pairing: 0. None 1. Yes

New KeyEntry Select Length: 0. 16 bytes 1. 24 bytes 2. 32 bytes

New KeyEntry Select EncMode 0. CBC 1. ECB

KeyEntry Metadata Save

PKLD USAGE ----HELP MANUAL

PKLD USAGE ----HELP MANUAL

KeyEntry Metadata Save

KeyEntry Metadata Save

The following drawings show an example of displayed screens:

Select 0. DES 1. DES 2. DES 3. DES

New KeyEntry Input Slot ID: 13

PKLD USAGE ----HELP MANUAL

New KeyEntry Select Pairing: 0. None 1. Yes

New KeyEntry Select Length: 0. 16 bytes

New KeyEntry Select EncMode 0. CBC 1. ECB

New KeyEntry Input TRSM Length (bits): 25

New KeyEntry Input Initial Value: 4 bytes 11223344

New KeyEntry Input Final Value: 4 bytes 55667788

New KeyEntry Input BDIndex: 5 bytes 1122334455

PKLD USAGE ----HELP MANUAL

KeyEntry Metadata Save

The following drawings show an example of displayed screens:

New KeyEntry Select Algorithm 0. AES_256_CBC mode

New KeyEntry Input Slot ID: 13

PKLD USAGE ----HELP MANUAL

New KeyEntry Select Pairing: 0. None 1. Yes

New KeyEntry Select Length: 0. 16 bytes 1. 24 bytes 2. 32 bytes