PKLD USAGE
____________
HELP MANUAL
____________
THE INFORMATION CONTAINED IN THIS DOCUMENT IS PROPERTY OF SPIRE PAYMENTS AND MAY NOT BE USED, COPIED, DISCLOSED OR DIVULGED, IN WHOLE OR IN PART, FOR ANY PURPOSE BY ANY PERSON WITHOUT THE WRITTEN APPROVAL OF SPIRE PAYMENTS.
Page 2 / 35
RECORD OF REVISIONS

Revision  Date         Writer             Object of Evolution
02.00     18-Jul-2013  Juan R Mudarra     Initial version
02.01     30-Jul-2013  Antonio G. Lomea   Added section 4.3.1.2 KeyEntry
02.02     05-Sep-2013  Juan R Mudarra     Added more info on KLD Settings
02.03     01-Oct-2013  Juan R Mudarra     Added section 4.2.1.5 Import HKS files
APPROVAL
Name        Beatriz Delgado
Department  Software Platform
Function    Software Platform Director
Date        01-Oct-2013
DISTRIBUTION LIST:
TABLE OF CONTENTS

1 INTRODUCTION AND SCOPE ........................................ 4
2 FUNCTIONAL SUMMARY ............................................ 4
  2.1 Modes of Operation ......................................... 4
  2.2 Keyboard Use Description on PKLD Terminals ................. 5
3 PKLD INITIALISATION ........................................... 6
  3.1 User Login ................................................. 6
  3.2 User Logout ................................................ 7
4 ADMINISTRATOR MODE ............................................ 8
  4.1 Keys Manage. Internal Keys. ................................ 9
    4.1.1 Installing the STMK .................................... 9
    4.1.2 Installing the KPK ..................................... 11
  4.2 Key Management. Terminal Keys. ............................. 12
    4.2.1 Keys Manage ............................................ 12
      4.2.1.1 KeySet ............................................. 12
      4.2.1.2 KeyEntry ........................................... 13
        4.2.1.2.1 Add ............................................ 13
        4.2.1.2.2 Modify Metadata ................................ 21
        4.2.1.2.3 Modify KeyData ................................. 22
        4.2.1.2.4 Delete ......................................... 23
      4.2.1.3 Import KeyStore .................................... 24
      4.2.1.4 Export KeyStore .................................... 24
      4.2.1.5 Import HKS files ................................... 24
  4.3 User Management ............................................ 25
    4.3.1 Adding Users ........................................... 25
    4.3.2 Modifying Users ........................................ 26
    4.3.3 Deleting Users ......................................... 27
  4.4 KLD Settings ............................................... 28
    4.4.1 Set Date time .......................................... 28
    4.4.2 Terminal Info .......................................... 28
    4.4.3 Max Frame Size ......................................... 28
    4.4.4 Pin Pad Baudrate ....................................... 28
    4.4.5 Input Mode ............................................. 28
    4.4.6 Barcode port ........................................... 29
    4.4.7 Barcode Baudrate ....................................... 29
  4.5 Log Management ............................................. 29
    4.5.1 Exporting Log files .................................... 29
    4.5.2 Deleting Log Files ..................................... 30
5 OPERATOR MODE ................................................. 30
  5.1 Distributing Keys .......................................... 31
  5.2 Exporting Log Files ........................................ 32
6 ANNEX A. ENTERING KLA MODE IN SPIRE TERMINALS ................. 33
  6.1 Phoenix Terminals (SPw70, SPw60, SPc50, SPp30) ............. 33
  6.2 SPp10 Basic PIN Pad ........................................ 35
7 ANNEX B. LOG FILE FORMAT AND MESSAGES ......................... 35
2 FUNCTIONAL SUMMARY
The PKLD provides the functionality of verifying a device's unique Transport Key and injecting Acquirer keys into all Spire devices, using local serial communication links. The list of supported devices is:
- SPp10 Basic Pin Pad
- SPp30 Retail Pin Pad
- SPc50 Countertop POS
- SPw60 Portable POS
- SPw70 Mobile POS
a. Key Distribution: verifying transport keys on a given number of devices and injecting some groups of Acquirer keys, named Keysets.
b. Log Export: allows exporting the operating logs of the MKLD. Logs must be periodically extracted and kept to generate an audit trail of its usage, according to the relevant operational procedures.

The following sections document the operation of each of the functionalities of the MKLD.
- Cancel or Escape function in edit mode; returns to the previous menu in navigation mode.
- Backspace function, to remove data in edit mode.
- Change keyboard edit mode: numeric, alphanumeric lowercase, alphanumeric uppercase. The input method currently selected is shown at the top right of the input dialog box: [123] for numeric input, [abc] for alphanumeric lowercase input and [ABC] for alphanumeric uppercase input.
- Special characters in alphanumeric edit mode: in alphanumeric uppercase, [ABC], the characters + ; ? - are available; in alphanumeric lowercase, [abc], the characters . : , - are available.
3 PKLD INITIALISATION
The PKLD application runs directly after terminal startup, showing the next screen. This screen is also shown whenever no users are logged into the terminal.

    PKLD ver 2.4.0
    2013-07-18 11:37:49

Pressing any key, the terminal will show a message dialog to log in to the terminal.
The PKLD login procedure is shown in the following screenshots.

    Login first user               [123]
    Input user name: admin1
    [CANCEL]                     [ACCEPT]

    Login first user               [123]
    Input user password: ********
    [CANCEL]                     [ACCEPT]
At its first initialisation, the terminal has these users enabled, with pre-expired passwords:
- User: admin1, password: SP00001111
- User: admin2, password: SP00002222

The PKLD will force administrators to change their password the first time they log in. The next screens show the prompts for the password change:

    Warning
    Preexpired password!!
    [CANCEL]                     [ACCEPT]

    Edit Login: admin1             [123]
    Input user password
    ********
    [CANCEL]                     [ACCEPT]

    Edit Login: admin1             [123]
    Input again user password
    ********
    [CANCEL]                     [ACCEPT]
A successful login by two users with the same role (Administrators or Operators) will give access to their operation mode main menu.
    [CANCEL]                     [ACCEPT]
If ACCEPT is pressed, the logout operation will complete and the initialisation screen will be shown. If CANCEL is pressed, then the user is taken back to the main menu of the current mode of operation.
4 ADMINISTRATOR MODE
The following functionalities are available for PKLD administrators:
a. Key Management:
   a. Modify the Spire Transport Master Key. This functionality is intended for authorised Spire Key Custodians only and MUST NEVER be used by other personnel.
   b. Modify the Key Protection Key, which is responsible for protecting all sensitive data in the terminal.
   c. Modify the PBDK, which is used in the special PIN Pad pairing process.
   d. Manage the keys provided by acquirers, which can be installed into any type of Spire terminal. This option permits adding, modifying and erasing any type of key supported by Spire terminals. It is also possible to create groups to select several keys.
b. User Management: allows the creation, modification and deletion of administrators and operators.
c. KLD Settings: allows the modification of the basic operating parameters of the PKLD, such as date and time.
d. Log Management: allows exporting and deleting the operating logs of the PKLD. Logs must be periodically extracted and kept to generate an audit trail of its usage, according to the relevant operational procedures.

The main menu screen is shown in the next figure.

    Administrator Menu
    1. Keys Manage
    2. Users Manage
    3. KLD Settings
    4. Log Manage
If option 1. Keys Manage and then 1. Internal Keys is selected from the Administrator Menu, the following screens give access to the modification of the STMK.

    Keys Manage
    1. Internal Keys
    2. Terminal Keys
    [CANCEL]                     [ACCEPT]

    Internal Keys Manage
    1. Spire Transport Master Key
    2. Spire Key Protection Key
    3. PinPad Pairing Base D. Key
    4. HKS file Key
The PKLD will show the checksum of the STMK (3 bytes).

    STMK Checksum
    ABCDEF
    [CANCEL]                     [ACCEPT]
If the ACCEPT (enter) button is pressed, the PKLD will request the number of components of the key to be loaded. This value MUST be between 2 and 10.

    Spire Transport MK             [123]
    Select number of components
    2
    [CANCEL]                     [ACCEPT]

The PKLD will then request each 24-byte component in groups of 8 bytes; the next dialog is shown each time a component is entered.

    STMK                           [123]
    Component 0
    Key Chsum ABCDEF

    input key component 0 (24 bytes)
    Input data from 0 to 7:   1234567890ABCDEF
    Input data from 8 to 15:  1234567890ABCDEF
    Input data from 16 to 24: 1234567890ABCDEF
    [CANCEL]                     [ACCEPT]

After all components have been input, the PKLD will show the full key checksum and, if accepted, will commit the changes to the STMK.

IMPORTANT NOTE: Key components are XORed together to produce the final STMK. It is assumed that each key component is input by a different custodian, all under the supervision of a PKLD administrator.
IMPORTANT NOTE: Byte endianness is interpreted as follows:

    Byte 0 ..... Byte 7 | Byte 8 ..... Byte 15 | Byte 16 ..... Byte 23

i.e. the byte marked as byte 0 is the MSB of the key.

IMPORTANT NOTE: The STMK in the PKLD is only modified if the whole process is completed and the key checksum shown at the end is accepted. Otherwise, no changes are committed to the PKLD's internal keystore.
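As an added example (not part of this manual and not Spire Payments' code), the following Python code reproduces the component-entry rule described above: each custodian types a component as 8-byte hex groups with byte 0 as the most significant byte, between 2 and 10 components are accepted, and the key is the XOR of all of them. It goes slightly beyond the STMK screens by accepting the 16-, 24- and 32-byte lengths offered by the Select Length screen of section 4.2.1.2.3, which uses the same component entry. The helper names and the sample component values are assumptions; the 3-byte checksum shown by the PKLD is not reproduced because the manual does not state how it is computed.

```python
"""Added example: combining XOR key components as the PKLD key-entry screens describe.
Not code from the manual or from Spire Payments; helper names and sample values are assumptions."""
from typing import Sequence

GROUP_LEN = 8                 # each 'Input data from N to N+7' prompt takes 8 bytes (16 hex digits)
KEY_LENGTHS = (16, 24, 32)    # lengths offered by the 'Select Length' screen (2, 3 or 4 groups)
MIN_COMPONENTS = 2            # limits stated by the manual
MAX_COMPONENTS = 10


def parse_component(groups: Sequence[str]) -> bytes:
    """Assemble one key component from the 8-byte hex groups typed at the
    'Input data from 0 to 7', '8 to 15', ... prompts.

    Groups are concatenated in the order entered, so the first byte of the
    first group is byte 0, the most significant byte of the key (big-endian),
    exactly as the endianness note defines it."""
    component = bytearray()
    for index, group in enumerate(groups):
        try:
            raw = bytes.fromhex(group)
        except ValueError:
            raise ValueError(f"group {index} is not valid hex: {group!r}") from None
        if len(raw) != GROUP_LEN:
            raise ValueError(f"group {index} must be {GROUP_LEN} bytes, got {len(raw)}")
        component += raw
    if len(component) not in KEY_LENGTHS:
        raise ValueError(f"component length {len(component)} not in {KEY_LENGTHS}")
    return bytes(component)


def combine_components(components: Sequence[bytes]) -> bytes:
    """XOR all components together to obtain the final key.

    The result is as unpredictable as the most random single component, so no
    custodian learns the key from the component they typed; that is why the
    manual wants each component entered by a different person."""
    if not MIN_COMPONENTS <= len(components) <= MAX_COMPONENTS:
        raise ValueError(
            f"number of components must be between {MIN_COMPONENTS} and {MAX_COMPONENTS}")
    length = len(components[0])
    key = bytes(length)
    for index, component in enumerate(components):
        if len(component) != length:
            raise ValueError(f"component {index} has {len(component)} bytes, expected {length}")
        key = bytes(a ^ b for a, b in zip(key, component))
    return key


def key_from_custodian_inputs(inputs: Sequence[Sequence[str]]) -> bytes:
    """Run the whole entry sequence: one list of hex groups per custodian."""
    return combine_components([parse_component(groups) for groups in inputs])


if __name__ == "__main__":
    # Constructed sample components (not real key material), entered as on the STMK screens.
    custodian_inputs = [
        ["1234567890ABCDEF", "1234567890ABCDEF", "1234567890ABCDEF"],
        ["FEDCBA0987654321", "FEDCBA0987654321", "FEDCBA0987654321"],
    ]
    print(key_from_custodian_inputs(custodian_inputs).hex().upper())
```

Every validation failure raises before any XOR is done, mirroring the manual's rule that nothing is committed unless the whole process completes.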
    Internal Keys Manage
    1. Spire Transport Master Key
    2. Spire Key Protection Key
    3. PinPad Pairing Base D. Key
    4. HKS file Key

The PKLD will show the checksum of the KPK (3 bytes).

    KPK Checksum
    ABCDEF
    [CANCEL]                     [ACCEPT]

If the ACCEPT (enter) button is pressed, the PKLD will request the method used to introduce the value of the KPK. We recommend the Manually method, so that a backup of the KeyStore can be recovered if the terminal loses its keys.
If option 0. Manually is selected, the PKLD will request the number of components of the key to be loaded. This value MUST be between 2 and 10.

If option 3. PinPad Pairing Base Derivation Key or option 4. HKS file Key is selected from the Administrator Menu, the same screens as in the KPK option appear on the PKLD.

The KeyStore contains two kinds of item: KeyEntry, which stores all the metadata and key data related to an Acquirer key, and KeySet, which is used to group a list of KeyEntries.
4.2.1.1 KeySet
With option 1. KeySet the PKLD allows adding, modifying and deleting KeySets in the Keystore. These items are used to group individual KeyEntries into sets of keys.

    KeySet Manage
    1. Add
    2. Modify
    3. Delete
If option 1. Add is selected, the PKLD will request the data required for a new Keyset:

    New KeySet                     [123]
    Input Keyset name: New KeySet

    New KeySet
    Select Keyset Arch
    0. Generic
    1. POS
    2. PINPad

    KeySet Save
    Confirm to save this data
    Name: POS_Keyset
    Arch: POS
    [CANCEL]                     [ACCEPT]

If option 2. Modify is selected, the PKLD shows a list of the Keysets created, to select one of them. Use the arrow keys to move through the list and the ENTER key to select the highlighted item. If the list exceeds the screen dimensions, use the * key to move to the previous screen or the # key to move to the next screen. Once a Keyset has been selected, the PKLD will request each data item saved in the selected Keyset; you can modify the Keyset name, the Keyset architecture, or both.

If option 3. Delete is selected, the PKLD will show a list of the Keysets created, to select which one will be deleted.
4.2.1.2 KeyEntry
If option 1. KeyEntry is selected on the KeyStore, the PKLD will show a list of the created KeySets to select one of them, and will manage only the KeyEntries associated to this KeySet. The available operations on the selected KeySet are adding a new KeyEntry, modifying the key metadata, modifying (introducing) the key data and deleting the KeyEntry.

    KeyEntry Manage: POS
    1. Add
    2. Modify Metadata
    3. Modify KeyData
    4. Delete

4.2.1.2.1 Add
With option 1. Add a list of KeySets is shown, to select the one where the new KeyEntry will be added:
After selecting the KeySet, the user must choose the KeyEntry type: Master key, DUKPT key or AES key.

    New KeyEntry
    Select Type
    0. Master Session
    1. DUKPT Session
    2. AES Key

4.2.1.2.1.1 Master session/Fixed key

With the Master Session key, the user must choose values for the following parameters:
o Algorithm mode
o Key Usage
o Slot ID (0 to 253)
o PIN Pad Pairing flag
o Key length
o Key encryption mechanism (the mode of operation used to encrypt Key Data with the Encrypting KPK)
o Derivation Mechanism

    New KeyEntry
    Select Usage
    0. Master Key PIN encryption
    1. Master Key Data Encryption
    2. Master Key Data Enc and Dec
    3. Master Key MAC Generation
    4. Master Key transport
    5. Master Key TR31 key transport
    6. Fixed Key PIN Encryption
    7. Fixed Key Data Encryption
    8. Fixed Key Data Enc and Dec

    New KeyEntry
    Algorithm
    CBC mode
    EBC mode
    CFB mode
    OFB mode
    New KeyEntry
    Select DerivationMechanism
    0. None
    1. Acquirer Serial Number
    2. Terminal Serial Number

At the end, the PKLD will show a summary of the chosen options (the example below shows the case of a FIXED key with no derivation mechanism):

    Confirm to save this data
    Keyset: POS
    Type: Master Session
    Algorithm DES CBC mode
    Usage Master Key PIN Encryption
    Slot index: 13
    Flag Paring: None
    Length: 16 bytes
    EncMode: CBC
    Derivation Mechanism: None
    [CANCEL]                     [ACCEPT]
The summary screen for a Master Session key with a Serial Number derivation mechanism would look similar to the example below:

    KeyEntry Metadata Save
    Confirm to save this data
    Keyset: POS
    Type: Master Session
    Algorithm DES CBC mode
    Usage Master Key PIN Encryption
    Slot index: 13
    Flag Paring: None
    Length: 16 bytes
    EncMode: CBC
    Derivation Mechanism: Terminal Serial Number
    Derivation Mode CBC
    [CANCEL]                     [ACCEPT]

If Acquirer Serial Number is selected as the Derivation Mechanism, the user must choose the derivation mode and the initial and final Acquirer Serial Numbers, as illustrated in the example below:

    New KeyEntry
    Select Derivation Mode
    0. CBC
    1. ECB

    Input Initial ASN (24)         [123]
    Input data from 0 to 7:   1111111111111111
    Input data from 8 to 15:  1111111111111111
    Input data from 16 to 23: 1111111111111111

    Input Final ASN (24)           [123]
    Input data from 0 to 7:   D000000000000000
    Input data from 8 to 15:  D000000000000000
    Input data from 16 to 23: D000000000000000
    Confirm to save this data
    Keyset: POS
    Type: Master Session
    Algorithm DES CBC mode
    Usage Master Key PIN Encryption
    Slot index: 13
    Flag Paring: None
    Length: 16 bytes
    EncMode: CBC
    [CANCEL]                     [ACCEPT]

    Confirm to save this data
    Derivation Mechanism: Acquirer Serial Number
    Derivation Mode: CBC
    Initial ASN: 1111111111111111 1111111111111111 1111111111111111
    Final ASN:   D000000000000000 D000000000000000 D000000000000000
    [CANCEL]                     [ACCEPT]

4.2.1.2.1.2 DUKPT Key

With the DUKPT key, the user must choose values for the following parameters:
o Algorithm mode
o Slot ID (0 to 253)
o PIN Pad Pairing flag
o Key length
o Key encryption mechanism (the mode of operation used to encrypt Key Data with the Encrypting KPK)
o TRSM length (between 0 and 59 bits)
o Initial and final TRSM values
o Base Derivation Key index value

    New KeyEntry
    Algorithm
    CBC mode
    EBC mode
    CFB mode
    OFB mode
At the end, the PKLD will show a summary of the chosen options:
    Confirm to save this data
    Keyset: POS
    Type: DUKPT Session
    Algorithm DES CBC mode
    Usage Master Key PIN Encryption
    Slot index: 13
    Flag Pairing: None
    Length: 16 bytes
    EncMode: CBC
    TRSM Length: 25
    Initial Value: 11223344
    Final Value: 55667788
    B.D. Key Index: 1122334455
    [CANCEL]                     [ACCEPT]
4.2.1.2.1.3 AES Key

With the AES key, the user must choose values for the following parameters:
o Algorithm mode
o Slot ID (0 to 253)
o PIN Pad Pairing flag
o Key length
o Key encryption mechanism (the mode of operation used to encrypt Key Data with the Encrypting KPK)
At the end, the PKLD will show a summary of the chosen options:
    Confirm to save this data
    Keyset: POS
    Type: AES Key
    Algorithm AES_256_CBC mode
    Usage Master Key PIN Encryption
    Slot index: 13
    Flag Paring: None
    Length: 16 bytes
    EncMode: CBC
    [CANCEL]                     [ACCEPT]
4.2.1.2.2 Modify Metadata

After selecting this option, the user is shown a list of the available KeyEntries for the chosen KeySet:

    KeyEntry List
    000015|MKSK |M PIN
    000016|MKSK |M PIN
    000017|MKSK |M PIN
    000018|MKSK |M PIN
    000019|DUKPT|M PIN
    000020|DUKPT|M PIN
    000021|AES  |M PIN

Each row in the list shows four fields:
1. Internal database unique identifier for the given key entry
2. Key type
3. Key algorithm
4. Key checksum value

Key entries for which no key value has been introduced yet will show a 0 value in the Key checksum field. The user can then select any row, and a list of the fields that can be edited will be shown. The following drawings show an example:

    KeyEntry List                  1/0/7
    Select Metadata Field
    0. Keyset
    1. Type
    2. Algorithm
    3. Usage
    4. Slot ID
    5. F Pairing

    KeyEntry List                  1/0/7
    Select Metadata Field
    0. M Der Mechanism
    1. M Der Mode
4.2.1.2.3 Modify KeyData

After selecting this option, the user is shown a list of the available KeyEntries for the chosen KeySet:

    KeyEntry List                  1/0/7
    000015|MKSK |M PIN Enc|A65704
    000016|MKSK |M PIN Enc|000000
    000017|MKSK |M PIN Enc|000000
    000018|MKSK |M PIN Enc|000000
    000019|DUKPT|M PIN Enc|000000
    000020|DUKPT|M PIN Enc|000000
    000021|AES  |M PIN Enc|000000

Each row in the list shows four fields:
1. Internal database unique identifier for the given key entry
2. Key type
3. Key algorithm
4. Key checksum value

Key entries for which no key value has been introduced yet will show a 0 value in the Key checksum field. The user can then select any row, and a series of screens will be shown to introduce values for the Key data parameters. Among others, the user will need to introduce the number of components (minimum 2) that make up the whole key. The following drawings show an example:

    Edit KeyEntry: 16
    Select Length
    0. 16 bytes
    1. 24 bytes
    2. 32 bytes

    KeyData 16
    input key Component 0 (24 bytes):
    Input data from 0 to 7:   1111111111111111
    Input data from 8 to 15:  2222222222222222
    Input data from 16 to 24: 3333333333333333
    KeyData 16
    input key Component 1 (24 bytes):
    Input data from 0 to 7:   4444444444444444
    Input data from 8 to 15:  5555555555555555
    Input data from 16 to 24: 6666666666666666
    [CANCEL]                     [ACCEPT]

At the end, a confirmation screen summarising the values of the Key data will be shown.

    KeyEntry KeyData Save
    Confirm to save this data
    EncMode: CBC
    Length: 24 bytes
    Check Value: A65704
    [CANCEL]                     [ACCEPT]
4.2.1.2.4 Delete

After selecting this option, the user is shown a list of the available KeyEntries that can be deleted for the chosen KeySet:

    KeyEntry List                  1/0/7
    000015|MKSK |M PIN Enc|A65704
    000016|MKSK |M PIN Enc|000000
    000017|MKSK |M PIN Enc|000000
    000018|MKSK |M PIN Enc|000000
    000019|DUKPT|M PIN Enc|000000
    000020|DUKPT|M PIN Enc|000000
    000021|AES  |M PIN Enc|000000

Each row in the list shows four fields:
1. Internal database unique identifier for the given key entry
2. Key type
3. Key algorithm
4. Key checksum value

Key entries for which no key value has been introduced yet will show a 0 value in the Key checksum field. Once a KeyEntry has been selected, a confirmation screen will be shown:

    [CANCEL]                     [ACCEPT]
Note that:
- Each user is assigned a single role, either operator (0, oper) or administrator (1, admin).
- User names MUST be 8 alphanumeric characters long (lower and upper case).
- Passwords MUST be 10 alphanumeric characters long (lower and upper case).

Once all user details have been input, a summary screen will request confirmation before creating the new user. If the prompt is accepted, the new user will be created.
    Login Save
    Confirm to save this data
    Role: 0
    Name: MYNEWUSR
    Passwd: **
    [CANCEL]                     [ACCEPT]
Selecting a user with the ACCEPT (Enter) key will initiate a prompt to modify the user details as seen in the following figure. Note that confirmation of the new data is requested after each detail change. Once accepted, the change is committed to the user database, thus allowing independently changing each of the details of a user.
    Edit Login: admin2             [123]
    Input user name: admin002
    [CANCEL]                     [ACCEPT]

    Login Save
    Confirm to save this data
    Name: admin002
    [CANCEL]                     [ACCEPT]
Note that:
- Each user is assigned a single role, either operator (0.Operator) or administrator (1.Administrator).
- User names MUST be 8 alphanumeric characters long (lower and upper case).
- Passwords MUST be 10 alphanumeric characters long (lower and upper case).

Once all user details have been input, a summary screen will request confirmation before creating the new user.

    Login Save
    Confirm to save this data
    Role: Operator
    Name: MYNEWUSR
    Passwd: **
    [CANCEL]                     [ACCEPT]
Selecting a user with the ACCEPT (Enter) key will initiate a prompt to confirm the user deletion. If accepted, the user will be deleted.

    Warning
    Confirm to delete: oper0002
    [CANCEL]                     [ACCEPT]
If the USB disk is found and has enough free space, the KLD will copy the log into a file named kld_log.txt in the root directory of the USB disk.
    Export Log
    The USB Disk can now safely be removed from the terminal
    [CANCEL]                     [ACCEPT]

    Press log delete
    [CANCEL]                     [ACCEPT]
5 OPERATOR MODE
The following functionalities are available for PKLD operators:
a. Key Distribution: distribute transport keys to a given number of devices.
b. Log Export: allows exporting the operating logs of the PKLD. Logs must be periodically extracted and kept to generate an audit trail of its usage, according to the relevant operational procedures.

The main menu screen is shown in the next figure.

    Operator Menu
    1. Distribute
    2. Log Export
The meaning of the three numbers appearing in the title is: Selected item / Page number / Total number of items.

Each selected Keyset is removed from the list of remaining available Keysets. This goes on until the user presses the CANCEL key. At that moment, the full list of Keysets selected for key loading will be displayed for acceptance.

    [CANCEL]                     [ACCEPT]

Once the list of Keysets has been confirmed, the following information will be requested from the operator:
- The number of terminals to be loaded in one batch.

    Distribute                     [123]
    Select number of terminals
    30
Once this information has been input, the distribution process for each terminal will take place and a short status message for each terminal in the batch will be shown. Pressing ACCEPT in this status screen makes the MKLD continue with the next terminal in the batch, while pressing CANCEL stops the loading process and shows the batch summary screen before going back to the operator main menu.

    Authentication Success
    Batch 1/30
    Serial Number 123456789ABC
    TK checksum AABBCC
    Keyset 7 err 0
    Keyset 8 err 0
    [CANCEL]                     [ACCEPT]

Once the full batch has been processed, or after the user cancels the batch loading operation, a batch summary screen will be shown.

    Batch Process Information
    Terminals Processed 30
    Success 29
    Fails 1
    Time Elapsed 1260 seconds
    [CANCEL]                     [ACCEPT]
The first screen shown is the version of this application and a message about the state of the Transport Key. If the terminal is enabled and has a Transport Key installed, it will show the following message:

    Keyloader APP v.1.8.0
    TK Installed
    Checksum: ABCDEF

If the terminal is not enabled, it will show the next message:

    Keyloader APP v.1.8.0
    TK not Installed !!

Pressing any key will prompt the user for the serial port to be used to communicate with the MKLD. Use the numeric keypad to select one.

    Select COM Port
    0. COM RS232
    1. COM PINPAD
By default, on the SPw70 COM1 is only available through the docking station. On development terminals you may also select COM2 (COM PINPAD), available on the side of the terminal.

On SPc50 terminals both ports are available directly on the back of the terminal.

    [Figure: COM RS232 and COM PINPAD port locations]

After selecting a valid port, the terminal will show the next screen. At this point the connection between the MKLD and the terminal will start.

    Waiting for Connection.......
    Press ESC to exit
    [Figure: MKLD to PINPAD connection]
For RS422 PIN Pads, an RS232-RS422 adapter and external power supply are required. The RS232 side of the adapter must be connected directly to the PIN PAD output of the MKLD.
This is a sample log obtained after a complete and successful Distribute process on a terminal:

    2013-07-24 18:03:51;3|4;Batch End;0;
    2013-07-24 18:04:13;3|4;Decrypt private certs;1084556536;
    2013-07-24 18:04:13;3|4;Batch Start;0;1
    2013-07-24 18:04:37;3|4;Auth session;0;1234567890123456
    2013-07-24 18:04:53;3|4;Install TK;0;TK 5C0311, SN 1234567890123456
    2013-07-24 18:05:05;3|4;Auth TK;0;TK 5C0311, SN 1234567890123456
    2013-07-24 18:05:59;3|4;Batch Stop;0;
    2013-07-24 18:05:59;3|4;Batch End;0;
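As an added example (not part of this manual and not Spire Payments' code), the following Python parser reads log lines in the Annex B format above, splits each into its five ';'-separated fields, groups the records into batches from Batch Start to Batch End, extracts the serial number and TK checksum of each Install TK record, and flags records whose status field is not 0, which is the kind of check someone reviewing an exported kld_log.txt for the audit trail would want. The sample lines are the ones printed in Annex B; the field names and the meaning assigned to the second field (the '3|4' value) are assumptions, because the page does not carry Annex B's field descriptions.

```python
"""Added example: parser and audit checks for the PKLD/MKLD log format shown in Annex B.
Not code from the manual or from Spire Payments; field names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# The sample log lines printed in Annex B of the manual.
SAMPLE_LOG = """\
2013-07-24 18:03:51;3|4;Batch End;0;
2013-07-24 18:04:13;3|4;Decrypt private certs;1084556536;
2013-07-24 18:04:13;3|4;Batch Start;0;1
2013-07-24 18:04:37;3|4;Auth session;0;1234567890123456
2013-07-24 18:04:53;3|4;Install TK;0;TK 5C0311, SN 1234567890123456
2013-07-24 18:05:05;3|4;Auth TK;0;TK 5C0311, SN 1234567890123456
2013-07-24 18:05:59;3|4;Batch Stop;0;
2013-07-24 18:05:59;3|4;Batch End;0;
"""


@dataclass
class LogRecord:
    timestamp: datetime
    session: str   # second field ("3|4" in the sample); assumed to identify the logged-in user pair
    event: str
    status: int    # 0 on every step of the successful batch in the sample
    detail: str    # free text: serial number, TK checksum, batch size, ...


@dataclass
class Batch:
    records: List[LogRecord] = field(default_factory=list)
    closed: bool = False

    @property
    def duration_seconds(self) -> int:
        return int((self.records[-1].timestamp - self.records[0].timestamp).total_seconds())


def parse_line(line: str) -> LogRecord:
    """Split one 'timestamp;session;event;status;detail' line; reject malformed lines loudly."""
    parts = line.rstrip("\r\n").split(";")
    if len(parts) != 5:
        raise ValueError(f"expected 5 ';'-separated fields, got {len(parts)}: {line!r}")
    timestamp, session, event, status, detail = parts
    return LogRecord(datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S"),
                     session, event, int(status), detail)


def parse_log(text: str) -> List[LogRecord]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def split_batches(records: List[LogRecord]) -> List[Batch]:
    """Group records from 'Batch Start' up to the matching 'Batch End'.
    Records seen before the first 'Batch Start' (the tail of an earlier batch) are ignored."""
    batches: List[Batch] = []
    current: Optional[Batch] = None
    for record in records:
        if record.event == "Batch Start":
            current = Batch()
            batches.append(current)
        if current is None or current.closed:
            continue
        current.records.append(record)
        if record.event == "Batch End":
            current.closed = True
    return batches


def nonzero_status(records: List[LogRecord]) -> List[LogRecord]:
    """Records whose status field is not 0. In the sample the 'Decrypt private certs' line carries a
    non-zero value although the run succeeded, so treat these as items to review, not as proof of failure."""
    return [r for r in records if r.status != 0]


def installed_transport_keys(records: List[LogRecord]) -> Dict[str, str]:
    """Serial number -> TK checksum for every 'Install TK' record ("TK 5C0311, SN 1234...")."""
    result: Dict[str, str] = {}
    for record in records:
        if record.event == "Install TK":
            fields = dict(item.strip().split(" ", 1) for item in record.detail.split(","))
            result[fields["SN"]] = fields["TK"]
    return result


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for batch in split_batches(recs):
        print(f"batch of {len(batch.records)} events, closed={batch.closed}, {batch.duration_seconds} s")
    print("review:", [(r.event, r.status) for r in nonzero_status(recs)])
    print("loaded:", installed_transport_keys(recs))
```

Matching the serial numbers returned by installed_transport_keys against the list of terminals the operator was expected to load, and comparing the number of closed batches with the Batch Process Information screen, is a straightforward way to reconcile the exported log with the key-loading session.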