Phoenix : Triple DES (Double Length Keys) Roll out Plan

Title: Phoenix : Triple DES (Double Length Keys) Roll out Plan
Version: 1.0

This document and the information herein are the property of TPS Pakistan Pvt Ltd. and all
unauthorized use and reproduction is prohibited.
COPYRIGHT

2008 BY TPS PAKISTAN PVT LTD

ALL RIGHTS RESERVED

CONFIDENTIAL, UNPUBLISHED PROPERTY OF TPS PAKISTAN PVT LTD

Phoenix: Triple DES Roll out Plan

Revision History
Date

Revised by

Revision
Section

5th March

Nabeel
Ahsan

1, 2, 3, 4

Description

Page 3 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

Table of Contents

1. General Description...............................................................................3
1.1 Introduction...........................................................................................3
2. Pre- Requisite Security Procedures / Processes.................................3
2.1 HSM Migration.....................................................................................3
2.2 Key Management...........................................................................3
2.3 Keys Generation and Loading of Initial Keys at ATM.....4
3. Configuring PHOENIX for Triple DES.................................................. 6
4. Test Cases................................................................................................11

Page 4 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

1. General Description
With the increase in computer processing power an
attack on single length DES keys is becoming
feasible, causing a migration to double or triple
length DES keys.

1.1
Introduction

Page 5 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

2. Pre- Requisite Security

Procedures / Processes
The live HSM needs to be migrated to double length
keys and Triple DES compliant, through CS
(Configure Security Console Command), it is
expected that the bank contact their HSM vendor for
this task

2.1 HSM
Migration

The settings can be examined by the QS (Query

Security) Console command that the HSM has
indeed been migrated.

The bank will have to decide upon whether to have

unique Master Key per ATM or share the same Master
Key for all ATMs.

2.2 Key
Management

Unique Clear and Encrypted Key per ATM.

Share Clear and Encrypted Key for all ATM.

Incase of unique Master Key per ATM, the bank will

have to maintain separate key for each ATM, which
would mean generating a unique Master key each
ATM.
Otherwise, the key generation will be a one time
process and that Master key will be used by all ATM.
The two accompanying security form should be used
to record the clear and respective encrypted Master
Key.
1. Security Form For Double Length Clear Key
2. Security Form For Double Length Encrypted
Key

Page 6 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

First step is to generate a clear component from the
HSM. This can be achieved by issuing a command on
the HSM console GC.

2.3 Keys
Generation
and Loading
of Initial
Keys at ATM

Generate Key Component

Example:
Online> GC <Return>
Enter Key length [1, 2, 3]: 2 <Return>
Enter Key Type: 002 <Return>
Enter Key Scheme: U <Return>
Clear Component: XXXX XXXX XXXX XXXX XXXX
XXXX XXXX XXXX
Encrypted Component: XXXX XXXX XXXX XXXX
XXXX XXXX XXXX XXXX
Key check value: XXXXXX
The Clear Component from GC command will be the
Terminal Master Key (Clear). The key should be
recorded in the Security Form for Double Length
Clear Key.
The Clear Component from the GC command will
have to be entered at the ATM Key A slot. After
entering the key, the Key Check Value should be
matched to confirm that the key was entered
correctly.
Next we generate the Terminal Master Key
(Encrypted). For that we reuse the encrypted
component from the above GC command. For this
purpose, we use the FK command, as follows
Key from Components
Command: FK (can be used online and offline).
Example:
Online - AUTH > FK < Return >
Key Length [1, 2, 3]: 2 <Return>
Key type: 002 <Return>
Key Scheme: U<Return>
Component type [X, H, E, S]: E <Return>
Enter number of components (2-9): 1 < Return >
Enter component 1: U XXXX XXXX XXXX XXXX
XXXX XXXX XXXX XXXX

Page 7 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

Encrypted key: U YYYY YYYY YYYY YYYY YYYY YYYY
YYYY YYYY
Key check value: ZZZZ ZZ
The Encrypted Key from FK command will be the
Terminal Master Key (Encrypted). The key should be
recorded in the Security Form for Double Length
Encrypted Key.
The Encrypted Key from the FK command will have to
be entered into the appropriate ATM key in Phoenix.
After entering the key, the Key Check Value should be
matched to confirm that the key was entered
correctly.

Page 8 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

3. Configuring PHOENIX for

Triple DES
Configuring an ATM to double length in Phoenix is a
two step process:
1. Entering the Encrypted TMK in the appropriate
ATM ID.
2. Changing the Key type of the ATM from Single
Length to Double Length
The double length encrypted key (TMK) will be
entered through the PHOENIX USER INTERFACE
security manager menu.

3.1 Adding
Double
Length
Encrypted
Key (TMK)
for Any ATM

The double length key, encrypted under an

appropriate pair of LMK, will be the one as returned
from the FK HSM console command output.
These keys will have to be entered by any of the
concerned ATM operation department personnel, who
are having rights for modifying keys in the SECURITY
MANAGER menu of PHOENIX.
Following snap shot, describe how to navigate to the
DOUBLE LEN: TERMINAL MASTER KEY menu
option in phoenixs User Interface itself:
PHOENIX SECURITY > HSM Keys > Double Len: Terminal Master
Key

Page 9 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

After entering into the Double Len: Terminal Master

Key form option, the following top down list of ATM
selection will appear , which can be used , to select
the required ATM, for which double length keys needs
to be entered :-

Upon selecting the desired ATM ID, another dialogue box

will then appear, displaying the ATM- ID, which has been so
selected. Upon confirmation, a dialogue box will again reappear, informing us of any of the two below given facts:

Key Already Exists, Do you want to Overwrite?

Entering Keys first time...

Page 10 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

If, it has been decided that keys will be entered, a following
form will then appear, for entering the desired double

length encrypted key:

Upon successfully entering and confirming component 1
and component 2, a key check value (KCV), will then
be displayed, that should be exactly the same, as returned
from FK command executed on the HSM and the one
written down in the HSM security form for 3DES Key
Components.
Following is a sample screen shot:

Page 11 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

If the key check value, so displayed, does not matches

the previous key check value of FK, the double
length encrypted keys, can then again be entered , by
selecting the CANCEL option , in the latter form.
This parameter will then decide that whether single
length or double length keys should be used for
performing transactions. The Key download
option, when done for double length keys, allows
remote DES key loading.

3.2
Modifying
ATM
Controller
parameters
for Double
length key
Operations:

The Key length can be changed by following the path:

MAIN MENU MANAGER ATM MANAGER
CONFIGUREMODIFY NDC ATM Appl. Specific
Params (sub form)

On selecting the MODIFY button, a form illustrated as

below will appear:

Page 12 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

After COMMITING changes, on the above given ATM

modify form, an NDC ATM Appl. Specific Params
form will appear, snap shot is attached herewith:

Page 13 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

The KEY Length field, is the length field, that

defines, whether double length encrypted key, is to be
used for PIN related transaction operations or for
KEY DOWNLOAD operation.
The KEY Length field can only take the following
valid values, for defining the concerned keys length:

s or S Single length keys

D or d Double length keys

The default value / current value, of the key length

field will be s or S for any of the given ATM.
Values other than the above, will eventually result in
the configuration of default single-length keys, for the
concerned given ATM, assigned the parameter S.

3.3 Sending
KEY
DOWNLOAD
(Key
Loading) to
the Migrated
ATM

Once the Key Length has been modified to Double

Length and the Terminal Master Key has been
entered, we have to perform the Key download
procedure.

Page 14 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

Page 15 of 16
2008 TPS Pakistan Pvt Ltd

Phoenix: Triple DES Roll out Plan

4. Test Cases
The following generic test cases will be specifically
carried out, after a successful migration of any of the
concerned ATMs. Kindly note that the below given
test cases / transactions, are MANDATORY to be
tested out by the concerned personnel, and are
generic for any of the implemented banks. Perform:

Pin Validation for on-us customer. (Positive and

negative test case both).

Key Download Operation, for double length

keys.

PIN change.

PIN block translation for off-us customer.

Any other transactions that require PIN block

translation, for interfacing with any of the 3rd
party systems/ servers.

Page 16 of 16
2008 TPS Pakistan Pvt Ltd