Glossary

Authorised State

The HSM must be set into the Authorised state before certain ‘privileged’ functions can be performed. This can be achieved only by Authorising Officers using their Passwords or Smartcards. The Authorized state is required for all operations that are more sensitive than normal, such as the entry of ZMK components and any other functions that involve clear (unencrypted) secret data.

Card Account Number

Primary Account Number (PAN) as embossed on the plastic card.

Cardholder-Selected PIN

A PIN created by the cardholder. This provides an opportunity for the cardholder to create a PIN that can be easily remembered (instead of using an arbitrary combination of numbers allocated by the card issuer).

Component

A value which, when combined with other similar values, forms a key. The method of combination is the exclusive-OR function. For example, three Secret Values are components of an HSM Local Master Key or a Zone Master Key.

Derived PIN

A PIN that has been derived from a value associated with a particular cardholder. The value is usually the cardholder’s account number.

DES Key

A secret 56-bit value (64 bits if 8 parity bits are included) that is an input to the DES algorithm. It controls the transformation of data during encryption/decryption.

Exclusive-OR

Modulo 2 addition, which is equivalent to binary addition without carry.       

Key Separation

The ability to ensure that cryptographic keys defined for one purpose cannot be used illegally for another purpose.

LMKs (Local Master Keys)

The HSM resident DES keys that govern all HSM cryptographic functions. Used to encrypt all other DES keys, and to encrypt PINs that are to be stored by the Host in a database.

LMK Storage

The random access memory reserved for the storage of the HSM Master Keys. Data in this memory area is protected against power failure, and it is automatically erased when the HSM is opened.

Local Master Key Pair

One pair of the DES keys that reside in internal, battery-protected memory.               

MAC (Message Authentication Code)

A cryptographic check value which is generated and verified to ensure that messages transmitted from one location and received at another have not changed in any way. It is the left-most 32 bits of the Message Authentication output Block (MAB).

MR (MAC Residue)

The right-most 32 bits of the Message Authentication output Block (MAB).

Natural PIN

A PIN that can be derived from the account number or other constant data. It can always be recreated, given the original PIN-creation parameters.

Not On Us

Financial transaction on an account not held by the recipient bank.                     

Offset (PIN)

The difference between a random or cardholder-selected PIN, and the natural PIN for that cardholder. Used to verify a cardholder's PIN entry. Can be stored in a file as an alternative to maintaining a file of encrypted PINs.

On Us

Financial transaction on an account held by the recipient bank.                     

Password

A 16-character value or phrase, known only to an Authorizing Officer, and stored in the HSM. Two are used, and stored as Master Keys 00 and 01. Passwords are entered at the Console to set the HSM into the Authorized state. When the HSM is configured for Smartcard use, the Passwords are random values stored on the Smartcards (and PINs replace the Passwords functionally).

PIN Block

A 64-bit value which is normally formed from a PIN and account number. It is used in transmitting the PIN from one location to another (in encrypted form).

PIN Check Key

A DES key that controls the IBM method of PIN and offset generation.

PIN or Key Conveyance Mailer

A printed, multi-part form arranged such that it conceals the printed secret information (such as a cardholder PIN, or a key, or a key component). The mailer is constructed in such a way that the secret information (e.g., PIN and reference number) cannot be read unless the mailer is torn open. It can be mailed or otherwise carried to another network node, or stored in a (secure) conventional filing system.

PIN (Smartcard)

Alphanumeric Password used to allow access to data stored on a Smartcard.       

PIN Solicitation Mailer

A special PIN mailer used by the cardholder to return a PIN selection to the issuer. The mailer is constructed in such a way that the secret information (e.g., PIN and reference number) cannot be read unless the mailer is torn open. The return part of the mailer contains only the clear PIN and an encrypted reference to the Card Account Number.

PIN Verification Key (PVK)

A DES key that controls the generation and verification of PINs and offsets.

PIN Verification Key Indicator (PVKI)

A 1-digit value that is used to generate a PIN Verification Value. It is used in VISA ATM Networks to indicate which of six possible pairs of PIN Verification Keys is required to generate a PIN Verification Value.

PIN Verification Value (PVV)

A value that is derived from the account number, the PIN, a PIN Verification Key Indicator, and a pair of PIN Verification Keys. Used to verify a cardholder's PIN entry in VISA ATM Networks.

Privileged Function

An HSM function that involves the presence of clear, unprotected keys or PINs. Such a function presents a security risk unless adequate controls are established, and it requires the presence of the LMK Component Holders or the assertion of the Authorized state.

RSA Key

A pair of cryptographic variables (secret key and public key) used in a Rivest, Shamir and Adleman public key crypto system.

Reference Number

A number produced by the HSM by encrypting part of the cardholder account number under a pair of Local Master Keys. Used as a security measure in PIN solicitation procedures, to prevent an adversary from discovering the cardholder's PIN selection.

Secure State

The HSM must be put into the secure state before certain “secure” functions can be performed. These are the functions for generating, loading, storing and duplicating LMKs and their component parts. The HSM is put into the secure state by releasing both of the key locks on the front panel, which also allows the HSM to be removed from the rack.

Session Key

A temporary key which is generated and used for one session only.

Smartcard

A plastic card containing an embedded microchip. Information can be written to the card and read from it using a compatible Smartcard reader. The HSM supports PC3, Multiflex and Cryptoflex Smartcards conforming to ISO 7816.

Solicitation-Only Mailer

A printed, multi-part, turnaround form sent to a cardholder for selecting a PIN (see PIN Solicitation Mailer).

Source Key

The key used for encryption by the source of a transaction message (i.e., a terminal or Host computer).

Terminal

ATMs and similar electronic point-of-sale devices capable of a variety of cryptographic functions, e.g., PIN encryption, PIN verification and message authentication.

Terminal Authentication Key (TAK)

A terminal-resident DES key for creating a message authentication code on data in outgoing messages.

Terminal Encryption Key (TEK)

A terminal-resident DES key for encrypting data in outgoing messages.

Terminal Master Key (TMK)

A terminal-resident DES key for encrypting other keys. In some cases, the TMK is also used for PIN encryption and/or PIN verification.

Terminal PIN Key (TPK)

A terminal-resident DES key for encrypting PINs in outgoing messages, and/or for terminal PIN verification.

Three Tier Key Hierarchy

Contains Master Keys, Transport Keys and Data Keys. The Master Keys are manually distributed, the others are distributed electronically. Master Keys are normally available only in two or more components. Data keys are also known as Session Keys.

Translate, Translation

A decrypt-then-re-encrypt process which changes the key under which data is encrypted (e.g., translating a PIN from a Terminal PIN Key to a Zone PIN Key).

User Storage

The 12K random access memory reserved for the storage of user keys, the Diebold Proprietary Algorithm Table, and the processing of PIN solicitation data from the Host. This memory area is automatically erased when the HSM is tampered with or when power is removed.

Watchword, Watchword Key (WWK)

User verification key used in the Racal Watchword token or system.

Working Key (WK)

VISA name for a Zone PIN Key.

Zone Authentication Key (ZAK)

Used to create MACs on messages between institutions (i.e., in a defined cryptographic zone).

Zone Control Master Key (ZCMK)

VISA name for ZMK.

Zone Encryption Key (ZEK)

Used to encrypt data between institutions (i.e., in a defined cryptographic zone).

Zone Master Key (ZMK)

The master key used in a shared (interchange) network to protect other keys during conveyance. It is a manually transported key-encrypting key, transported as three components and formed by combining the components using the exclusive-OR function.

ZMK Component

A 16-digit value. Three ZMK components are exclusive-OR combined to form a ZMK.                 

ZMK Variant (Atalla) Support

Provides support for ZMKs created in systems using Atalla security modules. The variant is a single digit value in the range 0-9, where:

Value    Key Encrypted by the ZMK
1        ZPK
2        ZEK
3        CVK and ZAK
4        PVK
5        ATM Key (TMK)
8        Derivation Key (DK)

Zone PIN Key (ZPK)

The data-encrypting key used to encrypt PINs for transmission over a shared (interchange) network.

Zone Transport Key (ZTK)

Used to encrypt zone session keys (i.e., ZEK, ZAK, etc.) for electronic delivery. Similar to ZMK.