Spread security.

Unlock efficiency

Remote Key Loading

A smarter way to do business

The hacker community is growing increasingly sophisticated which means the financial community needs to do the same. But the key to a smart automatic teller operation lies in more than high security. Todays business-minded financial institutions also demand efficiency. Thats why they depend on Remote Key Loading (RKL) from Sagem Denmark. By replacing traditional dual-control split-knowledge a manual approach to key installation and maintenance with Sagem RKL a secure, on-line solution key management becomes more cost-effective. More secure. More efficient. More simple. In other words: more intelligent. Cut costs Sending two-person teams to each ATM and administering key material has traditionally been an expensive, time-consuming task. And as card-issuing companies are demanding larger, more complex key sizes, the complexity of manual key entry and key handling is continuing to increase along with the cost. Sagem RKL allows banks to save on the generation, storage, distribution and manual handling of paper-based key information, as these procedures are either unnecessary with Sagem RKL or controlled by the host system. Increase security The human factor involved in manual key handling increases the security risk of key exposure or misuse. With Sagem RKL, human handling of key information is unnecessary. All information is safely transmitted online using secure cryptographic methods to protect and distribute keys. This enables secure installation and frequent periodic key updating, which increases overall system security.

Streamline operations By definition, secure remote control is far more efficient than traditional dual split control. Eliminating the human factor also eliminates constraints regarding operational hours and distance in addition to avoiding the risk of misuse of key information. Prevent headaches Because Sagem RKL is based on open international standards, it is easy to implement at the host end. No proprietary standards; only the freedom to take a smarter approach to key management.

A safer form of technology

Sagem RKL is based upon sophisticated, standardised and professionally accepted methods of cryptography. A variety of built-in authentication measures ensures that both the host and the ATM operate under fully secure conditions. Two keys maximum security The secure operation of Sagem RKL depends upon cryptography using 2048 bit RSA keys, generated internally in the Sagem encrypting PIN pad. Both the host and the ATM own a pair of keys one secret key and one public key. The public key is used to encrypt data; the secret key to decrypt data. With RSA-based technology, the only party able to decrypt a given message is the owner of the related secret key.

Key exchange
Host ATM

Host validates signature using public CA key of ATM certificates Host sends certificate with own public key

ATM sends certificates with own public key

ATM validates signature using public CA key of host certificate

Host requests a nonce from ATM

ATM generates a nonce and starts key exchange

Host generates and encrypts Terminal Master key using ATM public key and generates signature and encryption result using own secret key

ATM validates signature and nonce using public key and obtains key by decrypting with secret key ATM sends receipt that information is correct

A typical interaction for the exchange of the initial symmetric master key takes less than 60 seconds.

State-of-the-art cryptographic protocol The key exchange protocol uses X.509 certificates to verify that the public keys belong to valid encrypting PIN pads (EPPs)/hosts. This prevents man-in-the-middle types of attacks. The certificates are issued by a central Certification Authority. In addition, the protocol uses dynamic messages, including nonces (nonce = number used only once) to protect against replay attacks. The nonces are digitally signed to provide mutual authentication. The protocol terminates with authentic confirmation of key reception.

SAGEM SECURITY Sagem Denmarks standard RKL solution includes the following features: - 2048 bit RSA keys (generated internally in the encrypting PIN pad) - One RSA key pair for key encryption/decryption - One RSA key pair for data verification/signing - Public keys contained in X.509 certificates - Certificate-based protocol according to international ISO 11770-3 standard - EPP firmware programming interface compatible with XFS 3.03 API - Loading of externally generated X.509 certificates (if customer desires) OPTION Establishment of secure communication channel to external Certification Authority and loading of externally generated X.509 certificates

A better way to serve customers

With Sagem, security is more than the technical measures that ensure safe transactions. Sagem security also means people more than 150 highly committed, highly skilled professionals who are dedicated to making your experience with Sagem Denmark check out successfully on all counts. Weve been providing high-security payment solutions worldwide since the 1980s. And with the 58,000-strong SAFRAN Group behind us, well be delivering security tomorrow as well. Sagem Denmark is a major supplier of encrypting PIN pads worldwide and has several years of experience supplying EPPs and RKL solutions on an OEM basis. Were here to support you too so that not only you, but also your customers benefit from better service. Open standards = flexible solutions We dont think banks should be locked into using one particular ATM supplier. So unlike our competitors, Sagem supports open rather than proprietary standards to give financial institutions as much freedom of choice as possible. We also support a flexible approach to implementing RKL. Banks do not need to switch to the technology all at once a gradual approach is an option for financial institutions that want to implement Sagem RKL now and start using it later. By purchasing an encrypting PIN pad from Sagem Denmark, it is possible to operate ATMs in a traditional mode until the host software vendor is ready to support the new key loading system. Prepared customers = satisfied customers When planning for the implementation of an RKL system, one of the major factors to consider is the support of RKL in the host system. Often the host relies on a dedicated, standalone Host Secure Module (HSM) provided by a third-party vendor. This means that the HSM module chosen or currently in use has to be able to support RSA-based RKL operations.

How to proceed Please contact Sagem Denmark for a detailed checklist and guidelines for RKL implementation in your system. Sagem Denmark is happy to support the ATM supplier as well as the HSM supplier during the implementation phase.

We live and breathe payment security Sagem Denmark has more than 20 years experience in providing highsecurity payment solutions worldwide. Headquartered in Copenhagen, Denmark, we also have offices in Finland, Norway and Sweden. In addition to providing encrypting PIN pads to the ATM market, our expertise encompasses unattended payment solutions and point-of-sales terminals for the retail industry. Sagem Denmark is a fast-growing subsidiary of the French SAFRAN Group and part of SAFRANs Defense and Security Division. The SAFRAN Group has offices in 22 countries on all five continents.

Sagem Denmark A/S Fabriksparken 20 DK-2600 Glostrup Denmark Phone: +45 43 43 43 95 Fax: +45 43 43 53 54 Email: info@sagemdenmark.com Web: www.sagemdenmark.com

June 2007