GoldEasy-KMS is a standalone module that embeds physically and logically protected cryptographic card(s)
During the data preparation phase, all the data needed by the chip application is generated and formatted, and the original input file is amended accordingly.
The Instant Issuance Software modules are personalisation software dedicated to chip card personalisation on personalisation equipment.
Developed in C for speed, all Electrical Personalisation Software modules come with a set of well-designed, correctly ordered and secured commands that fit the personalisation requirements of the specific card. The delivered modules are optimised to speed up the chip personalisation process while remaining as generic as possible, so that the bureau can make as many changes as possible in the preparation phase and still use the same Electrical Personalisation Software at the production stage.
Electrical Personalisation Software modules interpret specifically formatted data contained in the personalisation equipment input file generated by the Data Preparation module. On receiving the command designed for one card profile (identified by its BIN) and one application type (MasterCard PayPass or Visa MSD), the module parses the transmitted data and uses it to generate device-compliant instruction sequences.
Some of the data may have been encrypted during the preparation phase to preserve its confidentiality; the Electrical Personalisation Software module then has to interact with an external cryptographic module loaded with the appropriate key sets. The same interface is used to communicate with a Key Management System for online cryptographic operations during the personalisation phase. These operations are specific to a card and/or an application and require dedicated firmware to be loaded into the Hardware Security Module.
Each Electrical Personalisation Software module is bundled with the cryptographic functions it needs, loaded into the HSM firmware and optimised for the card being personalised. The software also comes with a set of configuration files and pre-valued profiles to be loaded into the Data Preparation module for generation of the appropriate production files.
The data preparation module thus provides complete management of the data dedicated to the chip application: data generation, data manipulation, mapping of the data into the card file structure, and generation of the production files sent to the personalisation devices.
Input file importation is handled by a dedicated component which extracts cardholder data from the magnetic stripe track records and verifies the integrity and consistency of the transmitted information. As standard, the GoldEasy-DP module comes with an import component for the traditional embossing file format; custom components can be developed to handle bank-specific formats.
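As an added illustration of the checks such an import component performs (example code written for this page, not GoldEasy-DP's own import component, whose file format and rules are not given here), the Go program below parses ISO/IEC 7813 track 1 and track 2 records, validates the PAN check digit and rejects a record whose two tracks disagree or whose expiry month is impossible. The sample records and the Visa test PAN are constructed; the field layout, function names and error messages are the example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Cardholder holds the fields the import step extracts from one embossing record.
type Cardholder struct {
	PAN, Name, Expiry, ServiceCode string
}

// Luhn reports whether pan is 13-19 digits and satisfies the ISO/IEC 7812 check digit.
func Luhn(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ParseTrack1 parses an ISO/IEC 7813 format-B track 1 record,
// %B<PAN>^<NAME>^<YYMM><SVC><discretionary>?, with the sentinels optional.
func ParseTrack1(t string) (Cardholder, error) {
	t = strings.TrimSuffix(strings.TrimPrefix(t, "%"), "?")
	f := strings.Split(strings.TrimPrefix(t, "B"), "^")
	if !strings.HasPrefix(t, "B") || len(f) != 3 || len(f[2]) < 7 {
		return Cardholder{}, errors.New("track 1: expected B<PAN>^<NAME>^<YYMMSVC...> layout")
	}
	return Cardholder{PAN: f[0], Name: strings.TrimSpace(f[1]), Expiry: f[2][:4], ServiceCode: f[2][4:7]}, nil
}

// ParseTrack2 parses a track 2 record, ;<PAN>=<YYMM><SVC><discretionary>?.
func ParseTrack2(t string) (Cardholder, error) {
	t = strings.TrimSuffix(strings.TrimPrefix(t, ";"), "?")
	f := strings.SplitN(t, "=", 2)
	if len(f) != 2 || len(f[1]) < 7 {
		return Cardholder{}, errors.New("track 2: expected <PAN>=<YYMMSVC...> layout")
	}
	return Cardholder{PAN: f[0], Expiry: f[1][:4], ServiceCode: f[1][4:7]}, nil
}

// ImportRecord extracts the cardholder from both tracks and rejects the record when the PAN fails
// its check digit, the expiry month is impossible, or the two tracks disagree. Errors carry only
// the last four PAN digits, because import logs are not a protected store.
func ImportRecord(track1, track2 string) (Cardholder, error) {
	t1, err := ParseTrack1(track1)
	if err != nil {
		return Cardholder{}, err
	}
	t2, err := ParseTrack2(track2)
	if err != nil {
		return Cardholder{}, err
	}
	tail := t2.PAN
	if len(tail) > 4 {
		tail = tail[len(tail)-4:]
	}
	switch mm := t2.Expiry[2:]; {
	case !Luhn(t2.PAN):
		return Cardholder{}, fmt.Errorf("PAN ...%s fails check digit", tail)
	case t1.PAN != t2.PAN:
		return Cardholder{}, fmt.Errorf("PAN ...%s: track 1 and track 2 PAN differ", tail)
	case strings.Trim(t2.Expiry, "0123456789") != "" || mm < "01" || mm > "12":
		return Cardholder{}, fmt.Errorf("PAN ...%s: malformed expiry %q", tail, t2.Expiry)
	case t1.Expiry != t2.Expiry || t1.ServiceCode != t2.ServiceCode:
		return Cardholder{}, fmt.Errorf("PAN ...%s: expiry or service code differ between tracks", tail)
	}
	return t1, nil
}

func main() {
	// Constructed sample records built on the well-known Visa test PAN; not real cardholder data.
	records := [][2]string{
		{"%B4111111111111111^DOE/JOHN^25121010000000000?", ";4111111111111111=25121010000000000?"},
		{"%B4111111111111111^DOE/JOHN^25121010000000000?", ";4111111111111111=26121010000000000?"}, // expiry differs
	}
	for _, r := range records {
		if ch, err := ImportRecord(r[0], r[1]); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Printf("accepted: %+v\n", ch)
		}
	}
}
```

The cross-track comparison is the consistency check that matters in practice: a record whose track 1 and track 2 carry different PANs or expiry dates is almost always a corrupted or mis-merged input line, and it is far cheaper to reject it at import than to discover it after the card has been personalised.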
Data generation is driven by profiles holding the parameters specific to a bank, a card type and the card applications. At the end of processing, the cardholder data from the input file are combined with the payment application profile parameters and with the cardholder-specific key set produced by the key diversification and enciphering mechanisms.
Card mapping is performed at the end of data generation and is parameterised through dedicated configuration files. GoldEasy-DP comes with a set of pre-configured mapping files covering the card list supported by the Electrical Personalisation Software package.
At the end of the process, the data preparation module generates production files compatible with the personalisation device, containing the data formatted for the targeted Electrical Personalisation Software.
Data preparation relies on an embedded hardware-protected coprocessor for cryptographic operations such as key generation, encryption and decryption, and PIN management. All along the data flow, cryptographic data are generated and transferred securely through the HSM. Cardholder application keys are computed by the GoldEasy-KMS module, which stores the issuer's secret master keys so that they never leave hardware protection.
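The key diversification step referred to in the two paragraphs above, as an added example (written for this page, not GoldEasy code; the page does not say which diversification scheme the product implements): the Go program below derives a card-unique master key from an issuer master key with EMV's Option A (EMV Book 2, Annex A1.4): encrypt the rightmost 16 digits of PAN||PSN, and their complement, under the IMK, then force odd parity on the result. Go is used because its standard library provides 3DES. The issuer master key and the PANs are constructed test values, and the program deliberately prints only the key check value, mirroring the rule that keys never appear in the clear outside the HSM.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// tdes returns a two-key 3DES block cipher (K1, K2, K1) for a 16-byte key.
func tdes(key16 []byte) cipher.Block {
	k := make([]byte, 24)
	copy(k, key16)
	copy(k[16:], key16[:8])
	blk, err := des.NewTripleDESCipher(k)
	if err != nil {
		panic(err)
	}
	return blk
}

// ecb encrypts a single 8-byte block.
func ecb(blk cipher.Block, in []byte) []byte {
	out := make([]byte, 8)
	blk.Encrypt(out, in)
	return out
}

// OddParity returns a copy of key with every byte adjusted to odd parity (DES convention).
func OddParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			b ^= 0x01
		}
		out[i] = b
	}
	return out
}

// HasOddParity reports whether every byte of key has odd parity.
func HasOddParity(key []byte) bool {
	for _, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			return false
		}
	}
	return true
}

// DiversificationInput builds Y: the rightmost 16 digits of PAN||PSN, left-padded
// with zeros, packed as 8 BCD bytes (EMV Book 2, Annex A1.4, Option A).
func DiversificationInput(pan, psn string) ([]byte, error) {
	s := pan + psn
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return nil, fmt.Errorf("PAN and PSN must be decimal digits")
		}
	}
	if len(s) > 16 {
		s = s[len(s)-16:]
	}
	for len(s) < 16 {
		s = "0" + s
	}
	return hex.DecodeString(s)
}

// DeriveCardMasterKey derives the 16-byte card master key from the issuer master key:
// ZL = 3DES(IMK)[Y], ZR = 3DES(IMK)[Y XOR FF..FF], key = OddParity(ZL || ZR).
func DeriveCardMasterKey(imk []byte, pan, psn string) ([]byte, error) {
	if len(imk) != 16 {
		return nil, fmt.Errorf("issuer master key must be 16 bytes, got %d", len(imk))
	}
	y, err := DiversificationInput(pan, psn)
	if err != nil {
		return nil, err
	}
	yInv := make([]byte, 8)
	for i := range y {
		yInv[i] = y[i] ^ 0xFF
	}
	blk := tdes(imk)
	return OddParity(append(ecb(blk, y), ecb(blk, yInv)...)), nil
}

// KCV returns the 3-byte key check value, the leftmost bytes of 3DES(key)[00..00].
// It lets an operator confirm that the right key is loaded without ever seeing it.
func KCV(key16 []byte) []byte {
	return ecb(tdes(key16), make([]byte, 8))[:3]
}

func main() {
	// Constructed issuer master key for the demonstration; a real IMK never leaves the HSM.
	imk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	for _, pan := range []string{"4111111111111111", "4111111111111129"} {
		mk, err := DeriveCardMasterKey(imk, pan, "00")
		if err != nil {
			panic(err)
		}
		// Only the KCV is shown; the derived key itself stays out of logs and screens.
		fmt.Printf("PAN ...%s  card MK KCV %X\n", pan[len(pan)-4:], KCV(mk))
	}
}
```

Two cards with the same PAN but different PAN sequence numbers get different keys, which is the point of including the PSN in Y; the parity adjustment is what makes the derived key a valid DES key rather than a raw ciphertext.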
Administrative functions for GoldEasy-DP
• Creation, edition and deletion of platform users
• Addition and modification of user roles and rights
• Maintenance of platform components
ARCHITECTURE AND TECHNOLOGY
• Client-server architecture
• GoldEasy-DP module is developed in Java and uses XML as its exchange file format
• GoldEasy-DP relies on an Oracle database
• Architecture allowing several separate processes to run in parallel
• Benchmarks were run on a PC hosting the database, with GoldEasy-KMS relying on one or more HSM cryptographic cards loaded with the appropriate firmware
• Input file of 100,000 records, each record approximately 3 KB (2 magnetic stripe tracks, 5 graphical lines and 20 carrier lines)
• Tested scenario: file importation, sorting, generation of the record listing, EMV static data generation, cryptographic data generation and production file generation
• Application profile: native Visa application with one 3DES key; for the DDA profile, one additional 1024-bit RSA key pair and generation of the associated certificate
Measured throughput (SDA / SDA + DDA profiles):
• 1 x HSM: 6,500 records/hour
• 2 x HSM: 9,000 records/hour
At this security level, neither keys nor sensitive data are ever in the clear outside the hardware-protected tokens, which preserves cardholder data secrecy and information integrity throughout the issuance process.
Key transfer protocols allow all keys generated during the preparation phase to be transferred securely and remotely from one Hardware Security Module to another: a key only ever leaves an HSM encrypted under a transport key shared with the receiving module.
This module is accessed by the Data Preparation module to perform the cryptographic operations of the smart card personalisation process. This includes, but is not limited to, encryption and decryption, PIN translation, symmetric key generation and diversification, and RSA key pair generation.
GoldEasy-KMS also provides the functions needed for its own management and configuration.
Key Management main functions
• Management of user profiles
• Issuer management
• Symmetric (DES) key generation
• Asymmetric (RSA) key generation
• Import/export of symmetric keys
• Management of digital certificates
• Certificate request creation for VISA and MasterCard certification authority
• Import of VISA, MasterCard and X.509-formatted certificates
GoldEasy-KMS Configuration functions
• Creation and management of KMS user roles
• Creation, editing and deletion of issuers
• Creation, editing and deletion of logical groups of keys
• Creation, editing and deletion of key envelopes
• Creation, editing and deletion of certificate authority characteristics
GoldEasy-KMS Keys creation functions
• Importation of DES transport keys
• Generation of DES transport keys
• Importation of a DES key encrypted under a transport key
• Importation of a DES key by components (key parts)
• Exportation of a DES key
• Generation, duplication and deletion of a DES key
• Generation and deletion of RSA key pair
GoldEasy-KMS certificate management functions
• Importation, editing and deletion of a public key
• Generation of certificate request for EMV keys
• Importation of EMV certificates
Supported Cryptographic operations
• Symmetric key (DES or 3DES) encryption/decryption
• Generation and diversification of EMV applicative keys
• PIN translation (re-encryption of a PIN block from one zone key to another)
• Generation and verification of RSA signatures
• Generation of EMV SDA and DDA certificates
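The PIN translation (transcription) operation listed above, as an added example (written for this page, not GoldEasy-KMS code; the product's PIN block format and key conventions are not given on the page): the Go program below builds an ISO 9564-1 format 0 PIN block and translates an encrypted block from one zone PIN key to another, checking the decrypted block's format before re-encrypting so that a wrong source key is refused rather than forwarded as garbage. The zone keys and the PAN are constructed test values; `mustTDES`, `panField` and the other function names are the example's own.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// mustTDES wraps a 24-byte (three-key) 3DES zone PIN key as a block cipher.
func mustTDES(key24 []byte) cipher.Block {
	blk, err := des.NewTripleDESCipher(key24)
	if err != nil {
		panic(err)
	}
	return blk
}

// panField builds the 8-byte PAN field of ISO 9564-1 format 0: 0000 followed by the
// rightmost 12 digits of the PAN excluding the check digit. strings.Trim strips digits
// from both ends, so anything left over is a non-digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be 13-19 digits")
	}
	p := pan[:len(pan)-1]
	return hex.DecodeString("0000" + p[len(p)-12:])
}

// EncodePINBlock returns the clear format 0 block: the PIN field (0, PIN length,
// PIN digits, F padding) XORed with the PAN field.
func EncodePINBlock(pin, pan string) ([]byte, error) {
	pf, err := panField(pan)
	if err != nil || len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4-12 digits and the PAN must be valid")
	}
	pinField, _ := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	block := make([]byte, 8)
	for i := range block {
		block[i] = pinField[i] ^ pf[i]
	}
	return block, nil
}

// DecodePINBlock recovers the PIN from a clear format 0 block. Anything that is not a
// well-formed block (the usual symptom of decrypting under the wrong key) is refused.
func DecodePINBlock(block []byte, pan string) (string, error) {
	pf, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", errors.New("bad PAN or PIN block length")
	}
	field := make([]byte, 8)
	for i := range field {
		field[i] = block[i] ^ pf[i]
	}
	n := int(field[0] & 0x0F)
	if field[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	s := strings.ToUpper(hex.EncodeToString(field))
	if pin, pad := s[2:2+n], s[2+n:]; strings.Trim(pin, "0123456789") == "" && strings.Trim(pad, "F") == "" {
		return pin, nil
	}
	return "", errors.New("PIN block has bad digits or padding")
}

// TranslatePINBlock re-encrypts an encrypted PIN block from zone key A to zone key B.
// The clear block exists only inside this function, which stands in for the HSM
// boundary: the caller gets the block under the new key, never the PIN.
func TranslatePINBlock(encA, zpkA, zpkB []byte, pan string) ([]byte, error) {
	plain := make([]byte, 8)
	mustTDES(zpkA).Decrypt(plain, encA)
	if _, err := DecodePINBlock(plain, pan); err != nil {
		return nil, fmt.Errorf("translation refused: %w", err)
	}
	encB := make([]byte, 8)
	mustTDES(zpkB).Encrypt(encB, plain)
	return encB, nil
}

func main() {
	// Constructed 24-byte zone PIN keys and the well-known Visa test PAN; nothing here is real.
	zpkA, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210A1B2C3D4E5F60718")
	zpkB, _ := hex.DecodeString("F1E2D3C4B5A69788796A5B4C3D2E1F001122334455667788")
	pan := "4111111111111111"
	plain, _ := EncodePINBlock("1234", pan)
	encA := make([]byte, 8)
	mustTDES(zpkA).Encrypt(encA, plain) // the block as a PIN entry device would deliver it
	encB, err := TranslatePINBlock(encA, zpkA, zpkB, pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("under ZPK-A %X -> under ZPK-B %X\n", encA, encB)
}
```

Because the format 0 block is bound to the PAN, the translation function must be told which PAN the block belongs to; without it the format check cannot distinguish a correctly decrypted block from noise, and a caller who controls the PAN argument could use the function as a decryption oracle, which is why real HSM commands carry the PAN as part of the same authenticated request.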
GoldEasy-KMS architecture
• Client-server architecture allowing remote access
• Synchronous/asynchronous execution modes
• Open architecture accepting multiple HSM boards
• Multithreaded execution for parallel processing