System and method for securing a base derivation key for use in injection of derived unique key per transaction devices

US 7,548,621 B1
Filed: 09/26/2002
Issued: 06/16/2009
Est. Priority Date: 09/26/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A system for securing a Base Derivation Key (BDK) at a facility for injecting Derived Unique Key Per Transaction (DUKPT) encryption devices comprising:

a symmetrical key generator that generates a symmetrical key for each BDK segment received for encryption;

a symmetrical encryption device for encrypting a Base Derivation Key (BDK) segment using a symmetrical key received from the symmetrical key generator for the BDK segment encryption;

an asymmetrical key pair generator for generating a private/public key pair for each BDK segment symmetrically encrypted;

an asymmetrical encryption device that generates a doubly encrypted segment by encrypting the encrypted BDK segment using the public key of the private/public key pair that was generated for the BDK segment and that generates a singularly encrypted segment by encrypting the symmetrical key used to encrypt symmetrically the BDK segment, the asymmetrical encryption device destroying the public key of each private/public key pair used to encrypt an encrypted BDK segment and the corresponding symmetrical key used to encrypt the BDK segment after generation of the doubly encrypted segment and the singularly encrypted symmetrical key; and

a local memory for storing the private keys of each private/public key pair used to encrypt BDK segments and symmetrical keys.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that secures a Base Derivation Key (BDK) in a facility for injecting Derived Unique Key Per Transaction (DUKPT) devices uses software for securing the BDK rather than a Tamper Resistant Security Module (TRSM). The system comprises a symmetrical key generator, a symmetric encryption device, a concatenating device, an asymmetrical key pair generator, and an asymmetrical encryption device. The symmetrical key generator randomly generates an encryption key for a symmetrical encryption method. The symmetrical key is provided to the symmetric encryption device for encrypting a segment of a BDK with a symmetrical key. The asymmetrical encryption device uses the public key of a randomly generated private/public key pair generated by the asymmetrical key pair generator to asymmetrically encrypt the symmetrically encrypted BDK segment and the symmetrical key. The public key is then destroyed and the private key is stored on the computer.

Citations

20 Claims

1. A system for securing a Base Derivation Key (BDK) at a facility for injecting Derived Unique Key Per Transaction (DUKPT) encryption devices comprising:
- a symmetrical key generator that generates a symmetrical key for each BDK segment received for encryption;
  
  a symmetrical encryption device for encrypting a Base Derivation Key (BDK) segment using a symmetrical key received from the symmetrical key generator for the BDK segment encryption;
  
  an asymmetrical key pair generator for generating a private/public key pair for each BDK segment symmetrically encrypted;
  
  an asymmetrical encryption device that generates a doubly encrypted segment by encrypting the encrypted BDK segment using the public key of the private/public key pair that was generated for the BDK segment and that generates a singularly encrypted segment by encrypting the symmetrical key used to encrypt symmetrically the BDK segment, the asymmetrical encryption device destroying the public key of each private/public key pair used to encrypt an encrypted BDK segment and the corresponding symmetrical key used to encrypt the BDK segment after generation of the doubly encrypted segment and the singularly encrypted symmetrical key; and
  
  a local memory for storing the private keys of each private/public key pair used to encrypt BDK segments and symmetrical keys.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1 wherein the asymmetrical encryption device writes each doubly encrypted BDK segment and the corresponding singularly encrypted symmetrical key to an independent removable media for transportation to a DUKPT injection facility.
  - 3. The system of claim 1 wherein the symmetrical encryption device performs a Data Encryption Standard (DES) encryption method.
  - 4. The system of claim 1 wherein the symmetrical encryption device performs a triple DES encryption method.
  - 5. The system of claim 2 further comprising:
    - a device for concatenating each doubly encrypted BDK segment and the corresponding singularly encrypted symmetrical key to form a single data structure for storage on a removable media.

6. A system for preparing an encrypted Base Derivation Key (BDK) for use in injecting a Derived Unique Key Per Transaction (DUKPT) encryption device comprising:
- an asymmetrical decryption device using a private key of a private/public key pair to decrypt asymmetrically a doubly encrypted Base Derivation Key (BDK) segment to generate a symmetrically encrypted BDK segment and to decrypt asymmetrically a singularly encrypted symmetrical key to generate the symmetrical key;
  
  a symmetrical decryption device for decrypting the symmetrically encrypted BDK segment using the symmetrical key generated by asymmetrically decrypting the singularly encrypted symmetrical key; and
  
  a BDK assembler for assembling a plurality of decrypted BDK segments, each one of which was decrypted with a different symmetrical key, the assembled BDK segments forming a single BDK for use in the injection of a Derived Unique Key Per Transaction (DUKPT) encryption device.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6 wherein the asymmetrical decryption device receives each doubly encrypted BDK segment and the corresponding singularly encrypted symmetrical key from different removable media.
  - 8. The system of claim 6 wherein the symmetrical decryption device performs a Data Encryption Standard (DES) decryption method.
  - 9. The system of claim 6 wherein the symmetrical decryption device performs a triple DES decryption method.
  - 10. The system of claim 6 further comprising:
    - a device for segregating the doubly encrypted BDK segment from the singularly encrypted symmetrical key that was used to encrypt the BDK segment.

11. A method for securing a Base Derivation Key (BDK) at a facility for injecting Derived Unique Key Per Transaction (DUKPT) encryption devices comprising:
- encrypting a first Base Derivation Key (BDK) segment using a first symmetrical key;
  
  encrypting a second Base Derivation Key (BDK) segment using a second symmetrical key, the second symmetrical key being different than the first symmetrical key;
  
  generating a first asymmetrical key pair;
  
  generating a second asymmetrical key pair, the second asymmetrical key pair being different than the first asymmetrical key pair;
  
  generating a first doubly encrypted BDK segment by encrypting the first symmetrically encrypted BDK segment using a public key of the first asymmetrical key pair;
  
  generating a second doubly encrypted BDK segment by encrypting the second symmetrically encrypted BDK segment using a public key of the second asymmetrical key pair;
  
  encrypting the first symmetrical key used to encrypt the first BDK segment using the public key of the first asymmetrical key pair;
  
  encrypting the second symmetrical key used to encrypt the second BDK segment using the public key of the second asymmetrical key pair;
  
  destroying the public key of the first asymmetrical key pair after the asymmetrical encryption of the first symmetrically encrypted BDK segment and the asymmetrical encryption of the first symmetrical key;
  
  destroying the public key of the second asymmetrical key pair after the asymmetrical encryption of the second symmetrically encrypted BDK segment and the asymmetrical encryption of the second symmetrical key; and
  
  storing the first private key and the second private key in a local storage device.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 further comprising:
    - writing the first doubly encrypted BDK segment and the first singularly encrypted symmetrical key to a first removable media;
      
      writing the second doubly encrypted BDK segment and the second singularly encrypted symmetrical key to a second removable media.
  - 13. The method of claim 11 wherein the symmetrical encryption comprises performing a Data Encryption Standard (DES) encryption method.
  - 14. The method of claim 11 wherein the symmetrical encryption comprises performing a triple DES encryption method.
  - 15. The method of claim 12 further comprising:
    - concatenating the first doubly encrypted BDK segment and the singularly encrypted symmetrical key to form a first single data structure that is written to the first removable media; and
      
      concatenating the second doubly encrypted BDK segment and the singularly encrypted symmetrical key to form a second single data structure that is written to the second removable media.

16. A method for preparing an encrypted Base Derivation Key (BDK) for use in generating an Initial PIN Pad Key for injection into a Derived Unique Key Per Transaction (DUKPT) encryption device comprising:
- asymmetrically decrypting with a private key of a first private/public key pair a first doubly encrypted Base Derivation Key (BDK) segment to generate a first symmetrically encrypted BDK segment;
  
  asymmetrically decrypting with the private key of the first private/public key pair a first singularly encrypted symmetrical key to generate a first symmetrical key;
  
  symmetrically decrypting the first symmetrically encrypted BDK segment using the first symmetrical key generated from the asymmetrical decryption of the first singularly encrypted symmetrical key to generate a first decrypted BDK segment;
  
  asymmetrically decrypting with a private key of a second private/public key pair a second doubly encrypted Base Derivation Key (BDK) segment to generate a second symmetrically encrypted BDK segment;
  
  asymmetrically decrypting with the private key of the second private/public key pair a second singularly encrypted symmetrical key to generate a second symmetrical key;
  
  symmetrically decrypting the second symmetrically encrypted BDK segment using the second symmetrical key generated from the asymmetrical decryption of the second singularly encrypted symmetrical key to generate a second decrypted BDK segment; and
  
  assembling the first and the second decrypted BDK segments to form a BDK for use in the injection of a Derived Unique Key Per Transaction (DUKPT) encryption device.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 further comprising:
    - receiving the first doubly encrypted BDK segment and the first singularly encrypted symmetrical key from a first removable media on which both the first doubly encrypted BDK segment and the first singularly encrypted symmetrical key are stored; and
      
      receiving the second doubly encrypted BDK segment and the second singularly encrypted symmetrical key from a second removable media on which both the second doubly encrypted BDK segment and the second singularly encrypted symmetrical key are stored.
  - 18. The method of claim 16 wherein the symmetrical decryption comprises performing a Data Encryption Standard (DES) decryption method.
  - 19. The method of claim 16 wherein the symmetrical decryption comprises performing a triple DES decryption method.
  - 20. The method of claim 16 further comprising:
    - segregating the first doubly encrypted BDK segment from the first singularly encrypted symmetrical key; and
      
      segregating the second doubly encrypted BDK segment from the second singularly encrypted symmetrical key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NCR Voyix Corporation
Original Assignee
NCR Corporation (NCR Voyix Corporation)
Inventors
Vargese, Bavan, Smith, Walt E., Fisher, Larry F. Jr.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
PAN, JOSEPH T

Application Number

US10/256,869
Time in Patent Office

2,455 Days
Field of Search

713/1, 713/2, 713/188, 713/194, 713/170, 713/181, 380/200, 380201-203, 380/255, 380277-279, 380/228, 380/239, 380/241, 380281-286, 726/1, 726/2
US Class Current

380/277
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 9/0625   with splitting of the data ...

H04L 9/30   Public key, i.e. encryption...

System and method for securing a base derivation key for use in injection of derived unique key per transaction devices

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing a base derivation key for use in injection of derived unique key per transaction devices

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links