AFD Fleet Cards – Transition from 3DES to AES

November 09, 2020

In this article we focus on fleet cards that are issued by banks and/or that follow a payment card association scheme (Visa, MasterCard, etc.), and on the transition from 3DES to AES encryption that these cards require.

We refer to these fleet cards as “AFD” cards (or AFD-Fleet cards), where AFD stands for Automated Fuel Dispenser. Like traditional bank cards, these cards and the infrastructure behind them must also consider moving from 3DES to AES if they already use a chip, or integrating AES directly if they are migrating to EMV.

Upgrading from 3DES to AES is much more complicated in the card payment environment than in a pure software setting (the TLS stack of a browser, for example).

  • The payment environment is clearly different because a great deal of cryptography is involved.
  • Today, very few issuers in the United States process ARQCs using AES.
  • When migrating to AES, you need to account for the larger cipher block size, and this involves changing the key block format as well.
  • AES key exchange is now described by the latest version of ANS X9 TR-31: key blocks can now be protected by AES instead of triple DES.

Fleet cards that use payment networks must operate within a PCI environment. They must therefore implement key blocks before the deadlines of June 2021 and June 2023 set by the PCI Council [1].
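
A header check for TR-31 key blocks that flags blocks still protected by, or carrying, 3DES keys, as an added example that is not Utimaco code or a Utimaco API. The two sample blocks and their hex bodies are constructed placeholders, and the key-usage "P0" and mode-of-use values in them are only illustrative.

```python
# Added example, not Utimaco code: header check for ANS X9 TR-31 key blocks
# during a 3DES -> AES migration. The sample blocks below are constructed
# placeholders; their hex bodies are dummies, not real wrapped keys.

# Key block version (header byte 0) says which cipher protects the block.
TDES_VERSIONS = {"A": "TDES variant (legacy)", "B": "TDES key derivation binding",
                 "C": "TDES variant"}
AES_VERSIONS = {"D": "AES key derivation binding"}
# Algorithm of the wrapped key (header byte 7).
ALGORITHMS = {"A": "AES", "T": "TDES", "D": "DES", "R": "RSA", "E": "EC", "H": "HMAC"}


def parse_tr31_header(block: str) -> dict:
    """Split the fixed 16-character TR-31 header (field offsets follow TR-31)."""
    if len(block) < 16:
        raise ValueError("key block shorter than the 16-byte header")
    hdr = block[:16]
    declared = int(hdr[1:5])  # total key block length, four ASCII digits
    if declared != len(block):
        raise ValueError(f"header declares {declared} bytes, block has {len(block)}")
    return {"version": hdr[0], "length": declared, "key_usage": hdr[5:7],
            "algorithm": hdr[7], "mode_of_use": hdr[8], "key_version": hdr[9:11],
            "exportability": hdr[11], "opt_blocks": int(hdr[12:14])}


def migration_findings(block: str) -> list:
    """Return the reasons this key block still depends on (3)DES, if any."""
    h = parse_tr31_header(block)
    findings = []
    if h["version"] in TDES_VERSIONS:
        findings.append(f"key block protection key is 3DES (version {h['version']})")
    elif h["version"] not in AES_VERSIONS:
        findings.append(f"unrecognised key block version {h['version']!r}")
    if h["algorithm"] in ("T", "D"):
        findings.append(f"wrapped key is {ALGORITHMS[h['algorithm']]} (algorithm {h['algorithm']})")
    # Version D carries a 16-byte MAC and a 16-byte-aligned payload, so the hex
    # body after the header is a multiple of 32 characters; version B is 8-byte
    # aligned (multiple of 16). Only checked when no optional blocks shift the body.
    if h["opt_blocks"] == 0 and h["version"] in ("B", "D"):
        unit = 32 if h["version"] == "D" else 16
        if (len(block) - 16) % unit:
            findings.append("body length is not aligned to the cipher block size")
    return findings


# Constructed samples: an AES-128 PIN key in an AES-protected block, and a 3DES
# PIN key in a 3DES-protected block, as still commonly found in the field.
AES_BLOCK = "D0112P0AE00E0000" + "0" * 64 + "0" * 32     # 112 characters
LEGACY_BLOCK = "B0080P0TE00E0000" + "0" * 48 + "0" * 16  # 80 characters
```

Running `migration_findings(LEGACY_BLOCK)` lists both the 3DES protection key and the 3DES payload key; `migration_findings(AES_BLOCK)` returns an empty list.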

AES-Based DUKPT

Another reason for fleet cards to migrate to AES is the latest version of ANS X9.24 part 3, which now allows Derived Unique Key Per Transaction (DUKPT) to use AES.

DUKPT is a very popular key derivation scheme used to generate session keys that encrypt data between security zones. Several HSMs already support AES DUKPT, so it is reasonable to expect that triple DES will be abandoned inside the payment networks in the near future.

Reasons Why AES is Better than 3DES

Here are some of the reasons why AES is better than 3DES:

  • 3DES relies on single DES, which is a broken algorithm. Several attacks can break 2-key and 3-key 3DES in contexts where the keys can be isolated as single-DES keys with known corresponding ciphertexts.
  • 3DES is deprecated; AES is the future. NIST (the National Institute of Standards and Technology) withdrew its approval of the 2-key 3DES algorithm at the end of 2015. Even though 3-key 3DES is still approved by NIST, its security is no better than that of 2-key 3DES, and it is now recommended to phase out 3-key 3DES before 2031.
  • Overall, AES is a better algorithm. AES is faster and is considered more secure. AES DUKPT can generate two billion keys before rekeying (instead of 1 million for TDEA-based DUKPT). Since the AES key space is so much larger (256 bits versus 112 bits for 2-key 3DES), AES keys have a longer cryptoperiod than 3DES keys, which reduces the need for complex and costly key exchange ceremonies.
  • AES should have better resistance to quantum computing attacks. Advances in quantum computing indicate that AES should resist quantum attacks much better than 3DES.
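
The DUKPT counter behaviour behind the "one million versus two billion keys" comparison above, and behind the DUKPT description in the previous section, as an added example that is not part of the original article: a DUKPT device derives one key per transaction counter value but only uses counters with a bounded number of 1 bits, skipping the rest. The 21-bit counter with at most 10 set bits for 3DES DUKPT follows ANS X9.24-1; the 32-bit/16-ones values used here for AES are this example's assumption and should be checked against X9.24-3.

```python
# Added example (not Utimaco code): why a DUKPT key hierarchy "runs out".
# A DUKPT device increments a transaction counter in the KSN and derives a
# fresh key per transaction, but only counters with a limited number of 1 bits
# are used (this bounds the derivation depth). When the next counter has too
# many 1 bits, the device jumps past the whole invalid run. Assumed parameters:
# 3DES DUKPT uses a 21-bit counter with at most 10 set bits (ANS X9.24-1); the
# 32-bit / 16-ones AES values below are an assumption, not taken from X9.24-3.
from math import comb


def popcount(x: int) -> int:
    return bin(x).count("1")


def next_counter(counter: int, width: int, max_ones: int):
    """Next usable transaction counter, or None once the hierarchy is exhausted."""
    c = counter + 1
    while c < (1 << width) and popcount(c) > max_ones:
        # Every value between c and c + lowest_set_bit(c) shares c's high bits,
        # so all of them are invalid too: skip the whole run in one step.
        c += c & -c
    return c if c < (1 << width) else None


def usable_keys(width: int, max_ones: int) -> int:
    """Closed form: non-zero counters of `width` bits with at most `max_ones` ones."""
    return sum(comb(width, k) for k in range(1, max_ones + 1))


def enumerate_keys(width: int, max_ones: int) -> int:
    """Walk the counter with next_counter() and count the keys it yields."""
    n, c = 0, next_counter(0, width, max_ones)
    while c is not None:
        n, c = n + 1, next_counter(c, width, max_ones)
    return n


if __name__ == "__main__":
    print("3DES DUKPT keys per initial key:", usable_keys(21, 10))  # 1048575
    print("assumed AES DUKPT parameters (32 bits, 16 ones):", usable_keys(32, 16))
```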

Conclusion

Fleet cards that use payment networks should adopt AES-based algorithms, migrate to AES, and stop using the deprecated 3DES algorithm. For this migration it is very important to select the right HSM, as not all hardware security modules provide efficient and robust AES implementations, especially the newest AES DUKPT.

References

  • Read more articles on Fuel and Fleet Cards (2019 – today), by Martin Rupp, Priyank Kumar, Ulrich Scholten & Dawn Turner
  • Information Supplement: Cryptographic Key Blocks (2017), by the PTS Working Group, PCI Security Standards Council
  • [1] Phase 1 – Implement key blocks for internal connections and key storage within service provider environments. This includes all applications and databases connected to hardware security modules (HSMs). Effective date: June 2019.
    Phase 2 – Implement key blocks for external connections to associations and networks. Estimated timeline for this phase is 24 months following Phase 1, or June 2021.
    Phase 3 – Implement key blocks to extend to all merchant hosts, point-of-sale (POS) devices and ATMs. Estimated timeline for this phase is 24 months following Phase 2, or June 2023.