KeyBRIDGE Remote Key Delivery (RKD) supports the remote distribution of keys to deployed (POI) terminals. By enabling remote key delivery, organizations save valuable time and resources by securely automating the delivery of keys to remote terminals.
More and more, the industry is demanding the ability to implement remote symmetric key distribution without relying on the physical security, policies procedures and personnel associated with physical Key Injection Facilities (KIF). Moreover, in order to maintain a competitive advantage in the growing virtual marketplace, it is imperative to utilize solutions that allow for the reduction of operational delays and high costs associated with shipping devices to KIFs simply to receive new cryptographic keys.
Organizations are better equipped to perform periodic key rotations and contend with a suspected or known key compromise by quickly and efficiently replacing terminal keys in the field. KeyBRIDGE RKD supports numerous APIs, including support for communicating and connecting with client-defined terminal management systems. KeyBRIDGE RKD leverages TR-34 for terminal payload generation, assuring secure, compliant and interoperable key transfer. Through the use of TLS 1.2, communications to and from the KeyBRIDGE RKD appliance are maintained and secured. As a licensed feature, KeyBRIDGE can fully support the requirements of Verifone Remote Key (VRK). This feature allows customers with their own Terminal Management Systems to build a remote keying facility, fully compatible with the latest Verfone terminal requirements.
KeyBRIDGE can also form the core of a system to remotely deploy PKI trust to terminals. In this role, it receives requests for key pairs; it generates the keys, forms CSRs and sends them to a CA, then gets the certificates and forms terminal payloads to be returned to the requesting Terminal Management System. This system functionally mirrors our standard RKD offering, but is focused on delivering terminal trust anchors.
The KeyBRIDGE RKD server is the core component in a cost-effective, compliant RKD solution.
In addition to its intuitive, easy-to-use graphical user interface, state of the art security features and robust auditing, the KeyBRIDGE platform provides the following essential RKD services:
- An easy-to-manage key inventory that holds the keys and their associated metadata necessary for terminal deployment. The inventory permits keys to be grouped into named containers called Relationships; this mechanism allows key managers to segregate keys for management and compliance purposes.
- A rich collection of tools to generate, import and export inventory keys, and specify their properties.
- The ability to build a KeyBRIDGE farm that will automatically partition DUKPT DID space, thereby ensuring that no KeyBRIDGE will ever inject a duplicate KSN.
- Complete key lifecycle management and tracking.
- An asymmetric key database used to sign the terminal key payloads, and their corresponding CA certificate chain. These keys provide the mutually authenticated trust required for a secure, standards-compliant implementation.
- Full support for all common secret key distribution scenarios: Fixed-key, Master/Session and DUKPT (both TDES and AES).
- The ability to collect all necessary key injection properties for a given terminal estate into a named container called a Key Profile. Key Profiles simplify the process of specifying injection requests at the Terminal Management System (TMS), allowing operators with little or no cryptographic expertise to accurately and securely inject terminals, thereby minimizing incorrect and insecure configurations.
- A simple JSON Schema RESTful API used to receive TMS key requests and return the corresponding terminal key payloads.
- Protecting the TMS interfaces using mutually-authenticated TLS v1.2, and the resources to import and manage the required TLS authentication keys.
- Complete, detailed audit logging of all user management activity and secret key distribution request processing.
- Automated database backup with support for numerous endpoint storage locations.
The KeyBRIDGE platform is designed with compliance in mind, and supports the requirements of:
- ASC X9.24, parts 1, 2 and 3
- ASC X9 TR-31 Interoperable Secure Key Exchange Key Block Specification
- ASC X9 TR-34 Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques
- PCI PIN and PCI P2PE key management
Also supported are methods that are similar but not conforming perfectly to the standard. Additionally, GEOBRIDGE has implemented symmetric key distribution protocols supported by many device manufacturers, and similar secret key distribution techniques employed by other manufacturers are supported as well.
Lastly, the KeyBRIDGE appliance supports a simple JSON Schema RESTful API that can also be leveraged for remote key distribution techniques. This API may be accessible from a self managed KeyBRIDGE appliance, or available in a service model maintained by the GEOBRIDGE KEES™ Team
Find out more about GEOBRIDGE KEES™ on our website.
