The present invention relates generally to the encryption of messages sent from one device to another, in this case between an automated teller machine (ATM) and a host computer. More specifically, the present invention relates to securely transferring a “master key” from a host to a remote ATM over a communications network. As used herein, “ATM” refers to any automated banking or teller machine, as well as any other terminal or communications device used to make financial transactions or directives, where the communications are secured using symmetric encryption techniques. A “host” may refer to a computer or communications system at a bank, other financial institution, transaction processor, acquirer, switch, or other entity that authorizes and/or executes financial transactions or directives originating from an ATM.
When an ATM sends a host a message containing a customer's personal identification number (PIN) and a request to transfer funds to or from the associated account, the PIN is encrypted so that no one who intercepts the message can learn it and access the customer's account without authorization. When an ATM sends a sensitive message to a host, or receives one from a host, a Message Authentication Code (MAC) may be appended to the message to assure its authenticity and integrity, and some or all of the message may be encrypted to keep its contents private. More specifically, the encryption of the PIN, the generation and verification of the MAC, and the encryption and decryption of some or all of the message are performed by an Encrypting PIN Pad (EPP) on the ATM; that is, the EPP itself contains a processor programmed with instructions to perform these cryptographic operations. These operations are performed according to published standards known to those skilled in the art.
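The operations attributed to the EPP above, as an added worked example (not code from the patent or from any ATM vendor): a clear PIN block is built in ISO 9564-1 format 0, enciphered as a single Triple DES block under a PIN working key, and a message carrying it is authenticated with an ISO 9797-1 MAC algorithm 3 (“retail MAC”) under a MAC working key; the host side decrypts the block and verifies the MAC. The PAN, PIN, keys and message text are constructed sample data, and the choice of these particular standards (format 0, TDES, retail MAC truncated to four bytes) is an assumption about the “published standards” the text refers to rather than something the page specifies.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// tdes returns a Triple DES block cipher. crypto/des wants a 24-byte key, so a
// double-length (16-byte) key K1||K2 is expanded to K1||K2||K1.
func tdes(key []byte) (cipher.Block, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	return des.NewTripleDESCipher(key)
}

// panField returns the ISO 9564-1 format 0 PAN field: four zero nibbles followed
// by the rightmost 12 PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN must have at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// pinBlockFormat0 builds a clear format 0 PIN block:
// (0 || PIN length || PIN digits || 0xF padding) XOR PAN field.
// XORing with the PAN ties the block to the account, so equal PINs on different
// accounts do not produce equal ciphertexts under the same key.
func pinBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pinField, err := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	if err != nil {
		return nil, err
	}
	pf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = pinField[i] ^ pf[i]
	}
	return block, nil
}

// encryptPINBlock is the EPP side: one TDES block under the PIN working key.
func encryptPINBlock(pinKey, block []byte) ([]byte, error) {
	c, err := tdes(pinKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// decryptPINBlock is the host (HSM) side: recover the clear PIN digits.
func decryptPINBlock(pinKey, enc []byte, pan string) (string, error) {
	c, err := tdes(pinKey)
	if err != nil {
		return "", err
	}
	pf, err := panField(pan)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	for i := range clear {
		clear[i] ^= pf[i]
	}
	n := int(clear[0] & 0x0F)
	if clear[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return hex.EncodeToString(clear)[2 : 2+n], nil
}

// retailMAC computes ISO 9797-1 MAC algorithm 3 with padding method 1 under a
// double-length key K1||K2: DES-CBC under K1 from a zero IV over zero-padded data,
// then the final block is decrypted under K2 and re-encrypted under K1.
// The result is truncated to 4 bytes, the customary length on the wire.
func retailMAC(macKey, msg []byte) ([]byte, error) {
	if len(macKey) != 16 {
		return nil, errors.New("MAC key must be a 16-byte double-length key")
	}
	k1, err := des.NewCipher(macKey[:8])
	if err != nil {
		return nil, err
	}
	k2, err := des.NewCipher(macKey[8:])
	if err != nil {
		return nil, err
	}
	n := (len(msg) + 7) / 8 * 8
	if n == 0 {
		n = 8
	}
	padded := make([]byte, n) // padding method 1: zero bytes up to a block boundary
	copy(padded, msg)
	h := make([]byte, 8)
	for i := 0; i < n; i += 8 {
		for j := 0; j < 8; j++ {
			h[j] ^= padded[i+j]
		}
		k1.Encrypt(h, h)
	}
	k2.Decrypt(h, h)
	k1.Encrypt(h, h)
	return h[:4], nil
}

// verifyMAC recomputes the MAC and compares it in constant time.
func verifyMAC(macKey, msg, mac []byte) bool {
	want, err := retailMAC(macKey, msg)
	return err == nil && subtle.ConstantTimeCompare(want, mac) == 1
}

func main() {
	// Constructed sample data: not a real PAN, PIN or key.
	pan, pin := "4000001234567899", "1234"
	pinKey, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	macKey, _ := hex.DecodeString("A1B2C3D4E5F607182938475661728394")

	block, _ := pinBlockFormat0(pin, pan)     // EPP side
	enc, _ := encryptPINBlock(pinKey, block)  // what actually leaves the EPP
	msg := []byte("WITHDRAW|PAN=" + pan + "|AMT=100.00|EPB=" + hex.EncodeToString(enc))
	mac, _ := retailMAC(macKey, msg)
	fmt.Printf("clear PIN block %X, encrypted %X, MAC %X\n", block, enc, mac)

	recovered, _ := decryptPINBlock(pinKey, enc, pan) // host side
	tampered := []byte(strings.Replace(string(msg), "100.00", "900.00", 1))
	fmt.Printf("host recovered PIN %s; MAC ok=%v; tampered ok=%v\n",
		recovered, verifyMAC(macKey, msg, mac), verifyMAC(macKey, tampered, mac))
}
```

The clear PIN block never leaves the EPP; only the enciphered block and the MAC are placed in the message, and the host (normally inside its own HSM) holds the same working keys to reverse the operations. Changing a single digit of the amount changes the MAC, which is what gives the host its integrity check.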
A typical ATM may include an output device such as a video display for communicating with a customer or an operator, an input device such as a keypad or touchscreen functionality as part of the display, a card reader mechanism for reading a customer's ATM card, a cash dispenser mechanism, a depository mechanism for accepting deposits into the machine, a receipt printer, and a computer system in operative communication with and control of the foregoing components for processing input and output and performing tasks. The computer system contains a processor programmed with software, including an operating system, to communicate with and control the foregoing devices so that they correctly perform their respective functions, and to communicate with the EPP and with external systems over a communications network, using protocols suitable to that network. Where it is stated herein that an EPP communicates with a host, or vice versa, it should be understood that the communication occurs through the software and hardware of the ATM of which the EPP is an operative part. Further, while the foregoing description applies to an ATM that processes banking transactions, not all banking ATMs will have all such components (such as the depository mechanism), and the principles of the invention disclosed herein are applicable to other secure terminals that process financial transactions without a cash dispenser, such as a terminal in a gasoline pump.
“Working keys” are used to encrypt the PIN, to generate and verify a MAC, and to encrypt and decrypt some or all of the messages described above. The working keys are initially exchanged between the ATM and host over a communications network, which may not be secure. For security, the working keys are therefore enciphered under “master keys” or “terminal master keys” during the exchange. The master keys must be known to both the ATM and the host.
A master key must be loaded into the EPP in a secure manner. In the past, this has been accomplished by having two persons, each knowing only one component of the master key, manually enter that component into the ATM in a secure environment. The ATM would then execute an algorithm to generate the master key from the data entered by the two operators. It can be expensive and cumbersome to deploy two human operators to load the master keys into the EPP.
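The key hierarchy of the two preceding paragraphs, as an added worked example that is not code from the patent: a master key is reconstituted from components held by two custodians, a key check value (KCV) lets each party confirm the loaded key without disclosing it, and a working key is then transported enciphered under that master key. The page says only that the ATM “executes an algorithm” on the two operators' inputs; the XOR of components with odd-parity adjustment, the KCV as the first three bytes of a TDES encryption of a zero block, and TDES-ECB wrapping of the working key are assumptions reflecting common legacy practice for this key hierarchy, not something the page specifies. All key material below is constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// tdes returns a Triple DES block cipher, expanding a 16-byte K1||K2 to K1||K2||K1.
func tdes(key []byte) (cipher.Block, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	return des.NewTripleDESCipher(key)
}

// setOddParity forces the conventional odd parity on each DES key byte. The low
// bit of every byte is a parity bit that the DES key schedule itself discards.
func setOddParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		b &^= 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		out[i] = b
	}
	return out
}

// hasOddParity reports whether every byte of key carries odd parity.
func hasOddParity(key []byte) bool {
	for _, b := range key {
		if bits.OnesCount8(b)%2 != 1 {
			return false
		}
	}
	return true
}

// combineComponents reconstitutes a key from the components entered separately by
// each custodian. XOR is used so that no single custodian learns the key, and the
// result is parity-adjusted because XOR of two odd-parity bytes has even parity.
func combineComponents(components ...[]byte) ([]byte, error) {
	if len(components) < 2 {
		return nil, errors.New("dual control requires at least two components")
	}
	n := len(components[0])
	if n != 16 && n != 24 {
		return nil, errors.New("components must be 16 or 24 bytes")
	}
	key := make([]byte, n)
	for _, c := range components {
		if len(c) != n {
			return nil, errors.New("components must have equal length")
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return setOddParity(key), nil
}

// keyCheckValue encrypts an all-zero block under the key and keeps the first three
// bytes. Custodians and the host compare KCVs to confirm they hold the same key
// without ever exchanging the key itself.
func keyCheckValue(key []byte) ([]byte, error) {
	c, err := tdes(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, make([]byte, 8))
	return out[:3], nil
}

// wrapKey enciphers a working key under the master key, TDES-ECB one 8-byte block at
// a time (legacy transport; modern deployments use key blocks such as TR-31 that
// also bind the key's usage). This is what travels over the untrusted network.
func wrapKey(masterKey, plainKey []byte) ([]byte, error) {
	c, err := tdes(masterKey)
	if err != nil {
		return nil, err
	}
	if len(plainKey) == 0 || len(plainKey)%8 != 0 {
		return nil, errors.New("key to wrap must be a multiple of 8 bytes")
	}
	out := make([]byte, len(plainKey))
	for i := 0; i < len(plainKey); i += 8 {
		c.Encrypt(out[i:i+8], plainKey[i:i+8])
	}
	return out, nil
}

// unwrapKey reverses wrapKey inside the EPP (or the host HSM).
func unwrapKey(masterKey, wrapped []byte) ([]byte, error) {
	c, err := tdes(masterKey)
	if err != nil {
		return nil, err
	}
	if len(wrapped) == 0 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key must be a multiple of 8 bytes")
	}
	out := make([]byte, len(wrapped))
	for i := 0; i < len(wrapped); i += 8 {
		c.Decrypt(out[i:i+8], wrapped[i:i+8])
	}
	return out, nil
}

func main() {
	// Constructed components, one per custodian; neither alone reveals the key.
	c1, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	c2, _ := hex.DecodeString("A5C3E1F7B9D8A6C4D2E0F1A3B5C7D9EB")
	master, _ := combineComponents(c1, c2)
	mkcv, _ := keyCheckValue(master)
	fmt.Printf("master key loaded, KCV %X (compared with the host's record)\n", mkcv)

	// Host generates a PIN working key and sends it enciphered under the master key.
	working, _ := hex.DecodeString("3C7A5E1B9D2F4860E4A2C6B8F0D1E3A5")
	wkcv, _ := keyCheckValue(working)
	wrapped, _ := wrapKey(master, working)
	fmt.Printf("wrapped working key on the wire: %X\n", wrapped)

	// EPP unwraps and confirms against the KCV the host announced alongside it.
	recovered, _ := unwrapKey(master, wrapped)
	rkcv, _ := keyCheckValue(recovered)
	fmt.Printf("working key KCV match: %v\n", bytes.Equal(rkcv, wkcv))
}
```

The KCV is the practitioner's check that the two-component ceremony actually produced the key the host expects, and the same check is repeated for each working key after it is unwrapped. Because DES ignores the parity bit of each key byte, the KCV is unchanged by the parity adjustment, which is why the host's KCV (computed on its own odd-parity copy) still matches.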
The present invention relates to a method and system to securely and remotely load the master keys, that is, from a host machine to the EPP/ATM over a communications network. This process may be referred to as remote key transfer (RKT). The purpose of RKT methodology is to validate that the transfer is taking place between the known and intended entities (the particular host and EPP involved) and to securely encrypt the master keys during transfer. The present invention also provides a secure method for RKT transfer that will allow the EPP/ATM to become associated with a new host (for example, if the ATM was sold) without compromising or using any information (including the master key) associated with the previous host and without a requirement to replace the EPP, to reload a new EPP certificate, or reload a new EPP secret key.