Key Pair Generation & Signing
As the Internet of Things continues to expand, companies are recognizing the value and necessity of device authentication to provide secure remote updates to protect their devices from attack. Device authentication usually relies on Public Key Infrastructure (PKI), but the logistical challenge of providing thousands of key pairs and certificates for those devices is significant. In addition, because many IoT devices have a relatively low price point, the cost to install keys and certificates must be kept as low as possible.
Efficient remote key management is even more critical in payments, where secure, compliant key delivery to POS terminals is mandatory. As the number of terminals expands and the number of payment keys each terminal must manage increases, authenticated key delivery to deployed terminals is becoming increasingly important. And the entire process – key pair generation, Certificate Signing Request (CSR) creation, communication to and from the Certificate Authority (CA), forming and transmitting the terminal key injection payload – must remain compliant with the relevant ANSI X9.24, PCI-PIN and PCI-P2PE requirements.
KeyBRIDGE has the ability to generate, store, and distribute hundreds of thousands of key pairs per day. Additionally, by leveraging the KeyBRIDGE API for Remote Centralized Key Management (ARCK), users can use this simple JSON Schema RESTful API to request generation and facilitate secure signing while relying on KeyBRIDGE for the secure delivery of signed key pairs to target devices.
Using KeyBRIDGE’s Remote Centralized Key Management features, you can build a compliant, scalable high-volume key delivery system:
In this scenario, by using RESTful APIs, the KeyBRIDGE platform:
- Receives a key request from the customer TMS.
- Based on the data in the key request, generates a key pair of the specified algorithm and length using the internal FIPS-140-2 level 3 HSM.
- Uses the certificate profile to create and send a CSR to the CA.
- Receives the certificate from the CA.
- Forms the key, certificate and other metadata into a terminal TR-34 payload and returns it to the TMS.
In addition to its remote key management features that make the scenario above possible, KeyBRIDGE includes:
- Resources to import and manage the required payload signing keys.
- Resources to create and maintain X.509 certificate profiles, including any optional certificate extensions your infrastructure requires.
- Complete, detailed audit logging of all user management activity and key request processing; this includes:
- Query, Filter, and View: Date/Time of requests/call, key generation, CSR creation.
- Payload packaging, package signing, and package delivery.
- Query, Filter, and View: Date/Time of status receipt, request submission, request.
- Processing, CA receipts/retrievals, and payload delivery/pickup.
- Query, Filter, and View: hundreds of unique functions.
- Protecting the TMS and CA interfaces using TLS v1.2, and the resources to import and manage the required TLS authentication keys.
- Automated database backup with support for numerous endpoint storage locations.
With its intuitive, easy-to-use graphical user interface, state of the art security features, robust auditing and the best support in the industry, you can count on KeyBRIDGE to be the tool of choice for remote key management projects, both now and in the future. GEOBRIDGE is committed to provide the payment industry with best-in-class tools for remote centralized key management that embrace state-of-the-art security protocols to ensure your key management initiatives are delivered on time, on budget and fully compliant with the latest standards. Let GEOBRIDGE partner with you for your current and future key management needs.