KEY-UP II & III units provide total facilities to create, store and secure the following DES keys:
Master File Key (MFK)
An MFK is injected into the module at initialization and never utilized
outside the unit. It is used for encryption of other keys to be used by
KEY-UP II. Encrypted keys may be stored on the host database or on
KEY-UP II's internal table.
Key Exchange Key (KEK)
A KEK is required for each pair of processors that will be in
communication. It is used to encrypt and decrypt the "working keys" the
pair will need to share. KEY-UP II generates a KEK for manual injection
into the remote processor. The identical key is encrypted under the MFK
for local storage.
Used for key management by ATMs. These keys can be generated by KEY-UP II, but are manually loaded into the ATM.
This includes keys for PIN encryption/decryption (KPE), PIN
verification (KPV), message authentication (KMAC) and data encryption
(KC). Except for KPVs, which are predetermined, working keys are
automatically generated as needed, distributed through the network
under the KEKs and stored on the host database, encrypted under the MFK.