Financial/Bank Security Platforms (China)

In China, security is critical routine work for most enterprises. In particular, internet companies and financial companies are growing very quickly. I work as a CTO at one of the biggest third-party payment companies in China. We have a project which needs to connect with other financial systems. In this project, security is one of the challenges. I will share some security information with readers in this article.

HSM template

The Chinese financial system uses the HSM (Host Security Module) as its security template. An HSM consists of three layers: the local master key, the exchange master key and the work key. Figure 1 displays the three layers of HSM.


Local Master Key (LMK)

The local master key is the most important key in an HSM system. As the name suggests, the LMK is stored on the local machine. The LMK is used to encrypt all the other keys, such as ZMK, TMK, PIK, MAK, etc.

Exchange Master Key

The exchange master key is used to protect keys when they are exchanged between different collaborators. The exchange master key normally consists of the Zone Master Key (ZMK) and the Terminal Master Key (TMK).

ZMK: used between different financial enterprises or banks. We can call them zones.

TMK: used within the same financial enterprise. Technically, the ZMK is normally used across different LANs and the TMK within the same LAN. TMKs can be found in ATM and POS machines.

Work Key

A work key is used to protect different kinds of data. A different work key is applied according to the type of data.

ZPK is used to protect PINs between different zones.
ZAK is used to protect authentication messages such as MACs between zones.
TPK is used to protect PINs within the same zone.
TAK is used for MACs (Message Authentication Codes). TAK is also called MAK.
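
The three layers working together, as an added example that is not part of the original article: bank A creates a ZAK, sends it to bank B under a shared ZMK, and each side stores it under its own LMK. Assumptions: the ToyHsm class and its method names are hypothetical, and an HMAC-SHA256 keystream with a tag stands in for the block cipher a real HSM would use.

```python
import hashlib
import hmac
import secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def wrap(kek, label, key):
    """Encrypt a 16-byte key under kek; the tag binds the key-type label."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _prf(kek, b"enc" + nonce)))
    return nonce + ct + _prf(kek, b"mac" + label.encode() + nonce + ct)

def unwrap(kek, label, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(kek, b"mac" + label.encode() + nonce + ct)):
        raise ValueError("wrong wrapping key, wrong key type, or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _prf(kek, b"enc" + nonce)))

class ToyHsm:
    """The LMK stays inside this object; callers only ever hold wrapped keys."""
    def __init__(self):
        self._lmk = secrets.token_bytes(32)

    def load_zmk(self, clear_zmk):
        # Assumption: the ZMK is entered once at a key ceremony, then kept under LMK.
        return wrap(self._lmk, "ZMK", clear_zmk)

    def generate(self, label):
        return wrap(self._lmk, label, secrets.token_bytes(16))

    def export_key(self, zmk_lmk, key_lmk, label):
        # LMK protection -> ZMK protection, for sending to the other zone.
        zmk = unwrap(self._lmk, "ZMK", zmk_lmk)
        return wrap(zmk, label, unwrap(self._lmk, label, key_lmk))

    def import_key(self, zmk_lmk, key_zmk, label):
        # ZMK protection -> this HSM's own LMK protection, for local storage.
        zmk = unwrap(self._lmk, "ZMK", zmk_lmk)
        return wrap(self._lmk, label, unwrap(zmk, label, key_zmk))

    def mac(self, zak_lmk, message):
        # Work key in use: the ZAK authenticates a message between zones.
        return _prf(unwrap(self._lmk, "ZAK", zak_lmk), message)

def exchange_zak(bank_a, bank_b, clear_zmk):
    """Bank A creates a ZAK and ships it to bank B under the shared ZMK."""
    zmk_a, zmk_b = bank_a.load_zmk(clear_zmk), bank_b.load_zmk(clear_zmk)
    zak_a = bank_a.generate("ZAK")
    return zak_a, bank_b.import_key(zmk_b, bank_a.export_key(zmk_a, zak_a, "ZAK"), "ZAK")
```

Both banks end up with the same ZAK, but each holds it as a different blob that only its own HSM can open, and a key exported as a ZAK is rejected if the receiver tries to import it as a ZPK.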

Hopefully this limited understanding can help others.

