Understand Master&Session Keys

In a hierarchy of Key Encrypting Keys (KEKs) and Transaction Keys, the Master Key represents the highest level of KEK.
Distribution Method: Master Keys are typically distributed using physical methods, such as key loading devices, PSAM card or smart card.
Replacement: They are replaced using the same methods whenever compromise is suspected or confirmed.

A Transaction Key, often referred to as a Session Key, Data Key, communications key, or working key, is used to cryptographically process transactions.
In scenarios where different cryptographic functions are used, each function might employ a variant of the Transaction Key.

Two-Layer Hierarchy:
- There are two type of keys: Master Key and Session Key.
- In the devices, the highest-level KEK is known as the Master Key.
- The Master Key encrypts Transaction Keys (Session Keys) directly.
- Session Keys: These include PIN keys (for encrypting PIN blocks), MAC keys (for MAC calculations), and data keys (for encrypting other data).
- Each Master Key support three slots for Session Keys internally.
Three-Layer Hierarchy:
- There are three type of keys: Transport Key, Master Key and Session Key.
- Highest Level: Referred to as a Transfer/Transport Key.
- Middle Level: Known as a Master Key, which is encrypted and updated by Transport Key.
- Lowest Level: Called a Session Key, which is encrypted and updated by the Master Key.

Master Key (Two-Layer) & Transfer/Transport Key (Three-Layer): For injecting these keys, refer to Use TMK KeyLoader POS or Understand Remote Key Injection.
Session Key & Master Key (Three-Layer): These can be injected using our SDK. Refer to the PINPad section of our SDK for detailed instructions.

For information on how to utilize these keys, please refer to the PINPad description in our SDK.

Last updated 8 months ago