Clover Mobile Security Policy 16
to decrypt the KEK. In turn, the KEK is used to extract the IPEKs
from the TR31 containers. Once the IPEKs have been extracted,
the RKI process is complete and the device is ready to process
transactions.
h. There are no alternative key systems. The use of any alternative
key management system would not work and would invalidate any
PCI approval of this POI.
6. Cryptographic Algorithms
a. All code is cryptologically authenticated before execution. The
authentication process relies upon cryptological data stored in one
time programmable memory (OTP memory). Once programmed,
OTP memory cannot be rewritten so code signing keys cannot be
replaced.
i. Main Board (MB) - the mainboard uses 2048 bit RSA PSS to
validate code. Main Board code is authenticated via the MB
secure boot key (MB SBK). The bootloader cannot execute
unless it is validated by the MB SBK.
ii. Secure Board (SB) - the secure board uses 256 bit ECDSA to
validate code. The secure board is protected by the Clover
Root Key (CRK). The CRK is validated by the Maxim Root
Key (MRK). At boot, the CRK is validated with the MRK.
The CRK is then used to validate code.
7. Key Invalidation
a. In the case of a compromise of a certificate authority operating by
the vendor, the vendor will notify user and the device must be
decommissioned according the instructions provided in that
section of this document.
b. In the case that you have been notified by the acquirer that the
BDK or the IPEK has been compromised, you must decommission
your device according the instructions provided in that section of
this document.
8. Key table
Key Name Purpose/Usage Algorithm Size Stored
Maxim Root
Key (MRK) Verify CRK ECDSA
L=2048,
N=256
(See FIPS
186-4
Semiconductor
Mask
To Next Page
Loading...
Need help?
General
