Master key generation process

Master keys are generated and encrypted by the keygen program.

Figure 1 shows the computational actions that are involved in master key generation.

Figure 1. Master key generation process

The master key that IBM® Safer Payments uses to encrypt and decrypt data is generated from two sets of at least 80 random characters that are hashed by MD5, creating a 256-bit root key. Each of the two sets is generated by combining at least 40 random keystrokes from a user with 40 machine-generated random characters. This master key is never stored or made accessible to users. Instead, the master key is encrypted with the AES-256 algorithm, using the two passphrases of the key holders.

Important: Using the two passphrases, the encrypted master key can be decrypted. This is illustrated in Figure 1 with the dotted line.
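The root-key derivation described above, as an added Python example that is not IBM's keygen code. It assumes that each set is a plain concatenation of keystrokes and machine characters, that each set is hashed separately with MD5, and that the two 128-bit digests are joined; `ALPHABET`, `machine_chars`, `build_set` and `root_key` are hypothetical names, and the AES-256 wrapping with the passphrases is not shown.

```python
import hashlib
import secrets
import string

MIN_USER = 40      # minimum keystrokes per set (from the page)
MIN_MACHINE = 40   # machine-generated characters per set (from the page)
# Assumed character set for the machine-generated part.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def machine_chars(n=MIN_MACHINE):
    """Draw n characters from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def build_set(user_keystrokes, machine=None):
    """Combine user keystrokes and machine randomness into one set."""
    if len(user_keystrokes) < MIN_USER:
        raise ValueError(f"need at least {MIN_USER} keystrokes")
    if machine is None:
        machine = machine_chars()
    if len(machine) < MIN_MACHINE:
        raise ValueError(f"need at least {MIN_MACHINE} machine characters")
    # Assumption: the two parts are simply concatenated.
    return user_keystrokes + machine


def root_key(set_a, set_b):
    """Hash each set with MD5 (128 bits) and join them into 256 bits."""
    for s in (set_a, set_b):
        if len(s) < MIN_USER + MIN_MACHINE:
            raise ValueError("each set needs at least 80 characters")
    # Assumption: one digest per set, concatenated in order.
    digest_a = hashlib.md5(set_a.encode("utf-8")).digest()
    digest_b = hashlib.md5(set_b.encode("utf-8")).digest()
    return digest_a + digest_b


if __name__ == "__main__":
    # Constructed keystrokes stand in for what two key holders would type.
    set_a = build_set("qW3$" * 10)
    set_b = build_set("zX9!" * 10)
    key = root_key(set_a, set_b)
    print(f"root key length: {len(key) * 8} bits")
```
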

The encrypted master key is stored in a safe place and is used, together with the passphrases of the key holders, to create the usage key triplets. The usage key triplets are the only keys that are used during IBM Safer Payments operations.

This is also the reason why the key generator is provided as a separate utility program rather than as part of IBM Safer Payments. Even the encrypted master key must never be stored on the IBM Safer Payments server host. Use a different computer to create the encrypted master key, store it in a safe place, and generate usage key triplets when needed.