Don Taylor

1
STS, Key Management and Revenue Protection

• Don Taylor
• STS Association

www.sts.org.za
2
Whats it all about ?

• Standard Transfer Specification (STS)
• Meter Keys
• Vending Keys and Supply Group Codes (SGC)
• Encryption / Decryption
• Key Change Tokens
• Key Load Files
• Secure Modules (SM)
• Key Management Center (KMC)
• Meter Manufacturers
• Utilities
• Token Vendors

A host of entities that work together.
3
What is encryption ?
shuffle letters
ENCRYPTION
000 0 JOE
001 1 JEO
010 2 EJO
011 3 EOJ
100 4 OEJ
101 5 OJE
reverse the shuffle process
DECRYPTION
The Key is a shared secret between sender and
receiver.
4
What is a key ?

• A secret random number

3-bit Key 8 combinations
101
56-bit DES Key 72 x 1015 combinations
1001 1100 1011 1110 1101 11011011 1110 1001 1110 0001 1000 1011 1010
64-bit STS Key 18 x 1018 combinations
1001 1100 1011 1110 1101 11011011 1110 1001 1110 0001 1000 1011 1010 1011 1111
DES keys are still widely used in the banking
industry STS key is 256 times stronger than a
DES key.
5
Meter key ?
KMC generates Key and allocates Supply Group
Code to Utility
applies for SGC
Key Management Centre
Utility
Key
SGC
SGC 000439
Key Load File
places order
Secure Module
installs
Supply Group
Meter Manufacturer
Key Change Token
SGC 000439
Meter
Key1
manufactures
installed in

• Each meter Key1 is uniquely derived from Key.

6
Vending key ?
Key Management Centre
authorizes
Already allocated Key and SGC
Utility
Key
SGC
contracts with
Key Load File

installs
Vendor
Secure Module
Encrypt (credit) using Key1
(credit)

Credit Token
installed
Meter
Customer
Decrypt (credit) using Key1
Key1

• The Key gives vending authorization.

7
The implication ?

• Key authorizes credit transfer to customer
• Anyone in possession of the Key can transfer
  credit
• A loaded Secure Module is a credit transfer
  machine
• A lost or unused SM is a money printer

Manage your Secure Modules.
8
Who owns the key ?

• The Utility owns the Key
• The Key protects the Utilitys revenue
• It is the Utilitys responsibility to keep the
  Key safe once it leaves the KMC

Responsibility accompanies ownership.
9
What does KMC do ?

• Generate Supply Group Codes and Keys
• Allocate to Utilities
• ESCROW in safe storage
• Distribute to equipment manufacturers and token
  vendors authorized by Utility
• Authenticate Secure Modules
• Initialize Secure Modules

KMC is responsible for keys in its own domain.
10
What does STSA do ?

• Facilitates access to STS services
• Product certification
• Key management
• Assures availability of services
• Assures conformance to standards
• STS protocols
• Codes of practice

STSA supports the STS infrastructure.
11
Where are your keys now ?

• Every meter manufacturer that supplied meters to
  the Utility
• Every SM that vended tokens for the Utility
• Loaded SMs in cupboards and boxes
• Stolen or missing SMs

Keys are all over the show.
12
Present status ?

• Many Utilities are ignorant of responsibility
• Few can give 100 accountability of SMs
• Many SMs becoming redundant due to online vending
  systems
• Program initiated by NRS User Group and KMC to
  bring keys and SMs under control
• STS Association initiated a project for enhanced
  key management infrastructure

We need to get our act together.
13
What should Utility do ?

• Take ownership and responsibility
• Understand all relevant aspects of key management
• Put own management plan in place
• Actively participate in the STS User Group
• Take ownership of the infrastructure

Wake up before it is too late.
14
Conclusion ?

• The Key protects your Revenue
• Manage it

Thank you for your attention!