@mylamour
Created April 4, 2025 15:05
@startuml
title Symmetric Key Lifecycle (Generated by Card Scheme)
participant "Card Scheme (Switch)" as Switch
participant "HSM (Switch)" as HSM_Switch
participant "Key Component Custodian" as Custodian
participant "Acquiring Side (Acquirer)" as Acquirer
participant "HSM (Acquirer)" as HSM_Acquirer
participant "Issuing Side (Issuer)" as Issuer
participant "HSM (Issuer)" as HSM_Issuer
participant "Application (Acquirer)" as AppAcquirer
participant "Application (Issuer)" as AppIssuer
== Key Generation (Generation by Switch) ==
Switch -> HSM_Switch: 1. Request generation of separate shared symmetric keys (K) for the issuer and the acquirer
activate HSM_Switch
HSM_Switch --> HSM_Switch: Securely generate key K
HSM_Switch --> Switch: Return the KCV or handle of K
deactivate HSM_Switch
== Key Distribution (Distribution via Components) ==
Switch -> HSM_Switch: 2. Request export of K's key components
activate HSM_Switch
HSM_Switch --> HSM_Switch: Split K into N components (K1, K2, ...)
HSM_Switch --> Switch: Securely output each component (e.g., printed)
deactivate HSM_Switch
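Switch -> Custodian: 3. Distribute the Acquirer's shared key
Switch -> Custodian: 3. Distribute the Issuer's shared key
note right of Custodian: Delivered through a secure channel
Custodian -> Acquirer: 4. Deliver the key components to the Acquirer administrator
Custodian -> Issuer: 4. Deliver the key components to the Issuer administrator
== Key Import and Storage (Import & Storage) ==
alt Issuer and acquirer use different keys
Acquirer -> HSM_Acquirer: 5. Request import of key components
activate HSM_Acquirer
Acquirer -> HSM_Acquirer: Enter K1, K2, ... received by the Acquirer
HSM_Acquirer --> HSM_Acquirer: Combine the components to reconstruct K
HSM_Acquirer --> HSM_Acquirer: Encrypt K under LMK_Acquirer for storage
HSM_Acquirer --> Acquirer: Return the KCV of K (for comparison) or confirm the import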
deactivate HSM_Acquirer
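Issuer -> HSM_Issuer: 5. Request import of key components
activate HSM_Issuer
Issuer -> HSM_Issuer: Enter K1, K2, ... received by the Issuer (components of the same key K)
HSM_Issuer --> HSM_Issuer: Combine the components to reconstruct K
HSM_Issuer --> HSM_Issuer: Encrypt K under LMK_Issuer for storage
HSM_Issuer --> Issuer: Return the KCV of K (for comparison) or confirm the import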
deactivate HSM_Issuer
end
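== HSM Cluster Synchronization (Replication - Optional) ==
Acquirer -> HSM_Acquirer: 6. (Internal mechanism) Synchronize the acquiring-side key to the Acquirer HSM cluster
Issuer -> HSM_Issuer: 6. (Internal mechanism) Synchronize the issuing-side key to the Issuer HSM cluster
Switch -> HSM_Switch: 6. (Internal mechanism) Synchronize the issuing-side and acquiring-side keys to the Switch HSM cluster
== Working Key Derivation (Derivation) ==
AppAcquirer -> HSM_Acquirer: 7. Request derivation of working keys from K (DK_Acq)
activate HSM_Acquirer
HSM_Acquirer --> HSM_Acquirer: Derive MAC Key, PIN Key
HSM_Acquirer --> AppAcquirer: Return working key handle / protected form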
deactivate HSM_Acquirer
' The Switch and the Issuer perform similar derivation when needed '
== Key Usage (Usage in Transaction: Acquirer -> Switch -> Issuer) ==
AppAcquirer -> HSM_Acquirer: 8. Encrypt the PIN and compute the MAC using DK_Acq
activate HSM_Acquirer
HSM_Acquirer --> AppAcquirer: Return the encrypted PIN and MAC value
deactivate HSM_Acquirer
AppAcquirer -> Switch: 9. Send ISO8583 (with encrypted PIN, MAC)
activate Switch
Switch -> HSM_Switch: 10. Derive DK_Switch_In from K (master copy), verify MAC / decrypt PIN
activate HSM_Switch
HSM_Switch --> Switch: Return verification result / decrypted PIN
deactivate HSM_Switch
note right of Switch: Switch uses K to verify inbound messages
Switch -> Switch: 11. Process the transaction and prepare to forward it
Switch -> HSM_Switch: 12. Derive DK_Switch_Out from K (master copy), encrypt PIN / compute MAC
activate HSM_Switch
HSM_Switch --> Switch: Return encrypted PIN / new MAC value
deactivate HSM_Switch
note right of Switch: Switch uses K to encrypt/sign outbound messages
Switch -> Issuer: 13. Send ISO8583 (with encrypted PIN, new MAC)
deactivate Switch
activate Issuer
AppIssuer -> HSM_Issuer: 14. Request derivation of working keys from K (DK_Iss)
activate HSM_Issuer
HSM_Issuer --> HSM_Issuer: Derive MAC Key, PIN Key
HSM_Issuer --> AppIssuer: Return working key handle / protected form
deactivate HSM_Issuer
AppIssuer -> HSM_Issuer: 15. Verify MAC / decrypt PIN using DK_Iss
activate HSM_Issuer
HSM_Issuer --> AppIssuer: Return verification result / decrypted PIN
deactivate HSM_Issuer
AppIssuer -> AppIssuer: 16. Make the authorization decision
deactivate Issuer
@enduml
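
Steps 2 to 5 of the diagram (split K into components, hand them to custodians, recombine in the receiving HSM, compare the check value) as an added Python example; it is not part of the original gist. It assumes XOR components, which the diagram does not specify, and uses a truncated HMAC-SHA-256 as a stand-in for the HSM's cipher-based KCV; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split key into n XOR components (assumed scheme); any n-1 look random."""
    if n < 2:
        raise ValueError("split knowledge needs at least two components")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for part in parts:
        last = bytes(a ^ b for a, b in zip(last, part))
    return parts + [last]


def combine(components: list[bytes]) -> bytes:
    """XOR the entered components together, as the receiving HSM would."""
    if len(components) < 2 or len({len(c) for c in components}) != 1:
        raise ValueError("components missing or of unequal length")
    key = bytes(len(components[0]))
    for comp in components:
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


def check_value(key: bytes) -> str:
    """Stand-in KCV: truncated HMAC-SHA-256 of a zero block (not a real HSM KCV)."""
    return hmac.new(key, bytes(16), hashlib.sha256).hexdigest()[:6].upper()


def import_key(components: list[bytes], expected_kcv: str) -> bytes:
    """Rebuild K and reject the import when the check value does not match."""
    key = combine(components)
    if not hmac.compare_digest(check_value(key), expected_kcv):
        raise ValueError("check value mismatch: wrong or mistyped component")
    return key


if __name__ == "__main__":
    k = secrets.token_bytes(16)            # constructed sample key
    kcv = check_value(k)                   # travels with the components, not secret
    k1, k2, k3 = split_key(k, 3)           # one component per custodian
    assert import_key([k1, k2, k3], kcv) == k
    typo = bytes([k2[0] ^ 0x01]) + k2[1:]  # one mistyped bit in one component
    try:
        import_key([k1, typo, k3], kcv)
    except ValueError as err:
        print("import rejected:", err)
```
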