MICROS 9700 Encryption Key Management Utility

General Information
About this Document

This document is intended as a quick reference guide to provide information concerning the MICROS 9700 Encryption Key Management Utility. This document relates specifically to MICROS 9700 Version 3.60 Hospitality Management System software.

About the 9700 Encryption Key Management Utility

The purpose of the 9700 Encryption Key Management Utility is to allow the user to set the encryption passphrase for the 9700 System. In accordance with the PCI Data Security Standard, MICROS Systems, Inc. mandates each site protect encryption keys against both disclosure and misuse.

Secure Key Practices

To ensure secure distribution, MICROS Systems, Inc. mandates that users divide knowledge of a specific encryption key among two or three people. Users should establish dual control of keys so that it requires two to three people, each knowing only his or her part of the key, to reconstruct the entire key. A site's management procedures must require the prevention of unauthorized substitution of keys. 9700 HMS prevents the unauthorized substitution of keys by employing security measures in the Key Management Utility; for example, an unencrypted key will not be accepted by the utility. Furthermore, a site's management procedures must require the replacement of known or suspected compromised keys. The site also must require each key custodian to sign a form stating that he or she understands and accepts his or her key-custodian responsibilities.

MD0006-050
February 3, 2010 Page 1 of 13

Key Management Utility Security Enhancements

Previously, the 9700 3.x system stored the encryption keys used to encrypt and decrypt secure data, such as credit card numbers, in the database. Now due to a new Payment Card Industry Data Security Standard (PCI DSS) requirement that mandates the secure deletion of unused encryption keys, 9700 version 3.60 and greater uses a new encryption scheme that avoids using secondary encryption keys.

The New Encryption Scheme

The key rotation itself will always require the 9700 system to be brought down to a down state for a very short period of time, and the 9700 system must remain down while the Key Management Utility tool is used to run the initial key rotation. After the initial key rotation, the subsequent process of database re-encryption runs in the background, so the system does not necessarily have to be down while re-encryption is running. The secure deletion of the old encrypted passphrase file is accomplished using the secure delete application SDelete. For more information on SDelete, see page 6.

Operations Considerations
Warning: After a key rotation (the initial key rotation and all subsequent rotations) is performed by the Key Management Utility, the database and 9700 application become synchronized with new encryption key data.

For this reason, users should not swap databases (restoring/replacing the existing database with a different one) until they are absolutely sure that the new database is also in sync with the 9700 application. Generally speaking, there is no way to determine whether an offline database that is about to be restored by the user is in sync with the 9700 application. Therefore, usually the only safe scenario to restore/replace a database is to restore/replace the database with a good database backup that must have been taken prior to performing the new key rotation. The database can only be restored/replaced if no key rotation has occurred since uploading the existing database or since the backup database was taken.

9700 3.60 Fresh Installation

The following should be noted when conducting a fresh 9700 3.60 installation:

The 9700 3.60 installation process prompts for and requires SDelete installation before successful completion. For more information on SDelete, see page 6. After the fresh install completes, the 3.60 install shield will remind the user to run the initial key rotation after rebooting the server. If the user forgets to run the initial key rotation, the 9700 system will refuse to be brought up to levels equivalent to dbs up or higher and the following message displays.

To ensure PCI compliance, MICROS Systems Inc. mandates that the site run the initial key rotation after the installation is complete.

The 9700 system must remain down while the Key Management Utility tool is used to run the initial key rotation. If the 9700 system has a backup application server, the user will need to run the Key Manager Utility with the same pass phrase on the backup server after the initial key rotation is completed on the primary server. Note that this is the same case for all existing 3.10 sites as well (if a key rotation occurs on one server, the same rotation must occur on the backup server in order to sync the new pass phrases). After the initial key rotation is complete, the 9700 system can be brought up to operation level. All new secure details will be encrypted using the new key.

Upgrading from 9700 v. 3.10 to 9700 v. 3.60

The following should be noted when upgrading a 9700 v. 3.10 system to 9700 v. 3.60:

SDelete must be installed before running the Key Management Utility. For more information on SDelete, please see page 6. To ensure PCI compliance, MICROS Systems Inc. mandates that the site run the initial key rotation after the upgrade is complete. If the 9700 system has a backup application server, the user will need to run the Key Manager Utility with the same pass phrase on the backup server after the initial key rotation is completed on the primary server (if a key rotation occurs on one server, the same rotation must occur on the backup server in order to sync the new pass phrases). The database re-encryption will run after the initial key rotation. After the initial key rotation is complete, the 9700 system can be brought up to operation level. All new secure details will be encrypted using the master key.

Periodic Key Rotation

In order to achieve maximum security, MICROS Systems, Inc. mandates the system administrator regularly rotate the site's encryption keys. When periodic key rotation occurs, database re-encryption will not require the 9700 system to be down. The key rotation itself will still require the 9700 system to be in down mode; however, the rotation (without database re-encryption) should take only a short period of time. Encryption key rotations are necessary and must occur periodically, at least annually. For more information on how to rotate keys, please see the 9700 HMS Version 3.60 and the Key Management Utility section on page 6.

9700 HMS Version 3.60 and the Key Management Utility


Operating Conditions

The following conditions must be true for the KeyManager program to run:

- The 9700 system is in a down state. When the initial key encryption process occurs, the 9700 system must remain in the down state. For any subsequent key rotations after the initial key rotation, the 9700 system must be in a down state but can be brought up to operational mode once the re-encryption process has started. If a passphrase change is attempted while 9700 is not in a down state, the following error will display:
- It must be running locally on a 9700 system; it cannot be run remotely.
- The EMC web service must be up and running (IIS installed and running).
- The database must be accessible.
- SDelete must be downloaded and installed in the following location: C:\SDelete. SDelete is a command line utility that is used to securely delete one or more files and/or directories or to cleanse the free space on a logical disk. For more information on SDelete and to download SDelete, see the SDelete v1.51 page on the Microsoft TechNet website http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx.

Note

The 9700 3.60 installation process prompts for and requires SDelete installation before successful completion. If the site is using a 9700 system below version 3.10 SP6, follow the link above to download and install SDelete. Please ensure that SDelete is installed on the same drive as the operating system in a folder named SDelete before using the Key Manager Utility, as the utility will not run successfully without it. If SDelete is not installed and the Key Manager Utility tries to update the passphrase, the following error message will display:

Initial Key Rotation Considerations

The Key Manager Utility automatically detects when the initial key rotation occurs and prompts the user with a dialog noting that the system must remain in a down state during the initial key rotation. The dialog will say the following:

"The software has detected this is the first key rotation after 3.x installation and will now perform database re-encryption. The process may take considerable amount of time to complete, and the system needs to remain in down state during the process. Please be patient and DO NOT interrupt the re-encryption process! Failure to do so may cause unrecoverable loss of encrypted data!"

After the initial key rotation is complete, the 9700 system can be brought up to operation level.

Subsequent Key Rotation Considerations

The Key Management Utility will always require the 9700 system to initially be in a down state. Once the re-encryption process starts, the 9700 system can be brought back to the operations mode.

Login Conditions

Only two types of users can log into the KeyManager program:

- MICROS super-users.
- Employees with access level of 0 who also need system administrator privileges for the server to run the Key Manager application.

Display Screen

There is only one window in the Key Manager program, seen below:

The areas of the window are:

- A: The top line displays the current PC Number (useful to determine if you are running on PC1 or PC2).
- B: Update Passphrase entry area.
- C: Encryption Key Status.

Changing the Passphrase

Changing the passphrase has these restrictions:

- The passphrase must be 1 to 24 characters long.
- The passphrase and confirm passphrases must match.
- The system must be in the down state (database must be brought down from a Cygwin command line with the micros stop y command).
- The database must be accessible.
- SDelete must be downloaded and installed in the same drive as the operating system in a folder named SDelete. For more information on SDelete and to download SDelete, see the SDelete v1.51 page on the Microsoft TechNet website http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx.

Warning: If the passphrase is lost, the encrypted data in the database is unrecoverable. There are no backdoors!

To change the passphrase, follow the directions below.

1. Bring the 9700 system to a down state by entering the command micros stop y in the Cygwin command line.

2. Navigate to the 9700/bin directory on the 9700 Server and double-click the KeyManager.exe file. The KeyManager Login Screen opens, seen below.

Enter a valid ID and Password, then click OK.

3. Enter the new passphrase and confirm the passphrase in the Update Passphrase section, circled below.

4. Click Update. The following warning displays.

5. Click Yes to continue only if the site's credit card records have been batched and settled. Click No if the site's credit card records have not been batched and settled; do not proceed with the key rotation until the credit card records have been batched and settled and the database is backed up. The Key Management Utility will recognize if the initial key rotation has occurred. If the initial key rotation has occurred, the utility displays a dialog, seen below, informing the user that the 9700 system can be brought to an operation state while the database re-encryption process occurs.

6. The re-encryption begins and a status bar displays, as seen below. The percentage of records being re-encrypted displays in the corner of the status bar, circled below. Click OK when all records have been successfully re-encrypted.

7. Once the passphrase has successfully changed, the following window displays. Click OK.

If the Key Management Utility is run after a fresh 9700 installation, the following message displays instead of the message seen above. No keys are present in the database, so the passphrase is stored for future use. Click OK.

8. When the passphrase change/key rotation successfully completes, the following prompt displays. To exit the application, click Yes.

Signature Confirmation

The passphrase is stored on the 9700 PC. The encryption keys are stored in the database. In order to determine if the passphrase matches the encryption keys, a passphrase signature field exists in the database. The signature is a one-way hash of the passphrase. This signature field is what KeyManager uses to determine if the passphrase can be set on the 9700 PC. The 9700 processes use the signature to determine if the security configuration is in sync and valid. A PC/database could be out of sync if a 9700 system were to point to a database using a different passphrase in a support situation, for example.

Key Management Utility Messages

Passphrase same as old passphrase

This message displays when the new passphrase entered is the same as the old passphrase. Click OK and re-enter a new passphrase.

New passphrase now in sync with database.

A valid passphrase/database combination exists, and a new passphrase is to be stored. The message will display when the same passphrase is entered when running the Key Management Utility on the backup application server as was entered when running the utility on the primary application server. For more information, see page 4.

Passphrase stored. (Database signature was not preset)

This message displays when the Key Management Utility is run after a fresh 9700 installation. No keys are present in the database, so the passphrase is stored for future use.
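The signature check described under Signature Confirmation and the three messages above can be modelled as follows. This is an added sketch, not MICROS code: the hash function (PBKDF2-HMAC-SHA256), the salt, the outcome labels, the order of the checks and the "out-of-sync" outcome are all assumptions, since the document only states that the signature is a one-way hash of the passphrase.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

Signature = Tuple[bytes, bytes]  # (salt, digest) in a hypothetical database field

def make_signature(passphrase: str, salt: Optional[bytes] = None) -> Signature:
    """One-way signature of a passphrase. PBKDF2-HMAC-SHA256 is an assumption;
    the document only says the signature is a one-way hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000)
    return salt, digest

def matches(passphrase: str, signature: Signature) -> bool:
    """Recompute the signature with the stored salt and compare in constant time."""
    salt, digest = signature
    return hmac.compare_digest(make_signature(passphrase, salt)[1], digest)

def classify_update(local: Optional[str], db_sig: Optional[Signature], new: str) -> str:
    """Decide what a passphrase update means for one PC/database pair.
    local:  passphrase currently held on the PC (None if never set)
    db_sig: signature read from the database (None on a fresh install)"""
    if not 1 <= len(new) <= 24:
        raise ValueError("passphrase must be 1 to 24 characters long")
    if db_sig is None:
        return "stored-no-db-signature"  # fresh install: nothing to compare against
    if matches(new, db_sig):
        if local == new:
            return "same-as-old"         # PC and database already use this passphrase
        return "now-in-sync"             # e.g. backup server catching up with primary
    if local is None or not matches(local, db_sig):
        return "out-of-sync"             # assumed outcome: PC cannot prove the old passphrase
    return "rotate"                      # old passphrase verified and the new one differs

if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    db = make_signature("constructed-old-phrase")
    cases = [
        (None, None, "first-phrase"),
        ("constructed-old-phrase", db, "constructed-old-phrase"),
        (None, db, "constructed-old-phrase"),
        ("constructed-old-phrase", db, "constructed-new-phrase"),
        ("wrong-site-phrase", db, "constructed-new-phrase"),
    ]
    for local, sig, new in cases:
        print(classify_update(local, sig, new))
```

Because only the signature is compared, the passphrase itself never needs to be stored in the database for the sync check to work.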
