
STS, Key Management and Revenue Protection
Don Taylor
STS Association
www.sts.org.za

What’s it all about ?
• Standard Transfer Specification (STS)
• Meter Keys
• Vending Keys and Supply Group Codes (SGC)
• Encryption / Decryption
• Key Change Tokens
• Key Load Files
• Secure Modules (SM)
• Key Management Center (KMC)
• Meter Manufacturers
• Utilities
• Token Vendors
A host of entities that work together.

What is encryption ?
[Diagram: “JOE” message → Secure Module (Key: shuffle rule 3) → Token (shuffled combinations) → Meter (Key: shuffle rule 3) → “JOE” message]
ENCRYPTION: shuffle letters
DECRYPTION: reverse the shuffle process
The Key is a shared secret between sender and receiver.

What is a key ?
A secret random number
• 3-bit Key = 8 combinations
• 56-bit DES Key = 72 x 10^15 combinations
• 64-bit STS Key = 18 x 10^18 combinations
DES keys are still widely used in the banking industry
STS key is 256 times “stronger” than a DES key.

Meter key ?
[Diagram. Labels: Utility applies for SGC; Key Management Centre (KMC) generates Key and allocates Supply Group Code to Utility (Key, SGC = 000439); Utility places order with Meter Manufacturer; Key Load File installs in the Secure Module; Meter Manufacturer manufactures Meter for the Supply Group (SGC = 000439); Key Change Token; Key1 installed in]
Each meter Key1 is uniquely derived from Key.

Vending key ?
[Diagram. Labels: Key Management Centre (already allocated Key and SGC); authorizes; Utility (Key, SGC) contracts with Vendor; Key Load File installs in the Vendor Secure Module; Customer pays ($); Encrypt (credit) using Key1 → Credit Token → Meter (Key1 installed): Decrypt (credit) using Key1]
The Key gives vending authorization.

The implication ?
• Key authorizes credit transfer to customer
• Anyone in possession of the Key can transfer credit
• A loaded Secure Module is a credit transfer machine
• A “lost” or “unused” SM is a money printer
Manage your Secure Modules.
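
Added example (not part of the original slides, and not STS code): a toy model of the "Meter key", "Vending key" and "The implication" slides, showing a per-meter Key1 derived from the Key and why any Secure Module holding the Key can issue credit. HMAC-SHA256 stands in for the STS derivation, and an authentication tag stands in for the token encryption; the key value, meter ids and function names are constructed for illustration.

```python
import hashlib
import hmac

SGC = "000439"  # Supply Group Code shown on the slides


def derive_meter_key(vending_key: bytes, sgc: str, meter_id: str) -> bytes:
    """Diversify the vending Key into a 64-bit per-meter Key1.
    HMAC-SHA256 is a stand-in here, not the STS derivation algorithm."""
    msg = f"{sgc}|{meter_id}".encode()
    return hmac.new(vending_key, msg, hashlib.sha256).digest()[:8]


def _tag(meter_key: bytes, payload: str) -> str:
    return hmac.new(meter_key, payload.encode(), hashlib.sha256).hexdigest()[:16]


def make_credit_token(meter_key: bytes, units: int, seq: int) -> str:
    """What a loaded Secure Module does: bind credit to one meter's Key1."""
    payload = f"{units}:{seq}"
    return f"{payload}:{_tag(meter_key, payload)}"


def meter_accept(meter_key: bytes, token: str) -> int:
    """What the meter does: return credited units, or 0 if the token
    was not produced under this meter's Key1."""
    try:
        units, seq, tag = token.split(":")
    except ValueError:
        return 0
    expected = _tag(meter_key, f"{units}:{seq}")
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return int(units) if ok else 0


def demo() -> dict:
    key = bytes.fromhex("0123456789abcdef")          # constructed vending Key
    key1_a = derive_meter_key(key, SGC, "METER-A")   # constructed meter ids
    key1_b = derive_meter_key(key, SGC, "METER-B")
    token = make_credit_token(key1_a, 50, 1)
    # A second Secure Module loaded with the same Key re-derives Key1 itself.
    stray = make_credit_token(derive_meter_key(key, SGC, "METER-A"), 20, 2)
    return {
        "meter_a_accepts": meter_accept(key1_a, token),           # 50
        "meter_b_accepts": meter_accept(key1_b, token),           # 0
        "meter_a_accepts_stray_sm": meter_accept(key1_a, stray),  # 20
    }


if __name__ == "__main__":
    print(demo())
```

The meter cannot tell which Secure Module issued a token, only that it was made under its Key1, which is why every loaded SM has to be accounted for.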

Who owns the key ?
• The Utility owns the Key
• The Key protects the Utility’s revenue
• It is the Utility’s responsibility to keep the Key safe once it leaves the KMC
Responsibility accompanies ownership.

What does KMC do ?
• Generate Supply Group Codes and Keys
• Allocate to Utilities
• ESCROW in safe storage
• Distribute to equipment manufacturers and token vendors authorized by Utility
• Authenticate Secure Modules
• Initialize Secure Modules
KMC is responsible for keys in its own domain.

What does STSA do ?
• Facilitates access to STS services
• Product certification
• Key management
• Assures availability of services
• Assures conformance to standards
• STS protocols
• Codes of practice
STSA supports the STS infrastructure.

Where are your keys now ?
• Every meter manufacturer that supplied meters to the Utility
• Every SM that vended tokens for the Utility
• Loaded SMs in cupboards and boxes
• Stolen or missing SMs
Keys are all over the show.

Present status ?
• Many Utilities are ignorant of responsibility
• Few can give 100% accountability of SMs
• Many SMs becoming redundant due to online vending systems
• Program initiated by NRS User Group and KMC to bring keys and SMs under control
• STS Association initiated a project for enhanced key management infrastructure
We need to get our act together.

What should Utility do ?
• Take ownership and responsibility
• Understand all relevant aspects of key management
• Put own management plan in place
• Actively participate in the STS User Group
• Take “ownership” of the infrastructure
Wake up before it is too late.

Conclusion ?
The Key protects your Revenue
Manage it
Thank you for your attention!