6.5.2.6 KeyExpiryNumber (KEN)
A KEN is associated with each VendingKey by the KMS, and defines the following:
• the time-period, after which the VendingKey expires, and may no longer be used by a POS to generate DecoderKeys for the purpose of encrypting TransferCredit tokens, or meter-specific management tokens that incorporate the TID field;
• the time-period, after which the VendingKey expires, and may no longer be used by a POS to generate DecoderKeys for the purpose of encoding into a Key Change Token set as the new DecoderKey;
• the time-period, after which any DecoderKey generated from the VendingKey expires, and may no longer be used by a payment meter to accept TransferCredit tokens, or meter-specific management tokens that incorporate the TID field. Implementation of this by a payment meter is optional.
KEN通过KMS与每个VendingKey关联,定义了以下内容:
- 时间期限,在此期限之后,VendingKey将过期,POS不能再使用该期限生成用于加TransferCredit令牌或包含TID字段的meter特定管理令牌的解码器密钥;
- 时间期限,在此期限之后,VendingKey将过期,POS不能再使用该期限生成解码器密钥,以将其编码为密钥更改令牌集作为新的解码器密钥;
- 时间段,从VendingKey生成的解码器密钥到期,支付计量表不能再用于接受TransferCredit令牌或包含TID字段的计量专用管理令牌。通过付费表计实现这一点是可选的。
The required value of the KEN shall be transferred to the payment meter in the KENHO and KENLO fields of the key change token set (see 6.2.7 and 6.2.8).
将所需的KEN值转移到key change token set的KENHO和KENLO字段中的付费表中(见6.2.7和6.2.8)。
The KEN is an 8-bit number (range 0 – 255) that expresses this period as a displacement relative to the STS base date token identifier time stamp (see 6.3.5.1 ). Each unit in the KEN corresponds to a period of duration 2 1 6 –1 (65535) min, and there are 2 8 (256) of these periods numbered 0, 1 . .255 before the current STS base date time stamp is replaced by the next STS base time stamp. Thus the KEN corresponds to the most significant 8 bits of the 24-bit TID. Any token identifier whose most significant 8 bits are greater than a given key's KEN shall not be encrypted or decrypted with that key.
KEN是一个8位数字(范围0 - 255),表示这个时间段相对于STS基本日期令牌标识符时间戳的位移(参见6.3.5.1)。KEN中的每个单位对应持续时间2 1 6 -1(65535)分钟,在当前的STS基本日期时间戳被下一个STS基本时间戳取代之前,有2 8(256)个编号为0,1 .255的周期。因此KEN对应于24位TID的最高8个比特位。任何最高8位大于给定密钥KEN的令牌标识符都不能用该密钥进行加密或解密。
A POS may not issue a TransferCredit token encrypted under a DecoderKey whose corresponding VendingKey has expired. This is simple to verify by comparing the most significant 8 bits of the TID with the KEN corresponding to the VendingKey; if it is greater, the VendingKey has expired and may no longer be used to generate a DecoderKey to encrypt the TransferCredit token. It also cannot be used to generate a DecoderKey to encrypt any meter-specific management tokens that utilize the TID field. This does not apply to the key change token set that does not utilize the TID field. Hence, an expired DecoderKey can still be used to encrypt its replacement DecoderKey for the purpose of a DecoderKey change.
POS不能签发在对应的VendingKey已过期的DecoderKey下加密的TransferCredit令牌。这很容易验证,将TID的最高8位与VendingKey对应的KEN进行比较即可。如果大于此值,则VendingKey已经过期,可能不再用于生成用于加密TransferCredit令牌的DecoderKey。它也不能用来生成解码器密钥来加密任何使用TID字段的meter专用管理令牌。这不适用于没有使用TID字段的键更改令牌集。因此,过期的解码器密钥仍然可以用来加密替换的解码器密钥,以达到更改解码器密钥的目的。
A payment meter can optionally implement key expiry and store the KEN that corresponds to its current DecoderKey, as passed in the key change token set. All tokens that are entered into the payment meter, and that incorporate a token identifier field, are validated against this KEN. If the most significant 8 bits of the TID are greater than this KEN, the token shall be rejected.
付费表可以选择性地实现密钥到期并存储与其当前解码器密钥相对应的KEN,如在密钥更改令牌集中传递的那样。输入到付费表中的所有令牌,以及与令牌标识符字段相结合的令牌,都根据这个KEN进行验证。如果TID的最高8位大于这个KEN,令牌将被拒绝。
Where implemented, the concept of key expiry only applies to VendingKey values of type VDDK, VUDK and VCDK, and DecoderKey values of type DDTK, DUTK and DCTK that can be generated from the corresponding vending key types. A DITK shall not be associated with a KEN.
在实现中,密钥到期的概念仅适用于VDDK、VUDK和VCDK类型的VendingKey值,以及DDTK、DUTK和DCTK类型的DecoderKey值,这些值可以从相应的自动售货密钥类型生成。DITK不得与KEN联系在一起。
The management of the KEN by the KMS shall comply with the relevant Code of practice.See also C.3.4 for Code of practice on managing this data element.
KMS对KEN的管理应遵守相关的业务守则。有关管理该数据元素的实践代码,请参见C.3.4。