The last core subsystem. Foundry manages and provisions keys and transports cryptograms — the kernel and the issuer do the math. This doc draws the exact line: what the L2 kernel owns, what Foundry provisions, what the adapter supplies, and how DUKPT, CAPK, and the ARQC/ARPC handshake move through the system without Foundry ever touching a primitive. In the native C engine the crypto service is a portable module fronting the platform secure element; the Kotlin SDK wraps the same contract.
The single most important boundary in this doc. Foundry never generates or verifies a cryptogram, never derives a session key, never encrypts a PAN. Those are kernel and issuer operations. Foundry's crypto job is logistics: get the right keys loaded, move the right bytes, surface the result.
ctls_setCAPK, emv_setCRLdevice_startRKI, CA certs via device_loadCertCAdevice_getKSNemv_completeTransactionA deliberate separation carried from doc 05. Public key material and config ride the config feed; secret symmetric keys ride a dedicated injection channel. They never mix — secrets never sit in a config manifest, and the config path never carries a clear key.
The keys in play, and the ownership tag that decides where each is handled. Note that no row is owned by Foundry core compute — Foundry only ever loads, triggers, or transports.
| Key / artifact | Purpose | Lives where | Owner |
|---|---|---|---|
| CAPK | CA public key for offline data auth (SDA/DDA/CDA) | loaded into kernel | Foundry loads |
| CRL | Revoked certificate list for offline auth | loaded into kernel | Foundry loads |
| CA cert | Trust anchor for RKI / secure provisioning | secure element | Foundry loads |
| BDK / IPEK | DUKPT base / initial PIN-encryption key | secure processor | kernel · injected |
| DUKPT future keys | Per-transaction session keys derived from KSN | secure processor | kernel derives |
| P2PE key | Encrypts PAN / track at the read head | secure processor | kernel encrypts |
| KSN | Key serial number — names the session key to the decryptor | travels with payload | Foundry reads |
| Zone / working keys | Host-link MAC & field encryption to the processor | adapter / HSM | adapter supplies |
| ARQC / ARPC | Online auth cryptogram & issuer response | transported | Foundry moves |
keyContext(), and Foundry only loads, reads, and moves. There is no column for "Foundry computes." That absence is the design.
DUKPT-encrypted card data and the ARQC/ARPC cycle, traced through a single tap — with Foundry's role marked at each step. Foundry appears only as a courier; the math happens in the blue (kernel) and at the issuer.
device_getKSN so the eventual decryptor knows which session key was used. Pure logistics — a label, not a secret.9F26) over the transaction data. This lands in canonical's crypto group — carried, never computed.keyContext(). Adapter-owned crypto, isolated.What keeps Foundry on the right side of every key boundary.
keyContext(), sealed per processor — not in the shared crypto interface.