z/OS Cryptographic Services ICSF Administrator's Guide


Using DES Transport Keys to Protect Keys Sent between Systems

SA22-7521-17

You can send and receive keys and PINs between your system and another system. For example, if you send encrypted data to another system, you also send the data-encrypting key that enciphered the data. The other system can then use the data-encrypting key to decipher the data. In a financial system, you might need to send a PIN from the system that received the PIN from a customer to a system that uses it to verify a customer's identity. As shown in Figure 3, when you send the PIN between systems, you encipher the PIN under a PIN-encrypting key.

Two systems do not share a master key. When you send a key to another system, you do not encrypt it under a master key. You encrypt it under a transport key.

Two systems that exchange keys share transport keys that have the same clear value. At the sending system, the transport key is an exporter key-encrypting key. At the receiving system, the transport key is an importer key-encrypting key. When the sending system wants to send a key, the sending system encrypts the key under an exporter key-encrypting key. The key is in exportable form on the system that sends the key.

The key is in importable form on the system that receives the key. The receiving system reencrypts the key from under the importer key-encrypting key to under its own master key. The key is then in operational form and can be used on the system.
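The form changes described above (operational, exportable, importable, operational), modeled as an added example; it is not IBM's code and does not use the ICSF API. The `System` class, the `wrap`/`unwrap` helpers and the HMAC-based stand-in cipher are assumptions made for illustration, standing in for the DES encryption the topic refers to.

```python
import hashlib, hmac, secrets

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(kek, clear):
    # Encrypt a key under kek. Stand-in cipher (assumption), not DES.
    if len(clear) > 32:
        raise ValueError("this model wraps keys of at most 32 bytes")
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(clear, _prf(kek, b"enc", nonce)))
    return nonce + body + _prf(kek, b"mac", nonce + body)

def unwrap(kek, token):
    nonce, body, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, _prf(kek, b"mac", nonce + body)):
        raise ValueError("token is not encrypted under this key")
    return bytes(a ^ b for a, b in zip(body, _prf(kek, b"enc", nonce)))

class System:
    # Hypothetical model of one system; its master key is never shared.
    def __init__(self):
        self._master = secrets.token_bytes(32)

    def store(self, clear):                            # clear -> operational
        return wrap(self._master, clear)

    def export_key(self, operational, exporter_kek):   # operational -> exportable
        kek = unwrap(self._master, exporter_kek)
        return wrap(kek, unwrap(self._master, operational))

    def import_key(self, importable, importer_kek):    # importable -> operational
        kek = unwrap(self._master, importer_kek)
        return wrap(self._master, unwrap(kek, importable))

    def reveal(self, operational):   # model-only hook so results can be compared
        return unwrap(self._master, operational)

def demo():
    a, b = System(), System()
    transport = secrets.token_bytes(32)        # same clear value on both systems
    exporter, importer = a.store(transport), b.store(transport)
    data_key = secrets.token_bytes(8)          # constructed sample data-encrypting key
    exportable = a.export_key(a.store(data_key), exporter)
    operational_b = b.import_key(exportable, importer)  # exportable on A = importable on B
    return a, b, data_key, exportable, operational_b
```

The token that crosses the wire is usable only by a system holding the matching transport key, and it is not usable as an operational key on the receiver until `import_key` has reencrypted it under that system's master key.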





Copyright IBM Corporation 1990, 2014