ANSI ASC X9 X9.24-1-2017 Retail Financial Services Symmetric Key Management Part 1 Using Symmetric Techniques.pdf

1、 American National Standard for Financial Services ANSI X9.24-1-2017 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques Accredited Standards Committee X9, Incorporated Financial Industry Standards Date Approved: June 8, 2017 American National Standards Institute Am

2、erican National Standards, Technical Reports and Guides developed through the Accredited Standards Committee X9, Inc., are copyrighted. Copying these documents for personal or commercial use outside X9 membership agreements is prohibited without express written permission of the Accredited Standards

3、 Committee X9, Inc. For additional information please contact ASC X9, Inc., 275 West Street, Suite 107, Annapolis, MD 21401. This page left intentionally blank ANSI X9.24-1-2017 2017 ASC X9, Inc. All rights reserved i Contents Figures iii Tables . iv Foreword . v Introduction vi 1 Purpose 12 2 Scope

4、 12 2.1 General . 12 2.2 Application . 12 3 References . 13 4 Terms and Definitions . 14 5 Standard Organization 21 6 Payment Environment . 22 6.1 General . 22 6.2 Cardholder and Card Issuer . 22 6.3 Card Acceptor 22 6.4 Acquirer 22 6.5 Switch . 22 7 Key Management Requirements 23 7.1 General . 23 7

5、.1.1 Dual Control and Split Knowledge . 23 7.1.2 Permissible Key Forms . 23 7.1.3 Logging . 24 7.1.4 Key Strength 24 7.1.5 Key Locations 24 7.1.6 Production Key Usage 24 7.1.7 Single Purpose Key Use . 24 7.2 Secure Cryptographic Device (SCD) . 25 7.3 Environments . 26 7.3.1 Minimally Controlled Envi

6、ronment 26 7.3.2 Controlled Environment 26 7.3.3 Secure Environment 26 7.4 Key Blocks . 26 7.4.1 Overview of key blocks . 26 7.4.2 Key attributes . 27 7.4.3 Integrity of the key block 27 7.4.4 Key and Sensitive Attributes Field 28 7.5 Key Creation . 28 7.5.1 Random Key Generation . 28 7.5.2 Key Deri

7、vation 28 7.5.3 Key Calculation (Variants) 29 7.6 Key Component and Key Share Creation . 29 7.7 Check Values . 29 7.7.1 Introduction 29 7.7.2 Check Value Calculation . 30 7.8 Key Distribution . 30 7.8.1 Introduction 30 ANSI X9.24-1-2017 ii 2017 ASC X9, Inc. All rights reserved 7.8.2 Personal Conveya

8、nce of Cleartext Components or Shares 30 7.8.3 Transporting Cleartext Components or Shares . 30 7.8.4 Transporting Cleartext Keys Using a Portable Key Loading Device 31 7.9 Key Loading . 33 7.9.1 General 33 7.9.2 Loading Key Components or Shares . 33 7.9.3 Cleartext Key Loading . 34 7.10 Key Utiliza

9、tion 35 7.11 Cleartext Key Component and Share Storage 36 7.12 Key Replacement . 36 7.13 Key Destruction . 37 7.13.1 General 37 7.13.2 Key Destruction from an SCD 37 7.13.3 Destruction of a Key in Cryptogram Form 37 7.13.4 Component and Share Destruction . 37 7.14 Key Archiving . 37 7.15 Key Comprom

10、ise . 38 8 Symmetric Key Management Specifications 39 8.1 General 39 8.2 Method: Fixed Keys . 39 8.3 Method: Master Keys / Session Keys 39 Annex A (Normative) Key and Component Check Values 40 Annex B (Normative) Split Knowledge During Transport . 43 ANSI X9.24-1-2017 2017 ASC X9, Inc. All rights re

11、served iii Figures Figure 1 Example of XOR Function to Combine Key Components . 26 Figure 2 Key Block Overview Example 27 Figure 3 Legacy Generation of Key Check Value 40 Figure 4 CMAC Generation of Key Check Value . 41 ANSI X9.24-1-2017 iv 2017 ASC X9, Inc. All rights reserved Tables Table 1 Comple

12、te Hex Values for Rb 42 ANSI X9.24-1-2017 2017 ASC X9, Inc. All rights reserved v Foreword Approval of an American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is

13、established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections

14、 be considered, and that a concerted effort be made toward their resolution. The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not from manufacturing, marketing, purchasing, or using produ

15、cts, processes, or procedures not conforming to the standards. The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation

16、of an American National Standard in the name of the American National Standards Institute. Requests for interpretation should be addressed to the secretariat or sponsor whose name appears on the title page of this standard. CAUTION NOTICE: This American National Standard may be revised or withdrawn

17、at any time. The procedures of the American National Standards Institute require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of approval. Published by Accredited Standards Committee X9, Incorporated Financial Industry Standards 275 West

18、Street, Suite 107 Annapolis, MD 21401 USA X9 Online http:/www.x9.org Copyright 2017 Accredited Standards Committee X9, Inc. All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publishe

19、r. Printed in the United States of America. ANSI X9.24-1-2017 vi 2017 ASC X9, Inc. All rights reserved Introduction The users attention is called to the possibility that compliance with this standard may require use of an invention covered by patent rights. By publication of this standard, no positi

20、on is taken with respect to the validity of this claim or of any patent rights in connection therewith. The patent holder has, however, filed a statement of willingness to grant a license under these rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to obtain suc

21、h a license. Details may be obtained from the standards developer. Today, billions of dollars in funds are transferred electronically by various communication methods. Transactions are often entered remotely, off-premise from financial institutions, by retailers or by customers directly. Such transa

22、ctions are transmitted over potentially non-secure media. The vast range in value, size, and the volume of such transactions expose institutions to severe risks, which may be uninsurable. To protect these financial messages and other sensitive information, many institutions are making increased use

23、of the American National Standards Institute Triple Data Encryption Algorithm (TDEA) and the Advanced Encryption Standard (AES). Specific examples of its use include standards for message authentication, personal identification number encryption, other data encryption, and key encryption. AES and th

24、e TDEA are in the public domain. The security and reliability of any process based on AES or the TDEA is directly dependent on the protection afforded to secrets called cryptographic keys. This part of this standard deals exclusively with management of symmetric keys using symmetric techniques. ANS

25、X9.24-2 addresses management of symmetric keys using asymmetric techniques. A familiar analogy may be found in the combination lock of a vault. The lock design is public knowledge. Security is provided by keeping a number, the combination, a secret. Secure operation also depends on protective proced

26、ures and features which prevent surreptitious viewing or determination of the combination by listening to its operation. Procedures are also required to ensure that the combination is random and cannot be modified by an unauthorized individual without detection. Suggestions for the improvement or re

27、vision of this Standard are welcome. They should be sent to the X9 Committee Secretariat, Accredited Standards Committee X9, Inc., Financial Industry Standards, 275 West Street, Suite 107, Annapolis, MD 21401 USA. This Standard was processed and approved for submittal to ANSI by the Accredited Stand

28、ards Committee on Financial Services, X9. Committee approval of the Standard does not necessarily imply that all the committee members voted for its approval. At the time this standard was approved, the X9 committee had the following members: Roy DeCicco, X9 Chairman Angela Hendershott, X9 Vice-Chai

29、rman Steve Stevens, Executive Director Organization Represented Representative ACI Worldwide Dan Kinney American Bankers Association . Diane Poole American Express Company David Moore Bank of America . Daniel Welch Blackhawk Network Anthony Redondo ANSI X9.24-1-2017 2017 ASC X9, Inc. All rights rese

30、rved vii Bloomberg LP Corby Dear Capital One Marie LaQuerre Citigroup, Inc. . Karla McKenna CLS Bank . Ram Komarraju Conexxus, Inc. . Michael Davis Conexxus, Inc. . Gray Taylor Delap LLP Darlene Kargel Deluxe Corporation Angela Hendershott Diebold Nixdorf Bruce Chapa Discover Financial Services. Mic

31、helle Zhang eCurrency David Wen Federal Reserve Bank . Mary Hughes Federal Reserve Bank . Janet LaFrence First Data Corporation . Andrea Beatty FIS . Stephen Gibson-Saxty Fiserv . Dan Otten FIX Protocol Ltd - FPL . Jim Northey Gilbarco Bruce Welch Harland Clarke . John McCleary Hewlett Packard . Sus

32、an Langford IBM Corporation . Todd Arnold Independent Community Bankers of America . Cary Whaley Ingenico . Rob Martin ISITC Jason Brasile J.P. Morgan Chase Roy DeCicco KPMG LLP . Mark Lundin MagTek, Inc. Roger Applewhite MagTek, Inc. Mimi Hart MasterCard Europe Sprl Mark Kamers NACHA The Electronic

33、 Payments Association Priscilla Holland National Security Agency . Paul Timmel Nautilus Hyosung . Joe Militello NCR Corporation . David Norris Office of Financial Research, U.S. Treasury Department . Justin Stekervetz PCI Security Standards Council Troy Leach RouteOne. Chris Irving RouteOne. Jenna W

34、olfe SWIFT/Pan Americas Frank Vandriessche Symcor Inc. Debbi Fitzpatrick TECSEC Incorporated . Ed Scheidt The Clearing House . Sharon Jablon U.S. Bank . John King U.S. Commodity Futures Trading Commission (CFTC) Robert Stowsky USDA Food and Nutrition Service . Kathy Ottobre Vantiv LLC . Gary Zempich

35、 VeriFone, Inc. Dave Faoro VISA . Kim Wagner Wayne Fueling Systems Steven Bowles Wells Fargo Bank Mark Schaffer ANSI X9.24-1-2017 viii 2017 ASC X9, Inc. All rights reserved At the time this standard was approved, the X9F subcommittee on Data and Information Security had the following members: Dave F

36、aoro, Chairman Organization Represented Representative ACI Worldwide Doug Grote ACI Worldwide Dan Kinney ACI Worldwide Julie Samson American Bankers Association . Tom Judd American Express Company Farid Hatefi American Express Company John Timar American Express Company Kevin Welsh Bank of America .

37、 Amanda Adams Bank of America . Peter Capraro Bank of America . Andi Coleman Bank of America . Lawrence LaBella Bank of America . Will Robinson Bank of America . Michael Smith Bank of America . Daniel Welch BlackBerry Limited Daniel Brown BlackBerry Limited Sandra Lambert Blackhawk Network Anthony R

38、edondo Bloomberg LP . Erik Anderson Bloomberg LP . Corby Dear Capital One . Marie LaQuerre Capital One . Johnny Lee Cipherithm Scott Spiker comForte 21 GmbH Thomas Gloerfeld comForte 21 GmbH Henning Horst Communications Security Establishment . Jonathan Hammell Communications Security Establishment

39、. David Smith Conexxus, Inc. Alan Thiemann CUSIP Service Bureau . Scott Preiss Delap LLP . David Buchanan Delap LLP . Darlene Kargel Deluxe Corporation . Angela Hendershott Deluxe Corporation . Margiore Romay Deluxe Corporation . Andy Vo Diebold Nixdorf . Bruce Chapa Diebold Nixdorf . Michael Ott Di

40、ebold Nixdorf . Dave Phister Diebold Nixdorf . Christoph Bruecher Diebold Nixdorf . Andrea Carozzi Diebold Nixdorf . Michael Nolte Discover Financial Services . Cheryl Mish Discover Financial Services . Diana Pauliks Discover Financial Services . Jordan Schaefer eCurrency . David Wen Federal Reserve

41、 Bank Patrick Adler Federal Reserve Bank Guy Berg Federal Reserve Bank Marianne Crowe Federal Reserve Bank Amanda Dorphy Federal Reserve Bank Mary Hughes Federal Reserve Bank Heather Hultquist ANSI X9.24-1-2017 2017 ASC X9, Inc. All rights reserved ix Federal Reserve Bank . Janet LaFrence Federal Re

42、serve Bank . Susan Pandy Federal Reserve Bank . Patti Ritter Federal Reserve Bank . Daniel Rozycki First Data Corporation . Andrea Beatty First Data Corporation . Lisa Curry First National Bank of Omaha Kristi White FIS . Chelsea Lopez FIS . John Soares FIS . Sunny Wear Fiserv . Bud Beattie Fiserv .

43、 Dan Otten GEOBRIDGE Corporation . Donna Gem GEOBRIDGE Corporation . Jason Way Gilbarco Scott Turner Gilbarco Bruce Welch Harland Clarke . Joseph Filer Heartland Payment Systems . Scott Meeker Hewlett Packard . Susan Langford Hewlett Packard . Luther Martin Hewlett Packard . Terence Spies IBM Corpor

44、ation . Todd Arnold Independent Community Bankers of America . Cary Whaley Ingenico . Rob Martin Ingenico . John Spence ITS, Inc. (SHAZAM Networks) . Manish Nathwani J.P. Morgan Chase Bruce Geller J.P. Morgan Chase Kathleen Krupa J.P. Morgan Chase Jackie Pagn K3DES LLC Azie Amini KPMG LLP . Mark Lun

45、din MagTek, Inc. Jeff Duncan MagTek, Inc. Mimi Hart MasterCard Europe Sprl Mark Kamers MasterCard Europe Sprl Joshua Knopp MasterCard Europe Sprl Larry Newell MasterCard Europe Sprl Adam Sommer MasterCard Europe Sprl Michael Ward National Institute of Standards and Technology (NIST) Elaine Barker Na

46、tional Institute of Standards and Technology (NIST) Lily Chen National Security Agency . Mike Boyle National Security Agency . Paul Timmel Nautilus Hyosung . Joe Militello Nautilus Hyosung . Jay Shin NCR Corporation . Tanika Eng NCR Corporation . Charlie Harrow NCR Corporation . David Norris PCI Sec

47、urity Standards Council Leon Fell PCI Security Standards Council Troy Leach PCI Security Standards Council Ralph Poore RSA, The Security Division of EMC Steve Schmalz SafeNet, Inc. Amit Sinha Security Innovation Mark Etzel Security Innovation William Whyte Security Innovation Lee Wilson Security Inn

48、ovation Zhenfei Zhang ANSI X9.24-1-2017 x 2017 ASC X9, Inc. All rights reserved TECSEC Incorporated Ed Scheidt TECSEC Incorporated Dr. Wai Tsang TECSEC Incorporated Jay Wack Thales UK Limited Larry Hines Thales UK Limited James Torjussen The Clearing House Henry Farrar Trustwave . John Amaral Trustw

49、ave . Tim Hollebeek U.S. Bank Stephen Case U.S. Bank Peter Skirvin Vantiv LLC Jeffrey Singleton Vantiv LLC Bill Weingart Vantiv LLC Gary Zempich Vantiv LLC James Zerfas VeriFone, Inc. . John Barrowman VeriFone, Inc. . David Ezell VeriFone, Inc. . Dave Faoro VeriFone, Inc. . Doug Manchester VeriFone, Inc. . Brad McGuinness VeriFone, Inc. . Joachim Vance VISA Shahzad Khan VISA Kim Wagner Wayne Fueling Systems . Steven Bowles Wells Fargo Bank . William Felts, IV Wells Fargo Bank . Phillip Griffin Wells Fargo Bank . Jan Kohl Wells Fargo Bank .