TR-31 2005
Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms

Accredited Standards Committee X9, Incorporated
Financial Industry Standards

Copyright American National Standards Institute. Provided by IHS under license with ANSI. Not for Resale. No reproduction or networking permitted without license from IHS.

Contents

Foreword
Introduction
1 Scope
2 References
3 Terms and definitions
4 Symbols and abbreviated terms
5 Key Block Properties and Characteristics
    5.1 Key Block Elements
    5.2 Confidential Data to be Exchanged/Stored
    5.3 Key Block Binding Method
    5.4 TRSM Validation of Incoming Key Block
Annex A CBC MAC Key Block with Optional Block
    A.1 Introduction
    A.2 Key Block Header (KBH)
    A.3 Encryption
    A.4 MAC
    A.5 Defined values for Key Block Headers
        A.5.1 Key Usage
        A.5.2 Algorithm
        A.5.3 Mode of Use
        A.5.4 Key Version Number
        A.5.5 Exportability
        A.5.6 Optional block ID
    A.6 Encoding
    A.7 Key Block Examples
        A.7.1 Notation Used
        A.7.2 Example 1: Key Block without Optional Blocks
        A.7.3 Example 2: Key Block with Optional Block
Annex B Process for Approval of New Field Values
    B.1 Introduction
    B.2 Origination
    B.3 Justification for Proposal
    B.4 Examination of Proposals
    B.5 Appeals Procedure
    B.6 Approved List Of Key Block Field Values
    B.7 TR-31 Revision
Annex C New Field Value Request Form

Figures

Figure A-1 CBC MAC Key Block
Figure A-2 Examples of KBH and Optional Blocks

Tables

Table 5-1. Encryption IV
Table A-1. KBH for CBC MAC Binding Method
Table A-2. Example of confidential data for a double-length TDEA key
Table A-3. Defined Key Usage Values
Table A-4. Defined Algorithm Values
Table A-5. Defined Mode of Use Values
Table A-6. Key Version Number definition
Table A-7. Defined Values for Exportability Byte
Table A-8. Defined Values for Optional Block ID
Table A-9. Key Block Values Version IDs Optional Block

Foreword

Publication of this Technical Report that has been registered with ANSI has been approved by the Accredited Standards Committee X9, Incorporated, P.O. Box 4035, Annapolis, MD 21403. This document is registered as a Technical Report according to the “Procedures for the Registration of Technical Reports with ANSI.” This document is not an American National Standard
and the material contained herein is not normative in nature. Comments on the content of this document should be sent to: Attn: Executive Director, Accredited Standards Committee X9, Inc., P.O. Box 4035, Annapolis, MD 21403.

Published by
Accredited Standards Committee X9, Incorporated
Financial Industry Standards
P.O. Box 4035
Annapolis, MD 21403 USA
X9 Online http://www.x9.org

Copyright 2005 ASC X9, Inc. All rights reserved.

No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Published in the United States of America.

Introduction

The retail financial transactions industry has
in the past lacked an interoperable method for secure key exchange. While this has always been an issue, the planned move to Triple DEA (TDEA) encryption has made this issue more acute, as methods for the secure exchange of TDEA keys are non-obvious. This Technical Report is intended to give the reader an implementation that meets the requirements for secure key management as set forth in ANS X9.24 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques.

NOTE The user's attention is called to the possibility that compliance with this technical report may require use of an invention covered by patent rights. By publication of this technical report, no position is taken with respect to the validity of this claim or of any patent rights in connection therewith. The patent holder has, however, filed a statement of willingness to grant a license under these rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to obtain such a license. Details may be obtained from the standards developer.

Suggestions for the improvement or revision of this Technical Report are welcome. They should be sent to the X9 Committee Secretariat, Accredited Standards Committee X9, Inc., Financial Industry Standards, P.O. Box 4035 Annapolis, MD 21403 USA.

This Technical Report was processed and approved for registration with ANSI by the Accredited Standards Committee on Financial Services, X9. Committee approval of this Technical Report does not
necessarily imply that all the committee members voted for its approval.

The X9 committee had the following members:

Gene Kathol, X9 Chairman
Vincent DeSantis, X9 Vice-Chairman
Cynthia Fuller, Executive Director
Isabel Bailey, Managing Director

| Organization Represented | Representative |
|---|---|
| ACI Worldwide | Jim Shaffer |
| American Express Company | Mike Jones |
| American Financial Services Association | Mark Zalewski |
| Bank of America | Daniel Welch |
| Bank One Corporation | Jacqueline Pagan |
| BB and T | Woody Tyner |
| Cable

(draft)
3. ANS X3.92 Data Encryption Algorithm (DEA)
4. ANS X9.52:1998 Triple Data Encryption Algorithm Modes of Operations
5. ISO 9797 Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher: 1999
6. ANS X9 TG 3 PIN Security Compliance Guideline
7. ANS X9 TG 7 Initial DEA Key Distribution for PIN Entry and Transaction Originating Devices Guideline
8. ISO 16609-2004, Banking - Requirements for message authentication using symmetric techniques

3 Terms and definitions

For the purposes of this document, the terms and
definitions in reference 1 apply. Additionally:

3.1 hex-ASCII
Base-16 numbers encoded as ASCII characters (0-9, A-F)

3.2 Initialization Vector (IV)
A number used as a starting point for the encryption of a data sequence in order to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment

3.3 Key Block Encryption Key
The variant of the Key Block Protection Key that is used for enciphering the Key Block

3.4 Key Block MAC Key
The variant of the Key Block Protection Key that is used for calculating the MAC over the Key Block

3.5 Key Block Protection Key
The key encrypting key from which the Key Block Encryption Key and the Key Block MAC Key are derived

4 Symbols and abbreviated terms

4.1 Notation

The following are used to indicate field encoding in the Key Block:

nA - n-digits of Alphabetic (A-Z, a-z), e.g., 6A means exactly 6 alphabetic characters in ASCII
nAN - Alphanumeric (A-Z, a-z, 0-9), e.g., 6AN means exactly 6 alphanumeric characters in ASCII
nH - Hex-ASCII (0-9, A-F), e.g., 6H means exactly 6 hex-ASCII characters
nN - Numeric-ASCII (0-9), e.g., 6N means exactly 6 decimal characters in ASCII
nB - Binary bytes (0x00 to 0xFF), e.g., 6B means exactly 6 bytes of binary data

The following abbreviations are used in this document:

4.2 ASCII American Standard Code for Information Interchange
4.3 CAPI Cryptographic Application Programmers Interface
4.4 CBC Cipher Block Chaining; the Cipher Block Chaining encryption mode of operation
4.5 EMV Europay MasterCard and Visa ICC Specification
4.6 ID Identification
4.7 KBH Key Block Header
4.8 KEK Key Encrypting Key
4.9 MFK Master File Key
4.10 PIN Personal Identification Number
4.11 TCBC TDEA Cipher Block Chaining
4.12 0x Notation indicating a hexadecimal number follows. E.g., 0x31 indicates 31-hex (49-decimal)

5 Key Block Properties and Characteristics

5.1 Key Block Elements

The Key Block consists of three parts:

1. The Key Block Header (KBH) which contains attribute information about the key and the Key Block
2. The confidential data that is being exchanged/stored
3. The Key Block Binding Method

5.2 Confidential Data to be Exchanged/Stored

The confidential data to be exchanged/stored may be padded to mask the true length of the key/data. All pad characters are random data. Key blocks that support padding include a key length that allows the key to be distinguished from pad characters. See Annex A for an example method that meets these requirements.

5.3 Key Block Binding Method

The Key Block Binding Method is the technique used to protect the secrecy and integrity of the Key Block. The method uses a Key Block Protection Key that was previously exchanged (using secure, possibly manual, methods as described in references 1, 2, and 7) between the two communicating parties.

The Key Block Binding Method uses a variant of the Key Block Protection Key to maintain the secrecy of the confidential data being exchanged and/or stored. The protected confidential data, any pad characters, and, optionally, part of the header are TCBC encrypted as described in reference 4. The key used to perform the TCBC encryption is the Key Block Protection Key XORed with "EEEEEEEE" (8 bytes of 0x45), across all parts of the key.

If the first block of the data to be encrypted does not contain at least 42 random bits, then the encryption IV will contain at least 56 bits of random data. Table 5-1 illustrates the acceptable data in the first block of the
confidential data for each type of encryption IV. Note that a constant IV means that the encryption IV is constant for that version of the Key Block. If a random encryption IV is used, it is stored as part of the header.

Table 5-1. Encryption IV

| Encryption IV | First block of confidential data | MAC covers encryption IV? |
|---|---|---|
| Random | Any | Yes |
| Header/attribute information | Random | Yes |
| Constant | 42 Random Bits | Optional |

The Key Block Binding Method uses a variant of the Key Block Protection Key to maintain the integrity of the Key Block. The header and all encrypted data described in the previous paragraph are protected with a TDEA CBC MAC, as described in reference 8, clause 6.1.4 MAC algorithm 1. The IV for the MAC is constant. The key used to calculate the MAC is the Key Block Protection Key XORed with "MMMMMMMM" (8 bytes of 0x4D), across all parts of the key.

To protect against a class of known attacks on the TDEA CBC MAC, the Key Block will have one or more of the following properties:

1. The Key Block will contain an explicit Key Block length or key length.
2. The MAC will be only 32 bits in length.
3. The Key Block will have a fixed key length for a given header.

5.4 TRSM Validation of Incoming Key Block

Upon receiving the Key Block, the TRSM authenticates the Key Block and verifies that the contents of the header and the structure of the header are valid (see Annex A). If any verification fails, the Key Block is rejected.

Annex A CBC MAC Key Block with Optional Block

A.1 Introduction

This annex defines a secure Key Block that meets the requirements described in section 5. The
CBC MAC Key Block consists of three parts:

1. The Key Block Header (KBH) which contains attribute information about the key and the Key Block and is not encrypted
   - The first section is 16 bytes with a fixed format defined below
   - The second section is optional
2. The confidential data which will be encrypted
   - Two bytes indicating the key length
   - The key/sensitive data that is being exchanged and/or stored
   - Optional random padding
3. A 32-bit MAC

The key is typically padded to the maximum length of a TDEA key in order to hide the true length of short keys. This format is illustrated in Figure A-1.

[Figure A-1 CBC MAC Key Block. Fields in order: Header, Header (optional), Key length, Key, Padding, MAC. Span labels: Encrypted, MAC.]

A.2 Key Block Header (KBH)

The header contains attribute information about the key. For better supportability (i.e., human readability), the header bytes use uppercase ASCII printable characters, though in some cases other characters may be necessary. Table A-1 shows the format of the KBH for this method. See Section A.5 for defined key attributes.
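The header checks of 5.4 and the key variants of 5.3, as an added example that is not part of TR-31: it validates only KBH bytes 0-6 as laid out in Table A-1 and derives the two variant keys. The function names, the 16/24-byte key-length check and the sample block are assumptions made for illustration, and the TDEA CBC MAC verification that 5.4 also requires is left out.

```python
import string

KBH_FIXED_LEN = 16    # first header section is 16 bytes (Annex A.1)
ENC_VARIANT = 0x45    # 'E': Key Block Encryption Key variant (5.3)
MAC_VARIANT = 0x4D    # 'M': Key Block MAC Key variant (5.3)
_ALNUM = set((string.ascii_letters + string.digits).encode("ascii"))


class KeyBlockError(ValueError):
    """An incoming Key Block failed a header check and is rejected."""


def derive_variants(kbpk: bytes) -> tuple:
    """Return (encryption key, MAC key): the Key Block Protection Key
    XORed with 0x45 / 0x4D across all parts of the key."""
    if len(kbpk) not in (16, 24):  # assumption: double/triple-length TDEA
        raise KeyBlockError("KBPK must be 16 or 24 bytes")
    return (bytes(b ^ ENC_VARIANT for b in kbpk),
            bytes(b ^ MAC_VARIANT for b in kbpk))


def parse_header(block: bytes) -> dict:
    """Validate bytes 0-6 of the KBH; bytes 7-15 are returned unparsed."""
    if len(block) < KBH_FIXED_LEN:
        raise KeyBlockError("shorter than the 16-byte fixed header")
    version, length, usage = block[0:1], block[1:5], block[5:7]
    if version != b"A":
        raise KeyBlockError("unsupported Key Block Version ID")
    if not length.isdigit():
        raise KeyBlockError("Key Block Length is not 4 ASCII digits")
    if int(length) != len(block):
        raise KeyBlockError("Key Block Length does not match block size")
    if not set(usage) <= _ALNUM:
        raise KeyBlockError("Key Usage is not 2 alphanumeric characters")
    return {"version": "A", "length": int(length),
            "key_usage": usage.decode("ascii"), "unparsed": block[7:16]}


def accepts(block: bytes) -> bool:
    """True only if every header check passes (MAC check not included)."""
    try:
        parse_header(block)
        return True
    except KeyBlockError:
        return False


# Constructed sample: 16-byte header + 96 filler bytes = 112 bytes total.
SAMPLE = b"A0112P0" + b"0" * 9 + b"F" * 96
```

Comparing the declared length with the received length is what catches a truncated or extended block before any key material is touched.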
Table A-1. KBH for CBC MAC Binding Method

| Byte # | Field Name | Description | Encoding | Encrypted |
|---|---|---|---|---|
| 0 | Key Block Version ID | "A" 0x41 (Current version). Note that numeric Key Block Version IDs are reserved for proprietary Key Block definitions | 1AN | No |
| 1-4 | Key Block Length | ASCII numeric digits providing Key Block length after encoding, see section A.6. Length includes the entire block (Header + encrypted confidential data + MAC) in decimal; e.g., a 112 byte Key Block would contain "0" in byte #1, "1" in byte #2, "1" in byte #3, and "2" in byte #4 | 4N | No |
| 5-6 | Key Usage | Provides information about the intended function of the protected key/sensitive data. Common functions include encrypting data, encrypting PINs, and calculating a MAC. See Table A-3 for defined values. | 2AN | No |
| 7 | Algorithm | The approv