《ANSI-TR-31-2005.pdf》由会员分享,可在线阅读,更多相关《ANSI-TR-31-2005.pdf(33页珍藏版)》请在三一文库上搜索。
1、 TR-31 2005 Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms Accredited Standards Committee X9, Incorporated Financial Industry Standards -,-,- X9 TR-31 200 2005 All rights reserved i Contents Page Foreword iii Introductioniv 1 Scope1 2 References.1 3 Terms and defi
2、nitions.2 4 Symbols and abbreviated terms2 5 Key Block Properties and Characteristics3 5.1 Key Block Elements3 5.2 Confidential Data to be Exchanged/Stored.3 5.3 Key Block Binding Method.4 5.4 TRSM Validation of Incoming Key Block4 Annex A CBC MAC Key Block with Optional Block5 A.1 Introduction5 A.2
3、 Key Block Header (KBH).5 A.3 Encryption8 A.4 MAC.8 A.5 Defined values for Key Block Headers9 A.5.1 Key Usage9 A.5.2 Algorithm10 A.5.3 Mode of Use.10 A.5.4 Key Version Number.11 A.5.5 Exportability.11 A.5.6 Optional block ID.12 A.6 Encoding 14 A.7 Key Block Examples .15 A.7.1 Notation Used15 A.7.2 E
4、xample 1: Key Block without Optional Blocks.15 A.7.3 Example 2: Key Block with Optional Block .17 Annex B Process for Approval of New Field Values 21 B.1 Introduction21 B.2 Origination .21 B.3 Justification for Proposal.21 B.4 Examination of Proposals 21 B.5 Appeals Procedure22 B.6 Approved List Of
5、Key Block Field Values.22 B.7 TR-31 Revision.22 Annex C New Field Value Request Form.23 -,-,- X9 TR-31 200 ii 2004 All rights reserved Figures Figure A-1 CBC MAC Key Block. 5 Figure A-2 Examples of KBH and Optional Blocks. 13 Tables Table 5-1. Encryption IV 4 Table A-1. KBH for CBC MAC Binding Metho
6、d. 6 Table A-2. Example of confidential data for a double-length TDEA key . 8 Table A-3. Defined Key Usage Values 9 Table A-4. Defined Algorithm Values. 10 Table A-5. Defined Mode of Use Values . 10 Table A-6. Key Version Number definition. 11 Table A-7. Defined Values for Exportability Byte. 11 Tab
7、le A-8. Defined Values for Optional Block ID. 14 Table A-9. Key Block Values Version IDs Optional Block. 14 -,-,- X9 TR-31 200 2005 All rights reserved iii Foreword Publication of this Technical Report that has been registered with ANSI has been approved by the Accredited Standards Committee X9, Inc
8、orporated, P.O. Box 4035, Annapolis, MD 21403. This document is registered as a Technical Report according to the “Procedures for the Registration of Technical Reports with ANSI.” This document is not an American National Standard and the material contained herein is not normative in nature. Comment
9、s on the content of this document should be sent to: Attn: Executive Director, Accredited Standards Committee X9, Inc., P.O. Box 4035, Annapolis, MD 21403. Published by Accredited Standards Committee X9, Incorporated Financial Industry Standards P.O. Box 4035 Annapolis, MD 21403 USA X9 Online http:/
10、www.x9.org Copyright 2005 ASC X9, Inc. All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Published in the United States of America. -,-,- X9 TR-31 200 iv 2004 All rights r
11、eserved Introduction The retail financial transactions industry has in the past lacked an interoperable method for secure key exchange. While this has always been an issue, the planned move to Triple DEA (TDEA) encryption has made this issue more acute, as methods for the secure exchange of TDEA key
12、s are non-obvious. This Technical Report is intended to give the reader an implementation that meets the requirements for secure key management as set forth in ANS X9.24 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques. NOTE The users attention is called to the p
13、ossibility that compliance with this technical report may require use of an invention covered by patent rights. By publication of this technical report, no position is taken with respect to the validity of this claim or of any patent rights in connection therewith. The patent holder has, however, fi
14、led a statement of willingness to grant a license under these rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to obtain such a license. Details may be obtained from the standards developer. Suggestions for the improvement or revision of this Technical Report ar
15、e welcome. They should be sent to the X9 Committee Secretariat, Accredited Standards Committee X9, Inc., Financial Industry Standards, P.O. Box 4035 Annapolis, MD 21403 USA. This Technical Report was processed and approved for registration with ANSI by the Accredited Standards Committee on Financial
16、 Services, X9. Committee approval of this Technical Report does not necessarily imply that all the committee members voted for its approval. The X9 committee had the following members: Gene Kathol, X9 Chairman Vincent DeSantis, X9 Vice-Chairman Cynthia Fuller, Executive Director Isabel Bailey, Manag
17、ing Director X9 TR-31 200 2005 All rights reserved v Organization Represented Representative ACI Worldwide Jim Shaffer American Express Company Mike Jones American Financial Services Association Mark Zalewski Bank of America Daniel Welch Bank One Corporation Jacqueline Pagan BB and T Woody Tyner Cab
18、le (draft) 3. ANS X3.92 Data Encryption Algorithm (DEA) 4. ANS X9.52:1998 Triple Data Encryption Algorithm Modes of Operations 5. ISO 9797 Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher: 1999 6. ANS X9 TG 3 PIN Security Co
19、mpliance Guideline 7. ANS X9 TG 7 Initial DEA Key Distribution for PIN Entry and Transaction Originating Devices Guideline 8. ISO 16609-2004, Banking Requirements for message authentication using symmetric techniques -,-,- X9 TR-31 200 2 2004 All rights reserved 3 Terms and definitions For the purpo
20、ses of this document, the terms and definitions in reference 1 apply. Additionally: 3.1 hex-ASCII Base-16 numbers encoded as ASCII characters (0-9, A-F) 3.2 Initialization Vector (IV) A number used as a starting point for the encryption of a data sequence in order to order to increase security by in
21、troducing additional cryptographic variance and to synchronize cryptographic equipment 3.3 Key Block Encryption Key The variant of the Key Block Protection Key that is used for enciphering the Key Block 3.4 Key Block MAC Key The variant of the Key Block Protection Key that is used for calculating th
22、e MAC over the Key Block 3.5 Key Block Protection Key The key encrypting key from which the Key Block Encryption Key and the Key Block MAC Key are derived 4 Symbols and abbreviated terms 4.1 Notation The following are used to indicate field encoding in the Key Block: nA - n-digits of Alphabetic (A-Z
23、, a-z), e.g., 6A means exactly 6 alphabetic characters in ASCII nAN - Alphanumeric (A-Z, a-z, 0-9), e.g., 6AN means exactly 6 alphanumeric characters in ASCII nH - Hex-ASCII (0-9, A-F), e.g., 6H means exactly 6 hex-ASCII characters nN - Numeric-ASCII (0-9), e.g., 6N means exactly 6 decimal character
24、s in ASCII nB Binary bytes (0x00 to 0xFF), e.g., 6B means exactly 6 bytes of binary data The following abbreviations are used in this document: 4.2 ASCII American Standard Code for Information Interchange 4.3 CAPI Cryptographic Application Programmers Interface 4.4 CBC Cipher Block Chaining; the Cip
25、her Block Chaining encryption mode of operation -,-,- X9 TR-31 200 2004 All rights reserved 3 4.5 EMV Europay MasterCard and Visa ICC Specification 4.6 ID Identification 4.7 KBH Key Block Header 4.8 KEK Key Encrypting Key 4.9 MFK Master File Key 4.10 PIN Personal Identification Number 4.11 TCBC TDEA
26、 Cipher Block Chaining 4.12 0x Notation indicating a hexadecimal number follows. E.g., 0x31 indicates 31-hex (49-decimal) 5 Key Block Properties and Characteristics 5.1 Key Block Elements The Key Block consists of three parts: 1. The Key Block Header (KBH) which contains attribute information about
27、the key and the Key Block 2. The confidential data that is being exchanged/stored 3. The Key Block Binding Method 5.2 Confidential Data to be Exchanged/Stored The confidential data to be exchanged/stored may be padded to mask the true length of the key/data. All pad characters are random data. Key b
28、locks that support padding include a key length that allows the key to be distinguished from pad characters. See Annex A for an example method that meets these requirements. -,-,- X9 TR-31 200 4 2004 All rights reserved 5.3 Key Block Binding Method The Key Block Binding Method is the technique used
29、to protect the secrecy and integrity of the Key Block. The method uses a Key Block Protection Key that was previously exchanged (using secure, possibly manual, methods as described in references 1, 2, and 7) between the two communicating parties. The Key Block Binding Method uses a variant of the Ke
30、y Block Protection Key to maintain the secrecy of the confidential data being exchanged and/or stored. The protected confidential data, any pad characters, and, optionally, part of the header are TCBC encrypted as described in reference 4. The key used to perform the TCBC encryption is the Key Block
31、 Protection Key XORd with EEEEEEEE (8 bytes of 0x45), across all parts of the key. If the first block of the data to be encrypted does not contain at least 42 random bits, then the encryption IV will contain at least 56 bits of random data. Table 5-1 illustrates the acceptable data in the first bloc
32、k of the confidential data for each type of encryption IV. Note that a constant IV means that the encryption IV is constant for that version of the Key Block. If a random encryption IV is used, it is stored as part of the header. Table 5-1. Encryption IV Encryption IV First block of confidential dat
33、a MAC covers encryption IV? Random Any Yes Header/attribute information Random Yes Constant 42 Random Bits Optional The Key Block Binding Method uses a variant of the Key Block Protection Key to maintain the integrity of the Key Block. The header and all encrypted data described in the previous para
34、graph are protected with a TDEA CBC MAC, as described in reference 8, clause 6.1.4 MAC algorithm 1. The IV for the MAC is constant. The key used to calculate the MAC is the Key Block Protection Key XORd with MMMMMMMM (8 bytes of 0x4D), across all parts of the key. To prevent against a class of known
35、 attacks on the TDEA CBC MAC, the Key block will have one or more of the following properties. 1. The Key Block will contain an explicit Key Block length or key length. 2. The MAC will be only 32 bits in length. 3. The Key Block will have a fixed key length for a given header. 5.4 TRSM Validation of
36、 Incoming Key Block Upon receiving the Key Block, the TRSM authenticates the Key Block and verifies that the contents of the header and the structure of the header are valid (see annex A). If any verification fails, the key block is rejected. -,-,- X9 TR-31 200 2004 All rights reserved 5 Annex A CBC
37、 MAC Key Block with Optional Block A.1 Introduction This annex defines a secure Key Block that meets the requirements described in section 5. The CBC MAC Key Block consist of three parts: 1. The Key Block Header (KBH) which contains attribute information about the key and the Key Block and is not en
38、crypted The first section is 16 bytes with a fixed format defined below The second section is optional 2. The confidential data which will be encrypted Two bytes indicating the key length The key/sensitive data that is being exchanged and/or stored Optional random padding 3. A 32-bit MAC The key is
39、typically padded to the maximum length of a TDEA key in order to hide the true length of short keys. This format is illustrated in Figure A-1. Header Header (optional) Key length Key Padding MAC Encrypted MAC Figure A-1 CBC MAC Key Block A.2 Key Block Header (KBH) The header contains attribute infor
40、mation about the key. For better supportability (i.e., human readability), the header bytes use uppercase ASCII printable characters, though in some cases other characters may be necessary. Table A-1 shows the format of the KBH for this method. See Section A.5 for defined key attributes. -,-,- X9 TR
41、-31 200 6 2004 All rights reserved Table A-1. KBH for CBC MAC Binding Method Byte # Field Name Description Encoding Encrypted 0 Key Block Version ID A 0x41 (Current version) Note that numeric Key Block Version IDs are reserved for proprietary Key Block definitions 1AN No 1-4 Key Block Length ASCII n
42、umeric digits providing Key Block length after encoding, see section A.6. Length includes the entire block (Header + encrypted confidential data + MAC) in decimal; e.g., a 112 byte Key Block would contain 0 in byte #1, 1 in byte #2, 1 in byte #3, and 2 in byte #4 4N No 5-6 Key Usage Provides informa
43、tion about the intended function of the protected key/sensitive data. Common functions include encrypting data, encrypting PINs, and calculating a MAC. See Table A-3 for defined values. 2AN No 7 Algorithm The approved algorithm for which the protected key may be used. See Table A-4 for defined value
44、s. 1AN No 8 Mode of Use Defines the operation the protected key can perform. For example, a MAC key may be limited to verify-only. See Table A-5 for defined values. 1AN No 9-10 Key Version Number Two-digit ASCII character version number, optionally used to indicate that contents of the Key Block is
45、a component, or to prevent re- injection of old keys. See Table A-6. for defined values. 2AN No 11 Exportability Defines whether the protected key may be transferred outside the cryptographic domain in which the key is found. See Table A-7 for defined values. 1AN No 12-13 Number of Optional Blocks D
46、efines the number of Optional Blocks included in the Key Block. The minimum value is zero and the maximum is 99, but it is also limited by the maximum number of bytes in the entire Key Block. For example, 5 Optional Blocks would be represented by 0 (0x30) in byte 12 and 5 (0x35) in byte 13. 2N No 14
47、-15 Reserved for future use This field is reserved for future use and is filled with ASCII zero (0x30) characters. 2N No Note: The remaining fields are only present if bytes 12-13 contain a value other than 00 (0x3030) 16-17 First Optional Block ID ID field for the First Optional Block, if one is pr
48、esent as indicated by a value other than 00 in bytes 12 and 13. The possible ID values are defined in Table A-8. 2AN No -,-,- X9 TR-31 200 2004 All rights reserved 7 18-19 Optional Block 1 Length If the first Optional Block is present, indicated by a value other than 00 in bytes 12 and 13, then this field contains the length of that Op