An Introduction into ANSI X9.24-1-2017 part 1

ANSI X9.24-1-2017 part 1 is a standard that deals with symmetric key management techniques for retail financial services. Most of the cryptographic notions needed to deal with symmetric encryption and key management are covered in this small, but efficient document issued by the American National Standards Institute (ANSI). The norm explains how to generate and transport cryptographic keys, and what sort of devices should be used to do it.

ANSI X9.24-1-2017 uses the notion of a Secure Cryptographic Device (SCD) and explains how it must be used in the context of symmetric encryption, typically AES or Triple-DES [1]. The concept of a Tamper Evident and Authenticable (TEA) Bag is also used extensively for the physical transportation of key secret material. The norm also deals with some aspects of PIN encryption and introduces the DUKPT (Derived Unique Key Per Transaction) key management scheme.

The ANSI X9.24-1 standard provides guidance regarding the management of symmetric keys using symmetric techniques.

Requirements for symmetric keys protected by asymmetric keys are to be found in Part 2 of ANSI X9.24 (ANSI X9.24-2).

Goals of ANSI X9.24-1-2017

The motivation behind ANSI X9.24-1-2017 is to give guidelines to financial institutions that implement encryption and authentication techniques to safeguard their electronic transactions. This is typically banks and payment processing institutions.

Nowadays, billions of dollars are electronically processed by various software and hardware systems. Such a volume of transactions must be protected from fraudsters, criminals, and malevolent hackers, and in general, must be protected from people trying to misuse the system.

To do this and to ensure that transactions can be insured, institutions involved with the processing of such transactions must use symmetric cryptographic techniques such as Triple-DES or AES.

Therefore, it is necessary to normalize how to deal with such encryption techniques, this is the reason behind X9.24-1-2017 .

The goal of ANSI’s X9.24-1-2017 is to specify some minimum requirements for the management of symmetric cryptographic keys used for financial transactions, typically POS and ATM transactions, or interbanking messages.

In other words, banking institutions, and in general, institutions involved in the processing of financial transactions, cannot implement a less secure solution than the one that is described by the X9.24-1-2017 norm.

The norm extensively describes all aspects of the key management life cycle. It details how to generate, distribute, transport, utilize, store, archive, replace, and destroy cryptographic keys and their related components.

Notions Covered in ANSI X9.24-1-2017

• Secure Cryptographic Devices;
• Key Blocks;
• Key Creation / Key Component and Key Share creation;
• Check Values;
• Key Distribution;
• Key Loading;
• Key Utilization and Storage;
• Key Replacement, Destruction and Archiving;
• Key Compromise;
• Transaction Key Management.

In Summary

ANSI X9.24-1-2017 is one of the most important standards dealing with PIN-based financial transactions. This norm offers the guidelines and specifies requirements needed to perform the secure management of symmetric cryptographic keys in the context of retail financial services transactions.

References, Side Notes and Further Reading

• Read more articles on the ANSI X9.24-1-2017 (2018 - today), by Martin Rupp, Matt Landrock and more
• ANSI X9.24-1-2017 - Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques (2017), by the Accredited Standards Committee X9 (Incorporated Financial Industry Standards), American National Standards Institute
• [1] Triple-DES (TDES) is the standard and the algorithm used by triple-DES is referred to as triple-DEA(TDEA). Practically these are equivalent terms.