Exploring Secure Cryptographic Devices for Retail Financial Services

The ANSI X9.24-1: 2017 standard requires the use of secure cryptographic devices (SCDs) in the context of symmetric key cryptography and refers to the ISO 13491-1 standard for the specifications that must be met for a device to be approved as an SCD. This article outlines and explains some of the aspects and requirements that both the X9.24-1-2017 and ISO 13491-1 mandate for SCDs that are used in retail financial services systems.

Definition

According to ISO 13491-1, a Secure Cryptographic Device (SCD) is defined as “a device that provides physically and logically-protected cryptographic services and storage. Such devices can be a PIN Entry Device (PED),a smartcard, or a hardware security module (HSM)”. 

Physical and logical protection of the SCD obviously implies that it is tamper-resistant and/or tamper-responsive. The standard makes an important distinction between a “simple” tamper-resistant SCD and one equipped with a tamper responsive mechanism that is able to “defend” itself against intrusion.

The security characteristics and evaluation criteria for SCDs are specified  in the ISO 13491-1:2016 and 13491-2:2016 standards, as well as in the ANSI X9.97-1: 2009 FINANCIAL SERVICES - SECURE CRYPTOGRAPHIC DEVICES (RETAIL) - PART 1 and 2.  ISO 13491-2 details the checklists needed for certification and assessment that an SCD can be used for retail financial environments.

An evaluation certificate is issued by the relevant accreditation authority based on the results from an accredited evaluation agency. Evaluation methods consist of the following:

• informal,
• semi-formal,
• semi-formal with approval and
• formal.

The documents issued after a successful process completion are, respectively:

• Assessment report,
• Evaluation report,
• Approval listing, and
• Certificate.

N of M Secret-Sharing Scheme for SCDs

According to the standard X9.24-1-2017, the SCD must reconstruct a key from its fragment using an XOR operation. However, when the SCD is used for the reverse operation, meaning it generates fragments from a key, an “n of m secret sharing scheme” shall be used.

This means that the secrets are shared among m participants and that among these participants, any group of n participants can reconstruct the secret, but any group of n-1 participants cannot do it.

The most common (n,m) secret sharing is Shamir's secret sharing.

Shamir secret sharing simply uses the fact that any polynomial of degree k can be defined by k different points. In this scheme, m participants are given each a different point. Any group of k participants can find the polynomial by combining their knowledge of the secrets and using, for example, interpolation to reconstruct the polynomial.

The secret itself can be the polynomial or any of its values at a given point. A group of k-1 participants cannot reconstruct the polynomial. Therefore, an infinite amount of possible values exists, thus making their knowledge of the secret totally useless without all the participants.

Comments

“An SCD that meets the Tamper Resistant requirements in Reference 3[ISO 13491], but does not meet the Tamper Responsive requirements therein, SHALL only be used in cases where the compromise of that SCD would not compromise keys or secrets not held within the SCD.” 

This is a very important requirement because it clearly distinguishes  ‘simple’ tamper-resistant SCDs from SCDs which have tamper-responsive requirements (like HSMs in general). The requirement restricts the use of the ‘simple’ tamper-resistant SCDs and requires them to be located in restricted areas (Minimally Controlled Environments).

“When an SCD is decommissioned, the financial keys SHALL be erased in accordance with Part 1 of Reference 3.”

We note that the standard does not use the cryptographic term ‘zeroization’ but simply requires the keys to be ‘erased’. 

“When an SCD is lost or stolen, all keys contained in that device SHOULD be considered compromised.”

We note that there is no strict definition of “lost” or “stolen” (e.g., when exactly the SCD is lost or stolen is left to the discrepancy of the organizations). It may be surprising that in such a case, according to the standard, the SCD shall not be considered compromised in a mandatory way but only as a possible option. 

Comparing with FIPS 140-2

In relation to the FIPS 140-2 standard, the intent in terms of tamper resistance/response, is certainly very similar. However, ISO 13491-1: 2016 is more specific in of its requirements when it comes to deployment. For example (ISO 13491-1: 2016, 6.4.1.4 under “tamper resistant requirements”): “In order to protect against substitution / removal, the device should be secured in such a manner that it is not practical to remove the device from its intended place of operation.” FIPS 140-2 (level 3) has several tamper resistant/response options, depending on the device type. E.g. you can get away with: “the cryptographic module should be covered with a hard opaque tamper-evident coating” (FIPS 140-2, 4.5.2 “single-chip cryptographic module”, level 3).

There is a good chance that an SCD meets the tamper resistant and responsive requirements of ISO 13491-1: 2016 if the SCD is FIPS 140-2 certified at level 3. 

PS: FIPS 140-2 was replaced by FIPS 140-3 in 2019.

Summary

ANSI X9.24-1-2017 defines concise requirements for the use of Secure Cryptographic Devices in the context of symmetric encryption performed by the actors of Retail Financial Services - by referring to other technical standards.

It is important to note that secret sharing performed by the SCD must use an “n of m secret sharing,” such as Shamir's secret sharing scheme.

It is also important to note that SCDs equipped with a “simple” tamper protection mechanism, e.g., without the ability to “answer” actively to unauthorized access, have several important usage restrictions.

References, Side Notes and Further Reading

• Read more articles on the ANSI X9.24-1-2017 (2018 - today), by Martin Rupp, Matt Landrock and more
• ANSI X9.24-1-2017 - Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques (2017), by the Accredited Standards Committee X9 (Incorporated Financial Industry Standards), American National Standards Institute
• How to share a secret (1979), by Adi Shamir, Communications of the ACM, Volumne 22, Issue 11

Norms used by X9.24-1-2017 

• NIST SP800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
• ANS X9.82, Random Number Generation, Part 3: Deterministic Random Bit Generators
• ISO 13491 - 2016 - all parts, Financial services – Secure cryptographic devices (Retail)
• ANS X9.24-2, Retail Financial Services Symmetric Key Management Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys

• FIPS 197: Advanced Encryption Standard (AES), November 26, 2001
• NIST SP 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques (December 2001)
• NIST SP 800-38C: Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality (July 2007)
• NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (November 2007)

• ANS X9.24-3, Retail Financial Services Symmetric Key Management Part 3: Derived Unique Key Per Transaction (Ballot Note: This is to be published in 2017)
• ANS X9.8-1, Personal Identification Number (PIN) Management and Security
• ISO 16609, Banking – Requirements for message authentication using symmetric techniques
• ISO 7812, Identification cards – Numbering system and registration procedure for issuer identifiers
• ISO 8583, Bankcard Originated Messages – Interchange message specifications – Content for financial transactions

• ISO 9797-1, Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher
• ISO/TR 14742, Recommendations on cryptographic algorithms and their use
• NIST SP 800-38B: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication (October 2016)
• ANS X9.102-2008, Symmetric Key Cryptography For the Financial Services Industry - Wrapping of Keys and Associated Data
• ANS X9.119, Retail Financial Services - Requirements for Protection of Sensitive Payment Card Data Part 1: Using Encryption Methods
• ISO 11568-2, Financial Services – Key management (retail) – Part 2, Symmetric ciphers, their key management and life cycle
• NIST SP 800-57: Recommendation for Key Management – Part 1: General
• ANS TR-31, Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms

Norms used by  ISO 13491-1

• ISO 9564-1, Financial services — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for PINs in card-based systems
• ISO 9564-2, Financial services — Personal Identification Number (PIN) management and security — Part 2: Approved algorithms for PIN encipherment
• ISO 13491-2:2005, Financial Services — Secure cryptographic devices (retail) — Part 2: Security compliance checklists for devices used in financial transactions
• ISO 16609, Financial services — Requirements for message authentication using symmetric techniques
• ISO/IEC 15408 (all parts), Information technology — Security techniques — Evaluation criteria for IT security
• ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories
• ISO/IEC 19790, Information technology — Security techniques — Security requirements for cryptographic modules