3 min read

ANSI X9.24-1-2017: Key Distribution 

ANSI X9.24-1-2017: Key Distribution

Key distribution is perhaps the most important and crucial aspect of the ANSI X9.24-1-2017 part 1 standard. But first, let us explain what cryptographic key distribution is.

Definition of Cryptographic Key Distribution

In the context of symmetric-key cryptography, all parties that require to encrypt/decrypt confidential information must own an identical secret key that must be exchanged between each party beforehand.

Distribution of cryptographic keys is an enormous issue because keys have to be securely transported in one way or another, for example, via electronic methods, physical transportation by authorized people or through snail mail. While the key is in transit, it can be stolen or copied by an attacker who is then able to decrypt any ciphertext encrypted with that key.

Key exchange protocols like the famous Diffie-Hellman protocol were invented in the 70s and solved many problems related to key distribution. However, ANSI X9.24-1-2017 doesn’t deal with such key distribution protocols. Instead, it deals with the problems involved in the transportation of keys, either encrypted or split into shared secrets.

Key Transport

The standard makes some important distinctions regarding how the keys must be transported:

  • The keys are transported using an SCD (Secure Cryptographic Device) that does not act as a personal key loading device (PKLD);
  • The keys are transported via printed forms on a transport media that cannot be considered as an SCD;
  • The keys are transported using an SCD that acts as a personal key loading device (PKLD).

A PKLD is a portable and personal fill device used to load cryptographic keys. The use of such devices is clearly required in many cases by the ANSI X9.24-1-2017.

In the context of cleartext key components or shares transported by authorized people, the standard requires that “the component or share value is not visible to any unauthorized individual during conveyance”. Some specifications about this are given in Annex B:

Any such material not transported inside a tamper-responsive SCD must be transported in a Tamper Evident and Authenticable (TEA) Bag that cannot be opened without clear proof of the intrusion. A TEA bag is a security bag, such as a heavy-duty bag whose role is to hold high-value or sensitive items.

Additionally, the TEA bag must not allow the display of the content of what it carries. An exception exists if manipulation is required to do so that would result in altering the TEA bag in such a way that it would bear marks of intrusion.

Nevertheless, we note that during the reception of keys, or a share of keys, if they are in cleartext format, additional requirements should be given by the standard. For example, to make sure that no hidden video camera or other similar recording devices are present.

The transport process also requires several administrative formalities like logging the key transports, acknowledging its reception, etc.

Note that the case of a key encrypted by a KEK and shared between a sender and receiver via a network is described in section 7.1.2 'transport media' (e.g. anything which is not an SCD).

Key Transportation Using a PKLD

One essential aspect of symmetric key transport in ANSI X9.24-1-2017 is key transport using a portable key loader (PKLD). Many details are given for such a situation.

A fill device or key loader is an electronic module used to load cryptographic keys into machines that perform encryption (typically HSMs). Such devices are usually handheld and are often battery-operated.

PLKDs are very special devices. Generally, they are used to transport and load cleartext keys into other SCDs. In such a case, the standard requires that the keys are loaded into the key loader in a special place called the Key Injection Facility (KIF). Such a place must employ several security constraints in order to be considered a secure environment.

Keys loaded into a PKLD must have a lifespan, usually a short one. Such a small crypto period, which could be 24 hours or even less is needed to mitigate the risk that the key loading device could be stolen or lost.

ANSI X9.24-1-2017 requires several additional properties for allowing a PKLD to be used. Of course, the anti-tamper properties of an SCD are required but, much more than that, it must prevent several classes of attacks, like electro-magnetic attacks (TEMPEST, etc.), be able to perform automatic zeroization when the key lifespan is over, etc.


The key distribution requirements, as described in ANSI X9.24-1-2017, are probably the most critical section within the entire standard and they need to be carefully understood when implementing a symmetric cryptographic solution in the context of retail financial services.

Read White Paper

References, Side Notes and Further Reading