In this article, we look at the processes of key share generation and key derivation as described by the ANSI X9.24-1-2017 standard. These processes are mandatory for operations performed by the retail financial services industry.
Random Generation of Cryptographic Keys
One important aspect of ANSI X9.24-1-2017 is the generation of secure cryptographic keys. The generation process must include certain steps designed to prevent attacks that could allow the process to be reversed and, subsequently, the generation of valid keys by unauthorized parties.
The generated keys must remain secret, especially since they must be generated inside a secure cryptographic device (SCD). However, because the keys may cipher a great volume of data (data that could be eventually recorded), some cryptanalysis could be performed against the ciphered data. For example, a hacker might try to reconstitute the mechanism that generates a key and could successfully predict future generated keys, resulting in compromised encryption.
Also, any data ciphered with a key sequence that has a bias (is not truly random) will reflect that bias accordingly - which can lead to a great variety of attacks. To counter this, the standard requires the keys to be generated by a random or pseudo-random process. This usually involves a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG), which does not allow the use of statistical analysis to detect ‘more probable’ keys.
ANSI X9.24-1-2017 also requires that “The strength of the random number generator SHALL be equal to or greater than the strength of the key it is generating”. The strength of a CSPRNG is directly proportional to the entropy of the source used to create its seed. For example, a key with a strength of 128 bits should be generated by a CSPRNG having a source of entropy of at least 128 bits.
Details related to random generators can be found in the document ANSI X9.82, Random Number Generation, Part 3.
ANSI X9.24-1-2017 also explains what key derivation (also referred to as "key diversification") is and how it should be performed.
A key derivation function (KDF) derives cryptographic keys from a master key (or a base derivation key) using a pseudorandom function.
One very important requirement for a KDF is:
“It SHALL be cryptographically infeasible to recover the derivation key from the derived key”.
This means that key derivation functions should resist attacks such as timing side-channel attacks. They also cannot allow an attacker to guess the master key from a sample of n derived keys. A simple derivation function uses a cipher that is considered secure, such as Triple-DES or AES, and generates keys by enciphering the output of a CSPRNG with the master key.
DUKPT is another example of a secure key derivation algorithm accepted by ANSI X9.24-1-2017.
Key Components and Key Share Creation
ANSI X9.24-1-2017 provides more details about the process of fragmenting keys into shares. This process is mandatory when a cleartext key is maintained outside an SCD: such a key must be split into shares.
Key share creation must be performed inside an SCD. When the key share creation produces cleartext output (which is the standard intended usage), the generation must additionally occur “in a Controlled Environment or a Secure Environment”.
ANSI X9.24-1-2017 provides guidance on how the correctness of the generated key should be checked by using check value calculation.
In other words, this means computing a check value from a key without disclosing it.
If a check value is not the one expected, the key has to be disabled, either temporarily or permanently. An investigation of the reason for the key mismatch should then be performed.
The check value algorithm itself must use all the components of the keys and not a subkey. A CMAC-based check value algorithm that produces a 10-byte check value is recommended for this purpose.
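The following Python sketch is an added example, not code from the standard or the original article: it splits a key into components, recombines them, and rejects the result when the check value does not match. It assumes components are combined with XOR (the article does not name the splitting method) and uses truncated HMAC-SHA-256 as a stand-in for the CMAC-based check value, since the Python standard library has no AES; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from functools import reduce

CHECK_VALUE_LEN = 10  # bytes, the check value length given in the article


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> bytes:
    """Fingerprint a key without disclosing it.

    Stand-in (assumption): HMAC-SHA-256 over a fixed label, truncated.
    The whole key is the MAC key, so every byte of it affects the result,
    matching the rule that the check value must not cover only a subkey.
    """
    mac = hmac.new(key, b"check-value", hashlib.sha256).digest()
    return mac[:CHECK_VALUE_LEN]


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split key into n XOR components; all n are needed to rebuild it."""
    if n < 2:
        raise ValueError("need at least two components")
    # n-1 components come straight from the OS CSPRNG ...
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    # ... and the last one is chosen so that the XOR of all n equals the key.
    parts.append(reduce(xor_bytes, parts, key))
    return parts


def combine_components(components: list[bytes], expected_cv: bytes) -> bytes:
    """Rebuild the key and refuse to return it if the check value differs."""
    key = reduce(xor_bytes, components)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(check_value(key), expected_cv):
        raise ValueError("check value mismatch: disable key and investigate")
    return key
```

In a real deployment both functions would run inside the SCD; the sketch only shows the data flow and the mismatch handling.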
In the context of cryptographic operations performed by the retail financial services industry, the process of key generation and key derivation is described by the ANSI X9.24-1-2017 standard, which refers to detailed specifications from other standards.
These are essential aspects of the security of retail payments and therefore should be carefully dealt with by any integrator working on such topics.
References, Side Notes and Further Reading
- Read more articles on the ANSI X9.24-1-2017 (2018 - today), by Martin Rupp, Matt Landrock and more
- ANSI X9.24-1-2017 - Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques (2017), by the Accredited Standards Committee X9 (Incorporated Financial Industry Standards), American National Standards Institute