This article proposes answers to a series of frequently asked questions (FAQs) about key blocks.
What are key blocks?
A: Key blocks are unique cryptographic structures with the general purpose of protecting keys outside of a strong security boundary (such as a FIPS or PCI-certified HSM). This enables the secure transfer of cryptographic keys over an insecure environment. Generally, key blocks seek to solve the following problems:
- How to securely transfer multiple and different cryptographic keys?
- How to find a trustable way to indicate to the recipient the usage and nature of the transferred keys?
- How to achieve both confidentiality and integrity of the transferred keys?
- How to protect the transferred keys against man-in-the-middle attacks, tampering, and misuse?
Key blocks achieve this by ciphering the key material itself using a given algorithm, which can be symmetric or asymmetric, to add a plaintext header with various attributes and information and to sign the whole block.
Is there a norm for key blocks?
A: At the moment, there is no definite ISO or ANSI norm for key blocks. But, a technical reference for implementing key blocks, especially in banking, is the TR-31 technical report (ASC X9 Technical Report: Interoperable Secure Key Exchange Key Block Specification).
Is a key block the same as a key variant?
A: No, a key block is typically not at all the same as a key variant. Key variants are older cryptographic structures than key blocks. They are also more ‘primitive'. Key variants protect application keys with a key-encryption-key (which is derived from a master key using a control vector - that corresponds to the application type - using XOR) and a simple ECB cipher mode. Using key variants, the application type is implicit - but with key blocks, all key metadata is explicit within the block.
Are key blocks secure?
A: If they are well implemented, key blocks based on the TR-31 technical report are generally considered to be very secure. Key blocks are simple but efficient. In the payment industry, they are used to protect billions of cryptographic keys and PINs in various environments, for example, banking between ATMs and HSMs.
How many key block formats are there?
A: Everyone's free to create their own key block format based on the TR-31 technical report, but the most common key block formats are:
- Atalla key block
- Thales key block
- IBM key block
- TR-34 key blocks
- PKCS#8 key blocks
Note that, in cryptographic software designs, ‘key containers’ are often the same as key blocks and use the same design.
Is a key block the same as a key bundle?
A: No. A key bundle is a primitive concept, anterior to key blocks, less general, and focused only on triple-DES.Is a key block the same as key wrapping?
A: No. Key wrapping is more complex and generalized than key blocks. It is described by ANSI X9.102. Key wrapping focuses on cipher-based key encryption algorithms itself.Where are key blocks used?
A: Key blocks are mainly used in banking to transport keys and PINs between HSMs, ATMs, or POS payment terminals. They can also be used in cryptographic money (cryptocurrency) or, in general, any cryptographic system that needs to exchange keys in a secure and protected way.
References and Further Reading
- More articles on Key Blocks (2019 - today), by Dawn M. Turner and Martin Rupp
- More articles on Key Management (2015 - today), by Matt & Peter Landrock, Stefan Hansen, Dawn Turner, and more
- X9 TR34–2012 - Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques: Part 1 – Using Factoring-Based Public Key Cryptography Unilateral Key Transport (August 2012), by the American National Standards Institute
- Information Supplement: PIN Security Requirement 18-3 - Key Blocks (2019), by the PCI Security Standards Council
- Read more articles on the ANSI X9.24-1-2017 (2018 - today), by Martin Rupp, Matt Landrock and more
- ANSI X9.24-1-2017 - Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques (2017), by the Accredited Standards Committee X9 (Incorporated Financial Industry Standards), American National Standards Institute
- ASC X9 TR 31-2018 - Interoperable Secure Key Exchange Key Block Specification (2018), by American National Standards Institute (ANSI)