This article proposes a few answers to a series of frequently asked questions (FAQs) about key blocks and their use with PCI.
Q: What are the requirements for key blocks imposed by the PCI standards?
A: The latest PCI PIN standards imposes the usage of key blocks for the management and exchange (between internal and external systems) of all encrypted symmetric keys. These key blocks should follow the TR-31 technical report (an ISO document that details how key blocks should look like and be implemented).
Q: Are TR-31 key blocks mandatory and imposed by PCI PIN?
A: Strictly speaking, they aren’t. Any other ‘equivalent’ method to TR-31 can be used during an interim period as long as the key block respects a minimal set of functions defined by:
“The key usage must be cryptographically bound to the key using accepted methods, such that it must be infeasible for the key to be used if the usage attributes have been altered.”
Thus it doesn’t seem possible to use PKCS#8, for instance.
Q: Are there key block requirements in PCI-DSS?
A: No, there aren’t. PCI key blocks requirements are only for PCI-PIN.
Q: Does the issuer have to implement key blocks for their own issuing keys?
A: From a strict point of view, issuers are not legally bound to implement key blocks. However, since they are often the receiving party and connected to parties who must implement key blocks, issuers will also need to implement key blocks to have their system working for interoperability purposes.
Q: What type of keys must be protected by key blocks in PCI-PIN?
A: There can be a lot of different key types involved in the processing of PINs, but the most common are :
- ZMKs (Zone master keys);
- KEKs (Key encryption keys);
- BDKs (Base derivation keys);
- TMKs (Terminal masterkeys);
- PEKs (PIN encryption keys).
Q: Does PCI-PIN require key blocks to be used both for transport and for storage?
A: Yes, key blocks are also required for storage by PCI-PIN. This means that HSMs must store symmetric encrypted keys as key blocks and only ASC key blocks. Of course, this doesn’t apply to all types of keys. For example, this doesn’t apply to one-time keys, such as DUKPT.
Q: Do PCI-PIN request the use of a key protection key for the key block?
A: The key protection key (KPK) is specified in TR-31 to derive the KBEC (key block encryption key) and the KBAC (key block authentication key). If TR-31 is chosen as the implementation reference for the key blocks, using a KPK is mandatory.
Q: What is the current timeline for the implementation of keyblocks as dictated by the PCI norm?
A: The phased implementation dates are as follows (correct at time of writing):
- Phase 1 – Implement Key Blocks for internal connections and key storage within Service Provider Environments – this would include all applications and databases connected to hardware security modules (HSM). Effective date: 1 June 2019.
- Phase 2 – Implement Key Blocks for external connections to Associations and Networks. Effective date: 1 Jan 2023 (replaces previous effective dates of 1 June 2021 and 1 June 2023).
- Phase 3 – Implement Key Block to extend to all merchant hosts, point-of-sale (POS) devices and ATMs. Effective date: 1 June 2025 (replaces previous effective date of 1 June 2023).
Q: What can you do to get your organization ready before the changes related to keyblock as dictated by PCI-PIN requirements go into effect?
A: Talk to Cryptomathic to schedule a review of your system environments.
References and Further Reading
- Information Supplement: PIN Security Requirement 18-3 - Key Blocks ( June 2019 ) By PIN Assessment Working Group PCI Security Standards Council
- More articles on Key Blocks (2019 - today), by Dawn M. Turner and Martin Rupp
- More articles on Key Management (2015 - today), by Matt & Peter Landrock, Stefan Hansen, Dawn Turner, and more
- X9 TR34–2012 - Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques: Part 1 – Using Factoring-Based Public Key Cryptography Unilateral Key Transport (August 2012), by the American National Standards Institute
- Information Supplement: PIN Security Requirement 18-3 - Key Blocks (2019), by the PCI Security Standards Council
- Read more articles on the ANSI X9.24-1-2017 (2018 - today), by Martin Rupp, Matt Landrock and more
- ANSI X9.24-1-2017 - Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques (2017), by the Accredited Standards Committee X9 (Incorporated Financial Industry Standards), American National Standards Institute
- ASC X9 TR 31-2018 - Interoperable Secure Key Exchange Key Block Specification (2018), by American National Standards Institute (ANSI)