In a retail financial services environment, the compromise of a symmetric cryptographic key is a critical security breach. Such a situation is described by the ANSI X9.24-1-2017 standard. Here, we summarize the ANSI guidance on how to respond if a potential compromise has been identified.

The PCI Council requires most actors of payment networks to implement ANSI X9.24/TR-31-compliant key blocks to wrap and securely transmit, transfer, or translate key or PIN codes.

This article briefly summarizes the symmetric cryptographic key utilization and storage requirements as described by the ANSI X9.24-1-2017 (part 1) standard.

Key distribution is perhaps the most important and crucial aspect of the ANSI X9.24-1-2017 part 1 standard. But first, let us explain what cryptographic key distribution is.

The ANSI X9.24-1-2017 standard defines the requirements for the loading of key components or shares, and the loading of cleartext keys. The loading of encrypted keys is described in other parts of the standard.

In this article, we look at the process of key generation and key derivation as described by the ANSI X9.24-1-2017 standard. This process is mandatory for operations performed by the retail financial services industry.

The ANSI X9.24-1: 2017 standard requires the use of secure cryptographic devices (SCDs) in the context of symmetric key cryptography and refers to the ISO 13491-1 standard for the specifications that must be met for a device to be approved as an SCD. This article outlines and explains some of the aspects and requirements that both the X9.24-1-2017 and ISO 13491-1 mandate for SCDs that are used in retail financial services systems.

Key Blocks have been invented as a standard way for protecting the integrity of symmetric cryptographic keys and for identifying what the keys can be used for. Key Blocks are used to protect Triple-DES keys (Key Blocks can be used as 3DES key bundles), but also AES keys (often using AES key wrapping).

The ANSI X9.24-1-2017 norm details how symmetric cryptographic keys should be managed and handled by the relevant actors of the retail financial services companies. Here we outline the general techniques and methodologies that are required or suggested by the standard.