ASC/X9 - ANSI X9.24-1
Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques
Publication Date: 1 January 2017
This part of this standard covers both the manual and automated management of keying material used for financial services such as point-of-sale (POS) transactions (debit and credit), automated teller machine (ATM) transactions, messages among terminals and financial institutions, and interchange messages among acquirers, switches and card issuers. This part of this standard deals exclusively with the management of symmetric keys using symmetric techniques. Requirements for symmetric keys protected by asymmetric keys are addressed in X9.24-2. Any requirements stated in this part are not meant to invalidate the requirements provided for in Part 2. This part of the standard specifies the minimum requirements for the management of keying material. Addressed are all components of the key management life cycle, including the generation, distribution, utilization, storage, archiving, replacement and destruction of the keying material. An institution's key management process, whether implemented in a computer or a terminal, is not to be implemented or controlled in a manner that has less security, protection, or control than described herein. The intention is that if two nodes implement compatible and secure versions of key management methods, key identification techniques, and key separation methods in accordance with this part of this standard, they will be interoperable at the application level. Other characteristics may be necessary for node interoperability; however, this part of this standard does not cover such characteristics as message format, communications protocol, transmission speed, or device interface.
The definition of the DUKPT algorithm is addressed in X9.24 Part 3. Information contained in previous versions of this standard related to the implementation of DUKPT has been moved to that standard.
This part of this standard is applicable for institutions implementing techniques to safeguard the cryptographic keys used for the authentication and encryption of messages and other sensitive data. For example, this applies to institutions in the financial services industry implementing References 10, 11, or 18.
Mandatory standard techniques and procedures are indicated by the word 'SHALL'. Guidelines are indicated by the word 'SHOULD'.
This key management standard, utilized in conjunction with the National Institute for Standards and Technology Triple Data Encryption Algorithm (TDEA) (see Reference 1) and the Advanced Encryption Standard (AES) (see Reference 5), is used to manage symmetric keys that can be used to protect messages and other sensitive information in a financial services environment. The security and reliability of any process based on AES or the TDEA is directly dependent on the protection afforded to secret parameters called cryptographic keys.
This standard establishes requirements and guidelines for the secure management and application-level interoperability of keying operations. Such keys could be used for authenticating messages (see References 11, 14, and 16), for encrypting Personal Identification Numbers (PIN) (see Reference 10), for encrypting other data, for encrypting other keys, or for other purposes.
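The paragraph above lists the distinct purposes a key may serve (PIN encryption, message authentication, key encryption), and the scope statement earlier mentions key separation methods as a requirement for interoperable, secure nodes. The following added example, written for this page and not drawn from X9.24-1 itself, shows the idea of key separation in code: every key is bound to a single usage when it is created and is refused for any other. The usage labels, the HMAC-SHA256 derivation and the HMAC-based message authentication are assumptions made for illustration; the standard's own separation, identification and MAC mechanisms (built on TDEA and AES) are not those shown here.

```python
"""Key separation as an illustrative check: each key carries one usage and
is refused for any other. Constructed example; not the text of X9.24-1."""
import hashlib
import hmac

# Usage labels (constructed for this example; X9.24 defines its own
# key separation and identification techniques, not these strings).
USAGE_PIN = "PIN_ENCRYPTION"
USAGE_MAC = "MESSAGE_AUTHENTICATION"
USAGE_KEK = "KEY_ENCRYPTION"


class KeyUsageError(Exception):
    """Raised when a key is presented for a purpose it was not issued for."""


class SeparatedKey:
    """A symmetric key bound to exactly one purpose at creation time."""

    def __init__(self, key_bytes: bytes, usage: str):
        self._key = key_bytes
        self.usage = usage

    def require(self, usage: str) -> bytes:
        """Hand out key material only for the bound purpose."""
        if usage != self.usage:
            raise KeyUsageError(f"key bound to {self.usage}, requested {usage}")
        return self._key


def derive_separated_key(master: bytes, usage: str, length: int = 16) -> SeparatedKey:
    """Derive a purpose-specific key from a master key with HMAC-SHA256 keyed by
    the master and fed the usage label (illustrative derivation, assumed here,
    not an X9.24 mechanism). Different labels yield unrelated keys, so the PIN
    key and the MAC key derived from one master never coincide."""
    okm = hmac.new(master, usage.encode(), hashlib.sha256).digest()[:length]
    return SeparatedKey(okm, usage)


def compute_mac(key: SeparatedKey, message: bytes) -> bytes:
    """Authenticate a message with a key bound to the MAC purpose.
    HMAC-SHA256 stands in for the block-cipher MACs the standard references;
    the point demonstrated is that a PIN or KEK key is rejected here."""
    return hmac.new(key.require(USAGE_MAC), message, hashlib.sha256).digest()


def misuse_is_rejected(key: SeparatedKey, usage: str) -> bool:
    """Return True when asking a key for a usage it is not bound to raises."""
    try:
        key.require(usage)
    except KeyUsageError:
        return True
    return False


if __name__ == "__main__":
    # Constructed master key for the demonstration only.
    master = bytes(range(16))
    pin_key = derive_separated_key(master, USAGE_PIN)
    mac_key = derive_separated_key(master, USAGE_MAC)
    print("MAC:", compute_mac(mac_key, b"0200 purchase 12.34").hex())
    print("PIN key accepted for MAC?", not misuse_is_rejected(pin_key, USAGE_MAC))
```

The enforcement point is `require`: the key material is never reachable without naming the purpose, so a caller that holds a PIN-encryption key cannot silently reuse it for message authentication or as a key-encrypting key. A real deployment would bind the usage inside the secure cryptographic device rather than in application memory, but the check itself has the same shape.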