
ANS X9.24 Overview


metea

Presentation Transcript


  1. ANS X9.24 Overview

  2. Overview
     • ANS X9.24-2004 Part 1: Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques
       • FYI - Part 2 covers using asymmetric techniques
     • What it covers
     • How it compares to the key management model described in NIST SP 800-57, Recommendation for Key Management – Part 1: General (Revised)

  3. High-level overview
     X9.24
     • Very focused on a particular application of symmetric key management
     • A product of X9F6 - Cardholder Authentication and ICCs Working Group
     • X9F6 focuses almost entirely on PIN security
       • At least to date – X9.114 will extend to other sensitive transaction data
       • Should watch this one
     SP 800-57
     • A very broad and general document that covers a wide range of key management technologies and techniques

  4. Applicability
     X9.24
     • Use is limited to the financial services industry and to the protection of sensitive financial information
       • The “interchange environment”
     • Widely followed by FIs
     • Basically used for encrypting PINs
     SP 800-57
     • Use nominally limited to US federal government, but many NIST documents become de facto standards for most of the world
       • Including this one
     • Provides basis for FIPS 140-2, et al.

  5. Comparing content
     X9.24
     • Lacks a broad framework for general key management
     • A very narrow and focused set of requirements to support the creation and use of PINs
     • No explicit states of keys listed
     SP 800-57
     • A very broad framework
     • Many requirements to choose from depending on application
     • The familiar model of states

  6. What X9.24 does describe
     • Key management requirements (Section 7)
       • Key generation
       • Use of TRSM
       • Secure environment
       • Key distribution
       • Key utilization
       • Key replacement
       • Key destruction and archival

  7. What X9.24 does describe
     • Key management methods (Section 8)
       • Methods requiring compromise prevention controls
         • Fixed transaction keys
         • A hierarchy of master keys and transaction keys
       • Methods requiring compromise detection controls
         • Derived unique key per transaction (DUKPT)
     • Key identification – one of these must be used
       • Implicit key identification
       • Key identification by name
         • May (?) be of interest to OO group
     • Security Management Information Data (SMID) Element
       • Transport format
       • Not actually required by the standard
       • May (?) be of interest to OO group

  8. Final thoughts on X9.24
     • No issues with SP 800-57, but there are compatibility issues with other NIST documents
       • X9.24 uses a KDF that is not approved by NIST, so can’t be used in FIPS 140-2 compliant mode
       • X9.24 also generates symmetric keys from a KDF, which is also not allowed by FIPS 140-2
     • But, in general, we can assume that the key management states of X9.24-2004 Part 1 are a subset of the states defined by SP 800-57
