ISO 11568-2:2005
(Main)Banking — Key management (retail) — Part 2: Symmetric ciphers, their key management and life cycle
Banking — Key management (retail) — Part 2: Symmetric ciphers, their key management and life cycle
ISO 11568-2:2005 specifies techniques for the protection of symmetric and asymmetric cryptographic keys in a retail banking environment using symmetric ciphers and the life-cycle management of the associated symmetric keys. The techniques described enable compliance with the principles described in ISO 11568-1. The techniques described are applicable to any symmetric key management operation.
Banque — Gestion de clés (services aux particuliers) — Partie 2: Algorithmes cryptographiques symétriques, leur gestion de clés et leur cycle de vie
General Information
Relations
Standards Content (Sample)
INTERNATIONAL ISO
STANDARD 11568-2
Second edition
2005-10-01
Banking — Key management (retail) —
Part 2:
Symmetric ciphers, their key
management and life cycle
Banque — Gestion de clés (services aux particuliers) —
Partie 2: Algorithmes cryptographiques symétriques, leur gestion de
clés et leur cycle de vie
Reference number
ISO 11568-2:2005(E)
©
ISO 2005
---------------------- Page: 1 ----------------------
ISO 11568-2:2005(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
© ISO 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2005 – All rights reserved
---------------------- Page: 2 ----------------------
ISO 11568-2:2005(E)
Contents Page
Foreword. iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 2
4 General environment for key management techniques. 4
4.1 General. 4
4.2 Functionality of a secure cryptographic device . 4
4.3 Key generation . 5
4.4 Key calculation (variants) . 6
4.5 Key hierarchies . 6
4.6 Key Life Cycle . 7
4.7 Key storage . 9
4.8 Key restoration from back up. 10
4.9 Key distribution and loading . 10
4.10 Key use . 11
4.11 Key replacement . 11
4.12 Key destruction. 12
4.13 Key deletion. 12
4.14 Key archive. 12
4.15 Key termination. 12
5 Techniques for the provision of key management services . 13
5.1 Introduction . 13
5.2 Key encipherment. 13
5.3 Key variants. 13
5.4 Key derivation . 14
5.5 Key transformation. 14
5.6 Key offsetting . 15
5.7 Key notarization. 16
5.8 Key tagging . 17
5.9 Key verification . 18
5.10 Key identification. 19
5.11 Controls and audit . 19
5.12 Key integrity . 20
6 Symmetric key life cycle . 20
6.1 General. 20
6.2 Key generation . 20
6.3 Key storage . 20
6.4 Key restoration from back up. 21
6.5 Key distribution and loading . 21
6.6 Key use . 23
6.7 Key replacement . 23
6.8 Key destruction, deletion, archive and termination. 24
7 Key management services cross reference. 25
Annex A (normative) Notation used in this part of ISO 11568. 26
Annex B (normative) Approved algorithms for symmetric key management . 27
Annex C (normative) Abbreviations . 28
Bibliography . 29
© ISO 2005 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO 11568-2:2005(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 11568-2 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Security management and general banking operations.
This second edition cancels and replaces the first edition (ISO 11568-2:1994), which has been technically
revised. It also cancels and replaces ISO 11568-3:1994, the content of which has been incorporated into this
part of ISO 11568.
ISO 11568 consists of the following parts, under the general title Banking — Key management (retail):
⎯ Part 1: Principles
⎯ Part 2: Symmetric ciphers, their key management and life cycle
⎯ Part 4: Asymmetric cryptosystems — Key management and life cycle
⎯ Part 5: Key life cycle for public key cryptosystems [To be withdrawn and incorporated into Part 4]
⎯ Part 6: Key management schemes [since withdrawn]
iv © ISO 2005 – All rights reserved
---------------------- Page: 4 ----------------------
ISO 11568-2:2005(E)
Introduction
ISO 11568-2 is one of a series of standards describing procedures for the secure management of
cryptographic keys used to protect messages in a retail financial services environment, for instance,
messages between an acquirer and a card acceptor, or an acquirer and a card issuer.
This part of ISO 11568 addresses the key management requirements that are applicable in the domain of
retail financial services. Typical of such services are point-of-sale/point-of-service (POS) debit and credit
authorizations and automated teller machine (ATM) transactions.
This part of ISO 11568 describes key management techniques which, when used in combination, provide the
key management services identified in ISO 11568-1. These services are:
⎯ key separation;
⎯ key substitution prevention;
⎯ key identification;
⎯ key synchronization;
⎯ key integrity;
⎯ key confidentiality;
⎯ key compromise detection.
The key management services and the corresponding key management techniques are cross-referenced in
Clause 7.
This part of ISO 11568 also describes the key life cycle in the context of secure management of cryptographic
keys for symmetric ciphers. It states both requirements and implementation methods for each step in the life
of such a key, utilizing the key management principles, services and techniques described herein and in
ISO 11568-1. This part of ISO 11568 does not cover the management or key life cycle for keys used in
asymmetric ciphers, which are covered in ISO 11568-4.
In the development of the ISO 11568 series due consideration was given to ISO/IEC 11770; the mechanisms
adopted and described in this part of ISO 11568 are those required to satisfy the needs of the financial
services industry.
© ISO 2005 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO 11568-2:2005(E)
Banking — Key management (retail) —
Part 2:
Symmetric ciphers, their key management and life cycle
1 Scope
This part of ISO 11568 specifies techniques for the protection of symmetric and asymmetric cryptographic
keys in a retail banking environment using symmetric ciphers and the life-cycle management of the associated
symmetric keys. The techniques described enable compliance with the principles described in ISO 11568-1.
The techniques described are applicable to any symmetric key management operation. The notation used in
this part of ISO 11568 is given in Annex A.
Algorithms approved for use with the techniques described in this part of ISO 11568 are given in Annex B.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 9564-1:2002, Banking — Personal Identification Number (PIN) management and security — Part 1: Basic
principles and requirements for online PIN handling in ATM and POS systems
ISO/IEC 10116, Information Technology — Security techniques — Modes of operation for an n-bit block
cipher
ISO 11568-1:2005, Banking — Key management (retail) — Part 1: Principles
ISO 13491-1, Banking — Secure cryptographic devices (retail) — Part 1: Concepts, requirements and
evaluation methods
ISO 13491-2:2000, Banking — Secure cryptographic devices (retail) — Part 2: Security compliance checklists
for devices used in magnetic stripe card systems
ISO 16609:2004, Banking — Requirements for message authentication using symmetric techniques
ISO/IEC 18033-1, Information technology — Security techniques — Encryption algorithms — Part 1: General
1)
ISO/TR 19038 , Banking and related financial services — Triple DEA — Modes of operation —
Implementation guidelines
ANSI X9.24 Part 1-2004, Retail Financial Services Symmetric Key Management Part 1: Using Symmetric
Techniques
ANSI X9.65, Triple Data Encryption Algorithm (TDEA), Implementation Standard
1) To be published
© ISO 2005 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO 11568-2:2005(E)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
cipher
pair of operations that effect transformations between plaintext and ciphertext under the control of a parameter
called a key
NOTE The encipherment operation transforms data (plaintext) into an unintelligible form (ciphertext). The
decipherment operation restores the original text.
3.2
counter
incrementing count used between two parties, e.g. to control successive key distributions under a particular
key encipherment key
3.3
data integrity
property that data has not been altered or destroyed in an unauthorized manner
3.4
data key
randomly or pseudo-randomly generated cryptographic key used for the encipherment, decipherment or
authentication of data
3.5
dual control
process of utilizing two or more separate entities (usually persons), operating in concert to protect sensitive
functions or information whereby no single entity is able to access or utilize the materials, e.g. cryptographic
key
3.6
exclusive-or
see modulo-2 addition
3.7
hexadecimal digit
single character in the range 0-9, A-F (upper case), representing a four-bit string
3.8
key component
one of at least two randomly or pseudo-randomly generated parameters having the characteristics (e.g. format,
randomness) of a cryptographic key that is combined with one or more like parameters, e.g. by means of
modulo-2 addition, to form a cryptographic key
3.9
key mailer
tamper evident envelope that has been designed to convey a key component to an authorized person
3.10
key offset
result of adding a counter to a cryptographic key using modulo-2 addition
3.11
key space
set of all possible keys used within a cipher
2 © ISO 2005 – All rights reserved
---------------------- Page: 7 ----------------------
ISO 11568-2:2005(E)
3.12
key transfer device
secure cryptographic device that provides key import, storage and export functionalities
[ISO 13491-2:2000, Annex F]
3.13
key transformation
derivation of a new key from an existing key using a non-reversible process
3.14
message authentication code
MAC
code in a message between an originator and a recipient, used to validate the source and part or all of the text
of a message
NOTE The code is the result of an agreed calculation.
3.15
modulo-2 addition
exclusive-or
XOR
binary addition with no carry, giving the following values:
0 + 0 = 0
0 + 1 = 1
1 + 0 = 1
1 + 1 = 0
3.16
n-bit block cipher
block cipher algorithm with the property that plaintext blocks and ciphertext blocks are n-bits in length
3.17
notarization
method of modifying a key encipherment key in order to authenticate the identities of the originator and the
ultimate recipient
3.18
offset
see key offset
3.19
originator
party that is responsible for originating a cryptographic message
3.20
pseudo-random
process that is statistically random and essentially unpredictable although generated by an algorithmic
process
3.21
recipient
party that is responsible for receiving a cryptographic message
© ISO 2005 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO 11568-2:2005(E)
3.22
secure cryptographic device
device that provides security storage for secret information such as keys and provides security services based
on this secret information
[ISO 13491-2]
3.23
split knowledge
condition under which two or more parties separately and confidentially have custody of the constituent part of
a single cryptographic key which, individually, conveys no knowledge of the resultant cryptographic key
4 General environment for key management techniques
4.1 General
The techniques that may be used to provide the key management services are described in Clause 5 and the
key life cycle in Clause 6. This clause describes the environment within which those techniques operate and
introduces some fundamental concepts and operations, which are common to several techniques.
4.2 Functionality of a secure cryptographic device
4.2.1 General
The most fundamental cryptographic operations for a symmetric block cipher are to encipher and decipher a
block of data using a supplied secret key. For multiple blocks of data, these operations might use a mode of
operation of the cipher as described in ISO/IEC 10116. At this level, no meaning is given to the data, and no
particular significance is given to the keys. Typically, in order to provide the required protection for keys and
other sensitive information, a secure cryptographic device must provide a higher level functional interface,
whereby each operation includes several of the fundamental cryptographic operations using some
combination of keys and data obtained from the interface or from an intermediate result. These complex
cryptographic operations are known as functions, and each one operates only on data and keys of the
appropriate type.
4.2.2 Data types
Application level cryptography assigns meaning to data, and data with differing meanings need to be
manipulated and protected in different ways by the secure cryptographic device. Data with a specific meaning
constitutes a data type.
The secure cryptographic device ensures that it is not possible to manipulate a data type in an inappropriate
manner; e.g. a PIN is a data type which must remain secret, whereas other transaction data may constitute a
data type which requires authentication but not secrecy.
A cryptographic key may be regarded as a special data type. A secure cryptographic device ensures that a
key can exist only in the permitted forms given in 4.7.2.
4.2.3 Key types
A key is categorized according to the type of data on which it operates and the manner in which it operates.
The secure cryptographic device ensures that key separation is maintained, so that a key cannot be used with
an inappropriate data type or in an inappropriate manner; e.g. a PIN encipherment key is a key type that is
used only to encipher PINs, whereas a key encipherment key (KEK) is a key type that is used only to encipher
other keys. Also a KEK may require categorization such that it operates only on one type of key, e.g. one type
of KEK may encipher a PIN encipherment key, while another may encipher a message authentication code
(MAC) key.
4 © ISO 2005 – All rights reserved
---------------------- Page: 9 ----------------------
ISO 11568-2:2005(E)
4.2.4 Cryptographic functions
The set of functions supported by the secure cryptographic device directly reflects the cryptographic
requirements of the application. It might include such functions as:
⎯ enciphering a PIN;
⎯ verifying an enciphered PIN;
⎯ generating a MAC;
⎯ generating an enciphered random key.
The design of the secure cryptographic device is such that no individual function may be used to obtain
unauthorized sensitive information. Additionally, no combination of functions exists which may result in such
data being obtained. Such a design is referred to as being logically secure. A secure cryptographic device
may be required to manage keys of several types. Cryptographic keys used in such a system may be held
securely outside of the cryptographic device by being stored in an enciphered form by using KEKs which
either exist only within the cryptographic device, or are enciphered under a higher level KEK. One technique
of providing key separation is to use a different KEK type for the encipherment of each type of key. When this
technique is used, and an enciphered key is passed to the secure cryptographic device, the key is deciphered
using the KEK type appropriate for the expected key type. If this key is an incorrect type, and thus is
enciphered under some other KEK type associated with some other key type, the decipherment produces a
meaningless key value.
4.3 Key generation
4.3.1 General
The key management principles given in ISO 11568-1 require that keys be generated using a process that
ensures that it is not possible to predict any key or determine that certain keys within the key space are more
probable than others.
In order to conform with this principle, keys and key components shall be generated using a random or
pseudo-random process. The pseudo-random key generation process may be either non-repeatable or
repeatable.
The random or pseudo-random process used, shall be such that it is not feasible to predict any key or to
determine that certain keys are more probable than other keys from the set of all possible keys.
Except for the variants of a key, the non-reversible transformations of a key, and keys enciphered under a key
or derived from a key, compromise of one secret key shall not feasibly provide useful information about any
other secret key.
4.3.2 Non repeatable key generation
This process may involve a non-deterministic value such as the output of a random number generator, or may
be a pseudo-random process.
An example of a pseudo-random process for generating a key, Kx, is as follows, where K is a secret
cryptographic key reserved for key generation, V is a secret seed value and DT is a date-time vector updated
on each key generation:
Kx = eK[eK (DT) ⊕ V]
and generate a new V as follows:
V = eK[Kx ⊕ eK (DT)]
NOTE This method, among others, may be found in ISO 18031.
© ISO 2005 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO 11568-2:2005(E)
4.3.3 Repeatable key generation
It is sometimes convenient to generate one or more keys, perhaps thousands, from a single key using a
repeatable process. Such a process allows for any of the resultant keys to be regenerated, as required, in any
location that possesses the seed key and appropriate generation data, and facilitates significant reductions in
the number of keys which require manual management, storage or distribution.
The generation process shall be such that if the initial key is unpredictable within the key space (as required
by the key management principles), then so is each resultant key.
The procedure may be used iteratively, as a key generated from one initial key may subsequently be used as
an initial key to generate others.
The generation process shall be non-reversible, such that disclosure of a generated key discloses neither the
initial key nor any other generated key. An example of such a process is the encipherment of a non-secret
value using the initial key.
4.4 Key calculation (variants)
It is possible to obtain a number of keys from a single key using a reversible process. An example of such a
process is the modulo-2 addition of the key and a non-secret value.
Key calculation has the qualities of speed and simplicity, but disclosure of one key calculated in this manner
discloses the original key and all other keys calculated from it.
4.5 Key hierarchies
A key hierarchy is a conceptual structure in which the confidentiality of certain keys is dependent upon the
confidentiality of other keys. By definition, disclosure of a key at one level of the key hierarchy shall not
disclose any key at a higher level.
Key encipherment introduces a key hierarchy whereby a key encipherment key (KEK) is considered to be at a
higher level than the key that it enciphers. The simplest is a two-level hierarchy, whereby the working keys are
enciphered by KEKs which are themselves stored in a cryptographic device. In a three-level hierarchy, these
KEKs are also managed in an enciphered form using a higher-level KEK. The concept may be extended to
four or more layers.
Similarly, when an initial key or key generating key (KGK) participates in the generation of other keys using a
deterministic process, a hierarchy may result whereby the KGK is considered to be at a higher level than the
generated keys.
Keys at the higher levels of the key hierarchy shall be of equal or greater strength than the keys they are
protecting.
Due consideration shall be paid to known attacks when assessing the equivalent strength of various
cryptographic algorithms. Generally an algorithm can be said to provide s bits of strength where the best-
s−1
known attack would take, on average, 2 T to attack, where T is the amount of time that is required to
perform one encryption of a plaintext value and comparison of the result against the corresponding ciphertext
value.
120−log k
E.g., in reference 2, an attack against 112-bit TDEA is presented that requires O(k) space and 2
40
operations, where k is the number of known plaintext-ciphertext pairs. As discussed in reference 3, given 2
80
known plaintext-ciphertext pairs, this reduces the strength of two-key (112-bit) TDEA to 2 . Recommended
equivalent key sizes at the time of publication are given in Table 1. In assessing these numbers consideration
Shall be paid to any further developments in cryptanalysis, factoring and computing generally.
6 © ISO 2005 – All rights reserved
---------------------- Page: 11 ----------------------
ISO 11568-2:2005(E)
Table 1 — Encryption algorithms — Equivalent strengths
Effective Strength Symmetric RSA Elliptic Curve
40
80 112-bit TDEA (with 2 known pairs) 1 024 160
112-bit TDEA (with no known pairs)
112 2 048 224
168-bit TDEA
NOTE At the time of publication, in the retail banking environment, where TDEA keys are used for protecting other keys, and are
changed such that the collection of quantities of plaintext/ciphertext pairs sufficient to significantly weaken the underlying cipher is
improbable, 112-bit TDEA can be considered to offer sufficient security for the protection of 168-bit TDEA and 2 048-bit RSA keys.
4.6 Key Life Cycle
The states that make up a key's lifetime are collectively referred to as the key's life cycle. Keys shall be
protected at all stages throughout their life cycle. An operation that changes a key's state is referred to as a
life cycle operation. This subclause specifies the requirements for attaining a given state or performing a given
operation.
The key life cycle consists of three phases as follows.
a) Pre-use: during which the key is generated and optionally stored prior to its use.
b) Use: during which
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.