Introduction to Cryptographic Key Blocks - FAQs

This article answers a series of frequently asked questions (FAQs) about key blocks.

What are key blocks?

A: Key blocks are cryptographic structures whose general purpose is to protect keys outside of a strong security boundary (such as a FIPS- or PCI-certified HSM). This enables cryptographic keys to be transferred securely across an insecure environment. Generally, key blocks seek to solve the following problems:

  • How to securely transfer several different cryptographic keys?
  • How to indicate to the recipient, in a trustworthy way, the usage and nature of the transferred keys?
  • How to achieve both confidentiality and integrity of the transferred keys?
  • How to protect the transferred keys against man-in-the-middle attacks, tampering, and misuse?

Key blocks achieve this by encrypting the key material itself with a given algorithm, which can be symmetric or asymmetric, by adding a plaintext header that carries the key's attributes and other information, and by signing (authenticating) the whole block, header included, so that neither the key nor its metadata can be altered unnoticed.

Is there a standard for key blocks?

A: At the moment, there is no definitive ISO or ANSI standard for key blocks. However, the technical reference for implementing key blocks, especially in banking, is the TR-31 technical report (ASC X9 Technical Report: Interoperable Secure Key Exchange Key Block Specification).

Is a key block the same as a key variant?

A: No, a key block is not the same as a key variant. Key variants are an older and more 'primitive' cryptographic structure than key blocks. A key variant protects an application key with a key-encryption key that is derived by XORing a master key with a control vector corresponding to the application type, and then encrypts the application key with that key-encryption key in simple ECB mode. With key variants, the application type is therefore implicit (it exists only in the choice of control vector), whereas with key blocks all key metadata is explicit within the block.

Are key blocks secure?

A: If they are well implemented, key blocks based on the TR-31 technical report are generally considered very secure. Key blocks are simple but effective. In the payment industry, they are used to protect billions of cryptographic keys and PINs in various environments, for example in banking between ATMs and HSMs.

How many key block formats are there?

A: Anyone is free to create their own key block format based on the TR-31 technical report, but the most common key block formats are:

  • Atalla key block
  • Thales key block
  • IBM key block
  • TR-34 key blocks
  • PKCS#8 key blocks

Note that, in cryptographic software designs, ‘key containers’ are often the same as key blocks and use the same design.

Is a key block the same as a key bundle?

A: No. A key bundle is a primitive concept that predates key blocks; it is less general and focused only on triple-DES.

Is a key block the same as key wrapping?

A: No. Key wrapping is more complex and more generalized than key blocks. It is described by ANSI X9.102. Key wrapping focuses on the cipher-based key-encryption algorithm itself.

Where are key blocks used?

A: Key blocks are mainly used in banking to transport keys and PINs between HSMs, ATMs, or POS payment terminals. They can also be used in cryptographic money (cryptocurrency) or, in general, in any cryptographic system that needs to exchange keys in a secure and protected way.

References and Further Reading