In financial cryptography and PCI standards, a Key Block is an encrypted key stored with its metadata in a cryptographically secure way. That means that the key’s usage information and other parameters can’t be altered by an attacker by tampering with the encrypted key.
Key Blocks are an important method to help protect payment security. They prevent the misuse of cryptographic keys and protect the keys from malevolent hackers who could exploit weaknesses and substitute other keys and perform similar attacks against payment systems.
There are already several key block implementations hanging around, which are in an active use:
In this article we will have a closer look at TR-31 and Thales Key Block and share some useful information.
TR-31 Key Blocks are described in the ANSI X9.24-1-2017 specification. The key block structure consists of three parts (Header, Encrypted key data and MAC).
Header: is the least sensitive part of the key block. It defines the key block type, key usage and key type
Encrypted key data: Contains all the key sensitive data including the actual key key value, its size. It can optionally contain the ciphering mode used and data padding options.
MAC: (The Message Authentication Code) is an integrity check of the Header and Key data and ensures that the key block has not been modified.
Let’s take a closer look onto a Thales Key block.
The Thales key block is based on the TR-31 key block that has been standardized for key exchange between communicating parties. A Thales key block refines and extends the TR-31 key block specification.
Two types of Thales Key Block LMKs are supported by the PayShield 9000 & PayShield 10k:
The ability to support Thales Key Blocks was initially introduced in the HSM 8000 in software release v3.0, and is also available on the PayShield 9k++ from its v1.0 firmware.
The Thales Key Block is denoted by key scheme “S”, it consists of four parts:
The Header determines how the key contained in the key block may be used. Only specific field values for the Header are permitted for HSM commands. If a key block with the “wrong” Header is submitted in a command message then the HSM will return an error code.
It is a 16-byte (clear) header, which defines the key usage (e.g. Visa PVV) and mode of use (e.g. verification only), the algorithm with which the key is used (e.g. 3DES) and the limitations on the exportability of the key (e.g. no export permitted); the Header also identifies the LMK used to encrypt the key in the key block.
Keyblock header values MUST be chosen with care. They SHOULD also be chosen to be as restrictive as possible for the particular key type and key usage; special attention SHOULD be given to:
Note: Some changes to keyblock header values are permitted (via a host command), but only to restrict key usage further. For example, a key initially designated as a “MAC generate and verify” key can later have its header changed to make it a “MAC generate only” key, but the reverse change is not permitted. Similarly, if a key is designated as “non-exportable” then it cannot later be changed to “exportable”.
The Optional Header comprises a number of Optional Header blocks, each with the following structure:
The Optional header block contains clear text unencrypted values and could be used,for example, to define the validity period for the key contained in the key block. The maximum length of an Optional Header block is 255 bytes (and the minimum length is 4 bytes). In theory, a key block may have a maximum of 99 optional blocks. In practice, however, only a small number of different types of optional blocks have been defined and each optional block identifier must be unique and may not be repeated.
The only part of the key block that is encrypted is the Key Data, which contains the actual key stored in the key block. The encryption algorithm used to protect the Key Data depends on the specific Keyblock scheme being used:
Note: The minimum padding necessary for AES, RSA and HMAC keys will always be applied.
The Key Block Authenticator ensures the integrity of the Key Block, and is calculated over the Header, Optional Header Blocks and the Key Data. The authentication algorithm used depends on the specific Key Block LMK being used:
The key types that may be included in a Thales key block are DES and 3DES keys, HMAC keys and RSA public and private keys. Note that an RSA public key is not encrypted, but the key block is still authenticated.
Migrating to the new key block formats will be complicated task, just like any cryptographic migration as the definition of Cryptographic Key Blocks by the standard is very rigorous and requires a strict implementation. All PCI:DSS requirements are now migrating towards the use of new key blocks, such as TR-31.
Legacy applications will need to be changed.