Key Block Header
So let's review TR-31 key blocks. Focusing on key generation: a system generates a Key Block Protection Key (KBPK) and then derives from it a Key Block Encryption Key (KBEK) and a Key Block Authentication Key (KBAK). If one wants to protect a key in a payments system, one first needs to define the purpose of the key and additional header
This header carries the key's usage and exportability attributes. It is not encrypted, and it may also contain optional header blocks as allowed by TR-31. One very specific difference from other key block formats is that the header appears twice within a TR-34 key block: once in clear text at the start of the key block
An X9.143 key block always begins with a key block header consisting of a required 16-byte fixed-length portion followed by zero to 99 variable-length optional blocks. Table 1 shows the format of the required fixed-length portion of the header and lists only those values supported by ICSF.
Here is a list of the most common key block formats. TR-31-compatible Atalla Key Block: this is by far the oldest and the 'father' of all the other key blocks. The Atalla key block format consists of an 8-byte header holding the key's attributes and a 48-byte key field containing the Triple-DES cipher-block-chaining
TR-31 key block header field (offset 0, length 1): Key block version ID. Identifies the version of the key block, which defines the method by which it is cryptographically protected and the content and layout of the block. The allowed key block version ID values depend upon the Key Context value (offset 14 in the KBH).
A key bundle is clear text, i.e., not encrypted and not protected from modification. When it is "bundled" or "wrapped" into a key block, cryptographic operations are performed to provide both confidentiality and integrity protection. Cryptographic key blocks may be used to protect both TDEA and AES keys. [1] See ANSI X9.24-1, 7.4.
"The TR-31 key block is a format defined by the ANSI Standards Committee to support interchange of symmetric keys in a secure manner and with key attributes included in the exchanged data. CCA supports the management of DES keys, AES keys, and HMAC keys using TR-31."
Analysis of the Thales Key Block Format. The Thales key block supports two kinds of key encryption, under a Triple-DES or an AES key block LMK (i.e., the key is encrypted by the LMK). In both cases the Initialization Vector (IV) is taken from bytes of the header, which directly binds the header to the encrypted key data.
TR-31 key block structure:
- Header: the least sensitive part of the key block. It defines the key block type, key usage and key type.
- Encrypted key data: contains all the sensitive key material, including the actual key value and its size. It can optionally contain the ciphering mode used and data padding options.
The header generator finalizes a header by adding a "PB" padding block if necessary to ensure that the header length is a multiple of the cipher block size; this only comes into play once optional blocks are present, since the 16-byte fixed header is already block-aligned for both TDEA and AES. While the Key Block Length field remains "0000" during header generation, it is calculated and filled in automatically within the wrapping mechanism.
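The header layout, optional-block encoding, "PB" padding rule and length back-fill described in the passages above, as an added example (not code from any of the sources quoted on this page). It builds a clear-text header, pads it to the wrapping cipher's block size, and parses a whole key block back into header, encrypted key data and MAC with the consistency checks a receiver should apply. Wrapping itself (KBEK/KBAK derivation, encryption, MAC) is out of scope; the sample key block is constructed, with filler hex standing in for ciphertext and MAC, and the 4-digit extended-length width is an assumption of this example.

```python
"""TR-31 / X9.143 key block header: build, pad with a "PB" block, and parse.

Added example for this page, not code from the quoted sources. Only the clear
header and outer layout are handled; the sample data below is constructed.
"""
from dataclasses import dataclass, field

FIXED_LEN = 16
# Wrapping cipher block size in bytes (A, B, C: TDEA; D: AES). The header is
# ASCII (one byte per char), so it is padded to this many characters; the
# encrypted key data is hex, so each cipher block is twice as many characters.
BLOCK_BYTES = {"A": 8, "B": 8, "C": 8, "D": 16}
MAC_CHARS = {"A": 8, "B": 16, "C": 8, "D": 32}   # trailing MAC, hex characters


@dataclass
class KeyBlockHeader:
    version_id: str
    key_block_length: int
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version_number: str
    exportability: str
    reserved: str                     # bytes 14-15 (Key Context + reserved in X9.143)
    optional_blocks: list = field(default_factory=list)   # [(id, data), ...]


def _encode_block(block_id: str, data: str) -> str:
    """ID (2) + length (2 hex, counting ID, length and data) + data. Blocks over
    0xFF chars use the extended form: "00", then the digit count of the extended
    length field (2 hex), then that field."""
    length = 4 + len(data)
    if length <= 0xFF:
        return f"{block_id}{length:02X}{data}"
    ll = 4  # assumption: a 4-hex-digit extended length is enough for this example
    length = 2 + 2 + 2 + ll + len(data)
    return f"{block_id}00{ll:02X}{length:0{ll}X}{data}"


def build_header(version_id, key_usage, algorithm, mode_of_use,
                 key_version_number, exportability, optional_blocks=()):
    """Clear-text header with the length field left as "0000" for the wrapper."""
    bs = BLOCK_BYTES[version_id]
    body = "".join(_encode_block(i, d) for i, d in optional_blocks)
    count = len(optional_blocks)
    if body and (FIXED_LEN + len(body)) % bs:
        pad = bs - (FIXED_LEN + len(body)) % bs   # bring header to a block multiple
        if pad < 4:                               # PB needs room for its ID + length
            pad += bs
        body += _encode_block("PB", "0" * (pad - 4))
        count += 1
    if count > 99:
        raise ValueError("a header holds at most 99 optional blocks")
    fixed = (f"{version_id}0000{key_usage}{algorithm}{mode_of_use}"
             f"{key_version_number}{exportability}{count:02d}00")
    if len(fixed) != FIXED_LEN:
        raise ValueError("fixed header fields have the wrong width")
    return fixed + body


def set_key_block_length(header: str, total_chars: int) -> str:
    """Back-fill the 4-digit length once the whole key block length is known."""
    return header[0] + f"{total_chars:04d}" + header[5:]


def parse_header(kb: str):
    """Parse fixed header + optional blocks; return (header, encrypted-data offset)."""
    if len(kb) < FIXED_LEN:
        raise ValueError("key block shorter than the 16-character fixed header")
    if kb[0] not in BLOCK_BYTES:
        raise ValueError(f"unsupported key block version ID {kb[0]!r}")
    hdr = KeyBlockHeader(kb[0], int(kb[1:5]), kb[5:7], kb[7], kb[8],
                         kb[9:11], kb[11], kb[14:16])
    pos = FIXED_LEN
    for _ in range(int(kb[12:14])):
        block_id = kb[pos:pos + 2]
        length = int(kb[pos + 2:pos + 4], 16)
        data_start = pos + 4
        if length == 0:                                  # extended length form
            ll = int(kb[pos + 4:pos + 6], 16)
            length = int(kb[pos + 6:pos + 6 + ll], 16)
            data_start = pos + 6 + ll
        if length < data_start - pos or pos + length > len(kb):
            raise ValueError(f"optional block {block_id!r} has an invalid length")
        hdr.optional_blocks.append((block_id, kb[data_start:pos + length]))
        pos += length
    if pos % BLOCK_BYTES[kb[0]]:
        raise ValueError("header is not a cipher-block multiple (PB block missing or wrong)")
    return hdr, pos


def parse_key_block(kb: str):
    """Split a key block into (header, encrypted key data hex, MAC hex) with checks."""
    hdr, off = parse_header(kb)
    if hdr.key_block_length != len(kb):
        raise ValueError("key block length field does not match actual length")
    mac_len = MAC_CHARS[hdr.version_id]
    enc, mac = kb[off:-mac_len], kb[-mac_len:]
    if not enc or len(enc) % (2 * BLOCK_BYTES[hdr.version_id]):
        raise ValueError("encrypted key data is not a whole number of cipher blocks")
    return hdr, enc, mac


# Constructed sample: version D, PIN encryption key (P0), TDEA (T), encrypt-only
# (E), non-exportable (N), one KS (key set identifier) optional block.
SAMPLE_HEADER = build_header("D", "P0", "T", "E", "00", "N",
                             [("KS", "00604B120F9292800000")])
SAMPLE_ENC = "AB" * 32   # filler for 32 bytes of AES-wrapped key data, not real ciphertext
SAMPLE_MAC = "CD" * 16   # filler for a 16-byte MAC
SAMPLE_KEY_BLOCK = (set_key_block_length(SAMPLE_HEADER, len(SAMPLE_HEADER)
                                         + len(SAMPLE_ENC) + len(SAMPLE_MAC))
                    + SAMPLE_ENC + SAMPLE_MAC)

if __name__ == "__main__":
    print(SAMPLE_KEY_BLOCK)
    print(parse_key_block(SAMPLE_KEY_BLOCK)[0])
```

The 40-character header produced for the sample (16 fixed + 24 for the KS block) is not a multiple of the AES block size, so `build_header` appends an 8-character `PB` block and reports two optional blocks; a receiver that skips the alignment check in `parse_header` will happily accept a header that the wrapper would have MACed over different byte boundaries.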