COPYRIGHT © 2013, STS ASSOCIATION.
STS 600-4-1 Ed 1.1 : STS – Enhanced KMS
PAGE 1 OF 62

600-4-1 Standard Transfer Specification - Enhanced Key Management System

1. Introduction

This document specifies an enhanced Key Management System (infrastructure) for the Standard Transfer Specification (STS). Some of the main features are: provision for a distributed KMC architecture, remote coding of distributed HSM, key expiry and enhanced security levels conforming to NIST recommendations.

It extends the codes of practice of the STS Association and recommends maintenance of various IEC 62055-41 entities to provide security consistent with contemporary standards.

The intention is to implement the recommendations of section D and E, the 64-bit block ciphers CAST or MISTY, as a first step, thus maintaining backward compatibility with the 64-bit token payload and the 20-digit numeric token carrier for keypad implementation, while taking advantage of the improved 128-bit key security level. The 128-bit AES block ciphers will be implemented in a 2nd step once the requirements for larger bandwidth token become clearer.

Two review reports from an independent security consultant (Ziliant Systems) are appended for reference. RPT-0031-120 covers the review prior the final release while RPT-0032-120 covers the final release after corrections and recommended changes were made.

2. Audience

STS Association.
STS SM and KMC developers.

3. Notices

DISCLAIMER

This document was prepared by Prism Payment Technologies (Pty) Ltd (“PRISM”) for the STS Association. PRISM makes no representations or warranties whether expressed or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.

PATENTS AND INTELLECTUAL PROPERTY
Some elements of this document may be the subject of patent rights. PRISM shall not be held responsible for identifying any or all such patent rights.

TERMINOLOGY

The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in [RFC 2119].
4. Contents

1. Introduction ..... 1
2. Audience ..... 1
3. Notices ..... 1
4. Contents ..... 3
5. Overview ..... 6
6. Definitions, Abbreviations and Symbols ..... 7
6.A. Definitions ..... 7
6.B. Abbreviations ..... 7
6.C. Symbols ..... 7
7. Key Management Process (diagrams) ..... 9
7.A. Setup process for SM Manufacturers and KMCs ..... 9
7.B. Key publication after SM manufacture or maintenance ..... 9
7.C. Vending Key Load Request and Response ..... 10
8. Data Types and Encodings ..... 11
8.A. Types ..... 11
8.A.1. Alphabets ..... 11
8.A.2. Sizes ..... 11
8.A.3. IDENT ..... 12
8.A.4. TIMESTAMP ..... 12
8.B. BCD ..... 12
8.C. BASE16 and BASE16-DECODE ..... 12
8.D. Integer, field element and point conversions ..... 13
8.D.1. Integer-to-Octet-String (I2OSP) ..... 13
8.D.2. Octet-String-to-Integer (OS2IP) ..... 13
8.D.3. Field-Element-to-Octet-String (FE2OSP) ..... 13
8.D.4. Octet-String-to-Field-Element (OS2FEP) ..... 13
8.D.5. Point-to-Octet-String (EC2OSP) ..... 13
8.D.6. Octet-String-to-Point (OS2ECP) ..... 13
8.E. CRC16-MODBUS ..... 14
8.F. LVCONCAT ..... 14
8.G. Delimited Field strings ..... 15
8.G.1. DFCONCAT ..... 15
8.G.2. DFPARSE ..... 16
8.H. Records ..... 16
8.H.1. BUILD-RECORD ..... 16
8.H.2. PARSE-RECORD ..... 16
9. Cryptographic Primitives ..... 18
9.A. AES-192 in CCM mode ..... 18
9.B. SHA-384 ..... 18
9.C. HMAC-SHA-384-192 ..... 18
9.D. KDF-X963-SHA-384 ..... 19
9.E. ECC CDH in NIST P-384 ..... 19
9.F. One-Pass Unified Model Key Agreement Scheme C(1, 2, ECC CDH) ..... 20
9.G. ECDSA in NIST P-384 ..... 20
9.G.1. ECDSA-SIGN ..... 21
9.G.2. ECDSA-VERIFY ..... 21
9.H. GENERATE-KEY ..... 21
9.I. VALIDATE-KEY ..... 21
10. Data Formats and Structures ..... 23
10.A. PKID ..... 23
10.B. PUBKEY ..... 23
10.C. VKLOADREQ ..... 24
10.D. VKLOADRESP ..... 25
10.E. WRAPPED-KEY ..... 25
10.E.1. Attributes ..... 25
11. SM Manufacturer Setup ..... 27
11.A. Recommended process to generate and publish PUBKEYMAN ..... 27
12. SM Initialisation ..... 29
12.A. Prerequisites: SM ..... 29
12.B. SM Initialisation and PUBKEY certification ..... 30
12.B.1. Recommended process to generate and certify PUBKEYSM ..... 30
12.C. SM PUBKEY publication ..... 31
13. KMC Initialisation ..... 32
13.A. Prerequisites: KMC HSM ..... 32
13.B. Prerequisites: KMC ..... 32
13.C. KMC Setup ..... 33
13.C.1. Recommended process to generate and publish PUBKEYKMC ..... 33
13.D. KMC operation ..... 34
13.D.1. SM Manufacturer PUBKEYMAN updates ..... 34
13.D.2. Approved HWID & FWID list updates ..... 34
13.D.3. Supply Group management instructions ..... 34
13.D.4. SM PUBKEY updates ..... 34
14. SM Vending Key Load Request ..... 35
15. KMC Vending Key Load Response ..... 38
16. SM KEK Confirmation and Vending Key Import ..... 43
17. End-of-life and key compromise procedures ..... 45
17.A. SM Manufacturer ..... 45
17.A.1. End-of-life ..... 45
17.A.2. Storage Master Key (SMK) or private ECDSA key (dMAN) compromise ..... 45
17.B. SM ..... 45
17.B.1. End-of-life ..... 45
17.B.2. Private ECC CDH key (dSM) compromise ..... 46
17.B.3. Storage Master Key (SMK) or Vending Key (VK) compromise ..... 46
17.C. KMC ..... 46
17.C.1. End-of-life ..... 46
17.C.2. Key compromise ..... 46
A. Normative References ..... 48
B. Bibliography ..... 49
C. Vending Key attributes ..... 52
D. Encryption Algorithms for IEC 62055-41 ..... 53
D.1. CAST-128 (EA=12) ..... 53
D.2. MISTY1 (EA=11) ..... 53
E. Decoder Key Generation Algorithm for IEC 62055-41 ..... 54
E.1. HMAC-DKGA (DKGA=04) ..... 54
E.2. KDF108-Feedback-HMAC-SHA-384 ..... 54
F. Record-in-email format ..... 56
G. File-of-records format ..... 57
H. Summary of cryptographic primitives and standards ..... 58
I. Summary of functions ..... 61
J. Summary of required Codes of Practice and Registries ..... 62
5. Overview

This document specifies a Key Management System (infrastructure) for the Standard Transfer Specification (STS) – as contemplated in [IEC 62055-41] section 9 and Annex A – including all relevant cryptographic techniques, protocols, and data formats.

The infrastructure is intended to:

1. Standardise Security Module (SM) initialisation and vending key transfer from a Key Management Centre (KMC) to an SM.
2. Conform to contemporary standards for key management and cryptographic security, with the expectation that the specified cryptographic techniques may remain in use until the year 2045.
3. Enable secure remote coding of SMs to simplify logistical processes.
4. Support the STSA Code of Practice for Token ID rollover [STS COP 402-1].

The security target has been set at 128 bits for the whole system and 192 bits for key management operations, in accordance with the key and algorithm security-strength recommendations of [NIST SP800-57 PART 1] and [NIST SP800-131A].

All cryptographic protocols and algorithms in this specification are standardised by ISO and NIST. Algorithms – other than those prescribed or constrained by [IEC 62055-41] – are approved for US Smart Grid Cyber Security by [NISTIR 7628], and meet or exceed¹ the Augmented Requirements for US Federal Cryptographic Key Management Systems [NIST SP800-152 DRAFT].

This document contains the following information:

- Definitions of the Terms, Abbreviations and Symbols that are used, which should be read in conjunction with the corresponding sections of [IEC 62055-41].
- Key management process diagrams summarising the steps in the initial and operational key management processes.
- Specification of Data Types and Encodings that are used to provide exact representations of logical data fields.
- Definitions of Cryptographic Primitives and Data Formats and Structures used in key management processes.
- Initial key management and trust establishment processes, comprising SM Initialisation and KMC Initialisation.
- The operational key management process, comprising the Vending Key Load Request sent by the SM to the KMC, and the Vending Key Load Response from the KMC.
- A reference to Vending Key Attributes that may be transferred with the vending key.
- Recommendations for new Encryption Algorithms (STS EA) and a new Decoder Key Generation Algorithm (STS DKGA) that meet the security target and which may be included in a revision of [IEC 62055-41].

¹ This specification has a higher security target than [NIST SP800-152 DRAFT] and thus uses larger key sizes that exceed the security requirement of that standard, but do not meet the interoperability requirements.
6. Definitions, Abbreviations and Symbols

6.A. Definitions

See also [IEC 62055-41] section 3.1 “Terms and definitions”.

BCD: Packed Binary Coded Decimal [W:BCD]. Each decimal digit is encoded as one nibble (4 bits). For example BCD(“1234”) = x’1234.

Big Endian: Byte ordering from most significant to least significant. See Wikipedia:Endianness [W:END].

Bit string: A bit string is an ordered sequence of 0’s and 1’s.

Cryptographic boundary: Continuous perimeter that establishes the physical and/or logical bounds of a Cryptographic Module (Security Module). See [ISO 19790].

Octet: An eight-bit byte. See Wikipedia:Octet [W:OCT].

Octet string: A variable-length ordered sequence of octets (eight-bit bytes). See [ITU X.680] (ASN.1) and Wikipedia:Octet [W:OCT]. Any bit string with length a multiple of 8 may be interpreted as an octet string (starting from the left of the bit string, each group of 8 bits is an octet).

6.B. Abbreviations

See also [IEC 62055-41] section 3.2 “Abbreviations”.

HSM: Hardware Security Module, also called a Cryptographic Module. This abbreviation usually refers to a Security Module used by the KMC to manage keys and perform cryptographic operations.

IV: Initialisation Vector, used in some block cipher modes of operation. Also called a Starting Variable (SV).

KMC: Key Management Centre, an infrastructure component used to manage keys in an STS system (as in [IEC 62055-41]).

PRF: Pseudorandom function.

RBG: Random Bit Generator such as those defined in [ISO 18031] or [NIST SP800-90].

RTC: Real-time Clock.

SM: Security Module (called a “Cryptographic Module” in [IEC 62055-41]).

6.C. Symbols

a × b or a.b: Integer multiplication; the product of integers a and b.

a / b: Real division; the quotient of a divided by b as a real number.

a ÷ b: Integer division with truncation; the largest integer x where x ≤ a/b.

⌈a⌉: The ceiling of real number a: the smallest integer ≥ a. ⌈a/b⌉ = (a+b-1)÷b.

∑ ai for i=1 to n: The sum of values a1 + a2 + … + an.
a ≡ b (mod q): a is congruent to b modulo q.

∅: A null or empty field.

[n,m]: The interval (range) of integers between and including n and m.

a ∥ b: The ordered concatenation of the octet- or bit-strings a and b.

|L|: The length in bits of the octet- or bit-string L.

a ⨁ b: The bitwise exclusive-OR (bitwise addition modulo 2) of octet- or bit-strings a and b.

x’H1H2…H2n: An octet string represented as a sequence of Base16 digits (0-9, A-F). Each octet si in an n-octet string S = s1 s2 … sn is represented by a pair of digits H2i-1H2i in the Base16 alphabet such that si = H2i-1 × 16 + H2i. See also BASE16() in section 8.C. For example, x’012345 is a sequence of octets 0x01, 0x23, 0x45.

BitLen(x): Length in bits of bit string or octet string x.

OctetLen(x): Length in octets of octet string x.
7. Key Management Process (diagrams)

7.A. Setup process for SM Manufacturers and KMCs

The SM Manufacturer Setup process (Step ① in the following diagram) is performed once when an SM Manufacturer adopts this key management specification, and infrequently thereafter (whenever the manufacturer’s digital signing key pair expires, typically every 3 to 5 years).

The KMC Initialisation process (Step ②) is performed once when a KMC is first commissioned, and infrequently thereafter (whenever the KMC’s key establishment key pair expires, typically every 2 to 3 years).

7.B. Key publication after SM manufacture or maintenance

Whenever fresh cryptographic trust must be established in a Security Module (SM) – such as after manufacture, refurbishment or maintenance – the SM Initialisation process (steps ③, ④ and ⑤ in the following diagram) must be performed.

Diagram (steps ① to ⑤). Parties: SM Manufacturer (secure manufacturing facility), SM, KMC and SM Operator; the SM is physically delivered from the SM Manufacturer to the SM Operator.

① SM Manufacturer Setup: Each SM Manufacturer generates a key pair for digital signing, and sends the public key (PUBKEYMAN) to each KMC (by e-mail) (to be used in steps ④ and ⑤). KMCs import the public keys from SM manufacturers.

② KMC Initialisation: Each KMC generates a key pair for key establishment, and publishes the public key (PUBKEYKMC) to all SM Operators (to be used in steps ⑥ and ⑦).

③ SM Initialisation: The SM generates a key pair for key establishment, and gives the public key (PUBKEYSM) to the Manufacturer. The key pair is used in steps ⑥ and ⑦.

④ SM PUBKEY Publication: The SM Manufacturer certifies (signs) the SM’s identity and public key (PUBKEYSM) using the Manufacturer’s signing key (from step ①), and sends the certified public key to each KMC (by e-mail).

⑤ SM PUBKEY Import: Each KMC receives the certified SM public key (and identity) from the Manufacturer, verifies the certificate (signature) using the Manufacturer’s public key (PUBKEYMAN imported in step ①), then stores the certified SM public key in the database.
7.C. Vending Key Load Request and Response

Whenever an SM needs new or updated Vending Keys (VKs) from any KMC, the SM must prepare a Vending Key Load Request (step ⑥ in the following diagram) that is sent to the KMC. The KMC uses the SM’s certified public key (imported in step ⑤) to verify that the request originated from an authentic SM, then replies with a Vending Key Load Response (step ⑦) that authenticates the KMC to the SM and includes zero or more VKs.

Diagram (steps ⑥ and ⑦). Parties: SM Operator, SM and KMC.

⑥ Vending Key Load Request: An SM in a production environment, given a KMC’s public key (PUBKEYKMC) by a SM Operator, generates a VKLOADREQ which is sent to that KMC (by e-mail).

⑦ Vending Key Load Response: The KMC finds the SM’s public key (PUBKEYSM) in its database, authenticates the SM based on the request, and generates a response file containing a VKLOADRESP and zero or more Vending Keys (as WRAPPED-KEY records). The file is sent to the SM Operator (as an e-mail attachment).
8. Data Types and Encodings

8.A. Types

Some data elements must be represented using a limited alphabet and/or a fixed size. This section specifies alphabets, size notation and encodings.

8.A.1. Alphabets

The following table names and describes various alphabets:

Alphabet | Short name | [POSIX RE] | Description
Printable ASCII | P | [\x20..\x7E] or [[:print:]] | Each octet is a single character in the US-ASCII [W:ASCII] encoding, and SHALL be in the range of printable characters [W:ASCII] (x’20 – x’7E inclusive).
Alphabetic (Letter) | A | [A-Za-z] or [[:alpha:]] | A printable ASCII character in the English alphabet, that is, a letter in the range ‘A’ (x’41) to ‘Z’ (x’5A) or ‘a’ (x’61) to ‘z’ (x’7A) inclusive.
Decimal | D | [0-9] or [[:digit:]] | A printable ASCII character in the range ‘0’ (x’30) to ‘9’ (x’39) inclusive, used as the alphabet for base 10 encoding.
Hexadecimal [W:HEX] | H | [0-9A-F] | A printable ASCII character in the range ‘0’ (x’30) to ‘9’ (x’39) or ‘A’ (x’41) to ‘F’ (x’46) inclusive, used as the alphabet for Base16 encoding.
Alphanumeric | AN | [A-Za-z0-9] | A character that is either Alphabetic or Decimal.

8.A.2. Sizes

The following table gives a compact notation used to express fixed- or variable-length fields of a particular alphabet:

Notation | Description | Examples
nT | A fixed-length field of n characters from alphabet T. n is a decimal number, and T is a short name from section 8.A.1. | 1D, 3AN, 8H
n-mT | A variable-length field of characters from alphabet T, with minimum length of n and a maximum length of m characters. n and m are decimal numbers, and T is a short name from section 8.A.1. | 2-4D, 0-16A
xnT | A variable-length field of characters from alphabet T, with length a multiple of x (a decimal number). T is a short name from section 8.A.1 and n is a literal ‘n’. | 2nH
COP
PYRIGHT © 201
8.A.3
An IDchara‘, x’2RE] [
8.A.4
A TIMand t
The “D, h,calenmm i
Notealter
8.B. BCD
PackeEach
Func
Exam
8.C. BAS
The Bstring
Func
Noteuppe
3, STS ASSOCIA
. IDENT
DENT is a speacters that aD), period (‘A-Za-z][A-Za
4. TIMESTAM
MESTAMP is time point us
“T” and “Z” a m, s are De
ndar day of tis a minute f
e that the unative repre
D
ed Binary Codigit is enco
tion descript
BCD(X) ostring X BCD(X) o
mple: If X=”01
SE16 and BAS
Base 16 encogs in the form
tion descript
BASE16(Xof hexad(i = 1, 2, …is the sam
BASE16-DBASE16-DHexadeci
e that in keeercase alphab
ATION.
ecial type coare either Alp.’, x’2E) or co
a-z0-9_\-.,]{0
MP
an instant insing [ISO 860
are literal, inecimal . YYYthe month (trom “00” to
se of hh=”2sentations, e
oded Decimaoded as one n
tion:
outputs the p(type 2nD).
outputs x’d1d
12345” with
SE16-DECOD
oding [RFC 4m of hexade
tion:
X) where X idecimal cha…, n), h2i-1 is me translatioDECODE(X) DECODE(BASimal alphabe
eping with tbetic charact
omprising onphanumeric omma (‘,’, x’20,98} (maxim
n Coordinate01] (NORMAT
ndicating a tYY is a calendthe first day “59”, and ss
24” for midnextended for
al [W:BCD] inibble (4 bits
packed Binar If X=d1d2…
d2…d2n-1d2n.
OctetLen(X)
DE
4648] (NORM
cimal [W:HE
s a sequenceracters h1 hthe top 4 bi
on of the botis the inversSE16(X)) = Xet.
the definitioters ‘A’ to ‘F’
ne Alphabeticor one of th2C). IDENT ium length 9
ed UniversalTIVE) basic for
imestamp (“dar year, MMis “01”). hh
s is a second
night or ss=rmats or sep
is a compacts) in the outp
ry Coded Dec…d2n where d
)=6, then BC
MATIVE, SECTIO
EX] strings.
e of octets x2 … h2n+1 (alsits of xi transttom 4 bits ose of BASE1X. The oper
on of the H’ are permitt
STS
c letter (1A)e following:s described 9 characters
Time (UTC) rmat: YYYYM
“T”) in UTC (M is a calen
h is an hour ofrom “00” to
=”60” for a parators are p
t representaput.
cimal represdi is an octe
D(X)=x’0123
ON 8) is inten
1 x2 … xn (an so an octetslated into th
of xi. 16(X), also kration SHALL
exadecimal ted in the ou
600-4-1 Ed 1
followed byunderscore by the regula
s).
representedMMDDThhmm
“Z”) format. ndar month of day in theo “59”.
leap secondpermitted.
tion for strin
entation of 2et in the de
345 with Octe
nded to repr
octet string)t string) suche Hexadeci
nown as theL fail if X is
alphabet inutput.
1.1 : STS – En
y zero to nine(‘_’, x’5F), hyar expressio
d as a complmssZ.
All charact(Jan = “01”)e range “00”
d are prohib
ngs of decim
2n-charactercimal alpha
etLen(BCD(X
esent arbitra
) outputs a sch that for mal alphabe
e decode op not a strin
n section 8.A
nhanced KM
PAGE 12 OF 6
ety-eight yphen (‘-n [POSIX
lete date
ers Y, M, , DD is a
” to “23”,
bited. No
mal digits.
r decimal bet then
X))=3.
ary octet
sequence every xi
et and h2i
peration: ng in the
A.1, only
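The following is an added example, not part of the STS 600-4-1 text: strict checkers and encoders for the IDENT, TIMESTAMP, BCD and BASE16 types of sections 8.A.3 to 8.C. The point worth seeing in code is how much a receiver has to reject: a timestamp with separators, hh="24", ss="60" or an impossible calendar day, and a hexadecimal string in lower case, all FAIL rather than being normalised. FAIL is modelled as a ValueError, and the sample inputs are constructed for the example.

```python
import re

# Added example (not part of the STS 600-4-1 text): strict checkers and
# encoders for the IDENT, TIMESTAMP, BCD and BASE16 types of sections
# 8.A.3 to 8.C.  FAIL is modelled as a ValueError.

# IDENT: one letter, then 0..98 characters from [A-Za-z0-9_\-.,] (max 99).
IDENT_RE = re.compile(r"[A-Za-z][A-Za-z0-9_\-.,]{0,98}")

def is_ident(s: str) -> bool:
    return IDENT_RE.fullmatch(s) is not None

# TIMESTAMP: ISO 8601 basic format YYYYMMDDThhmmssZ and nothing else.
TIMESTAMP_RE = re.compile(r"(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z")

def parse_timestamp(s: str) -> tuple:
    """Return (Y, M, D, h, m, s) for a valid TIMESTAMP or raise ValueError.
    Extended formats, separators, hh=24 and ss=60 are all rejected."""
    m = TIMESTAMP_RE.fullmatch(s)
    if m is None or not s.isascii():   # \d would also accept non-ASCII digits
        raise ValueError("not a basic-format UTC TIMESTAMP")
    y, mo, d, hh, mm, ss = (int(g) for g in m.groups())
    leap = (y % 4 == 0 and y % 100 != 0) or y % 400 == 0
    days = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    if not (1 <= mo <= 12 and 1 <= d <= days[mo - 1]):
        raise ValueError("invalid calendar date")
    if hh > 23 or mm > 59 or ss > 59:
        raise ValueError("hh=24 and ss=60 are prohibited")
    return (y, mo, d, hh, mm, ss)

def bcd(x: str) -> bytes:
    """BCD(X): pack a 2n-character decimal string into n octets, one nibble per digit."""
    if len(x) % 2 or any(c not in "0123456789" for c in x):
        raise ValueError("BCD input must be an even-length decimal string")
    return bytes.fromhex(x)   # hex-parsing decimal digits is exactly nibble packing

HEX_ALPHABET = "0123456789ABCDEF"

def base16(x: bytes) -> str:
    """BASE16(X): upper-case hexadecimal, two characters per octet."""
    return x.hex().upper()

def base16_decode(h: str) -> bytes:
    """BASE16-DECODE(X): SHALL fail on anything outside the upper-case alphabet."""
    if len(h) % 2 or any(c not in HEX_ALPHABET for c in h):
        raise ValueError("not a string in the Hexadecimal alphabet")
    return bytes.fromhex(h)

def fails(fn, *args) -> bool:
    """True if fn(*args) FAILs (raises ValueError); used to show rejections."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The regular expression is applied with fullmatch so that trailing characters cannot ride along behind a valid IDENT, and BASE16-DECODE checks the alphabet itself instead of relying on bytes.fromhex, which would silently accept lower case and embedded spaces.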
8.D. Integer, field element and point conversions
The functions described here are defined in [ISO 18033-2] (NORMATIVE) sections 5.2.5, 5.3.1 and 5.4.3, [ANSI X9.62] section A.5, [ANSI X9.63] section 4.3 and [NIST SP800-56A] Appendix C.
A field element of the prime field Fq is an integer in the range [0, q-1], and may also be represented by a big endian octet string of length exactly ⌈log2(q) / 8⌉ octets. For the NIST P-384 elliptic curve q is a 384-bit integer.
A point P on an elliptic curve over Fq has coordinates (xP, yP) that are both field elements of Fq. Point P may be represented by an ordered concatenation of a prefix octet x'04 and the octet string representations of xP and yP. This specification permits only the uncompressed form for elliptic curve points (thus the prefix octet is x'04, as for field "H" in [ISO 18033-2] section 5.4.3 and the "PC" octet in [ANSI X9.63] section 4.3.6).
Within the scope of this specification all points SHALL be on the NIST P-384 elliptic curve (see section 9.E), and field elements have corresponding limitations.

8.D.1. Integer-to-Octet-String (I2OSP)
Integer-to-Octet-String(x, L) accepts an integer x in the range [0, L-1] and outputs the octet string representation of x. Conversion fails if x is outside the range [0, L-1].
Let len = ⌈log2(L) / 8⌉, then output S, where S is the string of octets S1 S2 … Slen satisfying x = Σ 2^(8(len-i)) × Si for i = 1 to len.

8.D.2. Octet-String-to-Integer (OS2IP)
Octet-String-to-Integer(S, L) accepts an octet string S with length len = ⌈log2(L) / 8⌉ octets, and outputs the integer x represented by S. Conversion fails if x is outside the range [0, L-1].
Octet-String-to-Integer(Integer-to-Octet-String(x, L), L) = x.

8.D.3. Field-Element-to-Octet-String (FE2OSP)
Field-Element-to-Octet-StringDomain(x) is Integer-to-Octet-String(x, q) where q is given by the Domain parameters.

8.D.4. Octet-String-to-Field-Element (OS2FEP)
Octet-String-to-Field-ElementDomain(S) is Octet-String-to-Integer(S, q) where q is given by the Domain parameters.
Octet-String-to-Field-Element(Field-Element-to-Octet-String(x)) = x.

8.D.5. Point-to-Octet-String (EC2OSP)
Point-to-Octet-StringDomain(P) accepts a point P = (xP, yP) that is not the point at Infinity, and outputs the octet string S = x'04 ∥ Field-Element-to-Octet-StringDomain(xP) ∥ Field-Element-to-Octet-StringDomain(yP).

8.D.6. Octet-String-to-Point (OS2ECP)
Octet-String-to-PointDomain(S) accepts an octet string S and outputs a point P constructed from the coordinates (field elements) xP and yP in Fq, where q is given by the Domain parameters. Let FELen = ⌈log2(q) / 8⌉. Conversion fails if OctetLen(S) ≠ 1 + 2·FELen. Interpret S as an ordered concatenation of the fixed-length octet strings PC (1 octet), SL (FELen octets) and SR (FELen octets). FAIL if PC ≠ x'04. Compute xP = Octet-String-to-Field-ElementDomain(SL) and yP = Octet-String-to-Field-ElementDomain(SR), then output the point P = (xP, yP). Point P is not guaranteed to be a valid point on the curve, so the caller validates it (section 9.I) before using it in any scalar multiplication.
Octet-String-to-Point(Point-to-Octet-String(P)) = P.

8.E. CRC16-MODBUS
The CRC 16-bit checksum specified in [IEC 62055-41] (NORMATIVE) section 6.3.7, also known as CRC-16/MODBUS [CRC-CAT].
Function description:
- CRC16-MODBUS(x) computes and outputs a 16-bit checksum over the input octet string x using a Cyclic Redundancy Code with the generator polynomial (x^16 + x^15 + x^2 + 1) and the initial checksum 0xFFFF.
This specification treats the CRC as an integer (16-bit big endian bit string), whereas [IEC 62055-41] formats the CRC as a two octet little-endian value.
The CRC parameters in the Rocksoft™ model [ROCKSOFT] are:
  width=16 poly=0x8005 init=0xffff refin=True refout=True xorout=0x0000 check=0x4b37 (input="123456789")
Lammert's On-line CRC calculator [LAMMERT] supports this checksum and can be used to validate implementations.
A CRC detects accidental corruption only; it offers no protection against deliberate modification, which in this specification is provided by the Fingerprint, Signature and MAC fields of the records concerned.

8.F. LVCONCAT
(Mnemonic: "Length-Value Concatenation") LVCONCAT is a formatting function that produces an ordered concatenation of octet strings, each with a length prefix. The output is a one-to-one mapping of the inputs, can be parsed unambiguously into the original inputs, and is prefix-free.
LVCONCAT is designed to format input fields to cryptographic functions such as key derivation and message authentication. It follows the principles of [CM10] to avoid exploitable ambiguities in interpretation, and meets the requirements for the following input data fields:
- FixedInput for the KDF in [NIST SP800-108] (sections 5 and 7).
- SharedInfo for the KDF in [ANSI X9.63] (section 8), equivalent to OtherInfo in [NIST SP800-56A] section 5.8.1.
- MacData (also called M) for key confirmation in [ISO 11770-3] section 9, [ANSI X9.63] and [NIST SP800-56A] section 8.2.
Function description:
- LVCONCAT(I1, I2, …, In) outputs as a string a one-to-one prefix-free encoding of the input octet strings I1, I2, …, In (0 ≤ n < 256, OctetLen(Ii) < 256) that can be unambiguously parsed into the original inputs.
Input:
- I1, I2, …, In, the n input octet strings.
Process:
- If n > 255 then FAIL.
- Set S to a 1 octet (8-bit) integer representation of n.
- For j = 1, 2, …, n do:
  o If OctetLen(Ij) > 255 then FAIL.
  o Set L to a 1 octet (8-bit) integer representation of OctetLen(Ij).
  o S = S ∥ L ∥ Ij.
- Output S.

8.G. Delimited Field strings
A delimited string is an ordered concatenation of fields that are separated from each other by a non-alphabetic delimiter (a character outside the field alphabet).
DFCONCAT (mnemonic: "Delimited Field Concatenation") is a formatting function that produces an ordered concatenation of printable ASCII strings that are separated from each other by a delimiter from the printable ASCII alphabet. The output is prefix-free with respect to all other outputs for the same number of input fields.
DFPARSE is the corresponding parsing function.

8.G.1. DFCONCAT
Function description:
- DFCONCAT(DELIM, I1, I2, …, In) outputs as a printable ASCII string a one-to-one encoding of the input printable ASCII strings I1, I2, …, In, none of which may contain the printable ASCII character DELIM. The output can be unambiguously parsed into the original inputs.
Input:
- DELIM, the delimiter character (printable ASCII, 1P).
- I1, I2, …, In, the n input printable ASCII strings.
Process:
- If DELIM is not a printable ASCII character (1P) then FAIL.
- Set S to an empty octet string.
- For j = 1, 2, …, n do:
  o If any octet in Ij equals DELIM or is not printable ASCII then FAIL.
  o S = S ∥ Ij ∥ DELIM.
- Output S.
Note that the output always ends with the delimiter character DELIM; this is necessary to obtain a prefix-free encoding of the inputs.

8.G.2. DFPARSE
Function description:
- DFPARSE(DELIM, S) is the inverse of DFCONCAT, also known as the parsing operation: DFPARSE(DELIM, DFCONCAT(DELIM, I1, I2, …, In)) = I1, I2, …, In. The operation fails if the octet string S is not a valid output of DFCONCAT(DELIM, …) (that is, a string of printable ASCII characters ending in DELIM).
Input:
- DELIM, the delimiter character (printable ASCII, 1P).
- S, the octet string to be parsed.
Process:
- If DELIM is not a printable ASCII character (1P) then FAIL.
- If the last octet in S is not DELIM then FAIL("Bad encoding in input").
- If any octet in S is not printable ASCII then FAIL("Bad characters in input").
- Split S into the fields O1, O2, …, On delimited by the character DELIM.
- Output n and O1, O2, …, On.

8.H. Records
A record is a data structure with multiple fields and a printable ASCII representation. Within this specification all data transfer and storage formats are defined as records.
A record combines into a printable ASCII string: a type indicator, an ordered sequence of fields, and a checksum. The type indicator must be an IDENT, and each field must be a printable ASCII string that does not contain the delimiter character '|'.

8.H.1. BUILD-RECORD
BUILD-RECORD(rectype, n, I1, I2, …, In) accepts as input an IDENT rectype, a positive integer n (0 < n < 256), and n printable ASCII strings that SHALL NOT contain the delimiter character DELIM = '|'. This function constructs R = DFCONCAT(DELIM = '|', rectype, I1, I2, …, In), computes C = CRC16-MODBUS(R) (C is a 16-bit big endian bit string) and outputs R ∥ BASE16(C).

8.H.2. PARSE-RECORD
PARSE-RECORD(rectype, n, S) accepts as input an IDENT rectype, a positive integer n (0 < n < 256), and an octet string S.
Process:
- DELIM is '|'.
- If S does not start with the string rectype ∥ DELIM then FAIL("Input is not a record of type " ∥ rectype).
- If OctetLen(S) < (OctetLen(rectype) + 5) then FAIL("Missing CRC on record " ∥ rectype).
- Split S into R ∥ C', where C' is the last 4 characters of S.
- Compute C = CRC16-MODBUS(R), where C is a 16-bit big endian bit string.
- If C' ≠ BASE16(C) then FAIL("Bad checksum on record " ∥ rectype).
- Parse R using DFPARSE(DELIM, R) to recover rectype and the fields O1, O2, …, Om (the first recovered string is rectype and is not counted in m). Propagate errors.
- If n ≠ m then FAIL("Wrong number of fields in record " ∥ rectype).
- Output O1, O2, …, On.
The CRC check guards against accidental corruption only; the authenticity of a record rests on the Fingerprint, Signature or MAC fields defined for each record type in section 10.
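The following is an added example, not code from the STS 600-4-1 specification: a working implementation of CRC16-MODBUS (section 8.E), LVCONCAT (8.F), DFCONCAT and DFPARSE (8.G) and BUILD-RECORD / PARSE-RECORD (8.H), built only from the Python standard library. It is checked against the published CRC check value 0x4B37, shows that a field carrying the record delimiter is refused rather than escaped (the injection case the prefix-free design exists for), and that a one-character change anywhere in a record is caught by the checksum. "Printable ASCII" is assumed to mean x'20 to x'7E; the sample record is constructed for the example and is not a real SM identity.

```python
# Added example (not from the STS 600-4-1 text): CRC16-MODBUS (section 8.E),
# LVCONCAT (8.F), DFCONCAT/DFPARSE (8.G) and BUILD-RECORD/PARSE-RECORD (8.H).
# FAIL is modelled as ValueError.  "Printable ASCII" is assumed to mean the
# characters x'20 to x'7E.

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: poly 0x8005 (0xA001 reflected), init 0xFFFF, refin and
    refout, no final XOR.  Returned as an integer; check("123456789") = 0x4B37."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def lvconcat(*fields: bytes) -> bytes:
    """LVCONCAT: one count octet, then each field with a one-octet length prefix."""
    if len(fields) > 255:
        raise ValueError("more than 255 fields")
    out = bytes([len(fields)])
    for f in fields:
        if len(f) > 255:
            raise ValueError("field longer than 255 octets")
        out += bytes([len(f)]) + f
    return out

def is_printable(s: str) -> bool:
    return all(0x20 <= ord(c) <= 0x7E for c in s)

def dfconcat(delim: str, *fields: str) -> str:
    """DFCONCAT: every field is followed by DELIM, so the output is prefix-free;
    a field containing DELIM (an injected separator) is rejected, not escaped."""
    if len(delim) != 1 or not is_printable(delim):
        raise ValueError("DELIM must be one printable ASCII character")
    out = ""
    for f in fields:
        if not is_printable(f) or delim in f:
            raise ValueError("field contains DELIM or a non-printable octet")
        out += f + delim
    return out

def dfparse(delim: str, s: str) -> list:
    """DFPARSE: inverse of DFCONCAT for well-formed input, FAIL otherwise."""
    if len(delim) != 1 or not is_printable(delim):
        raise ValueError("DELIM must be one printable ASCII character")
    if not s.endswith(delim):
        raise ValueError("Bad encoding in input")
    if not is_printable(s):
        raise ValueError("Bad characters in input")
    return s[:-1].split(delim)

DELIM = "|"

def build_record(rectype: str, *fields: str) -> str:
    """BUILD-RECORD: DFCONCAT('|', rectype, I1..In) followed by BASE16 of the CRC
    as a big-endian 16-bit value (IEC 62055-41 would write it little-endian)."""
    if not 0 < len(fields) < 256:
        raise ValueError("n must be in 1..255")
    r = dfconcat(DELIM, rectype, *fields)
    return r + "%04X" % crc16_modbus(r.encode("ascii"))

def parse_record(rectype: str, n: int, s: str) -> list:
    """PARSE-RECORD: type check, CRC check, then field-count check.  The
    printable-ASCII check is hoisted before the CRC so .encode('ascii') is safe."""
    if not s.startswith(rectype + DELIM):
        raise ValueError("Input is not a record of type " + rectype)
    if len(s) < len(rectype) + 5:
        raise ValueError("Missing CRC on record " + rectype)
    if not is_printable(s):
        raise ValueError("Bad characters in input")
    r, c_hex = s[:-4], s[-4:]
    if c_hex != "%04X" % crc16_modbus(r.encode("ascii")):
        raise ValueError("Bad checksum on record " + rectype)
    fields = dfparse(DELIM, r)[1:]        # first recovered string is rectype
    if len(fields) != n:
        raise ValueError("Wrong number of fields in record " + rectype)
    return fields

def fails(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False

# Constructed sample (not a real SM identity): a PKID-shaped record.
SAMPLE_FIELDS = ["ACME", "SM000123", "20130731T120000Z", "0123456789ABCDEF"]
SAMPLE_RECORD = build_record("SMID.1", *SAMPLE_FIELDS)
```

Because the CRC is a linear checksum, parse_record's checksum failure on the tampered sample demonstrates corruption detection only; an attacker who can rewrite a record can recompute the CRC, which is why the records of section 10 carry a Fingerprint, Signature or MAC in addition.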
9. Cryptographic Primitives
9.A. AES-192 in CCM mode
The AES block cipher with 192-bit cipher key as specified in [ISO 18033-3] (NORMATIVE) and [FIPS PUB 197], operated in CCM mode as specified in [ISO 19772] (NORMATIVE), [NIST SP800-38C] and [RFC 3610], with a tag length (MAC) of 128 bits.
This specification requires that the CCM implementation SHALL use a Flags Octet value of x'7B in B0, and SHALL NOT permit or accept any other value for the Flags Octet. Implementers should check that the Flags octet their CCM library derives from the 128-bit tag length and the 96-bit nonce length according to [NIST SP800-38C] is the mandated value, and reject any other.
Function description:
- AES-192-CCMENC(K, N, additional, plaintext) computes a 128-bit keyed authentication tag over the octet string inputs plaintext (maximum length 2^23-1 octets) and additional (maximum length 2^23-1 octets) using the 192-bit key K and 96-bit nonce N, enciphers the input plaintext using K and N, and outputs a ciphertext that includes the authentication tag.
- AES-192-CCMDEC(K, N, additional, ciphertext) accepts the octet string inputs ciphertext (maximum length 2^23+15 octets) and additional (maximum length 2^23-1 octets), where the ciphertext includes a 128-bit keyed authentication tag, deciphers the ciphertext using the 192-bit key K and 96-bit nonce N to produce plaintext, verifies the authentication tag over plaintext and additional using K and N, and outputs plaintext. Plaintext is output only if the tag verifies; on failure the function FAILs and releases nothing.

9.B. SHA-384
The SHA-384 hash function, as specified in [ISO 10118-3] (NORMATIVE) and [FIPS PUB 180-4].
Function description:
- SHA-384(X) outputs a 384-bit digest computed over the input bit string X.

9.C. HMAC-SHA-384-192
HMAC-SHA-384-192 is defined in RFC 4868 as the keyed-hash message authentication code (HMAC) specified in [ISO 9797-2] (NORMATIVE), [FIPS PUB 198-1] and [RFC 2104], using the hash function SHA-384 (section 9.B), with the MAC truncated to the leftmost 192 bits.
Within the scope of this specification HMAC-SHA-384-192 is only used with a key of less than 1024 bits (the block size of SHA-384). The implementation given below has been simplified accordingly.
Function description:
- HMAC-SHA-384-192(K, text) outputs a 192-bit message authentication code (MAC) computed over the n-octet input text (0 ≤ n < 2^16) using the m-octet key K (0 < m < 128).
Input:
- K, a secret key (as an octet string).
- text, the data on which the HMAC is computed.
Process:
- B = 128, an integer constant giving the block size in octets of the hash function (SHA-384).
- ipad = x'3636…, an octet string constant of length B (the octet x'36 repeated B times).
- opad = x'5C5C…, an octet string constant of length B (the octet x'5C repeated B times).
- If OctetLen(K) ≥ B then FAIL.
- If OctetLen(text) ≥ 2^16 then FAIL.
- Append zeros (octets x'00) to the end of key K to create a B-octet string K0.
- Compute MAC = SHA-384( (K0 ⊕ opad) ∥ SHA-384( (K0 ⊕ ipad) ∥ text ) ).
- Output the leftmost 192 bits of MAC.

9.D. KDF-X963-SHA-384
The Key Derivation Function (KDF) specified in section 5.6.3 of [ANSI X9.63], [ISO 11770-3] (NORMATIVE, ANNEX B.3) and [SEC 1] section 3.6.1, using the hash function SHA-384 (section 9.B).
Within the scope of this specification KDF-X963-SHA-384 is only used with keydatalen = 384 bits, and small Z and SharedInfo (less than 2^19 bits). The implementation given below has been simplified accordingly.
Function description:
- KDF-X963-SHA-384(Z, SharedInfo, keydatalen) outputs a keydatalen-bit key derived from an asymmetrically shared secret Z (maximum length 2^10-1 bits) and the octet string SharedInfo (maximum length 2^16-1 octets).
Input:
- Z, a bit string of secret data (maximum length 2^10-1 bits).
- SharedInfo, an octet string of non-secret data, 0 < OctetLen(SharedInfo) ≤ (2^16-1).
- keydatalen, an integer giving the length in bits of the keying data to be generated.
Process:
- hashlen = 384, an integer giving the length in bits of the digest produced by the hash function (SHA-384).
- If BitLen(Z) ≥ 2^10 then FAIL.
- If OctetLen(SharedInfo) ≥ 2^16 then FAIL.
- If keydatalen > hashlen then FAIL.
- Set counter (a 32-bit, big-endian bit string) to x'00000001.
- Compute KeyData = SHA-384( Z ∥ counter ∥ SharedInfo ).
- Output the leftmost keydatalen bits of KeyData.
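The following is an added example, not code from the STS 600-4-1 specification: HMAC-SHA-384-192 written out step by step as in the simplified process of section 9.C and checked against the standard library's HMAC, and KDF-X963-SHA-384 of section 9.D both in the single-hash form the specification uses and in the general counter-mode form of ANSI X9.63 of which it is the keydatalen ≤ hashlen special case. Z is handled as an octet string (an assumption: the bit string is taken to be octet aligned); the key, text, Z and SharedInfo values are constructed for the example.

```python
import hashlib
import hmac

# Added example (not from the STS 600-4-1 text): HMAC-SHA-384-192 (section 9.C)
# exactly as the simplified process, and KDF-X963-SHA-384 (section 9.D) in the
# single-block form the specification uses plus the general X9.63 counter form.
# Z is treated as an octet string (assumption: octet-aligned bit string).

B = 128          # block size of SHA-384 in octets
HASHLEN = 384    # digest length in bits

def hmac_sha384_192(key: bytes, text: bytes) -> bytes:
    if len(key) >= B:
        raise ValueError("key must be shorter than the block size")
    if len(text) >= 1 << 16:
        raise ValueError("text too long")
    k0 = key + bytes(B - len(key))            # zero-pad K to B octets
    ipad = bytes(b ^ 0x36 for b in k0)        # K0 xor ipad
    opad = bytes(b ^ 0x5C for b in k0)        # K0 xor opad
    inner = hashlib.sha384(ipad + text).digest()
    return hashlib.sha384(opad + inner).digest()[:24]   # leftmost 192 bits

def hmac_reference(key: bytes, text: bytes) -> bytes:
    """Independent check against the standard library's HMAC, truncated."""
    return hmac.new(key, text, hashlib.sha384).digest()[:24]

def kdf_x963_sha384(z: bytes, shared_info: bytes, keydatalen: int) -> bytes:
    """The simplified KDF of section 9.D: one hash with counter x'00000001."""
    if len(z) * 8 >= 1 << 10:
        raise ValueError("Z too long")
    if not 0 < len(shared_info) < 1 << 16:
        raise ValueError("SharedInfo must be 1..65535 octets")
    if keydatalen > HASHLEN or keydatalen % 8:
        raise ValueError("keydatalen must be an octet multiple of at most 384")
    counter = (1).to_bytes(4, "big")
    return hashlib.sha384(z + counter + shared_info).digest()[: keydatalen // 8]

def kdf_x963_sha384_general(z: bytes, shared_info: bytes, keydatalen: int) -> bytes:
    """ANSI X9.63 KDF for any keydatalen: hash blocks with counter 1, 2, ...;
    its first block is what the specification's simplified form computes."""
    if keydatalen % 8:
        raise ValueError("octet-aligned keydatalen only")
    blocks = (keydatalen + HASHLEN - 1) // HASHLEN
    out = b"".join(hashlib.sha384(z + i.to_bytes(4, "big") + shared_info).digest()
                   for i in range(1, blocks + 1))
    return out[: keydatalen // 8]

def fails(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False

# Constructed sample inputs (not real protocol values).
SAMPLE_KEY = bytes(range(1, 25))                    # 24-octet MAC key
SAMPLE_TEXT = b"VKLOAD.RESP.1|KMC01|SM000123|"
SAMPLE_Z = bytes(48)                                 # stands in for a CDH x-coordinate
SAMPLE_INFO = b"\x02\x05KMC01\x08SM000123"           # an LVCONCAT-shaped SharedInfo
```

Note that the simplified KDF refuses an empty SharedInfo: the identities bound into SharedInfo are what stop a derived key from being valid between any other pair of parties that happen to share Z.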
9.E. ECC CDH in NIST P-384
The Cofactor Diffie-Hellman (CDH) primitive specified in [ISO 11770-3] (NORMATIVE) Annex D, [ANSI X9.63] section 5.4.2 ("Modified Diffie-Hellman Primitive"), [NIST SP800-56A] section 5.7.1.2 and [SEC 1] section 3.3.2.
This specification requires that all CDH operations SHALL be performed using the NIST P-384 curve and domain parameters that are specified in [FIPS PUB 186-3] (NORMATIVE), [ANSI X9.62] (as "ansix9p384r1") and [SEC 2] (as "secp384r1"). Octet string representations of points on the elliptic curve SHALL use uncompressed form affine coordinates ([ISO 18033-2] (NORMATIVE) section 5.4.3, [ANSI X9.63] section 4.3.6) as described by the Point-to-Octet-String conversion (section 8.D.5).
CDH uses scalar (integer) multiplication on an elliptic curve over a finite prime field, as defined in [ISO 15946-1] (NORMATIVE) sections A.1.2 and A.4, and in [SEC 1].
Function description:
- ECC-CDHDomain(dA, QB) accepts A's private key dA (an integer in the range [1, n-1], where n is given by the Domain parameters, always NIST P-384 in this specification) and B's public key QB (a point on the elliptic curve), and computes and outputs a shared secret octet string Z.
Input:
- dA, the private key of entity A (an integer in the range [1, n-1]).
- QB, the public key of entity B (a point on the curve).
Process:
- Use domain parameters (q, FR, a, b, G, n, h) = NIST P-384.
- Compute the point P = (xP, yP) = h dA QB (scalar multiplication of a point on an elliptic curve).
- If P is the point at infinity then FAIL.
- Set Z to xP (the x-coordinate of P). Zeroise intermediate results and output Field-Element-to-Octet-String(Z).
The public key QB is expected to have passed VALIDATE-KEY (section 9.I) before it is used here; with the cofactor h = 1 of NIST P-384, the multiplication by h gives no protection on its own against an unvalidated point.

9.F. One-Pass Unified Model Key Agreement Scheme C(1, 2, ECC CDH)
The One-Pass Unified Model key agreement scheme using the Elliptic Curve Cofactor Diffie-Hellman (ECC CDH) primitive, also known as C(1, 2, ECC CDH) or C(1e, 2s). The scheme is specified in [NIST SP800-56A] (NORMATIVE) section 6.2.1.2 and [ANSI X9.63] section 6.5, and is used with bilateral key confirmation.
The scheme is a composite of [ISO 11770-3] key agreement mechanisms 1 and 2, and thus complies with that standard although it is not specifically identified and described there.
Key confirmation from the SM to the KMC is modified to use a Time Variant Parameter (TVP) instead of a random nonce, allowing the confirmation to be included in the first protocol message but slightly reducing freshness guarantees. This modification is permitted (the Nonce used in key confirmation is not required to be random), and the first protocol message is consistent with the entity authentication requirements of [ISO 9798-4].
The scheme is not detailed here; instead the scheme steps and all procedural prerequisites are included in the Vending Key Load Request (section 14), Vending Key Load Response (section 15) and KEK Confirmation (section 16) processes.

9.G. ECDSA in NIST P-384
The Elliptic Curve Digital Signature Algorithm (ECDSA) specified in [ISO 14888-3] (NORMATIVE), [ANSI X9.62], [FIPS PUB 186-3] and [SEC 1].
This specification requires that all ECDSA operations SHALL BE performed using the NIST P-384 curve and domain parameters that are specified in [FIPS PUB 186-3] (NORMATIVE), and that the hash function SHALL BE SHA-384 (section 9.B).

9.G.1. ECDSA-SIGN
ECDSA-SIGNDomain,Hash(dA, M) accepts A's private key dA (an integer in the range [1, n-1], where n is given by the Domain parameters) and a message M (an octet string), and computes and outputs a signature (r, s) where r and s are both in [1, n-1].
In this specification the Domain is always NIST P-384, and the Hash function is SHA-384.

9.G.2. ECDSA-VERIFY
ECDSA-VERIFYDomain,Hash(QA, M, (r, s)) accepts A's public key QA (a point on the elliptic curve given by the Domain parameters), a message M (an octet string) and a purported signature (r, s); it checks the purported signature and outputs an indication of whether the signature is valid or not: "valid" or "invalid".
In this specification the Domain is always NIST P-384, and the Hash function is SHA-384.

9.H. GENERATE-KEY
The Elliptic Curve key generation primitive specified in [ISO 15946-1] (NORMATIVE) section 6.1, [ANSI X9.63] section 5.2.1 and [FIPS PUB 186-3] section B.4 (using candidate testing).
This specification requires that all CDH and ECDSA keys use the NIST P-384 curve and domain parameters; see sections 9.E and 9.G.
Function description:
- GENERATE-KEY() generates and outputs a random private key dA (an integer in the range [1, n-1], where n is given by NIST P-384) and the corresponding public key QA (a point on the P-384 curve).
Process:
- Use domain parameters (q, FR, a, b, G, n, h) = NIST P-384.
- Select a unique and unpredictable integer dA in the range [1, n-1]:
  o Obtain a string S of 384 random bits from a random bit generator (RBG) with a security-strength of 192 bits or more.
  o Set I = Octet-String-to-Field-Element(S).
  o If (I > n - 2) then discard S and I and repeat the generation.
  o Set dA = I + 1.
- Compute the public key QA = dA G (scalar multiplication of a point on an elliptic curve).
- Output the key pair dA and QA.

9.I. VALIDATE-KEY
The public key validation primitive specified in [ISO 15946-1] (NORMATIVE) section 7, [ANSI X9.63] section 5.2.2.1 ("Standard Public Key Validation Primitive") and [NIST SP800-56A] section 5.6.2.5 ("ECC Full Public Key Validation Routine").
Function description:
- VALIDATE-KEY(QB) outputs TRUE if QB = (xQ, yQ) is a point on the NIST P-384 curve and is not the identity element, or fails otherwise.
Process:
- Use domain parameters (q, FR, a, b, G, n, h) = NIST P-384.
- If QB is the point at Infinity then FAIL.
- If xQ is not in the range [0, q-1] or yQ is not in the range [0, q-1] then FAIL.
- Verify that (yQ)^2 ≡ (xQ)^3 + a·xQ + b (mod q), or FAIL.
- Verify that P = n Q (scalar multiplication) is the point at Infinity, or FAIL.
- Output TRUE.
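The following is an added example, not code from the STS 600-4-1 specification: the point conversions of sections 8.D.5 and 8.D.6, ECC-CDH (9.E), GENERATE-KEY (9.H) and VALIDATE-KEY (9.I) over NIST P-384 in plain Python, using the published secp384r1 domain parameters. It shows the property the validation exists for: a decoded point that is off the curve, out of range or the point at infinity is refused before it can reach a scalar multiplication, while two freshly generated key pairs agree on the same 48-octet Z. The arithmetic is affine and not constant-time, which is fine for an illustration and not for an HSM; `secrets` is used as the RBG.

```python
import secrets

# Added example (not from the STS 600-4-1 text): NIST P-384 arithmetic for
# EC2OSP/OS2ECP (8.D.5, 8.D.6), ECC-CDH (9.E), GENERATE-KEY (9.H) and
# VALIDATE-KEY (9.I).  Affine, non-constant-time: illustration only.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1          # field prime q of secp384r1
A = P - 3
B = 0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973
G = (0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7,
     0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F)
H = 1
FELEN = 48                                       # ceil(log2(q) / 8)

def oslen(L: int) -> int:                        # ceil(log2(L) / 8)
    return ((L - 1).bit_length() + 7) // 8

def i2osp(x: int, L: int) -> bytes:
    if not 0 <= x < L:
        raise ValueError("integer out of range")
    return x.to_bytes(oslen(L), "big")

def os2ip(s: bytes, L: int) -> int:
    if len(s) != oslen(L):
        raise ValueError("wrong octet string length")
    x = int.from_bytes(s, "big")
    if x >= L:
        raise ValueError("integer out of range")
    return x

def ec2osp(pt) -> bytes:
    if pt is None:
        raise ValueError("point at infinity has no encoding")
    return b"\x04" + i2osp(pt[0], P) + i2osp(pt[1], P)

def os2ecp(s: bytes):
    """Only the uncompressed form is accepted; the result is NOT yet validated."""
    if len(s) != 1 + 2 * FELEN:
        raise ValueError("wrong length")
    if s[0] != 0x04:
        raise ValueError("PC octet is not x'04")
    return (os2ip(s[1:1 + FELEN], P), os2ip(s[1 + FELEN:], P))

def add(p1, p2):                                 # None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k: int, pt):                             # left-to-right double-and-add
    r = None
    for bit in bin(k)[2:]:
        r = add(r, r)
        if bit == "1":
            r = add(r, pt)
    return r

def validate_key(q) -> bool:
    """VALIDATE-KEY as a predicate: False wherever the specification says FAIL.
    The curve-equation check is what keeps invalid-curve points out of ECC-CDH."""
    if q is None:
        return False
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return False
    if (y * y - (x ** 3 + A * x + B)) % P:
        return False
    return mul(N, q) is None

def generate_key():
    """GENERATE-KEY: 384 random bits, retried while I > n-2, then dA = I + 1."""
    while True:
        i = int.from_bytes(secrets.token_bytes(48), "big")
        if i <= N - 2:
            return i + 1, mul(i + 1, G)

def ecc_cdh(d_a: int, q_b) -> bytes:
    """ECC-CDH: Z = x-coordinate of h*dA*QB, after validating QB (the caller's duty)."""
    if not 1 <= d_a < N or not validate_key(q_b):
        raise ValueError("bad private key or unvalidated public key")
    pt = mul(H * d_a, q_b)
    if pt is None:
        raise ValueError("shared point at infinity")
    return i2osp(pt[0], P)
```

Note that os2ecp deliberately returns an unvalidated pair, mirroring section 8.D.6; validate_key is the separate step the specification places in section 9.I, and ecc_cdh refuses to run without it.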
10. Data Formats and Structures
10.A. PKID
A PKIDA is a record (section 8.H) that identifies entity A by binding together the unique name or serial number of entity A with A's public key:
- The tuple (Manufacturer, UID) uniquely identifies entity A.
- The tuple (Manufacturer, UID, Serial) uniquely identifies a public key associated with entity A. Given PKIDA it is difficult to find a public key QA' ≠ QA that satisfies the Fingerprint.
The record type indicates the role of the entity in the key management infrastructure:
- rectype = "SMID.1" if entity A is an SM;
- rectype = "SMMAN.1" if A is an SM Manufacturer;
- rectype = "KMCID.1" if A is a KMC.
The record contains the following fields, in order:

Position  Field         Type       Description
1         Manufacturer  IDENT      Identifies the manufacturer of entity A.
2         UID           IDENT      A Unique IDentifier of entity A with respect to the Manufacturer; the tuple (Manufacturer, UID) must be globally unique.
3         Serial        TIMESTAMP  The time at which A's key pair (dA, QA) was generated. The key pair SHALL NOT be used for signing or for key agreement before this date.
4         Fingerprint   16H        A collision resistant hash that binds the preceding fields and record type to A's public key QA. Let S = LVCONCAT(rectype, Manufacturer, UID, Serial, Point-To-Octet-String(QA)); then Fingerprint is the leftmost 16 characters of BASE16(SHA-384(S)).

To verify the Fingerprint of a PKIDA and a purported public key QA': parse PKIDA using PARSE-RECORD() and compute Fingerprint' using the recovered fields and QA', then compare the recovered Fingerprint with the computed Fingerprint'.
Note that a 64-bit truncation of the digest gives only about 2^32 work against collisions between two freely chosen keys; the binding relied upon here is the harder one stated above, namely finding a second key QA' ≠ QA that matches a given PKID.

10.B. PUBKEY
A PUBKEYA is a public key certificate [W:CERT] that identifies entity A and contains A's public key. The certificate may be signed by an Issuer, self-signed, or unsigned.
The PUBKEY is represented as a record (section 8.H), and the record type indicates the purpose and permitted usage of the public key:
- rectype = "PK.ECDH.1" for an ECC Cofactor Diffie-Hellman (section 9.E) public key that is reserved for use in the key management processes specified in this document;
- rectype = "PK.ECDSA.1" for an ECDSA public key with NIST P-384 domain parameters.
The record contains the following fields, in order:

Position  Field         Type             Description
1         Subject (IDA) Printable        PKID (section 10.A) of the owner of the public key QA; includes the public key Fingerprint.
2         QAHEX         194H             Entity A's public key QA, encoded as BASE16(Point-To-Octet-String(QA)).
3         Expiry        TIMESTAMP        The time at which A's key pair (dA, QA) expires. Expiry SHALL be greater than the Serial field of the Subject. An expired key pair SHALL NOT be used for signing or for key agreement, although an expired ECDSA key may be used to verify signatures created before the expiry date.
4         Issuer        ∅ or Printable   PKID of the Issuer responsible for generating the Signature. Leave empty if the PUBKEY is unsigned.
5         Signature     ∅ or 192H        A digital signature that binds together the preceding fields and record type, or empty if the PUBKEY is unsigned. Let M = LVCONCAT(rectype, Subject, Point-To-Octet-String(QA), Expiry, Issuer) and (r, s) = ECDSA-SIGN(dISSUER, M), where dISSUER is the Issuer's private key; then the Signature is BASE16(Integer-to-Octet-String(r, n) ∥ Integer-to-Octet-String(s, n)), where n is given by NIST P-384.

To verify the Signature of a PUBKEYA: parse PUBKEYA using PARSE-RECORD(), construct M (as described for the Signature field) and verify the Signature using ECDSA-VERIFY(QISSUER, M, Signature), where QISSUER is the Issuer's public key.

10.C. VKLOADREQ
A Vending Key Load Request VKLOADREQSM is a record (section 8.H) of type "VKLOAD.REQ.1" that is constructed by the SM and sent to the KMC to request vending keys.
The record contains the following fields, in order:

Position  Field         Type       Description
1         IDSM          Printable  PKID (section 10.A) of the requesting SM.
2         IDKMC         Printable  PKID (section 10.A) of the target KMC.
3         TVPKMC        TIMESTAMP  Time variant parameter taken from the SM's RTC.
4         HWID          IDENT      SM hardware model and revision (see section 12.A).
5         FWID          IDENT      SM firmware application and version (see section 12.A).
6         QEHEX         194H       SM ephemeral public key QE (see section 0) encoded as BASE16(Point-To-Octet-String(QE)).
7         MacTagSMHEX   48H        SM key confirmation MacTagSM (see section 14) encoded as BASE16(MacTagSM).

10.D. VKLOADRESP
A Vending Key Load Response VKLOADRESPKMC is a record (section 8.H) of type "VKLOAD.RESP.1" that is constructed by the KMC and sent to the SM in response to a successful VKLOADREQ.
The record contains the following fields, in order:

Position  Field         Type       Description
1         IDKMC         Printable  PKID (section 10.A) of the responding KMC.
2         IDSM          Printable  PKID (section 10.A) of the requesting SM.
3         TVPKMC        TIMESTAMP  Time variant parameter copied from the SM's VKLOADREQSM.
4         MacTagKMCHEX  48H        KMC key confirmation MacTagKMC (see section 15) encoded as BASE16(MacTagKMC).

10.E. WRAPPED-KEY
A Wrapped Key is a record (section 8.H) of type "KEY.1" that is constructed by the KMC and sent to the SM. This constitutes a symmetric key transfer scheme consistent with [ISO 11770-2] mechanism 2.
The record contains the following fields, in order:

Position  Field         Type       Description
1         Nonce         24H        A 96-bit value represented in the Hexadecimal alphabet. Each WRAPPED-KEY under a specific KEK must have a unique nonce: CCM is a counter-mode construction, so a repeated Nonce under the same KEK leaks the XOR of the two key materials and voids the authentication guarantee.
2         Attributes    P          The attributes associated with the key, encoded as a delimited printable ASCII string using a card format as described in section 10.E.1 below. Supported attributes are defined in Appendix C.
3         ProtectedKey  H          The key material K, protected under the Key Exchange Key (KEK) using authenticated encryption (with Attributes as associated data) and encoded in the Hexadecimal alphabet. ProtectedKey = BASE16(AES-CCM(KEK, Nonce, Attributes, K)).

10.E.1. Attributes
Attributes are a collection of unique attribute names Ni (type 3AN) and corresponding values VNi (type P), i = 1, 2, …, n. The encoding, range and interpretation of VNi is determined by Ni according to the Vending Key attributes table given in Appendix C, but in all cases VNi SHALL be printable ASCII (and exclude the record and field delimiter characters '|' = x'7C and ',' = x'2C) with a maximum length of 252 characters¹.
The Attributes field of a WRAPPED-KEY is encoded as a delimited printable ASCII string using a card format: each name Ni and its associated value VNi is concatenated to form a single card. Let S1, …, Sn be the names N1, …, Nn sorted in strictly ascending lexicographical order [W:LEX] in the ASCII alphabet (no duplicates are permitted); then Attributes = DFCONCAT(',', S1 ∥ VS1, …, Sn ∥ VSn).
Because Attributes are the associated data of the CCM operation, the receiver obtains their integrity only by verifying the tag; it must therefore decode and act on the attributes only after AES-192-CCMDEC has succeeded.
¹ The length limit of 252 characters ensures that each string Ni ∥ VNi is a valid input field to LVCONCAT.
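The following is an added example, not code from the STS 600-4-1 specification: the PKID Fingerprint computation and verification of section 10.A, the Attributes card encoding and decoding of section 10.E.1 with its sorting, uniqueness and alphabet rules, and the per-KEK Nonce uniqueness rule of section 10.E. LVCONCAT is restated in its minimal form, the fingerprint is compared with a constant-time comparison, and the 97-octet public key value and identity fields are constructed for the example (they are not a real SM key or identity).

```python
import hashlib
import hmac
import secrets

# Added example (not from the STS 600-4-1 text): PKID Fingerprint (10.A),
# Attributes card format (10.E.1) and per-KEK Nonce uniqueness (10.E).
# SAMPLE_Q is a constructed 97-octet Point-To-Octet-String value, not a real key.

def lvconcat(*fields: bytes) -> bytes:
    if len(fields) > 255 or any(len(f) > 255 for f in fields):
        raise ValueError("LVCONCAT limits exceeded")
    return bytes([len(fields)]) + b"".join(bytes([len(f)]) + f for f in fields)

def pkid_fingerprint(rectype: str, manufacturer: str, uid: str, serial: str, q_octets: bytes) -> str:
    """Leftmost 16 hex characters of SHA-384 over LVCONCAT of the record type,
    the three identity fields and Point-To-Octet-String(QA)."""
    s = lvconcat(rectype.encode("ascii"), manufacturer.encode("ascii"),
                 uid.encode("ascii"), serial.encode("ascii"), q_octets)
    return hashlib.sha384(s).hexdigest().upper()[:16]

def verify_pkid(rectype: str, fields: list, q_octets: bytes) -> bool:
    """fields = the four PARSE-RECORD outputs of a PKID; binds them to a purported key."""
    manufacturer, uid, serial, fingerprint = fields
    expected = pkid_fingerprint(rectype, manufacturer, uid, serial, q_octets)
    return hmac.compare_digest(fingerprint, expected)

FORBIDDEN = {"|", ","}   # record and field delimiters may not appear in a value

def encode_attributes(pairs: list) -> str:
    """Attributes = DFCONCAT(',', S1||VS1, ..., Sn||VSn) with names sorted strictly
    ascending in ASCII; duplicates, bad names and bad values FAIL."""
    names = [n for n, _ in pairs]
    if len(set(names)) != len(names):
        raise ValueError("duplicate attribute name")
    out = ""
    for name, value in sorted(pairs):
        if not (len(name) == 3 and name.isascii() and name.isalnum()):
            raise ValueError("attribute name must be 3AN")
        if not (value.isascii() and value.isprintable()) or FORBIDDEN & set(value) or len(value) > 252:
            raise ValueError("attribute value is not a permitted printable string")
        out += name + value + ","
    return out

def decode_attributes(s: str) -> dict:
    """Inverse of encode_attributes; rejects unsorted or repeated names so that two
    encodings of the same attribute set cannot differ."""
    if not s.endswith(","):
        raise ValueError("Bad encoding in input")
    out, prev = {}, ""
    for card in s[:-1].split(","):
        name, value = card[:3], card[3:]
        if len(name) != 3 or name <= prev:
            raise ValueError("attribute names not strictly ascending")
        out[name] = value
        prev = name
    return out

def new_nonce(used: set) -> str:
    """A fresh 96-bit Nonce as 24H; `used` holds the nonces already issued under this KEK."""
    while True:
        nonce = secrets.token_hex(12).upper()
        if nonce not in used:
            used.add(nonce)
            return nonce

def fails(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False

# Constructed sample data (not a real identity or key).
SAMPLE_Q = b"\x04" + bytes(range(96))
SAMPLE_FP = pkid_fingerprint("SMID.1", "ACME", "SM000123", "20130731T120000Z", SAMPLE_Q)
```

The record type is part of the hashed input on purpose: the same manufacturer, UID and serial presented under "KMCID.1" instead of "SMID.1" produces a different Fingerprint, so a PKID cannot be re-labelled into a different role.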
11. SM Manufacturer Setup

Prior to SM initialisation an SM Manufacturer SHALL:
• Select a unique name MANUFACTURER (an IDENT) to identify itself. The STSA SHOULD provide a registry service for Manufacturer names.
• Generate an asymmetric digital signature key pair for the purpose of certifying SM public keys.
  o The key pair SHALL be an ECDSA key pair using the NIST P-384 domain parameters having a security-strength of at least 192 bits, and SHALL be generated using an RBG having equivalent (or stronger) security-strength.
  o The key pair SHALL be generated and managed with respect to the principles of split knowledge and dual control. It SHALL NOT be possible for any single operator to sign an SM public key using the private digital signature key.
  o The secret key SHALL be protected by an HSM. The HSM SHALL meet the security prerequisites for a KMC HSM (section 13.A).
• Publish the public key to all KMCs as a self-signed PUBKEY record (referred to as PUBKEYMAN; see section 0) with record type "PK.ECDSA.1".
  o The PUBKEY Expiry SHALL be set to the time of generation plus the Originator Usage Period (see below).
  o A procedure to publish the public key SHALL be specified by KMC standards or operational documentation. Each recipient of the PUBKEYMAN SHALL check that the public key is not expired, and SHALL check the validity of the public key by manually confirming the public key's fingerprint over an independent communication channel.
• The Manufacturer's key pair SHALL have a lifespan (Originator Usage Period) of at most 3 years (consistent with [NIST SP800-57 PART 1]).
• When the Manufacturer's key pair expires, the Manufacturer SHALL generate a new key pair and publish the public key in the manner prescribed by this section.
• The Manufacturer's private key dMAN SHALL be associated with an expiry date, and the Manufacturer SHALL NOT certify SM public keys using an expired key.
• A KMC SHALL NOT trust any PUBKEYSM for which the Serial (the point in time at which the SM key pair was generated) is more recent than the expiry date of the PUBKEYMAN used to certify PUBKEYSM.

11.A. Recommended process to generate and publish PUBKEYMAN

The following process is RECOMMENDED:
• The SM Manufacturer selects a unique name MANUFACTURER (an IDENT).
• The Manufacturer uses an HSM to generate and store a unique ECDSA key pair (dMAN, QMAN) using the NIST P-384 domain parameters, in accordance with [ISO 14888-3], [FIPS PUB 186-3], [ANSI X9.62] and/or [SEC 1].
• The Manufacturer constructs a PKIDMAN with rectype "SMMAN.1", UID "A", and Serial the time at which dMAN was generated.
• The Manufacturer constructs a PUBKEYMAN with rectype "PK.ECDSA.1" and Subject PKIDMAN. The Issuer is PKIDMAN and the Signature is generated using dMAN. Expiry is at most 3 years after the Serial.
• On demand by any KMC, the Manufacturer sends the PUBKEYMAN to the KMC in record-in-email format (Appendix F).
• Operating under the principle of dual control, two KMC operators call the Manufacturer (by telephone) and confirm the Fingerprint in the PKIDMAN, then instruct their system to import and trust the PUBKEYMAN.
12. SM Initialisation

12.A. Prerequisites: SM

An SM SHALL have:
• A high quality entropy source that has been assessed using statistical tests from NIST SP800-22. The SM SHALL implement a continuous quality test on the output of the entropy source, for example by ensuring that adjacent blocks read from the source are distinct.
• A deterministic Random Bit Generator (RBG) seeded from the entropy source, with a security-strength of 192 bits or more.
  o The RBG SHALL comply with [ISO 18031], [NIST SP800-90], [ANSI X9.82] and/or [SEC 1].
• A real-time clock (RTC) for which the state is protected within the SM's cryptographic boundary.
  o The RTC SHOULD NOT drift by more than 3 days over the documented lifetime or maintenance interval of the SM.
• Secure storage for sensitive data. All keys and sensitive data SHALL include integrity protection. Key separation and substitution prevention SHALL be assured (for example using techniques from [ISO 11568-2]). Keys and sensitive data may be stored using one of the following techniques:
  o Within the cryptographic boundary of the SM, in non-volatile memory that is erased on tamper, and SHALL include integrity protection (such as a checksum); OR
  o Authentically encrypted under a Storage Key that is securely stored using the previous technique.
• Tested implementations of all cryptographic primitives (section 9) required by this specification.
• An authentic copy of the NIST P-384 domain parameters.
• A hardware identifier HWID (string of type IDENT) that SHALL be composed of a MANUFACTURER, MODEL and REVISION.
• A firmware application and version identifier FWID (string of type IDENT).
• A unique hardware identifier or assigned soft identifier UID (string of type IDENT). Each device shall have a MANUFACTURER-unique UID, not merely a MODEL-unique UID. A model name or code can be used as a UID prefix to guarantee this.

An SM SHOULD comply with a recognised standard for cryptographic modules such as [ISO 19790], [FIPS PUB 140-2], or [PCI HSM]. The target security level or evaluation criteria for such compliance are beyond the scope of this document. The STSA SHOULD maintain a Code of Practice detailing the security requirements for an SM.
12.B. SM Initialisation and PUBKEY certification

Secure key agreement between an SM and a KMC – including authentication of the SM – requires that the SM contain secret information that is unique to the SM, and unknown and unpredictable to any person.

A Manufacturer SHALL have a documented process for SM initialisation and PUBKEY certification. The process SHALL be performed before an SM is delivered by the Manufacturer, and SHALL include at minimum:
• Complete the production of the SM, including loading firmware that has been approved by the STSA.
• In a physically secure facility and under dual control:
  o By means of physical inspection verify the integrity of all equipment to be used in this process.
  o Instruct the SM to generate a unique key pair (dSM, QSM) and to return the public key QSM.
  o Use the Manufacturer's private key dMAN to certify the public key QSM, producing a PUBKEYSM certificate.
  o Ensure that QSM is protected against modification or substitution. It SHALL NOT be possible for any individual to cause a chosen public key to be signed under the Manufacturer's private key dMAN. By implication the generation and certification of QSM must be tightly coupled.

12.B.1. Recommended process to generate and certify PUBKEYSM

The following process is RECOMMENDED:
• This process SHALL be performed under dual control.
• Perform a physical inspection of the SM to confirm that it is fully manufactured per specification and intact.
• Load into the SM firmware that has been approved by the STSA.
• Set the SM RTC to the current date and time (using a reliable clock).
• Instruct the SM to generate a unique PUBKEYSM-NOSIG. The SM SHALL:
  o Set Serial (type TIMESTAMP) to the current date and time according to the RTC.
  o Generate a unique ECDH key pair (dSM, QSM) using GENERATE-KEY(). dSM is known only to the SM and SHALL NOT be revealed to any other party (including the SM manufacturer) under any circumstances.
  o Set IDSM = BUILD-RECORD("SMID.1", 4, MANUFACTURER, UID, Serial, Fingerprint) where Fingerprint is computed from QSM and other fields as described for PKID (section 10.A).
  o Securely store dSM, QSM and IDSM. These values SHALL be stored within the cryptographic boundary in non-volatile memory that is erased on tamper, and SHALL include integrity protection (such as a checksum).
  o Set PUBKEYSM-NOSIG = BUILD-RECORD("PK.ECDH.1", 5, IDSM, QSMHEX, Expiry, ∅, ∅) where QSMHEX is encoded as described for PUBKEY (section 0). Expiry MAY be set to "99991231T115959Z".
  o Return the unsigned PUBKEYSM-NOSIG.
• Instruct the Manufacturer's HSM to sign the PUBKEYSM-NOSIG to create a certified PUBKEYSM.
  o The HSM SHALL require dual authentication of two trusted operators before performing the signature operation.
  o The HSM SHALL NOT create a signature if the Serial of PUBKEYSM-NOSIG is greater than the Expiry of PUBKEYMAN.
  o The HSM creates PUBKEYSM (based on PUBKEYSM-NOSIG), sets the Issuer to PKIDMAN, and generates the Signature using dMAN.
• Store PUBKEYSM, and discard PUBKEYSM-NOSIG.

12.C. SM PUBKEY publication

Whenever the association between an SM and a public key is created or modified – such as after SM manufacture or maintenance (section 7.B), or after a suspected key compromise – the SM Manufacturer SHALL publish the updated association to all KMCs:
• To revoke a public key with replacement, follow the SM Initialisation and certification process to create an updated PUBKEYSM.
• To revoke a public key without replacement, construct and sign a PUBKEYSM with QSM = (0,0) (an invalid point).
• The Manufacturer adds each updated PUBKEYSM to a file-of-records (Appendix G). The file is sent to all KMCs (for example as an e-mail attachment).
13. KMC Initialisation

13.A. Prerequisites: KMC HSM

The KMC SHALL use a Hardware Security Module (HSM) to manage all keys and perform all cryptographic operations specified in this document.

The HSM SHALL be certified to [FIPS PUB 140-2] Security Level 3 or higher, or to an equivalent evaluation level of a recognised standard for cryptographic modules such as [ISO 19790], or [PCI HSM].

The STSA SHOULD maintain a Code of Practice detailing the security requirements for an HSM.

The HSM SHALL have:
• A high quality entropy source that has been assessed using statistical tests from NIST SP800-22. The HSM SHALL implement a continuous quality test on the output of the entropy source, for example by ensuring that adjacent blocks read from the source are distinct.
• A deterministic Random Bit Generator (RBG) seeded from the entropy source, with a security-strength of 192 bits or more.
  o The RBG SHALL comply with [ISO 18031], [NIST SP800-90], [ANSI X9.82] and/or [SEC 1].
• A real-time clock (RTC) for which the state is protected within the HSM's cryptographic boundary.
• Secure storage for sensitive data. All keys and sensitive data SHALL include integrity protection. Key separation and substitution prevention SHALL be assured (for example using techniques from [ISO 11568-2]). See Prerequisites: SM (section 12.A) for permitted secure storage techniques.
• Tested implementations of all cryptographic primitives (section 9) required by this specification.
• An authentic copy of the NIST P-384 domain parameters.

13.B. Prerequisites: KMC

The KMC SHALL have:
• KMCID (string of type IDENT), a unique name or identifier.
  o The STSA SHOULD provide a registry service for KMC names.
• SWID (string of type IDENT), a software application and version identifier.
• A list of Approved HWID values. The KMC SHALL NOT negotiate a KEK with (or transfer Vending Keys to) an SM unless that SM's HWID is in the Approved list.
• A list of Approved FWID values. The KMC SHALL NOT negotiate a KEK with (or transfer Vending Keys to) an SM unless that SM's FWID is in the Approved list.

The STSA SHOULD maintain a Code of Practice detailing the requirements for approving SM hardware and firmware (based on the SM Prerequisites in section 12.A).

The STSA SHOULD provide a registry service for Approved HWID and FWID values.
13.C. KMC Setup

Prior to accepting Vending Key Load Requests from SMs, the KMC SHALL:
• Generate an asymmetric key agreement key pair for the purpose of establishing KEKs with SMs.
  o The key pair SHALL be an ECC CDH key pair using the NIST P-384 domain parameters having a security-strength of at least 192 bits, and SHALL be generated using an RBG having equivalent (or stronger) security-strength.
  o The key pair SHALL be generated and managed with respect to the principles of split knowledge and dual control.
  o The secret key SHALL be protected by an HSM.
• The key pair SHALL have a lifespan (Originator Usage Period) of at most 3 years (consistent with [NIST SP800-57 PART 1]).
• The public key SHALL be published as an unsigned PUBKEY record (referred to as PUBKEYKMC; see section 0) with record type "PK.ECDH.1". The Expiry field SHALL reflect the end of the Originator Usage Period.
• A procedure to publish PUBKEYKMC SHALL be specified by KMC standards or operational documentation. Each recipient of the PUBKEYKMC SHALL check that the public key is not expired, and SHALL check the validity of the public key by manually confirming the public key's fingerprint over an independent communication channel.
• When the KMC's key pair expires, the KMC SHALL generate a new key pair and publish the public key in the manner prescribed by this section.

13.C.1. Recommended process to generate and publish PUBKEYKMC

The following process is RECOMMENDED:
• The KMC selects a unique name KMCID (an IDENT).
• The KMC uses an HSM to generate and store a unique ECDH key pair (dKMC, QKMC) using the NIST P-384 domain parameters, in accordance with [ISO 14888-3], [FIPS PUB 186-3], [ANSI X9.62] and/or [SEC 1].
  o Generate a unique ECDH key pair (dKMC, QKMC) using GENERATE-KEY(). dKMC is known only to the KMC HSM and SHALL NOT be revealed to any other party under any circumstances.
• The KMC constructs a PKIDKMC with rectype "KMCID.1", Manufacturer set to SWID, UID set to KMCID, and Serial the time at which dKMC was generated.
  o Set Serial (type TIMESTAMP) to the current date according to the RTC.
  o Set IDKMC = BUILD-RECORD("KMCID.1", 4, SWID, KMCID, Serial, Fingerprint) where Fingerprint is computed from QKMC and other fields as described for PKID (section 10.A).
• The KMC constructs a PUBKEYKMC with rectype "PK.ECDH.1" and Subject PKIDKMC. The Issuer and Signature are empty. Expiry is at most 3 years after the Serial.
  o Compute the Expiry date of the key pair (dKMC, QKMC) as the Serial plus the Originator Usage Period (maximum 3 years).
  o Securely store dKMC, QKMC, Expiry and IDKMC. These values SHALL be in secure storage and SHALL include integrity protection.
  o Set PUBKEYKMC = BUILD-RECORD("PK.ECDH.1", 5, IDKMC, QKMCHEX, Expiry, ∅, ∅) where QKMCHEX is encoded as described for PUBKEY (section 0).
• On demand by any SM Operator (vendors or meter manufacturers), the KMC sends the PUBKEYKMC to the SM Operator in record-in-email format (Appendix F).
• The SM Operator confirms the Fingerprint in the PKIDKMC via a second channel (for example via the telephone or from the STSA website), then instructs their system to use the PUBKEYKMC in a Vending Key Load Request (section 14).

13.D. KMC operation

During operation the KMC will periodically receive updated information from SM Manufacturers and the STSA. Such updates SHALL be processed at the beginning of each day of operation, before processing Vending Key Load Requests. The integrity of the information SHALL be confirmed cryptographically or under dual control, and the information stored for future use.

13.D.1. SM Manufacturer PUBKEYMAN updates

When the KMC receives notification that an SM Manufacturer's public key certificate PUBKEYMAN has been updated, the KMC should – with respect to the principle of dual control – verify the integrity and authenticity of the certificate, then introduce it to the KMC HSM as a trusted certificate.

See the recommended process to generate and publish PUBKEYMAN (section 11.A).

13.D.2. Approved HWID & FWID list updates

The KMC may receive from the STSA updated lists of Approved HWIDs and/or Approved FWIDs. The format and validation of these lists is beyond the scope of this specification.

13.D.3. Supply Group management instructions

The KMC may receive from Supply Group owners (or prospective owners) requests to register Supply Groups, update registration details, generate Vending Keys, or permit Vending Keys to be sent to specific SMs (identified by MANUFACTURER and UID). The format and validation of such requests is beyond the scope of this specification.

13.D.4. SM PUBKEY updates

The KMC will periodically receive files from SM Manufacturers containing updated SM public key certificates (PUBKEYSM); see SM PUBKEY publication (section 12.C).

The KMC SHALL validate each certificate using the KMC HSM and the Issuer's public key (an SM Manufacturer's PUBKEYMAN previously introduced as described in section 13.D.1). The KMC SHOULD check that each SM public key is unique. The certificate is stored in the KMC's database indexed by MANUFACTURER and UID, replacing any existing entry for the same SM; the new certificate's Serial should be greater than that of the existing certificate.
14. SM Vending Key Load Request

When an SM requires vending keys from a KMC, that SM SHALL perform the following process to create a Vending Key Load Request.

Input:
• PUBKEYKMC

Software or SM firmware process (error prefix "SM.1A" for software or "SM.1B" for firmware):
• Parse PUBKEYKMC using PARSE-RECORD("PK.ECDH.1", 5, PUBKEYKMC) to retrieve IDKMC, QKMCHEX and Expiry. Verify types of retrieved fields.
• If parsing fails then FAIL("SM.1A: Bad PUBKEY_KMC: failed to parse PUBKEY_KMC;" ∥ cause).
• If Expiry is less than the current time then FAIL("SM.1A: Bad PUBKEY_KMC: certificate is expired").

SM firmware process (error prefix "SM.1B"):

Input: IDKMC, QKMCHEX.
• If this process has completed successfully within the last 60 seconds then FAIL("SM.1B: Load Request speed limit enforced; try again in 60 seconds").
• Set QKMC = Octet-String-to-Point(BASE16-DECODE(QKMCHEX)).
• On error FAIL("SM.1B: Bad PUBKEY_KMC: invalid representation for public key Q_KMC").
• Parse IDKMC using PARSE-RECORD("KMCID.1", 4, IDKMC) to retrieve SWID, KMCID, SerialKMC and FingerprintKMC. Verify types of retrieved fields.
• If parsing fails then FAIL("SM.1B: Bad PUBKEY_KMC: failed to parse ID_KMC;" ∥ cause).
• Verify the FingerprintKMC using the retrieved fields and QKMC (see PKID, section 10.A), or FAIL("SM.1B: Bad PUBKEY_KMC: bad fingerprint in ID_KMC").
• Retrieve from secure storage the values dSM, QSM and IDSM, and check their integrity.
• If the integrity check fails then FAIL("SM.1B: Bad SM keys: stored key integrity failure").
• Parse IDSM using PARSE-RECORD("SMID.1", 4, IDSM) to retrieve MANUFACTURER, UID, SerialSM and FingerprintSM. Verify types of retrieved fields.
• If parsing fails then FAIL("SM.1B: Bad SM keys: failed to parse ID_SM;" ∥ cause).
• Verify the FingerprintSM using the retrieved fields and QSM (see PKID, section 10.A), or FAIL("SM.1B: Bad SM keys: bad fingerprint in ID_SM").
• Retrieve the NIST P-384 domain parameters and check their integrity.
• If the integrity check fails then FAIL("SM.1B: Bad SM keys: domain parameters corrupt").
• Use VALIDATE-KEY(QKMC) to provide assurance of validity of the KMC's public key.
• If validation fails then FAIL("SM.1B: Bad PUBKEY_KMC: public key Q_KMC failed full validation").
• Use VALIDATE-KEY(QSM) to provide assurance of validity of the SM's public key.
• If validation fails then FAIL("SM.1B: Bad SM keys: public key Q_SM failed full validation").
• Check that the SM has the correct value for its private key: using domain parameters (q, FR, a, b, G, n, h) = NIST P-384, check that dSM is in the range [1, n-1] and if so compute QSM' = dSM G (scalar multiplication of a point on an elliptic curve).
• If dSM is out of range or QSM' ≠ QSM then FAIL("SM.1B: Bad SM keys: SM private/public key mismatch").
• Set TVPKMC to a TIMESTAMP of the current time according to the SM's RTC.
• On error FAIL("SM.1B: Error creating VKLOADREQ: RTC fault").
• Generate an ephemeral key pair (dE, QE) using GENERATE-KEY().
• Set QESTR to Point-to-Octet-String(QE).
• On error FAIL("SM.1B: Error creating VKLOADREQ: ephemeral key generation fault").
• Set ZE = ECC-CDH(dE, QKMC) then zeroise dE.
• On error zeroise dE and FAIL("SM.1B: Error creating VKLOADREQ: ephemeral CDH fault").
• Set ZS = ECC-CDH(dSM, QKMC).
• On error zeroise ZE and FAIL("SM.1B: Error creating VKLOADREQ: static CDH fault").
• Set Z = ZE ∥ ZS then zeroise ZE and ZS.
• Construct SharedInfo = LVCONCAT("STS.KAA.1", IDSM, IDKMC, TVPKMC).
• Set DKM = KDF-X963-SHA-384(Z, SharedInfo, 384) then zeroise Z.
• On error zeroise Z and FAIL("SM.1B: Error creating VKLOADREQ: KDF fault").
• Set MacKey192 ∥ KEK192 = DKM384 then zeroise DKM. That is, take the leftmost 192 bits of DKM as MacKey and the remaining 192 bits of DKM as KEK, then zeroise DKM.
• Construct MacDataSM = LVCONCAT("U_2", IDSM, IDKMC, QESTR, TVPKMC, HWID, FWID).
• Then compute MacTagSM = HMAC-SHA-384-192(MacKey, MacDataSM).
• On error zeroise MacKey and KEK, then FAIL("SM.1B: Error creating VKLOADREQ: MacTag_SM generation fault").
• Construct MacDataKMC = LVCONCAT("V2", IDKMC, IDSM, TVPKMC, QESTR).
• Then compute ExpMacTagKMC = HMAC-SHA-384-192(MacKey, MacDataKMC).
• On error zeroise MacKey, KEK and MacTagSM, then FAIL("SM.1B: Error creating VKLOADREQ: ExpMacTag_KMC generation fault").
• Set QEHEX (type 194H) = BASE16(QESTR).
• Set MacTagSMHEX (type 48H) = BASE16(MacTagSM).
• Construct the Vending Key Load Request: VKLOADREQSM = BUILD-RECORD("VKLOAD.REQ.1", 7, IDSM, IDKMC, TVPKMC, HWID, FWID, QEHEX, MacTagSMHEX). See also VKLOADREQ (section 0).
• Securely store KEK, FingerprintKMC, TVPKMC and ExpMacTagKMC. The KEK SHALL be flagged with a 'pending' status that prevents it from being used by the HSM until a valid Key Load Response VKLOADRESP is received. Storage SHALL include integrity protection. FingerprintKMC, TVPKMC and ExpMacTagKMC will be used to verify the Key Load Response.
• Output VKLOADREQSM.

Software or manual process:
• Log the Load Request to the software audit log (the log SHOULD NOT contain QEHEX, but SHOULD contain all other fields of VKLOADREQSM).
• Send the Vending Key Load Request VKLOADREQSM to the KMC in record-in-email format (Appendix F).
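The key agreement and key confirmation steps of section 14, together with the matching steps of the KMC HSM process in section 15, carried through in Python as an added worked example; this is not code from the specification or from the STS Association. Assumptions: P-384 field arithmetic is written out in plain Python so every step is visible (it is not constant-time and not for production use); LVCONCAT is taken to be a 2-byte big-endian length prefix per field and Point-to-Octet-String to be the SEC 1 uncompressed form, both of which the specification defines in section 0, not on this page; the IDSM and IDKMC records, HWID and FWID are opaque byte strings; private scalars are derived from fixed seeds purely so the run is reproducible (a real SM or KMC uses its HSM RBG, sections 12.A and 13.A). The example also exercises the failure the MAC construction exists for: a request whose HWID is altered in transit is rejected by the KMC's key-confirmation check, so an unapproved hardware model cannot be disguised as an approved one.

```python
import hashlib
import hmac

# NIST P-384: prime q, coefficients a and b, base point G and order n (cofactor h = 1).
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = Q - 3
B = 0xb3312fa7_e23ee7e4_988e056b_e3f82d19_181d9c6e_fe814112_0314088f_5013875a_c656398d_8a2ed19d_2a85c8ed_d3ec2aef
G = (0xaa87ca22_be8b0537_8eb1c71e_f320ad74_6e1d3b62_8ba79b98_59f741e0_82542a38_5502f25d_bf55296c_3a545e38_72760ab7,
     0x3617de4a_96262c6f_5d9e98bf_9292dc29_f8f41dbd_289a147c_e9da3113_b5f0b8c0_0a60b1ce_1d7e819d_7a431d7c_90ea0e5f)
N = 0xffffffff_ffffffff_ffffffff_ffffffff_ffffffff_ffffffff_c7634d81_f4372ddf_581a0db2_48b0a77a_ecec196a_ccc52973
INF = None  # point at infinity

def add(p1, p2):
    # Affine point addition/doubling over GF(q); not constant-time, illustration only.
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % Q == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def mul(k, pt):
    # Double-and-add scalar multiplication k*pt ("dSM G" in the text).
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def validate_key(pt):
    # VALIDATE-KEY, full validation: finite point, on the curve, and n*pt = INF.
    if pt is INF:
        return False
    x, y = pt
    on_curve = 0 <= x < Q and 0 <= y < Q and (y * y - (x * x * x + A * x + B)) % Q == 0
    return on_curve and mul(N, pt) is INF

def ecc_cdh(d, pt):
    # ECC-CDH primitive: x-coordinate of d*pt as 48 octets; the infinity point is a fault.
    r = mul(d, pt)
    if r is INF:
        raise ValueError("CDH fault")
    return r[0].to_bytes(48, "big")

def point_to_octets(pt):
    # Point-to-Octet-String, SEC 1 uncompressed form assumed: 0x04 || X || Y (97 octets).
    return b"\x04" + pt[0].to_bytes(48, "big") + pt[1].to_bytes(48, "big")

def lvconcat(*fields):
    # LVCONCAT, assumed encoding: each field preceded by its 2-byte big-endian length.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def kdf_x963_sha384(z, shared_info, nbits=384):
    # ANSI X9.63 KDF: SHA-384(Z || counter || SharedInfo) for counter = 1, 2, ...
    out, counter = b"", 1
    while len(out) * 8 < nbits:
        out += hashlib.sha384(z + counter.to_bytes(4, "big") + shared_info).digest()
        counter += 1
    return out[: nbits // 8]

def hmac_sha384_192(key, data):
    # HMAC-SHA-384 truncated to its leftmost 192 bits.
    return hmac.new(key, data, hashlib.sha384).digest()[:24]

def derive_keys(z, id_sm, id_kmc, tvp):
    # DKM = KDF(Z, SharedInfo); MacKey192 is the leftmost 192 bits, KEK192 the remainder.
    dkm = kdf_x963_sha384(z, lvconcat(b"STS.KAA.1", id_sm, id_kmc, tvp))
    return dkm[:24], dkm[24:48]

def sm_build_request(d_sm, d_e, q_kmc, id_sm, id_kmc, tvp, hwid, fwid):
    # SM side (section 14): returns the request fields, the pending KEK and the
    # expected KMC tag that the SM must store to verify the Key Load Response.
    if not validate_key(q_kmc):
        raise ValueError("SM.1B: Bad PUBKEY_KMC: public key Q_KMC failed full validation")
    q_e_str = point_to_octets(mul(d_e, G))
    z = ecc_cdh(d_e, q_kmc) + ecc_cdh(d_sm, q_kmc)          # Z = ZE || ZS
    mac_key, kek = derive_keys(z, id_sm, id_kmc, tvp)
    mac_tag_sm = hmac_sha384_192(mac_key, lvconcat(b"U_2", id_sm, id_kmc, q_e_str, tvp, hwid, fwid))
    exp_mac_tag_kmc = hmac_sha384_192(mac_key, lvconcat(b"V2", id_kmc, id_sm, tvp, q_e_str))
    req = dict(IDSM=id_sm, IDKMC=id_kmc, TVPKMC=tvp, HWID=hwid, FWID=fwid,
               QEHEX=q_e_str.hex().upper(), MacTagSMHEX=mac_tag_sm.hex().upper())
    return req, kek, exp_mac_tag_kmc

def kmc_process_request(d_kmc, q_sm, req):
    # KMC HSM side (section 15): recompute Z, check the SM's tag in constant time,
    # then return the KEK and the KMC's own tag for the VKLOADRESP.
    q_e_str = bytes.fromhex(req["QEHEX"])
    if len(q_e_str) != 97 or q_e_str[0] != 4:
        raise ValueError("KMC.2B: Bad VKLOADREQ: bad representation for Q_E")
    q_e = (int.from_bytes(q_e_str[1:49], "big"), int.from_bytes(q_e_str[49:], "big"))
    if not validate_key(q_e):
        raise ValueError("KMC.2B: Bad VKLOADREQ: ephemeral public key Q_E failed full validation")
    z = ecc_cdh(d_kmc, q_e) + ecc_cdh(d_kmc, q_sm)
    mac_key, kek = derive_keys(z, req["IDSM"], req["IDKMC"], req["TVPKMC"])
    exp_tag_sm = hmac_sha384_192(mac_key, lvconcat(b"U_2", req["IDSM"], req["IDKMC"], q_e_str,
                                                   req["TVPKMC"], req["HWID"], req["FWID"]))
    if not hmac.compare_digest(exp_tag_sm, bytes.fromhex(req["MacTagSMHEX"])):
        raise ValueError("KMC.2B: Bad VKLOADREQ: bad key confirmation from SM")
    mac_tag_kmc = hmac_sha384_192(mac_key, lvconcat(b"V2", req["IDKMC"], req["IDSM"], req["TVPKMC"], q_e_str))
    return kek, mac_tag_kmc

def demo_exchange(tamper_hwid=False):
    # Constructed vectors: scalars from fixed seeds (a real device uses its HSM RBG).
    # Returns (kek_sm, kek_kmc, whether the KMC tag matches the SM's expectation).
    def scalar(seed):
        return int.from_bytes(hashlib.sha384(seed).digest(), "big") % (N - 1) + 1
    d_sm, d_kmc, d_e = scalar(b"sm static"), scalar(b"kmc static"), scalar(b"sm ephemeral")
    q_sm, q_kmc = mul(d_sm, G), mul(d_kmc, G)
    req, kek_sm, exp_tag_kmc = sm_build_request(d_sm, d_e, q_kmc, b"<IDSM record>", b"<IDKMC record>",
                                                b"20130601T120000Z", b"ACME.M1.R2", b"FW.1.0")
    if tamper_hwid:
        req["HWID"] = b"ACME.M1.R3"   # any in-transit change to a MAC'd field breaks confirmation
    kek_kmc, tag_kmc = kmc_process_request(d_kmc, q_sm, req)
    return kek_sm, kek_kmc, hmac.compare_digest(exp_tag_kmc, tag_kmc)
```

The static-static term ZS is what authenticates the SM: only the holder of dSM (certified by the Manufacturer) and the holder of dKMC can compute it, while the ephemeral term ZE gives each request a fresh KEK. Binding HWID, FWID and TVPKMC into MacDataSM means the KMC's Approved-list and replay checks operate on values the SM itself committed to, not on values a relay could edit.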
MS
62
COP
PYRIGHT © 201
15. KMWheperfoVend
Input
Softw
3, STS ASSOCIA
MC Vendn a KMC rec
orm the follding Keys to t
t:
KMCID a VKLOADR
ware process
Log the SHOULD
Parse Vretrieve types of
If parsingcause).
Parse REVerify typ
If parsing
The Finge
If REQ_Kwrong KM
If REQ_IDPUBKEY_
Parse REUID, and
If parsing
The Finge
Find in thand UID.
If no mPUBKEY_
Parse PUIssuer. Ve
If parsingcause).
ATION.
ding Keyceives a Venlowing procethe SM.
nd IDKMC (botREQSM
s (error prefix
Load Requecontain all o
VKLOADREQSM
REQ_IDSM, Rretrieved fie
g fails then F
Q_IDKMC usinpes of retriev
g fails then FA
erprint of RE
KMCID ≠ KMMC”). DKMC ≠ IDKMC
_KMC”). EQ_IDSM usin
Serial. Verify
g fails then FA
erprint of RE
he KMC data This PUBKE
matching PU_SM found fo
UBKEYSM usinerify types o
g fails then
y Load Rnding Key Loess to authe
th known to
x “KMC.2A”)
st to the KMother fields o
M using PAREQ_IDKMC, Tlds.
FAIL(“KMC.2A
ng PARSE-REved fields.
AIL(“KMC.2A
EQ_IDKMC is ve
CID then FA
C then FAIL(
ng PARSE-REy types of re
AIL(“KMC.2A
EQ_IDSM is ve
abase the PUEYSM was secu
BKEY is fouor SM; KMC m
ng PARSE-REf retrieved fi
FAIL(“KMC.2
Responsead Request enticate the
the KMC)
):
MC audit logof VKLOADREARSE-RECORTVPKMC, HWI
A: Bad VKLO
CORD(“KMC
A: Bad VKLOA
erified later b
AIL(“KMC.2A:
(“KMC.2A: B
ECORD(“SMIetrieved field
A: Bad VKLOA
rified later b
BKEYSM and urely distribu
und then Fmay need up
ECORD(“PKECields.
2A: Error in
STS
e (VKLOADREQ
e SM, estab
g (the log SHEQSM). D(“VKLOAD.ID, FWID, Q
OADREQ: fail
CID.1”, 4, REQ
ADREQ: faile
by compariso
: Bad VKLOA
Bad VKLOAD
D.1”, 4, IDSM
ds.
ADREQ: faile
by compariso
LastTVPKMC auted to the K
AIL(“KMC.2Apdate file from
CDH.1”, 5, P
KMC data:
600-4-1 Ed 1
Q) from an Slish a share
HOULD NOT
.REQ.1”, 7, QEHEX, and M
led to parse
Q_IDKMC) to r
ed to parse ID
on against a
ADREQ: key
REQ: key lo
M) to retriev
ed to parse ID
on against a k
associated wKMC by the S
A: KMC datm SM manuf
PUBKEYSM), t
failed to pa
1.1 : STS – En
SM, that KMed KEK, and
T contain QE
VKLOADREMacTagSMHE
VKLOADREQ
retrieve REQ
D_KMC;” ∥ ca
a known IDKM
load reques
ad request
ve MANUFA
D_SM;” ∥ cau
known IDSM.
with MANUFASM Manufac
ta out of dfacturer”).
to retrieve
arse PUBKE
nhanced KM
PAGE 38 OF 6
MC SHALL transfer
HEX, but
EQSM) to X. Verify
Q_SM;” ∥
Q_KMCID.
ause).
MC.
t sent to
used old
ACTURER,
use).
ACTURER cturer.
date: no
IDSM and
Y_SM;” ∥
MS
62
COP
PYRIGHT © 201
KMC
3, STS ASSOCIA
If REQ_Irequestin
Find in tPUBKEYM
KMC HSM
If no maIssuer for
If TVPKMC
VKLOADR The KMC
time (accwindow o
If TVPKM
timestam
If HWID hardware
If FWID ifirmware
HSM firmwa
Input: PU Check ty
and MacT
If type ccause).
Set QESTRSet QE = O
If conver
Verify thcertificat
Parse PUQMANHEX
If parsingcause).
Set QMAN
If conveQ_MAN”
Parse IDM
fields. Ve
ATION.
DSM ≠ IDSM ng ID_SM anthe KMC da
MAN was distrM under dua
atching PUBr PUBKEY_SM
C ≤ LastTVPREQ_SM; posC SHOULD chcording to thof (now – 30
C is outsidemp (TVP) outs
is not in thee model not is not in the
e not approve
are process (
UBKEYMAN, PUpes of inputTagSMHEX (4
checking fail
R = BASE16-DOctet-String-
sion fails the
hat PUBKEYM
te PUBKEY_MUBKEYMAN usX and ExpiryM
g fails then
= Octet-Stri
rsion fails ”).
MAN using PAerify types of
then FAIL(d database; atabase the ributed to thl control (see
KEYMAN is foM; cannot va
KMC then FAssible out-of
heck that TVhe system clo0 days) to (no
e the accepside accepta
e list of Appapproved”).
e list of Apped”).
(error prefix
UBKEYSM, IDK
s TVPKMC (TIM8H).
s then FAIL
DECODE(QEH-to-Point(QES
en FAIL(“KMC
MAN is a truMAN is not tr
ing PARSE-RMAN. Verify ty
FAIL(“KMC.2
ng-to-Point(
then FAIL(“
RSE-RECORDf retrieved fie
“KMC.2A: KKMC may hatrusted PU
he KMC by te sections 13
ound then Falidate certifi
AIL(“KMC.2A:f-order requePKMC is withiock). The wow + 3 days)
ptable windable window;
roved HWID
proved FWID
“KMC.2B”):
KMC, TVPKMC, HMESTAMP),
(“KMC.2B: B
HEX). STR).
C.2B: Bad VK
usted certificrusted”). RECORD(“PKEpes of retrie
2B: Error in K
BASE16-DEC
“KMC.2B: Er
D(“SMMAN.1elds.
STS
KMC data oave old PUBK
UBKEYMAN asthe SM Man3.D.1 and 11
FAIL(“KMC.2Aicate”).
: Bad VKLOAest or replay”n an accept
window SHOUis RECOMM
ow then FA; possible del
Ds then FAIL
Ds then FAIL(
HWID, FWID,HWID (IDEN
Bad VKLOAD
KLOADREQ: b
cate or FAIL
ECDSA.1”, 5ved fields.
KMC data: f
CODE(QMANH
rror in KMC
1”, 4, IDMAN)
600-4-1 Ed 1
ut of date: KEY_SM”). ssociated wiufacturer an
1.A).
A: Error in K
ADREQ: old ”). able windowULD be softwENDED.
AIL(“KMC.2Alayed or futu
(“KMC.2A: B
(“KMC.2A: B
, QEHEX, MaT), FWID (ID
DREQ: bad e
bad represen
L(“KMC.2B:
, PUBKEYMAN
failed to par
EX)).
C data: bad
to retrieve F
1.1 : STS – En
mismatch
th the issuend introduce
KMC data: u
timestamp
w around theware configu
A: Bad VKLOure-dated req
Bad VKLOAD
Bad VKLOAD
acTagSMHEX. DENT), QEHEX
encoding in
ntation for Q_
Error in KM
N), to retriev
rse PUBKEY_
d representa
Fingerprint a
nhanced KM
PAGE 39 OF 6
between
er. This ed to the
unknown
(TVP) in
e current urable. A
OADREQ: quest”).
REQ: SM
REQ: SM
X (194H),
input;” ∥
Q_E”).
MC data:
ve IDMAN,
MAN;” ∥
ation for
nd other
MS
62
COP
PYRIGHT © 201
3, STS ASSOCIA
If parsing
Verify thFAIL(“KM
Parse PUQSMHEX,
If parsingcause).
Set QSM =
If conver
Parse IDS
other fie
If parsing
Verify thFAIL(“KM
If Issuer certificat
If SerialScertificat
If ExpiryS
verifying Retrieve
integrity.
If the infailure”).
If ExpiryK
KMC keys Parse IDK
and Finge
If parsing
Verify thFAIL(“KM
Retrieve
If the incorrupt”)
Use VALIkey.
ATION.
g fails then FA
he FingerprinMC.2B: Error i
UBKEYSM usExpirySM, Iss
g fails then
= Octet-Strin
sion fails the
SM using PARlds. Verify ty
g fails then FA
he FingerprinMC.2B: Error i
≠ IDMAN thte; wrong IssSM > Expiryte; Serial posSM is less thaVKLOADREQfrom secure
.
ntegrity che
KMC is less ths: PUBKEY_KKMC using PAerprint. Veri
g fails then FA
he FingerprinMC.2B: Bad K
NIST P-384 d
ntegrity che).
DATE-KEY(Q
AIL(“KMC.2B
nt using thein KMC data
ing PARSE-Ruer and Sign
FAIL(“KMC.2
g-to-Point(B
en FAIL(“KMC
RSE-RECORDypes of retrie
AIL(“KMC.2B
nt using thein KMC data
hen FAIL(“KMuer key presMAN then FAtdates Issueran the curreQ: SM certifice storage the
ck fails the
han the currKMC has expiARSE-RECORify types of r
AIL(“KMC.2B
nt using theKMC keys: ba
domain para
eck fails the
QMAN) to prov
B: Error in KM
retrieved f: bad fingerp
RECORD(“PKnature. Verify
2B: Error in
ASE16-DECO
C.2B: Error in
D(“SMID.1”, 4eved fields.
B: Error in KM
e retrieved f: bad fingerp
MC.2B: Erroented”). AIL(“KMC.2Br expiry”). ent time (frocate is expiree values dKM
n FAIL(“KM
rent time (frired”). D(“KMCID.1”retrieved fiel
B: Bad KMC k
e retrieved fd fingerprint
ameters and
e FAIL(“KMC
ide assuranc
STS
MC data: faile
fields and Qprint in ID_M
KECDH.1”, 5y types of re
KMC data:
ODE(QSMHEX
n KMC data:
4, IDSM) to r
MC data: faile
fields and Qprint in ID_SM
or verifying
B: Error ver
om the HSMed”).
MC, QKMC, Exp
MC.2B: Bad K
rom the HSM
”, 4, IDKMC) ds.
keys: failed t
fields and Qt in ID_KMC”
check their i
C.2B: Bad K
ce of validity
600-4-1 Ed 1
ed to parse I
MAN (see PKMAN”).
, PUBKEYSM
trieved field
failed to pa
)).
bad represe
retrieve Seria
ed to parse I
QSM (see PKIM”).
VKLOADREQ
rifying VKLO
M RTC) then
iryKMC and ID
KMC keys:
M RTC) then
to retrieve
o parse ID_K
QKMC (see PK”).
integrity.
KMC keys:
of the SM M
1.1 : STS – En
ID_MAN;” ∥
ID, section
), to retries.
arse PUBKEY
entation for Q
alSM, Fingerp
ID_SM;” ∥ ca
ID, section 1
Q: cannot ve
OADREQ: inv
FAIL(“KMC.2
DKMC, and ch
stored key
n FAIL(“KMC
SWID, KMCI
KMC;” ∥ caus
ID, section 1
domain par
Manufacture
nhanced KM
PAGE 40 OF 6
cause).
10.A), or
eve IDSM,
Y_SM;” ∥
Q_SM”).
print and
ause).
10.A), or
erify SM
valid SM
2B: Error
eck their
integrity
C.2B: Bad
ID, Serial
se).
10.A), or
rameters
r’s public
MS
62
COP
PYRIGHT © 201
3, STS ASSOCIA
If validatvalidatio
Verify Sig
If SignatuSM certif
Use VALI
If validatvalidatio
Use VALI
If validatvalidatio
Check thFR, a, b, QKMC’ = d
If dKMC iprivate/p
Use VALI
If validatfull valida
Set ZE = E
On error
Set ZS = E
On error
Set Z = ZE
Construc Set DKM
On error
Set MacKDKM as M
Construc
Then com
On errorExpMacT
If MacTFAIL(“KM
ConstrucATION.
tion fails then”).
gnature of PU
ure is invalid ficate”).
DATE-KEY(Q
tion fails thn”).
DATE-KEY(Q
tion fails thn”).
at the KMC hG, n, h) = NKMC G (scalar
is out of rapublic key mi
DATE-KEY(Q
tion fails theation”).
ECC-CDH(dKM
FAIL(“KMC.2
ECC-CDH(dKM
zeroise ZE an
E ∥ ZS then zect SharedInfo
= KDF-X963
zeroise Z an
Key192 ∥ KEK1
MacKey, andct MacDataSM
mpute ExpM
r zeroise MTag_SM gene
TagSMHEX ≠MC.2B: Bad Vct MacDataKM
en FAIL(“KM
UBKEYSM usin
then FAIL(“K
QSM) to provid
en FAIL(“KM
QKMC) to provi
hen FAIL(“KM
has the correIST P-384, chr multiplicati
ange or QK
ismatch”).
QE) to provide
en FAIL(“KM
MC, QE).
2B: Error ver
MC, QSM).
nd FAIL(“KM
eroise ZE ando = LVCONCA-SHA-384(Z,
nd FAIL(“KMC
192 = DKM384
d the remaini
M = LVCONCA
acTagSM = H
MacKey and eration fault
BASE16(ExVKLOADREQ:
MC = LVCONC
MC.2B: Error
ng QMAN as d
KMC.2B: Erro
de assurance
MC.2B: Error
ide assuranc
MC.2B: Bad
ect value forheck that dK
on of a poin
MC’ ≠ QKMC
e assurance o
C.2B: Error
rifying VKLOA
MC.2B: Error v
ZS. AT(“STS.KAASharedInfo,
C.2B: Error ve
then zeroiseing 192 bits oAT(“U_2”, ID
MAC-SHA-38
KEK, then t”).
xpMacTagSM
bad key confCAT(“V2”, IDK
in KMC dat
escribed in s
or verifying V
e of validity o
r in KMC da
ce of validity
d KMC keys
r its private kKMC is in the t on an ellipt
then FAIL(“
of validity of
verifying VK
ADREQ: ephe
verifying VKL
.1”, IDSM, IDK
384) then ze
erifying VKLO
e DKM. Thatof DKM as K
DSM, IDKMC, QE
84-192(MacK
FAIL(“KMC.2
) then zernfirmation fro
KMC, IDSM, TV
ta: public ke
section 10.B.
VKLOADREQ
of the SM’s p
ata: public k
of the KMC’
: public key
key: using dorange [1, n-1tic curve).
“KMC.2B: Ba
f the SM’s ep
KLOADREQ: p
emeral CDH f
LOADREQ: st
KMC, TVPKMC). eroise Z.
OADREQ: KD
t is, take theEK, then zeroSTR, TVPKMC,
Key, MacDat
2B: Error ve
roise MacKom SM”). PKMC, QESTR)
ey Q_MAN f
.
: invalid sign
public key.
key Q_SM fa
s public key.
y Q_KMC fa
omain param1] and if so
ad KMC ke
phemeral pub
public key Q_
fault”).
atic CDH fau
DF fault”).
e leftmost 19oise DKM. , HWID, FWI
taSM).
erifying VKLO
Key and K
.
failed full
nature on
ailed full
ailed full
meters (q, compute
ys: KMC
blic key.
_E failed
ult”).
92 bits of
D ).
OADREQ:
EK, and
Mixefirmw
Then com
On erroVKLOADR
Set MacT Construc
VKLOADRMacTagK
Securely KEK will b
Output V
ed software ware):
Store TVFAIL(“KM
Create a the first r
Find all V
For each
o Ut
o Ao U
t Log the
VKLOADR Send the
mpute MacTa
r zeroise MRESP: MacTa
TagKMCHEX (tyct the VendinRESPKMC = BUMCHEX). store KEK.
be used to wVKLOADRESP
and SM firm
VPKMC as LMC.2C: Error c
Key Load Firecord.
Vending Keys
authorised v
Use the KMCthe KEK – for For a
recor Error
Append the WUpdate the Kthe SM (idenLoad Respo
RESPKMC). Key Load Fi
agKMC = HMA
MacKey, KEKag_KMC gene
ype 48H) = Bng Key Load RUILD-RECORD
wrap VendingPKMC.
mware proce
LastTVPKMC creating VKLile as a file-o
s authorised
vending key
C HSM to bur the VK and a given KEKrds have distrs raised durWRAPPED-KEKMC databatified by MA
onse to the
ile to the SM
AC-SHA-384-
K and Maceration fault
BASE16(MacTResponse: D(“VKLOAD.R
g Keys for tra
ess (error pre
associated LOADRESP: LAof-records (A
for use with
VK:
ild a WRAPPassociated a
K, the KMC tinct Noncesing this procEY to the Keyse and audit
ANUFACTUREKMC audit
M (for exampl
192(MacKey
TagSM, thent”).
TagKMC)
RESP.1”, 4, ID
ansfer to the
efix “KMC.2C
with SM MAST_TVP_KM
Appendix G),
the SM (by
PED-KEY recoattributes. HSM SHALL.
cess SHOULDy Load File.t log to refleER and UID).
log (the lo
le as an e-ma
y, MacDataK
n FAIL(“KMC
DKMC, IDSM, TV
SM.
C” for softw
MANUFACTUMC storage e and add the
MANUFACTU
ord (section
L ensure tha
D use the erro
ect the distr
og SHOULD
ail attachme
MC).
C.2B: Error
VPKMC,
ware or “KMC
URER and error” ∥ cause VKLOADRE
URER and UI
10.E) – prot
at all WRAP
or prefix “KM
ribution of th
contain all
ent).
creating
C.2D” for
UID, or e).
ESPKMC as
ID).
tected by
PPED-KEY
MC.2D”.
he VK to
fields of
16. SMWheperfoVend
Input
Mixefirmw
M KEK Con an SM rec
orm the folloding Keys to t
t:
Key LoaWRAPPE
ed software ware):
Parse Key
If parsing∥ cause).
The SM So Io R
Ec
Ifa
o So If
ao P
VM
IfV
o PR
Ifc
o R
Iff
o Ifa
onfirmaceives a Vendowing procesthe SM.
ad File (fiD-KEY record
and SM firm
y Load File t
g fails or if t
SHALL perfornput: VKLOA
Retrieve froExpMacTagKM
check their in
f the integragreement se
Set NOW to tf TVPKMC < (N
agreement seParse VKVKLOADRESPMacTagKMCHE
f parsing VKLOADRESP
Parse IDKM
RESP_Fingerp
f parsing faicause).
Retrieve from
f the integrifailure”).
f RESP_IDSM a different SM
ation anding Key Loass to authen
le-of-recordds.
mware proc
o recover VK
the file check
rm the followADRESPKMC.om secure sMC (all storedntegrity.
ity check faession integr
the current tNOW – 60 dession timeoLOADRESPKM
PKMC), to rEX. Verify typ
fails then P_KMC;” ∥ ca
C using printKMC. Ver
ils then FAIL
m secure sto
ity check fai
≠ IDSM then M”).
d Vendiad Responsenticate the K
s) containin
cess (error p
KLOADRESPK
ksum is inco
wing process
storage thed while gen
ils then FAIrity failure”).
time accordiays) then FA
out”). MC using retrieve REpes of retriev
FAIL(“SM.3ause).
PARSE-RECOrify types of r
L(“SM.3B: Ba
rage the IDSM
ils then FAIL
FAIL(“SM.3B
ing Key Ie (VKLOADREMC, confirm
ng VKLOAD
prefix “SM.3A
MC and WRA
orrect then F
to finish est
e values KEerating the
L(“SM.3B: E.
ng to the SMAIL(“SM.3B: E
PARSE-RESP_IDKMC, ved fields.
3B: Bad V
ORD(“KMCIDretrieved fie
ad VKLOADR
M, and check
L(“SM.3B: Ba
B: Destinatio
Import ESP) from a
m the shared
DRESPKMC a
A” for softw
PPED-KEY re
FAIL(“SM.3A:
tablishing the
EK, FingerprVKLOADREQ
Error verifyin
M’s RTC. Error verifyin
RECORD(“VKLRESP_IDSM,
VKLOADRESP
.1”, 4, IDlds.
RESP: failed
k its integrity
ad SM keys:
n error: VKL
KMC, that SKEK, and im
nd zero o
ware or “SM
ecords.
: Bad Key Lo
e KEK:
rintKMC, TVPQSM, section
ng VKLOADR
ng VKLOADR
LOAD.RESP.1RESP_TVPK
P: failed to
DKMC) to
to parse ID_
.
stored key
OADRESP_KM
M SHALL mport the
or more
M.3B” for
oad File;” KMC, and 14) and
RESP: key
RESP: key
1”, 4, KMC and
o parse
retrieve
_KMC;” ∥
integrity
MC is for
o IfVK
Tt
o If(
o Ifb
o ZUI
o O For each
WRAPPEo To T
vK
o Ttc
o TA
o TP
Once all software
o Ti
o Tm
f RESP_FingVKLOADRESPKMC)”).
This partial cto identify an
f RESP_TVPK
(TVP) in VKLOf MacTagKMC
bad key confiZeroise TVPKM
Update the KDKMC or elem
Output a such Vending KD-KEY record
The WRAPPEThe SM SHAverify the intKey. The SM SHAthat this valcircumstanceThe SM SHAAttributes, anThe SM SHAPrerequisites
required Ve SHALL instrThe SM SHAmported.
The SM MAmanagement
gerprintKMC ≠P_KMC is fo
check on IDKM
nd correct so
KMC ≠ TVPKMC
OADRESP_KMCHEX ≠ BASEfirmation fromMC and ExpM
KEK status flaments thereof
cess indicatoKey requiredd) SHALL be
ED-KEY recorALL use AEStegrity of the
LL protect thue is not ex
es. ALL protectnd SHALL en
ALL securely s: SM (sectionVending Keysuct the SM t
ALL zeroise t
AY retain IDt.
≠ Fingerprinor a differen
MC is not requome Vending
then FAIL(“MC; possible 16(ExpMacTm KMC”).
MacTagKMC froag to indicatef are not secor. d by the SMimported intd may be pa
S-192-CCMDE
e Vending Ke
he cleartext xposed outs
t the assocsure that Attstore the V
n 12.A) for ps have beenhat key tran
the KEK, pre
DKMC or ele
ntKMC then nt key agree
uired for protKey Load Re
“SM.3B: Bad expired or o
TagKMC) then
om secure ste that the KEurity sensitiv
M Operator, to the SM: rsed by softwC(KEK, Nonc
ey and Attrib
value of theside the cryp
iation betwtributes and Vending Keyermitted secn imported sfer is comp
eventing furt
ements ther
FAIL(“SM.3Bement sessio
tocol securityesponse man
VKLOADRESout-of-order r
FAIL(“SM.3B
torage. EK may be usve and may b
the protec
ware or by tce, Attributebutes and to
e Vending Keptographic b
ween the Venot substitu
y and associcure storage
the SM Oplete: ther WRAPP
reof to ass
B: Destinatioon (with a
y – its presennagement err
SP: wrong timresponse”). B: Bad VKLO
sed. be retained.
cted Vending
he SM. es, Protectedecrypt the
ey and SHALboundary un
ending Key uted or modiated Attributechniques.
perator or o
PED-KEYs fro
sist in Vend
on error: different
nce helps rors.
mestamp
OADRESP:
g Key (a
dKey) to Vending
LL ensure nder any
and its ified. utes. See
operating
om being
ding Key
17. End-of-life and key compromise procedures

When any participating entity in the STS Key Management infrastructure reaches end-of-life, or the secret key material of that entity is compromised or suspected to be compromised, certain actions must be taken to ensure the integrity of the Key Management System.

This section details the essential aspects of end-of-life and key compromise procedures for various entities. All SM Manufacturers and KMCs SHALL have documented procedures for handling end-of-life and key compromise. Such procedures SHALL include at minimum the relevant actions specified in this section. KMCs SHALL require SM Operators to follow documented SM Manufacturer procedures as a condition of service.

17.A. SM Manufacturer

17.A.1. End-of-life

- The SM Manufacturer SHALL destroy its private ECDSA key dMAN.
- The Manufacturer SHALL notify the STSA and all KMCs that it will not be producing further SMs.
- KMCs SHALL NOT accept further PUBKEYSM updates from the SM Manufacturer.
- There is no need to revoke the Manufacturer’s public key certificate PUBKEYMAN – existing SMs can continue to establish KEKs with the KMC until they reach end-of-life or the Manufacturer’s private ECDSA key dMAN is compromised.

17.A.2. Storage Master Key (SMK) or private ECDSA key (dMAN) compromise

- The SM Manufacturer MAY create a self-signed key revocation certificate using its private ECDSA key dMAN. The details of such a revocation certificate are beyond the scope of this document.
- The Manufacturer SHALL destroy its private ECDSA key dMAN.
- The Manufacturer SHALL notify the STSA of the (suspected) key compromise.
- The Manufacturer SHALL notify all KMCs that they can no longer trust the certificate PUBKEYMAN. KMCs SHALL revoke trust in the certificate.
- The Manufacturer SHALL follow the Manufacturer Setup process (section 11) to generate and distribute a new PUBKEYMAN-NEW.
- The Manufacturer SHALL investigate the integrity of its database of PUBKEYSM certificates and SHALL publish new certificates (signed by the Manufacturer’s new private key) for those PUBKEYSM records found to be trustworthy (that is, existing certificates will be re-signed).

17.B. SM

17.B.1. End-of-life

- The SM Operator SHALL follow the documented Manufacturer procedure to destroy all secret data in the SM.
- The SM Operator SHALL notify the SM Manufacturer (possibly via a KMC) that the SM has been decommissioned.
- The SM Manufacturer SHALL publish a suitable revocation certificate to all KMCs. See SM PUBKEY publication (section 12.C).

17.B.2. Private ECC CDH key (dSM) compromise

- The SM Operator SHALL follow the documented Manufacturer procedure to destroy all secret data in the SM.
- The Operator SHALL decommission the SM (see 17.B.1) or return the SM to the Manufacturer for maintenance.
- The Operator SHALL notify all KMCs of the compromise, and SHALL include logs of all legitimate Vending Key Load Requests sent by the SM (at minimum logs of Load Requests since the suspected date of compromise).
- All affected KMCs SHALL review their audit logs in conjunction with the logs of legitimate Load Requests supplied by the SM Operator to determine if unauthorised Vending Key Load Requests have been processed.
  - If unauthorised requests have been processed then the KMC(s) SHALL identify the affected Vending Keys and treat them as compromised (see 17.B.3).
  - If no unauthorised requests have been processed then no further action is required. The secrecy of Vending Keys is still protected by the SM’s cryptographic boundary and the forward secrecy property of the KEK agreement protocol.

17.B.3. Storage Master Key (SMK) or Vending Key (VK) compromise

- The SM Operator SHALL determine the originating KMCs of the compromised VK(s).
- The SM Operator SHALL notify the STSA and originating KMCs of the compromise.
- KMCs SHALL proceed according to their procedures for VK compromise (section 17.C.2).

17.C. KMC

17.C.1. End-of-life

- The KMC SHALL notify the STSA and all SM Manufacturers that it will be ceasing operation.
- The KMC SHALL send a notice to all SM Operators that use its services. Operators SHOULD NOT make further use of the KMC’s certificate PUBKEYKMC.
- The KMC SHALL send a notice to all SG Owners that rely on its services. It will be necessary to migrate Supply Group keys and data to another KMC. The details of such a migration are beyond the scope of this document.
- The KMC SHALL destroy its private ECC CDH key dKMC, its Storage Master Key (SMK), all key components and key backups, and all data backups.

17.C.2. Key compromise

The compromise or suspected compromise of keys protected by or used by the KMC has a broad impact on the STS Key Management infrastructure, and is beyond the scope of this document.

KMC standards SHALL specify procedures or procedural requirements to handle the event in which any of the following keys are compromised or suspected to be compromised:

- The KMC’s ECC CDH private key (dKMC);
- The KMC’s Storage Master Key (SMK) or any component thereof;
- One or more Vending Keys (VKs) for Supply Groups served by the KMC.

Such procedures SHALL include notification of the STSA, affected SG Owners, and affected SM Operators.
A. Normative References

[FIPS PUB 186-3] Digital Signature Standard (DSS), June 2009 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
[IEC 62055-41] IEC 62055-41:2007 Electricity metering -- Payment systems -- Part 41: Standard transfer specification (STS) -- Application layer protocol for one-way token carrier systems
[ISO 8601] ISO 8601:2004 Data elements and interchange formats -- Information interchange -- Representation of dates and times
[ISO 10118-3] ISO/IEC 10118-3:2004 Information technology -- Security techniques -- Hash-functions -- Part 3: Dedicated hash-functions
[ISO 11770-3] ISO/IEC 11770-3:2008 Information technology -- Security techniques -- Key management -- Part 3: Mechanisms using asymmetric techniques
[ISO 14888-3] ISO/IEC 14888-3:2006 Information technology -- Security techniques -- Digital signatures with appendix -- Part 3: Discrete logarithm based mechanisms
[ISO 15946-1] ISO/IEC 15946-1:2008 Information technology -- Security techniques -- Cryptographic techniques based on elliptic curves -- Part 1: General
[ISO 18033-2] ISO/IEC 18033-2:2006 Information technology -- Security techniques -- Encryption algorithms -- Part 2: Asymmetric ciphers
[ISO 18033-3] ISO/IEC 18033-3:2010 Information technology -- Security techniques -- Encryption algorithms -- Part 3: Block ciphers
[ISO 19772] ISO/IEC 19772:2009 Information technology -- Security techniques -- Authenticated encryption
[ISO 9797-2] ISO/IEC 9797-2:2011 Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 2: Mechanisms using a dedicated hash-function
[NIST SP800-56A] NIST Special Publication 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007 http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
[NIST SP800-108] NIST Special Publication 800-108 Recommendation for Key Derivation Using Pseudorandom Functions, October 2009 http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf
[RFC 4648] The Base16, Base32, and Base64 Data Encodings, October 2006 http://tools.ietf.org/html/rfc4648#section-8

B. Bibliography

[ANSI X9.62] ANSI X9.62-2005 Public Key Cryptography for the Financial Services Industry -- The Elliptic Curve Digital Signature Algorithm (ECDSA)
[ANSI X9.63] X9.63-2001 Public Key Cryptography for the Financial Services Industry -- Key Agreement and Key Transport Using Elliptic Curve Cryptography
[ANSI X9.82] ANSI X9.82-1:2006 Random Number Generation -- Part 3: Deterministic Random Bit Generator Mechanisms
[ANSI X9.102] ANSI X9.102:2008 Symmetric Key Cryptography For the Financial Services Industry -- Wrapping of Keys and Associated Data, June 2008
[CM10] Chen & Mitchell, “Parsing ambiguities in authentication and key establishment protocols”, 2010
[CRC-CAT] CRC RevEng: Catalogue of parametrised CRC algorithms (MODBUS) http://reveng.sourceforge.net/crc-catalogue/16.htm#crc.cat.modbus
[FIPS PUB 140-2] Security Requirements for Cryptographic Modules, May 2001 http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
[FIPS PUB 180-4] Secure Hash Standard (SHS), March 2012 http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
[FIPS PUB 197] Advanced Encryption Standard (AES), November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[FIPS PUB 198-1] The Keyed-Hash Message Authentication Code (HMAC), July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
[ISO 9798-4] ISO/IEC 9798-4:1999 Information technology -- Security techniques -- Entity authentication -- Part 4: Mechanisms using a cryptographic check function
[ISO 10116] ISO/IEC 10116:2006 Information technology -- Security techniques -- Modes of operation for an n-bit block cipher
[ISO 11568-2] ISO 11568-2:2005 Banking -- Key management (retail) -- Part 2: Symmetric ciphers, their key management and life cycle
[ISO 11770-2] ISO/IEC 11770-2:2007 Information technology -- Security techniques -- Key management -- Part 2: Mechanisms using symmetric techniques
[ISO/TR 14742] ISO/TR 14742:2010 Financial services -- Recommendations on cryptographic algorithms and their use, July 2010
[ISO 18031] ISO/IEC 18031:2011 Information technology -- Security techniques -- Random bit generation
[ISO 19790] ISO/IEC 19790:2012 Information technology -- Security techniques -- Security requirements for cryptographic modules
[ITU X.680] Information technology -- Abstract Syntax Notation One (ASN.1): Specification of basic notation, July 2002 http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
[Lammert] On-line CRC calculation and free library http://www.lammertbies.nl/comm/info/crc-calculation.html
[NIST SP800-38C] NIST Special Publication 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality, July 2007 http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
[NIST SP800-57 Part 1] NIST Special Publication 800-57 Recommendation for Key Management -- Part 1: General (Revised), March 2007
[NIST SP800-90] NIST Special Publication 800-90 Recommendation for Random Number Generation Using Deterministic Random Bit Generators, January 2012 http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A
[NIST SP800-131A] NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, January 2011
[NIST SP800-152 DRAFT] Requirements and Desirable Features of U.S. Federal Cryptographic Key Management Systems, DRAFT August 2012
[NISTIR 7628] Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010
[PCI HSM] Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Security Requirements, Version 2.0, May 2012
[POSIX RE] Wikipedia: Regular expression (POSIX) http://en.wikipedia.org/wiki/Regular_expression#POSIX
[RFC 2104] HMAC: Keyed-Hashing for Message Authentication, February 1997 http://www.ietf.org/rfc/rfc2104.txt
[RFC 2119] Key words for use in RFCs to Indicate Requirement Levels, March 1997 http://www.ietf.org/rfc/rfc2119.txt
[RFC 2144] The CAST-128 Encryption Algorithm, May 1997 http://www.ietf.org/rfc/rfc2144.txt
[RFC 2994] A Description of the MISTY1 Encryption Algorithm, November 2000 http://tools.ietf.org/html/rfc2994
[RFC 3610] Counter with CBC-MAC (CCM), September 2003 http://www.ietf.org/rfc/rfc3610.txt
[RFC 4648] The Base16, Base32, and Base64 Data Encodings, October 2006 http://tools.ietf.org/html/rfc4648#section-8
[RFC 5869] HMAC-based Extract-and-Expand Key Derivation Function (HKDF), May 2010 http://tools.ietf.org/html/rfc5869
[ROCKSOFT] A PAINLESS GUIDE TO CRC ERROR DETECTION ALGORITHMS, August 1993 http://www.ross.net/crc/download/crc_v3.txt
[SANS 1524-10] SANS 1524-6-10:2010 Electricity payment systems -- Part 6-10: Interface standards -- Online vending server -- Vending clients
[SEC 1] SEC1: Elliptic Curve Cryptography version 2.0, May 2009 http://www.secg.org/download/aid-780/sec1-v2.pdf
[SEC 2] SEC 2: Recommended Elliptic Curve Domain Parameters version 2.0, January 2010 http://www.secg.org/download/aid-784/sec2-v2.pdf
[STS COP 402-1] STS COP 402-1:2011 Standard Transfer Specification (STS) -- CODE OF PRACTICE FOR THE MANAGEMENT OF TOKEN ID ROLLOVER
[W:ASC] Wikipedia: ASCII http://en.wikipedia.org/wiki/ASCII
[W:BCD] Wikipedia: Binary-coded decimal http://en.wikipedia.org/wiki/Binary-coded_decimal
[W:CERT] Wikipedia: Public key certificate http://en.wikipedia.org/wiki/Public_key_certificate
[W:EBNF] Wikipedia: Extended Backus-Naur Form http://en.wikipedia.org/wiki/Extended_Backus%E2%80%93Naur_Form
[W:END] Wikipedia: Endianness http://en.wikipedia.org/wiki/Endianness
[W:HEX] Wikipedia: Hexadecimal http://en.wikipedia.org/wiki/Hexadecimal
[W:LEX] Wikipedia: Lexicographical order http://en.wikipedia.org/wiki/Lexicographical_order
[W:OCT] Wikipedia: Octet http://en.wikipedia.org/wiki/Octet_(computing)
[W:SHA-1] Wikipedia: SHA-1 http://en.wikipedia.org/wiki/SHA-1
C. VenThe fthat
An A“ReqNOT
Nam
AC
BD
DK
IU
KE
KRKT
SG
SG
nding Kfollowing tabmay appear
Attributes fieuired”, and contain nam
me Conten
CT TIMES
DT TIMES
KG 2
T TIMES
N 3
N 1TC 1
C 10
N 1-9
Key attrible defines tin the Attrib
eld SHALL cMAY contain
mes other tha
nt type Pr
STAMP R
STAMP R
2D R
STAMP O
D R
1D R1D R
0D R
99P O
ibutes the attribute
butes field of
contain all cn any namesan those def
resence D
equired AKLeacthkeis
equired Bas
equired Dse
Optional Isp
equired KTre
equired Kequired K
6V
equired SuTSGlo
Optional Susu
e card namef a WRAPPED
cards (names for which thfined in this A
Description
Activation Timey becomes egacy KMC pctivation timhe current Vey is the ones, the highestase Date: ths specified in
Decoder Key Gection 6.1.4.ssued Until: arevent the key Expiry Nuhe KEN mustelative to theey Revision Ney Type (KT).5.2.2.1), ind
VDDK. upply Grouphis specificatGCs with zer
ong. upply Groupupply group.
es – and encD-KEY record
es) for whiche Presence Appendix.
me: the date active for th
practice and me (also know
ending Key fe with the mot Activation Te date assoc
n [STS COP 4Generation A a date and tiey from bein
umber from [t be in the rae Base Date Number from) code from [dicating whet
p Code from tion requiresro characters
p Name, a hu.
coding of cor (section 10.
ch the Preseis “Optional
and time at he SGC. [SANS 1524-
wn as “Effectfor a supply gost recent ATime that is ciated with a402-1]. Algorithm fro
me after whng used for t[IEC 62055-4ange 0-255 a(BDT). m [IEC 62055[IEC 62055-4ther the key
[IEC 62055-4s 10-digit SGs (“0”) to ma
man-readab
rresponding .E).
ence is indil”. The field
which this V
-10] use the tiveDate”) togroup: the cuctivation Timin the past). TID value of
om [IEC 620
hich the SM woken encryp
41] section 6and is interpr
5-41] section41] Table 24
is a VUDK, V
41] section 6Cs; left-pad
ake then 10 d
ble name for
values –
cated as SHOULD
Vending
o select urrent
me (that
f zero,
055-41]
will ption. 6.1.10. reted
n 6.1.10. (section
VCDK or
6.1.6. shorter
digits
the
COP
PYRIGHT © 201
D. EnThe aAlgor
The aelempartiAny fuse o
D.1. CAS
The C
Func
Intelpatendescrcomm
D.2. MIS
The M
Func
IntelPCT/Jroyalobtai
3, STS ASSOCIA
ncryptioalgorithms inrithms (Table
algorithms hment of the
cular this limfuture revisioof AES (in an
ST-128 (EA=1
CAST-128 blo
tion descript
CAST-128and outp
CAST-128and outp
lectual Propnted by Entribed in this mercial uses
STY1 (EA=11
MISTY1 block
tion descript
MISTY1EN
outputs t MISTY1D
and outp
lectual PropJP96/02154 lty-free licenined in writin
http://w http://w
ATION.
on Algorn this Appene 7, section 6
have been cSTS Applica
mits the choion of the Toappropriate
12)
ock cipher, a
tion:
8ENC(K, plainputs the ciph8DEC(K, ciphe
puts the plain
perty Noticetrust Techndocument is.”
1)
k cipher, as s
tion:
NC(K, plaintethe ciphertex
EC(K, ciphertputs the plain
perty Noticcovers the M
nse on nonng. More inf
www.ietf.org/www.mitsubi
rithms fondix are reco6.1.5). These
chosen to mation Protocice to 64-bit ken Carrier D
e mode of op
s specified in
ntext) enciphertext.
ertext) decipntext.
: The designologies, Inc.s available w
specified in [
ext) encipherxt. text) deciphentext.
ce: MitsubisMISTY1 algo-discriminatoformation is
/ietf-ftp/IPR/shielectric.co
or IEC 6ommended fe algorithms
eet the reqol Data UniBlock Ciphe
Data Unit (TCperation) to p
n [ISO 18033
hers the 64-
phers the 64-
procedure . However,
worldwide on
[ISO 18033-3
rs the 64-bit
ers the 64-b
shi Electric rithm descriory terms savailable fro
/MITSUBISHom/compan
STS
62055-4for inclusions meet the se
uirements oit (APDU) as
ers and preclCDU) in [IECprotect the t
3-3] (NORMAT
-bit input pla
-bit input cip
that was use[RFC 2144] a royalty-fre
3] (NORMATIV
input plaint
bit input ciph
Corporationbed in [RFC
subject to reom:
I-MISTY y/rd/ip/pate
600-4-1 Ed 1
41 in [IEC 620
ecurity targe
of the Encryps defined inudes the po 62055-41] Soken.
TIVE) and [RFC
aintext usin
phertext usin
ed to obtain] states: “Tee basis for c
E).
text using th
hertext usin
n has assert 2994]. Mitseciprocity; t
ent/index.htm
1.1 : STS – En
55-41] as Ent of 128 bits
ption Algoritn [IEC 6205opular AES alSHOULD con
C 2144].
g the 128-b
ng the 128-b
n the CAST She CAST-12commercial a
he 128-bit ke
ng the 128-b
ted that itssubishi has othe license
ml
nhanced KM
PAGE 53 OF 6
ncryption .
thm (EA) 5-41]; in lgorithm. sider the
bit key K,
bit key K,
-boxes is 8 cipher and non-
ey K, and
bit key K,
s patent offered a must be
MS
62
COP
PYRIGHT © 201
E. DeThe f[IEC
excee
E.1. HM
Func
Proce
E.2. KDF
The HMA
This the lrepre
Withof lesimp
Func
Input
Proce
3, STS ASSOCIA
ecoder Kfollowing alg62055-41] aeds the secu
MAC-DKGA (D
tion descript
HMAC-Dgiven MeKT and re
ess:
Set Label Set Conte Set Othe Set keyda Set DK = Post-proc
DEA with Output D
F108-Feedba
KDF in FeedAC-SHA-384 (
specificationength |L| o
esentation o
in the scopess than 102lified accord
tion descript
KDF108-Fkey deriv
t:
K, a secre OtherInfo keydatal
ess:
Ensure th Ensure th
ATION.
Key Genegorithm and as a Decoderurity target o
DKGA=04)
tion:
KGA(VK, SGeterPAN andevision KRN)
l = BCD( DKGext = BCD( SrInfo = LVCOatalen accorKDF108-Feecess DK acco
h requires anDK.
ack-HMAC-SH
dback Mode (section 9.C)
n requires thof field L (a f any numer
e of this spe4 bits, and
dingly.
tion:
Feedback-HMved from K a
et key (as anfo, a non-emlen, an integ
hat K is an ochat OtherInfo
erationassociated cr Key Generf 128 bits.
GC, KT, KRN, d TI, that is d), and which
GA2D = “04” |GC10D | KT1D
ONCAT(Labelrding to the kedback-HMAording to th
n odd-parity k
HA-384
specified inpseudorand
hat the IV SHrepresentatiic value SHA
cification KDkeydatalen
MAC-SHA-38nd OtherInfo
octet stringpty octet strer giving the
ctet string offo is an octet
Algoritcryptographication Algorit
MeterPAN, derived from
is suitable fo
EA2D | TI2D )| KRN1D | Ml, “”, Contexkey size requ
AC-SHA-384(e key formakey).
section 5.2dom function
HALL be empion of keyda
ALL be big en
DF108-Feedb≤ 192 bits.
84(K, OtherIo.
). ing of non-se
e length in bi
f less than 12 string of les
STS
hm for Ic primitive athm (Table 6
EA, TI) outpthe Vending
or use with E
). MeterPAN18D
t). uirement of EVK, OtherInf
at requireme
of [NIST SPn (PRF).
pty, an iteratatalen) SHALdian.
back-HMAC-The implem
Info, keydat
ecret data.ts of keying
28 octets or ss than (210-1
600-4-1 Ed 1
IEC 620re recomme6, section 6.
puts a Decog Key (VK) foEA.
).
EA. fo, keydataleents of EA (f
P800-108] (N
ion counter LL be 32 bit
SHA-384 is omentation giv
talen) outpu
data to be ge
FAIL. 136) octets o
1.1 : STS – En
55-41 ended for inc.1.4). This a
der Key (DKor the SGC (w
en). or example
ORMATIVE), u
SHALL NOT ts, and the b
only used wven below h
uts a keyda
enerated.
or FAIL.
nhanced KM
PAGE 54 OF 6
clusion in algorithm
K) for the with type
EA=09 is
using the
be used, bit string
ith a key has been
atalen-bit
MS
62
COP
PYRIGHT © 201
3, STS ASSOCIA
Ensure th Set L to a Compute Output th
ATION.
hat keydatala 32-bit big-ee K1 = HMAChe leftmost k
len is less thaendian bit str-SHA-384-19keydatalen b
an 192 bits Aring represen92( K, OtherIbits of K1.
STS
AND keydatantation of keInfo ∥ L ).
600-4-1 Ed 1
alen ≤ BitLeneydatalen.
1.1 : STS – En
ngth(K) or FA
nhanced KM
PAGE 55 OF 6
AIL.
MS
62
COP
PYRIGHT © 201
F. ReThis mess
Given
-R-
The sthe e
3, STS ASSOCIA
cord-informat is in
sage. The rec
n a record RE
-STS:recEC wrappe-STS:rec
starting guaending guard
ATION.
-email ftended to re
cord is easily
EC with reco
type BEGIed to 64 type ENDS
rd is the octd is x’2D2D53
formatepresent a s
y identified a
ord type recty
INS-- characteS--
tet string x’2354533A ∥ re
single recordnd extracted
ype, a record
ers or le
2D2D535453ectype ∥ x’20
STS
d (section 8.d by a human
d-in-email is
ess per l
33A ∥ rectype0454E44532D
600-4-1 Ed 1
H) within thn operator o
rendered as
line
e ∥ x’204245D2D.
1.1 : STS – En
he body of ar by softwar
s follows:
547494E532D
nhanced KM
PAGE 56 OF 6
an e-mail re.
D2D, and
MS
62
COP
PYRIGHT © 201
G. File-of-records format

This format is intended to represent one or more records (section 8.H) in a text file. The file is easily parsed by software and includes an insecure checksum to detect accidental data corruption.

A text file is an ordered sequence of lines. Each line contains only Printable ASCII characters and is terminated by a single End-Of-Line (EOL) character LF (x'0A, often given as '\n' in source code) or by the End-Of-File (EOF) condition. The EOL may be omitted from the last line of the file.

A file-of-records is a text file in which each line is either a record, a comment, or empty (whitespace). The last line in the file is a comment containing a BASE16-encoded SHA-1 [W:SHA-1] checksum over the preceding lines (including EOL characters), and must not have an EOL character.

A file-of-records is fully specified by the following production, given in Extended Backus-Naur Form [W:EBNF]:

File-of-records = Content, "#", Checksum ;
Content = { Line, LF } ;
Checksum = BASE16( SHA-1( Content ) ) ;
Line = Record | Comment | Empty ;
LF = x'0A ;
Record = Printable, { Whitespace } ;
Comment = "#", Printable ;
Empty = { Whitespace } ;
Whitespace = x'20 | x'08 | x'0D ;

Note that record lines may have trailing whitespace, which should be removed before parsing the record.
H. Summary of cryptographic primitives and standards

The following table summarises all cryptographic primitives (algorithms) employed by this specification, and indicates the standards to which they conform. Columns: Algorithm | Classification | Mode of operation | Key | Key length (bits) | Security-strength (bits) | Standards (1).

MISTY1 | 64-bit block cipher | ECB | Decoder Key (DK) | 128 | 128 | ISO 18033-3
CAST-128 | 64-bit block cipher | ECB | Decoder Key (DK) | 128 | 128 | ISO 18033-3, RFC 2144
ECB mode for any block cipher algorithm | n-bit block cipher mode of operation | ECB | Determined by block cipher. ECB provides confidentiality only, with weaker guarantees for multi-block encryption. | | | ISO 10116, NIST SP800-38A
KDF108-Feedback-HMAC-SHA-384 | Symmetric Key Derivation Function | Feedback mode (iterated PRF over HMAC-SHA-384) | Vending Key (VK) | 160 | 160 (up to 192 with a 192-bit key) | NIST SP800-108
HMAC-SHA-384-192 | Pseudorandom Function (PRF) | N/A | HMAC with SHA-384 has a maximum key length of 1023 bits, and a security-strength of up to 192 or 384 bits (depending on application). | 192 | 192 | RFC 4868, ISO 9797-2, FIPS PUB 198-1
HMAC | Dedicated Message Authentication Code (MAC) | Operates over a digest (hash) function | Maximum key length depends on digest function. Security-strength depends on key length. | | | ISO 9797-2, FIPS PUB 198-1, RFC 2104
SHA-384 | Digest function (hash) | N/A | Non-keyed function. Security-strength is 192 bits for digital signatures and MAC, 384 bits for KDF. | N/A | 192 | ISO 10118-3, FIPS PUB 180-4
AES-192 | 128-bit block cipher | CCM | Key Exchange Key (KEK) | 192 | 192 (integrity limited to 128) | ISO 18033-3, FIPS PUB 197
CCM mode for any block cipher algorithm | n-bit block cipher mode of operation | CCM (Nonce-based Authenticated Encryption with Additional Data) | Determined by block cipher. CCM provides confidentiality and integrity under the assumption that the nonce is not reused with a given key. | | | ISO 19772, NIST SP800-38C, RFC 3610
ECC CDH | Asymmetric key agreement primitive | Domain parameters: NIST P-384; KDF-X963 | (dSM, QSM) and (dKMC, QKMC) | 384 | 192 | ISO 11770-3, ANSI X9.63, NIST SP800-56A, SEC 1
1-Pass Unified Model C(1e, 2s) | Asymmetric key agreement scheme | Operates over ECC CDH primitive | 2 static (as for ECC CDH) plus 1 ephemeral SM: (dE, QE) | 384 | 192 | NIST SP800-56A, ANSI X9.63, ISO 11770-3
ECDSA | Digital signature | Domain parameters: NIST P-384; SHA-384 | (dMAN, QMAN) | 384 | 192 | ISO 14888-3, ANSI X9.62, FIPS PUB 186-3, SEC 1
P-384 | ECC Domain Parameters | P-384 | Also known as "ansix9p384r1" and "secp384r1". ECC operations in this domain can provide up to 192 bits of security. | | 192 | FIPS PUB 186-3, ANSI X9.62, SEC 2
KDF-X963-SHA-384 | Key Derivation Function (KDF) | Counter mode (iterated PRF over SHA-384) | Shared Secret from ECC CDH | Depends on ECC CDH (minimum 192 bits entropy required) | 192 | ISO 11770-3, ANSI X9.63, SEC 1

1 Normative standards are in bold.
The following table indicates alignment of cryptographic primitives employed by this specification with various standards bodies and projects, with respect to the context or purpose of use. Columns: Algorithm | ISO | NIST | NISTIR 7628 Smart Grid (1) | NIST SP800-152 Federal KMS | Others.

MISTY1, ECB for token encryption | ISO/TR 14742, ISO 18033-3, ISO 10116 | MISTY1 and CAST-128 are not approved by any NIST or FIPS standard. | (not approved) | (not approved) | RFC 2994; approved by NESSIE and CRYPTREC
CAST-128, ECB for token encryption | ISO/TR 14742, ISO 18033-3, ISO 10116 | MISTY1 and CAST-128 are not approved by any NIST or FIPS standard. | (not approved) | (not approved) | RFC 2144; approved by CSEC
KDF108-Feedback-HMAC-SHA-384 with LVCONCAT for symmetric key derivation | No relevant standard for the KDF. HMAC: ISO 9797-2 and ISO/TR 14742. SHA-384: ISO 10118-3 and ISO/TR 14742 | NIST SP800-131A, NIST SP800-108; FIPS PUB 198-1, FIPS PUB 180-4 | Approved beyond 2030 | Exceeds "Augmented" security; not interoperable | Equivalent to RFC 5869; not interoperable
AES-192, CCM for authenticated encryption and key wrapping | ISO 18033-3, ISO 19772; AES: ISO/TR 14742 | NIST SP800-131A, FIPS PUB 197, NIST SP800-38C | Approved beyond 2030, 192-bit security | Exceeds "Augmented" security; not interoperable | ANSI X9.102; approved by NESSIE and CRYPTREC; NSA Suite B
ECC CDH C(1e, 2s) for asymmetric shared secret agreement | ISO 11770-3 | NIST SP800-131A, NIST SP800-56A (Set ED) | Approved beyond 2030 | Exceeds "Augmented"; meets 'Desirable' | NSA Suite B, ANSI X9.63, SEC 1
ECDSA for digital signature | ISO/TR 14742, ISO 14888-3 | NIST SP800-131A, FIPS PUB 186-3 | Approved beyond 2030 | Exceeds "Augmented" security; not interoperable | NSA Suite B, ANSI X9.62, SEC 1
For digital signatures in PK certificates: NIST P-384 domain parameters | ISO/TR 14742; no ISO standard specifies curves | NIST SP800-131A, FIPS PUB 186-3 | Approved beyond 2030 | Exceeds "Augmented" security; not interoperable | NSA Suite B, ANSI X9.62, SEC 2
KDF-X963-SHA-384 with LVCONCAT for key derivation from asymmetrically shared secret | ISO 11770-3 | NIST SP800-131A, NIST SP800-135. Partially conforms but not interoperable; meets SP800-56A Set ED targets | No relevant guidance | Non-compliant: only NIST concatenation KDF permitted | ANSI X9.63, SEC 1
Unified Model key confirmation (with HMAC-SHA-384-192 and LVCONCAT) | Conforms to ISO 11770-3 | Meets formatting for SP800-131A; meets SP800-56A Set ED targets | | Meets "Augmented" requirements | Partially conforms to ANSI X9.63; the standard on key confirmation for C(1e, 2s) is unclear

1 NISTIR 7628 requirements for approval beyond 2030 are based on NIST SP800-57 and NIST SP800-131.

Comments:

o [ISO/TR 14742] and [NIST SP800-131A] are 'super-standards' that reference other standards, cryptographic algorithms and key lengths, that are recommended as appropriate for the foreseeable future.
o [ISO/TR 14742] provides recommendations for the financial services industry. The body of the standard does not cover key establishment algorithms, but Annex A cites key establishment mechanisms in [ISO 11770-3]. The standard does not cover authenticated encryption modes of operation.
o [NIST SP800-131A] specifies NIST Approved algorithms that may be implemented in a [FIPS PUB 140-2] certified HSM, and indicates the permitted periods of use for these algorithms and associated key lengths. The standard does not recommend ECC curves or cover key confirmation in key agreement algorithms, but does approve the schemes in [NIST SP800-56A], and that standard in turn recommends the curves in [FIPS PUB 186-3].
o An algorithm is fully aligned with the cited standard(s) unless otherwise indicated. Full alignment includes security equivalence and interoperability.
o An algorithm may conform to a standard without being fully interoperable. This usually occurs when this specification has a higher security target than the standard (as with NIST SP800-152) or the standard specifies application specific formatting of input fields (as with KDFs and key confirmation).
o Non-compliance and conformance are color-coded.
I. Summary of functions

A reference list of functions defined elsewhere in this document:

BCD(Decimal String) → Octet String | Error
BASE16(Octet String) → Hexadecimal String
BASE16-DECODE(Hexadecimal String) → Octet String | Error
Integer-to-Octet-String(Integer, MaxInteger) → Octet String | Error
Octet-String-to-Integer(Octet String, MaxInteger) → Integer | Error
Field-Element-to-Octet-String_Domain(Field Element) → Octet String | Error
Octet-String-to-Field-Element_Domain(Octet String) → Field Element | Error
Point-to-Octet-String_Domain(Point) → Octet String | Error
Octet-String-to-Point_Domain(Octet String) → (xP, yP) not necessarily a valid Point | Error
CRC16-MODBUS(Octet String) → 16-bit Big Endian integer (Octet String)
LVCONCAT(I1, I2, …, In), Ii an Octet String, OctetLen(Ii) ≤ 255, n ≤ 255 → Octet String
DFCONCAT(DELIM, I1, I2, …, In), DELIM 1P, Ii Printable → Printable ASCII String | Error
DFPARSE(DELIM, Octet String) → O1, O2, …, On, Oi Printable | Error
BUILD-RECORD(rectype, n, I1, I2, …, In), rectype IDENT, Ii Printable → Printable ASCII String | Error
PARSE-RECORD(rectype, n, Octet String), rectype IDENT → O1, O2, …, On, Oi Printable | Error
AES-192-CCMENC(Key, Nonce, Additional, Plaintext) → Ciphertext | Error; all Octet String
AES-192-CCMDEC(Key, Nonce, Additional, Ciphertext) → Plaintext | Error; all Octet String
SHA-384(Octet String) → Digest (Octet String)
HMAC-SHA-384-192(Key, Text) → MAC; all Octet String
KDF-X963-SHA-384(SharedSecret, SharedInfo, keydatalen) → Key Material (Octet String)
ECC-CDH_P-384(dA in [1, n-1], QB a Point) → SharedSecret (Octet String) | Error
ECDSA-SIGN_P-384,SHA-384(dA in [1, n-1], M an Octet String) → (r, s) both in [1, n-1] | Error
ECDSA-VERIFY_P-384,SHA-384(QB a Point, M an Octet String, (r, s) a Signature) → "valid" | "invalid" | Error
GENERATE-KEY() → ECC Key Pair (dA in [1, n-1], QA a Point)
VALIDATE-KEY(QB a Point) → TRUE | Error
CAST-128ENC(Key, Plaintext) → Ciphertext; all Octet String
CAST-128DEC(Key, Ciphertext) → Plaintext; all Octet String
MISTY1ENC(Key, Plaintext) → Ciphertext; all Octet String
MISTY1DEC(Key, Ciphertext) → Plaintext; all Octet String
HMAC-DKGA(VK, SGC, KT, KRN, MeterPAN, EA, TI) → Key (Octet String)
KDF108-Feedback-HMAC-SHA-384(DerivationKey, OtherInfo, keydatalen) → Key Material
J. Summary of required Codes of Practice and Registries

The STSA SHOULD provide Codes of Practice for:

o The security requirements for an SM (see section 12.A).
o The security requirements for a KMC HSM (see section 13.A).
o The requirements for approving SM hardware and firmware (see section 12.A).

The STSA SHOULD provide registry services for:

o Manufacturer names (see section 11).
o KMC names (see section 13.B).
o Approved HWIDs (see section 13.B).
o Approved FWIDs (see section 13.B).

KMC standards to be developed by the STSA SHALL include:

o A procedure for SM Manufacturers to publish their public key certificates to KMCs in a trusted manner (section 11).
o A procedure for KMCs to publish their public keys to SM Operators in a trusted manner (section 13.C).
o Procedures or procedural requirements to handle the compromise of KMC keys (dKMC, SMK) or of Vending Keys (section 17.C.2).
CONFIDENTIAL
Document no: RPT-0031-120
Version: 1.2
File name: RPT-0031-120.doc
Date: 13 November 2012
ZiliantSystems
Review of the new STS Key Management Specification
Review Report
Confidential
RPT-0031-120 Confidential Page 2 of 9
Table of contents
1 Scope ... 3
2 Overview ... 3
3 Observations ... 4
3.1 General ... 4
3.2 Key agreement method ... 4
3.3 SM Initialisation ... 5
3.4 KMC Initialisation ... 6
3.5 SM Vending Key Load Request ... 6
3.6 KMC Vending Key Load Response ... 7
3.7 SM Key Load File Processing? ... 7
3.8 Encryption Algorithms for IEC 62055-41 ... 7
3.9 Decoder Key Generation Algorithm for IEC 62055-41 ... 7
4 Conclusions ... 8
5 References ... 8
6 Definitions and Abbreviations ... 9
1 Scope
This report provides feedback on an independent review of the new STS Key
Management System as described in the new specification [1]. The scope of the
review mainly covers the security protocol between the Key Management Centre
(KMC) and the Security Module (SM) but also comments on the choice of block
ciphers and the key derivation method.
2 Overview
The current implementation of the interface between the KMC and the SM is to be
upgraded to improve security and provide more flexibility with regard to multiple
KMCs per SM. The upgrade should also consider the fact that SMs may be
deployed in remote locations with limited communications infrastructure. The KMC-
SM upgrade forms part of an overall upgrade of the STS key management
infrastructure to facilitate wider expansion into international markets (notably the
USA). Therefore the new design must be based on internationally accepted
standards wherever possible. The review was conducted on the proposed design
with these aims in mind and certain observations were made. These observations
are described in the following paragraphs.
3 Observations
3.1 General
The STS Key Management Specification [1] provides a detailed description of the
KMC-SM cryptographic protocol and places high priority on international standards
compliance. Attention is given to providing non-ambiguous descriptions of data fields
and processes. This is good for implementers and is also good security practice. The
use of public key cryptography in the new design will better support future variations
of the infrastructure in terms of international deployments. In general the use of
public key cryptography combined with adherence to widely accepted standards is in
line with STSA’s requirements for international expansion. In reviewing the
specification we have made several observations and remarked on these below.
Some remarks are merely confirmations or informational while others are cautionary
and may require attention. While we have made some recommendations in the latter
case, these issues may simply require additional clarification or expansion.
3.2 Key agreement method
1. The key agreement method described in the specification corresponds to the
NIST SP800-56A variation C(1, 2, ECC-CDH) scheme [2] which is in turn
based on the ANSI X9.63-2001 1-Pass Unified scheme [3]. In this variation of
ECC-CDH only one side generates ephemeral keys. This is typically used in a
store-and-forward one-pass scheme such as e-mail. This method is in line
with the requirement to support offline CDU’s. The key agreement data
exchanges could be e-mailed as attached files or a manual system could be
employed using a single round-trip courier.
2. The key agreement initiator (SM) possesses a long-term static key pair and
generates an ephemeral key pair per-session, whereas the responder (KMC)
only possesses a long-term static key pair. Information encrypted under the
established shared key remains protected even if the SM’s keys are
compromised but not if the KMC’s keys are compromised. This is sometimes
referred to as “one-party” or “half” forward secrecy. In this application it is the
vending station’s SM that carries the higher risk of being compromised rather
than the KMC’s HSM. If the KMC’s static keys were compromised due to a
physical attack on the KMC HSM then the entire KMC key database would be
compromised anyway. Therefore half forward secrecy is probably acceptable.
3. The key agreement method appears to support key confirmation on the SM
side but this is not described in the specification at this stage. There needs to
be an additional section explaining how the SM processes the KMC key
exchange data block.
4. In the upper tier of the new STS key management hierarchy (KDC-KMC)
online capability is more likely. In this case it would be preferable to use
something equivalent to NIST’s C(2, 2, ECC-CDH) Scheme with Bilateral Key
Confirmation. This would allow the re-use of the ECC-CDH base algorithm.
However care should be taken with the re-use of the KMC static keys in this
case. Menezes et al. [4] have shown that under certain circumstances the re-
use of static keys in both the 1-pass and 3-pass variations of the Unified
Model (NIST SP800-56A [2]) can allow active attacks on the 3-pass version
by replaying exchanges from the 1-pass version.
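The half forward secrecy argument in point 2 above is easiest to see with the scheme actually run. The following is an added example (not code from the specification or from this review) of the one-pass Unified Model C(1e, 2s) over ECC CDH on NIST P-384 with the ANSI X9.63 KDF over SHA-384, in pure Python so that it runs without any library. It then models the two after-the-fact compromises: a leaked KMC static key rebuilds the KEK from the public transcript (QSM, QE), while a leaked SM static key yields only the static half Zs, because the ephemeral private key dE no longer exists. Assumptions beyond the text: Z is Ze ∥ Zs with the ephemeral contribution first (the SP800-56A ordering), SharedInfo is a constructed LVCONCAT of identifiers, LVCONCAT uses a one-octet length prefix per item, and the key confirmation step is omitted. The affine arithmetic is not constant-time and is for study only.

```python
"""One-pass Unified Model C(1e, 2s) over ECC CDH on NIST P-384 with the
ANSI X9.63 KDF over SHA-384. Added example; pure-Python affine arithmetic,
not constant-time, for study only."""
import hashlib
import secrets

# NIST P-384 domain parameters (FIPS PUB 186-3 / SEC 2 secp384r1), cofactor h = 1.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = P - 3
B = 0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973
G = (0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7,
     0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F)


def on_curve(Q):
    return Q is not None and (Q[1] ** 2 - (Q[0] ** 3 + A * Q[0] + B)) % P == 0


def point_add(P1, P2):
    """Affine addition; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, Q):
    R = None
    while k:
        if k & 1:
            R = point_add(R, Q)
        Q = point_add(Q, Q)
        k >>= 1
    return R


def generate_key():
    """GENERATE-KEY(): d in [1, n-1], Q = d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def validate_key(Q):
    """VALIDATE-KEY(QB): coordinates in range, on the curve, and n*Q = O."""
    return on_curve(Q) and 0 <= Q[0] < P and 0 <= Q[1] < P and scalar_mult(N, Q) is None


def ecc_cdh(d, Q):
    """ECC-CDH_P-384: x-coordinate of h*d*Q (h = 1) as a 48-octet string."""
    if not validate_key(Q):
        raise ValueError("invalid public key")
    R = scalar_mult(d, Q)
    if R is None:
        raise ValueError("shared point is the point at infinity")
    return R[0].to_bytes(48, "big")


def lvconcat(*items):
    """LVCONCAT with a one-octet length prefix per item (the prefix size is an assumption)."""
    if len(items) > 255 or any(len(i) > 255 for i in items):
        raise ValueError("LVCONCAT limits exceeded")
    return b"".join(bytes([len(i)]) + i for i in items)


def kdf_x963_sha384(Z, shared_info, keydatalen):
    """KDF-X963-SHA-384: counter mode, SHA-384(Z || counter || SharedInfo), keydatalen in bits."""
    out, counter = b"", 1
    while len(out) * 8 < keydatalen:
        out += hashlib.sha384(Z + counter.to_bytes(4, "big") + shared_info).digest()
        counter += 1
    return out[:keydatalen // 8]


def sm_initiate(dSM, QKMC, shared_info):
    """SM side: fresh ephemeral pair per request; Z = Ze || Zs as in SP800-56A C(1e, 2s)."""
    dE, QE = generate_key()
    Z = ecc_cdh(dE, QKMC) + ecc_cdh(dSM, QKMC)
    kek = kdf_x963_sha384(Z, shared_info, 192)
    del dE                     # only QE leaves the SM; dE never persists
    return QE, kek


def kmc_respond(dKMC, QSM, QE, shared_info):
    """KMC side: static key only, so both halves come from dKMC and the transcript."""
    Z = ecc_cdh(dKMC, QE) + ecc_cdh(dKMC, QSM)
    return kdf_x963_sha384(Z, shared_info, 192)


def run_session():
    """One key agreement plus the two after-the-fact compromise cases discussed above."""
    dSM, QSM = generate_key()
    dKMC, QKMC = generate_key()
    info = lvconcat(b"SM-0001", b"KMC-01", b"KEK")    # constructed SharedInfo
    QE, kek_sm = sm_initiate(dSM, QKMC, info)
    kek_kmc = kmc_respond(dKMC, QSM, QE, info)
    return {
        "kek_sm": kek_sm, "kek_kmc": kek_kmc, "info": info,
        # dKMC leaked later: the public transcript (QSM, QE) is enough to rebuild the KEK.
        "kek_from_dKMC": kmc_respond(dKMC, QSM, QE, info),
        # dSM leaked later: only Zs is recoverable; Ze needs dE (gone) or dKMC.
        "zs_from_dSM": ecc_cdh(dSM, QKMC),
        "ze_from_dKMC": ecc_cdh(dKMC, QE),
    }
```

Two points worth noting against the review's argument. The first is that the asymmetry is structural: everything the KMC contributes is static, so nothing short of rotating dKMC limits what a KMC compromise exposes retroactively, which is why the report accepts it only on the grounds that a KMC HSM compromise exposes the key database anyway. The second is that `validate_key` must run on every received public key, including QE, because a KMC that accepts an off-curve or small-order point from a hostile SM leaks information about dKMC through the resulting Z.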
3.3 SM Initialisation
1. The SM pre-requisites sound reasonable although they do imply the
availability of a fair amount of processing power. The SM must be capable of
performing Elliptic Curve Cryptography (ECC) calculations including ECC
ephemeral key generation.
2. Public keys are specified as “SHOULD” have a limited lifespan. This will
typically be disregarded by implementers. It would be better to either specify
“MUST” or else provide other checks and balances to limit the damage that a
compromised/hacked/stolen SM could wreak on the system. The latter
checks-and-balances route may be preferable. Implementing and operating
public key expiry and rollover management is not trivial and is often
problematic in Public Key Infrastructures (PKI’s).
3. Pre-requisite standards are specified for SM compliance but no assurance
level is specified. Here it would be better to either specify “SHOULD” or else
the appropriate assurance level should be specified.
Confidential
RPT-0031-120 Confidential Page 6 of 9
4. The SM public keys are required by the KMC, which would normally require
the KMC to authenticate the SM “face-to-face”. However, the Manufacturer’s
private key (dMANUF) will be used to sign a file containing the SM public keys
thereby creating a certificate of sorts ([1] 9.D). In this case there is only the
need for a Manufacturer face-to-face meeting with the KMC to provide the
KMC with the Manufacturer’s public key. There should probably be a
document specifying this face-to-face protocol as well as the manufacturer file
signing procedure.
5. The SM’s PUBKEY record field 1 (IDSM) is not cryptographically bound to field
2 (QSM). Although there is a hash/fingerprint binding embedded in IDSM this
can be re-generated over a different set of SM identifiers outside of the SM.
Therefore it is possible to produce two different PUBKEY’s using the same
QSM, or a PUBKEY with the same SM identifiers as an existing SM but with a
different QSM. The former scenario might allow one SM to receive the VK for
two different SG’s. The latter scenario might allow a ghost SM to generate a
request for a legitimate SM’s VK. This may not constitute a valid threat since
there may well be other checks and balances in the system to catch these
scenarios. Indeed the PUBKEY extraction and subsequent signing using the
manufacturer’s private key will all take place within the confines of the
manufacturer’s secure facility. However, the larger the physical disjuncture
between these two processes the larger the threat. It might be prudent to
either self-sign SM PUBKEYs before extraction from the SM and/or include a
step in the KMC to check for duplicates of QSM and IDSM.
6. There is currently no description of the processes wherein the SM’s public
keys are signed by the manufacturer. What tool does the manufacturer use
for this purpose? We recommend that the previous point be taken into
consideration during the development of this procedure.
3.4 KMC Initialisation
The pre-requisites for the KMC HSM and KMC itself seem reasonable.
3.5 SM Vending Key Load Request
The SM Vending Key Load Request procedure appears to be in line with the NIST
SP800-56A recommendations for variation C(1, 2, ECC-CDH) [2].
3.6 KMC Vending Key Load Response
The KMC Vending Key Load Response procedure appears to be in line with the
NIST SP800-56A recommendations for variation C(1, 2, ECC-CDH) [2].
3.7 SM Key Load File Processing?
As noted earlier there needs to be an additional section explaining how the SM
processes the final KMC key exchange data block and the Key Load File (KLF).
3.8 Encryption Algorithms for IEC 62055-41
1. The requirement for a 64-bit output block limits the number of choices, hence
only two algorithms are listed here (CAST-128 and MISTY-1). Blowfish could
also have been included here as it has undergone a fair amount of
cryptanalysis and not been found wanting. Yet despite the fact that Blowfish
has been included in many applications, it has never really been endorsed as
a standard for use in any government or other large organisational body.
CAST-128 has been more widely adopted. CAST-128 is more likely to be
accepted in the US as it was invented by Canadians and accepted for use by
the Canadian government. CAST-128 is royalty-free and license-free whereas
this is not as clear-cut in the MISTY-1 case. MISTY-1 is royalty-free but is not
license-free and it has proven difficult to establish the exact terms of the
license. MISTY-1 has also undergone less peer-review than CAST-128. We
would recommend the use of CAST-128.
2. In the long term a cipher based on a larger data block would be preferable.
However one can argue that the normal “Birthday Attack” criticism of a 64-bit
data block is not applicable here since not enough encrypted data will be
produced by any single key. This may not be the case in the upper tier of the
system (KMC-KMS). In this case an algorithm such as AES-128 or AES-256
is recommended.
3.9 Decoder Key Generation Algorithm for IEC 62055-41
1. The NIST method is in keeping with typical key expansion/derivation methods
and the method described in the specification [1] abides by NIST’s
recommendations such as context-binding. NIST recommendations are
respected worldwide and will be particularly favourable in US markets.
4 Conclusions
In conclusion we think that the specification is well aligned with STSA’s requirements.
However we recommend that the implications of the non-binding of SM identifiers to
their corresponding public keys during the manufacturing process should be further
investigated (see section 3.3 - 5). We further recommend that some attention be
given to the implications of the longevity of public keys in the case where no key
expiry management is mandated (see section 3.3 - 2).
5 References
[1] STS Key Management Specification, PR-D2-0922 Rev 0.9 (PPT)
[2] NIST Special Publication 800-56A Recommendation for Pair-Wise Key
Establishment Schemes Using Discrete Logarithm Cryptography (Revised),
March 2007
[3] X9.63-2001 Public Key Cryptography for the Financial Services Industry -- Key
Agreement and Key Transport Using Elliptic Curve Cryptography
[4] Sanjit Chatterjee, Alfred Menezes, Berkant Ustaoglu, “Combined Security
Analysis of the One- and Three-Pass Unified Model Key Agreement Protocols”,
11th International Conference on Cryptology in India, Hyderabad, India,
December 12-15, 2010. Proceedings
6 Definitions and Abbreviations
CDU Credit Dispensing Unit
DH Diffie-Hellman (key agreement protocol)
DKGA Decoder Key Generation Algorithm
ECC Elliptic Curve Cryptography
ECDH Elliptic Curve Diffie-Hellman
ECC-CDH Elliptic Curve Cryptography Cofactor Diffie-Hellman
HSM Hardware Security Module
KDC Key Distribution Centre
KLF Key Load File
KMC Key Management Centre
PFS Perfect Forward Secrecy
PKI Public Key Infrastructure
PPT Prism Payment Technologies
SM Security Module
STS Standard Transfer Specification
STSA STS Association
CONFIDENTIAL
Document no: RPT-0032-120
Version: 1.2
File name: RPT-0032-120.doc
Date: 7 December 2012
ZiliantSystems
Review of the updated STS Key Management Specification
Review Report
Confidential
RPT-0032-120 Confidential Page 2 of 7
Table of contents
1 Scope ... 3
2 Overview ... 3
3 Observations ... 4
3.1 General ... 4
3.2 Key agreement method ... 4
3.3 SM Manufacturer setup ... 4
3.4 SM Initialisation ... 5
3.5 KMC Initialisation ... 5
3.6 SM Vending Key Load Request ... 5
3.7 KMC Vending Key Load Response ... 6
3.8 SM KEK Confirmation and Vending Key Import ... 6
3.9 End-of-life and key compromise procedures ... 6
3.10 Encryption Algorithms for IEC 62055-41 ... 6
4 Conclusions ... 6
5 References ... 7
6 Definitions and Abbreviations ... 7
1 Scope
An initial review was conducted of the new STS Key Management System as
described in the earlier specification [2]. A corresponding report [3] highlighted
certain aspects of the specification that required more clarity and an updated
specification has subsequently been produced [1]. The updated specification is the
subject of this report. The scope of this report is to follow-up on the agreed changes
and to review any new cryptographic content.
2 Overview
The updated specification [1] provides a lot more detail but this mainly expands on
earlier detail to provide better clarity and less ambiguity. Additional content has also
been added but this is in line with discussions around the earlier review.
Some observations were made in reviewing the updated specification. These
observations are described in the following paragraphs.
3 Observations
3.1 General
1. Dual control and split knowledge key handling is often referred to in the
specification and it might be useful to add a reference to a corresponding
standard e.g. ANSI X9.17-1985 (there may also be newer standards for this).
2. As agreed at the review meeting, all occurrences of “MUST” have now been
changed to “SHALL”.
3. The intention that the infrastructure may remain in use until the year 2045
(see [1] 5. Overview) seems unreasonable. Given the great strides in
cryptography over the last 35 years, something like 2030 might be a more
reasonable lifetime to aim for.
3.2 Key agreement method
1. The key agreement description has been enhanced with the addition of
diagrams. These are a welcome addition.
2. The final step in key agreement processing i.e. SM extraction of the vending
key (raised in [3] 3.2.2) has now been addressed by the inclusion of a final
“SM KEK Confirmation and Vending Key Import” ([1] 16.).
3.3 SM Manufacturer setup
A KMS procedure or Operational procedure is mentioned in the updated specification
([1] 11) for the purpose of publishing and verifying PUBKEYMAN. A recommended
procedure is also provided for this in 11.A [1]. This is an important step as it pertains
to “initial trust”. In a template-style PKI, authenticating the origin of PUBKEYMAN
would normally require a face-to-face meeting with the exchange of identity
documents etc. However, this does depend on the situation, e.g. in some cases the
SM manufacturer may also provide the KMS service, or, a trusted relationship may
already exist between these two entities. An e-mail system with 2nd channel
fingerprint verification should only be acceptable in cases where a trusted
relationship already exists. In this case the 2nd channel phone call is reasonably
strong since the two parties recognise each other’s voice. If no prior relationship
exists then a face-to-face meeting is recommended.
3.4 SM Initialisation
1. The SM Public key lifespan is now addressed under the section “SM
Manufacturer Setup” (see [1] 11).
2. The pre-requisite standards and assurance level for SM compliance has now
been addressed in section 12.A [1].
3. The issue of SM public key identity binding in the previous review report [3]
3.3.5 has now been addressed by section 12.B [1]. A recommended
procedure for generating and signing the SM public key has also been
provided in section 12.B.1 [1].
4. The question around the Manufacturer signing process ([3] 3.3.6) has now
been addressed by the new procedures in sections 11, 12.B.1 and 12.C [1].
3.5 KMC Initialisation
In section 13.C.1 [1] the KMC public key PUBKEYKMC is e-mailed to the Manufacturer
with 2nd channel telephonic fingerprint verification. As in 3.3 above, if no prior
relationship exists we recommend face-to-face exchange of KMC and Manufacturer
public keys (PUBKEYKMC and PUBKEYMAN). After discussing this point with PPT we
agree that there is no direct threat. However it is good practice to provide mutual
authentication in any cryptographic system even if one-party authentication is all that
is required as there may be future unintended consequences. Perhaps one example
would be that a meter vendor who is able to get hold of a CDU might be able to vend
using a “STSA approved” CDU to an isolated group of “STSA-approved” meters. This
would allow the vendor to be “legal” in the country while cutting STSA out of the loop.
3.6 SM Vending Key Load Request
More detail has been added here but no essential change to the key agreement
method. More comprehensive error checking has been provided and key expiry is
also now handled here.
3.7 KMC Vending Key Load Response
More detail has been added here but no essential change to the key agreement
method. More comprehensive error checking has been provided. Key expiry is also
now handled here and a better description of replay detection has been provided.
3.8 SM KEK Confirmation and Vending Key Import
As requested in the earlier report [3] 3.7 an additional section has now been
provided in the updated specification (section 16 [1]) explaining how the final key
agreement data block is handled by the SM and how the vending key is extracted.
3.9 End-of-life and key compromise procedures
Section 17 [1] has been added to specify end-of-life and compromise procedures for
each crypto entity. While this was not highlighted in the previous report [3], it was
highlighted in the review feedback meeting with STSA and PPT.
3.10 Encryption Algorithms for IEC 62055-41
The question around the MISTY license in the previous report ([3] 3.8.1) has now
been addressed in D.2 [1].
4 Conclusions
In conclusion, the only notable observations are the overall lifetime of the system
(see 3.1.3) and the recommendation with regard to face-to-face meetings (see 3.3
and 3.5). In general we are happy that the updated specification meets STSA’s
requirements.
5 References
[1] STS - Key Management Specification, STS600-4-1 Ed 1.0
[2] STS Key Management Specification, PR-D2-0922 Rev 0.9 (PPT)
[3] Review of the new STS Key Management System, RPT-0031-110 (Ziliant)
6 Definitions and Abbreviations
CDU Credit Dispensing Unit
KEK Key Encrypting Key
KMC Key Management Centre
PPT Prism Payment Technologies
SM Security Module
STS Standard Transfer Specification
STSA STS Association