5.3.1 What are ANSI X9 standards?
American National Standards Institute (ANSI) is broken down into committees, one being ANSI X9 2. The committee ANSI X9 develops standards for the financial industry, more specifically for personal identification number (PIN) management, check processing, electronic transfer of funds, etc. Within the committee of X9, there are subcommittees; further broken down are the actual documents, such as X9.9 and X9.17.
ANSI X9.9 [ANS86a] is a United States national wholesale banking standard for authentication of financial transactions. ANSI X9.9 addresses two issues: message formatting and the particular message authentication algorithm. The algorithm defined by ANSI X9.9 is the so-called DES-MAC (see Question 2.1.7) based on DES (see Section 3.2) in either CBC or CFB modes (see Question 2.1.4). A more detailed standard for retail banking was published as X9.19 [ANS96].
The equivalent international standards are ISO 8730 [ISO87]. and ISO 8731 for ANSI X9.9, and ISO 9807 for ANSI X9.19. The ISO standards differ slightly in that they do not limit themselves to DES to obtain the message authentication code but allow the use of other message authentication codes and block ciphers (see Question 5.3.4).
ANSI X9.17 [ANS95] is the Financial Institution Key Management (Wholesale) standard. It defines the protocols to be used by financial institutions, such as banks, to transfer encryption keys. This protocol is aimed at the distribution of secret keys using symmetric (secret-key) techniques. Financial institutions need to change their bulk encryption keys on a daily or per-session basis due to the volume of encryptions performed. This does not permit the costs and other inefficiencies associated with manual transfer of keys. The standard therefore defines a three-level hierarchy of keys:
- The highest level is the master key (KKM), which is always manually distributed.
- The next level consists of key-encrypting keys (KEKs), which are distributed on-line.
- The lowest level has data keys (KDs), which are also distributed on-line.
The data keys are used for bulk encryption and are changed on a per-session or per-day basis. New data keys are encrypted with the key-encrypting keys and distributed to the users. The key-encrypting keys are changed periodically and encrypted with the master key. The master keys are changed less often but are always distributed manually in a very secure manner.
ANSI X9.17 defines a format for messages to establish new keys and replace old ones called CSM (cryptographic service messages). ANSI X9.17 also defines two-key triple-DES encryption (see Question 3.2.6) as a method by which keys can be distributed. ANSI X9.17 is gradually being supplemented by public-key techniques such as Diffie-Hellman encryption (see Question 3.6.1).
One of the major limitations of ANSI X9.17 is the inefficiency of communicating in a large system since each pair of terminal systems that need to communicate with each other will need to have a common master key. To resolve this problem, ANSI X9.28 was developed to support the distribution of keys between terminal systems that do not share a common key center. The protocol defines a multiple-center group as two or more key centers that implement this standard. Any member of the multiple-center group is able to exchange keys with any other member.
ANSI X9.30 [ANS97] is the United States financial industry standard for digital signatures based on the federal Digital Signature Algorithm (DSA), and ANSI X9.31 [ANS98] is the counterpart standard for digital signatures based on the RSA algorithm. ANSI X9.30 requires the SHA-1 hash algorithm encryption (see Question 3.6.5); ANSI X9.31 requires the MDC-2 hash algorithm [ISO92c]. A related document, X9.57, covers certificate management encryption.
ANSI X9.42 [ANS94a] is a draft standard for key agreement based on the Diffie-Hellman algorithm, and ANSI X9.44 [ANS94b] is a draft standard for key transport based on the RSA algorithm. The former is intended to specify techniques for deriving a shared secret key; techniques currently being considered include basic Diffie-Hellman encryption (see Question 3.6.1), authenticated Diffie-Hellman encryption, and the MQV protocols [MQV95]. Some work to unify the various approaches is currently in progress. ANSI X9.44 will specify techniques for transporting a secret key with the RSA algorithm. It is currently based on IBM's Optimal Asymmetric Encryption Padding, a ``provably secure'' padding technique related to work by Bellare and Rogaway [BR94].
ANSI X9.42 was previously part of ANSI X9.30, and ANSI X9.44 was previously part of ANSI X9.31.