A key block is a special cryptographic structure designed to protect cryptographic keys when they are transported over networks which are potentially insecure. The concept of the key block was invented by Susan Lanford, and named after the company founder Mohammed M Atalla. Many security issues associated with the use of 'key variants' prior to the arrival of key blocks for transporting keys were resolved by Atalla's invention. The concept of key blocks became popular, normed and found widespread implementation, in particular in security sensitive applications like payment networks.
Almost immediately after it was invented, the key block was standardised by ISO and ANSI. Several other formats appeared during the time, based on the same original logic. Initially it was accepted by ANSI as AKB - ANSI Key Block, later it became TR-31. The PCI PIN also mandates the use of key blocks.
Why do we need Key Blocks?
When a large number of keys have to be securely transported, a simple encryption of these keys with a key encryption key (e.g a KEK) is insufficient as there are potentially several unknowns, such as:
- What exactly does the ciphered key represent?
- What is the serial number or unique identifier of the key that has been ciphered and transmitted, for what system must it be used and how can I identify that key in general?
- How should that key be used?
If such information is missing, the key cannot be used in a system where there is more than one cryptographic key. It would simply be impossible to tell which key is used for which purpose. However, if we add the information as a simple plaintext, then there is a risk that the entire data (key+information in plaintext) may be tampered since we are dealing with potentially insecure, foreign and unprotected environments. This creates huge security risks as a malicious attacker can edit the information regarding the keys and create all sorts of unwanted and hazardous behaviour.
One easy solution may be to cipher the entire data: key+ information with the KEK but, in a complex, secure, and distributed cryptographic system where the keys must be routed without knowing the KEK, this is not really possible. This is not the only issue. Attackers could still change part of the byte stream provided that a certain format is respected, potentially compromising the systems who receive the key data.
Key blocks were designed specifically to protect cryptographic systems from such attacks.
Key Block Definitions by the ANSI TR-31 report
The ANSI TR-31 report defines “generic” key blocks as abstract structures which provide a key together with a header field that contains non-sensitive data and with a payload field containing all the sensitive data, which are ciphered (including the key itself). The integrity of the header, plus the payload must be checked by adding an extra field. It must be strictly impossible to modify anything in the header or the payload without modifying the integrity check data.
In the report, there is much freedom regarding the construction of the header field that contains the non-sensitive key attributes. The sensitive key attributes, which are contained in the encrypted payload, could embed information such as, for example, the ciphering mode, the cleartext key length, etc.
The integrity mechanism is also flexible: it can be a HASH-MAC, a signature using PKI for example, or any similar mechanism.
Despite this leverage, there are restrictions. For example, the “Electronic Code Book (ECB) mode, which is known to be vulnerable to several attacks, must never be used if the data ciphers are superior in size to a block length.
According to the report, acceptable cipher modes include CBC and CCM.
Another important restriction is that the encryption of the sensitive information itself, including the key, must be performed only by 3DES or AES ciphers.
Key Block Security
As previously mentioned, key blocks must protect the system that receives the protected keys against a variety of attacks, including differential cryptographic attacks.
Key blocks must prevent the data being intercepted by a malevolent middleman and the recombination of the ciphered key component(s). This is accomplished very simply and efficiently by using the authentication part (the MAC part).
KBEC and KBAC
In a standard key block, there are two encryption keys. One, the key block encryption key (KBEC), used to cipher the key component. The other is the key block authentication key (KBAC), used for computing the MAC part, over the header + unciphered key part. Both keys are usually generated from a single Master Key via a derivation process.
Here is a standard representation of the whole cryptographic process:
These two keys are represented as derived from a single master key (the KPK- Key Protection Key).
Analysis of the Security of a key block
The security of a key block is directly dependent on how secure its ciphering and its integrity mechanism are. For example a key block that would use insecure hashes such as SHA-1 or MD-5 as its integrity mechanism would be deemed insecure. Such hashes algorithms are insecure because collisions can be engineered.
A key block is secure only if both the KBAC and KBEC keys space have a good entropy. For example, ‘almost’ a Shannon - entropy of 8.
A key block using an insecure padding such as CBC will be considered insufficiently secure.
Finally, if all of the security constraints are respected, the key block will provide excellent security and will be resistant to all known attacks.
While the concept is simple, key blocks have been found to significantly improve the protection of cryptographic keys - beyond merely using key encryption keys for distribution. If correctly implemented, key blocks will ensure the confidentiality and integrity of a key during its transfer via potentially insecure channels.
The Atalla Key Block is a very important format, and is at the root of all cryptographic block formats found within PCI and ANSI standards. It solves important issues regarding the security of keys when they are in transit within a potentially hostile environment.
Read more about the Utimaco Atalla AT1000 Hardware Security Module (HSM), a payments security module for protecting sensitive data and associated keys.
About the author
Martin Rupp is a cryptographer, mathematician and cyber-scientist. He has been developing and implementing cybersecurity solutions for banks and security relevant organizations for 20 years. Martin currently researches the application of Machine Learning and Blockchain in Cybersecurity.