STS 600-4-1 Standard Transfer Specification - Enhanced Key Management System

COPYRIGHT © 2013, STS ASSOCIATION.

1. Introduction

This document specifies an enhanced Key Management System (infrastructure) for the Standard Transfer Specification (STS). Some of the main features are: provision for a distributed KMC architecture, remote coding of distributed HSM, key expiry and enhanced security levels conforming to NIST recommendations.

It extends the codes of practice of the STS Association and recommends maintenance of various IEC 62055-41 entities to provide security consistent with contemporary standards.

The intention is to implement the recommendations of section D and E, the 64-bit block ciphers CAST or MISTY, as a first step, thus maintaining backward compatibility with the 64-bit token payload and the 20-digit numeric token carrier for keypad implementation, while taking advantage of the improved 128-bit key security level. The 128-bit AES block cipher will be implemented in a 2nd step once the requirements for larger bandwidth tokens become clearer.

Two review reports from an independent security consultant (Ziliant Systems) are appended for reference. RPT-0031-120 covers the review prior the final release while RPT-0032-120 covers the final release after corrections and recommended changes were made.

2. Audience

STS Association.
STS SM and KMC developers.

3. Notices

DISCLAIMER

This document was prepared by Prism Payment Technologies (Pty) Ltd (“PRISM”) for the STS Association. PRISM makes no representations or warranties whether expressed or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.

PATENTS AND INTELLECTUAL PROPERTY

STS 600-4-1 Ed 1.1 : STS – Enhanced KMS PAGE 1 OF 62


Some elements of this document may be the subject of patent rights. PRISM shall not be held responsible for identifying any or all such patent rights.

TERMINOLOGY

The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in [RFC 2119].

4. Contents

1. Introduction
2. Audience
3. Notices
4. Contents
5. Overview
6. Definitions, Abbreviations and Symbols
   6.A. Definitions
   6.B. Abbreviations
   6.C. Symbols
7. Key Management Process (diagrams)
   7.A. Setup process for SM Manufacturers and KMCs
   7.B. Key publication after SM manufacture or maintenance
   7.C. Vending Key Load Request and Response
8. Data Types and Encodings
   8.A. Types
      8.A.1. Alphabets
      8.A.2. Sizes
      8.A.3. IDENT
      8.A.4. TIMESTAMP
   8.B. BCD
   8.C. BASE16 and BASE16-DECODE
   8.D. Integer, field element and point conversions
      8.D.1. Integer-to-Octet-String (I2OSP)
      8.D.2. Octet-String-to-Integer (OS2IP)
      8.D.3. Field-Element-to-Octet-String (FE2OSP)
      8.D.4. Octet-String-to-Field-Element (OS2FEP)
      8.D.5. Point-to-Octet-String (EC2OSP)
      8.D.6. Octet-String-to-Point (OS2ECP)
   8.E. CRC16-MODBUS
   8.F. LVCONCAT
   8.G. Delimited Field strings
      8.G.1. DFCONCAT
      8.G.2. DFPARSE
   8.H. Records
      8.H.1. BUILD-RECORD
      8.H.2. PARSE-RECORD
9. Cryptographic Primitives
   9.A. AES-192 in CCM mode
   9.B. SHA-384
   9.C. HMAC-SHA-384-192
   9.D. KDF-X963-SHA-384
   9.E. ECC CDH in NIST P-384
   9.F. One-Pass Unified Model Key Agreement Scheme C(1, 2, ECC CDH)
   9.G. ECDSA in NIST P-384
      9.G.1. ECDSA-SIGN
      9.G.2. ECDSA-VERIFY
   9.H. GENERATE-KEY
   9.I. VALIDATE-KEY
10. Data Formats and Structures
   10.A. PKID
   10.B. PUBKEY
   10.C. VKLOADREQ
   10.D. VKLOADRESP
   10.E. WRAPPED-KEY
      10.E.1. Attributes
11. SM Manufacturer Setup
   11.A. Recommended process to generate and publish PUBKEYMAN
12. SM Initialisation
   12.A. Prerequisites: SM
   12.B. SM Initialisation and PUBKEY certification
      12.B.1. Recommended process to generate and certify PUBKEYSM
   12.C. SM PUBKEY publication
13. KMC Initialisation
   13.A. Prerequisites: KMC HSM
   13.B. Prerequisites: KMC
   13.C. KMC Setup
      13.C.1. Recommended process to generate and publish PUBKEYKMC
   13.D. KMC operation
      13.D.1. SM Manufacturer PUBKEYMAN updates
      13.D.2. Approved HWID & FWID list updates
      13.D.3. Supply Group management instructions
      13.D.4. SM PUBKEY updates
14. SM Vending Key Load Request
15. KMC Vending Key Load Response
16. SM KEK Confirmation and Vending Key Import
17. End-of-life and key compromise procedures
   17.A. SM Manufacturer
      17.A.1. End-of-life
      17.A.2. Storage Master Key (SMK) or private ECDSA key (dMAN) compromise
   17.B. SM
      17.B.1. End-of-life
      17.B.2. Private ECC CDH key (dSM) compromise
      17.B.3. Storage Master Key (SMK) or Vending Key (VK) compromise
   17.C. KMC
      17.C.1. End-of-life
      17.C.2. Key compromise
A. Normative References
B. Bibliography
C. Vending Key attributes
D. Encryption Algorithms for IEC 62055-41
   D.1. CAST-128 (EA=12)
   D.2. MISTY1 (EA=11)
E. Decoder Key Generation Algorithm for IEC 62055-41
   E.1. HMAC-DKGA (DKGA=04)
   E.2. KDF108-Feedback-HMAC-SHA-384
F. Record-in-email format
G. File-of-records format
H. Summary of cryptographic primitives and standards
I. Summary of functions
J. Summary of required Codes of Practice and Registries

5. Overview

This document specifies a Key Management System (infrastructure) for the Standard Transfer Specification (STS) – as contemplated in [IEC 62055-41] section 9 and Annex A – including all relevant cryptographic techniques, protocols, and data formats.

The infrastructure is intended to:

1. Standardise Security Module (SM) initialisation and vending key transfer from a Key Management Centre (KMC) to an SM.
2. Conform to contemporary standards for key management and cryptographic security, with the expectation that the specified cryptographic techniques may remain in use until the year 2045.
3. Enable secure remote coding of SMs to simplify logistical processes.
4. Support the STSA Code of Practice for Token ID rollover [STS COP 402-1].

The security target has been set at 128 bits for the whole system and 192 bits for key management operations, in accordance with the key and algorithm security-strength recommendations of [NIST SP800-57 PART 1] and [NIST SP800-131A].

All cryptographic protocols and algorithms in this specification are standardised by ISO and NIST. Algorithms – other than those prescribed or constrained by [IEC 62055-41] – are approved for US Smart Grid Cyber Security by [NISTIR 7628], and meet or exceed¹ the Augmented Requirements for US Federal Cryptographic Key Management Systems [NIST SP800-152 DRAFT].

This document contains the following information:

- Definitions of the Terms, Abbreviations and Symbols that are used, which should be read in conjunction with the corresponding sections of [IEC 62055-41].
- Key management process diagrams summarising the steps in the initial and operational key management processes.
- Specification of Data Types and Encodings that are used to provide exact representations of logical data fields.
- Definitions of Cryptographic Primitives and Data Formats and Structures used in key management processes.
- Initial key management and trust establishment processes, comprising SM Initialisation and KMC Initialisation.
- The operational key management process, comprising the Vending Key Load Request sent by the SM to the KMC, and the Vending Key Load Response from the KMC.
- A reference to Vending Key Attributes that may be transferred with the vending key.
- Recommendations for new Encryption Algorithms (STS EA) and a new Decoder Key Generation Algorithm (STS DKGA) that meet the security target and which may be included in a revision of [IEC 62055-41].

¹ This specification has a higher security target than [NIST SP800-152 DRAFT] and thus uses larger key sizes that exceed the security requirement of that standard, but do not meet the interoperability requirements.

6. Definitions, Abbreviations and Symbols

6.A. Definitions

See also [IEC 62055-41] section 3.1 “Terms and definitions”.

BCD: Packed Binary Coded Decimal [W:BCD]. Each decimal digit is encoded as one nibble (4 bits). For example BCD(“1234”) = x’1234.

Big Endian: Byte ordering from most significant to least significant. See Wikipedia:Endianness [W:END].

Bit string: A bit string is an ordered sequence of 0’s and 1’s.

Cryptographic boundary: Continuous perimeter that establishes the physical and/or logical bounds of a Cryptographic Module (Security Module). See [ISO 19790].

Octet: An eight-bit byte. See Wikipedia:Octet [W:OCT].

Octet string: A variable-length ordered sequence of octets (eight-bit bytes). See [ITU X.680] (ASN.1) and Wikipedia:Octet [W:OCT]. Any bit string with length a multiple of 8 may be interpreted as an octet string (starting from the left of the bit string, each group of 8 bits is an octet).

6.B. Abbreviations

See also [IEC 62055-41] section 3.2 “Abbreviations”.

HSM: Hardware Security Module, also called a Cryptographic Module. This abbreviation usually refers to a Security Module used by the KMC to manage keys and perform cryptographic operations.

IV: Initialisation Vector, used in some block cipher modes of operation. Also called a Starting Variable (SV).

KMC: Key Management Centre, an infrastructure component used to manage keys in an STS system (as in [IEC 62055-41]).

PRF: Pseudorandom function.

RBG: Random Bit Generator such as those defined in [ISO 18031] or [NIST SP800-90].

RTC: Real-time Clock.

SM: Security Module (called a “Cryptographic Module” in [IEC 62055-41]).

6.C. Symbols

a × b or a.b: Integer multiplication; the product of integers a and b.

a / b: Real division; the quotient of a divided by b as a real number.

a ÷ b: Integer division with truncation; the largest integer x where x ≤ a/b.

⌈a⌉: The ceiling of real number a: the smallest integer ≥ a. ⌈a/b⌉ = (a+b-1)÷b.

∑ ai for i=1 to n: The sum of values a1 + a2 + … + an.

a ≡ b (mod q): a is congruent to b modulo q.

∅: A null or empty field.

[n,m]: The interval (range) of integers between and including n and m.

a ∥ b: The ordered concatenation of the octet- or bit-strings a and b.

|L|: The length in bits of the octet- or bit-string L.

a ⨁ b: The bitwise exclusive-OR (bitwise addition modulo 2) of octet- or bit-strings a and b.

x’H1H2…H2nH2n+1: An octet string represented as a sequence of Base16 digits (0-9, A-F). Each octet si in an n-octet string S = s1 s2 … sn is represented by a pair of digits in the Base16 alphabet H2i-1H2i such that si = H2i-1 × 16 + H2i. See also BASE16() in section 8.C. For example, x’012345 is a sequence of octets 0x01, 0x23, 0x45.

BitLen(x): Length in bits of bit string or octet string x.

OctetLen(x): Length in octets of octet string x.

Page 9: STS Standard Transfer Specification - ced Key … Specifications/STS600-4-1...B. Abbreviation C. Symbols ..... y Managem. ... DSA key (dM ... on Algorithm in a revision has a higher

COP

PYRIGHT © 201

7. Key7.A. Setu

The San S(whe

The Kand every

7.B. Key

Whemanu⑤ in

and to thThe kand

3

3, STS ASSOCIA

y Managup process fo

SM ManufacM Manufac

enever the m

KMC Initialisinfrequentlyy 2 to 3 year

publication

never fresh cufacture, refn the followi

Se

S

SM InitialThe SM gepair for ke

gives the publiche Manufacturekey pair is used⑦.

3

KM

1 SEsKK

ATION.

gement Por SM Manu

cturer Setup turer adopt

manufacturer

sation procey thereafter s).

after SM m

cryptographfurbishment ing diagram)

ecure manuf

SM

lisation enerates a keyey establishmec key (PUBKEYS

er. d in steps ⑥

MC

SM ManufactuEach SM Manufsigning, and senKMC (by e-mailKMCs import th

Processufacturers an

process (Stets this key mr’s digital sign

ss (Step ②(whenever t

anufacture o

ic trust mustor mainten

must be per

facturing faci

S

y nt, M)

4identity ausing the (from stecertified p

2 KMCEachestabkey ((to b

rer Setup facturer generands the public k) (to be used in

he public keys f

s (diagrand KMCs

ep ① in themanagemenning key pair

) is performthe KMC’s k

or maintena

t be establishance – the Srformed.

ility

SM Manuf

SM PUBKEY PuThe SM Manufcertifies (signsnd public key (Manufacturer’

p ①), and senpublic key to ea

e

C Initialisation KMC generateblishment, and PUBKEYKMC) to e used in steps

ates a key pair fkey (PUBKEYMAN

n steps ④ and from SM manuf

STS

ams)

e following dt specificatir expires, typ

ed once whkey establish

ance

hed in a SecuSM Initialisa

facturer

ublication facturer ) the SM’s PUBKEYSM) ’s signing key ds the

ach KMC (by e-mail).

es a key pair forpublishes the pall SM Operato⑥ and ⑦).

for digital N) to each ⑤). facturers.

600-4-1 Ed 1

iagram) is peon, and infr

pically every

en a KMC ishment key p

urity Moduletion process

5SM Eachcert

(and identity) verifies the cethe Manufact(PUBKEYMAN imthen stores thin the databas

SM Man

r key public ors

SM O

1.1 : STS – En

erformed onrequently th3 to 5 years)

s first commpair expires,

e (SM) – suchs (steps ③,

KMC

PUBKEY Imporh KMC receivesified SM public from the Manu

ertificate (signaturer’s public kemported in stephe certified SM se.

ufacturer

Operator

Physical delivery of

SM

nhanced KM

PAGE 9 OF 6

nce when hereafter ).

issioned, typically

h as after ④ and

t the key

ufacturer, ture) using

ey p ①), public key


7.C. Vending Key Load Request and Response

Whenever an SM needs new or updated Vending Keys (VKs) from any KMC, the SM must prepare a Vending Key Load Request (step ⑥ in the following diagram) that is sent to the KMC. The KMC uses the SM’s certified public key (imported in step ⑤) to verify that the request originated from an authentic SM, then replies with a Vending Key Load Response (step ⑦) that authenticates the KMC to the SM and includes zero or more VKs.

[Diagram: SM Operator, SM and KMC, with steps ⑥ and ⑦]

⑥ Vending Key Load Request: An SM in a production environment is given a KMC’s public key (PUBKEYKMC) by the SM Operator, and generates a VKLOADREQ which is sent to that KMC (by e-mail).

⑦ Vending Key Load Response: The KMC finds the SM’s public key (PUBKEYSM) in its database, authenticates the SM based on the request, and generates a response file containing a VKLOADRESP and zero or more Vending Keys (as WRAPPED-KEY records). The file is sent to the SM Operator (as an e-mail attachment).

8. Data Types and Encodings

8.A. Types

Some data elements must be represented using a limited alphabet and/or a fixed size. This section specifies alphabets, size notations and encodings.

8.A.1. Alphabets

The following table names and describes various alphabets:

| Alphabet | Short name | [POSIX RE] | Description |
|---|---|---|---|
| Printable ASCII | P | [\x20..\x7E] or [[:print:]] | Each octet is a single character in the US-ASCII [W:ASC] encoding, and SHALL be in the range of printable characters [W:ASC] (x’20 – x’7E inclusive). |
| Alphabetic (Letter) | A | [A-Za-z] or [[:alpha:]] | A printable ASCII character in the English alphabet, that is, a letter in the range ‘A’ (x’41) to ‘Z’ (x’5A) or ‘a’ (x’61) to ‘z’ (x’7A) inclusive. |
| Decimal | D | [0-9] or [[:digit:]] | A printable ASCII character in the range ‘0’ (x’30) to ‘9’ (x’39) inclusive, used as the alphabet for base 10 encoding. |
| Hexadecimal [W:HEX] | H | [0-9A-F] | A printable ASCII character in the range ‘0’ (x’30) to ‘9’ (x’39) or ‘A’ (x’41) to ‘F’ (x’46) inclusive, used as the alphabet for Base16 encoding. |
| Alphanumeric | AN | [A-Za-z0-9] | A character that is either Alphabetic or Decimal. |

8.A.2. Sizes

The following table gives a compact notation used to express fixed- or variable-length fields of a particular alphabet:

| Notation | Description | Examples |
|---|---|---|
| nT | A fixed-length field of n characters from alphabet T. n is a decimal number, and T is a short name from section 8.A.1. | 1D, 3AN, 8H |
| n-mT | A variable-length field of characters from alphabet T, with a minimum length of n and a maximum length of m characters. n and m are decimal numbers, and T is a short name from section 8.A.1. | 2-4D, 0-16A |
| xnT | A variable-length field of characters from alphabet T, with length a multiple of x (a decimal number). T is a short name from section 8.A.1 and n is a literal ‘n’. | 2nH |

8.A.3. IDENT

An IDENT is a special type comprising one Alphabetic letter (1A) followed by zero to ninety-eight characters that are either Alphanumeric or one of the following: underscore (‘_’, x’5F), hyphen (‘-’, x’2D), period (‘.’, x’2E) or comma (‘,’, x’2C). IDENT is described by the regular expression [POSIX RE] [A-Za-z][A-Za-z0-9_\-.,]{0,98} (maximum length 99 characters).

8.A.4. TIMESTAMP

A TIMESTAMP is an instant in Coordinated Universal Time (UTC) represented as a complete date and time point using [ISO 8601] (NORMATIVE) basic format: YYYYMMDDThhmmssZ.

The “T” and “Z” are literal, indicating a timestamp (“T”) in UTC (“Z”) format. All characters Y, M, D, h, m, s are Decimal. YYYY is a calendar year, MM is a calendar month (Jan = “01”), DD is a calendar day of the month (the first day is “01”). hh is an hour of day in the range “00” to “23”, mm is a minute from “00” to “59”, and ss is a second from “00” to “59”.

Note that the use of hh=“24” for midnight or ss=“60” for a leap second are prohibited. No alternative representations, extended formats or separators are permitted.

8.B. BCD

Packed Binary Coded Decimal [W:BCD] is a compact representation for strings of decimal digits. Each digit is encoded as one nibble (4 bits) in the output.

Function description:

BCD(X) outputs the packed Binary Coded Decimal representation of 2n-character decimal string X (type 2nD). If X=d1d2…d2n where di is an octet in the decimal alphabet then BCD(X) outputs x’d1d2…d2n-1d2n.

Example: If X=“012345” with OctetLen(X)=6, then BCD(X)=x’012345 with OctetLen(BCD(X))=3.

8.C. BASE16 and BASE16-DECODE

The Base 16 encoding [RFC 4648] (NORMATIVE, SECTION 8) is intended to represent arbitrary octet strings in the form of hexadecimal [W:HEX] strings.

Function description:

BASE16(X) where X is a sequence of octets x1 x2 … xn (an octet string) outputs a sequence of hexadecimal characters h1 h2 … h2n+1 (also an octet string) such that for every xi (i = 1, 2, …, n), h2i-1 is the top 4 bits of xi translated into the Hexadecimal alphabet and h2i is the same translation of the bottom 4 bits of xi.

BASE16-DECODE(X) is the inverse of BASE16(X), also known as the decode operation: BASE16-DECODE(BASE16(X)) = X. The operation SHALL fail if X is not a string in the Hexadecimal alphabet.

Note that in keeping with the definition of the Hexadecimal alphabet in section 8.A.1, only uppercase alphabetic characters ‘A’ to ‘F’ are permitted in the output.

8.D. Integer, field element and point conversions

The functions described here are defined in [ISO 18033-2] (NORMATIVE) sections 5.2.5, 5.3.1 and 5.4.3, [ANSI X9.62] section A.5, [ANSI X9.63] section 4.3 and [NIST SP800-56A] Appendix C.

A field element of the prime field Fq is an integer in the range [0, q-1], and may also be represented by a big endian octet string of length exactly ⌈log2(q) / 8⌉ octets. For the NIST P-384 elliptic curve q is a 384-bit integer.

A point P on an elliptic curve over Fq has coordinates (xP, yP) that are both field elements of Fq. Point P may be represented by an ordered concatenation of a prefix octet x’04 and the octet string representations of xP and yP. This specification permits only the uncompressed form for elliptic curve points (thus the prefix octet is x’04 as for field “H” in [ISO 18033-2] section 5.4.3 and the “PC” octet in [ANSI X9.63] section 4.3.6).

Within the scope of this specification all points SHALL be on the NIST P-384 elliptic curve (see section 9.E), and field elements have corresponding limitations.

8.D.1. Integer-to-Octet-String (I2OSP)

Integer-to-Octet-String(x, L) accepts an integer x in the range [0, L-1] and outputs the octet string representation of x. Conversion fails if x is outside the range [0, L-1].

Let len=⌈log2(L) / 8⌉, then output S where S is the string of octets S1 S2 … Slen satisfying x = ∑ (2^(8(len-i)) × Si) for i = 1 to len.

8.D.2. Octet-String-to-Integer (OS2IP)

Octet-String-to-Integer(S, L) accepts an octet string S with length len=⌈log2(L) / 8⌉ octets, and outputs the integer x represented by S. Conversion fails if x is outside the range [0, L-1].

Octet-String-to-Integer(Integer-to-Octet-String(x, L), L) = x.

8.D.3. Field-Element-to-Octet-String (FE2OSP)

Field-Element-to-Octet-String_Domain(x) is Integer-to-Octet-String(x, q) where q is given by the Domain parameters.

8.D.4. Octet-String-to-Field-Element (OS2FEP)

Octet-String-to-Field-Element_Domain(S) is Octet-String-to-Integer(S, q) where q is given by the Domain parameters.

Octet-String-to-Field-Element(Field-Element-to-Octet-String(x)) = x.

8.D.5. Point-to-Octet-String (EC2OSP)

Point-to-Octet-String_Domain(P) accepts a point P = (xP,yP) that is not the point at Infinity, and outputs the octet string S = x’04 ∥ Field-Element-to-Octet-String_Domain(xP) ∥ Field-Element-to-Octet-String_Domain(yP).

8.D.6. Octet-String-to-Point (OS2ECP)

Octet-String-to-Point_Domain(S) accepts octet string S and outputs a point P constructed from the coordinates (field elements) xP and yP in Fq. Let FELen = ⌈log2(q)/8⌉ where q is given by the Domain parameters. Conversion fails if OctetLen(S) ≠ 1+2.FELen. Interpret S as an ordered concatenation of fixed-length octet strings PC (1 octet), SL (FELen octets) and SR

(FELen octets). FAIL if PC ≠ x’04. Compute xP = Octet-String-to-Field-Element_Domain(SL) and yP = Octet-String-to-Field-Element_Domain(SR), then output point P = (xP,yP). Point P is not guaranteed to be a valid point on the curve.

Octet-String-to-Point(Point-to-Octet-String(P)) = P.

8.E. CRC16-MODBUS

The 16-bit checksum specified in [IEC 62055-41] (NORMATIVE) section 6.3.7, also known as CRC16/MODBUS [CRC-CAT].

Function description:

CRC16-MODBUS(x) computes and outputs a 16-bit checksum over the input octet string x using a Cyclic Redundancy Code with the generator polynomial (x^16 + x^15 + x^2 + 1) and the initial checksum 0xFFFF.

This specification treats the CRC as an integer (16-bit big endian bit string), whereas [IEC 62055-41] formats the CRC as a two octet little-endian value.

The CRC parameters in the Rocksoft™ model [ROCKSOFT] are:

| width | poly | init | refin | refout | xorout | check |
|---|---|---|---|---|---|---|
| 16 | 0x8005 | 0xffff | True | True | 0x0000 | 0x4b37 (input=“123456789”) |

Lammert’s On-line CRC calculator [LAMMERT] supports this checksum and can be used to validate implementations.

8.F. LVCONCAT

(Mnemonic: “Length-Value Concatenation”) LVCONCAT is a formatting function that produces an ordered concatenation of octet strings each with a length prefix. The output is a one-to-one mapping of the inputs, can be parsed unambiguously into the original inputs, and is prefix-free.

LVCONCAT is designed to format input fields to cryptographic functions such as key derivation and message authentication. It follows the principles of [CM10] to avoid exploitable ambiguities in interpretation, and meets the requirements for the following input data fields:

- FixedInput for the KDF in [NIST SP800-108] (sections 5 and 7).
- SharedInfo for the KDF in [ANSI X9.63] (section 8), equivalent to OtherInfo in [NIST SP800-56A] section 5.8.1.
- MacData (also called M) for key confirmation in [ISO 11770-3] section 9, [ANSI X9.63] and [NIST SP800-56A] section 8.2.

Function description:

LVCONCAT(I1, I2, …, In) outputs as an octet string a one-to-one prefix-free encoding of input octet strings I1, I2, …, In (0≤n<256, OctetLen(Ii)<256) that can be unambiguously parsed into the original inputs.

Input:

- I1, I2, …, In, the n input octet strings.

Process:

- If n > 255 then FAIL.
- Set S to a 1 octet (8-bit) integer representation of n.
- For j = 1, 2, …, n do:
  - If OctetLen(Ij) > 255 then FAIL.
  - Set L to a 1 octet (8-bit) integer representation of OctetLen(Ij).
  - S = S ∥ L ∥ Ij.
- Output S.

8.G. Delimited Field strings

A delimited string is an ordered concatenation of fields that are separated from each other by a non-alphabetic delimiter (a character outside the field alphabet).

DFCONCAT (mnemonic: “Delimited Field Concatenation”) is a formatting function that produces an ordered concatenation of printable ASCII strings that are separated from each other by a delimiter from the printable ASCII alphabet. The output is prefix-free with respect to all other outputs for the same number of input fields.

DFPARSE is the corresponding parsing function.

8.G.1. DFCONCAT

Function description:

DFCONCAT(DELIM, I1, I2, …, In) outputs as a printable ASCII string a one-to-one encoding of the input printable ASCII strings I1, I2, …, In none of which may contain the printable ASCII character DELIM. The output can be unambiguously parsed into the original inputs.

Input:

- DELIM, the delimiter character (printable ASCII, 1P).
- I1, I2, …, In, the n input printable ASCII strings.

Process:

- If DELIM is not a printable ASCII character (1P) then FAIL.
- Set S to an empty octet string.
- For j = 1, 2, …, n do:
  - If any octet in Ij equals DELIM or is not printable ASCII then FAIL.
  - S = S ∥ Ij ∥ DELIM.
- Output S.

Note that the output always ends with the delimiter character DELIM; this is necessary to obtain a prefix-free encoding of the inputs.

8.G.2. DFPARSE

Function description:

DFPARSE(DELIM, S) is the inverse of DFCONCAT, also known as the parsing operation: DFPARSE(DELIM,DFCONCAT(DELIM, I1, I2, …, In)) = I1, I2, …, In. The operation fails if octet string S is not a valid output of DFCONCAT(DELIM, …) (that is, a string of printable ASCII characters ending in DELIM).

Input:

- DELIM, the delimiter character (printable ASCII, 1P).
- S, the octet string to be parsed.

Process:

- If DELIM is not a printable ASCII character (1P) then FAIL.
- If the last octet in S is not DELIM then FAIL(“Bad encoding in input”).
- If any octet in S is not printable ASCII then FAIL(“Bad characters in input”).
- Split S into fields O1, O2, …, On delimited by the character DELIM.
- Output n and O1, O2, …, On.

8.H. Records

A record is a data structure with multiple fields and a printable ASCII representation. Within this specification all data transfer and storage formats are defined as records.

A record combines into a printable ASCII string: a type indicator, an ordered sequence of fields, and a checksum. The type indicator must be an IDENT, and each field must be a printable ASCII string that does not contain the delimiter character ‘|’.

8.H.1. BUILD-RECORD

BUILD-RECORD(rectype, n, I1, I2, …, In) accepts as input an IDENT rectype, a positive integer n (0 < n < 256), and n printable ASCII strings that SHALL NOT contain the delimiter character DELIM = ‘|’. This function constructs R = DFCONCAT(DELIM = ‘|’, rectype, I1, I2, …, In), computes C = CRC16-MODBUS(R) (C is a 16-bit big endian bit string) and outputs R ∥ BASE16(C).

8.H.2. PARSE-RECORD

PARSE-RECORD(rectype, n, S) accepts as input an IDENT rectype, a positive integer n (0 < n < 256), and an octet string S.

Process:

- DELIM is ‘|’.
- If S does not start with the string rectype ∥ DELIM then FAIL(“Input is not a record of type ” ∥ rectype).
- If OctetLen(S) < (OctetLen(rectype)+5) then FAIL(“Missing CRC on record ” ∥ rectype).

- Split S into R ∥ C’, where C’ is the last 4 characters of S.
- Compute C = CRC16-MODBUS(R), C is a 16-bit big endian bit string.
- If C’ ≠ BASE16(C) then FAIL(“Bad checksum on record ” ∥ rectype).
- Parse R using DFPARSE(DELIM, R) to recover fields O1, O2, …, Om. Propagate errors.
- If n ≠ m then FAIL(“Wrong number of fields in record ” ∥ rectype).
- Output O1, O2, …, On.
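The record framing of sections 8.E, 8.G and 8.H can be exercised end to end as follows. This is an added example, not code from the specification or from the STS Association; the function names, the `RecordError` type and the sample field values are assumptions, and it assumes the leading type indicator is not counted among the n fields that PARSE-RECORD returns.

```python
import re

DELIM = b"|"                       # record delimiter fixed by section 8.H
IDENT = re.compile(rb"[A-Za-z][A-Za-z0-9_\-.,]{0,98}")   # section 8.A.3


class RecordError(ValueError):
    """Raised wherever the specification says FAIL."""


def crc16_modbus(data: bytes) -> int:
    """8.E: width 16, poly 0x8005, init 0xFFFF, refin/refout True, xorout 0."""
    crc = 0xFFFF
    for octet in data:
        crc ^= octet
        for _ in range(8):
            # Reflected form of the algorithm, so 0x8005 appears bit-reversed.
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def _printable(octets: bytes) -> bool:
    return all(0x20 <= o <= 0x7E for o in octets)


def dfconcat(delim: bytes, *fields: bytes) -> bytes:
    """8.G.1: every field is followed by DELIM, including the last one."""
    if len(delim) != 1 or not _printable(delim):
        raise RecordError("DELIM is not a printable ASCII character")
    out = b""
    for field in fields:
        if delim in field or not _printable(field):
            raise RecordError("Field contains DELIM or is not printable ASCII")
        out += field + delim
    return out


def dfparse(delim: bytes, s: bytes) -> list:
    """8.G.2: inverse of dfconcat, with the spec's two encoding checks."""
    if len(delim) != 1 or not _printable(delim):
        raise RecordError("DELIM is not a printable ASCII character")
    if not s.endswith(delim):
        raise RecordError("Bad encoding in input")
    if not _printable(s):
        raise RecordError("Bad characters in input")
    return s[:-1].split(delim)


def build_record(rectype: bytes, *fields: bytes) -> bytes:
    """8.H.1: R = DFCONCAT('|', rectype, I1..In); output R || BASE16(CRC)."""
    if not IDENT.fullmatch(rectype):
        raise RecordError("Record type is not an IDENT")
    if not 0 < len(fields) < 256:
        raise RecordError("Field count must satisfy 0 < n < 256")
    r = dfconcat(DELIM, rectype, *fields)
    return r + b"%04X" % crc16_modbus(r)   # 16-bit big endian, upper-case hex


def parse_record(rectype: bytes, n: int, s: bytes) -> list:
    """8.H.2, using the FAIL messages quoted in the specification."""
    name = rectype.decode("ascii", "replace")
    if not s.startswith(rectype + DELIM):
        raise RecordError("Input is not a record of type " + name)
    if len(s) < len(rectype) + 5:
        raise RecordError("Missing CRC on record " + name)
    r, received = s[:-4], s[-4:]
    if received != b"%04X" % crc16_modbus(r):
        raise RecordError("Bad checksum on record " + name)
    # Assumption: the leading type indicator is not one of the n fields.
    fields = dfparse(DELIM, r)[1:]
    if len(fields) != n:
        raise RecordError("Wrong number of fields in record " + name)
    return fields


def failure(func, *args):
    """Return the FAIL message raised by func(*args), or None on success."""
    try:
        func(*args)
    except RecordError as exc:
        return str(exc)
    return None


# Constructed sample values, not taken from the specification.
SAMPLE_FIELDS = [b"ACME", b"SM-0001", b"20130101T000000Z", b"0123456789ABCDEF"]

if __name__ == "__main__":
    record = build_record(b"SMID.1", *SAMPLE_FIELDS)
    print(record.decode("ascii"))
    print(parse_record(b"SMID.1", 4, record))
    print(failure(parse_record, b"SMID.1", 4, record.replace(b"ACME", b"ACMF")))
```

The CRC only detects accidental corruption of a record in transit or storage; it is not keyed and gives no protection against deliberate modification.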

9. Cryptographic Primitives

9.A. AES-192 in CCM mode

The AES block cipher with 192-bit cipher key as specified in [ISO 18033-3] (NORMATIVE) and [FIPS PUB 197], operated in CCM mode as specified in [ISO 19772] (NORMATIVE) and [NIST SP800-38C] and [RFC 3610], with a tag length (MAC) of 128 bits.

This specification requires that the CCM implementation SHALL use a Flags Octet value of x’7B in B0, and SHALL NOT permit or accept any other value for the Flags Octet.

Function description:

AES-192-CCMENC(K, N, additional, plaintext) computes a 128-bit keyed authentication tag over the octet string inputs plaintext (maximum length 2^23-1 octets) and additional (maximum length 2^23-1 octets) using the 192-bit key K and 96-bit nonce N, enciphers the input plaintext using K and N, and outputs a ciphertext that includes the authentication tag.

AES-192-CCMDEC(K, N, additional, ciphertext) accepts octet string inputs ciphertext (maximum length 2^23+15 octets) and additional (maximum length 2^23-1 octets) where ciphertext includes a 128-bit keyed authentication tag, deciphers the ciphertext using the 192-bit key K and 96-bit nonce N to produce plaintext, verifies the authentication tag over plaintext and additional using K and N, and outputs plaintext.

9.B. SHA-384

The SHA-384 hash function, as specified in [ISO 10118-3] (NORMATIVE) and [FIPS PUB 180-4].

Function description:

SHA-384(X) outputs a 384-bit digest computed over the input bit string X.

9.C. HMAC-SHA-384-192

HMAC-SHA-384-192 is defined in RFC 4868 as the keyed-hash message authentication code (HMAC) specified in [ISO 9797-2] (NORMATIVE) and [FIPS PUB 198-1] and [RFC 2104], using the hash function SHA-384 (section 9.B), with the MAC truncated to the leftmost 192 bits.

Within the scope of this specification HMAC-SHA-384-192 is only used with a key of less than 1024 bits (the block size of SHA-384). The implementation given below has been simplified accordingly.

Function description:

HMAC-SHA-384-192(K, text) outputs a 192-bit message authentication code (MAC) computed over the n-octet input text (0 ≤ n < 2^16) using the m-octet key K (0 < m < 128).

Input:

- K, a secret key (as an octet string).
- text, the data on which the HMAC is computed.

Process:

- B = 128, an integer constant giving the block size in octets of the hash function (SHA-384).
- ipad = x’3636…, an octet string constant of length B (the octet x’36 repeated B times).
- opad = x’5C5C…, an octet string constant of length B (the octet x’5C repeated B times).
- If OctetLen(K) ≥ B then FAIL.
- If OctetLen(text) ≥ 2^16 then FAIL.
- Append zeros (octets x’00) to the end of key K to create a B-octet string K0.
- Compute MAC = SHA-384( (K0 ⨁ opad) ∥ SHA-384( (K0 ⨁ ipad) ∥ text ) ).
- Output the leftmost 192 bits of MAC.

9.D. KDF-X963-SHA-384

The Key Derivation Function (KDF) specified in section 5.6.3 of [ANSI X9.63], [ISO 11770-3] (NORMATIVE, ANNEX B.3), and [SEC 1] section 3.6.1, using the hash function SHA-384 (section 9.B).

Within the scope of this specification KDF-X963-SHA-384 is only used with keydatalen = 384 bits, and small Z and SharedInfo (less than 2^19 bits). The implementation given below has been simplified accordingly.

Function description:

KDF-X963-SHA-384(Z, SharedInfo, keydatalen) outputs a keydatalen-bit key derived from an asymmetrically shared secret Z (maximum length 2^10-1 bits) and octet string SharedInfo (maximum length 2^16-1 octets).

Input:

- Z, a bit string of secret data (maximum length 2^10-1 bits).
- SharedInfo, an octet string of non-secret data, 0 < OctetLen(SharedInfo) ≤ (2^16-1).
- keydatalen, an integer giving the length in bits of keying data to be generated.

Process:

- hashlen = 384, a constant integer giving the length in bits of the digest (output) produced by the hash function (SHA-384).
- If BitLen(Z) ≥ 2^10 then FAIL.
- If OctetLen(SharedInfo) ≥ 2^16 then FAIL.
- If keydatalen > hashlen then FAIL.
- Set counter (a 32-bit, big-endian bit string) to x’00000001.
- Compute KeyData = SHA-384( Z ∥ counter ∥ SharedInfo ).
- Output the leftmost keydatalen bits of KeyData.

9.E. ECC CDH in NIST P-384

The Cofactor Diffie-Hellman (CDH) primitive specified in [ISO 11770-3] (NORMATIVE) (Annex D), [ANSI X9.63] section 5.4.2 (“Modified Diffie-Hellman Primitive”), [NIST SP800-56A] section 5.7.1.2 and [SEC 1] section 3.3.2.

This specification requires that all CDH operations SHALL be performed using the NIST P-384 curve and domain parameters that are specified in [FIPS PUB 186-3] (NORMATIVE), [ANSI X9.62] (as “ansix9p384r1”) and [SEC 2] (as “secp384r1”). Octet string representations of points on the

elliptic curve SHALL use uncompressed form affine coordinates ([ISO 18033-2] (NORMATIVE) section 5.4.3, [ANSI X9.63] section 4.3.6) as described by the Point-to-Octet-String conversion (section 8.D.5).

CDH uses scalar (integer) multiplication on an elliptic curve over a finite prime field, as defined in [ISO 15946-1] (NORMATIVE) section A.1.2 and A.4, and in [SEC 1].

Function description:

ECC-CDH_Domain(dA, QB) accepts A’s private key dA (an integer in the range [1,n-1] where n is given by the Domain parameters, always NIST P-384 in this specification) and B’s public key QB (a point on the elliptic curve), and computes and outputs a shared secret octet string Z.

Input:

- dA, the private key of entity A (an integer in the range [1,n-1]).
- QB, the public key of entity B (a point on the curve).

Process:

- Use domain parameters (q, FR, a, b, G, n, h ) = NIST P-384.
- Compute the point P = (xP,yP) = h dA QB (scalar multiplication of a point on an elliptic curve).
- If P is the point at infinity then FAIL.
- Set Z to xP (the x-coordinate of P).
- Zeroise intermediate results and output Field-Element-to-Octet-String(Z).

9.F. One-Pass Unified Model Key Agreement Scheme C(1, 2, ECC CDH)

The One-Pass Unified Model key agreement scheme using the Elliptic Curve Cofactor Diffie-Hellman (ECC CDH) primitive, also known as C(1, 2, ECC CDH) or C(1e, 2s). The scheme is specified in [NIST SP800-56A] (NORMATIVE) section 6.2.1.2 and [ANSI X9.63] section 6.5, and is used with bilateral key confirmation.

The scheme is a composite of [ISO 11770-3] key agreement mechanisms 1 and 2 and thus complies with that standard although it is not specifically identified and described.

Key confirmation from the SM to the KMC is modified to use a Time Variant Parameter (TVP) instead of a random nonce, allowing the confirmation to be included in the first protocol message, but slightly reducing freshness guarantees. This modification is permitted (the Nonce used in key confirmation is not required to be random) and the first protocol message is consistent with the entity authentication requirements of [ISO 9798-4].

The scheme is not detailed here; instead the scheme steps and all procedural prerequisites are included in the Vending Key Load Request (section 14), Vending Key Load Response (section 15) and KEK Confirmation (section 16) processes.

9.G. ECDSA in NIST P-384

The Elliptic Curve Digital Signature Algorithm (ECDSA) specified in [ISO 14888-3] (NORMATIVE), [ANSI X9.62], [FIPS PUB 186-3] and [SEC 1].

This specification requires that all ECDSA operations SHALL BE performed using the NIST P-384 curve and domain parameters that are specified in [FIPS PUB 186-3] (NORMATIVE), and that the hash function SHALL BE SHA-384 (section 9.B).

9.G.1. ECDSA-SIGN

ECDSA-SIGN_Domain,Hash(dA, M) accepts A’s private key dA (an integer in the range [1,n-1] where n is given by the Domain parameters) and a message M (an octet string), and computes and outputs a signature (r, s) where r, s are both in [1,n-1].

In this specification the Domain is always NIST P-384, and the Hash function is SHA-384.

9.G.2. ECDSA-VERIFY

ECDSA-VERIFY_Domain,Hash(QA, M, (r, s)) accepts A’s public key QA (a point on the elliptic curve given by the Domain parameters), a message M (an octet string), and a purported signature (r, s); checks the purported signature and outputs an indication of whether the signature is valid or not: “valid” or “invalid”.

In this specification the Domain is always NIST P-384, and the Hash function is SHA-384.

9.H. GENERATE-KEY

The Elliptic Curve key generation primitive specified in [ISO 15946-1] (NORMATIVE) section 6.1, [ANSI X9.63] section 5.2.1 and [FIPS PUB 186-3] section B.4 (using candidate testing).

This specification requires that all CDH and ECDSA keys use the NIST P-384 curve and domain parameters; see sections 9.E and 9.G.

Function description:

GENERATE-KEY() generates and outputs a random private key dA (an integer in the range [1,n-1] where n is given by NIST P-384) and the corresponding public key QA (a point on the P-384 curve).

Process:

- Use domain parameters (q, FR, a, b, G, n, h) = NIST P-384.
- Select a unique and unpredictable integer dA in the range [1, n-1]:
  - Obtain a string S of 384 bits from a random bit generator (RBG) with a security-strength of 192 bits or more.
  - Set I = Octet-String-to-Field-Element(S).
  - If (I > n – 2) then discard S and I and repeat the generation.
  - Set dA = I + 1.
- Compute the public key QA = dA G (scalar multiplication of a point on an elliptic curve).
- Output the key pair dA and QA.

9.I. VALIDATE-KEY

The public key validation primitive specified in [ISO 15946-1] (NORMATIVE) section 7, [ANSI X9.63] section 5.2.2.1 (“Standard Public Key Validation Primitive”), and [NIST SP800-56A] section 5.6.2.5 (“ECC Full Public Key Validation Routine”).

Function description:

VALIDATE-KEY(QB) outputs TRUE if QB = (xQ,yQ) is a point on the NIST P-384 curve and is not the identity element, or fails otherwise.

Process:

- Use domain parameters (q, FR, a, b, G, n, h ) = NIST P-384.
- If QB is the point at Infinity then FAIL.
- If xQ is not in the range [0, q-1] or yQ is not in the range [0, q-1] then FAIL.
- Verify that (yQ)^2 ≡ (xQ)^3 + a.xQ + b (mod q) or FAIL.
- Verify that P = n Q (scalar multiplication) is the point at Infinity or FAIL.
- Output TRUE.
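The simplified HMAC-SHA-384-192 and KDF-X963-SHA-384 processes of sections 9.C and 9.D, with LVCONCAT (section 8.F) formatting the KDF and MAC inputs, can be written as below. This is an added example, not code from the specification; the function names, the `PrimitiveError` type, the whole-octet restriction on keydatalen and all sample values are assumptions.

```python
import hashlib
import hmac


class PrimitiveError(ValueError):
    """Raised wherever the specification says FAIL."""


def lvconcat(*inputs: bytes) -> bytes:
    """8.F: one count octet, then a one-octet length before every input."""
    if len(inputs) > 255:
        raise PrimitiveError("more than 255 inputs")
    out = bytes([len(inputs)])
    for item in inputs:
        if len(item) > 255:
            raise PrimitiveError("input longer than 255 octets")
        out += bytes([len(item)]) + item
    return out


def hmac_sha384_192(key: bytes, text: bytes) -> bytes:
    """9.C: HMAC restricted to keys shorter than the SHA-384 block size."""
    block = 128                                   # B, in octets
    if not 0 < len(key) < block:
        raise PrimitiveError("key length must satisfy 0 < m < 128")
    if len(text) >= 2 ** 16:
        raise PrimitiveError("text must be shorter than 2^16 octets")
    k0 = key.ljust(block, b"\x00")                # zero-pad K to B octets
    inner = hashlib.sha384(bytes(k ^ 0x36 for k in k0) + text).digest()
    mac = hashlib.sha384(bytes(k ^ 0x5C for k in k0) + inner).digest()
    return mac[:24]                               # leftmost 192 bits


def verify_mac(key: bytes, text: bytes, tag: bytes) -> bool:
    """Compare in constant time so the check does not leak matching octets."""
    return hmac.compare_digest(hmac_sha384_192(key, text), tag)


def kdf_x963_sha384(z: bytes, shared_info: bytes, keydatalen: int = 384) -> bytes:
    """9.D: single-block ANSI X9.63 KDF; Z is passed as whole octets."""
    hashlen = 384
    if len(z) * 8 >= 2 ** 10:
        raise PrimitiveError("Z must be shorter than 2^10 bits")
    if not 0 < len(shared_info) < 2 ** 16:
        raise PrimitiveError("SharedInfo length out of range")
    # Assumption: keydatalen is a positive multiple of 8 (whole octets).
    if not 0 < keydatalen <= hashlen or keydatalen % 8:
        raise PrimitiveError("keydatalen out of range")
    counter = (1).to_bytes(4, "big")              # x'00000001
    key_data = hashlib.sha384(z + counter + shared_info).digest()
    return key_data[: keydatalen // 8]


def fails(func, *args) -> bool:
    """True if func(*args) hits one of the FAIL conditions."""
    try:
        func(*args)
    except PrimitiveError:
        return True
    return False


def ambiguity_demo() -> dict:
    """Why the inputs are length-prefixed: plain concatenation collides."""
    z = bytes(range(48))                          # constructed 384-bit secret
    a, b = (b"ab", b"c"), (b"a", b"bc")           # constructed field splits
    return {
        "plain_collides": b"".join(a) == b"".join(b),
        "lv_collides": lvconcat(*a) == lvconcat(*b),
        "keys_differ": kdf_x963_sha384(z, lvconcat(*a))
        != kdf_x963_sha384(z, lvconcat(*b)),
    }


if __name__ == "__main__":
    print(ambiguity_demo())
    key = kdf_x963_sha384(bytes(range(48)), lvconcat(b"SMID.1", b"ACME"))
    tag = hmac_sha384_192(key, lvconcat(b"constructed", b"message"))
    print(tag.hex().upper(), verify_mac(key, lvconcat(b"constructed", b"message"), tag))
```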

10. Data Formats and Structures

10.A. PKID

A PKIDA is a record (section 8.H) that identifies entity A by binding together the unique name or serial number of entity A with A’s public key:

- The tuple (Manufacturer, UID) uniquely identifies entity A.
- The tuple (Manufacturer, UID, Serial) uniquely identifies a public key associated with entity A.
- Given PKIDA it is difficult to find a public key QA’ ≠ QA that satisfies the Fingerprint.

The record type indicates the role of the entity in the key management infrastructure:

- rectype = “SMID.1” if entity A is an SM;
- rectype = “SMMAN.1” if A is an SM Manufacturer;
- rectype = “KMCID.1” if A is a KMC.

The record contains the following fields, in order:

| Position | Field | Type | Description |
|---|---|---|---|
| 1 | Manufacturer | IDENT | Identifies the manufacturer of entity A. |
| 2 | UID | IDENT | A Unique IDentifier of entity A with respect to the Manufacturer; the tuple (Manufacturer, UID) must be globally unique. |
| 3 | Serial | TIMESTAMP | The time at which A’s key pair (dA, QA) was generated. The key pair SHALL NOT be used for signing or key agreement before this date. |
| 4 | Fingerprint | 16H | A collision resistant hash that binds the preceding fields and record type to A’s public key QA. Let S = LVCONCAT(rectype, Manufacturer, UID, Serial, Point-To-Octet-String(QA)), then Fingerprint is the leftmost 16 characters of BASE16(SHA-384(S)). |

To verify the Fingerprint of a PKIDA and purported public key QA': parse PKIDA using PARSE-RECORD() and compute Fingerprint' using the recovered fields and QA', then compare the recovered Fingerprint with the computed Fingerprint'.

10.B. PUBKEY

A PUBKEYA is a public key certificate [W:CERT] that identifies entity A and contains A’s pu… The certificate may be signed by an Issuer, self-signed, or unsigned.

The PUBKEY is represented as a record (section 8.H), and the record type indicates the … and permitted usage of the public key:

- rectype = “PK.ECDH.1” for an ECC Cofactor Diffie Hellman (section 9.E) public key … reserved for use in the key management processes specified in this document;
- rectype = “PK.ECDSA.1” for an ECDSA public key with NIST P-384 domain parameters …

eding

UID, erprint is 84(S)).

DA using mpare the

ublic key.

purpose

ey that is

eters.

MS

62

The record contains the following fields, in order:

| Position | Field | Type | Description |
|---|---|---|---|
| 1 | Subject (IDA) | Printable | PKID (section 10.A) of the owner of the public key QA; includes the public key Fingerprint. |
| 2 | QAHEX | 194H | Entity A’s public key QA, encoded as BASE16(Point-To-Octet-String(QA)). |
| 3 | Expiry | TIMESTAMP | The time at which A’s key pair (dA, QA) expires. Expiry SHALL be greater than the Serial field of the Subject. An expired key pair SHALL NOT be used for signing or for key agreement, although an expired ECDSA key may be used to verify signatures created before the expiry date. |
| 4 | Issuer | ∅ or Printable | PKID of the Issuer responsible for generating the Signature. Leave empty if the PUBKEY is unsigned. |
| 5 | Signature | ∅ or 192H | A digital signature that binds together the preceding fields and record type, or empty if the PUBKEY is unsigned. Let M = LVCONCAT(rectype, Subject, Point-To-Octet-String(QA), Expiry, Issuer), and let (r, s) = ECDSA-SIGN(dISSUER, M) where dISSUER is the Issuer’s private key, then the Signature is BASE16(Integer-to-Octet-String(r, n) ∥ Integer-to-Octet-String(s, n)) where n is given by NIST P-384. |

To verify the Signature of a PUBKEYA: parse PUBKEYA using PARSE-RECORD(), construct M (as described for the Signature field) and verify Signature using ECDSA-VERIFY(QISSUER, M, Signature), where QISSUER is the Issuer’s public key.

10.C. VKLOADREQ

A Vending Key Load Request VKLOADREQSM is a record (section 8.H) of type “VKLOAD.REQ.1” that is constructed by the SM and sent to the KMC to request vending keys.

The record contains the following fields, in order:

| Position | Field | Type | Description |
|---|---|---|---|
| 1 | IDSM | Printable | PKID (section 10.A) of the requesting SM. |
| 2 | IDKMC | Printable | PKID (section 10.A) of the target KMC. |
| 3 | TVPKKMC | TIMESTAMP | Time variant parameter taken from the SM’s RTC. |
| 4 | HWID | IDENT | SM hardware model and revision (see section 12.A). |
| 5 | FWID | IDENT | SM firmware application and version (see section 12.A). |
| 6 | QEHEX | 194H | SM ephemeral public key QE (see section 0) encoded as BASE16(Point-To-Octet-String(QE)). |
| 7 | MacTagSMHEX | 48H | SM key confirmation MacTagSM (see section 14) encoded as BASE16(MacTagSM). |

10.D. VKLOADRESP

A Vending Key Load Response VKLOADRESPKMC is a record (section 8.H) of type “VKLOAD.RESP.1” that is constructed by the KMC and sent to the SM in response to a successful VKLOADREQ.

The record contains the following fields, in order:

| Position | Field | Type | Description |
|---|---|---|---|
| 1 | IDKMC | IDENT | PKID (section 10.A) of the responding KMC. |
| 2 | IDSM | IDENT | PKID (section 10.A) of the requesting SM. |
| 3 | TVPKKMC | TIMESTAMP | Time variant parameter copied from the SM’s VKLOADREQSM. |
| 4 | MacTagKMCHEX | 48H | KMC key confirmation MacTagKMC (see section 15) encoded as BASE16(MacTagKMC). |

10.E. WRAPPED-KEY

A Wrapped Key is a record (section 8.H) of type “KEY.1” that is constructed by the KMC and sent to the SM. This constitutes a symmetric key transfer scheme consistent with [ISO 11770-2] mechanism 2.

The record contains the following fields, in order:

| Position | Field | Type | Description |
|---|---|---|---|
| 1 | Nonce | 24H | A 96-bit value represented in the Hexadecimal alphabet. Each WRAPPED-KEY under a specific KEK must have a unique nonce. |
| 2 | Attributes | P | The attributes associated with the key, encoded as a delimited printable ASCII string using a card format as described in section 10.E.1 below. Supported attributes are defined in Appendix C. |
| 3 | ProtectedKey | H | The key material K, protected under the Key Exchange Key (KEK) using authenticated encryption (with Attributes as associated data) and encoded in the Hexadecimal alphabet. ProtectedKey = BASE16(AES-CCM(KEK, Nonce, Attributes, K)). |

10.E.1. Attributes

Attributes are a collection of unique attribute names Ni (type 3AN) and corresponding values VNi (type P), i = 1,2, …,n. The encoding, range and interpretation of VNi is determined by Ni according to the Vending Key attributes table given in Appendix C, but in all cases VNi SHALL be printable ASCII (and exclude the record and field delimiter characters ‘|’=x’7C and ‘,’=x’2C) with a maximum length of 252 characters¹.

The Attributes field of a WRAPPED-KEY is encoded as a delimited printable ASCII string using a card format: each name Ni and associated value VNi is concatenated to form a single card. Let S1,…,Sn be the names N1,…,Nn sorted in strictly ascending lexicographical order [W:LEX] in the ASCII alphabet (no duplicates are permitted), then Attributes = DFCONCAT(‘,’, S1∥VS1, …, Sn∥VSn).

¹ The length limit of 252 characters ensures that each string Ni ∥ VNi is a valid input field to LVCONCAT.

11. SM Manufacturer Setup

Prior to SM initialisation an SM Manufacturer SHALL:

- Select a unique name MANUFACTURER (an IDENT) to identify itself.
  o The STSA SHOULD provide a registry service for Manufacturer names.
- Generate an asymmetric digital signature key pair for the purpose of certifying SM public keys.
  o The key pair SHALL be an ECDSA key pair using the NIST P-384 domain parameters and having a security-strength of at least 192 bits, and SHALL be generated using an RBG having equivalent (or stronger) security-strength.
  o The key pair SHALL be generated and managed with respect to the principles of split knowledge and dual control. It SHALL NOT be possible for any single operator to sign an SM public key using the private digital signature key.
  o The secret key SHALL be protected by an HSM. The HSM SHALL meet the security prerequisites for a KMC HSM (section 13.A).
- Publish the self-signed public key to all KMCs.
  o The public key SHALL be published as a self-signed PUBKEY record (referred to as PUBKEYMAN; see section 0) with record type “PK.ECDSA.1”.
  o The PUBKEY Expiry SHALL be set to the time of generation plus the Originator Usage Period (see below).
  o A procedure to publish PUBKEYMAN SHALL be specified by KMC standards or operational documentation. Each recipient of the PUBKEYMAN SHALL check that the public key is not expired, and SHALL check the validity of the public key by manually confirming the public key’s fingerprint over an independent communication channel.

The Manufacturer’s key pair SHALL have a lifespan (Originator Usage Period) of at most 3 years (consistent with [NIST SP800-57 PART 1]):

- When the Manufacturer’s key pair expires, the Manufacturer SHALL generate a new key pair and publish the public key in the manner prescribed by this section.
- The Manufacturer SHALL NOT certify SM public keys using an expired key.
  o The Manufacturer’s private key dMAN SHALL be associated with an expiry date such that the signature operation SHALL NOT generate a signature using an expired key.
- A KMC SHALL NOT trust any PUBKEYSM for which the Serial (the point in time at which the SM key pair was generated) is more recent than the expiry date of the PUBKEYMAN used to certify PUBKEYSM.

11.A. Recommended process to generate and publish PUBKEYMAN

The following process is RECOMMENDED:

- The SM Manufacturer selects a unique name MANUFACTURER (an IDENT).
- The Manufacturer uses an HSM to generate and store a unique ECDSA key pair (dMAN, QMAN) using the NIST P-384 domain parameters, in accordance with [ISO 14888-3], [FIPS PUB 186-3], [ANSI X9.62] and/or [SEC 1].
- The Manufacturer constructs a PKIDMAN with rectype “SMMAN.1”, UID “A”, and Serial the time at which dMAN was generated.
- The Manufacturer constructs a PUBKEYMAN with rectype “PK.ECDSA.1” and Subject PKIDMAN. Expiry is at most 3 years after the Serial. The Issuer is PKIDMAN and the Signature is generated using dMAN.
- On demand by any KMC, the Manufacturer sends to the KMC the PUBKEYMAN in record-in-email format (Appendix F).
- Operating under the principle of dual control, two KMC operators call the Manufacturer (by telephone) and confirm the Fingerprint in the PKIDMAN, then instruct their system to import and trust the PUBKEYMAN.

12. SM Initialisation

12.A. Prerequisites: SM

An SM SHALL have:

- A high quality entropy source that has been assessed using statistical tests from NIST SP800-22. The SM SHALL implement a continuous quality test on the output of the entropy source, for example by ensuring that adjacent blocks read from the source are distinct.
- A deterministic Random Bit Generator (RBG) seeded from the entropy source, with a security-strength of 192 bits or more.
  o The RBG SHALL comply with [ISO 18031], [NIST SP800-90], [ANSI X9.82] and/or [SEC 1].
- A real-time clock (RTC) for which the state is protected within the SM’s cryptographic boundary.
  o The RTC SHOULD NOT drift by more than 3 days over the documented lifetime or maintenance interval of the SM.
- Secure storage for sensitive data. All keys and sensitive data SHALL include integrity protection. Key separation and substitution prevention SHALL be assured (for example using techniques from [ISO 11568-2]).
- Keys and sensitive data may be stored using one of the following techniques:
  o Within the cryptographic boundary of the SM, in non-volatile memory that is erased on tamper, and SHALL include integrity protection (such as a checksum); OR
  o Authentically encrypted under a Storage Key that is securely stored using the previous technique.
- Tested implementations of all cryptographic primitives (section 9) required by this specification.
- An authentic copy of the NIST P-384 domain parameters.
- HWID (string of type IDENT), a hardware identifier that SHALL be composed of a MANUFACTURER, MODEL and REVISION.
- FWID (string of type IDENT), a firmware application and version identifier.
- UID (string of type IDENT), a unique hardware identifier or assigned soft identifier. Each device shall have a MANUFACTURER-unique UID, not merely a MODEL-unique UID. A model name or code can be used as a UID prefix to guarantee this.

An SM SHOULD comply with a recognised standard for cryptographic modules such as [ISO 19790], [FIPS PUB 140-2], or [PCI HSM]. The target security level or evaluation criteria for such compliance are beyond the scope of this document. The STSA SHOULD maintain a Code of Practice detailing the security requirements for an SM.

12.B. SM Initialisation and PUBKEY certification

Secure key agreement between an SM and a KMC – including authentication of the SM – requires that the SM contain secret information that is unique to the SM, and unknown and unpredictable to any person.

A Manufacturer SHALL have a documented process for SM initialisation and PUBKEY certification. The process SHALL be performed before an SM is delivered by the Manufacturer, and SHALL include at minimum:

- Complete the production of the SM, including loading firmware that has been produced by the STSA.
- In a physically secure facility and under dual control:
  o By means of physical inspection verify the integrity of all equipment to be used in this process.
  o Instruct the SM to generate a unique key pair (dSM, QSM) and to return the public key QSM.
  o Use the Manufacturer’s private key dMAN to certify the public key QSM, producing a PUBKEYSM certificate.
  o Ensure that QSM is protected against modification or substitution.
    - It SHALL NOT be impossible for any individual to cause a chosen public key QOP to be signed under the Manufacturer’s private key dMAN.
    - By implication the generation and certificate of QSM must be tightly coupled.

12.B.1. Recommended process to generate and certify PUBKEYSM

The following process is RECOMMENDED as a final step during manufacture of the SM:

- This process SHALL be performed under dual control.
- Perform a physical inspection of the SM to confirm that it is fully manufactured per specification and intact.
- Load into the SM firmware that has been approved by the STSA.
- Set the SM RTC to the current date and time (using a reliable clock).
- Instruct the SM to generate a unique PUBKEYSM-NOSIG. The SM SHALL:
  o Set Serial (type TIMESTAMP) to the current date according to the RTC.
  o Generate a unique ECDH key pair (dSM, QSM) using GENERATE-KEY().
    - dSM is known only to the SM and SHALL NOT be revealed to any other party (including the SM manufacturer) under any circumstances.
  o Set IDSM = BUILD-RECORD(“SMID.1”, 4, MANUFACTURER, UID, Serial, Fingerprint) where Fingerprint is computed from QSM and other fields as described for PKID (section 10.A).
  o Securely store dSM, QSM and IDSM. These values SHALL be stored within the cryptographic boundary in non-volatile memory that is erased on tamper, and SHALL include integrity protection (such as a checksum).
  o Set PUBKEYSM-NOSIG = BUILD-RECORD(“PK.ECDH.1”, 5, IDSM, QSMHEX, Expiry, ∅, ∅) where QSMHEX is encoded as described for PUBKEY (section 0). Expiry MAY be set to “99991231T115959Z”.
  o Return the unsigned PUBKEYSM-NOSIG.
- Instruct the Manufacturer’s HSM to sign the PUBKEYSM-NOSIG to create a certified PUBKEYSM.
  o The HSM SHALL require dual authentication of two trusted operators before performing the signature operation.
  o The HSM SHALL NOT create a signature if the Serial of PUBKEYSM-NOSIG is greater than the Expiry of PUBKEYMAN.
  o The HSM creates PUBKEYSM (based on PUBKEYSM-NOSIG), sets the Issuer to PKIDMAN, and generates the Signature using dMAN.
- Store PUBKEYSM, and discard PUBKEYSM-NOSIG.

12.C. SM PUBKEY publication

Whenever the association between an SM and a public key is created or modified – such as after SM manufacture or maintenance (section 7.B) or a suspected key compromise – the SM Manufacturer SHALL publish the updated association to all KMCs:

- To revoke a public key with replacement follow the SM Initialisation and PUBKEY certification process to create an updated PUBKEYSM.
- To revoke a public key without replacement construct and sign a PUBKEYSM with QSM = (0,0) (an invalid point).
- The Manufacturer adds each updated PUBKEYSM to a file-of-records (Appendix G).
- The file is sent to all KMCs (for example as an e-mail attachment).

13. KMC Initialisation

13.A. Prerequisites: KMC HSM

The KMC SHALL use a Hardware Security Module (HSM) to manage all keys and perform all cryptographic operations specified in this document.

- The HSM SHALL be certified to [FIPS PUB 140-2] Security Level 3 or higher, or to an equivalent evaluation level of a recognised standard for cryptographic modules such as [ISO 19790], or [PCI HSM].
- The STSA SHOULD maintain a Code of Practice detailing the security requirements for an HSM.

The HSM SHALL have:

- A high quality entropy source that has been assessed using statistical tests from NIST SP800-22. The HSM SHALL implement a continuous quality test on the output of the entropy source, for example by ensuring that adjacent blocks read from the source are distinct.
- A deterministic Random Bit Generator (RBG) seeded from the entropy source, with a security-strength of 192 bits or more.
  o The RBG SHALL comply with [ISO 18031], [NIST SP800-90], [ANSI X9.82] and/or [SEC 1].
- A real-time clock (RTC) for which the state is protected within the HSM’s cryptographic boundary.
- Secure storage for sensitive data. All keys and sensitive data SHALL include integrity protection. Key separation and substitution prevention SHALL be assured (for example using techniques from [ISO 11568-2]). See Prerequisites: SM (section 12.A) for permitted secure storage techniques.
- Tested implementations of all cryptographic primitives (section 9) required by this specification.
- An authentic copy of the NIST P-384 domain parameters.

13.B. Prerequisites: KMC

The KMC SHALL have:

- KMCID (string of type IDENT), a unique name or identifier.
  o The STSA SHOULD provide a registry service for KMC names.
- SWID (string of type IDENT), a software application and version identifier.
- A list of Approved HWID values. The KMC SHALL NOT negotiate a KEK with (or transfer Vending Keys to) an SM unless that SM’s HWID is in the Approved list.
- A list of Approved FWID values. The KMC SHALL NOT negotiate a KEK with (or transfer Vending Keys to) an SM unless that SM’s FWID is in the Approved list.

The STSA SHOULD maintain a Code of Practice detailing the requirements for approving SM hardware and firmware (based on the SM Prerequisites in section 12.A).

The STSA SHOULD provide a registry service for Approved HWID and FWID values.

13.C. KMC Setup

Prior to accepting Vending Key Load Requests from SMs, the KMC SHALL:

- Generate an asymmetric digital signature key pair for the purpose of establishing KEKs with SMs.
  o The key pair SHALL be an ECC CDH key pair using the NIST P-384 domain parameters and having a security-strength of at least 192 bits, and SHALL be generated using an RBG having equivalent (or stronger) security-strength.
  o The key pair SHALL be generated and managed with respect to the principles of split knowledge and dual control.
  o The secret key SHALL be protected by an HSM.
- The key pair SHALL have a lifespan (Originator Usage Period) of at most 3 years (consistent with [NIST SP800-57 PART 1]).
- The public key SHALL be published as an unsigned PUBKEY record (referred to as PUBKEYKMC; see section 0.) with record type “PK.ECDH.1”. The Expiry field SHALL reflect the end of the Originator Usage Period.
- A procedure to publish PUBKEYKMC SHALL be specified by KMC standards or operational documentation. Each recipient of the PUBKEYKMC SHALL check that the public key is not expired, and SHALL check the validity of the public key by manually confirming the public key’s fingerprint over an independent communication channel.
- When the KMC’s key pair expires, the KMC SHALL generate a new key pair and publish the public key in the manner prescribed by this section.

13.C.1. Recommended process to generate and publish PUBKEYKMC

The following process is RECOMMENDED:

- The KMC selects a unique name KMCID (an IDENT).
- The KMC uses an HSM to generate and store a unique ECDSA key pair (dKMC, QKMC) using the NIST P-384 domain parameters, in accordance with [ISO 14888-3], [FIPS PUB 186-3], [ANSI X9.62] and/or [SEC 1].
  o Generate a unique ECDH key pair (dKMC, QKMC) using GENERATE-KEY().
    - dKMC is known only to the KMC HSM and SHALL NOT be revealed to any other party under any circumstances.
- The KMC constructs a PKIDKMC with rectype “KMC.1”, Manufacturer set to SWID, UID set to KMCID, and Serial the time at which dKMC was generated.
  o Set Serial (type TIMESTAMP) to the current date according to the RTC.
  o Set IDKMC = BUILD-RECORD(“KMCID.1”, 4, SWID, KMCID, Serial, Fingerprint) where Fingerprint is computed from QKMC and other fields as described for PKID (section 10.A).
- The KMC constructs a PUBKEYKMC with rectype “PK.ECDH.1” and Subject PKIDKMC. Expiry is at most 3 years after the Serial. The Issuer and Signature are empty.
  o Compute the Expiry date of the key pair (dKMC, QKMC) as the Serial plus the Originator Usage Period (maximum 3 years).
  o Securely store dKMC, QKMC, Expiry and IDKMC. These values SHALL be in secure storage and SHALL include integrity protection.
  o Set PUBKEYKMC = BUILD-RECORD(“PK.ECDH.1”, 5, IDKMC, QKMCHEX, Expiry, ∅, ∅) where QKMCHEX is encoded as described for PUBKEY (section 0).
- On demand by any SM Operator (vendors or meter manufacturer), the KMC sends to the SM Operator the PUBKEYKMC in record-in-email format (Appendix F).
- The SM Operator confirms the Fingerprint in the PKIDKMC via a second channel (for example via the telephone or from the STSA website) then instructs their system to use the PUBKEYKMC in a Vending Key Load Request (section 14).

13.D. KMC operation

During operation the KMC will periodically receive updated information from SM Manufacturers and the STSA. Such updates SHALL be processed at the beginning of each day of operation, before processing Vending Key Load Requests. The integrity of the information SHALL be confirmed cryptographically or under dual control, and the information stored for future use.

13.D.1. SM Manufacturer PUBKEYMAN updates

When the KMC receives notification that an SM Manufacturer’s public key certificate PUBKEYMAN has been updated, the KMC should – with respect to the principle of dual control – verify the integrity and authenticity of the certificate then introduce it to the KMC HSM as a trusted certificate.

See the recommended process to generate and publish PUBKEYMAN (section 11.A).

13.D.2. Approved HWID & FWID list updates

The KMC may receive from the STSA updated lists of Approved HWIDs and/or Approved FWIDs. The format and validation of these lists is beyond the scope of this specification.

13.D.3. Supply Group management instructions

The KMC may receive from Supply Group owners (or prospective owners) requests to register Supply Groups, update registration details, generate Vending Keys, or permit Vending Keys to be sent to specific SMs (identified by MANUFACTURER and UID). The format and validation of such requests is beyond the scope of this specification.

13.D.4. SM PUBKEY updates

The KMC will periodically receive files from SM Manufacturers containing updated SM public key certificates (PUBKEYSM); see SM PUBKEY publication section 12.C.

The KMC SHALL validate each certificate using the KMC HSM and the Issuer’s public key (an SM Manufacturer’s PUBKEYMAN previously introduced as described in section 13.D.1). The KMC SHOULD check that each SM public key is unique. The certificate is stored in the KMC’s database indexed by MANUFACTURER and UID, replacing any existing entry for the same SM; the new certificate’s Serial should be greater than that of the existing certificate.

Page 35: STS Standard Transfer Specification - ced Key … Specifications/STS600-4-1...B. Abbreviation C. Symbols ..... y Managem. ... DSA key (dM ... on Algorithm in a revision has a higher

COP

PYRIGHT © 201

14. SMWhecreat

Input

Softw

SM fi

3, STS ASSOCIA

M Vendinn an SM reqte a Vending

t:

PUBKEYK

ware or SM f

Parse PUQKMCHEX

If parsingcause).

If Expiry expired”)

irmware pro

Input: ID If this

FAIL(“SM Set QKMC

On error

Parse IDK

and Finge

If parsing

Verify thFAIL(“SM

Retrieve

If the inte

Parse IDSerialSM a

If parsing

Verify thFAIL(“SM

Retrieve

If the inte

Use VALI

ATION.

ng Key Lquires vendin Key Load Re

MC

firmware pro

UBKEYKMC usand Expiry.

g fails then

is less than ).

ocess (error p

KMC, QKMCHEXprocess ha

M.1B: Load Re= Octet-Strin

FAIL(“SM.1B

KMC using PARerprintKMC. V

g fails then FA

e FingerprinM.1B: Bad PU

from secure

egrity check

SM using PAand Fingerpr

g fails then FA

he FingerprinM.1B: Bad SM

NIST P-384 d

egrity check

DATE-KEY(Q

Load Reqng keys fromequest.

ocess (error p

sing PARSE-R Verify types

FAIL(“SM.1A

the current

prefix “SM.1B

X. as completeequest speedng-to-Point(B

B: Bad PUBKE

RSE-RECORDVerify types o

AIL(“SM.1B:

ntKMC using thUBKEY_KMC:

e storage the

fails then FA

ARSE-RECORDrintSM. Verify

AIL(“SM.1B:

ntSM using thM keys: bad fi

domain para

fails the FAI

QKMC) to provi

quest m a KMC that

prefix “SM.1A

RECORD(“PKs of retrieved

A: Bad PUBK

time then F

B”):

ed successfd limit enforcBASE16-DEC

EY_KMC: inv

D(“KMCID.1”of retrieved f

Bad PUBKEY

he retrievedbad fingerpr

e values dSM,

AIL(“SM.1B: B

D(“SMID.1”,types of ret

Bad SM keys

he retrieved ingerprint in

ameters and

L(“SM.1B: Ba

ide assuranc

STS

t SM SHALL p

A” for softwa

KECDH.1”, 5,d fields.

KEY_KMC: fa

AIL(“SM.1A:

fully withinced; try againODE(QKMCHE

valid represen

, 4, IDKMC) tofields.

Y_KMC: faile

fields and Qrint in ID_KM

QSM and IDSM

Bad SM keys

4, IDSM) to rieved fields

s: failed to p

fields and QID_SM”).

check their i

ad SM keys:

ce of validity

600-4-1 Ed 1

perform the

are or “SM.1

, PUBKEYKMC

failed to par

: Bad PUBKE

n the last n in 60 seconEX))

ntation for p

o retrieve SW

d to parse ID

QKMC (see PKMC”).

M, and check

s: stored key

retrieve MA.

parse ID_SM;

QSM (see PK

integrity.

domain para

of the KMC’

following pr

1B” for firmw

C), to retriev

rse PUBKEY_

EY_KMC: cert

60 secondnds”).

public key Q_

WID, KMCID,

D_KMC;” ∥ ca

KID, section

their integri

integrity fail

ANUFACTUR

;” ∥ cause).

KID, section

ameters corr

s public key.

rocess to

ware):

ve IDKMC,

_KMC;” ∥

tificate is

ds then

_KMC”).

SerialKMC

ause).

10.A), or

ity.

lure”).

RER, UID,

10.A), or

rupt”).

If validation fails then FAIL(“SM.1B: Bad PUBKEY_KMC: public key Q_KMC failed full validation”).

Use VALIDATE-KEY(QSM) to provide assurance of validity of the SM’s public key.

If validation fails then FAIL(“SM.1B: Bad SM keys: public key Q_SM failed full validation”).

Check that the SM has the correct value for its private key: using domain parameters (q, FR, a, b, G, n, h) = NIST P-384, check that dSM is in the range [1, n-1] and if so compute QSM’ = dSM G (scalar multiplication of a point on an elliptic curve).

If dSM is out of range or QSM’ ≠ QSM then FAIL(“SM.1B: Bad SM keys: SM private/public key mismatch”).

Set TVPKMC to a TIMESTAMP the current time according to the SM’s RTC.

On error FAIL(“SM.1B: Error creating VKLOADREQ: RTC fault”).

Generate an ephemeral key pair (dE, QE) using GENERATE-KEY().

Set QESTR to Point-to-Octet-String(QE).

On error FAIL(“SM.1B: Error creating VKLOADREQ: ephemeral key generation fault”).

Set ZE = ECC-CDH(dE, QKMC) then zeroise dE.

On error zeroise dE and FAIL(“SM.1B: Error creating VKLOADREQ: ephemeral CDH fault”).

Set ZS = ECC-CDH(dSM, QKMC).

On error zeroise ZE and FAIL(“SM.1B: Error creating VKLOADREQ: static CDH fault”).

Set Z = ZE ∥ ZS then zeroise ZE and ZS.

Construct SharedInfo = LVCONCAT(“STS.KAA.1”, IDSM, IDKMC, TVPKMC).

Set DKM = KDF-X963-SHA-384(Z, SharedInfo, 384) then zeroise Z.

On error zeroise Z and FAIL(“SM.1B: Error creating VKLOADREQ: KDF fault”).

Set MacKey192 ∥ KEK192 = DKM384 then zeroise DKM. That is, take the leftmost 192 bits of DKM as MacKey, and the remaining 192 bits of DKM as KEK, then zeroise DKM.

Construct MacDataSM = LVCONCAT(“U_2”, IDSM, IDKMC, QESTR, TVPKMC, HWID, FWID ).

Then compute MacTagSM = HMAC-SHA-384-192(MacKey, MacDataSM).

On error zeroise MacKey and KEK, then FAIL(“SM.1B: Error creating VKLOADREQ: MacTag_SM generation fault”).

Construct MacDataKMC = LVCONCAT(“V2”, IDKMC, IDSM, TVPKMC, QESTR).

Then compute ExpMacTagKMC = HMAC-SHA-384-192(MacKey, MacDataKMC).

On error zeroise MacKey, KEK and MacTagSM, then FAIL(“SM.1B: Error creating VKLOADREQ: ExpMacTag_KMC generation fault”).

Set QEHEX (type 194H) = BASE16(QESTR)

Set MacTagSMHEX (type 48H) = BASE16(MacTagSM)

Construct the Vending Key Load Request: VKLOADREQSM = BUILD-RECORD(“VKLOAD.REQ.1”, 7, IDSM, IDKMC, TVPKMC, HWID, FWID, QEHEX, MacTagSMHEX). See also VKLOADREQ (section 0).

Securely store KEK, FingerprintKMC, TVPKMC, and ExpMacTagKMC. The KEK SHALL be flagged with a ‘pending’ status that prevents it from being used by the HSM until a valid VKLOADRESP is received. Storage SHALL include integrity protection. FingerprintKMC, TVPKMC, and ExpMacTagKMC will be used to verify the Key Load Response from the KMC.

Output VKLOADREQSM.

Software or manual process:

Log the Load Request to the software audit log (the log SHOULD NOT contain QEHEX, but SHOULD contain all other fields of VKLOADREQSM).

Send the Vending Key Load Request VKLOADREQSM to the KMC in record-in-email format (Appendix F).

15. KMC Vending Key Load Response

When a KMC receives a Vending Key Load Request (VKLOADREQ) from an SM, that KMC SHALL perform the following process to authenticate the SM, establish a shared KEK, and transfer Vending Keys to the SM.

Input:

KMCID and IDKMC (both known to the KMC)

VKLOADREQSM

Software process (error prefix “KMC.2A”):

Log the Load Request to the KMC audit log (the log SHOULD NOT contain QEHEX, but SHOULD contain all other fields of VKLOADREQSM).

Parse VKLOADREQSM using PARSE-RECORD(“VKLOAD.REQ.1”, 7, VKLOADREQSM) to retrieve REQ_IDSM, REQ_IDKMC, TVPKMC, HWID, FWID, QEHEX, and MacTagSMHEX. Verify types of retrieved fields.

If parsing fails then FAIL(“KMC.2A: Bad VKLOADREQ: failed to parse VKLOADREQ_SM;” ∥ cause).

Parse REQ_IDKMC using PARSE-RECORD(“KMCID.1”, 4, REQ_IDKMC) to retrieve REQ_KMCID. Verify types of retrieved fields.

If parsing fails then FAIL(“KMC.2A: Bad VKLOADREQ: failed to parse ID_KMC;” ∥ cause).

The Fingerprint of REQ_IDKMC is verified later by comparison against a known IDKMC.

If REQ_KMCID ≠ KMCID then FAIL(“KMC.2A: Bad VKLOADREQ: key load request sent to wrong KMC”).

If REQ_IDKMC ≠ IDKMC then FAIL(“KMC.2A: Bad VKLOADREQ: key load request used old PUBKEY_KMC”).

Parse REQ_IDSM using PARSE-RECORD(“SMID.1”, 4, IDSM) to retrieve MANUFACTURER, UID, and Serial. Verify types of retrieved fields.

If parsing fails then FAIL(“KMC.2A: Bad VKLOADREQ: failed to parse ID_SM;” ∥ cause).

The Fingerprint of REQ_IDSM is verified later by comparison against a known IDSM.

Find in the KMC database the PUBKEYSM and LastTVPKMC associated with MANUFACTURER and UID. This PUBKEYSM was securely distributed to the KMC by the SM Manufacturer.

If no matching PUBKEY is found then FAIL(“KMC.2A: KMC data out of date: no PUBKEY_SM found for SM; KMC may need update file from SM manufacturer”).

Parse PUBKEYSM using PARSE-RECORD(“PKECDH.1”, 5, PUBKEYSM), to retrieve IDSM and Issuer. Verify types of retrieved fields.

If parsing fails then FAIL(“KMC.2A: Error in KMC data: failed to parse PUBKEY_SM;” ∥ cause).

If REQ_IDSM ≠ IDSM then FAIL(“KMC.2A: KMC data out of date: mismatch between requesting ID_SM and database; KMC may have old PUBKEY_SM”).

Find in the KMC database the trusted PUBKEYMAN associated with the issuer. This PUBKEYMAN was distributed to the KMC by the SM Manufacturer and introduced to the KMC HSM under dual control (see sections 13.D.1 and 11.A).

If no matching PUBKEYMAN is found then FAIL(“KMC.2A: Error in KMC data: unknown Issuer for PUBKEY_SM; cannot validate certificate”).

If TVPKMC ≤ LastTVPKMC then FAIL(“KMC.2A: Bad VKLOADREQ: old timestamp (TVP) in VKLOADREQ_SM; possible out-of-order request or replay”).

The KMC SHOULD check that TVPKMC is within an acceptable window around the current time (according to the system clock). The window SHOULD be software configurable. A window of (now – 30 days) to (now + 3 days) is RECOMMENDED.

If TVPKMC is outside the acceptable window then FAIL(“KMC.2A: Bad VKLOADREQ: timestamp (TVP) outside acceptable window; possible delayed or future-dated request”).

If HWID is not in the list of Approved HWIDs then FAIL(“KMC.2A: Bad VKLOADREQ: SM hardware model not approved”).

If FWID is not in the list of Approved FWIDs then FAIL(“KMC.2A: Bad VKLOADREQ: SM firmware not approved”).

KMC HSM firmware process (error prefix “KMC.2B”):

Input: PUBKEYMAN, PUBKEYSM, IDKMC, TVPKMC, HWID, FWID, QEHEX, MacTagSMHEX.

Check types of inputs TVPKMC (TIMESTAMP), HWID (IDENT), FWID (IDENT), QEHEX (194H), and MacTagSMHEX (48H).

If type checking fails then FAIL(“KMC.2B: Bad VKLOADREQ: bad encoding in input;” ∥ cause).

Set QESTR = BASE16-DECODE(QEHEX).

Set QE = Octet-String-to-Point(QESTR).

If conversion fails then FAIL(“KMC.2B: Bad VKLOADREQ: bad representation for Q_E”).

Verify that PUBKEYMAN is a trusted certificate or FAIL(“KMC.2B: Error in KMC data: certificate PUBKEY_MAN is not trusted”).

Parse PUBKEYMAN using PARSE-RECORD(“PKECDSA.1”, 5, PUBKEYMAN), to retrieve IDMAN, QMANHEX and ExpiryMAN. Verify types of retrieved fields.

If parsing fails then FAIL(“KMC.2B: Error in KMC data: failed to parse PUBKEY_MAN;” ∥ cause).

Set QMAN = Octet-String-to-Point(BASE16-DECODE(QMANHEX)).

If conversion fails then FAIL(“KMC.2B: Error in KMC data: bad representation for Q_MAN”).

Parse IDMAN using PARSE-RECORD(“SMMAN.1”, 4, IDMAN) to retrieve Fingerprint and other fields. Verify types of retrieved fields.

If parsing fails then FAIL(“KMC.2B: Error in KMC data: failed to parse ID_MAN;” ∥ cause).

Verify the Fingerprint using the retrieved fields and QMAN (see PKID, section 10.A), or FAIL(“KMC.2B: Error in KMC data: bad fingerprint in ID_MAN”).

Parse PUBKEYSM using PARSE-RECORD(“PKECDH.1”, 5, PUBKEYSM), to retrieve IDSM, QSMHEX, ExpirySM, Issuer and Signature. Verify types of retrieved fields.

If parsing fails then FAIL(“KMC.2B: Error in KMC data: failed to parse PUBKEY_SM;” ∥ cause).

Set QSM = Octet-String-to-Point(BASE16-DECODE(QSMHEX)).

If conversion fails then FAIL(“KMC.2B: Error in KMC data: bad representation for Q_SM”).

Parse IDSM using PARSE-RECORD(“SMID.1”, 4, IDSM) to retrieve SerialSM, Fingerprint and other fields. Verify types of retrieved fields.

If parsing fails then FAIL(“KMC.2B: Error in KMC data: failed to parse ID_SM;” ∥ cause).

Verify the Fingerprint using the retrieved fields and QSM (see PKID, section 10.A), or FAIL(“KMC.2B: Error in KMC data: bad fingerprint in ID_SM”).

If Issuer ≠ IDMAN then FAIL(“KMC.2B: Error verifying VKLOADREQ: cannot verify SM certificate; wrong Issuer key presented”).

If SerialSM > ExpiryMAN then FAIL(“KMC.2B: Error verifying VKLOADREQ: invalid SM certificate; Serial postdates Issuer expiry”).

If ExpirySM is less than the current time (from the HSM RTC) then FAIL(“KMC.2B: Error verifying VKLOADREQ: SM certificate is expired”).

Retrieve from secure storage the values dKMC, QKMC, ExpiryKMC and IDKMC, and check their integrity.

If the integrity check fails then FAIL(“KMC.2B: Bad KMC keys: stored key integrity failure”).

If ExpiryKMC is less than the current time (from the HSM RTC) then FAIL(“KMC.2B: Bad KMC keys: PUBKEY_KMC has expired”).

Parse IDKMC using PARSE-RECORD(“KMCID.1”, 4, IDKMC) to retrieve SWID, KMCID, Serial and Fingerprint. Verify types of retrieved fields.

If parsing fails then FAIL(“KMC.2B: Bad KMC keys: failed to parse ID_KMC;” ∥ cause).

Verify the Fingerprint using the retrieved fields and QKMC (see PKID, section 10.A), or FAIL(“KMC.2B: Bad KMC keys: bad fingerprint in ID_KMC”).

Retrieve NIST P-384 domain parameters and check their integrity.

If the integrity check fails then FAIL(“KMC.2B: Bad KMC keys: domain parameters corrupt”).

Use VALIDATE-KEY(QMAN) to provide assurance of validity of the SM Manufacturer’s public key.

If validation fails then FAIL(“KMC.2B: Error in KMC data: public key Q_MAN failed full validation”).

Verify Signature of PUBKEYSM using QMAN as described in section 10.B.

If Signature is invalid then FAIL(“KMC.2B: Error verifying VKLOADREQ: invalid signature on SM certificate”).

Use VALIDATE-KEY(QSM) to provide assurance of validity of the SM’s public key.

If validation fails then FAIL(“KMC.2B: Error in KMC data: public key Q_SM failed full validation”).

Use VALIDATE-KEY(QKMC) to provide assurance of validity of the KMC’s public key.

If validation fails then FAIL(“KMC.2B: Bad KMC keys: public key Q_KMC failed full validation”).

Check that the KMC has the correct value for its private key: using domain parameters (q, FR, a, b, G, n, h) = NIST P-384, check that dKMC is in the range [1, n-1] and if so compute QKMC’ = dKMC G (scalar multiplication of a point on an elliptic curve).

If dKMC is out of range or QKMC’ ≠ QKMC then FAIL(“KMC.2B: Bad KMC keys: KMC private/public key mismatch”).

Use VALIDATE-KEY(QE) to provide assurance of validity of the SM’s ephemeral public key.

If validation fails then FAIL(“KMC.2B: Error verifying VKLOADREQ: public key Q_E failed full validation”).

Set ZE = ECC-CDH(dKMC, QE).

On error FAIL(“KMC.2B: Error verifying VKLOADREQ: ephemeral CDH fault”).

Set ZS = ECC-CDH(dKMC, QSM).

On error zeroise ZE and FAIL(“KMC.2B: Error verifying VKLOADREQ: static CDH fault”).

Set Z = ZE ∥ ZS then zeroise ZE and ZS.

Construct SharedInfo = LVCONCAT(“STS.KAA.1”, IDSM, IDKMC, TVPKMC).

Set DKM = KDF-X963-SHA-384(Z, SharedInfo, 384) then zeroise Z.

On error zeroise Z and FAIL(“KMC.2B: Error verifying VKLOADREQ: KDF fault”).

Set MacKey192 ∥ KEK192 = DKM384 then zeroise DKM. That is, take the leftmost 192 bits of DKM as MacKey, and the remaining 192 bits of DKM as KEK, then zeroise DKM.

Construct MacDataSM = LVCONCAT(“U_2”, IDSM, IDKMC, QESTR, TVPKMC, HWID, FWID ).

Then compute ExpMacTagSM = HMAC-SHA-384-192(MacKey, MacDataSM).

On error zeroise MacKey and KEK, then FAIL(“KMC.2B: Error verifying VKLOADREQ: ExpMacTag_SM generation fault”).

If MacTagSMHEX ≠ BASE16(ExpMacTagSM) then zeroise MacKey and KEK, and FAIL(“KMC.2B: Bad VKLOADREQ: bad key confirmation from SM”).

Construct MacDataKMC = LVCONCAT(“V2”, IDKMC, IDSM, TVPKMC, QESTR).

Then compute MacTagKMC = HMAC-SHA-384-192(MacKey, MacDataKMC).

On error zeroise MacKey, KEK and MacTagSM, then FAIL(“KMC.2B: Error creating VKLOADRESP: MacTag_KMC generation fault”).

Set MacTagKMCHEX (type 48H) = BASE16(MacTagKMC)

Construct the Vending Key Load Response: VKLOADRESPKMC = BUILD-RECORD(“VKLOAD.RESP.1”, 4, IDKMC, IDSM, TVPKMC, MacTagKMCHEX).

Securely store KEK. KEK will be used to wrap Vending Keys for transfer to the SM.

Output VKLOADRESPKMC.

Mixed software and SM firmware process (error prefix “KMC.2C” for software or “KMC.2D” for firmware):

Store TVPKMC as LastTVPKMC associated with SM MANUFACTURER and UID, or FAIL(“KMC.2C: Error creating VKLOADRESP: LAST_TVP_KMC storage error” ∥ cause).

Create a Key Load File as a file-of-records (Appendix G), and add the VKLOADRESPKMC as the first record.

Find all Vending Keys authorised for use with the SM (by MANUFACTURER and UID).

For each authorised vending key VK:

o Use the KMC HSM to build a WRAPPED-KEY record (section 10.E) – protected by the KEK – for the VK and associated attributes.

   For a given KEK, the KMC HSM SHALL ensure that all WRAPPED-KEY records have distinct Nonces.

   Errors raised during this process SHOULD use the error prefix “KMC.2D”.

o Append the WRAPPED-KEY to the Key Load File.

o Update the KMC database and audit log to reflect the distribution of the VK to the SM (identified by MANUFACTURER and UID).

Log the Load Response to the KMC audit log (the log SHOULD contain all fields of VKLOADRESPKMC).

Send the Key Load File to the SM (for example as an e-mail attachment).

16. SM KEK Confirmation and Vending Key Import

When an SM receives a Vending Key Load Response (VKLOADRESP) from a KMC, that SM SHALL perform the following process to authenticate the KMC, confirm the shared KEK, and import the Vending Keys to the SM.

Input:

Key Load File (file-of-records) containing VKLOADRESPKMC and zero or more WRAPPED-KEY records.

Mixed software and SM firmware process (error prefix “SM.3A” for software or “SM.3B” for firmware):

Parse Key Load File to recover VKLOADRESPKMC and WRAPPED-KEY records.

If parsing fails or if the file checksum is incorrect then FAIL(“SM.3A: Bad Key Load File;” ∥ cause).

The SM SHALL perform the following process to finish establishing the KEK:

o Input: VKLOADRESPKMC.

o Retrieve from secure storage the values KEK, FingerprintKMC, TVPKMC, and ExpMacTagKMC (all stored while generating the VKLOADREQSM, section 14) and check their integrity.

   If the integrity check fails then FAIL(“SM.3B: Error verifying VKLOADRESP: key agreement session integrity failure”).

o Set NOW to the current time according to the SM’s RTC.

o If TVPKMC < (NOW – 60 days) then FAIL(“SM.3B: Error verifying VKLOADRESP: key agreement session timeout”).

o Parse VKLOADRESPKMC using PARSE-RECORD(“VKLOAD.RESP.1”, 4, VKLOADRESPKMC), to retrieve RESP_IDKMC, RESP_IDSM, RESP_TVPKMC and MacTagKMCHEX. Verify types of retrieved fields.

   If parsing fails then FAIL(“SM.3B: Bad VKLOADRESP: failed to parse VKLOADRESP_KMC;” ∥ cause).

o Parse IDKMC using PARSE-RECORD(“KMCID.1”, 4, IDKMC) to retrieve RESP_FingerprintKMC. Verify types of retrieved fields.

   If parsing fails then FAIL(“SM.3B: Bad VKLOADRESP: failed to parse ID_KMC;” ∥ cause).

o Retrieve from secure storage the IDSM, and check its integrity.

   If the integrity check fails then FAIL(“SM.3B: Bad SM keys: stored key integrity failure”).

o If RESP_IDSM ≠ IDSM then FAIL(“SM.3B: Destination error: VKLOADRESP_KMC is for a different SM”).

o If RESP_FingerprintKMC ≠ FingerprintKMC then FAIL(“SM.3B: Destination error: VKLOADRESP_KMC is for a different key agreement session (with a different KMC)”).

   This partial check on IDKMC is not required for protocol security – its presence helps to identify and correct some Vending Key Load Response management errors.

o If RESP_TVPKMC ≠ TVPKMC then FAIL(“SM.3B: Bad VKLOADRESP: wrong timestamp (TVP) in VKLOADRESP_KMC; possible expired or out-of-order response”).

o If MacTagKMCHEX ≠ BASE16(ExpMacTagKMC) then FAIL(“SM.3B: Bad VKLOADRESP: bad key confirmation from KMC”).

o Zeroise TVPKMC and ExpMacTagKMC from secure storage.

   Update the KEK status flag to indicate that the KEK may be used.

   IDKMC or elements thereof are not security sensitive and may be retained.

o Output a success indicator.

For each such Vending Key required by the SM Operator, the protected Vending Key (a WRAPPED-KEY record) SHALL be imported into the SM:

o The WRAPPED-KEY record may be parsed by software or by the SM.

o The SM SHALL use AES-192-CCMDEC(KEK, Nonce, Attributes, ProtectedKey) to verify the integrity of the Vending Key and Attributes and to decrypt the Vending Key.

o The SM SHALL protect the cleartext value of the Vending Key and SHALL ensure that this value is not exposed outside the cryptographic boundary under any circumstances.

o The SM SHALL protect the association between the Vending Key and its Attributes, and SHALL ensure that Attributes are not substituted or modified.

o The SM SHALL securely store the Vending Key and associated Attributes. See Prerequisites: SM (section 12.A) for permitted secure storage techniques.

Once all required Vending Keys have been imported the SM Operator or operating software SHALL instruct the SM that key transfer is complete:

o The SM SHALL zeroise the KEK, preventing further WRAPPED-KEYs from being imported.

o The SM MAY retain IDKMC or elements thereof to assist in Vending Key management.

17. End-of-life and key compromise procedures

When any participating entity in the STS Key Management infrastructure reaches end-of-life, or the secret key material of that entity is compromised or suspected to be compromised, certain actions must be taken to ensure the integrity of the Key Management System.

This section details the essential aspects of end-of-life and key compromise procedures for various entities. All SM Manufacturers and KMCs SHALL have documented procedures for handling end-of-life and key compromise. Such procedures SHALL include at minimum the relevant actions specified in this section. KMCs SHALL require SM Operators to follow documented SM procedures as a condition of service.

17.A. SM Manufacturer

17.A.1. End-of-life

The SM Manufacturer SHALL destroy its private ECDSA key dMAN.

The Manufacturer SHALL notify the STSA and all KMCs that it will not be producing further SMs.

KMCs SHALL NOT accept further PUBKEYSM updates from the SM Manufacturer.

There is no need to revoke the Manufacturer’s public key certificate PUBKEYMAN – existing SMs can continue to establish KEKs with the KMC until they reach end-of-life or the Manufacturer’s private ECDSA key dMAN is compromised.

17.A.2. Storage Master Key (SMK) or private ECDSA key (dMAN) compromise

The SM Manufacturer MAY create a self-signed key revocation certificate using its private ECDSA key dMAN. The details of such a revocation certificate are beyond the scope of this document.

The Manufacturer SHALL destroy its private ECDSA key dMAN.

The Manufacturer SHALL notify the STSA of the (suspected) key compromise.

The Manufacturer SHALL notify all KMCs that they can no longer trust the certificate PUBKEYMAN. KMCs SHALL revoke trust in the certificate.

The Manufacturer SHALL follow the Manufacturer Setup process (section 11) to generate and distribute a new PUBKEYMAN-NEW.

The Manufacturer SHALL investigate the integrity of its database of PUBKEYSM certificates and SHALL publish new certificates (signed by the Manufacturer’s new private key) for those PUBKEYSM records found to be trustworthy (that is, existing certificates will be re-signed).

17.B. SM

17.B.1. End-of-life

The SM Operator SHALL follow the documented Manufacturer procedure to destroy all secret data in the SM.

The SM Operator SHALL notify the SM Manufacturer (possibly via a KMC) that the SM has been decommissioned.

The SM Manufacturer SHALL publish a suitable revocation certificate to all KMCs. See SM PUBKEY publication (section 12.C).

17.B.2. Private ECC CDH key (dSM) compromise

The SM Operator SHALL follow the documented Manufacturer procedure to destroy all secret data in the SM.

The Operator SHALL decommission the SM (see 17.B.1) or return the SM to the Manufacturer for maintenance.

The Operator SHALL notify all KMCs of the compromise, and SHALL include logs of legitimate Vending Key Load Requests sent by the SM (at minimum logs of all Load Requests since the suspected date of compromise).

All affected KMCs SHALL review their audit logs in conjunction with the logs of legitimate Load Requests supplied by the SM Operator to determine if unauthorised Vending Key Load Requests have been processed.

o If unauthorised requests have been processed then the KMC(s) SHALL identify the affected Vending Keys and treat them as compromised (see 17.B.3).

o If no unauthorised requests have been processed then no further action is required. The secrecy of Vending Keys is still protected by the SM’s cryptographic boundary and the forward secrecy property of the KEK agreement protocol.

17.B.3. Storage Master Key (SMK) or Vending Key (VK) compromise

The SM Operator SHALL determine the originating KMCs of the compromised VK(s).

The SM Operator SHALL notify the STSA and originating KMCs of the compromise.

KMCs SHALL proceed according to their procedures for VK compromise (section 17.C.2).

17.C. KMC

17.C.1. End-of-life

The KMC SHALL notify the STSA and all SM Manufacturers that it will be ceasing operation.

The KMC SHALL send a notice to all SM Operators that use its services. Operators SHOULD NOT make further use of the KMC’s certificate PUBKEYKMC.

The KMC SHALL send a notice to all SG Owners that rely on its services. It will be necessary to migrate Supply Group keys and data to another KMC. The details of such a migration are beyond the scope of this document.

The KMC SHALL destroy its private ECC CDH key dKMC, its Storage Master Key (SMK), all key components and key backups, and all data backups.

17.C.2. Key compromise

The compromise or suspected compromise of keys protected by or used by the KMC has a broad impact on the STS Key Management infrastructure, and is beyond the scope of this document.

KMC standards SHALL specify procedures or procedural requirements to handle the event in which any of the following keys are compromised or suspected to be compromised:

The KMC’s ECC CDH private key (dKMC);

The KMC’s Storage Master Key (SMK) or any component thereof;

One or more Vending Keys (VKs) for Supply Groups served by the KMC.

Such procedures SHALL include notification of the STSA, affected SG Owners, and affected SM Operators.

A. Normative References

[FIPS PUB 186-3] Digital Signature Standard (DSS), June 2009
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf

[IEC 62055-41] IEC 62055-41:2007 Electricity metering -- Payment systems -- Part 41: Standard transfer specification (STS) -- Application layer protocol for one-way token carrier systems

[ISO 8601] ISO 8601:2004 Data elements and interchange formats – Information interchange – Representation of dates and times

[ISO 10118-3] ISO/IEC 10118-3:2004 Information technology -- Security techniques -- Hash-functions -- Part 3: Dedicated hash-functions

[ISO 11770-3] ISO/IEC 11770-3:2008 Information technology -- Security techniques -- Key management -- Part 3: Mechanisms using asymmetric techniques

[ISO 14888-3] ISO/IEC 14888-3:2006 Information technology -- Security techniques -- Digital signatures with appendix -- Part 3: Discrete logarithm based mechanisms

[ISO 15946-1] ISO/IEC 15946-1:2008 Information technology -- Security techniques -- Cryptographic techniques based on elliptic curves -- Part 1: General

[ISO 18033-2] ISO/IEC 18033-2:2006 Information technology – Security techniques – Encryption algorithms – Part 2: Asymmetric ciphers

[ISO 18033-3] ISO/IEC 18033-3:2010 Information technology -- Security techniques -- Encryption algorithms -- Part 3: Block ciphers

[ISO 19772] ISO/IEC 19772:2009 Information technology -- Security techniques -- Authenticated encryption

[ISO 9797-2] ISO/IEC 9797-2:2011 Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 2: Mechanisms using a dedicated hash-function

[NIST SP800-56A] NIST Special Publication 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007
http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf

[NIST SP800-108] NIST Special Publication 800-108 Recommendation for Key Derivation Using Pseudorandom Functions, October 2009
http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf

[RFC 4648] The Base16, Base32, and Base64 Data Encodings, October 2006
http://tools.ietf.org/html/rfc4648#section-8

B. Bibliography

[ANSI X9.62] ANSI X9.62-2005 Public Key Cryptography for the Financial Services Industry -- The Elliptic Curve Digital Signature Algorithm (ECDSA)

[ANSI X9.63] X9.63-2001 Public Key Cryptography for the Financial Services Industry -- Key Agreement and Key Transport Using Elliptic Curve Cryptography

[ANSI X9.82] ANSI X9.82-1:2006 Random Number Generation -- Part 3: Deterministic Random Bit Generator Mechanisms

[ANSI X9.102] ANSI X9.102:2008 Symmetric Key Cryptography For the Financial Services Industry – Wrapping of Keys and Associated Data, June 2008.

[CM10] Chen & Mitchell, “Parsing ambiguities in authentication and key establishment protocols”, 2010

[CRC-CAT] CRC RevEng: Catalogue of parametrised CRC algorithms (MODBUS) http://reveng.sourceforge.net/crc-catalogue/16.htm#crc.cat.modbus

[FIPS PUB 140-2] Security Requirements for Cryptographic Modules, May 2001 http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

[FIPS PUB 180-4] Secure Hash Standard (SHS), March 2012 http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf

[FIPS PUB 197] Advanced Encryption Standard (AES), November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

[FIPS PUB 198-1] The Keyed-Hash Message Authentication Code (HMAC), July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf

[ISO 9798-4] ISO/IEC 9798-4:1999 Information technology – Security techniques – Entity authentication – Part 4: Mechanisms using a cryptographic check function

[ISO 10116] ISO/IEC 10116:2006 Information technology -- Security techniques -- Modes of operation for an n-bit block cipher

[ISO 11568-2] ISO 11568-2:2005 Banking -- Key management (retail) -- Part 2: Symmetric ciphers, their key management and life cycle

[ISO 11770-2] ISO/IEC 11770-2:2007 Information technology -- Security techniques -- Key management -- Part 2: Mechanisms using symmetric techniques

[ISO/TR 14742] ISO/TR 14742:2010 Financial services – Recommendations on cryptographic algorithms and their use, July 2010

[ISO 18031] ISO/IEC 18031:2011 Information technology -- Security techniques -- Random bit generation

[ISO 19790] ISO/IEC 19790:2012 Information technology -- Security techniques -- Security requirements for cryptographic modules

[ITU X.680] Information technology -- Abstract Syntax Notation One (ASN.1): Specification of basic notation, July 2002 http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf

[Lammert] On-line CRC calculation and free library http://www.lammertbies.nl/comm/info/crc-calculation.html

[NIST SP800-38C] NIST Special Publication 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality, July 2007 http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf

[NIST SP800-57 Part 1] NIST Special Publication 800-57 Recommendation for Key Management – Part 1: General (Revised), March 2007

[NIST SP800-90] NIST Special Publication 800-90 Recommendation for Random Number Generation Using Deterministic Random Bit Generators, January 2012 http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf

[NIST SP800-131A] NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, January 2011

[NIST SP800-152 DRAFT] Requirements and Desirable Features of U.S. Federal Cryptographic Key Management Systems, DRAFT August 2012

[NISTIR 7628] Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010

[PCI HSM] Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Security Requirements, Version 2.0, May 2012

[POSIX RE] Wikipedia: Regular expression (POSIX) http://en.wikipedia.org/wiki/Regular_expression#POSIX

[RFC 2104] HMAC: Keyed-Hashing for Message Authentication, February 1997 http://www.ietf.org/rfc/rfc2104.txt

[RFC 2119] Key words for use in RFCs to Indicate Requirement Levels, March 1997 http://www.ietf.org/rfc/rfc2119.txt

[RFC 2144] The CAST-128 Encryption Algorithm, May 1997 http://www.ietf.org/rfc/rfc2144.txt

[RFC 2994] A Description of the MISTY1 Encryption Algorithm, November 2000 http://tools.ietf.org/html/rfc2994

[RFC 3610] Counter with CBC-MAC (CCM), September 2003 http://www.ietf.org/rfc/rfc3610.txt

[RFC 4648] The Base16, Base32, and Base64 Data Encodings, October 2006 http://tools.ietf.org/html/rfc4648#section-8

[RFC 5869] HMAC-based Extract-and-Expand Key Derivation Function (HKDF), May 2010 http://tools.ietf.org/html/rfc5869

[ROCKSOFT] A PAINLESS GUIDE TO CRC ERROR DETECTION ALGORITHMS, August 1993 http://www.ross.net/crc/download/crc_v3.txt

[SANS 1524-10] SANS 1524-6-10:2010 Electricity payment systems -- Part 6-10: Interface standards -- Online vending server -- Vending clients

[SEC 1] SEC1: Elliptic Curve Cryptography version 2.0, May 2009 http://www.secg.org/download/aid-780/sec1-v2.pdf

[SEC 2] SEC 2: Recommended Elliptic Curve Domain Parameters version 2.0, January 2010 http://www.secg.org/download/aid-784/sec2-v2.pdf

[STS COP 402-1] STS COP 402-1:2011 Standard Transfer Specification (STS) -- CODE OF PRACTICE FOR THE MANAGEMENT OF TOKEN ID ROLLOVER

[W:ASC] Wikipedia: ASCII http://en.wikipedia.org/wiki/ASCII

[W:BCD] Wikipedia: Binary-coded decimal http://en.wikipedia.org/wiki/Binary-coded_decimal

[W:CERT] Wikipedia: Public key certificate http://en.wikipedia.org/wiki/Public_key_certificate

[W:EBNF] Wikipedia: Extended Backus-Naur Form http://en.wikipedia.org/wiki/Extended_Backus%E2%80%93Naur_Form

[W:END] Wikipedia: Endianness http://en.wikipedia.org/wiki/Endianness

[W:HEX] Wikipedia: Hexadecimal http://en.wikipedia.org/wiki/Hexadecimal

[W:LEX] Wikipedia: Lexicographical order http://en.wikipedia.org/wiki/Lexicographical_order

[W:OCT] Wikipedia: Octet http://en.wikipedia.org/wiki/Octet_(computing)

[W:SHA-1] Wikipedia: SHA-1 http://en.wikipedia.org/wiki/SHA-1

C. Vending Key attributes

The following table defines the attribute card names – and encoding of corresponding values – that may appear in the Attributes field of a WRAPPED-KEY record (section 10.E).

An Attributes field SHALL contain all cards (names) for which the Presence is indicated as “Required”, and MAY contain any names for which the Presence is “Optional”. The field SHOULD NOT contain names other than those defined in this Appendix.

Name | Content type | Presence | Description
ACT | TIMESTAMP | Required | Activation Time: the date and time at which this Vending Key becomes active for the SGC. Legacy KMC practice and [SANS 1524-10] use the activation time (also known as “EffectiveDate”) to select the current Vending Key for a supply group: the current key is the one with the most recent Activation Time (that is, the highest Activation Time that is in the past).
BDT | TIMESTAMP | Required | Base Date: the date associated with a TID value of zero, as specified in [STS COP 402-1].
DKG | 2D | Required | Decoder Key Generation Algorithm from [IEC 62055-41] section 6.1.4.
IUT | TIMESTAMP | Optional | Issued Until: a date and time after which the SM will prevent the key from being used for token encryption.
KEN | 3D | Required | Key Expiry Number from [IEC 62055-41] section 6.1.10. The KEN must be in the range 0-255 and is interpreted relative to the Base Date (BDT).
KRN | 1D | Required | Key Revision Number from [IEC 62055-41] section 6.1.10.
KTC | 1D | Required | Key Type (KT) code from [IEC 62055-41] Table 24 (section 6.5.2.2.1), indicating whether the key is a VUDK, VCDK or VDDK.
SGC | 10D | Required | Supply Group Code from [IEC 62055-41] section 6.1.6. This specification requires 10-digit SGCs; left-pad shorter SGCs with zero characters (“0”) to make them 10 digits long.
SGN | 1-99P | Optional | Supply Group Name, a human-readable name for the supply group.

D. Encryption Algorithms for IEC 62055-41

The algorithms in this Appendix are recommended for inclusion in [IEC 62055-41] as Encryption Algorithms (Table 7, section 6.1.5). These algorithms meet the security target of 128 bits.

The algorithms have been chosen to meet the requirements of the Encryption Algorithm (EA) element of the STS Application Protocol Data Unit (APDU) as defined in [IEC 62055-41]; in particular this limits the choice to 64-bit Block Ciphers and precludes the popular AES algorithm. Any future revision of the Token Carrier Data Unit (TCDU) in [IEC 62055-41] SHOULD consider the use of AES (in an appropriate mode of operation) to protect the token.

D.1. CAST-128 (EA=12)

The CAST-128 block cipher, as specified in [ISO 18033-3] (NORMATIVE) and [RFC 2144].

Function description:

- CAST-128ENC(K, plaintext) enciphers the 64-bit input plaintext using the 128-bit key K, and outputs the ciphertext.

- CAST-128DEC(K, ciphertext) deciphers the 64-bit input ciphertext using the 128-bit key K, and outputs the plaintext.

Intellectual Property Notice: The design procedure that was used to obtain the CAST S-boxes is patented by Entrust Technologies, Inc. However, [RFC 2144] states: “The CAST-128 cipher described in this document is available worldwide on a royalty-free basis for commercial and non-commercial uses.”

D.2. MISTY1 (EA=11)

The MISTY1 block cipher, as specified in [ISO 18033-3] (NORMATIVE).

Function description:

- MISTY1ENC(K, plaintext) enciphers the 64-bit input plaintext using the 128-bit key K, and outputs the ciphertext.

- MISTY1DEC(K, ciphertext) deciphers the 64-bit input ciphertext using the 128-bit key K, and outputs the plaintext.

Intellectual Property Notice: Mitsubishi Electric Corporation has asserted that its patent PCT/JP96/02154 covers the MISTY1 algorithm described in [RFC 2994]. Mitsubishi has offered a royalty-free license on non-discriminatory terms subject to reciprocity; the license must be obtained in writing. More information is available from:

http://www.ietf.org/ietf-ftp/IPR/MITSUBISHI-MISTY

http://www.mitsubishielectric.com/company/rd/ip/patent/index.html

E. Decoder Key Generation Algorithm for IEC 62055-41

The following algorithm and associated cryptographic primitive are recommended for inclusion in [IEC 62055-41] as a Decoder Key Generation Algorithm (Table 6, section 6.1.4). This algorithm exceeds the security target of 128 bits.

E.1. HMAC-DKGA (DKGA=04)

Function description:

HMAC-DKGA(VK, SGC, KT, KRN, MeterPAN, EA, TI) outputs a Decoder Key (DK) for the given MeterPAN and TI, that is derived from the Vending Key (VK) for the SGC (with type KT and revision KRN), and which is suitable for use with EA.

Process:

- Set Label = BCD( DKGA2D = “04” | EA2D | TI2D ).
- Set Context = BCD( SGC10D | KT1D | KRN1D | MeterPAN18D ).
- Set OtherInfo = LVCONCAT(Label, “”, Context).
- Set keydatalen according to the key size requirement of EA.
- Set DK = KDF108-Feedback-HMAC-SHA-384(VK, OtherInfo, keydatalen).
- Post-process DK according to the key format requirements of EA (for example EA=09 is DEA which requires an odd-parity key).
- Output DK.

E.2. KDF108-Feedback-HMAC-SHA-384

The KDF in Feedback Mode specified in section 5.2 of [NIST SP800-108] (NORMATIVE), using the HMAC-SHA-384 (section 9.C) pseudorandom function (PRF).

This specification requires that the IV SHALL be empty, an iteration counter SHALL NOT be used, the length |L| of field L (a representation of keydatalen) SHALL be 32 bits, and the bit string representation of any numeric value SHALL be big endian.

Within the scope of this specification KDF108-Feedback-HMAC-SHA-384 is only used with a key of less than 1024 bits, and keydatalen ≤ 192 bits. The implementation given below has been simplified accordingly.

Function description:

KDF108-Feedback-HMAC-SHA-384(K, OtherInfo, keydatalen) outputs a keydatalen-bit key derived from K and OtherInfo.

Input:

- K, a secret key (as an octet string).
- OtherInfo, a non-empty octet string of non-secret data.
- keydatalen, an integer giving the length in bits of keying data to be generated.

Process:

- Ensure that K is an octet string of less than 128 octets or FAIL.
- Ensure that OtherInfo is an octet string of less than (210-136) octets or FAIL.
- Ensure that keydatalen is less than 192 bits AND keydatalen ≤ BitLength(K) or FAIL.
- Set L to a 32-bit big-endian bit string representation of keydatalen.
- Compute K1 = HMAC-SHA-384-192( K, OtherInfo ∥ L ).
- Output the leftmost keydatalen bits of K1.
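The E.2 process can be followed step by step in code. The sketch below is an added example, not code from the specification. It assumes that HMAC-SHA-384-192 is HMAC-SHA-384 truncated to its leftmost 192 bits (the RFC 4868 meaning of the name; section 9.C is not part of this excerpt) and that BitLength(K) is eight times the octet length of K. The key and OtherInfo values are constructed samples.

```python
import hashlib
import hmac

MAX_KEYDATALEN_BITS = 192  # one HMAC-SHA-384-192 output block


class KdfError(ValueError):
    """Raised wherever the process in E.2 says FAIL."""


def hmac_sha384_192(key: bytes, text: bytes) -> bytes:
    # Assumption: HMAC-SHA-384 truncated to its leftmost 192 bits (24 octets),
    # which is what the name denotes in RFC 4868.
    return hmac.new(key, text, hashlib.sha384).digest()[:24]


def leftmost_bits(data: bytes, nbits: int) -> bytes:
    """Leftmost nbits of data; unused low bits of the last octet are zeroed."""
    nbytes = (nbits + 7) // 8
    out = bytearray(data[:nbytes])
    spare = nbytes * 8 - nbits
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def kdf108_feedback_hmac_sha384(k: bytes, other_info: bytes, keydatalen: int) -> bytes:
    """Single-iteration feedback-mode KDF: empty IV, no counter, 32-bit L."""
    # Step 1: K must be an octet string of less than 128 octets.
    if len(k) >= 128:
        raise KdfError("K must be shorter than 128 octets")
    # Step 2: OtherInfo must be non-empty. The upper bound on its length is
    # not legible in this copy of the page, so it is not enforced here.
    if not other_info:
        raise KdfError("OtherInfo must be non-empty")
    # Step 3: the scope statement gives keydatalen <= 192 while the process
    # step reads "less than 192 bits"; this example accepts up to 192 and
    # additionally rejects non-positive lengths. Assumption: BitLength(K)
    # is 8 * len(K).
    if not 0 < keydatalen <= MAX_KEYDATALEN_BITS:
        raise KdfError("keydatalen out of range")
    if keydatalen > 8 * len(k):
        raise KdfError("keydatalen exceeds BitLength(K)")
    # Step 4: L is keydatalen as a 32-bit big-endian value.
    length_field = keydatalen.to_bytes(4, "big")
    # Step 5: K1 = HMAC-SHA-384-192(K, OtherInfo || L).
    k1 = hmac_sha384_192(k, other_info + length_field)
    # Step 6: output the leftmost keydatalen bits of K1.
    return leftmost_bits(k1, keydatalen)


if __name__ == "__main__":
    sample_vk = bytes(range(1, 21))               # constructed 160-bit key
    sample_info = b"constructed OtherInfo bytes"  # constructed, not LVCONCAT output
    dk128 = kdf108_feedback_hmac_sha384(sample_vk, sample_info, 128)
    dk160 = kdf108_feedback_hmac_sha384(sample_vk, sample_info, 160)
    print(dk128.hex())
    # L is part of the MAC input, so a longer output is not an extension of a
    # shorter one derived from the same K and OtherInfo.
    print(dk160[:16] != dk128)
```

Because keydatalen is bound into the MAC input, a 128-bit key and a 160-bit key derived from the same K and OtherInfo share no prefix, which prevents a shorter key from being recovered by truncating a longer one.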

F. Record-in-email format

This format is intended to represent a single record (section 8.H) within the body of an e-mail message. The record is easily identified and extracted by a human operator or by software.

Given a record REC with record type rectype, a record-in-email is rendered as follows:

--STS:rectype BEGINS--
REC wrapped to 64 characters or less per line
--STS:rectype ENDS--

The starting guard is the octet string x’2D2D5354533A ∥ rectype ∥ x’20424547494E532D2D, and the ending guard is x’2D2D5354533A ∥ rectype ∥ x’20454E44532D2D.

G. File-of-records format

This format is intended to represent one or more records (section 8.H) in a text file. The file is easily parsed by software and includes an insecure checksum to detect accidental data corruption.

A text file is an ordered sequence of lines. Each line contains only Printable ASCII characters and is terminated by a single End-Of-Line (EOL) character LF (x’0A, often given as ‘\n’ in source code) or by the End-Of-File (EOF) condition. The EOL may be omitted from the last line of the file.

A file-of-records is a text file in which each line is either a record, a comment, or empty (whitespace). The last line in the file is a comment containing a BASE16-encoded SHA-1 [W:SHA-1] checksum over the preceding lines (including EOL characters), and must not have an EOL character.

A file-of-records is fully specified by the following production, given in Extended Backus-Naur Form [W:EBNF]:

File-of-records = Content, “#”, Checksum ;
Content         = Line, LF, { Line, LF } ;
Checksum        = BASE16( SHA-1( Content ) ) ;
Line            = Record | Comment | Empty ;
LF              = x’0A ;
Record          = Printable, { Whitespace } ;
Comment         = “#”, Printable ;
Empty           = { Whitespace } ;
Whitespace      = x’20 | x’08 | x’0D ;

Note that record lines may have trailing whitespace, which should be removed before parsing the record.
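A writer and a verifying reader for the file-of-records production, as an added example that is not part of the specification. It assumes that Printable ASCII means octets x’20 to x’7E and that the BASE16 checksum may be compared case-insensitively; the record contents are constructed placeholders, since the record syntax of section 8.H is outside this excerpt.

```python
import hashlib

# Whitespace production exactly as printed in the grammar: x'20 | x'08 | x'0D
WHITESPACE = b"\x20\x08\x0d"


class FileOfRecordsError(ValueError):
    """Raised when the octets do not form a valid file-of-records."""


def is_printable(data: bytes) -> bool:
    # Assumption: Printable ASCII is the range x'20..x'7E.
    return all(0x20 <= octet <= 0x7E for octet in data)


def build_file(lines) -> bytes:
    """Content = Line LF { Line LF }, then '#' and BASE16(SHA-1(Content)), no final EOL."""
    if not lines:
        raise FileOfRecordsError("Content needs at least one line")
    content = b"".join(line + b"\n" for line in lines)
    checksum = hashlib.sha1(content).hexdigest().upper().encode("ascii")
    return content + b"#" + checksum


def parse_file(data: bytes):
    """Verify the trailing checksum and return the record lines as strings."""
    cut = data.rfind(b"\n")
    if cut < 0:
        raise FileOfRecordsError("no Content before the checksum line")
    content, last = data[:cut + 1], data[cut + 1:]
    # The checksum comment is the last line and must not carry an EOL; if the
    # file ends with LF, 'last' is empty and is rejected here.
    if not last.startswith(b"#"):
        raise FileOfRecordsError("last line is not a checksum comment")
    claimed = last[1:]
    expected = hashlib.sha1(content).hexdigest().upper().encode("ascii")
    if len(claimed) != 40 or claimed.upper() != expected:
        raise FileOfRecordsError("checksum mismatch")
    records = []
    for number, line in enumerate(content[:-1].split(b"\n"), start=1):
        body = line.rstrip(WHITESPACE)   # trailing whitespace is not record data
        if not body or body.startswith(b"#"):
            continue                     # Empty or Comment line
        if not is_printable(body):
            raise FileOfRecordsError(f"line {number}: non-printable octet")
        records.append(body.decode("ascii"))
    return records


def constructed_sample() -> bytes:
    # Constructed lines: one comment, two placeholder records, one empty line.
    return build_file([
        b"# constructed sample file",
        b"REC-A|1|2  ",
        b"",
        b"REC-B|3|4\r",
    ])


if __name__ == "__main__":
    sample = constructed_sample()
    print(parse_file(sample))
    # The checksum is unkeyed: anyone who edits Content can recompute it, so it
    # detects accidental corruption only, as the section itself states.
    edited = build_file([b"REC-A|9|9"])
    print(parse_file(edited))
```

A reader that needs tamper evidence has to rely on protection carried by the records themselves or by the transport, because a recomputed checksum verifies just as well as the original.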

H. Summary of cryptographic primitives and standards

The following table summarises all cryptographic primitives (algorithms) employed by this specification, and indicates the standards to which they conform:

Algorithm | Classification | Mode of Operation | Key | Key Length (bits) | Security-strength (bits) | Standards¹
MISTY1 | 64-bit Block Cipher | ECB | Decoder Key (DK) | 128 | 128 | ISO 18033-3
CAST-128 | 64-bit Block Cipher | ECB | Decoder Key (DK) | 128 | 128 | ISO 18033-3, RFC 2144
ECB mode for any block cipher algorithm | n-bit Block Cipher mode of operation | ECB | Determined by Block Cipher. ECB provides confidentiality only, with weaker guarantees for multi-block encryption. | | | ISO 10116, NIST SP800-38A
KDF108-Feedback-HMAC-SHA-384 | Symmetric Key Derivation Function | Feedback mode (iterated PRF over HMAC-SHA-384) | Vending Key (VK) | 160 | 160 (up to 192 with 192-bit key) | NIST SP800-108
HMAC-SHA-384-192 | Pseudorandom Function (PRF) | N/A | HMAC with SHA-384 has a maximum key length of 1023 bits, and a security-strength of up to 192 or 384 bits (depending on application). | | | RFC 4868, ISO 9797-2, FIPS PUB 198-1
HMAC | Dedicated Message Authentication Code (MAC) | Operates over a digest (hash) function | Maximum key length depends on digest function. Security-strength depends on key length. | | | ISO 9797-2, FIPS PUB 198-1, RFC 2104
SHA-384 | Digest function (hash) | N/A | Non-keyed function. Security-strength is 192 bits for digital signatures and MAC, 384 bits for KDF. | | | ISO 10118-3, FIPS PUB 180-4
AES-192 | 128-bit Block Cipher | CCM | Key Exchange Key (KEK) | 192 | 192 (integrity limited to 128) | ISO 18033-3, FIPS PUB 197
CCM mode for any block cipher algorithm | n-bit Block Cipher mode of operation | CCM (Nonce-based Authenticated Encryption with Additional Data) | Determined by Block Cipher. CCM provides confidentiality and integrity under the assumption that the nonce is not reused with a given key. | | | ISO 19772, NIST SP800-38C, RFC 3610
ECC CDH | Asymmetric key agreement primitive | Domain parameters: NIST P-384; KDF-X963 | (dSM, QSM) and (dKMC, QKMC) | 384 | 192 | ISO 11770-3, ANSI X9.63, NIST SP800-56A, SEC 1
1-Pass Unified Model C(1e, 2s) | Asymmetric key agreement scheme | Operates over ECC CDH primitive | 2 static (as for ECC CDH) plus 1 ephemeral for SM: (dE, QE) | 384 | 192 | NIST SP800-56A, ANSI X9.63, ISO 11770-3
ECDSA | Digital signature | Domain parameters: NIST P-384; SHA-384 | (dMAN, QMAN) | 384 | 192 | ISO 14888-3, ANSI X9.62, FIPS PUB 186-3, SEC 1
P-384 for any ECC operation | ECC Domain Parameters | P-384 | Also known as “ansix9p384r1” and “secp384r1”. ECC operations in this domain can provide up to 192 bits of security. | | | FIPS PUB 186-3, ANSI X9.62, SEC 2
KDF-X963-SHA-384 | Key Derivation Function (KDF) | Counter mode (iterated PRF over SHA-384) | Shared Secret from ECC CDH | Depends on ECC CDH (minimum 192 bits entropy required) | 192 bits | ISO 11770-3, ANSI X9.63, SEC 1

¹ Normative standards are in bold.

The following table indicates alignment of cryptographic primitives employed by this specification with various standards bodies and projects, with respect to the context or purpose of use:

Algorithm | ISO | NIST | NISTIR 7628 Smart Grid¹ | SP800-152 Federal KMC | Others
MISTY1, ECB for token encryption | ISO/TR 14742, ISO 18033-3, ISO 10116 | MISTY1 and CAST-128 are not approved by any NIST or FIPS standard. | | | RFC 2994; Approved by NESSIE & CRYPTREC
CAST-128, ECB for token encryption | ISO/TR 14742, ISO 18033-3, ISO 10116 | MISTY1 and CAST-128 are not approved by any NIST or FIPS standard. | | | RFC 2144; Approved by CSEC
KDF108-Feedback-HMAC-SHA-384 with LVCONCAT for symmetric key derivation | No relevant standard. HMAC: ISO 9797-2 and ISO/TR 14742. SHA-384: ISO 10118-3 and ISO/TR 14742 | NIST SP800-131A, NIST SP800-108, FIPS PUB 198-1, FIPS PUB 180-4. Formatting function complies fully | Approved beyond 2030 | Exceeds “Augmented” security; not interoperable | Equivalent to RFC 5869; not interoperable
AES-192, CCM for authenticated encryption and key wrapping | ISO 18033-3, ISO 19772. AES: ISO/TR 14742 | NIST SP800-131A, FIPS PUB 197, NIST SP800-38C | Approved beyond 2030 | Exceeds “Augmented” security; not interoperable | ANSI X9.102; Approved by NESSIE & CRYPTREC
ECC CDH C(1e, 2s) for asymmetric shared secret agreement | ISO 11770-3 | NIST SP800-131A, NIST SP800-56A (Set ED) | Approved beyond 2030, 192-bit security | Exceeds “Augmented” security; not interoperable | NSA Suite B, ANSI X9.63, SEC 1
ECDSA for digital signature in PK certificates | ISO/TR 14742, ISO 14888-3 | NIST SP800-131A, FIPS PUB 186-3 | Approved beyond 2030 | Exceeds “Augmented”; meets ‘Desirable’ | NSA Suite B, ANSI X9.62, SEC 1
NIST P-384 domain parameters | ISO/TR 14742. No ISO standard specifies curves | NIST SP800-131A, FIPS PUB 186-3 | Approved beyond 2030 | Exceeds “Augmented” security; not interoperable | NSA Suite B, ANSI X9.62, SEC 2
KDF-X963-SHA-384 with LVCONCAT for key derivation from asymmetrically shared secret | ISO 11770-3 | NIST SP800-131A, NIST SP800-135 | Approved beyond 2030 | Non-compliant: only NIST concatenation KDF permitted | ANSI X9.63, SEC 1
Unified Model key confirmation (with HMAC-SHA-384-192 and LVCONCAT) | Conforms to ISO 11770-3 | NIST SP800-131A; Meets SP800-56A Set ED targets. Partially conforms but not interoperable; Meets SP800-56A Set ED targets | No relevant guidance | Meets “Augmented” requirements | Partially conforms to ANSI X9.63; standard is unclear on key confirmation for C(1e, 2s)

¹ The NIST 7628 requirements for approval beyond 2030 are based on NIST SP800-57 and NIST SP800-131.

Comments:

- [ISO/TR 14742] and [NIST SP800-131A] are ‘super-standards’ that recommend – with reference to other standards – cryptographic algorithms and key lengths that are appropriate for the foreseeable future.

  o [ISO/TR 14742] provides recommendations for the financial services industry. The body of the standard does not cover key establishment algorithms, but Annex A cites key establishment mechanisms in [ISO 11770-3]. The standard does not cover authenticated encryption modes of operation.

  o [NIST SP800-131A] specifies NIST Approved algorithms that may be implemented in a [FIPS PUB 140-2] certified HSM, and indicates the permitted periods of use for these algorithms and associated key lengths. The standard does not recommend ECC curves or cover key confirmation in key agreement algorithms, but does approve the schemes in [NIST SP800-56A], and that standard in turn recommends the curves in [FIPS PUB 186-3].

- An algorithm is fully aligned with the cited standard(s) unless otherwise indicated. Full alignment includes security equivalence and interoperability.

- An algorithm may conform to a standard without being fully interoperable. This usually occurs when this specification has a higher security target than the standard (as with NIST SP800-152) or the standard specifies that formatting of input fields is application specific (as with KDFs and key confirmation).

- Non-compliance and conformance are color-coded.

I. Summary of functions

A reference list of functions defined elsewhere in this document:

- BCD(Decimal String) → Octet String | Error
- BASE16(Octet String) → Hexadecimal String
- BASE16-DECODE(Hexadecimal String) → Octet String | Error
- Integer-to-Octet-String(Integer, MaxInteger) → Octet String | Error
- Octet-String-to-Integer(Octet String, MaxInteger) → Integer | Error
- Field-Element-to-Octet-StringDomain(Field Element) → Octet String | Error
- Octet-String-to-Field-ElementDomain(Octet String) → Field Element | Error
- Point-to-Octet-StringDomain(Point) → Octet String | Error
- Octet-String-to-PointDomain(Octet String) → (xP, yP) not necessarily a valid Point | Error
- CRC16-MODBUS(Octet String) → 16-bit Big Endian integer
- LVCONCAT(I1, I2, …, In), Ii an Octet String, OctetLen(Ii) ≤ 255, n ≤ 255 → Octet String | Error
- DFCONCAT(DELIM, I1, I2, …, In), DELIM 1P, Ii Printable → Printable ASCII String | Error
- DFPARSE(DELIM, Octet String) → O1, O2, …, On, Oi Printable | Error
- BUILD-RECORD(rectype, n, I1, I2, …, In), rectype IDENT, Ii Printable → Printable ASCII String | Error
- PARSE-RECORD(rectype, n, Octet String), rectype IDENT → O1, O2, …, On, Oi Printable | Error
- AES-192-CCMENC(Key, Nonce, Additional, Plaintext) → Ciphertext | Error; all Octet String
- AES-192-CCMDEC(Key, Nonce, Additional, Ciphertext) → Plaintext | Error; all Octet String
- SHA-384(Octet String) → Digest (Octet String)
- HMAC-SHA-384-192(Key, Text) → MAC; all Octet String
- KDF-X963-SHA-384(SharedSecret, SharedInfo, keydatalen) → Key Material (Octet String)
- ECC-CDHP-384(dA in [1, n-1], QB a Point) → SharedSecret (Octet String)
- ECDSA-SIGNP-384,SHA-384(dA in [1, n-1], M an Octet String) → (r, s) both in [1, n-1] | Error
- ECDSA-VERIFYP-384,SHA-384(QB a Point, M an Octet String, (r,s) a Signature) → “valid” | “invalid” | Error
- GENERATE-KEY() → ECC Key Pair (dA in [1,n-1], QA a Point)
- VALIDATE-KEY(QB a Point) → TRUE | Error
- CAST-128ENC(Key, Plaintext) → Ciphertext; all Octet String
- CAST-128DEC(Key, Ciphertext) → Plaintext; all Octet String
- MISTY1ENC(Key, Plaintext) → Ciphertext; all Octet String
- MISTY1DEC(Key, Ciphertext) → Plaintext; all Octet String
- HMAC-DKGA(VK, SGC, KT, KRN, MeterPAN, EA, TI) → Key
- KDF108-Feedback-HMAC-SHA-384(DerivationKey, OtherInfo, keydatalen) → Key Material

J. Summary of required Codes of Practice and Registries

The STSA SHOULD provide Codes of Practice for:

- The security requirements for an SM (see section 12.A).
- The security requirements for a KMC HSM (see section 13.A).
- The requirements for approving SM hardware and firmware (see section 12.A).

The STSA SHOULD provide registry services for:

- Manufacturer names (see section 11).
- KMC names (see section 13.B).
- Approved HWIDs (see section 13.B).
- Approved FWIDs (see section 13.B).

KMC standards to be developed by the STSA SHALL include:

- A procedure for SM Manufacturers to publish their public key certificates to KMCs in a trusted manner (section 11).
- A procedure for KMCs to publish their public keys to SM Operators in a trusted manner (section 13.C).
- Procedures or procedural requirements to handle the compromise of KMC keys (dKMC, SMK) or of Vending Keys (section 17.C.2).

Page 63: STS Standard Transfer Specification - ced Key … Specifications/STS600-4-1...B. Abbreviation C. Symbols ..... y Managem. ... DSA key (dM ... on Algorithm in a revision has a higher

CONFIDENTIAL

Document no: RPT-0031-120

Version: 1.2

File name: RPT-0031-120.doc

Date: 13 November 2012

Ziliant Systems

Review of the new STS Key Management Specification

Review Report


Table of contents

1 Scope
2 Overview
3 Observations
3.1 General
3.2 Key agreement method
3.3 SM Initialisation
3.4 KMC Initialisation
3.5 SM Vending Key Load Request
3.6 KMC Vending Key Load Response
3.7 SM Key Load File Processing?
3.8 Encryption Algorithms for IEC 62055-41
3.9 Decoder Key Generation Algorithm for IEC 62055-41
4 Conclusions
5 References
6 Definitions and Abbreviations


1 Scope

This report provides feedback on an independent review of the new STS Key Management System as described in the new specification [1]. The scope of the review mainly covers the security protocol between the Key Management Centre (KMC) and the Security Module (SM) but also comments on the choice of block ciphers and the key derivation method.

2 Overview

The current implementation of the interface between the KMC and the SM is to be upgraded to improve security and provide more flexibility with regard to multiple KMCs per SM. The upgrade should also consider the fact that SMs may be deployed in remote locations with limited communications infrastructure. The KMC-SM upgrade forms part of an overall upgrade of the STS key management infrastructure to facilitate wider expansion into international markets (notably the USA). Therefore the new design must be based on internationally accepted standards wherever possible. The review was conducted on the proposed design with these aims in mind and certain observations were made. These observations are described in the following paragraphs.


3 Observations

3.1 General

The STS Key Management Specification [1] provides a detailed description of the KMC-SM cryptographic protocol and places high priority on international standards compliance. Attention is given to providing non-ambiguous descriptions of data fields and processes. This is good for implementers and is also good security practice. The use of public key cryptography in the new design will better support future variations of the infrastructure in terms of international deployments. In general the use of public key cryptography combined with adherence to widely accepted standards is in line with STSA’s requirements for international expansion. In reviewing the specification we have made several observations and remarked on these below. Some remarks are merely confirmations or informational while others are cautionary and may require attention. While we have made some recommendations in the latter case, these issues may simply require additional clarification or expansion.

3.2 Key agreement method

1. The key agreement method described in the specification corresponds to the NIST SP800-56A variation C(1, 2, ECC-CDH) scheme [2] which is in turn based on the ANSI X9.63-2001 1-Pass Unified scheme [3]. In this variation of ECC-CDH only one side generates ephemeral keys. This is typically used in a store-and-forward one-pass scheme such as e-mail. This method is in line with the requirement to support offline CDUs. The key agreement data exchanges could be e-mailed as attached files or a manual system could be employed using a single round-trip courier.

2. The key agreement initiator (SM) possesses a long-term static key pair and generates an ephemeral key pair per-session, whereas the responder (KMC) only possesses a long-term static key pair. Information encrypted under the established shared key remains protected even if the SM’s keys are compromised but not if the KMC’s keys are compromised. This is sometimes referred to as “one-party” or “half” forward secrecy. In this application it is the vending station’s SM that carries the higher risk of being compromised rather than the KMC’s HSM. If the KMC’s static keys were compromised due to a physical attack on the KMC HSM then the entire KMC key database would be compromised anyway. Therefore half forward secrecy is probably acceptable.

3. The key agreement method appears to support key confirmation on the SM side but this is not described in the specification at this stage. There needs to be an additional section explaining how the SM processes the KMC key exchange data block.

4. In the upper tier of the new STS key management hierarchy (KDC-KMC) online capability is more likely. In this case it would be preferable to use something equivalent to NIST’s C(2, 2, ECC-CDH) Scheme with Bilateral Key Confirmation. This would allow the re-use of the ECC-CDH base algorithm. However care should be taken with the re-use of the KMC static keys in this case. Menezes et al. [4] have shown that under certain circumstances the re-use of static keys in both the 1-pass and 3-pass variations of the Unified Model (NIST SP800-56A [2]) can allow active attacks on the 3-pass version by replaying exchanges from the 1-pass version.

3.3 SM Initialisation

1. The SM pre-requisites sound reasonable although they do imply the availability of a fair amount of processing power. The SM must be capable of performing Elliptic Curve Cryptography (ECC) calculations including ECC ephemeral key generation.

2. The specification states that public keys “SHOULD” have a limited lifespan. This will typically be disregarded by implementers. It would be better to either specify “MUST” or else provide other checks and balances to limit the damage that a compromised/hacked/stolen SM could wreak on the system. The latter checks-and-balances route may be preferable. Implementing and operating public key expiry and rollover management is not trivial and is often problematic in Public Key Infrastructures (PKIs).

3. Pre-requisite standards are specified for SM compliance but no assurance level is specified. Here it would be better either to specify “SHOULD” or else to specify the appropriate assurance level.


4. The SM public keys are required by the KMC, which would normally require the KMC to authenticate the SM “face-to-face”. However, the Manufacturer’s private key (dMANUF) will be used to sign a file containing the SM public keys thereby creating a certificate of sorts ([1] 9.D). In this case there is only the need for a Manufacturer face-to-face meeting with the KMC to provide the KMC with the Manufacturer’s public key. There should probably be a document specifying this face-to-face protocol as well as the manufacturer file signing procedure.

5. The SM’s PUBKEY record field 1 (IDSM) is not cryptographically bound to field 2 (QSM). Although there is a hash/fingerprint binding embedded in IDSM this can be re-generated over a different set of SM identifiers outside of the SM. Therefore it is possible to produce two different PUBKEYs using the same QSM, or a PUBKEY with the same SM identifiers as an existing SM but with a different QSM. The former scenario might allow one SM to receive the VK for two different SGs. The latter scenario might allow a ghost SM to generate a request for a legitimate SM’s VK. This may not constitute a valid threat since there may well be other checks and balances in the system to catch these scenarios. Indeed the PUBKEY extraction and subsequent signing using the manufacturer’s private key will all take place within the confines of the manufacturer’s secure facility. However, the larger the physical disjuncture between these two processes the larger the threat. It might be prudent to either self-sign SM PUBKEYs before extraction from the SM and/or include a step in the KMC to check for duplicates of QSM and IDSM.

6. There is currently no description of the processes wherein the SM’s public keys are signed by the manufacturer. What tool does the manufacturer use for this purpose? We recommend that the previous point be taken into consideration during the development of this procedure.
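One way to implement the KMC-side duplicate check suggested in item 5, as an added example (not the specification's or the review's own code). The record layout, the class and function names and the sample records are assumptions constructed for illustration, and the manufacturer's signature on each record is assumed to have been verified before this check runs.

```python
from collections import namedtuple

# Hypothetical, reduced view of a PUBKEY record: only the two fields the
# review discusses (field 1 = ID_SM, field 2 = Q_SM as an encoded point).
Pubkey = namedtuple("Pubkey", "id_sm q_sm")


class BindingConflict(Exception):
    """Raised when a record would break the one-to-one ID_SM <-> Q_SM mapping."""


class SmKeyRegistry:
    """KMC-side index of accepted SM public keys, searchable in both directions."""

    def __init__(self):
        self._q_by_id = {}
        self._id_by_q = {}

    def register(self, rec):
        seen_q = self._q_by_id.get(rec.id_sm)
        seen_id = self._id_by_q.get(rec.q_sm)
        if seen_q == rec.q_sm and seen_id == rec.id_sm:
            return False  # exact re-submission of a known record
        if seen_id is not None:
            # Same Q_SM under different SM identifiers: one SM could end up
            # receiving vending keys meant for two identities.
            raise BindingConflict(
                f"Q_SM of {rec.id_sm} is already registered to {seen_id}")
        if seen_q is not None:
            # Known SM identifiers with a new Q_SM: possible ghost SM.
            raise BindingConflict(
                f"{rec.id_sm} is already registered with a different Q_SM")
        self._q_by_id[rec.id_sm] = rec.q_sm
        self._id_by_q[rec.q_sm] = rec.id_sm
        return True


def audit(records):
    """Feed records through a fresh registry; return (accepted ids, rejections)."""
    registry = SmKeyRegistry()
    accepted, rejected = [], []
    for rec in records:
        try:
            if registry.register(rec):
                accepted.append(rec.id_sm)
        except BindingConflict as exc:
            rejected.append((rec.id_sm, str(exc)))
    return accepted, rejected


# Constructed sample records; the byte strings stand in for encoded points.
KEY_1 = b"\x04" + b"\x11" * 64
KEY_2 = b"\x04" + b"\x22" * 64
KEY_3 = b"\x04" + b"\x33" * 64
SAMPLE = [
    Pubkey("SM-A", KEY_1),
    Pubkey("SM-B", KEY_2),
    Pubkey("SM-C", KEY_1),   # re-uses SM-A's Q_SM under other identifiers
    Pubkey("SM-B", KEY_3),   # SM-B's identifiers with a different Q_SM
    Pubkey("SM-A", KEY_1),   # harmless exact duplicate
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```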

3.4 KMC Initialisation

The pre-requisites for the KMC HSM and KMC itself seem reasonable.

3.5 SM Vending Key Load Request

The SM Vending Key Load Request procedure appears to be in line with the NIST SP800-56A recommendations for variation C(1, 2, ECC-CDH) [2].


3.6 KMC Vending Key Load Response

The KMC Vending Key Load Response procedure appears to be in line with the NIST SP800-56A recommendations for variation C(1, 2, ECC-CDH) [2].

3.7 SM Key Load File Processing?

As noted earlier there needs to be an additional section explaining how the SM processes the final KMC key exchange data block and the Key Load File (KLF).

3.8 Encryption Algorithms for IEC 62055-41

1. The requirement for a 64-bit output block limits the number of choices, hence only two algorithms are listed here (CAST-128 and MISTY-1). Blowfish could also have been included here as it has undergone a fair amount of cryptanalysis and not been found wanting. Yet despite the fact that Blowfish has been included in many applications, it has never really been endorsed as a standard for use in any government or other large organisational body. CAST-128 has been more widely adopted. CAST-128 is more likely to be accepted in the US as it was invented by Canadians and accepted for use by the Canadian government. CAST-128 is royalty-free and license-free whereas this is not as clear-cut in the MISTY-1 case. MISTY-1 is royalty-free but is not license-free and it has proven difficult to establish the exact terms of the license. MISTY-1 has also undergone less peer-review than CAST-128. We would recommend the use of CAST-128.

2. In the long term a cipher based on a larger data block would be preferable. However one can argue that the normal “Birthday Attack” criticism of a 64-bit data block is not applicable here since not enough encrypted data will be produced by any single key. This may not be the case in the upper tier of the system (KMC-KMS). In this case an algorithm such as AES-128 or AES-256 is recommended.

3.9 Decoder Key Generation Algorithm for IEC 62055-41

1. The NIST method is in keeping with typical key expansion/derivation methods and the method described in the specification [1] abides by NIST’s recommendations such as context-binding. NIST recommendations are respected worldwide and will be particularly favourable in US markets.


4 Conclusions

In conclusion we think that the specification is well aligned with STSA’s requirements. However we recommend that the implications of the non-binding of SM identifiers to their corresponding public keys during the manufacturing process should be further investigated (see section 3.3 - 2). We further recommend that some attention be given to the implications of the longevity of public keys in the case where no key expiry management is mandated (see section 3.3 - 5).

5 References

[1] STS Key Management Specification, PR-D2-0922 Rev 0.9 (PPT)

[2] NIST Special Publication 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007

[3] X9.63-2001 Public Key Cryptography for the Financial Services Industry -- Key Agreement and Key Transport Using Elliptic Curve Cryptography

[4] Sanjit Chatterjee, Alfred Menezes, Berkant Ustaoglu, “Combined Security Analysis of the One- and Three-Pass Unified Model Key Agreement Protocols”, 11th International Conference on Cryptology in India, Hyderabad, India, December 12-15, 2010. Proceedings


6 Definitions and Abbreviations

CDU Credit Dispensing Unit

DH Diffie-Hellman (key agreement protocol)

DKGA Decoder Key Generation Algorithm

ECC Elliptic Curve Cryptography

ECDH Elliptic Curve Diffie-Hellman

ECC-CDH Elliptic Curve Cryptography. Cofactor Diffie-Hellman

HSM Hardware Security Module

KDC Key Distribution Centre

KLF Key Load File

KMC Key Management Centre

PFS Perfect Forward Secrecy

PKI Public Key Infrastructure

PPT Prism Payment Technologies

SM Security Module

STS Standard Transfer Specification

STSA STS Association


CONFIDENTIAL

Document no: RPT-0032-120

Version: 1.2

File name: RPT-0032-120.doc

Date: 7 December 2012

Ziliant Systems

Review of the updated STS Key Management Specification

Review Report


Table of contents

1 Scope
2 Overview
3 Observations
3.1 General
3.2 Key agreement method
3.3 SM Manufacturer setup
3.4 SM Initialisation
3.5 KMC Initialisation
3.6 SM Vending Key Load Request
3.7 KMC Vending Key Load Response
3.8 SM KEK Confirmation and Vending Key Import
3.9 End-of-life and key compromise procedures
3.10 Encryption Algorithms for IEC 62055-41
4 Conclusions
5 References
6 Definitions and Abbreviations


1 Scope

An initial review was conducted of the new STS Key Management System as described in the earlier specification [2]. A corresponding report [3] highlighted certain aspects of the specification that required more clarity and an updated specification has subsequently been produced [1]. The updated specification is the subject of this report. The scope of this report is to follow-up on the agreed changes and to review any new cryptographic content.

2 Overview

The updated specification [1] provides a lot more detail but this mainly expands on earlier detail to provide better clarity and less ambiguity. Additional content has also been added but this is in line with discussions around the earlier review.

Some observations were made in reviewing the updated specification. These observations are described in the following paragraphs.


3 Observations

3.1 General

1. Dual control and split knowledge key handling is often referred to in the specification and it might be useful to add a reference to a corresponding standard e.g. ANSI X9.17-1985 (there may also be newer standards for this).

2. As agreed at the review meeting, all occurrences of “MUST” have now been changed to “SHALL”.

3. The intention that the infrastructure may remain in use until the year 2045 (see [1] 5. Overview) seems unreasonable. Given the great strides in cryptography over the last 35 years, something like 2030 might be a more reasonable lifetime to aim for.

3.2 Key agreement method

1. The key agreement description has been enhanced with the addition of diagrams. These are a welcome addition.

2. The final step in key agreement processing i.e. SM extraction of the vending key (raised in [3] 3.2.2) has now been addressed by the inclusion of a final “SM KEK Confirmation and Vending Key Import” ([1] 16.).

3.3 SM Manufacturer setup

A KMS procedure or Operational procedure is mentioned in the updated specification ([1] 11) for the purpose of publishing and verifying PUBKEYMAN. A recommended procedure is also provided for this in 11.A [1]. This is an important step as it pertains to “initial trust”. In a template-style PKI, authenticating the origin of PUBKEYMAN would normally require a face-to-face meeting with the exchange of identity documents etc. However, this does depend on the situation, e.g. in some cases the SM manufacturer may also provide the KMS service, or, a trusted relationship may already exist between these two entities. An e-mail system with 2nd channel fingerprint verification should only be acceptable in cases where a trusted relationship already exists. In this case the 2nd channel phone call is reasonably strong since the two parties recognise each other’s voice. If no prior relationship exists then a face-to-face meeting is recommended.

3.4 SM Initialisation

1. The SM Public key lifespan is now addressed under the section “SM Manufacturer Setup” (see [1] 11).

2. The pre-requisite standards and assurance level for SM compliance have now been addressed in section 12.A [1].

3. The issue of SM public key identity binding in the previous review report [3] 3.3.5 has now been addressed by section 12.B [1]. A recommended procedure for generating and signing the SM public key has also been provided in section 12.B.1 [1].

4. The question around the Manufacturer signing process ([3] 3.3.6) has now been addressed by the new procedures in sections 11, 12.B.1 and 12.C [1].

3.5 KMC Initialisation

In section 13.C.1 [1] the KMC public key PUBKEYKMC is e-mailed to the Manufacturer with 2nd channel telephonic fingerprint verification. As in 3.3 above, if no prior relationship exists we recommend face-to-face exchange of KMC and Manufacturer public keys (PUBKEYKMC and PUBKEYMAN). After discussing this point with PPT we agree that there is no direct threat. However it is good practice to provide mutual authentication in any cryptographic system even if one-party authentication is all that is required as there may be future unintended consequences. Perhaps one example would be that a meter vendor who is able to get hold of a CDU might be able to vend using a “STSA approved” CDU to an isolated group of “STSA-approved” meters. This would allow the vendor to be “legal” in the country while cutting STSA out of the loop.

3.6 SM Vending Key Load Request

More detail has been added here but no essential change to the key agreement method. More comprehensive error checking has been provided and key expiry is also now handled here.


3.7 KMC Vending Key Load Response

More detail has been added here but no essential change to the key agreement method. More comprehensive error checking has been provided. Key expiry is also now handled here and a better description of replay detection has been provided.

3.8 SM KEK Confirmation and Vending Key Import

As requested in the earlier report [3] 3.3.7 an additional section has now been provided in the updated specification (section 16 [1]) explaining how the final key agreement data block is handled by the SM and how the vending key is extracted.

3.9 End-of-life and key compromise procedures

Section 17 [1] has been added to specify end-of-life and compromise procedures for each crypto entity. While this was not highlighted in the previous report [3], it was highlighted in the review feedback meeting with STSA and PPT.

3.10 Encryption Algorithms for IEC 62055-41

The question around the MISTY license in the previous report ([3] 3.8.1) has now been addressed in D.2 [1].

4 Conclusions

In conclusion, the only notable observations are the overall lifetime of the system (see 3.1.3) and the recommendation with regard to face-to-face meetings (see 3.3 and 3.5). In general we are happy that the updated specification meets STSA’s requirements.


5 References

[1] STS - Key Management Specification, STS600-4-1 Ed 1.0

[2] STS Key Management Specification, PR-D2-0922 Rev 0.9 (PPT)

[3] Review of the new STS Key Management System, RPT-0031-110 (Ziliant)

6 Definitions and Abbreviations

CDU Credit Dispensing Unit

KEK Key Encrypting Key

KMC Key Management Centre

PPT Prism Payment Technologies

SM Security Module

STS Standard Transfer Specification

STSA STS Association