IBM Crypto Education Community

 View Only

 TR31 KEK keys with legacy transaction keys

Rafal Kaczmarz's profile image
Rafal Kaczmarz posted Fri April 04, 2025 04:40 AM

Hi, 

Currently I use legacy key format (16B of encrypted raw key value for double DES key) when exchanging keys for one interface. This legacy format is used for both KEK keys and transaction keys. Pre-xor technique is used for importing keys and they are imported in half key processing (so there are 2 importer KEK's used to import a transaction key).

There are plans to migrate to TR31 format for exchanging KEK keys (but only KEK at this point) - and I don't know if it would be possible to import TR31 KEK keys (IMPORTER and EXPORTER) and use it for importing/exporting transaction keys in a legacy format.  TR31 will be wrapped by 256b AES key and will store 2K3DES keys (MAC GEN/MAC VER and ENCIPHER/DECIPHER).

Can you help to find the answer?

Eric Rossman's profile image
Eric Rossman

In theory, you could use a pair of TR31 key blocks (for half key processing) using the same services you currently use.