IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

  • 1.  ICSF support for X9 TR34–2012

    Posted Thu March 23, 2017 07:58 PM

    I hope this is an appropriate forum for the following.

    Currently ICSF has support for ASC X9 TR-31 2010 (Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms).  However, ICSF does not currently support ASC X9 TR-34 2012 (Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques: Part 1 - Using Factoring-Based Public Key Cryptography Unilateral Key Transport), which is an "interoperable method" to distribute TR-31 Key Block Protection Keys (among other things, I'm sure).

    NCR ATM hardware (specifically their "Encrypting PIN Pads") and software (Aptra Edge V7) support both TR-31 for symmetric exchanging of "bundling" of keys (TR-31 key blocks) and TR-34 for distribution of symmetric keys (TR-31 Key Block Protection Key) using RSA asymmetric encryption with SHA-256 Digital Signatures.  TR-34 is the only method supported by NCR ATMs to comply with PCI 3 (Payment Card Industry) requirements that SHA-1 no longer be used.

    If you are an NCR ATM customer, or even just someone who wants IBM to support the latest cryptographic standards, please vote for my RFE requesting TR-34 support:  http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=102736.

    Thank you,

    Frank

    fswarbrick


  • 2.  Re: ICSF support for X9 TR34–2012

    Posted Tue March 28, 2017 10:57 AM

    Hi Frank,

    There's no problem with posting your RFE link here for more votes. :-) Hopefully additional interested parties will notice and vote as well.

    Eysha Shirrine


  • 3.  Re: ICSF support for X9 TR34–2012

    Posted Thu April 20, 2017 12:49 PM

    So the RFE has been updated to status "Planned for future release".  That is good news.  I don't suppose there is any way to get some sort of vague idea of a timeframe?  (Months? Years?)

    Our host card processing vendor has been pondering a "roll your own" solution and I was wondering if I could get some thoughts on that.  It appears to me, from what I've researched, that a "roll your own" solution using ICSF is not possible because of what I see as a lack of an API primitive to encrypt both a key and data about the key under an RSA public key.  I see how you can encrypt a key under a public key, and you can encrypt data under a public key, but I see no way to do both together.  Am I missing something?

    Thanks, Frank

    fswarbrick


  • 4.  Re: ICSF support for X9 TR34–2012

    Posted Wed April 03, 2019 06:49 PM

    We ended up moving our ATMs to a non-z/OS host system, and thus have mitigated our need for this feature.  Nonetheless, I am still curious as to when this might be implemented...

    fswarbrick


  • 5.  Re: ICSF support for X9 TR34–2012

    Posted Fri August 23, 2019 04:25 PM

    It looks like IBM just released ICSF FMID HCR77D0, which includes support for TR-34 symmetric key management.

    Yay?

    fswarbrick