ISO 11568-2:2005

INTERNATIONAL ISO
STANDARD 11568-2
Second edition
2005-10-01
Banking — Key management (retail) —
Part 2:
Symmetric ciphers, their key
management and life cycle
Banque — Gestion de clés (services aux particuliers) —
Partie 2: Algorithmes cryptographiques symétriques, leur gestion de
clés et leur cycle de vie
Reference number
©
ISO 2005
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2005 – All rights reserved

Contents Page
Foreword. iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 2
4 General environment for key management techniques. 4
4.1 General. 4
4.2 Functionality of a secure cryptographic device . 4
4.3 Key generation . 5
4.4 Key calculation (variants) . 6
4.5 Key hierarchies . 6
4.6 Key Life Cycle . 7
4.7 Key storage . 9
4.8 Key restoration from back up. 10
4.9 Key distribution and loading . 10
4.10 Key use . 11
4.11 Key replacement . 11
4.12 Key destruction. 12
4.13 Key deletion. 12
4.14 Key archive. 12
4.15 Key termination. 12
5 Techniques for the provision of key management services . 13
5.1 Introduction . 13
5.2 Key encipherment. 13
5.3 Key variants. 13
5.4 Key derivation . 14
5.5 Key transformation. 14
5.6 Key offsetting . 15
5.7 Key notarization. 16
5.8 Key tagging . 17
5.9 Key verification . 18
5.10 Key identification. 19
5.11 Controls and audit . 19
5.12 Key integrity . 20
6 Symmetric key life cycle . 20
6.1 General. 20
6.2 Key generation . 20
6.3 Key storage . 20
6.4 Key restoration from back up. 21
6.5 Key distribution and loading . 21
6.6 Key use . 23
6.7 Key replacement . 23
6.8 Key destruction, deletion, archive and termination. 24
7 Key management services cross reference. 25
Annex A (normative) Notation used in this part of ISO 11568. 26
Annex B (normative) Approved algorithms for symmetric key management . 27
Annex C (normative) Abbreviations . 28
Bibliography . 29

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 11568-2 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Security management and general banking operations.
This second edition cancels and replaces the first edition (ISO 11568-2:1994), which has been technically
revised. It also cancels and replaces ISO 11568-3:1994, the content of which has been incorporated into this
part of ISO 11568.
ISO 11568 consists of the following parts, under the general title Banking — Key management (retail):
⎯ Part 1: Principles
⎯ Part 2: Symmetric ciphers, their key management and life cycle
⎯ Part 4: Asymmetric cryptosystems — Key management and life cycle
⎯ Part 5: Key life cycle for public key cryptosystems [To be withdrawn and incorporated into Part 4]
⎯ Part 6: Key management schemes [since withdrawn]
iv © ISO 2005 – All rights reserved

Introduction
ISO 11568-2 is one of a series of standards describing procedures for the secure management of
cryptographic keys used to protect messages in a retail financial services environment, for instance,
messages between an acquirer and a card acceptor, or an acquirer and a card issuer.
This part of ISO 11568 addresses the key management requirements that are applicable in the domain of
retail financial services. Typical of such services are point-of-sale/point-of-service (POS) debit and credit
authorizations and automated teller machine (ATM) transactions.
This part of ISO 11568 describes key management techniques which, when used in combination, provide the
key management services identified in ISO 11568-1. These services are:
⎯ key separation;
⎯ key substitution prevention;
⎯ key identification;
⎯ key synchronization;
⎯ key integrity;
⎯ key confidentiality;
⎯ key compromise detection.
The key management services and the corresponding key management techniques are cross-referenced in
Clause 7.
This part of ISO 11568 also describes the key life cycle in the context of secure management of cryptographic
keys for symmetric ciphers. It states both requirements and implementation methods for each step in the life
of such a key, utilizing the key management principles, services and techniques described herein and in
ISO 11568-1. This part of ISO 11568 does not cover the management or key life cycle for keys used in
asymmetric ciphers, which are covered in ISO 11568-4.
In the development of the ISO 11568 series due consideration was given to ISO/IEC 11770; the mechanisms
adopted and described in this part of ISO 11568 are those required to satisfy the needs of the financial
services industry.
INTERNATIONAL STANDARD ISO 11568-2:2005(E)

Banking — Key management (retail) —
Part 2:
Symmetric ciphers, their key management and life cycle
1 Scope
This part of ISO 11568 specifies techniques for the protection of symmetric and asymmetric cryptographic
keys in a retail banking environment using symmetric ciphers and the life-cycle management of the associated
symmetric keys. The techniques described enable compliance with the principles described in ISO 11568-1.
The techniques described are applicable to any symmetric key management operation. The notation used in
this part of ISO 11568 is given in Annex A.
Algorithms approved for use with the techniques described in this part of ISO 11568 are given in Annex B.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 9564-1:2002, Banking — Personal Identification Number (PIN) management and security — Part 1: Basic
principles and requirements for online PIN handling in ATM and POS systems
ISO/IEC 10116, Information Technology — Security techniques — Modes of operation for an n-bit block
cipher
ISO 11568-1:2005, Banking — Key management (retail) — Part 1: Principles
ISO 13491-1, Banking — Secure cryptographic devices (retail) — Part 1: Concepts, requirements and
evaluation methods
ISO 13491-2:2000, Banking — Secure cryptographic devices (retail) — Part 2: Security compliance checklists
for devices used in magnetic stripe card systems
ISO 16609:2004, Banking — Requirements for message authentication using symmetric techniques
ISO/IEC 18033-1, Information technology — Security techniques — Encryption algorithms — Part 1: General
1)
ISO/TR 19038 , Banking and related financial services — Triple DEA — Modes of operation —
Implementation guidelines
ANSI X9.24 Part 1-2004, Retail Financial Services Symmetric Key Management Part 1: Using Symmetric
Techniques
ANSI X9.65, Triple Data Encryption Algorithm (TDEA), Implementation Standard

1) To be published
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
cipher
pair of operations that effect transformations between plaintext and ciphertext under the control of a parameter
called a key
NOTE The encipherment operation transforms data (plaintext) into an unintelligible form (ciphertext). The
decipherment operation restores the original text.
3.2
counter
incrementing count used between two parties, e.g. to control successive key distributions under a particular
key encipherment key
3.3
data integrity
property that data has not been altered or destroyed in an unauthorized manner
3.4
data key
randomly or pseudo-randomly generated cryptographic key used for the encipherment, decipherment or
authentication of data
3.5
dual control
process of utilizing two or more separate entities (usually persons), operating in concert to protect sensitive
functions or information whereby no single entity is able to access or utilize the materials, e.g. cryptographic
key
3.6
exclusive-or
see modulo-2 addition
3.7
hexadecimal digit
single character in the range 0-9, A-F (upper case), representing a four-bit string
3.8
key component
one of at least two randomly or pseudo-randomly generated parameters having the characteristics (e.g. format,
randomness) of a cryptographic key that is combined with one or more like parameters, e.g. by means of
modulo-2 addition, to form a cryptographic key
3.9
key mailer
tamper evident envelope that has been designed to convey a key component to an authorized person
3.10
key offset
result of adding a counter to a cryptographic key using modulo-2 addition
3.11
key space
set of all possible keys used within a cipher
2 © ISO 2005 – All rights reserved

3.12
key transfer device
secure cryptographic device that provides key import, storage and export functionalities
[ISO 13491-2:2000, Annex F]
3.13
key transformation
derivation of a new key from an existing key using a non-reversible process
3.14
message authentication code
MAC
code in a message between an originator and a recipient, used to validate the source and part or all of the text
of a message
NOTE The code is the result of an agreed calculation.
3.15
modulo-2 addition
exclusive-or
XOR
binary addition with no carry, giving the following values:
0 + 0 = 0
0 + 1 = 1
1 + 0 = 1
1 + 1 = 0
3.16
n-bit block cipher
block cipher algorithm with the property that plaintext blocks and ciphertext blocks are n-bits in length
3.17
notarization
method of modifying a key encipherment key in order to authenticate the identities of the originator and the
ultimate recipient
3.18
offset
see key offset
3.19
originator
party that is responsible for originating a cryptographic message
3.20
pseudo-random
process that is statistically random and essentially unpredictable although generated by an algorithmic
process
3.21
recipient
party that is responsible for receiving a cryptographic message
3.22
secure cryptographic device
device that provides security storage for secret information such as keys and provides security services based
on this secret information
[ISO 13491-2]
3.23
split knowledge
condition under which two or more parties separately and confidentially have custody of the constituent part of
a single cryptographic key which, individually, conveys no knowledge of the resultant cryptographic key
4 General environment for key management techniques
4.1 General
The techniques that may be used to provide the key management services are described in Clause 5 and the
key life cycle in Clause 6. This clause describes the environment within which those techniques operate and
introduces some fundamental concepts and operations, which are common to several techniques.
4.2 Functionality of a secure cryptographic device
4.2.1 General
The most fundamental cryptographic operations for a symmetric block cipher are to encipher and decipher a
block of data using a supplied secret key. For multiple blocks of data, these operations might use a mode of
operation of the cipher as described in ISO/IEC 10116. At this level, no meaning is given to the data, and no
particular significance is given to the keys. Typically, in order to provide the required protection for keys and
other sensitive information, a secure cryptographic device must provide a higher level functional interface,
whereby each operation includes several of the fundamental cryptographic operations using some
combination of keys and data obtained from the interface or from an intermediate result. These complex
cryptographic operations are known as functions, and each one operates only on data and keys of the
appropriate type.
4.2.2 Data types
Application level cryptography assigns meaning to data, and data with differing meanings need to be
manipulated and protected in different ways by the secure cryptographic device. Data with a specific meaning
constitutes a data type.
The secure cryptographic device ensures that it is not possible to manipulate a data type in an inappropriate
manner; e.g. a PIN is a data type which must remain secret, whereas other transaction data may constitute a
data type which requires authentication but not secrecy.
A cryptographic key may be regarded as a special data type. A secure cryptographic device ensures that a
key can exist only in the permitted forms given in 4.7.2.
4.2.3 Key types
A key is categorized according to the type of data on which it operates and the manner in which it operates.
The secure cryptographic device ensures that key separation is maintained, so that a key cannot be used with
an inappropriate data type or in an inappropriate manner; e.g. a PIN encipherment key is a key type that is
used only to encipher PINs, whereas a key encipherment key (KEK) is a key type that is used only to encipher
other keys. Also a KEK may require categorization such that it operates only on one type of key, e.g. one type
of KEK may encipher a PIN encipherment key, while another may encipher a message authentication code
(MAC) key.
4 © ISO 2005 – All rights reserved

4.2.4 Cryptographic functions
The set of functions supported by the secure cryptographic device directly reflects the cryptographic
requirements of the application. It might include such functions as:
⎯ enciphering a PIN;
⎯ verifying an enciphered PIN;
⎯ generating a MAC;
⎯ generating an enciphered random key.
The design of the secure cryptographic device is such that no individual function may be used to obtain
unauthorized sensitive information. Additionally, no combination of functions exists which may result in such
data being obtained. Such a design is referred to as being logically secure. A secure cryptographic device
may be required to manage keys of several types. Cryptographic keys used in such a system may be held
securely outside of the cryptographic device by being stored in an enciphered form by using KEKs which
either exist only within the cryptographic device, or are enciphered under a higher level KEK. One technique
of providing key separation is to use a different KEK type for the encipherment of each type of key. When this
technique is used, and an enciphered key is passed to the secure cryptographic device, the key is deciphered
using the KEK type appropriate for the expected key type. If this key is an incorrect type, and thus is
enciphered under some other KEK type associated with some other key type, the decipherment produces a
meaningless key value.
4.3 Key generation
4.3.1 General
The key management principles given in ISO 11568-1 require that keys be generated using a process that
ensures that it is not possible to predict any key or determine that certain keys within the key space are more
probable than others.
In order to conform with this principle, keys and key components shall be generated using a random or
pseudo-random process. The pseudo-random key generation process may be either non-repeatable or
repeatable.
The random or pseudo-random process used, shall be such that it is not feasible to predict any key or to
determine that certain keys are more probable than other keys from the set of all possible keys.
Except for the variants of a key, the non-reversible transformations of a key, and keys enciphered under a key
or derived from a key, compromise of one secret key shall not feasibly provide useful information about any
other secret key.
4.3.2 Non repeatable key generation
This process may involve a non-deterministic value such as the output of a random number generator, or may
be a pseudo-random process.
An example of a pseudo-random process for generating a key, Kx, is as follows, where K is a secret
cryptographic key reserved for key generation, V is a secret seed value and DT is a date-time vector updated
on each key generation:
Kx = eK[eK (DT) ⊕ V]
and generate a new V as follows:
V = eK[Kx ⊕ eK (DT)]
NOTE This method, among others, may be found in ISO 18031.
4.3.3 Repeatable key generation
It is sometimes convenient to generate one or more keys, perhaps thousands, from a single key using a
repeatable process. Such a process allows for any of the resultant keys to be regenerated, as required, in any
location that possesses the seed key and appropriate generation data, and facilitates significant reductions in
the number of keys which require manual management, storage or distribution.
The generation process shall be such that if the initial key is unpredictable within the key space (as required
by the key management principles), then so is each resultant key.
The procedure may be used iteratively, as a key generated from one initial key may subsequently be used as
an initial key to generate others.
The generation process shall be non-reversible, such that disclosure of a generated key discloses neither the
initial key nor any other generated key. An example of such a process is the encipherment of a non-secret
value using the initial key.
4.4 Key calculation (variants)
It is possible to obtain a number of keys from a single key using a reversible process. An example of such a
process is the modulo-2 addition of the key and a non-secret value.
Key calculation has the qualities of speed and simplicity, but disclosure of one key calculated in this manner
discloses the original key and all other keys calculated from it.
4.5 Key hierarchies
A key hierarchy is a conceptual structure in which the confidentiality of certain keys is dependent upon the
confidentiality of other keys. By definition, disclosure of a key at one level of the key hierarchy shall not
disclose any key at a higher level.
Key encipherment introduces a key hierarchy whereby a key encipherment key (KEK) is considered to be at a
higher level than the key that it enciphers. The simplest is a two-level hierarchy, whereby the working keys are
enciphered by KEKs which are themselves stored in a cryptographic device. In a three-level hierarchy, these
KEKs are also managed in an enciphered form using a higher-level KEK. The concept may be extended to
four or more layers.
Similarly, when an initial key or key generating key (KGK) participates in the generation of other keys using a
deterministic process, a hierarchy may result whereby the KGK is considered to be at a higher level than the
generated keys.
Keys at the higher levels of the key hierarchy shall be of equal or greater strength than the keys they are
protecting.
Due consideration shall be paid to known attacks when assessing the equivalent strength of various
cryptographic algorithms. Generally an algorithm can be said to provide s bits of strength where the best-
s−1
known attack would take, on average, 2 T to attack, where T is the amount of time that is required to
perform one encryption of a plaintext value and comparison of the result against the corresponding ciphertext
value.
120−log k
E.g., in reference 2, an attack against 112-bit TDEA is presented that requires O(k) space and 2
operations, where k is the number of known plaintext-ciphertext pairs. As discussed in reference 3, given 2
known plaintext-ciphertext pairs, this reduces the strength of two-key (112-bit) TDEA to 2 . Recommended
equivalent key sizes at the time of publication are given in Table 1. In assessing these numbers consideration
Shall be paid to any further developments in cryptanalysis, factoring and computing generally.
6 © ISO 2005 – All rights reserved

Table 1 — Encryption algorithms — Equivalent strengths
Effective Strength Symmetric RSA Elliptic Curve
80 112-bit TDEA (with 2 known pairs) 1 024 160
112-bit TDEA (with no known pairs)
112 2 048 224
168-bit TDEA
NOTE At the time of publication, in the retail banking environment, where TDEA keys are used for protecting other keys, and are
changed such that the collection of quantities of plaintext/ciphertext pairs sufficient to significantly weaken the underlying cipher is
improbable, 112-bit TDEA can be considered to offer sufficient security for the protection of 168-bit TDEA and 2 048-bit RSA keys.
4.6 Key Life Cycle
The states that make up a key's lifetime are collectively referred to as the key's life cycle. Keys shall be
protected at all stages throughout their life cycle. An operation that changes a key's state is referred to as a
life cycle operation. This subclause specifies the requirements for attaining a given state or performing a given
operation.
The key life cycle consists of three phases as follows.
a) Pre-use: during which the key is generated and optionally stored prior to its use.
b) Use: during which the key is distributed amongst communicating parties for operational use.
In a process where both communicating parties contribute to the generation of a new key, key generation and
distribution are closely integrated.
Some key management schemes are designed for transforming keys automatically during operational use.
c) Post-use: during which a key is archived or terminated.
Figure 1 gives a schematic overview of the key life cycle. It shows how a given operation on a key changes its
state.
A key is considered to be a single object of which multiple instances can exist at different locations and in
different forms. A clear distinction is made between the following operations:
⎯ destruction of a single key instance;
⎯ deletion of a key from a given location, which implies destruction of all instances of this key at that
location;
⎯ termination of a key, which implies deletion of the key from all locations.
Figure 1 — Key life cycle schematic
8 © ISO 2005 – All rights reserved

4.7 Key storage
4.7.1 General
The objective of secure key storage is to protect keys against unauthorized disclosure, modification and/or
substitution and to provide key separation.
4.7.2 Permissible forms
4.7.2.1 General
A key shall exist only in the following forms:
⎯ plaintext key;
⎯ key components;
⎯ enciphered key.
4.7.2.2 Plaintext key
Plaintext secret key(s) whose compromise would affect multiple parties shall exist only within a secure
cryptographic device.
Plaintext secret key(s) whose compromise would affect only one party shall exist only within a secure
cryptographic device or a physically secure environment operated by or on behalf of that party.
4.7.2.3 Key components
A key existing in the form of at least two or more separate key components shall be protected by the
techniques of split knowledge and dual control. For host-based systems it is recommended that a key is
comprised of a minimum of three components.
A key component shall be accessible only to that person or group of persons to whom it has been entrusted
for the minimum duration required.
If a key component is in human comprehensible form (e.g., printed in plaintext inside a key mailer) it shall be
known to only one authorized person at only one point in time, and only for as long as required for the
component to be entered into a secure cryptographic device.
No person with access to one component of the key shall have access to any other component of that key.
Key components shall be stored in such a way that unauthorized access has a high probability of being
detected.
If key components are stored in enciphered form, all requirements for enciphered keys shall apply.
4.7.2.4 Enciphered key
Encipherment of a key using a key encipherment key shall take place within a secure cryptographic device.
4.7.3 Key integrity
The integrity of a key shall be protected using techniques such as:
a) digital signatures;
b) MACs;
c) key block binding methods.
4.7.4 Protection against substitution
The unauthorized substitution of stored keys shall be prevented by one or more of the following means:
a) physically and procedurally preventing unauthorized access to the key-storage area;
b) storing a key enciphered as a function of its intended use;
c) ensuring that it is not possible to know both a plaintext value and its corresponding ciphertext enciphered
under a key encipherment key.
4.7.5 Provisions for key separation
In order to ensure that a stored key is useable only for its intended purpose, key separation for stored keys
shall be provided by one or more of the following:
a) physically segregating stored keys as a function of their intended purpose;
b) storing a key enciphered under a key encipherment key dedicated to encipherment of a specific type of
key;
c) modifying or appending information to a key as a function of its intended purpose, prior to encipherment
of the key for storage.
4.8 Key restoration from back up
Key back up is storage of a copy for the purpose of reinstating a key that is accidentally destroyed, but the
compromise of which is not suspected.
The requirements for key restoration from back up are the same as for key distribution and loading described
in 4.9.
4.9 Key distribution and loading
4.9.1 General
A secure cryptographic device should remain in a physically secure environment until loaded with one or more
keys.
Keys shall be protected during their distribution and loading by one of more the following forms:
a) plaintext within a cryptographic device;
b) in component form;
c) enciphered.
4.9.2 Plaintext keys
The minimum requirements for the distribution and loading of plaintext keys are as follows.
a) The key distribution process shall not disclose any portion of a plaintext key.
b) A plaintext key shall be loaded into a cryptographic device only when it can be assured that the device
has not been subject to prior tampering which might lead to the disclosure of keys or sensitive data.
10 © ISO 2005 – All rights reserved

c) A plaintext key shall be transferred between secure cryptographic devices only when it can be ensured
that there is no tap at the interface that might disclose the transferred key.
d) A secure cryptographic device shall transfer a plaintext key only when at least two authorized persons are
authenticated by the device, e.g. by means of passwords.
e) When a device is used to transfer keys between the cryptographic device that generated the key and the
cryptographic device that will use the key, it shall be a secure cryptographic device. After loading of the
key into the target device the key transfer device shall not retain any information that might disclose that
key.
4.9.3 Key components
The minimum requirements for the distribution and loading of a key component are:
a) the key component distribution process shall not disclose any portion of a key component to an
unauthorized person;
b) a key component shall be loaded into a cryptographic device only when it can be ensured that the device
has not been subject to prior tampering that might lead to the disclosure of keys or sensitive data;
c) a key component shall be transferred to a cryptographic device only when it can be ensured that there is
no tap at the interface that might disclose the transferred component;
d) the key distribution and loading process shall be performed according to the principles of dual control and
split knowledge.
4.9.4 Enciphered keys
An enciphered key may be distributed and loaded electronically via a communications channel.
The distribution process of an enciphered key shall protect against key substitution and modification.
NOTE Methods for achieving the above requirements can be found in ISO/IEC 11770-2.
4.10 Key use
Unauthorized key use shall be prevented. A key shall be used for its intended function and only in its intended
location, however a variant of a key may be used for a different function from that of the original key.
A key shall be used for a single function only.
Any key shall exist in the minimum number of locations consistent with effective system operation. Any key
that exists in a transaction-originating device shall not exist in any other such device.
A key shall cease to be used when its compromise is known or suspected.
4.11 Key replacement
A key and its variants shall be replaced when compromise or substitution of the key is known or suspected. If
the key under suspicion is a key encipherment key or a key from which other keys are derived, then all keys
that are hierarchically under it shall also be replaced.
A key shall be replaced within the least time deemed feasible to perform a dictionary or key exhaustion attack.
This time will depend upon the specific implementation and the technology available at the time of the attack.
Replacement of a key shall take place in all operational locations where the key exists.
Replaced keys shall not be returned to active use.
There are two ways of replacing keys:
⎯ by distributing a new key;
⎯ by non-reversibly transforming the current key.
When the compromise of a key is known or suspected the key shall be replaced by distribution of a new key
and not by the non-reversible transformation of the original key.
Key replacement requires destruction of the old key.
Transformation of a key prevents backtracking; i.e., compromise of the current key does not compromise
previously used keys.
4.12 Key destruction
An instance of a key shall be destroyed when it is no longer required for active use. Electronic instances of a
key can be destroyed by erasure. However, information may still reside in other forms so that the key may
subsequently be restored for active use.
When a secure cryptographic device is to be permanently removed from service, all keys stored within the
device shall be destroyed.
4.13 Key deletion
When a key is no longer required at an operational location it shall be deleted.
Key deletion occurs when all instances of the key have been destroyed at a given location.
4.14 Key archive
An archived key shall only be used to verify the legitimacy of transactions that occurred prior to archiving.
After such verification, the instance of the key necessary to perform the verification shall be destroyed.
An archived key shall not be returned to operational use.
Archived keys shall be securely stored for the life of all data or keys enciphered under such keys.
A key shall be archived in such a way that the risk of exposure of keys that are still in operational use is not
increased.
An archived key shall be retained for no longer than is necessary to meet regulatory, legal and/or business
obligations.
4.15 Key termination
Key termination occurs when the key has been deleted from all locations where it has ever occurred.
Subsequent to key termination, no information shall exist from which the key can feasibly be reconstructed.
12 © ISO 2005 – All rights reserved

5 Techniques for the provision of key management services
5.1 Introduction
This clause describes the techniques that shall be used, individually or in combination, to provide the key
management services introduced in ISO 11568-1. Some techniques provide multiple key management
services. A cross reference between the key management services and the techniques is given in Clause 7.
The selected techniques shall be implemented in a secure cryptographic device (see ISO 13491-1 and -2) that
ensures the intended purpose of the technique and its security objectives are achieved.
5.2 Key encipherment
Key encipherment is a technique whereby one key is enciphered using another key. The resulting enciphered
key may then be managed securely outside of the protected environment of a secure cryptographic device. A
key used to perform such encipherment is called a key encipherment key (KEK). Although key encipherment
ensures key confidentiality is maintained, other techniques may need to be employed in association with the
key encipherment in order to ensure adequate key separation and to prevent key substitution and to ensure
key integrity.
Where the length of the enciphered key exceeds the block size of the key encrypting cipher, the individual
blocks of the enciphered key shall:
a) have integrity whereby each block in the key has not been altered in an unauthorized manner since the
time it was generated, transmitted or stored by an authorized source;
b) be used in the appropriate order as specified by the particular mode;
c) be considered a fixed quantity in which an individual block cannot be manipulated whilst leaving the other
block(s) unchanged;
d) be such that they cannot be unbundled for any unauthorized purpose.
5.3 Key variants
Key variants is a technique for obtaining a set of keys from a single key, with each resulting key having a
different key type.
This technique provides key separation while eliminating the need to manage a separate, unrelated key of
each required type. Each variant key is calculated from the original key and one constant from a set of
non-secret constants using a repeatable process (f), as illustrated in Figure 2. The process of repeatable key
calculation is described in 4.3.3.
A constant having a unique value in the set of constants shall be allocated to each key type to be calculated
from the original key using the key variants technique.

Figure 2 — Variant key calculation
A variant key calculated using a reversible process shall exist only in the cryptographic device which contains
the original key.
The key variants technique is applicable at all levels of a key hierarchy. A single key may be used to calculate
a set of KEKs of different types, i.e., each KEK is to be used to encipher a different key type. Alternatively, a
single key may generate a set of working keys of different types.
5.4 Key derivation
Key derivation is a technique by which a (potentially large) number of keys is generated (“derived”) from a
single initial key and non-secret variable data, with each resulting key being the initial key for a different
secure cryptographic device – typically the PIN pad of a POS terminal. The initial key is called a “derivation
key” and each key generated from it is called a “derived key”. Key derivation provides key separation by
generating a (statistically) unique key for each cryptographic device without the need to manage a large
number of separate, unrelated keys. This eliminates the need to store the ciphertext of each initial key at the
acquirer or receiving node, as when a key is needed for subsequent use it is derived again from the derivation
key and appropriate derivation data.
The derived key generation procedure utilizes a non-reversible process, as illustrated in Figure 3, using the
derivation key and data that uniquely identifies the target cryptographic device.

Figure 3 — Generation of a derived key
The use of a non-reversible process ensures that the compromise of a derived key does not disclose the
derivation key or any other derived keys. However, compromise of a derivation key discloses all keys derived
from it.
Key calculation (see 4.4) through its use of a reversible process is not suitable for use as a
...