ISO 11568-2:2012

INTERNATIONAL ISO
STANDARD 11568-2
Third edition
2012-02-01
Financial services — Key management
(retail) —
Part 2:
Symmetric ciphers, their key
management and life cycle
Services financiers — Gestion de clés (services aux particuliers) —
Partie 2: Algorithmes cryptographiques symétriques, leur gestion de
clés et leur cycle de vie
Reference number
©
ISO 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO’s
member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2012 – All rights reserved

Contents Page
Foreword .iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General environment for key management techniques . 4
4.1 General . 4
4.2 Functionality of a secure cryptographic device . 4
4.3 Key generation . 5
4.4 Key calculation (variants) . 6
4.5 Key hierarchies . 6
4.6 Key life cycle . 7
4.7 Key storage . 9
4.8 Key restoration from back-up .10
4.9 Key distribution and loading .10
4.10 Key use . 11
4.11 Key cryptoperiod . 11
4.12 Key replacement .12
4.13 Key destruction .12
4.14 Key deletion .12
4.15 Key archive .13
4.16 Key termination .13
5 Techniques for the provision of key management services .13
5.1 General .13
5.2 Key encipherment .13
5.3 Key variants .13
5.4 Key derivation .14
5.5 Key transformation .14
5.6 Key offsetting .15
5.7 Key notarization .16
5.8 Key tagging .16
5.9 Key verification .18
5.10 Key identification .18
5.11 Controls and audit .19
5.12 Key integrity .19
6 Symmetric key life cycle .20
6.1 General .20
6.2 Key generation .20
6.3 Key storage .20
6.4 Key restoration from back-up .21
6.5 Key distribution and loading .21
6.6 Key use .23
6.7 Key replacement .23
6.8 Key destruction, deletion, archive and termination .23
7 Key management services cross-reference .24
Annex A (normative) Notation used in this part of ISO 11568 .26
Annex B (normative) Approved algorithms for symmetric key management .27
Annex C (normative) Abbreviations .28
Bibliography .29
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International
Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 11568-2 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Financial Services, security.
This third edition cancels and replaces the second edition (ISO 11568-2:2005), which has been technically revised.
ISO 11568 consists of the following parts, under the general title Financial services — Key management (retail):
— Part 1: Principles
— Part 2: Symmetric ciphers, their key management and life cycle
— Part 4: Asymmetric cryptosystems — Key management and life cycle
iv © ISO 2012 – All rights reserved

Introduction
ISO 11568 is one of a series of standards describing procedures for the secure management of cryptographic
keys used to protect messages in a retail financial services environment, for instance, messages between an
acquirer and a card acceptor, or an acquirer and a card issuer.
This part of ISO 11568 addresses the key management requirements that are applicable in the domain of
retail financial services. Typical of such services are point-of-sale/point-of-service (POS) debit and credit
authorizations and automated teller machine (ATM) transactions.
This part of ISO 11568 describes key management techniques which, when used in combination, provide the
key management services identified in ISO 11568-1. These services are:
— key separation;
— key substitution prevention;
— key identification;
— key synchronization;
— key integrity;
— key confidentiality;
— key compromise detection.
The key management services and corresponding key management techniques are cross-referenced in Clause 7.
This part of ISO 11568 also describes the key life cycle in the context of secure management of cryptographic
keys for symmetric ciphers. It states both requirements and implementation methods for each step in the
life of such a key, utilizing the key management principles, services and techniques described herein and
in ISO 11568-1. This part of ISO 11568 does not cover the management or key life cycle for keys used in
asymmetric ciphers, which are covered in ISO 11568-4.
In the development of ISO 11568, due consideration was given to ISO/IEC 11770; the mechanisms adopted
and described in this part of ISO 11568 are those required to satisfy the needs of the financial services industry.
INTERNATIONAL STANDARD ISO 11568-2:2012(E)
Financial services — Key management (retail) —
Part 2:
Symmetric ciphers, their key management and life cycle
1 Scope
This part of ISO 11568 specifies techniques for the protection of symmetric and asymmetric cryptographic
keys in a retail banking environment using symmetric ciphers and the life-cycle management of the associated
symmetric keys. The techniques described enable compliance with the principles described in ISO 11568-1.
The techniques described are applicable to any symmetric key management operation.
The notation used in this part of ISO 11568 is given in Annex A.
Algorithms approved for use with the techniques described in this part of ISO 11568 are given in Annex B.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced document
(including any amendments) applies.
ISO 9564-1, Financial services — Personal Identification Number (PIN) management and security — Part 1:
Basic principles and requirements for PINs in card-based systems
ISO/IEC 10116, Information technology — Security techniques — Modes of operation for an n-bit block cipher
ISO 11568-1:2005, Banking — Key management (retail) — Part 1: Principles
ISO 11568-4, Banking — Key management (retail) — Part 4: Asymmetric cryptosystems — Key management
and life cycle
ISO 13491-1, Banking — Secure cryptographic devices (retail) — Part 1: Concepts, requirements and
evaluation methods
ISO 13491-2:2005, Banking — Secure cryptographic devices (retail) — Part 2: Security compliance checklists
for devices used in financial transactions
ISO 16609, Financial services — Requirements for message authentication using symmetric techniques
ISO/IEC 18033-3, Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE Abbreviations used in this part of ISO 11568 are given in Annex C.
3.1
cipher
pair of operations that effect transformations between plaintext and ciphertext under the control of a
parameter called a key
NOTE The encipherment operation transforms data (plaintext) into an unintelligible form (ciphertext). The decipherment
operation restores the plaintext.
3.2
counter
incrementing count used between two parties, e.g. to control successive key distributions under a particular
key encipherment key
3.3
cryptographic key
mathematical value that is used in an algorithm to transform plain text into cipher text, or vice versa
3.4
data integrity
property that data has not been altered or destroyed in an unauthorized manner
3.5
data key
cryptographic key used for the encipherment, decipherment or authentication of data
3.6
dual control
process of utilizing two or more separate entities (usually persons) operating in concert to protect sensitive
functions or information, whereby no single entity is able to access or utilize the materials
NOTE Materials might be, for example, the cryptographic key.
3.7
hexadecimal digit
single character in the range 0 to 9, A to F (upper case), representing a four-bit string
3.8
key component
one of at least two randomly or pseudo-randomly generated parameters having the characteristics (e.g. format,
randomness) of a cryptographic key that is combined with one or more like parameters (e.g. by means of
modulo-2 addition) to form a cryptographic key
3.9
key mailer
tamper-evident envelope that has been designed to convey a key component to an authorized person
3.10
key offset
offset
result of adding a counter to a cryptographic key using modulo-2 addition
3.11
key space
set of all possible keys used within a cipher
3.12
key transfer device
secure cryptographic device that provides key import, storage and export functionalities
NOTE See ISO 13491-2:2005, Annex F.
2 © ISO 2012 – All rights reserved

3.13
key transformation
derivation of a new key from an existing key using a non-reversible process
3.14
MAC
message authentication code
code in a message between an originator and a recipient, used to validate the source and part or all of the
text of a message
NOTE The code is the result of an agreed calculation.
3.15
modulo-2 addition
XOR
exclusive-or
binary addition with no carry, giving the following values:
0 + 0 = 0
0 + 1 = 1
1 + 0 = 1
1 + 1 = 0
3.16
n-bit block cipher
block cipher algorithm with the property that plaintext blocks and ciphertext blocks are n-bits in length
3.17
notarization
method of modifying a key encipherment key in order to authenticate the identities of the originator and the
ultimate recipient
3.18
originator
party that is responsible for originating a cryptographic message
3.19
pseudo-random
statistically random and essentially unpredictable although generated by an algorithmic process
NOTE Pseudo-random number generators commonly found in commercial software packages do not provide
sufficient randomness for use in cryptographic operations.
3.20
recipient
party that is responsible for receiving a cryptographic message
3.21
secure cryptographic device
SCD
device that provides secure storage for secret information, such as keys, and provides security services based
on this secret information
NOTE See ISO 13491-2.
3.22
split knowledge
condition under which two or more parties separately and confidentially have custody of the constituent part of
a single cryptographic key which, individually, conveys no knowledge of the resultant cryptographic key
4 General environment for key management techniques
4.1 General
The techniques that may be used to provide the key management services are described in Clause 5 and the
key life cycle in Clause 6. This clause describes the environment within which those techniques operate and
introduces some fundamental concepts and operations, which are common to several techniques.
4.2 Functionality of a secure cryptographic device
4.2.1 General
The most fundamental cryptographic operations for a symmetric block cipher are to encipher and decipher a
block of data using a supplied secret key. For multiple blocks of data, these operations might use a mode of
operation of the cipher as described in ISO/IEC 10116. At this level, no meaning is given to the data, and no
particular significance is given to the keys. Typically, in order to provide the required protection for keys and
other sensitive information, a secure cryptographic device provides a higher level functional interface, whereby
each operation includes several of the fundamental cryptographic operations using some combination of keys
and data obtained from the interface or from an intermediate result. These complex cryptographic operations
are known as functions, and each one operates only on data and keys of the appropriate type.
4.2.2 Data types
Application level cryptography assigns meaning to data, and data with differing meanings are manipulated and
protected in different ways by the secure cryptographic device. Data with a specific meaning constitutes a data type.
The secure cryptographic device ensures that it is not possible to manipulate a data type in an inappropriate
manner. For example, a PIN is a data type which is required to remain secret, whereas other transaction data
may constitute a data type which requires authentication but not secrecy.
A cryptographic key may be regarded as a special data type. A secure cryptographic device ensures that a key
can exist only in the permitted forms given in 4.7.2.
4.2.3 Key types
A key is categorized according to the type of data on which it operates and the manner in which it operates.
The secure cryptographic device ensures that key separation is maintained, so that a key cannot be used with
an inappropriate data type or in an inappropriate manner. For example, a PIN encipherment key is a key type
that is used only to encipher PINs, whereas a key encipherment key (KEK) is a key type that is used only to
encipher other keys. Additionally, a KEK may require categorization such that it operates only on one type
of key, e.g. one type of KEK may encipher a PIN encipherment key, while another may encipher a message
authentication code (MAC) key.
4.2.4 Cryptographic functions
The set of functions supported by the secure cryptographic device directly reflects the cryptographic
requirements of the application. It might include such functions as:
— enciphering a PIN;
— verifying an enciphered PIN;
— generating a MAC;
4 © ISO 2012 – All rights reserved

— generating an enciphered random key.
The design of the secure cryptographic device is such that no individual function can be used to obtain
unauthorized sensitive information. Additionally, no combination of functions exists which might result in such
data being obtained. Such a design is referred to as being logically secure. A secure cryptographic device may
be required to manage keys of several types. Cryptographic keys used in such a system may be held securely
outside of the cryptographic device by being stored in an enciphered form using KEKs, which either exist only
within the cryptographic device, or are enciphered under a higher level KEK. One technique of providing key
separation is to use a different KEK type for the encipherment of each type of key. When this technique is used,
and an enciphered key is passed to the secure cryptographic device, the key is deciphered using the KEK type
appropriate for the expected key type. If this key is an incorrect type, and thus is enciphered under some other
KEK type associated with some other key type, the decipherment produces a meaningless key value.
4.3 Key generation
4.3.1 General
The key management principles given in ISO 11568-1 require that keys be generated using a process that
ensures that it is not possible to predict any key or determine that certain keys within the key space are more
probable than others.
In order to conform with this principle, keys and key components shall be generated using a random or pseudo-
random process. The pseudo-random key generation process may be either non-repeatable or repeatable.
The random or pseudo-random process used shall be such that it is not feasible to predict any key or to
determine that certain keys are more probable than other keys from the set of all possible keys.
Other than the variants of a key, the non-reversible transformations of a key and keys enciphered under a key
or derived from a key, one secret key shall not feasibly provide useful information about any other secret key.
4.3.2 Non-repeatable key generation
This process may involve a non-deterministic value such as the output of a random number generator, or it may
be a pseudo-random process.
An example of a pseudo-random process for generating a key, Kx, is as follows:
Kx = eK[eK (DT) ⊕ V]
where
K is a secret cryptographic key reserved for key generation,
V
is a secret seed value, and
DT is a date-time vector updated on each key generation.
A new seed value, V, is generated as follows:
V = eK[Kx ⊕ eK (DT)]
NOTE This method, among others, can be found in ISO/IEC 18031.
4.3.3 Repeatable key generation
It is sometimes convenient to generate one or more keys, perhaps thousands, from a single key using a
repeatable process. Such a process allows for any of the resultant keys to be regenerated, as required, in any
location that possesses the seed key and appropriate generation data, and facilitates significant reductions in
the number of keys which require manual management, storage or distribution.
The generation process shall be such that if the initial key is unpredictable within the key space (as required by
the key management principles), then so is each resultant key.
The procedure may be used iteratively, as a key generated from one initial key may subsequently be used as
an initial key to generate others.
The generation process shall be non-reversible, such that disclosure of a generated key discloses neither the
initial key nor any other generated key. An example of such a process is the encipherment of a non-secret value
using the initial key.
4.4 Key calculation (variants)
It is possible to obtain a number of keys from a single key using a reversible process. An example of such a
process is the modulo-2 addition of the key and a non-secret value.
Key calculation has the qualities of speed and simplicity, but disclosure of one key calculated in this manner
discloses the original key and all other keys calculated from it.
4.5 Key hierarchies
A key hierarchy is a conceptual structure in which the confidentiality of certain keys is dependent upon the
confidentiality of other keys. By definition, disclosure of a key at one level of the key hierarchy shall not disclose
any key at a higher level.
Key encipherment introduces a key hierarchy whereby a KEK is considered to be at a higher level than the key
that it enciphers. The simplest is a two-level hierarchy, whereby the working keys are enciphered by KEKs which
are themselves stored in a cryptographic device. In a three-level hierarchy, these KEKs are also managed in an
enciphered form using a higher-level KEK. The concept may be extended to four or more layers.
Similarly, when an initial key or key generating key (KGK) participates in the generation of other keys using a
deterministic process, a hierarchy may result whereby the KGK is considered to be at a higher level than the
generated keys.
Keys at the higher levels of the key hierarchy shall be of equal or greater strength than the keys they are protecting.
Due consideration shall be paid to known attacks when assessing the equivalent strength of various
cryptographic algorithms. Generally, an algorithm can be said to provide s bits of strength where the best-
s−1
known attack would take, on average, 2 T to attack, where T is the amount of time that is required to perform
one encryption of a plaintext value and to compare the result against the corresponding ciphertext value.
Recommended equivalent key sizes at the time of publication are given in Table 1. In assessing these numbers,
consideration shall be paid to any further developments in cryptanalysis, factoring and computing generally.
See ISO/TR 14742 for additional information.
Table 1 — Encryption algorithms: equivalent strengths
Effective Strength Symmetric RSA Elliptic curve
80 112-bit TDEA (with 2 known pairs) 1 024 160
112-bit TDEA (with no known pairs)
112 2 048 224
168-bit TDEA
128 128-bit AES 3 072 256
192 192-bit AES 7 680 384
256 256-bit AES 15 360 521
NOTE At the time of publication, in the retail banking environment, where TDEA keys are used for protecting other keys and are
changed such that the collection of quantities of plaintext/ciphertext pairs sufficient to significantly weaken the underlying cipher is
improbable, 112-bit TDEA can be considered to offer sufficient security for the protection of 168-bit TDEA and 2 048-bit RSA keys.
6 © ISO 2012 – All rights reserved

4.6 Key life cycle
The phases that make up a key’s lifetime are collectively referred to as the key’s life cycle. Keys shall be protected
at all stages throughout their life cycle. An operation that changes a key’s state is referred to as a life cycle
operation. This subclause specifies the requirements for attaining a given state or performing a given operation.
The key life cycle consists of three phases as follows.
a) Pre-use, during which the key is generated and optionally stored prior to its use.
b) Use, during which the key is distributed among communicating parties for operational use.
In a process where both communicating parties contribute to the generation of a new key, key generation and
distribution are closely integrated.
Some key management schemes are designed for transforming keys automatically during operational use.
c) Post-use, during which a key is archived or terminated.
Figure 1 gives a schematic overview of the key life cycle. It shows how a given operation on a key changes its state.
A key is considered to be a single object of which multiple instances can exist at different locations and in
different forms. A clear distinction is made between the following operations:
— destruction of a single key instance;
— deletion of a key from a given location, which implies destruction of all instances of this key at that location;
— termination of a key, which implies deletion of the key from all locations.
Figure 1 — Key life cycle schematic
8 © ISO 2012 – All rights reserved

4.7 Key storage
4.7.1 General
The objective of secure key storage is to protect keys against unauthorized disclosure, modification and/or
substitution, and to provide key separation.
4.7.2 Permissible forms
4.7.2.1 General
A key shall exist only in the following forms:
— plaintext key;
— key components;
— enciphered key.
4.7.2.2 Plaintext key
Plaintext secret keys, the compromise of which would affect multiple parties, shall exist only within a secure
cryptographic device.
Plaintext secret keys, the compromise of which would affect only one party, shall exist only within a secure
cryptographic device or a physically secure environment operated by or on behalf of that party.
4.7.2.3 Key components
A key existing in the form of at least two or more separate key components shall be protected by the techniques
of split knowledge and dual control.
Key components shall be created such that knowledge of any bit of a component does not provide knowledge
of any bit of the corresponding key. For example, each component of a “double length” key is the full length of
the final “double length” key.
A key component shall be accessible only to that person or group of persons to whom it has been entrusted
for the minimum duration required.
If a key component is in human comprehensible form (e.g. printed in plaintext inside a key mailer) it shall
be visible to only one authorized person at only one point in time, and only for as long as required for the
component to be entered into a secure cryptographic device.
No person with access to one component of the key shall have access to any other component of that key.
Key components shall be stored in such a way that unauthorized access has a high probability of being detected.
If key components are stored in enciphered form, all requirements for enciphered keys shall apply.
When in component form, it is recommended that a key encrypting key that protects a large number of keys,
such as an acquirer or issuer top-level key, comprises at least three components.
4.7.2.4 Enciphered key
Encipherment of a key using a KEK shall take place within a secure cryptographic device.
4.7.3 Key integrity
The integrity of a key shall be protected using techniques such as:
a) MACs (see ISO 16609);
b) key block binding methods;
c) digital signatures (see ISO 11568-4).
4.7.4 Protection against substitution
The unauthorized substitution of stored keys shall be prevented by one or more of the following means:
a) physically and procedurally preventing unauthorized access to the key-storage area;
b) storing a key enciphered as a function of its intended use;
c) ensuring that it is not possible to know both a plaintext value and its corresponding ciphertext
enciphered under a KEK.
4.7.5 Provisions for key separation
In order to ensure that a stored key is usable only for its intended purpose, key separation for stored keys shall
be provided by one or more of the following means:
a) physically segregating stored keys as a function of their intended purpose;
b) storing a key enciphered under a KEK dedicated to encipherment of a specific type of key;
c) modifying or appending information to a key as a function of its intended purpose, prior to encipherment of
the key for storage.
4.8 Key restoration from back-up
Key back-up is storage of a copy for the purpose of reinstating a key that is accidentally destroyed, but the
compromise of which is not suspected.
The requirements for key restoration from back-up are the same as for key distribution and loading described in 4.9.
4.9 Key distribution and loading
4.9.1 General
A secure cryptographic device should remain in an environment as defined in ISO 13491-2:2005, H.3 until
loaded with one or more keys.
Keys shall be protected during their distribution and loading by one or more of the following forms:
a) plaintext within an SCD or during transfer between SCDs (see 4.9.2);
b) in component form (see 4.9.3);
c) enciphered (see 4.9.4).
4.9.2 Plaintext keys
The minimum requirements for the distribution and loading of plaintext keys are as follows.
a) The key distribution process shall not disclose any portion of a plaintext key.
b) A plaintext key shall be loaded into a cryptographic device only when it can be ensured that the device has
not been subject to prior tampering which might lead to the disclosure of keys or sensitive data.
c) A plaintext key shall be transferred between secure cryptographic devices only when it can be ensured
that there is no tap at the interface that might disclose the transferred key.
10 © ISO 2012 – All rights reserved

d) A secure cryptographic device shall transfer a plaintext key only when at least two authorized persons are
authenticated by the device, e.g. by means of passwords.
e) A key transfer device is a portable device used to transfer keys between the SCD that generated the key
and the SCD that will use the key. A key transfer device shall be a secure cryptographic device. After
loading of the key into the target device, the key transfer device shall not retain any information that might
disclose that key.
f) A key injection device is a device used within a key injection facility to transfer keys to the SCD that will use
the keys. A key injection device shall be an SCD and shall remain at all times within a key injection facility
while in service.
4.9.3 Key components
The minimum requirements for the distribution and loading of a key component are as follows.
a) The key component distribution process shall not disclose any portion of a key component to an
unauthorized person.
b) A key component shall be loaded into a cryptographic device only when it can be ensured that the device
has not been subject to prior tampering that might lead to the disclosure of keys or sensitive data.
c) A key component shall be transferred to a cryptographic device only when it can be ensured that there is
no tap at the interface that might disclose the transferred component.
d) The key distribution and loading process shall be performed according to the principles of dual control and
split knowledge.
4.9.4 Enciphered keys
An enciphered key may be distributed and loaded electronically via a communications channel.
The distribution process of an enciphered key shall protect against key substitution and modification.
NOTE Methods for achieving the above requirements can be found in ISO/IEC 11770-2.
4.10 Key use
Unauthorized key use shall be prevented. A key shall be used for its intended function and only in its intended
location. However, a variant of a key may be used for a different function from that of the original key.
A key shall be used for a single function only.
Any key shall exist in the minimum number of locations consistent with effective system operation. Any key that
exists in a transaction-originating device shall not exist in any other such device.
A key shall cease to be used when its compromise is known or suspected.
4.11 Key cryptoperiod
Key cryptoperiods serve to:
a) limit the information (related to a specific key) available for cryptanalysis;
b) limit exposure in the case of compromise of a single key;
c) limit the use of a particular technology to its estimated effective lifetime; and
d) limit the time available for computationally intensive cryptanalytic attacks (in applications where long-term
key protection is not required).
The cryptoperiod of a key shall be no longer than the least time deemed feasible to perform a dictionary or key
exhaustion attack (see ISO/TR 14742 for guidance on usable key life). This time will depend upon the specific
implementation and the technology available at the time of the attack.
Keys may be classified based on temporal considerations as follows.
1) Long-term keys, e.g. key-encrypting keys, keys used to validate PINs.
2) Short-term keys, e.g. session keys used for PIN encryption, MACs.
In well-designed crypto systems, key hierarchies are employed to lessen the effects of key compromise. By
layering keys into a key hierarchy, each individual key is used less often than would be the case if only single
fixed keys were used. Additionally, the higher level (long-term) key encrypting keys are usually used in a manner
that prevents access to plaintext/ciphertext pairs for cryptanalysis. In order for such systems to be effective, the
lower level (short-term) keys should be replaced on a sufficiently frequent basis to a) limit exposure in case of
key compromise, and b) reduce the total plaintext/ciphertext pairs potentially available for cryptanalysis.
At the conclusion of a key’s cryptoperiod, it shall be replaced (see 4.12).
4.12 Key replacement
A key and its variants shall be replaced when compromise or substitution of the key is known or suspected. If
the key under suspicion is a KEK or a key from which other keys are derived, then all keys that are hierarchically
under it shall also be replaced.
Replacement of a key shall take place in all operational locations where the key exists.
Replaced keys shall not be returned to active use.
There are two ways of replacing keys:
— by distributing a new key;
— by non-reversibly transforming the current key.
When the compromise of a key is known or suspected, the key shall be replaced by distribution of a new key
and not by the non-reversible transformation of the original key.
Key replacement requires destruction of the old key.
Transformation of a key prevents backtracking, i.e. compromise of the current key does not compromise
previously used keys.
4.13 Key destruction
An instance of a key shall be destroyed when it is no longer required for active use. Electronic instances of
a key can be destroyed by erasure. However, information may still reside in other forms so that the key may
subsequently be restored for active use.
When a secure cryptographic device is to be permanently removed from service, all keys stored within the
device shall be destroyed.
4.14 Key deletion
When a key is no longer required at an operational location it shall be deleted.
Key deletion occurs when all instances of the key have been destroyed at a given location.
12 © ISO 2012 – All rights reserved

4.15 Key archive
An archived key shall only be used to verify the legitimacy of transactions that occurred prior to archiving. After
such verification, the instance of the key necessary to perform the verification shall be destroyed.
An archived key shall not be returned to operational use.
Archived keys shall be securely stored for the life of all data or keys enciphered under such keys.
A key shall be archived in such a way that the risk of exposure of keys that are still in operational use is not increased.
An archived key shall be retained for no longer than is necessary to meet regulatory, legal and/or business obligations.
4.16 Key termination
Key termination occurs when the key has been deleted from all locations where it has ever occurred. Subsequent
to key termination, no information shall exist from which the key can feasibly be reconstructed.
5 Techniques for the provision of key management services
5.1 General
This clause describes the techniques that shall be used, individually or in combination, to provide the key
management services introduced in ISO 11568-1. Some techniques provide multiple key management services.
A cross-reference between the key management services and the techniques is given in Clause 7.
The selected techniques shall be implemented in a secure cryptographic device (see ISO 13491-1 and
ISO 13491-2) that ensures the intended purpose of the technique and its security objectives are achieved.
5.2 Key encipherment
Key encipherment is a technique whereby one key is enciphered using another key. The resulting enciphered
key may then be managed securely outside the protected environment of a secure cryptographic device. A
KEK is used to perform such encipherment. Although key encipherment ensures that key confidentiality is
maintained, other techniques might need to be employed in association with the key encipherment in order to
ensure adequate key separation, to prevent key substitution and to ensure key integrity.
Where the length of the enciphered key exceeds the block size of the key encrypting cipher, the individual
blocks of the enciphered key shall:
a) have integrity, whereby no block in the key has been altered in an unauthorized manner since the time it
was generated, transmitted or stored by an authorized source;
b) be used in the appropriate order, as specified by the particular mode;
c) be considered a fixed quantity in which an individual block cannot be manipulated while leaving the other
block(s) unchanged;
d) be such that they cannot be unbundled for any unauthorized purpose.
5.3 Key variants
Key variants allow a set of keys to be obtained from a single key, with each resulting key having a different key type.
This technique provides key separation while eliminating the need to manage a separate, unrelated key of each
required type. Each variant key is calculated from the original key and one constant from a set of non-secret
constants using a repeatable process, f, as illustrated in Figure 2. The process of repeatable key calculation is
described in 4.3.3.
A constant having a unique value in the set of constants shall be allocated to each key type to be calculated
from the original key using the key variants technique.
Figure 2 — Variant key calculation
A variant key calculated using a reversible process shall exist only in the cryptographic device which contains
the original key.
The key variants technique is applicable at all levels of a key hierarchy. A single key may be used to calculate
a set of KEKs of different types, i.e. each KEK is to be used to encipher a different key type. Alternatively, a
single key may generate a set of working keys of different types.
5.4 Key derivation
Key derivation is a technique by which a (potentially large) number of keys is generated (“derived”) from a
single initial key and non-secret variable data, with each re
...