15 September 1998
Thanks to JM


-----Original Message-----
From:	  Michael Versace [SMTP:Michael.Versace@bos.frb.org]
Sent:	  Monday, September 07, 1998 8:50 AM
To:	  ansi-epay@lists.commerce.net
Subject:  Paper on DES Transition
 
        The attached DRAFT paper has been distributed by ASC X9F3 for 
     comment.  There is a possibility that this paper will be used as a 
     basis for discussion at the ASC X9F meeting (with ABA) here in 
     Boston on 9/9 and 9/10.  Both Gene Kathol and I will be attending.
     
        At this point, this paper has no X9 official standing.  X9A 
     comments are welcome.
     
     Best Regards
     Michael Versace
     Federal Reserve Financial Services
     Retail Payments Office
     Vice Chair, X9A


[DRAFT]

Retail Financial Systems

Continue to use DES during transition

1. For PIN management

1. immediately move to the use of a unique key per transaction in accordance with ANSI X9.24.

2. migrate to algorithm independent implementations

a. Triple DES for PIN protection and key management as soon as possible

b. The Advanced Encryption Standard (AES) for PIN protection, when available

c. provide for a transition to public key cryptography for key management using ANSI X9.42, X9.44, or X9.63.

d. New implementations should:

1) be algorithm independent

2) use an easily replaceable module (either a standard PCI bus or PCMCIA card interface) for the cryptographic algorithm and processes

2. For authentication

1. use X9.19 Message Authentication Codes (MAC) for authentication, using a new key for every session or transaction.

2. migrate to:

a. public key signatures (X9.30, X9.31, X9.62) or HMACs (X9.71, Keyed Hash for Message Authentication).

b. public key certificates using ISO CD-15782-1 and CD-15782-3. The ANSI standards X9.57 and X9.55 are very similar, but are not algorithm independent.

c. public key cryptography for key management using X9.42, X9.44, or X9.63.

d. implementations should be algorithm independent.

3. For Encryption (other than PINs)

Migrate to algorithm independent implementations:

1. Triple DES encryption and key management using public key cryptography as soon as possible

2. The Advanced Encryption Standard (AES), when available

3. public key cryptography for authentication key management using ANSI X9.42, X9.44, or X9.63

4. implementations should be algorithm independent.

Wholesale Financial Systems

1. During the transition

Continue to use DES during transition, using one key per session.

2. For authentication

1. continue to use X9.9 Message Authentication Codes (MAC) for authentication, using a new key for every session or transaction.

2. use the Triple DES key management option in X9.17 for key management

3. migrate to:

a. public key signatures (ANSI X9.30, X9.31, X9.62) or HMACs (X9.71, Keyed Hash for Message Authentication).

b. public key cryptography for management using ANSI X9.42, X9.44, or X9.63.

3. For encryption

1. immediately:

a. move to the use of one key per session

b. cease using DES to protect information that must be kept confidential or whose integrity must be preserved for any time over a minute.

c. use the Triple DES key management option in X9.17 for key management

3. migrate to:

a. Algorithm independent implementations

1) Triple DES as defined in ANSI X9.52 as soon as possible

2) The Advanced Encryption Standard (AES), when available

b. public key cryptography for management (X9.42, X9.44, X9.63)

Recommendations to ASC X9

Because of the recent successful attack on the DES algorithm, (Name of organization) requests that ASC X9:

1. Refurbish and recommend measures on improving the security of existing standards

Standard(s): X9.8-1995, Personal Identification Number (PIN) Management and Security and X9.24-1992, Financial Services Retail Key Management

Action requested/Comments:

1. Users migrate to Triple DES for PIN protection and key management as soon as possible

2. Modify X9.8 and X9.24 to require that new implementations:

a. be algorithm independent

b. use an easily replaceable module (either a standard PCI bus or PCMCIA card interface) for the cryptographic algorithm and processes

c. provide for a transition to public key cryptography using, as appropriate, ANSI X9.30, X9.31, X9.42, X9.44, X9.62, X9.63.

Standard(s): X9.9-1986 (R-1994), Financial Institution Message Authentication (Wholesale)

Action requested/Comments:

1. X9 Technical Report that recommends to users that they move to the MAC computation process of X9.19, Financial Institution Retail Message Authentication.

2. Pave the way for movement to X9.72-199x, Peer Entity Authentication Using Public Key.

3. Withdraw when X9.72 is approved.

Standard(s): X9.17-1995, Financial Institution Key Management (Wholesale)

Action requested/Comments:

1. X9 Technical Report that shows how to transport a Triple DES key using X9.17.

2. Pave the way for movement to X9.70 and algorithm independent public key.

3. Withdraw when X9.70 is approved.

Standard(s): X9.23-1988 (R-1995), Encryption of Wholesale Financial Messages

Action requested/Comments:

1. X9 Technical Report that shows users how to move to Triple DES.

2. Pave the way for movement to X9.73, Cryptographic Message Syntax.

3. Withdraw when X9.73 is approved.

Standard(s): X9.26-1990 (R-1996), Financial Institution Sign-On Authentication for Wholesale Financial Services

Action requested/Comments:

1. X9 Technical Report that points out problems and urges users to move immediately to public key signatures.

2. Withdraw in six months.


2. Complete and publish the following standards and guidelines in accordance with the priority given

Highest Priority

Standard | Action requested/Comments

X9.44, Management of Symmetric Algorithms Keys Using Reversible Public Key Cryptography | Complete and ballot as soon as possible.
X9.52, Triple Data Encryption Algorithms Modes of Operation | This document is in public comment. Make drafts available (sale) pending final approval.
X9.62, The Elliptic Curve Digital Signature Algorithm | This document is in reconsideration ballot. Make drafts available (sale) pending final approval.
X9.63, Key Agreement and Key Management Using Elliptic Curve-Based Cryptography | Complete and ballot as soon as possible.
X9.70-199x, Symmetric Key Distribution Using Public Key | Complete and ballot as soon as possible. (This is the replacement for X9.17.)
X9.71, Keyed Hash for Message Authentication | Complete and ballot as soon as possible. (This is one replacement for X9.9.)
X9.72-199x, Peer Entity Authentication Using Public Key | Complete and ballot as soon as possible.
X9.73, Cryptographic Message Syntax | Complete and ballot as soon as possible.
X9.77, Public Key Infrastructure Protocols | Complete and ballot as soon as possible after IETF firms up their standard.
TG-19: Validation procedures, Part 2: Triple DES Modes of Operation | Make drafts available (sale) pending completion and approval.

Secondary Priority

Standard | Action requested/Comments

X9.68, Digital Certificates for High Transaction Volume Financial Systems | Complete and ballot as soon as coordination with other standards organization is finished.
TG-19: Validation procedures, Part 1: General | Complete and get into ballot.
TG-19: Validation procedures, Part 3: ECDSA | Complete and get into ballot.
TG-19: Validation procedures, Part 4: rDSA Signature Algorithm | Complete and get into ballot.
TG-19: Validation procedures, Part 5: X9.42, Diffie Hellman key agreement | Complete and get into ballot.
TG-19: Validation procedures, Part 7: X9.63, EC key agreement and key management | Complete and get into ballot.
TG-19: Validation procedures, Part 8: X9.44, RSA key management | Complete and get into ballot.

Tertiary Priority

Standard | Action requested/Comments

X9.82, Random Number Generation | Complete and get into ballot.
X9.80, Prime Number Generation | Complete and get into ballot.
X9.76, Partial Key Refreshing Mechanism for Threshold Digital Signatures | Complete and get into ballot.
X9.78, Attribute Certificate Extensions | Complete and move to ISO WD-15782-2.
X9.74, Conformance Testing for Certification Path Processing | Complete and get into ballot.
X9.79, Framework and Format Standard for Certificate Policies | Complete and get into ballot.
TG-19: Validation procedures, Part 6: Certificate Path Processing | Complete and get into ballot.
TG-17, Mathematical Background for Elliptic Curve Cryptography | Complete and get into ballot.



[End]

[Converted to HTML by JYA; section numbering conformed.]