Key checksum value

In cryptography, a Key Checksum Value (KCV) is the checksum of a cryptographic key.^[1] It is used to validate the key integrity or compare keys without knowing their actual values. The KCV is computed by encrypting a block of bytes, each with value '00' or '01', with the cryptographic key and retaining the first 6 hexadecimal characters of the encrypted result. It is used in key management in different ciphering devices, like SIM-cards or Hardware Security Modules (HSM).

In the GlobalPlatform technical specifications the KCV is defined for DES/3DES and AES keys as follows:^[2]

For a DES key, the key check value is computed by encrypting 8 bytes, each with value '00', with the key to be checked and retaining the 3 highest-order bytes of the encrypted result. For a AES key, the key check value is computed by encrypting 16 bytes, each with value '01', with the key to be checked and retaining the 3 highest-order bytes of the encrypted result.

The same definition is used by the GSMA.^[3]

KCV for symmetric key management in retail financial services[edit]

The payments cards industry uses the following definition, as documented in requirement 15-1 of PCI PIN Security standard.^[4] The same definitions can also be found in the ASC X9 standards under ANSI x9.24-1-2017 Retail Financial Services Symmetric Key Management Part 1^[5]

Check values may be computed by two methods. TDEA may use either method. AES must only use the CMAC method. In the first method, check values are computed by encrypting an all binary zeros block using the key or component as the encryption key, using the leftmost n-bits of the result; where n is at most 24 bits (6 hexadecimal digits/3 bytes). In the second method the KCV is calculated by MACing an all binary zeros block using the CMAC algorithm as specified in ISO 9797-1 (see also NIST SP 800-38B). The check value will be the leftmost n-bits of the result, where n is at most 40 bits (10 hexadecimal digits). The block cipher used in the CMAC function is the same as the block cipher of the key itself. A TDEA key or a component of a TDEA key will be MACed using the TDEA block cipher, while a 128-bit AES key or component will be MACed using the AES-128 block cipher.

References[edit]

^ "Cryptography - Detecting incorrect key using AES/GCM in JAVA".
^ GPC_SPE_034, "GlobalPlatform Card Specification 2.3.1" , GlobalPlatform, March 2018, Section B5
^ "Remote Provisioning Architecture for Embedded UICC 3.1", GSMA, May 2016, Annex F
^ PCI PIN Security, requirements and testing procedures version 3.1, PCI, March 2021, Requirement 15-1
^ ANSI x9.24-1-2017 Retail Financial Services Symmetric Key Management Part 1, ASC X9, 2017, Annex A

[1] "Cryptography - Detecting incorrect key using AES/GCM in JAVA".

[2] GPC_SPE_034, "GlobalPlatform Card Specification 2.3.1" , GlobalPlatform, March 2018, Section B5

[3] "Remote Provisioning Architecture for Embedded UICC 3.1", GSMA, May 2016, Annex F

[4] PCI PIN Security, requirements and testing procedures version 3.1, PCI, March 2021, Requirement 15-1

[5] ANSI x9.24-1-2017 Retail Financial Services Symmetric Key Management Part 1, ASC X9, 2017, Annex A

[1]

[2]

[3]

[4]

[5]