Interoperable key exchange using industry standards
HSM 8000 Version 3.0 and payShield 9000 support the recently introduced ASC X9 TR-31 standard for secure key exchange. TR-31 brings compliance with ANSI X9.24 and provides a standardised mechanism for key exchange, eliminating the risks associated with the older ANSI X9.17 standard.
For many years, vendors of hardware security modules have recognized the weaknesses in the ANSI X9.17 approach to key management, especially with regard to key distribution. Unfortunately, there was no agreement on the best solution to the problem. Many vendors introduced proprietary techniques to reduce the risks associated with key exchange between their own equipment. As a consequence, when keys were exchanged between security modules from different vendors, the only option was to continue to use ANSI X9.17. In this case, the key being distributed is decoupled from its local (secure) environment, which means that all sorts of key manipulation attacks are possible.
The TR-31 format enhances security for HSM 8000 and payShield 9000 key exchange between different parties in the payment network, including those using other vendors' HSMs that support TR-31. TR-31 is specified in the latest MasterCard- and Visa-backed PCI security requirements for exchanging keys with point-of-sale devices and ATMs.
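As an added illustration (not vendor code and not taken from this page), the Python sketch below shows the binding a key block provides and a bare X9.17-style cryptogram lacks: the usage attributes travel in a header that is covered by a MAC together with the wrapped key. The 16-character header layout follows TR-31; HMAC-SHA256 stands in for the standard's MAC, and the MAC key, wrapped-key bytes and function names are constructed for the example.

```python
import hashlib
import hmac

MAC_LEN = 16  # hex characters of truncated tag (constructed choice, not the TR-31 MAC)
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
WRAPPED = "A1B2C3D4E5F60718293A4B5C6D7E8F90"  # constructed stand-in for the encrypted key

def parse_header(block: str) -> dict:
    """Split the 16-character key block header into its attribute fields."""
    if len(block) < 16:
        raise ValueError("block shorter than header")
    return {
        "version": block[0],
        "length": int(block[1:5]),
        "usage": block[5:7],          # e.g. P0 = PIN encryption, D0 = data encryption
        "algorithm": block[7],        # e.g. T = TDES
        "mode": block[8],             # e.g. E = encrypt only
        "key_version": block[9:11],
        "exportability": block[11],   # e.g. N = non-exportable
        "optional_blocks": block[12:14],
        "reserved": block[14:16],
    }

def _tag(mac_key: bytes, data: str) -> str:
    digest = hmac.new(mac_key, data.encode("ascii"), hashlib.sha256).hexdigest()
    return digest[:MAC_LEN].upper()

def build_block(mac_key, usage, algorithm, mode, exportability, wrapped_hex):
    """Header + wrapped key, then a MAC computed over both."""
    total = 16 + len(wrapped_hex) + MAC_LEN
    body = f"B{total:04d}{usage}{algorithm}{mode}00{exportability}0000" + wrapped_hex
    return body + _tag(mac_key, body)

def verify_block(mac_key, block):
    """Return the header attributes only if length and MAC both check out."""
    header = parse_header(block)
    if header["length"] != len(block):
        raise ValueError("length field does not match block")
    body, tag = block[:-MAC_LEN], block[-MAC_LEN:]
    if not hmac.compare_digest(_tag(mac_key, body), tag):
        raise ValueError("MAC check failed: header or key data altered")
    return header

BLOCK = build_block(MAC_KEY, "P0", "T", "E", "N", WRAPPED)
# Same wrapped key with the usage field rewritten in transit (PIN key relabelled as data key).
ALTERED = BLOCK[:5] + "D0" + BLOCK[7:]

if __name__ == "__main__":
    print(verify_block(MAC_KEY, BLOCK))
    try:
        verify_block(MAC_KEY, ALTERED)
    except ValueError as exc:
        print("rejected:", exc)
```

A receiver that accepted only `WRAPPED` would have no way to tell which usage the sender intended; with the MAC covering the header, the relabelled block is rejected before the key is imported.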