AS 2805.6.9:2022 pdf free download – Electronic funds transfers- Requirementsfor interfaces Part 6.9: Key management — AES Session keys – Node-to-node.
This document provides an interoperable method to transact within a node-to-node environment using the AES. It specifies management procedures applied in the authentication, encryption and decryption of electronic messages relating to financial transactions utilizing session keys.
This document —
(a) specifies the security interface methods between nodes:
(b) defines methods of interchange of the various encipherment keys used for securing transaction: and.
(c) ensures that nodes can only authenticate messages at their correct destination.
NOTE Principles concerning key management and physical security are dealt with In AS 2805.6.1.2 and
AS ISO 20038
1.2 Application
This document is intended for use in institutions where a node-to-node dialogue is required
using AES keys.
1.3 NormatIve references
The following documents are referred to in the text in such a way that some or all of their content constitutes the requirements of this document.
NOTE Documents referenced for Informative purposes are listed In the Bibliography. AS ISO 20038, Banking and related financial services — Key wrap using AES
1.4 Terms and definitions
For the purpose of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
JEC Electropedia: available at http://www.electropedia.org/
ISO Online browsing platform: available at httpf/www.iso.urgJobp
1.4.1
authentication
verification that a message was sent by the purported originator to the intended recipient and that the message was not changed In transit
4.2 Key confirmation
Before the first transmission of session keys, a node may confirm the correct Installation of its KBPK at the other end.
To accomplish this. Node A requesting confirmation shall generate a random value (RN). encipher It with the KBPKEAB and send to Node B (see Figureil). Node B shall decrypt the random value using KBPKDAR to obtain RN. Each bit of the RN shall be inverted to form a random complement value, —RN. The resultant —RN Is then enciphered using the Node H KBPKBA and returning this to the requester. Node A. Receipt of the original random value correctly inverted confirms that the Node A KBPKAB was correctly installed as KBPKDAB at Node B, and provides the necessary proof of end point.
4.3 Changing session keys
4.3.1 General
The session key change procedure consists of an initiation phase, followed by the processing of messages by node systems to generate and install new session keys.
The node initiating the key change generates a set of random session keys (KS) (i.e. Node A sends KSXAH to Node B). It sends them to the recipient in key block format protected by keys derived from KBPKs following AS ISO 20038. These keys will replace the receive session keys for the remote recipient node.
A change of scsslon keys In one direction does not require a modification of session keys In the other direction.
4.3.2 SessIon key change
The application entity of either node can initiate the key change procedure. Further transactions may be processed during the key change process, provided that the receiving node can unambiguously Identify the key set being used for any message.
