HSMs use key block structures as basic structures to achieve secure key management. This article introduces into the Atalla Key Block, explains its principle and details why protecting keys is so important.
The Atalla Key Block is linked to the history of its inventor, Dr. Mohamed Atalla (1924-2009), an Egyptian-American inventor. Dr. Atalla is internationally known for inventing the MOSFET (metal-oxide-semiconductor field-effect transistor) in 1959. However, he also created the Atalla Corporation in 1973 to commercialize the “Atalla Box,” a Hardware Security Module and other devices to encrypt PIN and ATM messages. Dr. Atalla is often referred to as “the father of the PIN” because of the pioneering work he performed regarding PIN authentication.
One of the main functions of the Atalla Box is the use of key blocks. Key blocks are needed to securely interchange symmetric keys or PINs with other actors of the banking industry. This secure interchange is done with what is known as the Atalla Key Block format (AKB).
The Atalla Corporation was merged and acquired by several companies, including Micro Focus. Utimaco acquired Micro Focus in October 2018.
In principle, HSMs use key block structures as basic structures to achieve secure key management. A key block (or key bundling) is a data structure used to store or exchange cryptographic keys within hostile environments.
As a minimal requirement:
The Atalla Key Block was the first implementation of a secure key block that met these requirements.
An Atalla Key Block securing a key consists of three parts:
Atalla Key Block was the origin of several standards. The Atalla key block format is; therefore, de facto integrated to the following standards:
To better understand what the Atalla Key Block is, and before detailing its principle in detail, we must first understand the problems it had to solve originally.
DES has been used for a long time as an encryption mechanism in the banking industry, especially in ATMs. The banking industry massively moved to 3DES when DES-breaking machines using key exhaustion attacks were successfully built. The first known DES-breaking machine was built in 1999 by the Electronic Frontier Foundation (Deep Crack). Later on, a second machine was built by the COPACABANA (Cost-Optimized Parallel Code Breaker) project.
3DES uses either 2 keys of 56-bit length or 3 keys of 56-bit length. The problem is that incorrectly stored and protected 3DES keys do not guarantee any better protection than using 56-bit DES keys.
Because of limitations, keys cannot always be stored in the memory of an HSM. But regardless of that, cryptographic keys must be protected throughout the cryptographic life of the data or process being protected. In the case of PIN protection in a consumer banking environment, the lifespan of the data or process may last for many years.
In addition, keys must be shared among HSMs at a host site and transmitted to other systems. This is the problem of secure key exchange – the transmission of cryptographic keys between disparate systems.
There are many scenarios in which attacks can be done against 3DES in the context of the banking industry. As per the ANSI X9.24 standards, 3DES key should be ciphered using 3DES encryption. Each of the 2 encryption keys K1 and K2  of length 56 bits each should be ciphered by 3DES, which keys will be stored in a database.
Let us suppose that an attacker, which could be a disgruntled employee or a rogue contractor or vendor, wants to target the 3DES keys stored per the ANSI X9.24 standards.
The 3DES key is (K1, K2).
K1 is ciphered by 3DES with keys (C1, C2) and K2 is also ciphered by 3DE with keys (C3, C4).
We suppose that the attacker can have the security module ciphering a text T with the key C1 as a single-DES operation, resulting in a ciphered text T’.
That attacker can break the cipher T’ and uncover the key C1 using, for example, a COPACABANA machine, as previously described. That technique could be repeated with C2, C3, and C4 to uncover the 3DES key (K1, K2). This is not exactly unrealistic because, in the banking industry, many HSMs must maintain single DES operations for legacy reasons.
Because of the control information header and the overall MAC, an attacker could not use that technique against 3DES keys protected by an Atalla block format. And this is exactly why the Atalla block format was invented.
Here we detail how the Atalla Key Block is being processed by a receiver to extract the key (or PIN) it protects.
First, the AKB is checked for integrity by computing the MAC and comparing it to the presented MAC field. If the MACs are the same, the operation continues. The key is then decrypted using the Control Field Initialization Vector I.V) and a first variant of the master file key. Keys are then resolved and used following the data from the control field. The control field is an 8-byte header which details all the information about the key within the block.
|0||Version number for the format|
|3||Mode of use|
|6||Special handling information|
As you can see, a lot of information is presented in the header which makes AKB very flexible for different use cases.
The key usage can be one of the following options:
The Key Block can handle the key for the following algorithms:
While the most frequent use in banking is 3DES, AES or RSA can also be secured by the key block.
The “Mode of Use” flag is usually: Encrypt, Decrypt, Generate, Verify or no restriction at all.
Other useful information will be conveyed in the next bytes of the control field.
The Atalla Key Block is a very important format, and is at the root of all cryptographic block formats found within PCI and ANSI standards. It solves important issues regarding the security of keys when they are in transit within a potentially hostile environment.
Read more about the Utimaco Atalla AT1000 Hardware Security Module (HSM), a payments security module for protecting sensitive data and associated keys. Or access more articles on the Utimaco Atalla AT1000