A Look at TR-31 & TR-34 Implementation


The payment security landscape is witnessing major transitions, especially within ATM and POS systems. This shift is largely due to the introduction of PCI-PIN V3, an amalgamation of requirements set forth by the PCI SSC and the X9 committee.

Understanding TR-31: The Secure Key Transfer Protocol

TR-31 emerged in response to the need for a more fortified method of transmitting encryption keys from host processors. Set to become a PCI mandate by January 1, 2025, it promises to overhaul the security protocols of ATM and POS device key transfers.

Key Insights into TR-31:

  • Defines the blueprint for key transportation using key blocks.
  • While not a mandatory storage format, all HSM vendors are expected to supply a Key Block storage alternative. Legacy systems, however, can continue to deploy the Variant mode for key storage.
  • The implementation has been phased, with the first step initiated in 2019 focusing on HSM Key storage.
  • TR-31 is in alignment with the X9.24-1 norm, advocating for key block structuring in an open format.

The Key Block rollout will be done in three phases:

  • Phase 1 (June 1, 2019): Implement Key Blocks internally within service provider networks.
  • Phase 2 (January 1, 2023): Extend Key Blocks to external associations and networks.
  • Phase 3 (January 1, 2025): Comprehensive Key Block implementation across merchant hosts, POS systems, and ATMs.

You can learn more about TR-31 in our previous article: An Introduction to TR-31 and Thales Key Blocks

Diving into TR-34: The Epitome of Key Block Formats

TR-34 stands out in the cryptographic world, offering a cohesive methodology for constructing and storing the Terminal Master Key in ATMs and POS systems, a task previously fragmented across vendors.

Here we show a comparison between a TR-34 key block and a standard TR-31 key block.

One of the most significant differences between the TR-31 and TR-34 key block formats is that TR-34 doesn't require a symmetric key to be exchanged between the Key Distribution Host (KDH) and the Key Receiving Device (KRD). TR-34 is used to exchange a TR-31 key block protection key using asymmetric (RSA) encryption. A TR-34 key block includes a TR-31 compatible key block header. This header contains the usage and exportability information about the key. It is not encrypted and can also contain optional key header blocks as allowed by TR-31.

Another very specific difference from other key block formats is that the header is included twice within the TR-34 key block. One copy is in clear text at the start of the key block, and the other is inside the encrypted envelope in the key block data. This allows the Key Receiving Device to validate that the deciphered key block data contains a copy of the key block header. This serves as an additional security precaution.
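The KRD-side header check described above, sketched as an added example (not EFTlab's code and not taken from the TR-34 text): it parses the TR-31 compatible header into its usage and exportability fields and accepts the clear copy only if it matches the copy recovered from the envelope. It assumes the envelope has already been RSA-decrypted and its header copy extracted as raw bytes, and that the two copies must match byte for byte; the function names and the sample header are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

FIXED_LEN = 16  # fixed part of a TR-31 header, in ASCII characters

@dataclass(frozen=True)
class KeyBlockHeader:
    version: str         # key block version ID
    block_length: int    # declared total key block length
    key_usage: str       # e.g. "K0"
    algorithm: str       # e.g. "T" (TDEA) or "A" (AES)
    mode_of_use: str
    key_version: str
    exportability: str   # "E", "N" or "S"
    optional: tuple      # (block id, data) pairs
    raw: bytes           # fixed part plus optional blocks

def parse_header(data: bytes) -> KeyBlockHeader:
    text = data.decode("ascii")           # non-ASCII raises ValueError
    if len(text) < FIXED_LEN or not (text[1:5] + text[12:14]).isdigit():
        raise ValueError("malformed fixed header")
    pos, optional = FIXED_LEN, []
    for _ in range(int(text[12:14])):
        size = int(text[pos + 2:pos + 4], 16)   # length covers id + length + data
        if size < 4 or pos + size > len(text):  # extended lengths ("00") not handled
            raise ValueError("bad optional block length")
        optional.append((text[pos:pos + 2], text[pos + 4:pos + size]))
        pos += size
    return KeyBlockHeader(text[0], int(text[1:5]), text[5:7], text[7], text[8],
                          text[9:11], text[11], tuple(optional), data[:pos])

def krd_check_header(clear_block: bytes, enveloped_header: bytes) -> KeyBlockHeader:
    """Accept the clear header only if it equals the copy from the decrypted envelope."""
    header = parse_header(clear_block)
    if not hmac.compare_digest(header.raw, enveloped_header):
        raise ValueError("clear header does not match enveloped copy")
    return header

# Constructed sample: version B, usage K0, TDEA, non-exportable, one optional block.
ENVELOPED = b"B0096K0TB00N0100KS0A123456"
TAMPERED = ENVELOPED.replace(b"00N", b"00E")  # exportability flipped in the clear copy

if __name__ == "__main__":
    print(krd_check_header(ENVELOPED, ENVELOPED))
    try:
        krd_check_header(TAMPERED, ENVELOPED)
    except ValueError as err:
        print("rejected:", err)
```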

Key Highlights of TR-34:

  • A practical approach to symmetric key exchanges using asymmetric cryptography or the certificate-based Remote Key Loading (RKL) protocol.
  • Enforces a revamped dialogue mechanism between the KRD and the KDH switch.
  • Introduces certificates employing SHA-256 for MACing, necessitating the 3rd generation Terminal EPP.
  • Emphasizes anti-replay protocols, full CA support, and compatibility with PCI PIN Annex A and X9.24-2.
  • Unique dual inclusion of the header in TR-34 key blocks for augmented security.

TR-34's complexity and robustness surpass other formats. It pre-emptively addresses potential security threats, integrating them into its design to bolster its defences.

As PCI SSC continues to amend its PIN requirements, EFTlab continues to enhance EFThub and EFTsim to accommodate these changes, so all users of these products can easily adapt to industry updates with minimal effort on their end.

Sources / Links to follow:

ASC X9 TR 31-2018 - Interoperable Secure Key Exchange Key Block Specification (2018), by American National Standards Institute (ANSI)

X9 TR34–2012 - Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques: Part 1 – Using Factoring-Based Public Key Cryptography Unilateral Key Transport (August 2012), by the American National Standards Institute

PIN Security Requirement - KeyBlocks (2019), by the PCI Security Standards Council

ANSI X9.24-1-2017 - Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques (2017), by the Accredited Standards Committee X9 (Incorporated Financial Industry Standards), American National Standards Institute

VISA PIN SECURITY BULLETIN 31 July 2020: Key Block Effective Dates Extended