Skip to content

Add Key Check Value operation#2661

Open
J8k3 wants to merge 1 commit into
gchq:masterfrom
J8k3:feat/kcv-op
Open

Add Key Check Value operation#2661
J8k3 wants to merge 1 commit into
gchq:masterfrom
J8k3:feat/kcv-op

Conversation

@J8k3

@J8k3 J8k3 commented Jul 11, 2026

Copy link
Copy Markdown

Summary

Adds a Key Check Value operation to the Hashing category. A KCV is a short public value derived from a symmetric key so two parties can verify they hold the same key without exposing it — widely used in payment HSM key management (TR-31 / ANSI X9.143 KC blocks) and general symmetric-key handling.

Three standard methods:

  • TDES-ECB (Zeros) — ANSI X9.24-1 legacy KCV
  • AES-ECB (Zeros) — AES analogue of the same construction
  • AES-CMAC (Empty) — RFC 4493 CMAC of the empty message, per TR-31

Returns the leading N hex characters of the resulting cryptogram (default 6, matching typical KCV length).

Notes

  • No new dependencies: uses existing node-forge and the in-tree CMAC operation.
  • 3 files changed / 215 lines added — one op file, one test file, one Categories.json entry.
  • Test vectors sourced from NIST SP 800-67 Rev 2 §B.1 (TDES) and NIST SP 800-38B Appendix D.1 (AES), and cross-corroborated against the existing CMAC test suite.

Test plan

  • npm test — all 7 KCV tests pass; no regressions in adjacent ops.
  • npx eslint — clean.
  • Op runs manually across each method and error path.

Verifies that two parties hold the same symmetric key without exposing
it. Supports the three standard forms: TDES-ECB (ANSI X9.24-1),
AES-ECB, and AES-CMAC of the empty message (RFC 4493 / TR-31 KC block).
Test vectors sourced from NIST SP 800-67 Rev 2 and NIST SP 800-38B.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant