
[ KCV ] PAYMENT CRYPTOGRAPHY

KCV — Key Check Value

A short hash-like fingerprint of a cryptographic key (typically 3 or 6 bytes) used to verify that two parties hold the same key without revealing it.

Standard: ANSI X9.24 / ISO 9564
Origin: ANSI

What is a Key Check Value?

A Key Check Value (KCV) is a short cryptographic digest of a key — typically the first 3 or 6 bytes of the result of encrypting a fixed all-zeros block under the key. Its purpose is exclusively verification: two parties can compare KCVs to confirm they hold the same key without ever revealing the key itself, since the KCV is a one-way function of the key.

KCVs are computed during every key ceremony, after every key injection, and on every key import. They appear in HSM command responses (e.g., the payShield A0 command returns the KCV of the generated key), in TR-31 key-block headers, and in audit logs as the canonical way to identify which key was used without compromising its confidentiality.

How KCVs Are Computed

The standard KCV for a 3DES key is the first 3 bytes (6 hex characters) of 3DES-Encrypt(Key, 0000000000000000), that is, the encryption of an 8-byte all-zero block. For AES keys, it is typically the first 3-6 bytes of AES-Encrypt(Key, 0000000000000000_0000000000000000), the encryption of a 16-byte all-zero block. Some HSM vendors and standards (notably TR-31) use slightly different conventions (e.g., a CMAC-based KCV for AES keys), so always check which KCV convention is in use before comparing.

A 3-byte (24-bit) KCV has a 1-in-16 million chance of collision with a random key, which is generally considered sufficient for operational identity. For higher-stakes ceremonies, a 6-byte KCV reduces collision probability to 1-in-281-trillion.
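The AES computation described above, as an added example that is not part of the original page or any vendor's code. It computes the encrypt-zeros KCV for an AES-128 key beside a CMAC-based one, so the convention mismatch the text warns about is visible for a single key. Assumptions: the function names are hypothetical, only 16-byte keys are handled, and "CMAC-based" is taken to mean AES-CMAC (RFC 4493) over one all-zero block, which the page does not spell out.

```python
# Added illustration, not the page's code: minimal pure-Python AES-128 so it runs offline.
def _xtime(a):                       # multiply by 0x02 in GF(2^8)
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _build_sbox():                   # field inverse followed by the affine map
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= _xtime(p)               # p *= 3
        for shift in (1, 2, 4):      # q /= 3, so p * q == 1 throughout
            q ^= q << shift
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        qq = q | q << 8              # doubled byte: rotations become shifts
        sbox[p] = (qq ^ qq >> 4 ^ qq >> 5 ^ qq >> 6 ^ qq >> 7) & 0xFF ^ 0x63
        if p == 1:
            return sbox

SBOX = _build_sbox()
ZERO = bytes(16)                     # the all-zero block the KCV is computed over

def aes128_encrypt_block(key, block):
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rc = 1
    for i in range(4, 44):           # key schedule: 44 four-byte words
        t = w[i - 1]
        if i % 4 == 0:               # RotWord, SubWord, round constant
            t = [SBOX[t[1]] ^ rc, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rc = _xtime(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    rk = [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if rnd < 10:                 # MixColumns, skipped in the last round
            cols = [s[c:c + 4] for c in range(0, 16, 4)]
            s = [c[i] ^ c[0] ^ c[1] ^ c[2] ^ c[3] ^ _xtime(c[i] ^ c[(i + 1) % 4])
                 for c in cols for i in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

def kcv_encrypt_zeros(key, length=3):    # convention stated in the text
    return aes128_encrypt_block(key, ZERO)[:length].hex().upper()

def cmac_one_block(key, msg):            # AES-CMAC (RFC 4493), 16-byte message only
    n = int.from_bytes(aes128_encrypt_block(key, ZERO), "big") << 1
    k1 = n ^ ((1 << 128) | 0x87) if n >> 128 else n    # subkey K1
    return aes128_encrypt_block(key, (int.from_bytes(msg, "big") ^ k1).to_bytes(16, "big"))

def kcv_cmac(key, length=3):             # assumed CMAC convention, see lead-in
    return cmac_one_block(key, ZERO)[:length].hex().upper()
```

For the same key the two functions return different values, so a KCV mismatch between systems only indicates different keys once both sides are known to use the same convention and length.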

Frequently Asked Questions

Why use KCV instead of comparing full keys?
Comparing the full key would require exporting the key in clear from both HSMs, which violates basic key-protection principles. The KCV is a one-way digest that proves key equality without revealing the key.

Can two different keys have the same KCV?
Yes, by random collision (1-in-16M for 3-byte KCVs). KCVs are sufficient for operational identification but are not cryptographic proofs of identity. If an attacker could choose the keys, they could construct collisions; in practice, keys are random so collisions are negligible.

Where does the KCV appear?
In every HSM key-generation, key-import, and key-translation command response; in TR-31 key block headers; in printed key components after a key ceremony; and in operational logs to identify which key was used for a particular operation.
