Issue Number: 2016-2
Inside This Issue
- IRS Updates FATCA International Data Exchange Service (IDES) Encryption Mode
1. IRS Updates FATCA International Data Exchange Service (IDES) Encryption Mode
The Internal Revenue Service (IRS) maintains a high standard of confidentiality and continuously evaluates security protocols related to information technology. During a routine review, the IRS decided to update the cipher mode used for encryption from Electronic Code Book (ECB) to Cipher Block Chaining (CBC). CBC is a stronger mode of operation for encrypting data and can be implemented in your own code or by your software of choice.
Update to CBC cipher mode
Beginning July 9, 2016, IDES will no longer accept data packets encrypted with the ECB cipher mode, and all users are required to transmit data packets with the CBC cipher mode. The implementation date was carefully chosen to minimize disruption to users. The revised data packaging process improves the AES-256 key encryption and is summarized below. All other data packaging details, such as data padding, remain the same.
Current ECB Encryption Mode vs. Update to CBC Encryption Mode

Step 1: Create payload file
Current ECB: Encrypt XML file with AES-256 key
- Cipher mode: ECB
- Initialization Vector (IV): no IV
- Key size: 256 bits/32 bytes
Update to CBC: Encrypt XML file with AES-256 key and IV using CBC mode
- Cipher mode: CBC
- Initialization Vector (IV): 16 byte IV
- Key size: 256 bits/32 bytes

Step 2: Encrypt AES key and IV key file
Current ECB: Encrypt AES key and IV key with public key of each recipient
Update to CBC: Encrypt AES key and IV with public key of each recipient. The key file is 48 bytes: the 32 byte AES key followed by the 16 byte IV.
Testing
You may participate in the next open test period from June 16-30, 2016 to test the security update. Data packets sent on or after July 9, 2016 using the current ECB cipher mode will be rejected, as the IRS will no longer be able to decrypt the data packets. All data packets received from the IRS must follow the same process with the CBC cipher mode. For decryption, the data packaging process is reversed, with the 48 byte key file separated into a 32 byte AES key and a 16 byte IV.
A new decryption notification code of NKS (Incorrect AES key size) has been added. If you receive an NKS notification, check your file for the following common errors:
- Data packet transmitted with ECB cipher mode
- Data packet does not include IV in Key File
- Data packet key size is not 48 bytes
- Data packet does not contain the concatenated key and IV.
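The two-step packaging process above (Step 1: AES-256-CBC payload, Step 2: RSA-wrapped 48-byte key file) and the receiving side's NKS check, as an added example in Go. This is not the IRS's GitHub sample code; it assumes PKCS#7 padding (the newsletter only says padding is unchanged), RSA-OAEP with SHA-256 for wrapping the key file, a 2048-bit recipient key, and the function names used here are hypothetical. The sample payload is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyFileSize is the CBC key file length: 32-byte AES-256 key followed by the 16-byte IV.
const KeyFileSize = 32 + aes.BlockSize

// pkcs7Pad pads to a whole number of AES blocks (PKCS#7 is an assumption here).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips PKCS#7 padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptPayload is Step 1: encrypt the XML under a fresh AES-256 key and a fresh
// 16-byte IV in CBC mode. It returns the ciphertext and the 48-byte key file
// (key || IV) that Step 2 wraps for each recipient.
func EncryptPayload(xml []byte) ([]byte, []byte, error) {
	keyFile := make([]byte, KeyFileSize)
	if _, err := rand.Read(keyFile); err != nil { // key and IV drawn together
		return nil, nil, err
	}
	key, iv := keyFile[:32], keyFile[32:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	padded := pkcs7Pad(xml)
	ciphertext := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ciphertext, padded)
	return ciphertext, keyFile, nil
}

// WrapKeyFile is Step 2: encrypt the 48-byte key file with a recipient's RSA public
// key. RSA-OAEP/SHA-256 is an assumption; follow the IDES documentation for your software.
func WrapKeyFile(keyFile []byte, recipient *rsa.PublicKey) ([]byte, error) {
	if len(keyFile) != KeyFileSize {
		return nil, fmt.Errorf("key file must be %d bytes (key + IV), got %d", KeyFileSize, len(keyFile))
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, keyFile, nil)
}

// UnwrapKeyFile reverses Step 2 on the receiving side.
func UnwrapKeyFile(wrapped []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// SplitKeyFile separates the 48-byte key file into key and IV. Any other length is
// the condition an NKS notification reports: an ECB-era 32-byte key with no IV, or a
// key and IV that were not concatenated into one file.
func SplitKeyFile(keyFile []byte) (key, iv []byte, err error) {
	if len(keyFile) != KeyFileSize {
		return nil, nil, fmt.Errorf("NKS: incorrect AES key size: want %d bytes (32-byte key + 16-byte IV), got %d", KeyFileSize, len(keyFile))
	}
	return keyFile[:32], keyFile[32:], nil
}

// DecryptPayload reverses Step 1 with the separated key and IV.
func DecryptPayload(ciphertext, keyFile []byte) ([]byte, error) {
	key, iv, err := SplitKeyFile(keyFile)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ciphertext)
	return pkcs7Unpad(plain)
}

func main() {
	// Constructed sample payload and recipient key; a real packet carries the FATCA XML.
	xml := []byte("<Payload>constructed sample, not a real FATCA report</Payload>")
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, keyFile, _ := EncryptPayload(xml)
	wrapped, _ := WrapKeyFile(keyFile, &recipient.PublicKey)
	unwrapped, _ := UnwrapKeyFile(wrapped, recipient)
	plain, err := DecryptPayload(ct, unwrapped)
	fmt.Printf("key file %d bytes, round trip ok: %v (err=%v)\n", len(keyFile), bytes.Equal(plain, xml), err)
	// An ECB-style key file (32 bytes, no IV) is the common cause of an NKS notification.
	_, _, err = SplitKeyFile(keyFile[:32])
	fmt.Println(err)
}
```

The receiver checks the key file length before touching the ciphertext, which is the same ordering the NKS code implies: a 32-byte key file, a missing IV, or an unconcatenated key and IV all fail at that check rather than producing garbage plaintext.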
Online Resources
Please sign up to attend the next FATCA Global IT Forum hosted by the IRS. Our technical experts will be available to answer your questions. We will update all online documentation and web content for the cipher mode. The code samples on GitHub will reflect the specific implementation settings for CBC. The IRS released this code with an open source license, and the samples can be used as a step-by-step guide or modified to update your data packaging software. For more information, visit the IDES Resources web pages.
Thank you for subscribing to FATCA News & Information, an IRS e-mail service. For more information on federal taxes please visit IRS.gov.