PIN Security Management and Concerns
Susan Langford, Sr. Cryptographer
CACR Information Security Workshop


Atalla Security Products

Why We Shouldn’t Study PINs
Technology is decades old
–Long time for computers
–Network is already built and tested
Everyone knows what a PIN is
–Personal Identification Number
–Password made up of only numbers
–Frequently written down
There are a lot of new protocols to study - so why bother?

Why We Should Study PINs
One of the few large scale implementations of cryptography in the commercial world.
–Learn from mistakes and successes
–New and old systems use different mathematics; there will be new attacks, but the old attacks won’t go away.
New Internet protocols need to inter-operate with the existing networks.
People are trying to upgrade the existing network from single-DES to something stronger.

Talk Outline
The existing network
–Description
–Defenses
–Vulnerabilities
Combining public key based networks with the existing infrastructure
–Possible approaches
–Vulnerabilities

The Existing Network

Early systems - No cryptography
First systems didn’t even require a PIN.
Account number and PIN sent to bank in the clear.
Very little fraud protection.
–Anyone that taps the line can steal from the account.
–If no PIN, anyone that can write a magnetic stripe card can steal from the account.
[Diagram: Acquiring Bank -> ABC Bank: Account Number, PIN]

Link Encryption
Encrypt the traffic from the device to the bank.
Bank verifies PIN in software.
Better fraud protection.
–Tapping the line does not provide useful information.
–Vulnerable within the bank. Employees can see PIN.
–Networks require banks to trust other’s employees.
[Diagram: Acquiring Bank -> ABC Bank: E[Account Number, PIN]]

The Existing Network
[Diagram of the existing network: Acquiring Bank, Regional or Acquiring Bank, Issuing Bank (ABC Bank)]

The Existing Network
PIN block always DES encrypted, under PIN key.
Track 2 may be DES encrypted under a general traffic key.
–Track 2 contains 40 digits (0-9), 37 usable
–Primary Account Number (PAN), digits
–Exp. Date (4 digits)
–Varying fields - service code, language indicator, member number
–Data to verify PIN (ex. IBM 3624 offset). Usually only 4-5 digits.
ABM (ATM) or POS device sends data to its bank.

The Existing Network - transport
If the transaction is “not on us” (Bank A’s customer using Bank B’s device), the bank forwards the transaction to a switch.
The switch then routes the transaction to the correct bank or processor.
At each stage, the PIN is translated: decrypted and re-encrypted under a key known by the recipient.

The Existing Network - Verification
At the issuing bank, the PIN is verified.
Verification is a DES-based function involving the PIN, a PIN verification key, and a verification string.
The verification string is stored on the card, on the local database, or both.
Verification returns a yes or no. It never returns the verification string.
Two main types of verification (many others)
–IBM 3624 offset
–VISA PVV

IBM 3624 PIN Verification Algorithm
Calculate a “natural PIN” by DES encrypting the account number.
For customer selected PIN, calculate an offset
–Customer PIN - Natural PIN
The length of the verified PIN is limited to the length of the offset. Leftmost digits ignored.
Bank can change the PIN key if offset is stored on the data base.
[Diagram: Acct. No. + Pad -> DES (PIN key) -> Decimalize -> Natural PIN; Customer PIN - Natural PIN (Subtract) -> Offset]
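The offset method above, carried through in Go as an added example (not IBM’s or Atalla’s code): the decimalization table, the ‘F’ padding of the account number, and the key and PAN values are constructed assumptions. The functions also show the point the later Vulnerabilities slide makes about IBM 3624: the natural PIN depends only on the key and account number, so a PIN change only changes the offset.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

const decTable = "0123456789012345" // decimalization by nibble (assumed: A-F -> 0-5)

// naturalPIN DES-encrypts the F-padded account number (padding rule assumed)
// under the PIN verification key and decimalizes the result, as on the slide.
func naturalPIN(pinKey []byte, pan string, pinLen int) (string, error) {
	in, err := hex.DecodeString((pan + "FFFFFFFFFFFFFFFF")[:16])
	blk, err2 := des.NewCipher(pinKey) // single DES, 8-byte key
	if err != nil || err2 != nil || len(pan) > 16 || pinLen < 1 || pinLen > 16 {
		return "", fmt.Errorf("bad PAN, key or PIN length")
	}
	out := make([]byte, 8)
	blk.Encrypt(out, in)
	nat := make([]byte, 0, 16)
	for _, b := range out {
		nat = append(nat, decTable[b>>4], decTable[b&0xF])
	}
	return string(nat[:pinLen]), nil
}

// digitOp adds (sign=+1) or subtracts (sign=-1) digit strings digit by digit, mod 10.
func digitOp(a, b string, sign int) string {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = byte('0' + (int(a[i]-'0')+sign*int(b[i]-'0')+10)%10)
	}
	return string(out)
}

// offsetFor computes the value stored on the card or database: PIN - natural PIN.
func offsetFor(pinKey []byte, pan, customerPIN string) string {
	if nat, err := naturalPIN(pinKey, pan, len(customerPIN)); err == nil {
		return digitOp(customerPIN, nat, -1)
	}
	return "" // invalid input
}

// verifyPIN answers only yes or no; the natural PIN never leaves this function.
func verifyPIN(pinKey []byte, pan, offset, enteredPIN string) bool {
	nat, err := naturalPIN(pinKey, pan, len(offset))
	return err == nil && digitOp(nat, offset, +1) == enteredPIN
}

func main() {
	key, pan := []byte("PINKEY01"), "4999988887777" // constructed key and PAN
	off := offsetFor(key, pan, "1234")
	fmt.Println("offset:", off, "verifies:", verifyPIN(key, pan, off, "1234"))
}
```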

VISA PIN Verification Value (PVV)
3DES encryption.
Verified PIN limited to 4 digits; rightmost digits are ignored.
PIN Verification Key Indicator (PVKI) selects the key from a table of 6.
The scan starts at the leftmost character and finds hex characters 0-9. If fewer than 4 are found, the rest of the PVV is created by decimalizing the remaining characters, starting at the left.
[Diagram: Acct. No., PVKI, PIN -> 3-DES (PIN key) -> Scan -> PVV (4 digits)]
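The PVV derivation and scan rule above, as an added Go example that is not VISA’s or Atalla’s code. The input layout (rightmost 11 PAN digits without the check digit, the PVKI digit, the first 4 PIN digits) and the six constructed keys are assumptions.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// pvkTable: the 6 PIN verification keys selected by PVKI (constructed 16-byte keys).
var pvkTable = func() (t [][]byte) {
	for i := 0; i < 6; i++ {
		t = append(t, []byte(fmt.Sprintf("PVK%d-123456789AB", i)))
	}
	return t
}()

// computePVV 3DES-encrypts the 16-digit input (PAN digits, PVKI, 4 PIN digits)
// under the key chosen by PVKI and applies the slide's scan rule. The input
// layout is a common PVV convention and an assumption of this example.
func computePVV(pan string, pvki int, pin string) (string, error) {
	if len(pan) < 12 || len(pin) < 4 || pvki < 0 || pvki >= len(pvkTable) {
		return "", fmt.Errorf("bad PAN, PIN or PVKI")
	}
	in, err := hex.DecodeString(pan[len(pan)-12:len(pan)-1] + fmt.Sprint(pvki) + pin[:4])
	k := pvkTable[pvki]
	blk, err2 := des.NewTripleDESCipher(append(append([]byte{}, k...), k[:8]...)) // K1,K2,K1
	if err != nil || err2 != nil {
		return "", fmt.Errorf("bad PAN digits or key")
	}
	out := make([]byte, 8)
	blk.Encrypt(out, in)
	// Pass 0 takes decimal nibbles left to right; pass 1 decimalizes A-F (A->0 ... F->5).
	pvv := make([]byte, 0, 4)
	for pass := 0; pass < 2 && len(pvv) < 4; pass++ {
		for _, b := range out {
			for _, n := range []byte{b >> 4, b & 0xF} {
				if len(pvv) < 4 && (n <= 9) == (pass == 0) {
					pvv = append(pvv, '0'+n%10)
				}
			}
		}
	}
	return string(pvv), nil
}

// verifyPVV recomputes the PVV and compares it with the stored one; only yes/no leaves.
func verifyPVV(pan string, pvki int, pin, storedPVV string) bool {
	v, err := computePVV(pan, pvki, pin)
	return err == nil && v == storedPVV
}

func main() {
	v, _ := computePVV("4999988887777", 2, "1234") // constructed PAN and PIN
	fmt.Println("PVV:", v, "verifies:", verifyPVV("4999988887777", 2, "1234", v))
}
```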

Defenses - Protect the PIN
PINs in the clear only within trusted hardware
–Trusted entry devices are more difficult to tap.
–No PIN decryption capability in system. Hardware only decrypts with one key and re-encrypts with another, or verifies the encrypted PIN against a verification value.
Make PIN search difficult
–Clear PIN entry only possible manually.
–Requires keyed, trusted device.
–Velocity checks against account numbers.

Defenses - Protect the Key that protects the PIN
Encrypting a PIN under a known key is the same as decrypting the PIN into the clear.
Clear keys are entered only under split knowledge. Two or more people must collude to know the key.
Keys exist in the clear only within secure hardware. No key decryption, only translation.
Less secure hardware (PIN pads) should limit the exposure from the compromise of a device key.
–Devices should not share keys.
–Limit exposure of previous transactions.

Defenses
Keep the system from being confused.
–If the PIN looks like data, system will decrypt it.
–If the PIN looks like a key, system will encrypt things with it.
–Distinction must be cryptographic and quick. BER encoding will not help.
Other
–Change keys frequently to limit exposure.
–Limit the amount that can be withdrawn per day.
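A toy model of the translate-only, typed-key hardware that the transport slide and the three Defenses slides describe, as an added Go example (not a description of any Atalla product). Wrapping working keys under master-key variants per role is an assumed way to make the PIN-key/data-key distinction cryptographic, and every key and PIN-block value is constructed.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// Working keys are held wrapped under a master key XORed with a per-role variant,
// so a key only unwraps correctly in the role it was loaded with (assumption).
const (
	rolePIN  byte = 0x00 // PIN keys: usable only by translate/verify
	roleData byte = 0xA6 // data keys: general encrypt/decrypt (constructed)
)

var masterKey = []byte{0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10} // constructed

// desOp runs one single-DES block operation; every key here is 8 bytes, so NewCipher cannot fail.
func desOp(key, src []byte, decrypt bool) []byte {
	c, _ := des.NewCipher(key)
	dst := make([]byte, 8)
	if decrypt {
		c.Decrypt(dst, src)
	} else {
		c.Encrypt(dst, src)
	}
	return dst
}

// variant derives the master-key variant for a key role.
func variant(role byte) []byte {
	v := make([]byte, 8)
	for i := range v {
		v[i] = masterKey[i] ^ role
	}
	return v
}

// wrapKey loads a clear working key in a role; unwrap is internal to the HSM.
func wrapKey(role byte, clear []byte) []byte { return desOp(variant(role), clear, false) }
func unwrap(role byte, wrapped []byte) []byte { return desOp(variant(role), wrapped, true) }

// translatePIN re-encrypts an 8-byte PIN block from one PIN key to another; the clear block never leaves.
func translatePIN(wrappedFrom, wrappedTo, encPIN []byte) []byte {
	clear := desOp(unwrap(rolePIN, wrappedFrom), encPIN, true)
	return desOp(unwrap(rolePIN, wrappedTo), clear, false)
}

// decryptData is the general data function: a wrapped PIN key unwraps here to an unrelated key.
func decryptData(wrappedKey, ct []byte) []byte { return desOp(unwrap(roleData, wrappedKey), ct, true) }

func main() {
	padKey, zoneKey := []byte("PADKEY01"), []byte("ZONEKEY2")                       // constructed
	encPIN := desOp(padKey, []byte("\x04\x12\x34\xff\xff\xff\xff\xff"), false) // constructed PIN block
	fmt.Printf("%X\n", translatePIN(wrapKey(rolePIN, padKey), wrapKey(rolePIN, zoneKey), encPIN))
}
```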

Vulnerabilities - Physical
Some of the attacks on the system are very basic
–Pickup truck pulling out the ABM (ATM)
–Pointing a gun at the customer
These threats are not unique to this network.
–Attacks against older systems are generally tried against the new systems.
Defenses are physical, not cryptographic
–This talk focuses on logical security.
–Other defenses are equally important.

Vulnerabilities - Customer
Customer reveals PIN and account number directly
–Security guard attack
–Help at the ATM
PIN is easily guessed or written on card
Customer is watched entering PIN
–“Shoulder-surfing” plus theft of card
–Camera plus monitor the line
–Card + PIN to get access to ATM
Customer forgets PIN

Vulnerabilities - Network
Rogue device
–Fake ABM (ATM)
–Altered PIN pad
Attacker monitors the connection between device and bank.
–PINs are encrypted.
–Account numbers & balances are often not encrypted, which may help social engineering attacks.

Vulnerabilities - Banks and Switches
An attacker within a bank has the most opportunities to defeat the system.
A single transaction may run through many systems.
–Many different insiders have opportunity.
–Exposure at one point can harm many other points.
Insider fraud is the main danger. All other types of attacks are a subset of insider attacks.

Vulnerabilities - Cryptographic
Most of the network uses single-DES encryption
–Vulnerable to search
–Key management is sometimes done with 3-DES
–IBM 3624 PIN verification key can be recovered with about 6 known PINs and track 2 data.
Verification values are frequently only 4 digits.
Most systems only verify 4 digits of the PIN, even if the customer is using a longer PIN.
With IBM 3624, if the PIN is compromised, changing the PIN does not help.

Combining Public Key Protocols with PIN Networks

Approach 1 - Home Banking
Encrypt the traffic from the PC to the bank using SSL.
Tapping the line does not provide useful information.
Difficult to get track 2 data.
PIN in the clear in software at the bank.
Some banks use a separate password rather than a PIN.
[Diagram: PC -> Issuing Bank: E[Account Number, PIN] (link encryption)]

Approach 1 - Vulnerabilities
Easy to modify a PC to compromise PIN.
PIN is in the clear within the bank, so anyone with access there could compromise a PIN sent under this scheme.
Bank systems have to be modified to allow verification of these PINs, allowing the possible compromise of the rest of the system.
PIN search is very easy to implement; no good way to add velocity checks.
Treating PINs like data.

Approach 2 - Treat the PC as a PIN Pad
Create a standard PIN block at the PC by one of the following:
–Software program with key to emulate a PIN pad.
–Provide customer with low cost PIN pad.
–Provide cryptogram.
Track 2 data read by device or loaded in program.
Sent by SSL or other protocol.
Issuing PIN processing ignores the public key protocol.

Approach 2 - Vulnerabilities
Emulating the PIN pad in software
–Easy to modify the PC to compromise the PIN.
–PIN search is possible, but the bank can use velocity checks by key.
PIN pads
–Tamper-resistant, but not tamper-proof. People will modify these devices and recover keys.
–Difficult to manage and support the PIN pads.
Cryptogram
–Could be copied and used by someone else.

Approach 3a: Public Key PIN Protocols
Encrypt the PIN and the symmetric key with the public key.
–Add PAN, expiration date, etc. depending on space.
Encrypt other parts of message with the symmetric key.
Must have a way to know the PIN is within the public key envelope, and to tell which bits are part of the PIN.
–Example: SET’s Block Content
[Diagram: Public key block contains PIN, PAN, Exp. Date, Key; Symmetric block (under Key) contains Other Data]

Approach 3b: Public Key PIN Protocols
Encrypt the symmetric key(s) with the public key.
Encrypt other parts of message with symmetric key KEY1.
Encrypt the PIN block with a second key, either KEY2 as sent, or KEY2 equals a function of KEY1.
Must know the public key block has 2 keys, and which is which, or
Must never compute KEY2 as data key.
[Diagram: Public key block contains KEY1, KEY2; Symmetric block (under KEY1) contains Other Data; a separate PIN block (under KEY2) contains the PIN]

Approach 3 - Vulnerabilities
Note that the two approaches have similar security properties
–Both can be implemented fairly securely.
–Both can be poorly implemented, revealing PINs.
–Approach 3b, with KEY2 = function (KEY1), may be slightly easier to implement.
Still have the problem of not trusting the PC.
–Easy to alter.
–Many people know how to attack.

Vulnerabilities - PIN Search Machine
Easy for attacker to use the Internet as a PIN search machine.
–Automated attack.
–Try lots of account numbers and different banks to avoid velocity checks.
One possible solution is to require a signature, which includes the clear PIN value.
–Public key must be tied to account number.
–Still difficult to avoid internal PIN search.

Vulnerabilities - Known Keys
The existing network was built on the assumption that no single person knows the clear value of a key.
With public key cryptography, that assumption is wrong. Anyone can send a key encrypted under a public key.
–Not a problem with a data encryption key.
–Definite problem for PIN keys (Approach 3b).
There are ways to implement this securely, but the problem is not widely understood.

Comment about cryptographic APIs
Banking systems would like to use standard cryptographic APIs.
Most of the current APIs were not designed to allow a banking system to work.
–Need to have distinctions between PINs and data, PIN keys and data keys.
–PINs need to be exportable under trusted symmetric keys (only PIN keys, not data keys), but not under an untrusted public key.
–Need a secure translation function for hundreds of PINs per second.