# Technical Report. Decimalisation table attacks for PIN cracking. Mike Bond, Piotr Zieliński. Number 560. February Computer Laboratory

Save this PDF as:

Size: px
Start display at page:

Download "Technical Report. Decimalisation table attacks for PIN cracking. Mike Bond, Piotr Zieliński. Number 560. February 2003. Computer Laboratory"

## Transcription

1 Technical Report UCAM-CL-TR-560 ISSN Number 560 Computer Laboratory Decimalisation table attacks for PIN cracking Mike Bond, Piotr Zieliński February JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone

2 c 2003 Mike Bond, Piotr Zieliński Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: Series editor: Markus Kuhn ISSN

4 is converted into hexadecimal, and the first four digits taken. Each digit has a range of 0 - F. In order to convert this value into a PIN which can be typed on a decimal keypad, a decimalisation table is used, which is a many-to-one mapping between hexadecimal digits and numeric digits. The left decimalisation table in Figure 1 is typical ABCDEF ABCDEF Figure 1: Normal and attack decimalisation tables This table is not considered a sensitive input by many HSMs, so an arbitrary table can be provided along with the account number and a trial PIN. But by manipulating the contents of the table it becomes possible to learn much more about the value of the PIN than simply excluding a single combination. For example, if the right hand table is used, a match with a trial pin of 0000 will confirm that the PIN does not contain the number 7, thus eliminating over 10% of the possible combinations. We first present a simple scheme that can derive most PINs in around 24 guesses, and then an adaptive scheme which maximises the amount of information learned from each guess, and takes an average of 15 guesses. Finally, a third scheme is presented which demonstrates that the attack is still viable even when the attacker cannot control the guess against which the PIN is matched. Section 2 of the paper sets the attack in the context of a retail banking environment, and explains why it may not be spotted by typical security measures. Section 3 describes PIN generation and verification methods, and section 4 describes the algorithms we have designed in detail. We present our results from genuine trials in section 5, discuss preventative measures in section 6, and draw our conclusions in section 7. 2 Banking Security Banks have traditionally led the way in fighting fraud from both insiders and outsiders. They have developed protection methods against insider fraud including double-entry book-keeping, functional separation, and compulsory holiday periods for staff, and they recognise the need for regular security audits. These methods successfully reduce fraud to an acceptable level for banks, and in conjunction with an appropriate legal framework for liability, they can also protect customers against the consequences of fraud. However, the increasing complexity of bank computer systems has not been accompanied by sufficient development in understanding of fraud prevention methods. The introduction of HSMs to protect customer PINs was a step in the right direction, but even in 2002 these devices have not been universally adopted, and those that are used have been shown time and time again not to be impervious to attack [1, 2, 5]. Typical banking practice seeks only to reduce fraud to an acceptable level, but this translates poorly into security requirements; it is impossible to accurately assess the security exposure of a given flaw, which could be an isolated incident or the tip of a huge iceberg. This sort of risk management conflicts directly with modern security design practice where robustness is crucial. There are useful analogues in the design of cryptographic algorithms. Designers who make just-strong-enough algorithms and trade robustness for speed or 4

5 export approval play a dangerous game. The cracking of the GSM mobile phone cipher A5 is but one example [3]. And as just-strong-enough cryptographic algorithms continue to be used, the risk of fraud from brute force PIN guessing is still considered acceptable, as it should take at least 10 minutes to guess a single PIN at the maximum transaction rate of typical modules deployed in the 80s. Customers are expected to notice the phantom withdrawals and report them before the attacker could capture enough PINs to generate a significant liability for the banks. Even with the latest HSMs that support a transaction rate ten times higher, the sums of money an attacker could steal are small from the perspective of a bank. But now that the PIN decimalisation table has been identified as an security relevant data item, and the attacks described in this paper show how to exploit uncontrolled access to it, brute force guessing is over two orders of magnitude faster. Enough PINs to unlock access to over 2 million can be stolen in one lunch break! A more sinister threat is the perpetration of a smaller theft, where the necessary transactions are well camouflaged within the banks audit trails. PIN verifications are not necessarily centrally audited at all, and if we assume that they are, the 15 or so transactions required will be hard for an auditor to spot amongst a stream of millions. Intrusion detection systems do not fare much better suppose a bank has an extremely strict audit system that tracks the number of failed guesses for each account, raising an alarm if there are three failures in a row. The attacker can discover a PIN without raising the alarm by inserting the attack transactions just before genuine transactions from the customer which will reset the count. No matter what the policies of the intrusion detection system it is impossible to keep them secret, thus a competent programmer could evade them. The very reason that HSMs were introduced into banks was that mainframe operating systems only satisfactorily protected data integrity, and could not be trusted to keep data confidential from programmers. So as the economics of security flaws like these develops into a mature field, it seems that banks need to update their risk management strategies to take account of the volatile nature of the security industry. They also have a responsibility to their customers to reassess liability for fraud in individual cases, as developments in computer security continually reshape the landscape over which legal disputes between bank and customer are fought. 3 PIN Generation & Verification Techniques There are a number of techniques for PIN generation and verification, each proprietary to a particular consortium of banks who commissioned a PIN processing system from a different manufacturer. The IBM CCA supports a representative sample, shown in Figure 2. We IBM 3624-Offset method in more detail as it is typical of decimalisation table use. 3.1 The IBM 3624-Offset PIN Derivation Method The IBM 3624-Offset method was developed to support the first generation of ATMs and has thus been widely adopted and mimicked. The method was designed so that offline ATMs would be able to verify customer PINs without needing the processing power and 5

6 Method IBM 3624 IBM 3624-Offset Netherlands PIN-1 IBM German Bank Pool Institution VISA PIN-Validation Value Interbank PIN Uses Dectables yes yes yes yes Figure 2: Common PIN calculation methods storage to manipulate an entire database of customer account records. Instead, a scheme was developed where the customer s PIN could be calculated from their account number by encryption with a secret key. The account number was made available on the magnetic stripe of the card, so the ATM only needed to securely store a single cryptographic key. An example PIN calculation is shown in Figure 4. The account number is represented using ASCII digits, and then interpreted as a hexadecimal input to the DES block cipher. After encryption with the secret PIN generation key, the output is converted to hexadecimal, and all but the first four digits are discarded. However, these four digits might contain the hexadecimal digits A - F, which are not available on a standard numeric keypad and would be confusing to customers, so they are mapped back to decimal digits using a decimalisation table (Figure 3) ABCDEF Figure 3: A typical decimalisation table Account Number Encrypted Accno 3F7C CA 8AB3 Shortened Enc Accno 3F7C ABCDEF Decimalised PIN 3572 Public Offset 4344 Final PIN 7816 Figure 4: IBM 3624-Offset PIN Generation Method 6

7 The example PIN of 3F7C thus becomes Finally, to permit the cardholders to change their PINs, an offset is added which is stored in the mainframe database along with the account number. When an ATM verifies an entered PIN, it simply subtracts the offset from the card before checking the value against the decimalised result of the encryption. 3.2 Hardware Security Module APIs Bank control centres and ATMs use Hardware Security Modules (HSMs), which are charged with protecting PIN derivation keys from corrupt employees and physical attackers. An HSM is a tamper-resistant coprocessor that runs software providing cryptographic and security related services. Its API is designed to protect the confidentiality and integrity of data while still permitting access according to a configurable usage policy. Typical financial APIs contain transactions to generate and verify PINs, translate guessed PINs between different encryption keys as they travel between banks, and support a whole host of key management functions. The usage policy is typically set to allow anyone with access to the host computer to perform everyday commands such as PIN verification, but to ensure that sensitive functions such as loading new keys can only be performed with authorisation from multiple employees who are trusted not to collude. IBM s Common Cryptographic Architecture [6] is a financial API implemented by a range of IBM HSMs, including the 4758, and the CMOS Cryptographic Coprocessor (for PCs and mainframes respectively). An example of the code for a CCA PIN verification is shown in Figure 5. Encrypted_PIN_Verify( A_RETRES, A_ED, // return codes 0,0=yes 4,19=no trial_pin_kek_in, pinver_key, // encryption keys for enc inputs (UCHAR*)"3624 " "NONE " // PIN block format " F" // PIN block pad digit (UCHAR*)" ", trial_pin, // encrypted_pin_block I_LONG(2), (UCHAR*)"IBM-PINO" "PADDIGIT", // PIN verification method I_LONG(4), // # of PIN digits = 4 " " // decimalisation table " " // PAN_data (account number) "0000 " // offset data ); Figure 5: Sample code for PIN verification in CCA The crucial inputs to Encrypted_PIN_Verify are the decimalisation table, the PAN_data, and the encrypted_pin_block. The first two are supplied in the clear and are straightforward for the attacker to manipulate, but obtaining an encrypted_pin_block that represents a chosen trial PIN is rather harder. 7

8 3.3 Obtaining chosen encrypted trial PINs Some bank systems permit clear entry of trial PINs from the host software. For instance, this functionality may be required to input random PINs when generating PIN blocks for schemes that do not use decimalisation tables. The appropriate CCA command is Clear_PIN_Encrypt, which will prepare an encrypted PIN block from the chosen PIN. It should be noted that enabling this command carries other risks as well as permitting our attacks. If there is not randomised padding of PINs before they are encrypted, an attacker could make a table of known trial encrypted PINs, compare each arriving encrypted PIN against this list, and thus easily determine its value. If it is still necessary to enable clear PIN entry in the absence of randomised padding, some systems can enforce that the clear PINs are only encrypted under a key for transit to another bank in which case the attacker cannot use these guesses as inputs to the local verification command. So, under the assumption that clear PIN entry is not available to the attacker, his second option is to enter the required PIN guesses at a genuine ATM, and intercept the encrypted PIN block corresponding to each guess as it arrives at the bank. Our adaptive decimalisation table attack only requires five different trial PINs 0000, 0001,0010, 0100, However the attacker might only be able to acquire encrypted PINs under a block format such as ISO-0, where the account number is embedded within the block. This would require him to manually input the five trial PINs at an ATM for each account that could be attacked a huge undertaking which totally defeats the strategy. A third and more most robust course of action for the attacker is to make use of the PIN offset capability to convert a single known PIN into the required guesses. This known PIN might be discovered by brute force guessing, or simply opening an account at that bank. Despite all these options for obtaining encrypted trial PINs it might be argued that the decimalisation table attack is not exploitable unless it can be performed without a single known trial PIN. To address these concerns, we created a third algorithm (described in the next section), which is of equivalent speed to the others, and does not require any known or chosen trial PINs. 4 Decimalisation Table Attacks In this section, we describe three attacks. First, we present a 2-stage simple static scheme which needs only about 24 guesses on average. The shortcoming of this method is that it needs almost twice as many guesses in the worst case. We show how to overcome this difficulty by employing an adaptive approach and reduce the number of necessary guesses to 22. Finally, we present an algorithm which uses PIN offsets to deduce a PIN from a single correct encrypted guess, as is typically supplied by the customer from an ATM. 4.1 Initial Scheme The initial scheme consists of two stages. The first stage determines which digits are present in the PIN. The second stage consists in trying all the possible pins composed of those digits. 8

9 Let D orig be the original decimalisation table. For a given digit i, consider a binary decimalisation table D i with the following property. The table D i has 1 at position x if and only if D orig has the digit i at that position. In other words, D i [x] = { 1 if D orig [x] = i, 0 otherwise. For example, for a standard table D orig = , the value of D 3 is In the first phase, for each digit i, we check the original PIN against the decimalisation table D i with a trial PIN of It is easy to see that the test fails exactly when the original PIN contains the digit i. Thus, using only at most 10 guesses, we have determined all the digits that constitute the original PIN. In the second stage we try every possible combination of those digits. Their actual number depends on how many different digits the PIN contains. The table below gives the details. Digits A AB ABC ABCD Possibilities AAAA(1) ABBB(4), AABB(6), AAAB(4) AABC(12), ABBC(12), ABCC(12) ABCD(24) The table shows that the second stage needs at most 36 guesses (when the original PIN contains 3 different digits), which gives 46 guesses in total. The expected number of guesses is, however, as small as about Adaptive Scheme The process of cracking a PIN can be represented by a binary search tree. Each node v contains a guess, i.e., a decimalisation table D v and a pin p v. We start at the root node and go down the tree along the path that is determined by the results of our guesses. Let p orig be the original PIN. At each node, we check whether D v (p orig ) = p v. Then, we move to the right child if yes and to the left child otherwise. Each node v in the tree can be associated with a list P v of original PINs such that p P v if and only if v is reached in the process described in the previous paragraph if we take p as the original PIN. In particular, the list associated with the root node contains all possible pins and the list of each leaf should contain only one element: an original PIN p orig. Consider the initial scheme described in the previous section as an example. For simplicity assume that the original PIN consists of two binary digits and the decimalisation table is trivial and maps 0 0 and 1 1. Figure 6 depicts the search tree for these settings. The main drawback of the initial scheme is that the number of required guesses depends strongly on the original PIN p orig. For example, the method needs only 9 guesses for p orig = 9999 (because after ascertaining that digit 0 8 do not occur in p orig this is the only 9

10 D 10 (p)? = 00 yes p = 11 no D 01 (p)? = 10 yes p = 10 no D 01 (p)? = 01 yes p = 01 no p = 00 Figure 6: The search tree for the initial scheme. D xy denotes the decimalisation table that maps 0 x and 1 y. possibility), but there are cases where 46 guesses are required. As a result, the search tree is quite unbalanced and thus not optimal. One method of producing a perfect search tree (i.e., the tree that requires the smallest possible numbers of guesses in the worst case) is to consider all possible search trees and choose the best one. This approach is, however, prohibitively inefficient because of its exponential time complexity with respect to the number of possible PINs and decimalisation tables. It turns out that not much is lost when we replace the exhaustive search with a simple heuristics. We will choose the values of D v and p v for each node v in the following manner. Let P v be the list associated with node v. Then, we look at all possible pairs of D v and p v and pick the one for which the probability of D v (p) = p v for p P v is as close to 1 2 as possible. This ensures that the left and right subtrees are approximately of the same size so the whole tree should be quite balanced. This scheme can be further improved using the following observation. Recall that the original PIN p orig is a 4-digit hexadecimal number. However, we do not need to determine it exactly; all we need is to learn the value of p = D orig (p orig ). For example, we do not need to be able to distinguish between 012D and ABC3 because for both of them p = It can be easily shown that we can build the search tree that is based on the value of p instead of p orig provided that the tables D v do not distinguish between 0 and A, 1 and B and so on. In general, we require each D v to satisfy the following property: for any pair of hexadecimal digits x, y: D orig [x] = D orig [y] must imply D v [x] = D v [y]. This property is not difficult to satisfy and in reward we can reduce the number of possible PINs from 16 4 = to 10 4 = Figure 7 shows a sample run of the algorithm for the original PIN p orig = PIN Offset Adaptive Scheme When the attacker does not know any encrypted trial PINs, and cannot encrypt his own guesses, he can still succeed by manipulating the offset parameter used to compensate for customer PIN change. Our final scheme has the same two stages as the initial scheme, so 10

11 No Possible pins Decimalisation table D v Trial pin p v D v (p orig )? p v = D v (p orig ) yes no no yes yes yes no no no yes no no no Figure 7: Sample output from adaptive test program our first task is to determine the digits present in the PIN. Assume that an encrypted PIN block containing the correct PIN for the account has been intercepted (the vast majority of arriving encrypted PIN blocks will satisfy this criterion), and for simplicity that the account holder has not changed his PIN and the correct offset is Using the following set of decimalisation tables, the attacker can determine which digits are present in the correct PIN. { D orig [x] + 1 if D orig [x] = i, D i [x] = D orig [x] otherwise. For example, for D orig = , the value of D 3 is He supplies the correct encrypted PIN block and the correct offset each time. As with the initial scheme, the second phase determines the positions of the digits present in the PIN, and is again dependent upon the number of repeated digits in the original PIN. Consider the common case where all the PIN digits are different, for example We can try to determine the position of the single 8 digit by applying an offset to different digits and checking for a match. Guess Guess Customer Customer Guess Decimalised Verify Offset Decimalisation Table Guess + Guess Offset Original PIN Result no yes no no Each different guessed offset maps the customer s correct guess to a new PIN which may or may not match the original PIN after it is decimalised using the modified table. This procedure is repeated until the position of all digits is known. Cases with all digits different will require at most 6 transactions to determine all the position data. Three 11

12 different digits will need a maximum of 9 trials, two digits different up to 13 trials, and if all the digits are the same no trials are required as there are no permutations. When the parts of the scheme are assembled, 16.5 guesses are required on average to determine a given PIN. 5 Results We first tested the adaptive algorithm exhaustively on all possible PINs. The distribution in Figure 8 was obtained. The worst case has been reduced from 45 guesses to 24 guesses, and the average has fallen from 24 to 15 guesses. We then implemented the attacks on the IBM Common Cryptographic Architecture (version 2.41, for the IBM 4758), and successfully extracted PINs generated using the IBM 3624 method. We also checked the attacks against the API specifications for the VISA Security Module (VSM), and found them to be effective. The VSM is the forerunner of a whole range of hardware security modules for PIN processing, and we believe that the attacks will also be effective against many of its successors Number of PINs Number of Attempts Figure 8: Distribution of guesses required using adaptive algorithm 12

13 6 Prevention It is easy to perform a check upon the validity of the decimalisation table. Several PIN verification methods that use decimalisation tables require that the table should be for the algorithm to function correctly, and in these cases the API need only enforce this requirement to regain security. However, PIN verification methods that support proprietary decimalisation tables are harder to fix. A checking procedure that ensures a mapping of the input combinations to the maximum number of possible output combinations will protect against the first two decimalisation table attacks, but not against the attack which exploits the PIN offset and uses only minor modifications to the genuine decimalisation table. To regain full security, the decimalisation table input must be cryptographically protected so that only authorised tables can be used. The only short-term alternative to the measures above is to use more advanced intrusion detection measures, and it seems that the long term message is clear: continuing to support decimalisation tables is not a robust approach to PIN verification. Unskewed randomly generated PINs stored encrypted in an online database such as are already used in some banks are significantly more secure. 7 Conclusions We are currently starting discussions with HSM manufacturers with regard to the practical implications of the attacks. It is very costly to modify the software which interacts with HSMs, and while update of the HSM software is cheaper, the system will still need testing, and the update may involve a costly re-initialisation phase. Straightforward validity checking for decimalisation tables should be easy to implement, but full protection that retains compatibility with existing mainframe software will be hard to achieve. It will depend upon the intrusion detection capabilities offered by each particular manufacturer. We hope to have a full understanding of the impact of these attacks and of the optimal preventative measures in the near future. Although HSMs have existed for two decades, formal study of their security APIs is still in its infancy. Previous work by one of the authors [5, 4] has uncovered a whole host of diverse flaws in APIs, some at the protocol level, some exploiting properties of the underlying crypto algorithms, and some exploiting poor design of procedural controls. The techniques behind the decimalisation table attacks do not just add another string to the bow of the attacker they further confirm that designing security APIs is one of the toughest challenges facing the security community. It is hard to see how any one methodology for gaining assurance of correctness can provide worthwhile guarantees, given the diversity of attacks at the API level. More research is needed into methods for API analysis, but for the time being we may have to concede that writing correct API specifications is as hard as writing correct code, and enter the traditional arms race between attack and defence that so many software products have to fight. 13

14 Acknowledgements We would like to thank Richard Clayton and Ross Anderson for their helpful contributions and advice. Mike Bond was able to conduct the research thanks to the funding received from the UK Engineering and Physical Research Council (EPSRC) and Marconi plc. Piotr Zieliński was supported by a Cambridge Overseas Trust Scholarship combined with an ORS Award, as well as by a Thaddeus Mann Studentship from Trinity Hall College. References [1] R. Anderson: Why Cryptosystems Fail Communications of the ACM, 37(11), pp32 40 (Nov 1994) [2] R. Anderson: The Correctness of Crypto Transaction Sets Proc. Cambridge Security Protocols Workshop 2000 LNCS 2133, Springer-Verlag, pp (2000) [3] A. Biryukov, A. Shamir, D. Wagner Real Time Cryptanalysis of A5/1 on a PC Proceedings of Fast Software Encryption 2000 [4] M. Bond, R. Anderson API-Level Attacks on Embedded Systems IEEE Computer Magazine, October 2001, pp [5] M. Bond: Attacks on Cryptoprocessor Transaction Sets Proc. Workshop Cryptographic Hardware and Embedded Systems (CHES 2001), LNCS 2162, Springer-Verlag, pp (2001) [6] IBM Inc.: IBM 4758 PCI Cryptographic Coprocessor CCA Basic Services Reference and Guide for the IBM , Release IBM, Armonk, N.Y. (1999) 14

### Hardware Security Modules: Attacks and Secure Configuration. Graham Steel

Hardware Security Modules: Attacks and Secure Configuration Graham Steel Graham Steel April 2014 Graham Steel - HSM Attacks and Secure Configuration April 2014-2/ 56 Secure Hardware History Military: WW2

### Model Checking Security APIs

Model Checking Security APIs Gavin Keighren E H U N I V E R S I T Y T O H F G R E D I N B U Master of Science Artificial Intelligence School of Informatics University of Edinburgh 2006 Abstract Devices

### Chip and PIN is Broken a view to card payment infrastructure and security

Date of Acceptance Grade Instructor Chip and PIN is Broken a view to card payment infrastructure and security Petri Aaltonen Helsinki 16.3.2011 Seminar Report Security Testing UNIVERSITY OF HELSINKI Department

### Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

### Why Cryptosystems Fail. By Ahmed HajYasien

Why Cryptosystems Fail By Ahmed HajYasien CS755 Introduction and Motivation Cryptography was originally a preserve of governments; military and diplomatic organisations used it to keep messages secret.

### Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart OV-Chipkaart Security Issues Tutorial for Non-Expert Readers The current debate concerning the OV-Chipkaart security was

### EMV and Small Merchants:

September 2014 EMV and Small Merchants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service

### The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

A Guide to EMV Version 1.0 May 2011 Objective Provide an overview of the EMV specifications and processes What is EMV? Why EMV? Position EMV in the context of the wider payments industry Define the role

### A Secure RFID Ticket System For Public Transport

A Secure RFID Ticket System For Public Transport Kun Peng and Feng Bao Institute for Infocomm Research, Singapore Abstract. A secure RFID ticket system for public transport is proposed in this paper. It

### Effective Secure Encryption Scheme [One Time Pad] Using Complement Approach Sharad Patil 1 Ajay Kumar 2

Effective Secure Encryption Scheme [One Time Pad] Using Complement Approach Sharad Patil 1 Ajay Kumar 2 Research Student, Bharti Vidyapeeth, Pune, India sd_patil057@rediffmail.com Modern College of Engineering,

White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is

### CRYPTOGRAPHY IN NETWORK SECURITY

ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

### Hardware Security Modules for Protecting Embedded Systems

Hardware Security Modules for Protecting Embedded Systems Marko Wolf, ESCRYPT GmbH Embedded Security, Munich, Germany André Weimerskirch, ESCRYPT Inc. Embedded Security, Ann Arbor, USA 1 Introduction &

### EMV and Restaurants: What you need to know. Mike English. October 2014. Executive Director, Product Development Heartland Payment Systems

October 2014 EMV and Restaurants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service marks

### Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

Mitigating Server Breaches with Secure Computation Yehuda Lindell Bar-Ilan University and Dyadic Security The Problem Network and server breaches have become ubiquitous Financially-motivated and state-sponsored

### Security Failures in Smart Card Payment Systems: Tampering the Tamper-Proof

Security Failures in Smart Card Payment Systems: Tampering the Tamper-Proof Saar Drimer Steven J. Murdoch Ross Anderson www.cl.cam.ac.uk/users/{sd410,sjm217,rja14} Computer Laboratory www.torproject.org

### Relay attacks on card payment: vulnerabilities and defences

Relay attacks on card payment: vulnerabilities and defences Saar Drimer, Steven J. Murdoch http://www.cl.cam.ac.uk/users/{sd410, sjm217} Computer Laboratory www.torproject.org 24C3, 29 December 2007, Berlin,

### Today. Important From Last Time. Old Joke. Computer Security. Embedded Security. Trusted Computing Base

Important From Last Time A system is safety critical when its failure may result in injuries or deaths Verification and validation can dominate overall development effort Today Embedded system security

### Smart Cards for Payment Systems

White Paper Smart Cards for Payment Systems An Introductory Paper describing how Thales e-security can help banks migrate to Smart Card Technology Background In this paper: Background 1 The Solution 2

### EMV flaws and fixes: vulnerabilities in smart card payment systems

EMV flaws and fixes: vulnerabilities in smart card payment systems Steven J. Murdoch www.cl.cam.ac.uk/users/sjm217 OpenNet Initiative Computer Laboratory www.opennet.net COSIC seminar, 11 June 2007, ESAT,

### Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology

Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology The greatest threat: the Human Being Why is the Human Being the greatest threat?: The Human Being is an integrated

### The Encryption Technology of Automatic Teller Machine Networks

Software Engineering 4C03 Winter 2005 The Encryption Technology of Automatic Teller Machine Networks Researcher: Shun Wong Last revised: April 2nd, 2005 1 Introduction ATM also known as Automatic Teller

### Payment systems. Tuomas Aura T-110.4206 Information security technology

Payment systems Tuomas Aura T-110.4206 Information security technology Outline 1. Money transfer 2. Card payments 3. Anonymous payments 2 MONEY TRANSFER 3 Common payment systems Cash Electronic credit

### 2 Protocol Analysis, Composability and Computation

2 Protocol Analysis, Composability and Computation Ross Anderson, Michael Bond Security protocols early days The study of security protocols has been associated with Roger Needham since 1978, when he published

### A very short history of networking

A New vision for network architecture David Clark M.I.T. Laboratory for Computer Science September, 2002 V3.0 Abstract This is a proposal for a long-term program in network research, consistent with the

### Credit cards explained

Credit cards explained What is a credit card? As its name suggests, a credit card lets you buy things on credit meaning that you don t need to have the money upfront to pay for your purchases. If large,

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Consumer FAQs. 1. Who is behind the BuySafe initiative? 2. Why should I use a PIN? 3. Do all transactions need a PIN?

Consumer FAQs 1. Who is behind the BuySafe initiative? The Industry Security Initiative (ISI)/BuySafe initiative comprises representatives of ten Australian financial institutions including all of the

### The Merchant. Skimming is No Laughing Matter. A hand held skimming device. These devices can easily be purchased online.

1 February 2010 Volume 2, Issue 1 The Merchant Serving Florida State University s Payment Card Community Individual Highlights: Skimming Scam 1 Skimming at Work 2 Safe at Home 3 Read your Statement 4 Useful

### Security for Computer Networks

Security for Computer Networks An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer D. W. Davies Consultant for Data Security and W. L. Price National Physical Laboratory, Teddington,

### Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.

### Cryptography and Network Security

Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard

### Payment systems. Tuomas Aura T-110.4206 Information security technology. Aalto University, autumn 2012

Payment systems Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2012 Outline 1. Money transfer 2. Card payments 3. Anonymous payments 2 MONEY TRANSFER 3 Common payment systems

### IoT Security Concerns and Renesas Synergy Solutions

IoT Security Concerns and Renesas Synergy Solutions Simon Moore CTO - Secure Thingz Ltd Agenda Introduction to Secure.Thingz. The Relentless Attack on the Internet of Things Building protection with Renesas

### White Paper: Multi-Factor Authentication Platform

White Paper: Multi-Factor Authentication Platform Version: 1.4 Updated: 29/10/13 Contents: About zero knowledge proof authentication protocols: 3 About Pairing-Based Cryptography (PBC) 4 Putting it all

### IBM Crypto Server Management General Information Manual

CSM-1000-0 IBM Crypto Server Management General Information Manual Notices The functions described in this document are IBM property, and can only be used, if they are a part of an agreement with IBM.

### Extending Security Protocol Analysis : New Challenges

ARSPA 2004 Preliminary Version Extending Security Protocol Analysis : New Challenges Mike Bond 1,2 Computer Laboratory University of Cambridge Cambridge, UK. Jolyon Clulow 1,3 Computer Laboratory University

### Using EMV Cards to Protect E-commerce Transactions

Using EMV Cards to Protect E-commerce Transactions Vorapranee Khu-Smith and Chris J. Mitchell Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, United Kingdom {V.Khu-Smith,

### Be*PINWISE Cardholder FAQs

Be*PINWISE Cardholder FAQs 1. Who is behind the BuySafe initiative? The Industry Security Initiative (ISI)/BuySafe initiative comprises representatives of ten Australian financial institutions including

### Fighting product clones through digital signatures

Paul Curtis, Katrin Berkenkopf Embedded Experts Team, SEGGER Microcontroller Fighting product clones through digital signatures Product piracy and forgery are growing problems that not only decrease turnover

### EMV-TT. Now available on Android. White Paper by

EMV-TT A virtualised payment system with the following benefits: MNO and TSM independence Full EMV terminal and backend compliance Scheme agnostic (MasterCard and VISA supported) Supports transactions

### PrivyLink Cryptographic Key Server *

WHITE PAPER PrivyLink Cryptographic Key * Tamper Resistant Protection of Key Information Assets for Preserving and Delivering End-to-End Trust and Values in e-businesses September 2003 E-commerce technology

### Research Article. Research of network payment system based on multi-factor authentication

Available online www.jocpr.com Journal of Chemical and Pharmaceutical Research, 2014, 6(7):437-441 Research Article ISSN : 0975-7384 CODEN(USA) : JCPRC5 Research of network payment system based on multi-factor

### Data Encryption A B C D E F G H I J K L M N O P Q R S T U V W X Y Z. we would encrypt the string IDESOFMARCH as follows:

Data Encryption Encryption refers to the coding of information in order to keep it secret. Encryption is accomplished by transforming the string of characters comprising the information to produce a new

### Guide to Data Field Encryption

Guide to Data Field Encryption Contents Introduction 2 Common Concepts and Glossary 3 Encryption 3 Data Field Encryption 3 Cryptography 3 Keys and Key Management 5 Secure Cryptographic Device 7 Considerations

### Security in Electronic Payment Systems

Security in Electronic Payment Systems Jan L. Camenisch, Jean-Marc Piveteau, Markus A. Stadler Institute for Theoretical Computer Science, ETH Zurich, CH-8092 Zurich e-mail: {camenisch, stadler}@inf.ethz.ch

### Patterns for Secure Boot and Secure Storage in Computer Systems

Patterns for Secure Boot and Secure Storage in Computer Systems Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany {hans.loehr,ahmad.sadeghi,marcel.winandy}@trust.rub.de

### Cyber Security Workshop Encryption Reference Manual

Cyber Security Workshop Encryption Reference Manual May 2015 Basic Concepts in Encoding and Encryption Binary Encoding Examples Encryption Cipher Examples 1 P a g e Encoding Concepts Binary Encoding Basics

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### Risk mitigation for sensitive applets in a multi-application context. Marc Witteman, CTO Riscure Security Lab

Risk mitigation for sensitive applets in a multi-application context Marc Witteman, CTO Riscure Security Lab witteman@riscure.com Abstract: Modern Java Card platforms support co-existence of multiple applets

### Target Security Breach

Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected

### Protected Cash Withdrawal in Atm Using Mobile Phone

www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 2 Issue 4 April, 2013 Page No. 1346-1350 Protected Cash Withdrawal in Atm Using Mobile Phone M.R.Dineshkumar

### Visa Inc. PIN Entry Device Requirements

Visa Inc. PIN Entry Device Requirements The following information is applicable for Visa Inc. regions. Visa Inc. regions include Asia-Pacific (AP); Central and Eastern Europe, Middle East and Africa (CEMEA);

### The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems

DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

### INTEGRATION OF DIGITAL SIGNATURES INTO THE EUROPEAN BUSINESS REGISTER. Abstract:

INTEGRATION OF DIGITAL SIGNATURES INTO THE EUROPEAN BUSINESS REGISTER Helmut Kurth Industrieanlagen Betriebsgesellschaft mbh Einsteinstr. 20 D-85521 Ottobrunn, Germany kurth@iabg.de Abstract: In the INFOSEC

### Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011

Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011 On 5 th March 2010, The Association of Banks in Singapore announced key measures to adopt a holistic

### PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS

### Secure upgrade of hardware security modules in bank networks

In proceedings of ARSPA-WITS. Springer LNCS. Secure upgrade of hardware security modules in bank networks Riccardo Focardi and Flaminia L. Luccio Università Ca Foscari Venezia, {focardi,luccio}@dsi.unive.it

### Data Protection: From PKI to Virtualization & Cloud

Data Protection: From PKI to Virtualization & Cloud Raymond Yeung CISSP, CISA Senior Regional Director, HK/TW, ASEAN & A/NZ SafeNet Inc. Agenda What is PKI? And Value? Traditional PKI Usage Cloud Security

Aegis Padlock for business Problem: Securing private information is critical for individuals and mandatory for business. Mobile users need to protect their personal information from identity theft. Businesses

### Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance

Emerging Technology Whitepaper Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance For Transmissions of Cardholder Data and Sensitive Authentication Data Program Guide Version

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

### Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science Table of Contents - Objective - Cryptography: An Overview - Symmetric Key - Asymmetric Key - Transparent Key: A Paradigm Shift - Security

### STANDARD SERIES GLI-18: Promotional Systems in Casinos. Version: 2.1

STANDARD SERIES GLI-18: Promotional Systems in Casinos Version: 2.1 Release Date: This Page Intentionally Left Blank ABOUT THIS STANDARD This Standard has been produced by Gaming Laboratories International,

### A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Secret Key Cryptography (I) 1 Introductory Remarks Roadmap Feistel Cipher DES AES Introduction

### Resource 3.9. A Guide to Online Payment Facilities

A Guide to Online Payment Facilities Resource 3.9 Online consumers expect a high level of service and a seamless shopping experience when they purchase goods and services over the Internet. One of the

### PCI and EMV Compliance Checkup

PCI and EMV Compliance Checkup ATM Security Jim Pettitt Director, ATM Security Diebold Incorporated Agenda ATM threats today Top of mind risk PCI Impact on Security U.S. EMV Migration Conclusions / recommendations

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### SCADA System Security, Complexity, and Security Proof

SCADA System Security, Complexity, and Security Proof Reda Shbib, Shikun Zhou, Khalil Alkadhimi School of Engineering, University of Portsmouth, Portsmouth, UK {reda.shbib,shikun.zhou,khalil.alkadhimi}@port.ac.uk

### Cryptography and Network Security 1. Overview. Lectured by Nguyễn Đức Thái

Cryptography and Network Security 1. Overview Lectured by Nguyễn Đức Thái Outline Security concepts X.800 security architecture Security attacks, services, mechanisms Models for network (access) security

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### One Time Pad Encryption The unbreakable encryption method

One Time Pad Encryption The unbreakable encryption method One Time Pad The unbreakable encryption method One Time Pad encryption is a very simple, yet completely unbreakable cipher method. It has been

### One is happenstance; twice is coincidence; but three times is enemy action. Goldfinger Simplicity is the ultimate sophistication.

CHAPTER 18 API Attacks One is happenstance; twice is coincidence; but three times is enemy action. Goldfinger Simplicity is the ultimate sophistication. Leonardo Da Vinci 18.1 Introduction Many supposedly

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Secure Hardware PV018 Masaryk University Faculty of Informatics

Secure Hardware PV018 Masaryk University Faculty of Informatics Jan Krhovják Vašek Matyáš Roadmap Introduction The need of secure HW Basic terminology Architecture Cryptographic coprocessors/accelerators

### Defeating Credit Card Fraud What Retailers Need to Know

What Retailers Need to Know - Credit Card Fraud is a Global Issue - Visa and MasterCard Take Steps to Address Device Tampering - How Vulnerable are You to Fraud? - Is Now the Time to Upgrade Your Equipment?

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

### Message Authentication

Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

### Symmetric Key cryptosystem

SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single

### ENHANCING ATM SECURITY USING FINGERPRINT AND GSM TECHNOLOGY

Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 4, April 2014,

### YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is

### Video Intelligence Platform

Security Whitepaper Five Tips to Fight ATM Skimming ATM skimming is a global crime that incurs annual losses of \$1 billion. At the basic level, thieves seek to extract cash from bank accounts; however,

### How Smartcard Payment Systems Fail. Ross Anderson Cambridge

How Smartcard Payment Systems Fail Ross Anderson Cambridge The EMV protocol suite Named for Europay- MasterCard- Visa; also known as chip and PIN Developed late 1990s; deployed in UK ten years ago (2003

### 6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information

### Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

### Handling of card data in conformance with PCI DSS

Handling of card data in conformance with PCI DSS Version 2 June 2010 Objective MasterCard, Visa, American Express, Diners and JCB have together created the framework PCI DSS (Payment Card Industry Data

### Making your web application. White paper - August 2014. secure

Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why

### Cumberland Business Debit Card. Terms & Conditions

Cumberland Business Debit Card Terms & Conditions These Conditions apply to the use of business debit cards issued by Cumberland Building Society ( the Society ) by which you can: withdraw money, or obtain

### SECURITY IN NETWORKS

SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,

### Meet The Family. Payment Security Standards

Meet The Family Payment Security Standards Meet The Family Payment Security Standards Payment Processing Electronic payments are increasingly becoming part of our everyday lives. For most people, it can