`Computer Data Security
`
`Carl H. Meyer Stephen M. Matyas
`
`A Guide for the Design and
`Implementation of Secure Systems
`
`MasterCard, Exh. 1022, p. 1
`
`
`
Copyright © 1982 by John Wiley & Sons, Inc.
`All rights reserved. Published simultaneously in Canada.
`
`Reproduction or translation of any part of this work
`beyond that permitted by Section 107 or 108 of the
`1976 United States Copyright Act without the permission
`of the copyright owner is unlawful. Requests for
`permission or further information should be addressed to
`the Permissions Department, John Wiley & Sons, Inc.
`
`This publication is designed to provide accurate and
`authoritative information in regard to the subject
`matter covered. It is sold with the understanding that
`the publisher is not engaged in rendering legal, accounting,
`or other professional service. If legal advice or other
`expert assistance is required, the services of a competent
`professional person should be sought. From a Declaration
`of Principles jointly adopted by a Committee of the
`American Bar Association and a Committee of Publishers.
`
Library of Congress Cataloging in Publication Data:
Meyer, Carl, Ph.D.
Cryptography: a guide for the design and
implementation of cryptographic systems.

Bibliography: p.
Includes index.
1. Cryptography--Handbooks, manuals, etc.
I. Matyas, Stephen. II. Title.

Z103.M55   001.54'36   82-2831
ISBN 0-471-04892-5   AACR2
`
`Printed in the United States of America
`
`10 9 8 7 6 5 4 3 2
`
`Contents
`
`Abbreviations, XIX
`
`1. THE ROLE OF CRYPTOGRAPHY IN ELECTRONIC DATA
`PROCESSING
`
`Cryptography, Privacy, and Data Security, 1
`Attack Scenarios, 1
`Technical Implications of Privacy Legislation, 4
`
`The Data Encryption Standard, 6
`Demonstrating Effective Cryptographic Security, 8
`
`The Outlook for Cryptography, 10
`
`References, 11
`
`2. BLOCK CIPHERS AND STREAM CIPHERS
`
`13
`
`Cryptographic Algorithms, 14
`Enciphering and Deciphering, 14
`Work Factor, 18
`Types of Attacks, 20
`Designing an Algorithm, 20
`
`Block Ciphers, 23
`Conventional Algorithms, 26
`Public-Key Algorithms, 32
`RSA Algorithm, 33
`Trapdoor Knapsack Algorithm, 48
`
`Stream Ciphers, 53
`Block Ciphers with Chaining, 62
`Patterns Within Data, 62
Block Chaining Using a Variable Key, 67
`Block Chaining Using Plaintext and Ciphertext Feedback, 69
`A Self-Synchronizing Scheme Using Ciphertext Feedback, 71
`Examples of Block Chaining, 73
`Short Block Encryption, 73
`
`Stream Ciphers with Chaining, 85
`A Chaining Method with the Property of Error Propagation, 86
`A Chaining Method with the Property of Self-Synchronization, 88
`Cipher Feedback Stream Cipher, 91
`Effects of Padding and Initializing Vectors, 98
`
`Cryptographic Message Authentication Using Chaining Techniques, 100
`
`Comparison of Block Ciphers and Stream Ciphers, 105
`
`References, 111
`
`3. THE DATA ENCRYPTION STANDARD
`
`113
`
`Classes of Ciphers, 113
`
`Design Criteria, 118
`Breaking a System with Two Key-Tapes, 118
`Breaking a Key Auto-Key Cipher Using Linear Shift Registers, 121
`Breaking a Plaintext Auto-Key Cipher Using Linear Shift Registers, 129
Designing a Cipher, 137
`
`Description of the Data Encryption Standard, 141
`Generation of Key Vectors Used for Each Round of DES, 143
`Weak and Semiweak Keys, 147
`Details of the DES Algorithm, 153
`Summary of the DES Procedure, 159
`Numerical Example, 160
`Some Remarks About the DES Design, 162
`Implementation Considerations for the S-Box Design, 163
`
`Analysis of Intersymbol Dependencies for the Data Encryption
`Standard, 165
`Interdependence Between Ciphertext and Plaintext, 168
`Interdependence Between Ciphertext and Key, 178
`Summary and Conclusions, 189
`
`References, 189
`
`4. COMMUNICATION SECURITY AND FILE SECURITY
`USING CRYPTOGRAPHY
`
`192
`
`Networks, 192
`
`Network Encryption Modes, 195
`
`Fundamentals of Link Encryption, 201
Asynchronous, 203
`Byte-Synchronous, 204
`Bit-Synchronous, 206
`
`An Overview of End-To-End Encryption, 206
`
`Cipher Key Allocation, 208
`Specification of Cipher Keys, 209
`An Example of the Encryption of Transmitted Data, 219
`An Example of the Encryption of a Data File, 222
`
`The Cryptographic Facility, 222
`
`Cipher Key Protection, 226
`Protection of Terminal Keys, 226
`Protection of Host Keys, 228
Hierarchy of Cipher Keys, 232
`
`The Host Cryptographic System, 234
`
`Basic Cryptographic Operations, 237
`Cryptographic Operations at a Terminal, 239
`Cryptographic Operations at a Host, 243
`Key Parity, 249
Partitioning of Cipher Keys, 250
`Cipher Macro Instruction, 253
`
`Key Management Macro Instructions, 260
GENKEY and RETKEY Macros, 260
`Using GENKEY and RETKEY, 265
`The Cryptographic Key Data Set, 267
`Summary, 269
`References, 269
`
`5. THE HOST SYSTEM CRYPTOGRAPHIC OPERATIONS
`
`271
`
`Single-Domain Communication Security Using Pregenerated
`Primary Keys, 271
`
`Single-Domain Communication Security Using Dynamically Generated
`Primary Keys, 274
`Two Master Keys, 275
`Requirements, 278
`
`Single-Domain Communication Security and File Security Using
`Dynamically Generated Primary Keys, 278
`Problems Associated with Storing Enciphered Data, 278
`Three Master Keys, 280
`An Example of File Encryption, 283
`Requirements, 284
`
`Multiple-Domain Encryption, 284
`A Protocol for Communication Security, 285
`A Protocol for File Security, 288
`Transporting a New File, 288
`Transporting an Existing File, 289
`
`Additional Considerations, 291
`
`Extended Cryptographic Operations, 292
`Cryptographic Key Distribution Using Composite Keys, 293
`A Composite Key Protocol, 294
`Summary, 299
`References, 299
`
`6. GENERATION, DISTRIBUTION, AND INSTALLATION OF
`CRYPTOGRAPHIC KEYS
`
`300
`
`Generation of the Host Master Key, 301
`Tossing Coins, 301
`Throwing Dice, 302
`Random Number Table, 303
`
`Generation of Key-Encrypting Keys, 303
`A Weak Key-Generating Procedure, 304
`A Strong Key-Generating Procedure, 304
`An Alternate Approach for Generating Key-Encrypting Keys, 307
`Encipherment of Keys under the Master Key's Variants, 308
`Transforming Cryptographic Keys, 311
`
`Generation of Data-Encrypting Keys, 314
`An Approach for Generating Keys with the Cryptographic Facility, 315
`An Alternate Approach for Generating Data-Encrypting Keys, 316
Entering a Master Key at the Host Processor, 317
`Hard-Wired Entry, 318
`Indirect Entry, 321
`
`Attack Via External Manipulations, 322
`Master Key Entry at a Terminal, 323
`On-Line Checking, 323
Off-Line Checking, 323
`
`Distribution of Cryptographic Keys, 326
`Lost Cryptographic Keys, 327
`Recovery Techniques, 328
`Summary, 329
`References, 330
`
7. INCORPORATION OF CRYPTOGRAPHY INTO A
COMMUNICATIONS ARCHITECTURE
`
`331
`
`Session-Level Cryptography in a Single-Domain Network, 333
`Transparent Mode of Operation, 333
`Nontransparent Mode of Operation, 339
`
`Private Cryptography in a Single-Domain Network, 339
`Session-Level Cryptography in a Multidomain Network, 343
`
`Application Program-to-Application Program Cryptography, 347
`Padding Considerations, 349
`References, 349
`
`8. AUTHENTICATION TECHNIQUES USING CRYPTOGRAPHY
`
`350
`
`Fundamental Concepts, 350
`
`Handshaking, 351
`Message Authentication, 354
`Authentication of a Message's Origin, 354
`Authentication of a Message's Timeliness, 358
`Authentication of a Message's Contents, 359
`Authentication of a Message's Receiver, 364
`A Procedure for Message Authentication, 364
`
`Authentication of Time-Invariant Data, 367
`Authentication of Passwords, 368
`Authentication Using Test Patterns Generated from the Host
`Master Key, 371
`A Procedure for Authentication of Cryptographic Keys, 381
Another Authentication Method Using Test Patterns Generated from
`the Host Master Key, 382
`
`References, 385
`
9. DIGITAL SIGNATURES

386
`
`Significance of Signatures, 386
`Law of Acknowledgements, 387
`Law of Agency, 388
`Uniform Commercial Code, 388
`Contributory Negligence, 389
`Obtaining Digital Signatures, 390
`
`Universal Signatures, 391
`An Approach Using Public-Key Algorithms, 392
`An Approach Using Conventional Algorithms, 396
`
`Arbitrated Signatures, 409
`An Approach Using the DES Algorithm, 410
`An Example of Arbitrating a Signature, 412
`A Weak Approach, 414
`Additional Weaknesses, 416
`Using DES to Obtain Public-Key Properties, 417
`A Key Notarization System for Computer Networks, 417
`A Method Using Variants of the Host Master Key, 421
`
`Legalizing Digital Signatures, 423
`Initial Written Agreement, 424
`Choice of Law, 425
`Judicial Notice Recognized, 426
`
`References, 427
`
`10. APPLYING CRYPTOGRAPHY TO PIN-BASED ELECTRONIC
FUNDS TRANSFER SYSTEMS
`
`429
`
`Introduction, 429
`Section One-Basic PIN Concepts, 430
`Why PINs?, 430
`PIN Secrecy, 431
`PIN Length, 432
`Allowable PIN Entry Attempts, 433
`PIN Issuance, 434
`PIN Validation for Local Transactions, 440
`PIN Validation for Interchange Transactions, 441
`Conclusions, 443
`Section Two-EFT Fraud Threats, 444
`EFT Fraud Categories, 445
`Passive Fraud Threats, 446
`Relative Risks, 448
`Active Fraud Threats, 449
`Fraud and Liability, 451
`Conclusions, 453
`Section Three-Principles of Fraud Prevention, 454
`Cryptography, The Tool for Fraud Prevention, 454
`Preventing Passive Fraud Threats, 455
Preventing Active Fraud Threats, 457
`Fraud Prevention in Interchange, 461
`Conclusions, 463
`Section Four-Implementation of Fraud Prevention Techniques, 464
`Suggested Characteristics of Hardware Security Module
`Implementation, 464
`Suggested Capabilities, 465
PIN Validation, 467
`Key Management, 468
`MAC Generation, 469
`Utilization, 469
`Conclusions, 473
`References, 473
`
`11. APPLYING CRYPTOGRAPHY TO ELECTRONIC FUNDS
`TRANSFER SYSTEMS-PERSONAL IDENTIFICATION
`NUMBERS AND PERSONAL KEYS
`
`474
`
`Background, 474
`Security Exposures in EFT Systems, 478
`
`Communication Link Security, 478
`Computer Security, 478
`Terminal Security, 479
`Bank Card Security, 481
`Identification and Authentication of System Users, 482
`Transferable User Characteristics, 482
`Nontransferable User Characteristics, 482
`Requirements for Personal Verification and Message Authentication, 483
`Authentication Parameter, 484
`Personal Authentication Code, 486
`Personal Verification Using AP Only, 487
`Personal Verification Using AP and PAC, 488
`Message Authentication Using a MAC, 489
`EFT Security Requirements, 490
`Comments on the EFT Security Requirements, 499
`
`Personal Verification in the On-Line Mode, 499
`Personal Verification with Dependent PINs and Dependent
`Personal Keys, 500
`Personal Verification with Independent PINs and Independent
`Personal Keys, 502
`Minimizing Card Storage Requirements, 507
`
`Personal Verification in the Off-Line and Off-Host Modes, 511
`Personal Verification with System-Selected PINs Employing a
`PIN Generating Key, 512
`Personal Verification with User-Selected PINs Employing Offsets, 514
Personal Verification with User-Selected PINs Employing PACs, 514
`
`Guidelines for Cryptographic Designs, 517
`Threats to PIN Secrecy, 520
`Key Management Requirements, 523
`Threats to the Secrecy of a Key Stored on a Magnetic Stripe Card, 526
`The PIN/System Key Approach, 530
`Key Management Considerations for PIN/System Key Approach, 535
`Defending Against the Misrouting Attack, 536
`A PIN/System Key Approach for Noninterchange, 541
`A PIN/System Key Approach for Interchange, 541
`Disadvantages of the PIN/System Key Approach, 544
`Advantages of the PIN/System Key Approach, 545
`
`The PIN/Personal Key Approach, 546
`Description of a PIN/Personal Key Approach Using a Magnetic
`Stripe Card, 546
`Key Management Considerations for PIN/Personal Key Approach, 548
`Advantages of the PIN/Personal Key Approach, 548
`Objections to the PIN/Personal Key Approach Using a Magnetic
`Stripe Card, 549
`Personal Key Approach with an Intelligent Secure Card, 551
`
`The PIN/Personal Key/System Key (Hybrid Key Management) Approach
`Using an Intelligent Secure Card, 557
`Description of a Hybrid Key Management Approach, 558
`Key Management Considerations for the Hybrid Approach, 561
Hybrid Key Management Approach for Noninterchange, 562
`Hybrid Key Management Approach for Interchange, 566
`Cryptographic Considerations for an Intelligent Secure Card, 569
`Security Enhancements with Digital Signatures, 569
Advantages, 576
`
`Key Management Considerations-Symmetric Versus Asymmetric
`Algorithms, 577
`Authentication With and Without Secrecy, 578
`Secrecy Without Authentication, 583
`
`A Cryptographic System Using an Intelligent Secure Card and a
`Public-Key Algorithm, 588
`Description of a Public Key Management Approach, 589
`Key Management Considerations for Asymmetric Algorithms, 593
Off-Line Use, 594
`On-Line Use in Interchange and Noninterchange, 596
`Concluding Remarks, 604
`
`Glossary, 604
`
`References, 605
`
`12. MEASURES OF SECRECY FOR CRYPTOGRAPHIC
`SYSTEMS
`
`607
`
`Elements of Mathematical Cryptography, 608
`Information Flow in a Conventional Cryptographic System, 608
`A Cipher with Message and Key Probabilities, 609
`The Random Cipher, 614
`Number of Meaningful Messages in a Redundant Language, 615
`
`Probabilistic Measures of Secrecy Using a Random Cipher, 618
`Probability of Obtaining the Key When Only Ciphertext Is Available
`for Analysis, 618
`An Example of Simple Substitution on English (Ciphertext Only), 621
`Probability of Obtaining the Key When Plaintext and Corresponding
`Ciphertext Are Available for Analysis, 624
`Probability of Obtaining the Plaintext, 625
`
`An Expansion of Shannon's Approach Using Information Theory, 627
`Information Measures, 628
`Unicity Distance for a Cipher When Only Ciphertext is Available
`for Analysis, 629
`Unicity Distance for a Cipher When Plaintext and Corresponding
`Ciphertext Are Available for Analysis, 631
`
Relationships Among H(X|Y), H(K|Y), and H(K|X, Y), 632
Unicity Distance for the Data Encryption Standard, 635
`
`Work Factor as a Measure of Secrecy, 636
`The Cost and Time to Break a Cipher, 636
`Simple Substitution on English-Some Preliminaries, 637
`Empirical Results for Simple Substitution on English Using a
`Digram Frequency Analysis, 640
`Empirical Results for Simple Substitution on English Using
`Single-Letter Frequency Analysis, 642
`Comparison of Results, 642
`References, 647
`
APPENDIX A. FIPS PUBLICATION 46

649

APPENDIX B. FURTHER COMPUTATIONS OF INTEREST

671
`
`Time-Memory Trade-Off, 671
`Birthday Paradox, 672
`References, 673
`
`APPENDIX C. PLASTIC CARD ENCODING PRACTICES AND
`STANDARDS
`
`675
`
`General Physical Characteristics, 675
`Track 1, 675
`Track 2, 676
`
`Track 3, 677
`References, 678
`
`APPENDIX D. SOME CRYPTOGRAPHIC CONCEPTS AND
`METHODS OF ATTACK
`
`679
`
`Further Discussion of Authentication Parameters, 679
`One-Way Functions, 679
`Attack Using Repeated Trials, 681
`Further Discussion of Authentication Parameters and
`Personal Authentication Codes, 687
`Implementation Examples, 687
`Attack Against a 16-Digit PIN, 688
Attack Against a 12-Digit PIN, 688
Proposals for Authentication Parameters and Personal
Authentication Codes, 689
`The Advantage of an AP that Depends on ID, 694
`Increasing Exhaustive Attack Work Factor by
`Implementation Methods, 696
`Multiple Encryption and Block Chaining, 696
`Reduction of Exhaustion Work Factor for Selected Plaintext
`Attack, 697
`The Meet-in-the-Middle Attack Against Double Encryption, 705
`Attack Against Triple Encryption with Three Independent
`Keys, 708
`Attack Against Triple Encryption with Two Independent
`Keys, 711
`References, 712
`
`APPENDIX E. CRYPTOGRAPHIC PIN SECURITY-PROPOSED
`ANSI METHOD
`
`713
`
`Storage of PINS, 713
`Transmission of PINS, 713
`Reversible PIN Encryption, 714
`Cleartext PIN Block Format, 714
`Ciphertext PIN Format, 715
`Received Ciphertext PIN, 716
`
`References, 716
`
`APPENDIX F. ANALYSIS OF THE NUMBER OF MEANINGFUL
`MESSAGES IN A REDUNDANT LANGUAGE
`
`717
`
`References, 727
`
APPENDIX G. UNICITY DISTANCE COMPUTATIONS

728

Transposition, 728
Simple Substitution, 731
Homophonic Substitution, 733

References, 740

APPENDIX H. DERIVATION OF p(u) AND p(SM)

741

References, 746

INDEX

747
`
CHAPTER TEN

Applying Cryptography to PIN-Based
Electronic Funds Transfer Systems¹

Today there are many cryptographic authentication techniques being used
and evaluated by major financial institutions for electronic funds transfer
systems. Therefore, due to the state-of-the-art, there are divergent opinions
as to the order in which problems should be addressed and what
methodologies should be used to achieve optimum solutions.

To provide a balanced discussion between the authors' point of view
(expressed in Chapter 11) and that of others, permission has been obtained
to reprint relevant sections from the PIN Manual: A Guide to the Use of
Personal Identification Numbers for Interchange [1], which was prepared
by the staff of MasterCard International, Inc. (formerly Interbank Card
Association) in cooperation with MasterCard International's Standing
Committees. The material in this chapter, except for two indicated passages,
was comprised from the first four sections of the PIN Manual. The views
expressed and responsibility for the accuracy of the material lie with the
originators of that manual.

Helpful footnotes, annotations, and additional material were provided by
the authors. (Material added by the authors appears in brackets.) In order to
maintain consistency, the original notations for encipherment and
decipherment have been changed to conform with the notations used throughout
the book.
`
PIN Manual
A Guide to the Use of
Personal Identification Numbers
in Interchange
`
`INTRODUCTION
`
In the early 1970's, Interbank Card Association began to investigate the
implications of the transition from an off-line paper based funds transfer
system, exemplified by MasterCard, to an on-line, Electronic Funds Transfer
(EFT) system. The investigation soon determined that this transition would
present many problems relating to customer acceptance, economic
justification, and regulatory policy. However, the only unsolved technological
problem was how to insure the system's security.

Interbank soon realized that using secret Personal Identification Numbers,
PINs, was the best technique for authenticating customers in EFT. A PIN
serves the same role in an electronic system that a written signature serves in
a conventional paper based system. While this did not solve the security
problem, it did define one major aspect, the need to ensure PIN secrecy
everywhere within the EFT environment. Although the assurance of PIN
secrecy was the first and foremost EFT security problem, it was not the only
one. Insuring the authenticity and integrity of the transaction were also
problems.

Since it was apparent that EFT could not progress until these security
problems were resolved, Interbank began, in the 1970's, what is believed to
be the most extensive study of EFT security ever undertaken. The study,
which lasted more than three years, uncovered and assembled a wealth of
information regarding virtually every aspect of securing an EFT system.
It considered, in detail, the possible fraud threats that could be perpetrated
against such a system and developed countermeasures to prevent them. The
implementation of each countermeasure was studied in detail to insure that
its effectiveness would not detrimentally affect the cost or performance of
the EFT system as a whole. The study considered many approaches to the
issuance, management, validation, and interchange of PINs, and where choices
were available to the financial institution, attempted to determine the pros
and cons of the available alternatives. Since the study concluded that most
of the required security techniques were cryptographic, considerable thought
was given to the practical implementation of cryptography in a retail funds
transfer environment. Given special study was the management of the secret
keys that are a fundamental ingredient in any secure cryptographic system.

¹ By permission of MasterCard International, Inc. (formerly Interbank Card
Association). Reprinted in part from PIN Manual: A Guide to the Use of
Personal Identification Numbers in Interchange, September 1980 [1].
`
`SECTION ONE: BASIC PIN CONCEPTS
`
`Why PINs?
`
The term PIN refers to personal identification number. It is a secret number
assigned to, or selected by, the holder of a debit card or credit card used in
an EFT (electronic funds transfer) system and serves to authenticate the
cardholder to the EFT system. The PIN is basically the cardholder's
electronic signature, and serves the same role in an EFT transaction as a written
signature serves in a conventional financial transaction. The PIN is memorized
by the cardholder and is not to be recorded by him in a manner that could
be ascertained by another person. At the time that the cardholder initiates
an EFT transaction, he enters his PIN into the EFT terminal using a
keyboard provided for this purpose. Unless the PIN, as entered, is recognized by
the EFT system as being correct for this particular account number (read by
the EFT terminal from the card's magnetic stripe), the EFT system refuses
to accept the transaction. The purpose of all this is so that, should the card
be lost or stolen, the finder or thief would be unable to use the card, not
knowing the associated PIN. Similarly, it is to prevent someone who would
be able to do so from making a usable counterfeit copy of the card. Even if
he could make such a counterfeit card he could not use it, not knowing the
PIN.
`
`PIN Secrecy
`
In order for the PIN to serve its required function, it must be known to the
cardholder, but to no one else. PIN secrecy is of the utmost importance.
If the financial institution wishes the cardholder to be responsible for any
compromise of his PIN, and, if a PIN is to be an effective signature substitute,
then the institution's own handling of the PIN must be above reproach. It
must display to its cardholders extreme care in its PIN management
procedures. For example, if a cardholder is given the opportunity of selecting his
own PIN and is asked to write the PIN of his choice on the application form
containing information identifying him, he will quite likely realize that
certain bank employees could ascertain his PIN from this form. This cannot
help but influence his own attitude toward the importance of PIN secrecy.
On the other hand, if he sees that the institution exercises extreme care to
insure that no bank employee can possibly learn his PIN, he will be impressed
with the importance of PIN secrecy on his own part.

Some financial institutions tend to view PIN secrecy on a cost-effective
basis. That is, they attempt to compare the cost of a certain degree of PIN
security with the cost of the fraud losses that might otherwise occur. This is
not really a valid comparison, because the impact of fraud due to the
compromise of PIN secrecy greatly transcends the actual dollars lost. The most
catastrophic type of fraud that can occur because PINs are compromised is
the production and use of counterfeit cards, causing the accounts of
unsuspecting cardholders to be fraudulently debited. This is not known until the
cardholders find their accounts overdrawn or incorrect debits on their
monthly statements. Assuming that the fraud losses are not due to negligence
on the cardholders' part, the institution must pay not only for the fraud but
also for the clerical costs involved in processing cardholder complaints and
making restitution. Undoubtedly such fraud would become publicized, and
cardholders who had not actually experienced fraud but who could not
recall making certain transactions appearing on their statements would
suspect that they had been defrauded, and file complaints with the institution.
The institution would have no obvious way of distinguishing valid complaints
of fraud from invalid ones. As a result, some dishonest cardholders would
undoubtedly deny making certain of their transactions, knowing the
institution could not prove them wrong. This secondary fraud could be of even
greater consequence than the primary fraud. However, the greatest impact
of fraud resulting from PIN compromise would probably be on customer
relations. A number of honest cardholders would hesitate to trust their funds
to such an institution any longer, and would move their accounts elsewhere.
Thus, the net loss to an institution could be many times the loss directly due
to PIN compromise.

As electronic banking and other forms of EFT grow as a percentage of
total financial transactions, the importance of the PIN, and hence of PIN
secrecy, is expected to grow likewise. Only by stringent (though not
necessarily costly) security measures can a high degree of PIN secrecy be
maintained.

The PIN in its clear (comprehensible) form should never be transmitted
over communications lines, because these lines could be tapped. The clear
PIN should never reside, even momentarily, in any main frame or any data
base, because a clever programmer or computer operator might devise some
technique for ascertaining it. It should never be known to, or accessible by,
any employee of the institution, not even during the PIN issuing process.
(PIN mailers, if used, should be under strict dual control at all times to
prevent compromise.)

As stringent as these security measures may be, they can be implemented
at modest cost and without noticeable impact upon banking operations.
Subsequent sections describe, in detail, security techniques and their
implementation.
`
`PIN Length
`
In order to achieve its intended purpose, the PIN must contain enough digits
so that a card finder, thief or counterfeiter would have little probability of
hitting the correct PIN by chance, if he simply guessed at values. On the
other hand it should not contain very many digits, or it will slow down the
EFT transaction time. Therefore it is recommended that the PIN be four,
five or six decimal digits in length. A four digit PIN allows ten thousand
unique PINs. The criminal has no way of knowing which of these is the
correct PIN value for any given stolen or counterfeit card in his possession.
Assuming that the number of consecutive incorrect PIN entry attempts per
card is limited to a small number (e.g., ten or less), assuming that only one
PIN value is usable with any given card, and assuming a best case situation
from a card counterfeiter's point of view, namely, an unlimited supply of
counterfeit cards (thousands), the unobserved exclusive use of an ATM for
hours on end, and no other special system checks to ascertain trial and error
PIN determination, he would still require more than forty continuous hours
of trial and error (assuming four tries per minute), and nearly one thousand
counterfeit cards, before he could determine the PIN for a single card. This
is believed to be an unfeasible fraud technique, so a four digit PIN appears
adequate. Of course this trial and error procedure would be ten or a hundred
times longer for a five or a six digit PIN.

It is assumed that in a properly designed EFT security system, it is
impossible for the card counterfeiter to construct an off-line system and use it for
trial and error PIN determination. That is, it is assumed that he can attempt
this trial and error method only on a terminal connected to the actual EFT
network. This assumption is not valid for certain EFT security techniques
that have been proposed. Were one of these techniques to be used, a PIN
length of six or fewer digits would be extremely non-secure.

Though there is no security disadvantage to having long PINs, there is a
practical disadvantage. The longer the PIN, the longer the time the cardholder
will require to enter it, and the greater the probability of an entry requiring
a repeat. The latter is of special concern in an interchange environment
where the PIN must be sent to the card issuer for validation. Several seconds
or more could elapse before the cardholder began reentering his PIN. During
this time the EFT terminal would be unavailable for other use, and in POS
environment, a clerk would also be kept waiting. In addition, there is the
delay and inconvenience to the cardholder. Thus long PINs, by increasing
the transaction time, are a detriment to the merchant, the cardholder and
the financial institution.²
`
`Allowable PIN Entry Attempts
`
It is customary to place a limit on the number of consecutive incorrect PIN
entries a cardholder is allowed. This is done to further hinder fraudulent
PIN determination by trial and error. Though desirable, this is not as
important as it is perhaps believed to be, and would appear unnecessary for all but
four digit PINs. Determining a five digit PIN by trial and error would require
an average of fifty thousand attempts without such a limit, and this appears
unfeasible. If a limit is imposed, it can be either an absolute limit, or a daily
limit. An absolute limit gives the cardholder a specified number of attempts
to enter his PIN correctly, regardless of the time span. After the allowable
attempts have been exhausted, the card is considered invalid. A daily limit
restricts the cardholder to a specified number of consecutive incorrect
attempts in any one day, but the cardholder starts with a "clean slate" the
following day. Only when the number of consecutive incorrect PIN entries
in any one day exceeds the limit is the card considered invalid. Of these two
approaches, the absolute limit appears preferable, since it more definitively
limits criminal attempts at trial and error PIN determination. The benefits
of this approach, for a four digit PIN, can be expressed quantitatively. If we
let N represent the absolute number of consecutive incorrect PIN entries
allowed, where N is small (e.g., ten) relative to ten thousand, then the
criminal would have to make an average of about ten thousand tries for each
PIN he successfully determined. During this time he would have used up ten
thousand divided by N cards. That is, for every card's PIN he successfully
determined, he would fail on ten thousand/N cards. Without any type of
limit, he would require only a single card, and an average of five thousand
tries.
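
The arithmetic behind the PIN Length and Allowable PIN Entry Attempts passages, as an added example (not part of the PIN Manual or the book): it computes the expected tries and cards consumed under an absolute limit N and checks the closed form with a seeded simulation. The model (independent, uniformly random PINs, one valid PIN per card, N distinct guesses per card) and all function names are assumptions.

```python
"""Work factor of online PIN guessing under an absolute entry limit.

Added illustration; the model and every name here are assumptions.
"""
import random
from fractions import Fraction


def with_absolute_limit(pin_digits, limit):
    """Exact expectations when a card is invalidated after `limit` wrong entries.

    Assumed model: each card carries an independent, uniformly random PIN,
    exactly one PIN value works per card, and `limit` distinct values are
    tried on each card before it is discarded.
    """
    space = 10 ** pin_digits
    p_card = Fraction(limit, space)       # chance that one card yields its PIN
    cards = 1 / p_card                    # geometric mean, including the last card
    # Each failed card costs `limit` tries; on the last card the hit falls
    # uniformly among the `limit` guesses, i.e. (limit + 1) / 2 tries on average.
    tries = (cards - 1) * limit + Fraction(limit + 1, 2)
    return {"cards": cards, "failed_cards": cards - 1, "tries": tries}


def without_limit(pin_digits):
    """Expected tries on a single card that is never invalidated."""
    return Fraction(10 ** pin_digits + 1, 2)


def hours_at(tries, tries_per_minute=4):
    """Continuous terminal time, at the manual's rate of four tries per minute."""
    return float(tries) / tries_per_minute / 60


def simulate(pin_digits, limit, episodes, seed=1982):
    """Monte Carlo check of with_absolute_limit() under the same model."""
    rng = random.Random(seed)
    space = 10 ** pin_digits
    total_tries = total_cards = 0
    for _ in range(episodes):
        while True:
            total_cards += 1
            pin = rng.randrange(space)    # constructed PIN for this card
            # Guessing 0..limit-1 is as good as any other `limit` distinct values.
            if pin < limit:
                total_tries += pin + 1    # hit on guess number pin + 1
                break
            total_tries += limit          # limit reached, card invalidated
    return total_tries / episodes, total_cards / episodes


def limit_table(pin_digits=4, limits=(3, 5, 10)):
    """Rows of (N, expected cards, expected tries, hours) for each limit N."""
    rows = []
    for n in limits:
        r = with_absolute_limit(pin_digits, n)
        rows.append((n, float(r["cards"]), float(r["tries"]), hours_at(r["tries"])))
    return rows


if __name__ == "__main__":
    for n, cards, tries, hours in limit_table():
        print(f"N={n:2d}: {cards:8.1f} cards, {tries:8.1f} tries, {hours:5.1f} h")
    print("no limit, 4 digits:", float(without_limit(4)), "tries on one card")
    print("no limit, 5 digits:", float(without_limit(5)), "tries on one card")
    print("simulated (tries, cards), N=10:", simulate(4, 10, 1000))
```

With N = 10 and four digit PINs this gives 1,000 cards and about 41.6 hours at four tries per minute, in line with the manual's "nearly one thousand" cards and "more than forty" hours.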

² It is only fair to point out that, at the time of this writing, there are differing opinions
as to what constitutes a reasonable and practicable PIN length. Current technology will
easily accommodate PINs of up to 16 digits.

When the PIN is validated using the technique of the American Banking
Association PIN Verification Standard, the statistics are somewhat different
because this technique uses a "non-reversibly encrypted" PIN, which means
that more than one PIN can generally be used with a given card. With this
technique and an absolute limit, the criminal requires the average of five
thousand trials, and for every counterfeit card on which he succeeds he fails
on 5,000/N. Without any type of limit he requires a single card and the
average of 3,679 tries.
The situation for a