NETWORK SECURITY
TECHNIQUES
FOR FINANCIAL
INSTITUTIONS

BANK ADMINISTRATION INSTITUTE
Rolling Meadows, Illinois

Page 1 of 124

FIS Exhibit 1041

THIS PUBLICATION IS A SOURCE OF INFORMATION ABOUT VARIOUS
STANDARDS AND TECHNIQUES FOR DATA PROTECTION. IT DOES
NOT CONTAIN OFFICIAL INTERPRETATIONS OF THE STANDARDS AND
IS NOT MEANT TO BE USED IN LIEU OF ACTUAL PUBLISHED
STANDARDS DOCUMENTS. IMPLEMENTATION OF STANDARDS AND
TECHNIQUES BASED SOLELY ON THIS PUBLICATION, WITHOUT
ADHERENCE TO ACTUAL PUBLISHED STANDARDS DOCUMENTS,
CARRIES NO ACTUAL OR IMPLIED WARRANTY.

THE AMERICAN NATIONAL STANDARDS INSTITUTE (ANSI) HAS
AUTHORIZED ONLY THE ACCREDITED X9 STANDARDS COMMITTEE TO
PUBLISH OFFICIAL AND APPROVED "INTERPRETATIONS" OF
ANSI STANDARDS.

ALL OFFICIAL INTERPRETATIONS OF ANSI X9 STANDARDS ARE
AVAILABLE ONLY FROM THE ANSI X9 COMMITTEE.

Library of Congress Catalog Card Number:

Copyright © 1990 Bank Administration Institute, Rolling Meadows, Illinois.
All rights reserved. This book or any parts of it may not be reproduced in any
form without written permission from the publisher.
Printed in the United States of America.

NO. 608

ISBN: 1-55520-133-4

Contents

FOREWORD

EXECUTIVE SUMMARY

1 Providing Secrecy and Protection—Encryption
   What is encryption and cryptography?
   How is encryption used in the wholesale banking environment?
   Is encryption useful in the retail banking environment?

2 Ensuring Integrity—Message Authentication
   What is message authentication, and what is it used for?
   What place does authentication have in wholesale banking?
   How does retail banking employ authentication?

3 Key Management for Encryption and Authentication
   What is key management and why is it important?
   How is key management applied in wholesale banking?
   What are key management issues for retail banking?

4 Involvement of the Federal Reserve

5 Future Considerations
Appendices

A Banking Circular on Information Security

B Security Standards Development
   American National Standards Institute—What is it?
   International Standards Organization—What is it?
   Technical Committees

C US Government Activities
   National Institute for Standards and Technology (NIST)
   US Treasury Department
   Cryptographic Device Export Control

D ANSI Standards for Key Protection

REFERENCES

Figures

1 Electronic Codebook (ECB) Mode
2 Cipher Block Chaining (CBC) Mode
3 K-Bit Cipher Feedback (CFB) Mode
4 K-Bit Output Feedback (OFB) Mode
5 Link Encryption
6 End-to-End Encryption
7 The Message Authentication Algorithm
8 The MAC Process
9 Clearing House Host MAC
10 Bank Host MAC
11 Network Level Authentication
12 Node Components
13 Front-End Authentication
14 Application Level Authentication
15 Testing with the MVS
16 Keying Relationships: Point-to-Point
17 Keying Relationships: Key Center
18 Message Flow: Point-to-Point
19 Message Flow: Key Center

Foreword

Financial institutions have long dealt with issues concerning the
privacy and integrity of the information entrusted to them by their
customers. Manual methods of securing and controlling financial
transactions were effective before the advent of the computer and
the tremendous growth in the use of networks. The fact that
transactions were generated and controlled manually not only provided
a certain level of security but also served to naturally limit their
number. As automation increased processing capacities and became
distributed throughout the workplace, little reliance could be
placed on the old manual controls. Technical security measures
were and are needed to match the rigor of high-speed, high-volume
processing.

Encryption has long been recognized as a sound security
technique whose use has been primarily focused on defense-related
issues. In recent years the financial industry recognized that they
could benefit significantly from the development of security
standards based on encryption. Subsequently, a variety of sound,
effective security standards were developed by financial industry
directed standards-setting bodies and by US Government agencies.
While the government standards are focused on a higher degree of
secrecy than the somewhat less stringent requirements of financial
institution standards, both are applicable to the commercial business
world.

It is our hope that this publication will assist managers in the
application of current cryptographic security standards and
techniques to meet their data security needs.

The Bank Administration Institute has called upon financial
industry and government agency experts to document the business
and technical approaches to financial institution data security
through this publication. The authors of this publication speak from
their firsthand knowledge of the security standards, and are
members of the talented group of professionals that created those same
standards.

We thank them for making this publication possible, and
encourage them to continue their work of expanding the
development of data security standards.

Acknowledgements

Our thanks to the talented group of professionals that have made this
publication possible.

PUBLICATION COORDINATORS:

Glenda Inglish Barnes
BankAmerica Corporation

John B. Ptak, CPA
Bank Administration Institute

Daniel E. White
Ernst & Young

Kimberly J. Zotto
Bank Administration Institute

CONTRIBUTING AUTHORS:

David Balenson
Trusted Information Systems

Glenda Inglish Barnes
BankAmerica Corporation

Daniel E. White
Ernst & Young

Sandra Lambert
Security Pacific Corporation

Gerard A. Rainville
National Security Agency

Joan Reynolds
Chemical Bank

Marty Ferris
US Department of the Treasury

Miles Smid
National Institute of Standards and Technology

Bill Glover
Consultant

Blake Greenlee
Blake Greenlee Associates

Geoffrey W. Turner
Stanford Research Institute

Eddie L. Zeitler
BankAmerica Corporation

Executive Summary

Introduction

Data security is a concern usually associated with the military,
federal government, and related agencies. Their view of security
concentrates on the confidentiality of data, preventing outsiders (i.e.,
foreign governments) from seeing certain information. As a result,
numerous government standards have been developed for ensuring
the secrecy of data whether in computer files or when transmitted
across communication lines. While the commercial business sector
has concerns about confidentiality, it also places emphasis on data
accuracy (integrity) due to the amount of financial information
processed and transmitted. This is particularly true of financial
institutions, whose business depends on accurate and timely
processing of financial data.

The Business Environment

The need for security over financial data transmission can be
illustrated by a view of the environment businesses now operate
within. Three major factors are part of this examination:

1. Advances in technology have allowed wider access to
   communications networks.

2. Demand is increasing for use of financial data transmission.

3. There is continuing need to connect businesses using
   communications networks.

Technology has changed more in the last few years than in the
previous one hundred. This change is most evident in computer
systems, which have made tremendous advances since universal
acceptance in business in the early 1960s. Today, the advanced
technology of computer systems linked by various communications
media, such as fiber optics and satellites, is joined by the proliferation
of microcomputers with capabilities equal to large mainframe
processors of the 1960s. These personal computer systems not only
function quite well on their own, but easily connect to and use
communications networks. The risks inherent in this environment
are easily illustrated by the computer "hackers" about whom many
stories have been written. Their threat to financial institutions is well
recognized; there are already in existence "hacker clubs" and
electronic bulletin boards that specialize in exchanging data on
financial institutions. Technology has armed more people with the
capability to view, and possibly alter, financial data transmissions.

As the range of available financial transmission services broadens,
we see the demand for these services increasing. For example:

• Television ads have urged Social Security recipients to take
  advantage of Direct Deposit in lieu of check mailing. The
  promised reliability is packaged with convenience to make
  this an attractive option to most recipients.

• Corporate Treasurers move company funds via communications
  networks on a regular basis; what was once a funds
  transfer method available only to the largest companies is
  now an accepted mode of business requiring reasonable
  levels of speed, accuracy, and security.

• Many corporations, banks, and vendors are involved in
  various forms of electronic data transfer (more formally
  referred to as electronic data interchange, or EDI), which
  allows these parties to combine order placement, shipping
  notification, invoicing, and payment transfer across
  communications networks. This use of computers and
  communications will allow many companies to operate portions
  of the business virtually paper-free, with dependence on
  technology for necessary reliability and accuracy.

The many current and emerging services supported by
communications place connectivity, the ability to link many systems and
locations together, as a major issue for business. The recent trend
toward consolidation and growth through merger/acquisition has
brought connectivity to the forefront. Melding diverse systems
requires a common denominator, such as a central processing
site or compatible distributed sites. This establishes a more
substantial need to communicate over distances, a corresponding
need to find standardized approaches to ensure effective
communication, and an increased awareness of security risks inherent
in widening communications. While all industries and business
sectors place an emphasis on security issues, some, such as
the banking industry, have formalized information security
requirements.

Banking Requirements and Standards

The Comptroller of the Currency Banking Circular 229 (BC-229),
dated May 31, 1988, addresses requirements for protecting
information. It recognizes that information within the banking system is an
asset that must be protected, the same as if it were a tangible good.
Specifically, security in the context of BC-229 calls for assurances that
both information accuracy and confidentiality are maintained, and
that this level of security be supported for information in storage and
when transmitted. The Circular suggests that hardware and software
technologies can assist in information protection; encryption and
message authentication are noted as prime technology controls.
Understanding what these technologies are and what they are used
for can establish a starting point to decide how BC-229 requirements
can be met.

Encryption can be thought of as controlled scrambling, using an
algorithm to encode data and hide its meaning. Control is provided
by limiting ability to unscramble the data, through secrecy of a key
value. For example, in data transmission the sender and intended
receiver should be the only parties with knowledge of the key. The
primary benefit is in ensuring data privacy, since only those who
have the key can read the data while in storage and/or when
transmitted.

Authentication provides for the integrity of data by detecting and
flagging unauthorized changes in message content. A message
authentication code (MAC), formed by encrypting the entire
message or selected fields in a message, is appended to the message; the
message is then transmitted "in the clear" (unencrypted). Upon
receipt of the transmission, the MAC is recomputed on the received
message and compared to the transmitted MAC. Any discrepancy
indicates an alteration to the message during transmission. This
security technique acts as a "shrinkwrap" around the message; if
the "wrap" is broken the receiver is alerted that message tampering
has occurred and that the integrity of the transmitted data is
questionable.

Numerous standards have been developed to establish a basis
for consistency in applying encryption and authentication in the
banking world. While the various chapters in this text give detailed
discussion on the standards and their application, a brief mention of
some key points can help put things into perspective.
In 1977, the National Bureau of Standards (now called the
National Institute of Standards and Technology, or NIST) published
the Data Encryption Standard (DES), which was originally
developed by IBM and rigorously analyzed by the National Security
Agency. DES became the federal standard for protection of
unclassified data. In 1980, DES was approved by the American National
Standards Institute (ANSI) under the acronym DEA (Data Encryption
Algorithm); ANSI X3.92 established a standard encryption algorithm
for use in the commercial sector. ANSI had formed the X9 Committee
in 1974 for "standardization for facilitating banking operations"; the
official name is now ANSI X9, Financial Services. Through this
committee, ANSI followed with development of various standards
for banking application of DEA, such as:

ANSI X9.8 (1982), Personal Identification Number (PIN)
Management and Security

ANSI X9.9 (1986), Financial Institution Message Authentication
(Wholesale)

ANSI X9.17 (1985), Financial Institution Key Management
(Wholesale)

ANSI X9.19 (1986), Financial Institution Retail Message
Authentication

ANSI X9.23 (1988), Financial Institution Encryption of
Wholesale Financial Messages

ANSI X9.24-DRAFT, Financial Services Retail Key Management

NOTE: ALL OFFICIAL INTERPRETATIONS OF
ANSI X9 STANDARDS ARE AVAILABLE ONLY FROM THE
ANSI X9 COMMITTEE.

The Federal Reserve has a current policy of encrypting all of its
traffic, including all computer-to-computer links. All devices used in
the Fed system must comply with Federal Standard (FS) 1027, which
establishes minimum standards for cryptographic devices. Also, all
hardware and software suggested for use in the Fed system must be
certified by NIST as meeting the DEA standard before the vendor is
considered.

Finally, the US Treasury Directive (TD) 16-02, "Electronic Funds
and Securities Transfer Policy—Message Authentication and
Enhanced Security," requires that all federal electronic funds transfer
transactions be "properly authenticated." TD 16-02 uses measures
recommended by ANSI X9.9, ANSI X9.17, and FS 1027 to assure
integrity of Treasury Department EFT data.

Conclusion

With these standards in place, the primary task remaining for the
banking executive is deciding what level of security is necessary to
meet business needs. For instance, encryption can be used to
maintain the confidentiality of data, whereas message authentication
ensures detection of any alteration of data. Both forms of protection
can be applied to data while it is in storage as well as when it is
transmitted across communication lines. The decision as to whether
one or both techniques are appropriate depends on whether data
privacy or data integrity are of an equal or higher priority, and what
cost the organization is willing to pay to achieve the priority goal.
Attention to the particulars of this publication can help executives
evaluate and build effective data security in their organizations.

1 Providing Secrecy and Protection—Encryption

What Is Encryption and Cryptography?

Overview

Cryptography is a word that has been derived from the Greek words
for "secret writing." It generally implies that information that is secret
or sensitive may be converted from an intelligible form to an
unintelligible form. The intelligible form of information or data is
called cleartext and the unintelligible form is called ciphertext. The
process of converting cleartext to ciphertext is called encryption and
the reverse process (converting ciphertext to cleartext) is called
decryption. Most cryptographic algorithms make use of a secret
value called the key. Encryption and decryption are easy when the
key is known, but decryption is supposed to be virtually impossible
without the key used to encrypt. Finding a shortcut method, not
envisioned by the designers, for decrypting the ciphertext when the
key is unknown is called "breaking the algorithm."

Data encryption is achieved through the use of a cryptographic
algorithm that transforms data from its intelligible cleartext form to
ciphertext. An algorithm is a set of rules or steps for performing a
desired operation. An algorithm can be performed by anything that
can be taught, or programmed, to perform a specific and
unambiguous set of instructions. Computers and special purpose electronic
devices are designed to perform algorithms millions of times more
efficiently than humans. Therefore, modern cryptographic
algorithms are implemented in computers and on special purpose
electronic chips.

The Data Encryption Standard and Data
Encryption Algorithm

In 1977, the National Bureau of Standards (NBS), now the National
Institute of Standards and Technology (NIST), published a
completely defined cryptographic algorithm known as the Data
Encryption Standard (DES) that became a federal standard for the
protection of unclassified data.¹ The International Business Machines
Corporation had made the DES specifications available to NBS and
had provided nondiscriminatory and royalty-free licensing to US
companies building DES devices. At the request of NBS, the National
Security Agency had conducted an exhaustive technical analysis of
the DES to confirm the soundness of the algorithm and its suitability
to protect unclassified federal data.

Although the DES was originally intended for government
applications, it has become widely used by US industry as well. In
December 1980, the DES was approved by the American National
Standards Institute (ANSI) under the name of Data Encryption
Algorithm (DEA).² Today, five standards-making organizations (The
American Bankers Association, the American National Standards
Institute, the General Services Administration, the International
Organization for Standardization, and the National Bureau of
Standards) have produced several DES-based cryptographic standards to
meet both government and industry requirements. DES is now
widely accepted and used.

The DES algorithm is a basic building block for data protection.
The algorithm provides the user with a set of functions each of which
transforms a 64-bit input to a 64-bit output. The user selects which
one of over 70 quadrillion functions is to be used by selecting a
particular 56-bit key. Anyone knowing the key can calculate both
the function and its inverse, but without the key it is infeasible to
determine which function was used, even when several inputs and
corresponding outputs are provided. Since an independent set of
70 quadrillion functions would be impossible to support, the DES
provides a simple means of simulating the family of functions.

It is easy to see how the DES may be used to encrypt a 64-bit
cleartext input to a 64-bit ciphertext output, but data is seldom
limited to 64 bits. This simple block cipher mode of operation may
be sufficient in some cases, but other situations may require the
chaining of ciphertext in a manner that eliminates repetition in the
ciphertext when there is a repetition in the cleartext. In order to use
DES in a variety of cryptographic applications four modes of
operation were developed: Electronic Codebook (ECB), Cipher
Feedback (CFB), Cipher Block Chaining (CBC), and Output
Feedback (OFB)³ (see Figures 1 thru 4). Each mode has its advantages
and disadvantages. ECB is excellent for encrypting keys, CFB
encrypts individual characters, OFB is often used for encrypting
satellite communications, and both CBC and CFB can be used to
authenticate data. These modes of operation permit the use of DES
for interactive terminal-to-host encryption, cryptographic key
encryption for automated key management applications, file
encryption, mail encryption, satellite data encryption, and other
applications. In fact, it is extremely difficult, if not impossible, to find
a cryptographic application where the DES cannot be applied.
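The ECB/CBC contrast described above, and the message authentication code described in the Executive Summary, can be seen in the following added Python example, which is not part of the original publication. Python's standard library has no DES, so a toy 64-bit Feistel cipher stands in for it; the cipher, the function names, the key, the IV and the sample messages are all constructed for illustration and provide no real security.

```python
import hashlib
import hmac

BLOCK = 8   # bytes: 64-bit blocks, the block size the text gives for DES
ROUNDS = 8  # rounds of the toy cipher (an arbitrary choice for this sketch)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed round function: SHA-256 truncated to 32 bits. NOT the DES round function.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Feistel network: a keyed, invertible 64-bit -> 64-bit function (stand-in for DES).
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(right, key, rnd))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(left, key, rnd)), left
    return left + right

def split_blocks(data: bytes) -> list:
    # Zero-pad on the right to a whole number of blocks, then split.
    data += b"\x00" * (-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted on its own, so equal inputs give equal outputs.
    return b"".join(encrypt_block(key, b) for b in split_blocks(data))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each cleartext block is XORed with the previous ciphertext block first.
    out, prev = [], iv
    for b in split_blocks(data):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in split_blocks(data):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def cbc_mac(key: bytes, message: bytes) -> bytes:
    # MAC = final CBC block under an all-zero IV; the rest of the ciphertext is
    # discarded and the message itself travels in the clear. Raw CBC-MAC like this
    # is only sound when all messages have the same agreed length.
    if not message:
        raise ValueError("cannot authenticate an empty message")
    return cbc_encrypt(key, bytes(BLOCK), message)[-BLOCK:]

def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    # Receiver side: recompute the MAC on what arrived and compare in constant time.
    return hmac.compare_digest(cbc_mac(key, message), mac)

KEY = bytes.fromhex("0123456789abcd")           # constructed 56-bit sample key
IV = bytes.fromhex("1122334455667788")          # constructed sample IV
RECORDS = b"ACCT0001PAY 0500ACCT0001PAY 0500"   # constructed: blocks 0/2 and 1/3 repeat
WIRE = b"PAY ACCT 00012345 USD 0000100.00"      # constructed funds-transfer text

def demo() -> dict:
    ecb = split_blocks(ecb_encrypt(KEY, RECORDS))
    cbc = split_blocks(cbc_encrypt(KEY, IV, RECORDS))
    mac = cbc_mac(KEY, WIRE)                     # sender appends this to WIRE
    tampered = WIRE.replace(b"0000100.00", b"9000100.00")
    return {
        "ecb_repeats": ecb[0] == ecb[2] and ecb[1] == ecb[3],
        "cbc_distinct": len(set(cbc)) == len(cbc),
        "cbc_roundtrip": cbc_decrypt(KEY, IV, b"".join(cbc)) == RECORDS,
        "mac_ok": verify(KEY, WIRE, mac),
        "tamper_detected": not verify(KEY, tampered, mac),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```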
`
`Financial Encryption Standards
`
`Encryption has been applied in both retail and wholesale banking
`applications to increase data security. Automatic teller machines
`and point-of-sale terminals identify customers by means of Personal
`Identification Numbers (PINs) submitted by the customers at
`the time of a transaction. ANSI Standard X9.8⁵ uses DES-based
`cryptography to generate the PINs as well as to protect them from
`disclosure. US banks collectively transfer more than 400 billion
`dollars daily, and single wholesale electronic funds transfers of
`2 million dollars are quite common. ANSI Standard X9.23⁶ defines
`the functional and procedural characteristics of cryptographic
`operations that are used to protect the confidentiality of entire
`financial messages or encryption elements within messages. This
`draft standard specifies the modes of operation, methods of data
`padding, techniques for whole and partial message encryption, and
`communications filters that will be used by the wholesale financial
`community.
`
`Cryptographic Considerations
`
`Whenever implementing cryptography, several factors need to be
`considered.
`
`APPLICATIONS
`
`The data security problem to be solved must be well defined. Will
`local file encryption be required? Will protected communications be
`required? Will the communications be via a dedicated line, dial-up
`telephone, a local area network, or a wide area network? The
`
`FIGURE 1. Electronic Codebook (ECB) Mode
`[Diagram. Panels: ECB Encryption; ECB Decryption. Labels: Plain Text (D1, D2, ..., D64); Cipher Text (C1, C2, ..., C64); Input Block; DES Encrypt; Output Block.]
`
`FIGURE 2. Cipher Block Chaining (CBC) Mode
`[Diagram. Labels: DES Encrypt; DES Decrypt; Legend.]
`
`FIGURE 3
`
`K-Bit Cipher Feedback (CFB) Mode
`
`Input Block
`
`Input Block
`
`(64-K)
`Bits
`
`(64-K)
`Bits
`
`Vector (IV) Right Justified