Zeidler

[11] Patent Number: 4,578,530
[45] Date of Patent: Mar. 25, 1986

[54] END-TO-END ENCRYPTION SYSTEM AND METHOD OF OPERATION

[75] Inventor: Howard M. Zeidler, Palo Alto, Calif.
[73] Assignee: VISA U.S.A., Inc., San Mateo, Calif.
[*] Notice: The portion of the term of this patent subsequent to Dec. 27, 2000 has been disclaimed.
[21] Appl. No.: 558,916
[22] Filed: Dec. 7, 1983

Related U.S. Application Data
[63] Continuation-in-part of Ser. No. 278,001, Jun. 24, 1981, Pat. No. 4,423,287.

[51] Int. Cl.4: H04L 9/00
[52] U.S. Cl.: 178/22.09; 178/22.08; 340/825.34
[58] Field of Search: 178/22.08, 22.09, 22.01; 340/825.34

[56] References Cited
U.S. PATENT DOCUMENTS
4,075,460  2/1978  Gorgens  340/825.34
4,193,131  3/1980  Lennon et al.  178/22.09
4,259,720  3/1981  Campbell  340/825.34
4,268,715  5/1981  Atalla  340/825.34
4,423,287  12/1983  Zeidler  235/379

Primary Examiner: Salvatore Cangialosi
Assistant Examiner: Aaron J. Lewis
Attorney, Agent, or Firm: Limbach, Limbach & Sutton

[57] ABSTRACT
An efficient end-to-end encryption system including key management procedures for providing secure, financial data communication between a system user at one of a plurality of transaction terminals of one of a plurality of acquirer institutions and one of a plurality of issuer institutions, with selected elements of the data being encrypted, decrypted, and processed using a one-time session key which is similarly encrypted with master keys and efficiently sent along with the specific segments of the request and response messages. A session key authentication code is utilized to prevent the replay of a previously used session key, thereby precluding undetected message replay or undetected message or data element substitution or insertion.

12 Claims, 14 Drawing Figures

[Front-page drawing: block diagram. Labels: Transaction Terminal, Acquirer, Network Switch, Issuer, Security Module.]

EX 1017
IPR of Pat. No. 6,892,304

U.S. Patent    Mar. 25, 1986    Sheet 1 of 11    4,578,530

[FIG. 1: block diagram. Labels: Transaction Terminal, Acquirer, Network Switch, Issuer, Security Module.]

[FIG. 2: transaction terminal. Labels: Display, Keyboard, Communication Interface, Processor, Memory, Card Reader, Printer, Dispenser.]

[Sheet 2 of 11, FIG. 3. Labels: User's Card; Transaction Amount; Card Reader; Keyboard; PINc (4-12 digits); Fill Characters; Terminal Processor; Encryption Algorithm; Decryption Algorithm; e[KSn](PINc), encrypted (64 bits); MAC1 Computation; MAC1 (24 bits); Header including the terminal identifier, TID; Non-Encrypted Information; Memory (programs, terminal ID, master key, tables of data unique to each financial institution or interchange network, encrypted cryptographic session key e[KM1](KSn), key counter (n), encryption type, PIN encryption format, fill characters); Request Message to Acquirer.]

[Sheet 3 of 11, FIG. 4, FIG. 6 and FIG. 8. Labels: Host Processor; Operator Display; Operator Keyboard; Log Tapes; Security Module; files of cardholder PINs (encrypted with data base key); files for business-decision account information, general data, programs, activity files, etc.]

[Sheet 4 of 11, FIG. 5. Labels: Transaction Request Message (Header, (PINc) encrypted with session key KSn, MAC1, Terminal Identifier (TID), Non-Encrypted Message Info); Host Processor; Transaction Number (TTN); Active Transaction Table; Pre-Encrypted Session Keys for Terminal TX (Session Key Authentication Code, session keys pre-encrypted with Terminal Master Key KM1 and Network Switch Master Key KM2); e[KM2](KSn); Transaction Request Message forwarded to the second intermediate station, the network switch.]

[Sheet 5 of 11, FIG. 7. Labels: Transaction Request Message (Header, (PINc), MAC1, Non-Encrypted Message Info, (KSn) encrypted with KM2, TTN); Identification of the Acquirer; Primary Account No.; Identification of the Issuer; Host Processor; File of Member Master Keys Encrypted with SM Master Key; Master Key of the First Intermediate Station (Acquirer), e[KSM](KM2); Master Key of the Destination Station (Issuer), e[KSM](KM3); Decrypt; Encrypt; e[KM3](KSn); Transaction Request Message forwarded to the destination station (issuer).]

[Sheet 6 of 11. Labels: Transaction Request Message (Header, (PINc), MAC1, Non-Encrypted Message Info, e[KM3](KSn), TTN); Decrypt; KM3; MAC1 Computation; MAC1 Validation; PAN; Fetch; Data Base; Data Base Key KDB; PINc; Encrypt; e[KDB](PINc); e[KDB](PIN); (PIN)/(PINc) Verification, Yes/No; Authorization Decision, Yes/No; Designation of Authorization Code; MAC2 Computation; message (Header, Authorization Code, MAC2, Other Message Information, TTN) to be forwarded to the network switch.]

[Sheet 7 of 11, FIG. 10. Labels: Transaction Response Message (Header, Authorization Code, MAC2, Other Message Information, TTN); Modification of Header; Transaction Response Message to be forwarded to the first intermediate station (acquirer).]

[Sheet 8 of 11. Labels: Transaction Response Message (Header, Authorization Code, MAC2, Other Message Information, TTN); Data Processor; Active Transaction Table (TTN, TID); Pre-Encrypted Session Keys for Terminal TX (Session Key Authentication Code, session keys pre-encrypted with Terminal Master Key KM1 and Network Switch Master Key KM2); SKACn+1; new session key for next transaction encrypted with KM1; Transaction Response Message to be forwarded to terminal TX.]

[Sheet 9 of 11, FIG. 12. Labels: Transaction Response Message; Session Key KSn; MAC2 Computation; MAC2 Validation; Master Key KM1; Decrypt; Incremented Counter (n)->(n+1); TID; KSn+1; SKACn+1 Computation; SKACn+1 Verification (Yes/No); Replacement of previous e[KM1](KSn) with e[KM1](KSn+1); Request for another session key from acquirer; Terminal's execution of transaction function.]

[Sheet 10 of 11: drawing text illegible.]

[Sheet 11 of 11. Labels: Generation of a Sequence of Random Numbers; Parity Set; Comparison with Weak Keys; Rejection of Any Weak Keys; Session Key Counter n; Terminal Identifier (TID); Computation of Session Key Authentication Code (SKACn); Session Key KSn (64 bits); Terminal Master Key; Interchange Switch Master Key; Encryption Algorithm; Storage of encryption pairs, session keys and key numbers with their authentication codes, in acquirer host memory for subsequent on-line use at times of transactions.]

END-TO-END ENCRYPTION SYSTEM AND METHOD OF OPERATION

This Application is a continuation in part of U.S. application Ser. No. 278,001, filed June 24, 1981 and now U.S. Pat. No. 4,423,287, issued Dec. 27, 1983.

BACKGROUND ART

This invention relates to encryption systems and more particularly to an encryption system for use with transaction terminals such as automated teller machines (ATM), cash dispensers (CD), and point of sale (POS) devices. Such machines are typically accessed by means of a card issued by the customer’s bank. Within the past twelve years the number of teller machines and cash dispensers has grown from a few scattered units to a worldwide total of almost 50,000 units. In many areas, groups of institutions have begun to cooperate in the establishment of local, regional, and national shared ATM/CD networks in order to extend the customer convenience represented by electronic fund transfer services beyond the local area. In the near future, it is expected that many everyday transactions will be carried out through point of sale devices.

In these systems, a holder of a card issued by one financial institution (the “issuer”) can transact business with the issuer through the transaction terminal of a different financial institution (the “acquirer”). This invention applies primarily to this type of transaction where security of one or more message elements must be provided throughout an interchange network communications system, as differentiated from security in a more restricted system not involving many institutions. It is also not limited to financial institutions.

Such networks typically rely on the use of some standardized identifying token which is presented by the user of such services. Such a token would be, for example, a user’s plastic card with a magnetizable stripe on the card which is encoded with a particular set of data. It is necessary, however, to provide for the security and privacy of some of the data which is sent by such a user from the transaction terminal through intermediate stations, to the issuer’s data processing center. These security provisions must meet needs for economical data transmission, preclude unauthorized access to critical customer related information, and provide a level of privacy that conforms to governmental regulations as they may be formulated. This level of protection must include the entry, transmission, storage, and verification procedures which are used by the various components of the interchange network.

Among the data elements of the transaction terminal message, the most critical requiring some form of protection are:
(a) the cardholder’s personal identification number (PIN);
(b) the cardholder’s primary account number (PAN);
(c) the cash advance or disbursement amount;
(d) the date and time of the transaction; and
(e) a terminal identifier number (TID).

There are cryptographic techniques in existence which provide the means by which data elements such as these can be protected. Such a technique will be discussed in greater detail hereinafter. However, for the present purpose, it is sufficient to know that in the case of the PIN, for example, protection can be achieved by using a cryptographic process called “encryption” by which a PIN of “9725” might, for example, be converted temporarily to a disguised value of “B*7@” for transmission from an acquirer through an interchange network to the issuer. In this sense, the word “acquirer” would be the financial institution operating the transaction terminal, while the issuer would be, for example, the destination financial institution providing financial services to the user. At the destination of the message this disguised value would be converted to the original “9725” value by a reverse cryptographic process called “decryption” for further processing to verify the validity of the PIN.

For other critical message elements, such as the amount of the cash advance or disbursement, secrecy may not be required, only protection against alteration. Therefore, instead of encryption, a well-known cryptographic process called “message authentication” is used. This process uses each of the critical data elements in a sequential encryption-like computation that results in a “message authentication code, MAC” to be included, along with the protected data elements, in a message which is transmitted to the destination (intermediate or final).

At the destination, the MAC computation process is repeated on the same data elements. If any one or a combination of these elements has been modified while being transmitted through the interchange network, the resulting MAC would not, with reasonable probability, be identical to the MAC value received, and the message would be rejected because of probable fraud.

For an interchange encryption-decryption process to work, a standard for data protection must be used. In the United States, the American Bankers Association (ABA) Bank Card Standards Committee and the American National Standards Institute (ANSI) have adopted the standard published by the National Bureau of Standards (NBS) of the U.S. Government as the basis for this type of security. A brief description of the NBS concept is presented here for reference. The elements of the concept include an algorithm called the data encryption standard (DES) algorithm and a secret key. The DES is a set of complex mathematical transformations that has been published and is known to everyone, including potential adversaries. The secret key consists of 64 bits of data, known only to the system participants, that make the use of the published algorithm unique and secure.

The DES has the property of “reversibility”; i.e. the DES and the secret key can be used to “encrypt” the input data for protection. They can also be used to “decrypt” or reverse the protected data back to its original form with the same key that was used for the encryption process. A secret 64-bit key establishes security of the encryption system. The input can be any desired 64-bit combination of data. On command, the DES system subjects the input to sixteen complex transformations and presents the 64 resultant “ciphertext” bits at the output register. By ciphertext is meant that the text would be enciphered and not intelligible when reading or computer-based analysis were attempted.

As long as potential adversaries are prevented from learning the key, data for the typical cash advance or disbursement can generally be assumed to be secure. There are no known methods of attacking the system analytically. For a known input/output pair, solving for the key through “exhaustive” sequential testing of all possible (approximately) 72,000,000,000,000,000 values of the key does not appear to be practical within the near future. Use of two or more sequential encryption processes with corresponding different keys would require millions of years of processing by the fastest computers for exhaustive testing, thereby making any such attack completely infeasible.

As described above, a DES key consists of 64 bits which can be interpreted as 16 hexadecimal characters (0-9, and A-F). The security of any system based on DES processing is dependent upon the integrity of key generation and distribution as well as upon the human-related management and operational procedures established for the system. While there are a number of such keys to be used in this type of system, the two types of such keys which have relevance to the present discussion are a data-encryption or session key, and a key-encryption or master key.

A session key is a one-time key only used for the life of one transaction. In some manner, the session key must be sent from the sender to the receiver and the sending of the transaction must convey to the receiver the specific session key which was used for encrypting the transaction. No matter what method for informing the receiver is used, the session key must be protected during the transmittal process by encryption using a master key. Because the session key is used for only one transaction, the potential for compromise is reduced.

The key-encryption key, or master key, however, is used for encrypting a session key being transmitted over normal data communication lines or stored in a host data processor. These master keys must be generated, distributed, and loaded under greater security control than that normally used for other types of keys. Because of the high level of security under which these keys are handled, master keys are typically used for longer periods of time that could extend into many months.

In an extensive network, with a large plurality of acquirers and a large plurality of issuers, a switch station (“network switch”) is used to route and coordinate the transaction requests and responses between the various acquirers and issuers. In such systems, it is simply not economically feasible to separately send session keys in special network messages. Also, the time requirements would be prohibitive.

The problems facing the operation of such ATM/CD networks are, then, to provide maximum-feasible security for the transaction data by encryption and decryption processes, and to securely, efficiently, and economically store, retrieve, and transmit the keys necessary to perform these processes.

SUMMARY OF THE INVENTION

The foregoing problems of how to operate an interchange transaction execution system of the type having multiplicities of transaction-source terminals and destination (issuer) data processors which store account information for a plurality of accounts, a plurality of acquirer stations each connected to one or more transaction terminals, and at least one network switch connected between the acquirer stations and the issuer stations, are solved by carrying out the steps to be described hereinafter. Transaction information and a personal identification number, PINc, are received from the user at the transaction terminal. A first session key encrypted with a first master key is retrieved from the terminal’s memory and is decrypted with the first master key that is also stored in the memory. In the preferred embodiment, the PINc is encrypted with the first session key KS1 and the encrypted PINc and selected elements of the transaction data are concatenated. The concatenated data are processed with the first session key, according to an arbitrarily-specified procedure, to form a first message authentication code, MAC1. A network/interchange request message comprised of the encrypted PINc, the MAC1 and other transaction data is transmitted from the transaction terminal to the acquirer station connected to said terminal.

The acquirer financial institution retransmits the message along with the same session key, but now encrypted in a second master key, to the network switch. The second master key is known to the network switch as the decoding element to use for that particular acquirer. The network switch, after determining for which issuer the request is intended, retransmits the message to that issuer along with the session key which it translates from second master key encryption to a third master key encryption. The third master key is known to the network switch as the coding element to use for that particular issuer.

At the issuer, the session key is decrypted with the third master key, and the PINc is decrypted with the session key. The MAC1 is recomputed and verified with the received MAC1 using the encrypted PINc, the selected data elements, and the session key. The data base within the issuer’s data processor is then accessed for the account specified in the transaction data. The PINc is compared and verified with the corresponding PIN stored in the data base for that account.

At the issuer’s data processor, after the PINc and the MAC1 have been verified, and the account balance for the user’s PAN has been checked for adequacy, an authorization code is generated to either authorize or deny the requested transaction. A second message authentication code, MAC2, using the session key is computed. The authorization code and the MAC2 are then included in the response message transmitted back to the acquirer through the network switch.

As will be explained further herein, at the acquirer, a new second encrypted session key is added to the response message to be relayed to the original transaction terminal, i.e., the ATM/CD. In addition, a session key authentication code (SKAC) may also be added to the reply message. At the terminal, the MAC2 is recomputed and verified using the first session key. Assuming that the MAC2 is properly verified, the transaction terminal acts on the authorization code to respond to the transaction terminal user. As discussed below, if the system is operating with session key authentication codes, the SKAC will also be computed and verified.

In the preferred embodiment of the invention the acquirer periodically generates and stores a plurality of session keys in encrypted pairs, the key of each pair being encrypted in a first master key and also in a second master key. With each return message from the host data processor, a new, or second session key, encrypted in the first master key, is appended to the return message. At the transaction terminal, the second encrypted session key, at the conclusion of the transaction, replaces the first session key and is stored for use with the next transaction. As discussed below, if the session key is to be authenticated, a SKAC will be generated for each encryption pair of keys.

For each transaction request message received from the terminal, the acquirer relays a modified message to the network switch. By keeping track of the identifying number of the terminal, the acquirer is also able to recover from storage the second master key encryption of the same session key used to encrypt the PINc at the transaction terminal. It then transmits this latter key, i.e., the session key which is encrypted in the second master key, to the network switch, as described above.

One of the significant advantages of an end-to-end encryption system, as opposed to other types of encryption, is that the one-time session keys guarantee that all encrypted data and MACs will be different even for identical transactions. Therefore, data-substitution, PIN-substitution, and message-replay types of adversary attacks are precluded. Also, potentially more security is offered against statistical analysis types of attack. A primary advantage of the present end-to-end encryption system is the ease and economy with which these session keys are securely and efficiently distributed. No special key-request or key-transmission messages are required. Another significant advantage is that the system also eliminates the requirements for encryption and re-encryption of critical data, and recomputation of MACs at all intermediate nodes. Therefore, the potential vulnerability to in-house sophisticated attacks is lessened, the message-processing and computer-time requirements are minimized, and the requirement for any on-line security processing at the acquirer installation is eliminated, thereby precluding the need for a special “Security-Module” peripheral at the acquirer.

In other, less desirable embodiments the MAC feature can be omitted; however, the level of security for the transaction diminishes accordingly.

In the areas of efficiency and growth, in the subject system, only one security module access is required per transaction as opposed to five with a link-encryption system. By security module access is meant access into a secured, hardware/software unit in which encryption and/or decryption processing can be securely executed. Any such access requires significant amounts of processor and host to security module communication time. In the subject end-to-end system, approximately only 15 real time encryption and/or decryption cycles are required per transaction, as opposed to approximately 56 for a link-encryption type of system. The relative efficiency of end-to-end systems increases substantially for operations requiring double-key encryption for maximum security.

As pointed out above, one of the advantages of the subject invention is that no security module access is necessary at the acquirer when retransmitting the message to the network switch. Rather, all cryptographic security functions can be done in an off-line, batch manner with most of the encrypted keys being stored on a disk. Groups of encrypted keys can be accessed from the disks periodically, as needed.

The decision as to whether the issuer utilizes a security module is typically left to the issuer. However, if the issuer does not use a security module, there exists a remote possibility that the system could be compromised. This method of attack relates to the replay of session keys as discussed below. The present invention is intended to prevent this mode of attack.

The message replay type of attack requires a passive tap hooked into the processor located at the issuer. In addition, an active tap would have to be installed between the automatic teller machine and the acquirer station.

The attack sequence would then be carried out in the following manner. A reply message from the acquirer to the ATM would be recorded in order to obtain the encrypted session key which is appended to the message. The following transaction initiated at the terminal will be encrypted using the session key which had just been recorded. When the latter transaction information reaches the issuer, the passive tap would then be utilized to detect the session key while it was in clear text form in the processor. This information would then be relayed to the active tap.

During a subsequent transmission of a reply from the acquirer to the terminal, the active tap would strip off the new encrypted session key which had been appended to the reply by the acquirer. The active tap will replace the legitimate encrypted key with the stolen, known encrypted session key. The criminal will then initiate a request for cash at the ATM. This request will be encrypted under the known session key. Accordingly, the active tap can intercept the response to this request and construct a suitable approval reply message, utilizing the known session key. This scenario could then be continuously replayed until the teller machine was emptied of cash.

As can be appreciated, the above attack scenario is relatively complex, requires a number of players and the timing must be accurately coordinated. However, it would be desirable to eliminate any possible modes of attack in an encryption system. One method of obviating this form of attack is to require the issuer to utilize a security module. By this arrangement, access to the session keys in clear text form is prevented. However, as in most fund transfer systems, it is desirable to permit each bank to have control over its own level of security. Furthermore, each bank should not have to rely on remote banks to supply security. Accordingly, it would be desirable to develop a system which would prevent the above discussed mode of attack and yet not require issuer cooperation. The latter object is solved in accordance with the new disclosure contained in the subject application.

Briefly, this attack scenario is prevented by ensuring that a session key can never be used more than once. Session key uniqueness is guaranteed utilizing a session key authentication code. A session key authentication code SKAC is generated for each encryption pair of session keys at the acquirer station. The SKAC is generated in a manner similar to a MAC, except that different inputs are used.

In use, when the acquirer station relays a message from the issuer, not only is a new session key appended to the message but, in addition, the SKAC is added. Prior to dispensing cash, the terminal will recompute and verify the SKAC to determine if a new and unique session key has been transmitted. If the SKAC is verified, the transaction will be completed and the new key will be used to replace the old key. If the SKAC is not verified, the terminal will request a new session key from the acquirer. If a properly authorized new session key is not received, the terminal will not complete the transaction.

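The request and reply legs from the Summary and the session key authentication check described above, combined in one added example that is not code from the patent. Assumptions, all hypothetical: an HMAC-SHA256 Feistel permutation and a truncated HMAC stand in for DES and the DES-based MAC, the PIN block layout and field names are invented for illustration, and the SKAC is keyed with the terminal master key KM1 over the key counter, TID and new session key, since the text only says it is computed like a MAC with different inputs.

```python
import hashlib
import hmac
import os

def _f(key, rnd, half):
    # Round function built from HMAC-SHA256; a stand-in, this is not DES.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    """Stand-in for DES: 4-round Feistel permutation of one 64-bit block."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def mac(key, *fields):
    """Stand-in for the DES-based MAC: HMAC over length-prefixed fields, 4 bytes."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()[:4]

def pin_block(pin):
    # Assumed layout: length nibble, PIN digits, 'F' fill characters to 64 bits.
    return bytes.fromhex(f"{len(pin):X}{pin}".ljust(16, "F"))

def make_pair(km1, km2, tid, n):
    """Acquirer, off-line: session key n wrapped under KM1 and KM2, plus its SKAC.
    Assumption: the SKAC is keyed with KM1 over (counter, TID, session key)."""
    ks = os.urandom(8)
    return {"e_km1": encrypt(km1, ks), "e_km2": encrypt(km2, ks),
            "skac": mac(km1, n.to_bytes(4, "big"), tid, ks)}

class Terminal:
    def __init__(self, tid, km1, e_km1_ks):
        self.tid, self.km1, self.e_km1_ks, self.n = tid, km1, e_km1_ks, 0

    def request(self, pin, amount):
        ks = decrypt(self.km1, self.e_km1_ks)
        enc_pin = encrypt(ks, pin_block(pin))
        return {"tid": self.tid, "amount": amount, "enc_pin": enc_pin,
                "mac1": mac(ks, enc_pin, self.tid, amount)}

    def accept_reply(self, reply):
        ks = decrypt(self.km1, self.e_km1_ks)
        if not hmac.compare_digest(reply["mac2"], mac(ks, reply["auth"], self.tid)):
            return "reject: MAC2"
        new_ks = decrypt(self.km1, reply["next_e_km1"])
        want = mac(self.km1, (self.n + 1).to_bytes(4, "big"), self.tid, new_ks)
        if not hmac.compare_digest(reply["next_skac"], want):
            return "reject: SKAC"  # old key kept; terminal asks for another key
        self.n, self.e_km1_ks = self.n + 1, reply["next_e_km1"]
        return reply["auth"].decode()

def switch_translate(km2, km3, e_km2_ks):
    """Network switch: re-wrap the session key from KM2 to KM3; PIN and MAC untouched."""
    return encrypt(km3, decrypt(km2, e_km2_ks))

def issuer_authorize(km3, e_km3_ks, msg, pin_on_file):
    ks = decrypt(km3, e_km3_ks)
    want = mac(ks, msg["enc_pin"], msg["tid"], msg["amount"])
    if not hmac.compare_digest(msg["mac1"], want):
        return None  # altered in transit or wrong session key
    ok = hmac.compare_digest(decrypt(ks, msg["enc_pin"]), pin_block(pin_on_file))
    auth = b"APPROVED" if ok else b"DENIED"
    return {"auth": auth, "mac2": mac(ks, auth, msg["tid"])}

def run_transaction(term, pairs, km2, km3, next_pair, pin="9725"):
    msg = term.request(pin, b"100.00")
    # Acquirer looks up the KM2 wrapping of the key this terminal is using.
    e_km3_ks = switch_translate(km2, km3, pairs[term.n]["e_km2"])
    reply = issuer_authorize(km3, e_km3_ks, msg, pin_on_file="9725")
    if reply is None:
        return "reject: MAC1"
    # Acquirer appends the next wrapped key and its SKAC to the reply.
    reply.update(next_e_km1=next_pair["e_km1"], next_skac=next_pair["skac"])
    return term.accept_reply(reply)

def demo():
    km1, km2, km3 = (os.urandom(8) for _ in range(3))  # constructed master keys
    tid = b"TX000001"                                  # constructed terminal id
    pairs = [make_pair(km1, km2, tid, n) for n in range(4)]
    term = Terminal(tid, km1, pairs[0]["e_km1"])
    return [
        run_transaction(term, pairs, km2, km3, pairs[1]),              # fresh key 1
        run_transaction(term, pairs, km2, km3, pairs[1]),              # key 1 replayed
        run_transaction(term, pairs, km2, km3, pairs[2]),              # fresh key 2
        run_transaction(term, pairs, km2, km3, pairs[3], pin="0000"),  # wrong PIN
    ]

if __name__ == "__main__":
    print(demo())
```

The second transaction is rejected because the terminal's counter has already advanced past the counter bound into the replayed key's SKAC, so the terminal keeps its current key instead of adopting the substituted one.
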
Applicant’s copending parent application can be referred to for a full disclosure of the preferred implementation of an end-to-end encryption system which does not utilize session key authentication codes. The remainder of this specification will be limited to an emb