Presentation on theme: "Lecture 9 e-Banking. Introduction The most used methods to pay for a service or merchandise are: –The real money (so called “cash”) –cheque (or check."— Presentation transcript:
Lecture 9 e-Banking
Introduction The most used methods to pay for a service or merchandise are: –The real money (so called “cash”) –cheque (or check in US) –Credit cards –On line payments Nowadays the last two banking instruments begin to replace the classical ones in direct relation with the level of economic development of each country. It is clear that so called knowledge base society that is expected to globally extend into the future will use something similar but probably more complex Anyhow in all transactions the security problem is inevitable
Tamper Resistant/Responding Security Module TRSM Host Security Module (HSM) Hardware Security Module (HSM) Crypto Coprocessor –Provides a secure, trusted environment to perform sensitive operations –Detects and responds to physical, electronic (or other) attempts to recover key material or sensitive data. Typical measures include: physical tamper envelope/membrane temperature, radiation sensors power supply monitoring and filtering –Trigger causes erasure of protected data
PIN Encryption e.g. PIN is 1234, Key is ABCDEF 1.Start with an empty PIN block 2.Insert PIN 3.Pad 4.Encrypt the clear PIN block FFFFFFFFFFFF 2580D0D6B489DD1B
DUPKT management DUKPT is specified in ANSI X9.24 part 1. Here the receiver has a master key called the Base Derivation Key (BDK). The BDK is supposed to be secret and will never be shared with anyone. This key is used to generate keys called the Initial Pin Encryption Key (IPEK). From this a set of keys called Future Keys is generated and the IPEK discarded. Each of the Future keys is embedded into a PED by the device manufacturer, with whom these are shared. This additional derivation step means that the receiver does not have to keep track of each and every key that goes into the PEDs. They can be re-generated when required. The receiver shares the Future keys with the PED manufacturer, who embeds one key into each PED.
APACS-40, 70 standard APACS - 40 also use the coding of transaction key. To do it the information from previous and current transaction is used to generate: –Key to code the PIN –The code of authentication message for current transaction Each keys are changed on each transaction and are unique for each terminal In APACS 70 the UK card issuers have agreed to use static data authentication (SDA) initially. Dynamic data authentication (DDA) or combined dynamic data authentication (CDA) should not be used except with higher specification cards incorporating a dedicated cryptographic processor. The use of cards with Chinese remainder theorem is also likely to be a necessity and is thus recommended.
PIN Verification (Offsets) 1.Validation data is encrypted under PIN generation (verification) key. 2.Ciphertext is ‘decimalised’ to form IPIN by means of a table. 3.Calculate the offset as OFFSET = PIN-IPIN (where ‘-’ is subtraction modulo 10)
PIN Verification (Offsets) IBM PIN Offset Algorithm Allows user to choose own PIN (also to change it easily) Validation data is typically customer and financial institution specific (e.g. PAN) ‘Decimalization’ by means of a table ABCDEF
Transaction flow example
ANSI X9.8 (ISO-0) Attack –Attacks the PIN translate/reformat function
ANSI X9.8 Attack Q: What happens if (P x) is a decimal digit? A: The call passes. Q: What happens if (P x) is not a decimal digit? A: Typically, the call FAILS! We have a test for (P x) < 10. Building a simple algorithm to identify P 1.Try all possible values of x, yielding a unique * pattern of ‘passes’ and ‘fails’ allowing you to identify P. 2.A decision tree
The Decimalization Attack –Attacks the PIN Verification using offsets function
Decimalization Attack Input Parameters Encrypted PIN Block (EPB) Validation Data Decimalization Table Offset Encrypted Key Attack Strategy: –In an iterative manner, we make a single change to an entry in the decimalization table and observe the effects
what 3-D Secure Password is.. It is an E-Commerce Application for Payment System To know about the 3-D Secure password we need to know about 3-D and then 3-D Secure. 3-D Stands for Three Domains here. 3-D Secure is XM L Based Protocol to implement the better security to the Credit and Debit card Transactions. So The Password formed by 3-D Secure Protocol is called 3-D Secure Password.
Performance It was officially launched in 2007and now most of the banks are working with this. ICICI and more Banks are working on implementing on 3-D Secure. As Now more than 100 vendors are developing 3-D Secure. Current Version is running with high Performance.