Blunting Differential Attacks on PIN Processing APIs

Focardi, Riccardo; Luccio, Flaminia L.; Steel, Graham

doi:10.1007/978-3-642-04766-4_7

Riccardo Focardi¹⁹,
Flaminia L. Luccio¹⁹ &
Graham Steel²⁰

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5838))

Included in the following conference series:

Nordic Conference on Secure IT Systems

1159 Accesses
5 Citations

Abstract

We propose a countermeasure for a class of known attacks on the PIN processing API used in the ATM (cash machine) network. This API controls access to the tamper-resistant Hardware Security Modules where PIN encryption, decryption and verification takes place. The attacks are differential attacks, whereby an attacker gains information about the plaintext values of encrypted customer PINs by making changes to the non-confidential inputs to a command. Our proposed fix adds an integrity check to the parameters passed to the command. It is novel in that it involves very little change to the existing ATM network infrastructure.

Work partially supported by Miur’07 Project SOFT: “Security Oriented Formal Techniques”.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Hackers crack cash machine PIN codes to steal millions. The Times online, http://www.timesonline.co.uk/tol/money/consumer_affairs/article4259009.ece
PIN Crackers Nab Holy Grail of Bank Card Security. Wired Magazine Blog Threat Level, http://blog.wired.com/27bstroke6/2009/04/pins.html
Verizon Data Breach Investigations Report (2009), http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Adida, B., Bond, M., Clulow, J., Lin, A., Anderson, R., Rivest, R.L.: On the security of the EMV secure messaging API (2008)
Google Scholar
Anderson, R.: Why cryptosystems fail. Commun. ACM 37(11), 32–40 (1994)
Article MathSciNet Google Scholar
Anderson, R.: What we can learn from API security. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2003. LNCS, vol. 3364, pp. 288–300. Springer, Heidelberg (2005)
Chapter Google Scholar
Berkman, O., Ostrovsky, O.M.: The unbearable lightness of PIN cracking. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 224–238. Springer, Heidelberg (2007)
Chapter Google Scholar
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptology 4(1), 3–72 (1991)
Article MathSciNet MATH Google Scholar
Bond, M.: Understanding Security APIs. PhD thesis, University of Cambridge, England (2004), http://www.cl.cam.ac.uk/~mkb23/research.html
Bond, M., Zielinski, P.: Decimalization table attacks for pin cracking. Technical Report UCAM-CL-TR-560, University of Cambridge, Computer Laboratory (2003), http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
Centenaro, M., Focardi, R., Luccio, F.L., Steel, G.: Type-based Analysis of PIN Processing APIs. In: 14th European Symposium on Research in Computer Security, ESORICS 2009. LNCS (to appear, 2009)
Google Scholar
Clulow, J.: The design and analysis of cryptographic APIs for security devices. Master’s thesis, University of Natal, Durban (2003)
Google Scholar
IBM Inc. CCA Basic Services Reference and Guide for the IBM 4758 PCI and IBM 4764 PCI-X Cryptographic Coprocessors. Technical report. Releases 2.53–3.27 (2006), http://www-03.ibm.com/security/cryptocards/pcicc/library.shtml
Mannan, M., van Oorschot, P.: Reducing threats from flawed security APIs: The banking PIN case. Computers & Security 28(6), 410–420 (2009)
Article Google Scholar
Myers, A.C., Sabelfeld, A., Zdancewic, S.: Enforcing robust declassification and qualified robustness. Journal of Computer Security 14(2), 157–196 (2006)
Article Google Scholar
Steel, G.: Formal Analysis of PIN Block Attacks. Theoretical Computer Science 367(1-2), 257–270 (2006)
Article MathSciNet MATH Google Scholar

Download references

Author information

Authors and Affiliations

Università Ca’ Foscari Venezia, Italy
Riccardo Focardi & Flaminia L. Luccio
Laboratoire Spécification et Vérification, CNRS & INRIA & ENS de Cachan, France
Graham Steel

Authors

Riccardo Focardi
View author publications
You can also search for this author in PubMed Google Scholar
Flaminia L. Luccio
View author publications
You can also search for this author in PubMed Google Scholar
Graham Steel
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

University of Oslo, University Graduate Center, Kjeller, Norway
Audun Jøsang
Norwegian Defence Research Establishment, Kjeller, Norway
Torleiv Maseng
Norwegian University of Science and Technology, Centre for Quantifiable Quality of Service in Communication Systems, Trondheim, Norway
Svein Johan Knapskog

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Focardi, R., Luccio, F.L., Steel, G. (2009). Blunting Differential Attacks on PIN Processing APIs. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds) Identity and Privacy in the Internet Age. NordSec 2009. Lecture Notes in Computer Science, vol 5838. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04766-4_7

Download citation

DOI: https://doi.org/10.1007/978-3-642-04766-4_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04765-7
Online ISBN: 978-3-642-04766-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics