Madrock

Hi,

Recently I a questing was asked on another post relating to DUKPT. Given I have lots of material on the subject I thought I would create this thread. Link

I will come back at some stage and expand on this when I get time.

Transaction Process narrative:

The diagram describes a mobile terminal/ATM is described using the a AS2805 (‘2805′) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).

A good explanation of DUKPT can also be found at Wikipedia.

Diagram of the flow

Background notes:

• The terminal or ATM firstly encrypts the user entered pin (may be a unique DUKPT key or static, depending on the design and banks involved) prior to incorporating it into the AS 2805 transaction message.
• the message is then encrypted again using the DUKPT key which has been established through the merchant logon process within the aquirer Host Security Module (HSM) i.e. the user entered pin is encrypted separately and encapsulated within the DUKPT encrypted 2805 message to provide full message encryption.
• In the diagram a separate dual authenticating SSL session is also used between the terminal/ATM and the aquirers infrastructure. This allowing the transaction including the pin to traverse the external Wired/GPRS/LAN within 2 primary independent layers of encryption, with a 3^rd protecting the PIN.
• When the transaction enters the aquirer environment the message encapsulation layer provided by SSL is removed.  This leaving the DUKPT’ed 2805 message which also encapsulates the separately encrypted PIN.
• This encrypted message is passed to the aquirer switch engine through to the aquirer’s HSM for decryption of the 2805 message excluding the user entered pin.
• This is when transactional information necessary for aquirer’s merchant reporting (truncated card number, transaction amount, transaction type, etc.) and fraud management data is collected.
• The aquirer switch then passes the encrypted PIN to the aquirer HSM requesting that the PIN be decrypted using the aquirer’s PIN encryption and translated to the next banks (Bank 1)  PIN Encryption Key (Pin translation only occurs within the aquirer HSM) This is then sent back to the aquirer Switch engine as the Bank 1 encrypted PIN.
• The aquirer switch engine then send the decrypted 2805 message with the newly encrypted PIN back to aquirer HSM to be encrypted with the Bank 1 MAC key.
• The resultant Bank 1 key encrypted message is then sent to Bank 1 for processing and/or passing to the card issuer (using a similar process as described above).
• When the result is received back from the issuing bank it is encrypted with the Bank 1 MAC key (the pin will not be present in the result message).
• This is then decrypted by the aquirer HSM, the transaction fate result stored into the aquirer merchant reporting system and the transaction fate re-encrypted with the original aquirer DUKPT key (should be different per terminal/merchant instance) and the result sent back to the terminal through the original established SSL encrypted terminal connection.

The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.

When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).

When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.

HSM-8000-User Guide V2.2

When considering Mobile Banking security and the associated risk, the an assessment approach depends greatly on the solution being created or provided.
Generally the approach is based on layered standards supporting and surrounding the technologies and techniques used.

Here are some things to consider.

Security assessments generally focuses on two main things.

1/ Sensitivity of the data
What is being sent. eg. Pin, credit card numbers, account balance, home address, bank account number, etc.
Data may not be sensitive to the bank, but may be considered by the client as sensitive.
etc……….

2/ Opportunity to access the data.
What medium is being used?
Is it easy to hack?
What encryption is being used?
Are all data paths secure (client and back end)?
Is there a 3rd party involved in the switching of the transactions?
etc………

Things to consider:

• Pin resets sent via SMS to client, should not be used as the only method of accessing accounts. An additional client specific (possibly static) pass word/phrase should be used in addition to a dynamically generated pin. SMS can be sniffed (depending on mode and location).
• If WAP is used, are all devices capable of encryption? If devices are not capable of encryption, do we deny access to these devices? If client side JAVA or intelligent device (win CE, etc), ensure this can not be compromised by a Trojan’s and other key logging techniques.
• Has the organisation considered client side certificates to verify the device prior to transactions being accepted? Consider multiple device and user identification methods (very solution dependant).
• Most mobile POS terminals encrypt the client entered Pin number, but do not encrypt everything within the transaction. If the transmission medium is compromised, we should consider if the encryption can be cracked and if unencrypted data is sensitive. Consider additional data encryption encapsulation i.e. use of all of message encryption (SSL, IPSEC) or use a terminal that utilises Derived Unique Key Per Transaction (DUKPT).
• Many banking applications have been affected by typical hacks such as session hijacking, SQL injection, non random session keys (client side and server side), etc… These typical hacks should be considered in your Secure SDLC and QA Processes once you are aware of the technology used and/or deployed.
• PBX systems and cabling distribution frames can have devices connected to collect transactions. Wireless devices are now being connected to these systems. The attacker sits in their car in the car park outside. This is often done in super markets.
• Wireless transaction gateways if not encrypted are easily collected by anyone within wireless range. 802.11 and other wireless/infra-red mediums are being used (assess the technology and medium being used).
• Has the organisation considered dynamic keys for mobile users? There are some very low cost SecureID type solutions available today, but customers need to have these devices on them when they want to do a transaction.

I have been recently working inside one of the larger Banks in Australia.
Through this work I have been looking at the controls and mechanisms surrounding the processing of credit and debit cards around the Asia Pacific.

I get perform many security architecture and payment systems assessments.
Over the years I have always considered the protection of the card data as one of the key considerations.

Until yesterday I had never seen an CVV or PVV decryption tools. I think some scripted use of these tools could be very interesting.
The site hziggurat29.com

Many of the other tools on this site are also very unique and worth a look.
Big thanks to ziggurat29 for providing such awesome tools.

As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the text from this page and provide local copies on the files.
It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.

One of the more extraordinary files is the Atalla Hardware Security Module (HSM)  and BogoAtalla for Linksys emulation (simulation) tools. So I wonder if Eracom and Thales are shaking in their boots. Some how I don’t think so. ;-)

——– ziggurat29 Text ———

These are all Windows command-line utilities (except where noted); execute with the -help option
to determine usage.

DUKPT Decrypt (<- the actual file to download)

This is a utility that will decrypt Encrypted PIN Blocks that have been produced via the DUKPT triple-DES method.  I used this for testing the output of some PIN Pad software I had created, but is also handy for other debugging purposes.

VISA PVV Calculator (<- the actual
file to download)

This is a utility that will compute and verify PIN Verification Values that have been produced using the VISA PVV technique.  It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn computations), creating and encrypting PIN blocks, decrypting and extracting PINs from encrypted PIN blocks, etc.

VISA CVV Calculator (<- the actual file to download)

This is a utility that will compute Card Verification Values that have been produced using the VISA CVV technique.  MasterCard CVC uses the CVV algorithm, so it will work for that as well.  It will compute CVV, CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
format of the expiration date.  Verification is simply comparing the computed value with what you have received, so there is no explicit verification function.

Atalla AKB Calculator (<- the actual file to download)

This is a utility that will both generate and decrypt Atalla AKB cryptograms.  You will need the plaintext MFK to perform these operations.  When decrypting, the MAC will also be checked and the results shown.

BogoAtalla (<- the actual file to
download)

This is an Atalla emulator (or simulator).  This software emulation (simulation) of the well-known Atalla Hardware Security Module (HSM) that is used by banks and processors for cryptographic operations, such as verifying/translating PIN blocks, authorising transactions by verifying
CVV/CSC numbers, and performing key exchange procedures, was produced for testing purposes.  This implementation is not of the complete HP Atalla command set, but rather the just
portions that I myself needed.  That being said, it is complete enough if you are performing acquiring and/or issuing processing functions, and are using more modern schemes such as Visa PVV and DUKPT, and need to do generation, verification, and translation.

This runs as a listening socket server and handles the native Atalla command set.  I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native hardware), but definitely should get identical positive
responses.  Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available.  Examples are generating PVV values and encrypting/decrypting plaintext PIN values.

BogoAtalla for Linksys (<- the actual file to download)

This is the Atalla emulator ported to Linux and build for installation on an OpenWRT system.  Makes for a really cheap ($60 USD) development/test device.

 

Local Files

bogoatalla002
atallaakbcalc
bogoatalla_10-1_mipsel
dukptdecrypt
visacvvcalc
visapvvcalc