Right away I want to post an article that was written neither by me nor by carders from various forums. I read this article a long time ago and kept it on my hard drive; I think many will find it interesting.
Introduction
The purpose of this document is to provide understandable information about cryptography and the technology surrounding it as applied to magnetic cards in the financial industry. This topic is usually approached with some trepidation, but everything turns out to be simple once the basic principles are understood.
Cryptography is complex, but its practical application is much easier. You do not have to know the mathematics to use cryptography successfully in a financial environment.
Because of the security measures that surround card cryptography, it is very difficult to find information in any form that offers anything of practical use, beyond yet another document shrouded in secrecy.
While other, more secure card technologies are being introduced, the magnetic card is much cheaper than the alternatives, and magnetic stripe cards remain the most common card type. Magnetic card security methods are improving slowly but surely and, when properly applied, can provide excellent protection for financial transactions at low cost.
The use of cryptography in cash magnetic cards
The most common use of cryptography is to provide a Personal Identification Number, or PIN, for magnetic card use in places where the legitimacy of access cannot otherwise be controlled, such as ATMs, or in other situations where a conventional paper signature cannot be provided. All of this applies to credit cards, debit cards and ATM cards. Few payment cards today lack a PIN.
The second most common use of cryptography is to provide mechanisms that verify the originality of the magnetic stripe. The purpose is to prevent fraudulent card creation: a value is written to the stripe that cannot be derived from the visible information on the card. When the card is verified online, this value can be checked to confirm the card's authenticity. There are several different standards for this, the most used being Visa's Card Verification Value (CVV) or its Mastercard analogue, CVC. In this document I will refer to the CVV mechanism, as it is the most commonly used.
Other uses of cryptography do not relate directly to cards; they usually concern the encryption of PINs and messages transmitted in the financial environment, to prevent interception or forgery. These are discussed in more detail in the following subsections.
Simple encryption
Understanding the common encryption mechanisms is essential to understanding the rest of this document.
Most magnetic card encryption is based on the Data Encryption Algorithm (DEA), known as DES or the Data Encryption Standard. The idea behind this algorithm is that the original (unencrypted) value is fed to the DES algorithm, which can be executed either in software or in hardware. DES then encrypts the clear value using a secret 64-bit key and outputs the encrypted value.
The unencrypted input is usually called cleartext (or plaintext), while the encrypted result is called ciphertext. In DES terminology, the process of turning cleartext into ciphertext is called the encipher operation.
Take note of the following:
The DES algorithm IS NOT secret; it is publicly available. The key, however, is secret.
The process is reversible: the DES decipher operation, using the same key, recovers the original (clear) information from the encrypted information.
The security and integrity of the entire encryption process depends on the secrecy of the key used. The key is a random value that is very tightly protected. Most of the complexity of DES-based systems lies in protecting, storing and transmitting keys; these activities are called key management.
It should also be noted that the encipher operation as described above is not exactly robust: in theory, a large number of concurrent processes can recover the key in a matter of days. This weakness has been discussed at length in the debate about improving security, although the additional countermeasures may limit how the algorithm can be applied.
A simple example for demonstration: passwords for computer system logins.
Passwords used on computer systems are commonly encrypted when they are set and stored in a file in encrypted form. When the user logs on, the password is typed into a hidden field in clear text. It is important to understand that this value is NOT compared with a value decrypted from the password file. Instead, the typed plaintext is encrypted with the same key and compared with the encrypted value held in the password file. Plaintext encrypted under the same key always gives the same result, and almost all cryptographic systems compare encrypted values rather than plaintext values, so that clear values need not be present in the system, where they could be compromised by memory dumps, hacking, and so on.
However, in this situation the user can always claim that their password could be exposed by decrypting the stored value, and that this is beyond their control; this is true.
Dynamic key exchange
Many financial systems implement dynamic key exchange. While this is not directly related to magnetic cards, it is relevant enough to deserve attention.
In dynamic key exchange, two parties exchange keys "on the fly", so that no single key is used for long enough to be at risk of being broken. This is typically used in a financial environment where two parties exchange financial authorization (confirmation) messages, for example the payee's bank and the sender's bank. When the beneficiary bank transmits the PIN to the sending bank for confirmation, the message must be encrypted. The sending bank needs access to the key under which the PIN was encrypted in order to decrypt the message on receipt. The parties agree on these keys in advance, and the keys can be replaced by dynamic key exchange, in which the new keys are delivered encrypted under the old keys and changed in real time for added security.
It should be emphasized that no encryption system is completely secure. There are always weaknesses in the system, both technical and operational, where human factors and opaque procedures can be compromised.
Practical application of cryptography in magnetic cards
The purpose of this section is to demonstrate how the encryption principles are (usually) applied to magnetic cards from a practical perspective.
PIN processing
The PIN principle is based on the fact that nobody except the legitimate cardholder knows it. Therefore, when a PIN is provided to the customer:
The PIN must not be stored anywhere in clear form
It must not be possible to reverse-engineer the PIN from the information on the magnetic stripe or from a centrally held database
Normally, a PIN is a 4-digit number. Other schemes exist, but we will use this format for illustration as it is a commonly accepted standard.
When a PIN is issued, the sequence of events is as follows:
A 4-digit number is generated; this is the PIN
The PIN is combined with other information, such as the account number, to create a block of data for the encryption process
The input block is triple-encrypted using the PIN working keys
Digits from the encrypted result are selected; they become the PIN Verification Value (PVV) or PIN offset
The PIN offset is stored
The PIN envelope is printed
The memory is overwritten with zeros to remove all traces of the clear PIN
At this point the only place the PIN value exists is in the envelope. The PIN cannot be derived from the PIN offset.
When a card is used and a PIN is entered, the PIN offset is recalculated from the entered PIN using the PIN working keys and compared with the stored PIN offset to determine whether the PIN was entered correctly. This means that the verifying system needs access to the PIN working keys that were used to generate or change the PIN.
Once again, it should be emphasized that the offset consists of digits selected from the encrypted data, typically 4 to 6 of them. Keys and PINs cannot be reconstructed from this value.
I. In some cases the PIN offset is stored on the magnetic stripe. This is used by terminals that can verify the PIN locally, but it is becoming increasingly rare.
II. When the user is allowed to change the PIN, the new offset is calculated in real time and written to the database. Note that if the PIN is forgotten, it cannot be recovered.
III. The method described above is the standard one. There are many variants, such as IBM 3624 Method A, the Diebold method, etc., but the principles are the same everywhere.
IV. In many methods, different keys are selected by an index value, usually written to the magnetic stripe. This is a single digit indicating the index of the key pair used. The purpose is (a) that the same keys are not used for the entire card base, and (b) that new keys can be used for a new issue without affecting old cards.
CVV processing
It quickly became clear that the proliferation of cash cards exposed financial institutions to fraudsters. In the credit card world this meant the production of counterfeit cards, with or without a magnetic stripe, with forged names and logos. In the ATM card arena, attackers observed PIN entry "over the shoulder", matched PINs to the information on receipts, and encoded their own magnetic stripes onto card blanks.
These and other threats led to the introduction of the Card Verification Value, a sequence of digits produced by the encryption process and recorded on the card's magnetic stripe that cannot be derived from the other card data. This means that electronic transaction data capture (ATM or POS) is effectively protected from fraudsters.
A combination of static data, such as the account number, is triple-encrypted using a special Card Verification key pair. Digits selected from the result form the CVV, which is written to the magnetic stripe.
The CVV is conceptually the same as the PIN offset. Because the CVV consists of several digits and triple encryption is used, the CVV keys and values are well protected, and the presence of a CVV provides an additional level of assurance that the card is not counterfeit.
It should be noted that the CVV is only an additional protection method; it is not 100% reliable either. It does not, for example, protect against fraudulent capture of magnetic card data, such as at counterfeit ATMs.
A further development of the CVV, CVV2, is used for telephone authorization. The calculation is roughly the same as for the CVV, but the digits selected from the result are printed on the back of the card. These digits can be requested to confirm the legitimacy of a transaction. Again, this is only an additional verification.
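The PIN-offset procedure and the CVV construction described above (the text notes they are the same idea) as one added example, not code from the original article: two-key triple DES over a decimal input block, followed by selection of a few decimal digits, with verification being simply a recomputation and comparison. The key pairs, the input layouts (rightmost 11 PAN digits + key index + PIN for the offset; PAN + expiry + service code for the CVV) and the digit-selection rule are simplified assumptions for illustration, not any card network's specification.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// Constructed double-length (16-byte) key pairs; real PVK/CVK pairs never leave the HSM.
const pinKeyPair, cvvKeyPair = "0123456789abcdeffedcba9876543210", "13579bdf02468acefeeddccbbaa99887"

// decimalize selects n decimal digits from a ciphertext: numeric hex digits first,
// then the letters a-f mapped to 0-5. Only these digits are stored, never the key.
func decimalize(ct []byte, n int) string {
	var digits, letters []byte
	for _, c := range hex.EncodeToString(ct) {
		if c <= '9' {
			digits = append(digits, byte(c))
		} else {
			letters = append(letters, byte(c-'a'+'0'))
		}
	}
	return string(append(digits, letters...)[:n])
}

// selectDigits zero-pads decimal data to whole 8-byte blocks, chains the blocks through
// two-key triple DES (each ciphertext XORed into the next block) and decimalizes the result.
func selectDigits(keyHex, hexData string, n int) string {
	k, _ := hex.DecodeString(keyHex)
	c, _ := des.NewTripleDESCipher(append(k, k[:8]...)) // K1, K2, K1
	data, _ := hex.DecodeString(hexData + strings.Repeat("0", (16-len(hexData)%16)%16))
	ct := make([]byte, 8)
	for i := 0; i < len(data); i += 8 {
		for j := range ct {
			ct[j] ^= data[i+j]
		}
		c.Encrypt(ct, ct) // in place: dst and src overlap entirely, which is allowed
	}
	return decimalize(ct, n)
}

// PINOffset: input block = rightmost 11 PAN digits (check digit dropped) + key index + PIN.
// Verification recomputes this from the entered PIN and compares; the clear PIN is never stored.
func PINOffset(pan, keyIndex, pin string) string {
	return selectDigits(pinKeyPair, pan[len(pan)-12:len(pan)-1]+keyIndex+pin, 4)
}

// CVV: data = PAN + expiry (YYMM) + service code, same construction, 3 digits for the stripe.
func CVV(pan, expiry, service string) string {
	return selectDigits(cvvKeyPair, pan+expiry+service, 3)
}
```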
Key handling
Key handling involves the storage, protection and transfer of keys. A single financial organization can have many DES keys, and they require proper handling. Debugging programs that deal with data encryption is among the worst kinds of debugging, since memory dumps are meaningless and it can be very difficult to detect that the wrong encryption key is being used.
Keys are normally managed in a hierarchy. Keys used for computation, such as PIN verification (working keys), are stored in encrypted form. Other sets of keys are used to transfer keys from one place to another, for example between two nodes in a network; these are called transport keys.
In good systems, working keys are never stored in unencrypted form. Even their creation is often automatic, so that the keys are never known to any person.
When initial keys are created, the 64 bits are shared between two or more people who "flip a coin" for each bit. Since each person works with only one segment of the key, the whole key is known to no one; this is usually how the initial master key is created.
Despite the simple concept, key management can become quite complex in practice.
In a simple ATM network, for example, a terminal master key is used to encrypt the working keys during transmission. A Terminal Master Key (TMK) is generated for each terminal, divided into two parts and printed (or sometimes encrypted onto a special magnetic card). Each TMK is then installed in its ATM.
The system then downloads the terminal working keys, encrypted under the terminal master key, to each ATM. The terminal working keys are then used to encrypt the PIN data when it is transmitted to the host during processing. If required, the terminal working key can be changed at intervals or dynamically, but this process requires special care.
It should be noted that key exchange is the weakest point of DES systems, so key management must be considered carefully.
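The terminal key hierarchy described above as an added example, not code from the original article: two custodians' components are XORed into the TMK, the working key is downloaded wrapped under the TMK, and the PIN block travels under the working key. Two-key triple DES, the 16-byte key sizes, ECB wrapping and all key values are assumptions for illustration.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
)

// tdes builds a two-key triple DES cipher from a 16-byte key (K1, K2, K1).
func tdes(key []byte) cipher.Block {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		panic(err) // only reached with a wrong key length
	}
	return c
}

// CombineComponents XORs two custodians' key components into the TMK; neither
// custodian alone knows the resulting key (the "divided into two parts" above).
func CombineComponents(a, b []byte) []byte {
	tmk := make([]byte, len(a))
	for i := range a {
		tmk[i] = a[i] ^ b[i]
	}
	return tmk
}

// WrapKey enciphers a 16-byte working key block by block under the TMK for download to the terminal.
func WrapKey(tmk, twk []byte) []byte {
	c, out := tdes(tmk), make([]byte, 16)
	c.Encrypt(out[:8], twk[:8])
	c.Encrypt(out[8:], twk[8:])
	return out
}

// UnwrapKey reverses WrapKey inside the terminal's secure module; the clear TWK stays there.
func UnwrapKey(tmk, wrapped []byte) []byte {
	c, out := tdes(tmk), make([]byte, 16)
	c.Decrypt(out[:8], wrapped[:8])
	c.Decrypt(out[8:], wrapped[8:])
	return out
}

// EncryptPINBlock enciphers one 8-byte PIN block under the working key before transmission;
// the host, holding the same TWK, decrypts it with DecryptPINBlock inside its HSM.
func EncryptPINBlock(twk, pinBlock []byte) []byte {
	out := make([]byte, 8)
	tdes(twk).Encrypt(out, pinBlock)
	return out
}

func DecryptPINBlock(twk, encrypted []byte) []byte {
	out := make([]byte, 8)
	tdes(twk).Decrypt(out, encrypted)
	return out
}
```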
Physical application
Encryption processing and key management are usually performed on dedicated secure hardware. DES can also be implemented in software (using products such as IBM's PCF), but this is less secure, and the DES algorithm can consume significant processor resources.
There are companies that specialize in dedicated encryption devices, such as Racal and Atalla. These are usually called HSMs (Host Security Modules), though the exact name varies by vendor; Racal has its own term for the device.
With these devices, all encryption and decryption takes place inside a locked device, and the keys never leave it in clear form.
Physically, HSMs are tamper-proof and are typically installed in secure computer rooms. Attempts to open them destroy the keys inside the device.
Some applications add link-level encryption on the physical telecommunication line for additional security, and there are many vendors of this type of device. They are a "black box" and require no special knowledge.
Examples
ATM withdrawal encryption
A typical ATM transaction:
The customer inserts the card into the ATM
Customer enters his PIN
Client requests cash
Transaction confirmed, cash released
There is a lot of cryptography involved in this process. For simplicity, let us assume that the receiving bank and the sending bank are the same.
1. The customer inserts the card into the ATM
The magnetic stripe is read and stored in the ATM's buffer.
2. Customer enters his PIN
The PIN is entered on the secure keypad and held inside the secure hardware module.
3. Customer requests cash
The message is created in the ATM. The PIN (and possibly other data) is encrypted with the terminal key.
The message is sent to the host, possibly also encrypted in hardware on the line.
On receipt at the host, the hardware decrypts the message. The CVV is calculated and compared with the value from the magnetic stripe. The PIN encrypted under the terminal key is decrypted, the PIN offset or PVV is calculated, and the PVV is compared with the entry in the PVV database.
4. Transaction confirmed, cash disbursed
Note: All host encryption functions normally take place inside the protected module. No clear values are passed to application programs or outside the protected environment.
Cryptography in an EFTPoS transaction
The CVV from the magnetic stripe can be verified on the host system to detect counterfeit cards. This only works in online systems, because CVV verification requires cryptographic calculations on the host.
Note: Some manufacturers support local key storage on EFTPoS devices and terminals. Because of the complexity of the key management involved, these devices are not considered here.
A more typical use of cryptography in EFTPoS (and, increasingly, in ATM and other systems) is the MAC (Message Authentication Code). A MAC can be thought of as a value computed from the contents of the critical message fields (card number, amount, etc.) and then passed through an encryption algorithm. Although the message is transmitted in the clear, the recipient can determine the validity of the fields by checking the MAC value. Technically, the MAC is the encrypted LRC field. The MAC size is defined in ISO 8583 as 16 bytes.
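An added example of the MAC check described above, not code from the original article: a DES CBC-MAC over the critical fields of a message, with a verification step that detects a modified amount. The field list and separator, the zero IV and zero padding, and the key value are assumptions for illustration.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"strings"
)

// Constructed single-length DES MAC key (8 bytes); in practice it reaches the terminal
// encrypted under a transport key and is used only inside the secure module.
const macKeyHex = "0f1e2d3c4b5a6978"

// ComputeMAC joins the critical fields in a fixed order, zero-pads to 8-byte blocks,
// runs DES in CBC mode with a zero IV and returns the last ciphertext block as
// 16 hex characters (the 16-byte MAC field size the text cites for ISO 8583).
func ComputeMAC(fields ...string) string {
	key, _ := hex.DecodeString(macKeyHex)
	c, _ := des.NewCipher(key)
	msg := []byte(strings.Join(fields, "|"))
	msg = append(msg, make([]byte, (8-len(msg)%8)%8)...)
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(c, make([]byte, des.BlockSize)).CryptBlocks(out, msg)
	return strings.ToUpper(hex.EncodeToString(out[len(out)-8:]))
}

// VerifyMAC recomputes the MAC over the fields as received and compares it in constant
// time with the transmitted value: any change to the PAN or amount in transit is detected
// even though the message itself travels in the clear.
func VerifyMAC(received string, fields ...string) bool {
	expected := ComputeMAC(fields...)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(strings.ToUpper(received))) == 1
}
```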
Other encryption applications in finance
As well as the common uses of encryption described above, interbank networks (e.g. SWIFT) have historically been active users of encryption techniques.
The plethora of new delivery channels and the ever wider spread of advanced technology have increased interest in, and use of, encryption.
In cases where cryptography must be distributed widely to the public (e.g. PC-based home banking), conventional DES is too difficult to manage securely. More suitable and secure algorithms, such as RSA (a public-key encryption system), are used in such systems.
Some enterprise applications use DES well secured by combining it with other mechanisms: MACs, physical (link) encryption, dynamic key exchange, etc.
Copyright (C) 2004 unnamed