
Software Engineering 4C03 Winter 2005

The Encryption Technology of Automatic Teller Machine Networks


Researcher: Shun Wong Last revised: April 2nd, 2005

Introduction

ATM, short for Automatic Teller Machine, is a simple yet secure banking service. The basic concept is that an ATM allows an authorized cardholder to conduct banking transactions without visiting a branch. ATMs are well known for their convenience to customers, their cost-effectiveness for the bank and, most importantly, their security. An ATM does not approve a transaction on its own: it relies on the bank authorizing each transaction over a secure communications network. Encryption is built into that network to prevent unauthorized transactions, which could otherwise result in losses. This report focuses on the Data Encryption Standard and the Advanced Encryption Standard, the encryption standards presently adopted by banks across the globe.

1.1 Hardware and Software

ATMs contain secure crypto-processors, generally within an IBM PC compatible host computer in a secure enclosure. The security of the machine relies mostly on the integrity of the secure crypto-processor, because the host software often runs on a commodity operating system. In-store ATMs typically connect directly to their ATM Transaction Processor via a modem over a dedicated telephone line, although the move towards Internet connections is under way. In addition, ATMs are moving away from custom circuit boards (most of which are based on the Intel 8086 architecture) and into full-fledged PCs with commodity operating systems such as Windows 2000 and Linux. Other platforms include RMX 86, OS/2 and Windows 98 bundled with Java. The newest ATMs with Microsoft technology use Windows XP or Windows XP Embedded. [Lockergnome Encyclopedia 2004]

ATM Encryption Methods

ATM transactions are usually encrypted with DES (please refer to the next section), but most transaction processors will require the use of the more secure Triple DES by 2005. There are also many "phantom withdrawals" from ATMs, which banks often claim are the result of fraud by customers. Many experts ascribe phantom withdrawals to the criminal activity of dishonest insiders. Ross Anderson, a leading cryptography researcher, has been involved in investigating many cases of phantom withdrawals, and has been responsible for exposing several errors in bank security. There have also been a number of incidents of fraud where criminals have used fake machines or have attached fake keypads or card readers to existing machines. These have then been used to record customers' PINs and bank account details in order to gain unauthorized access to their accounts. [Lockergnome Encyclopedia 2004]

2.1 Data Encryption Standard

The Data Encryption Standard (DES) is an approved cryptographic algorithm selected as an official Federal Information Processing Standard (FIPS) for the United States. [Lockergnome Encyclopedia 2004] In DES, data are encrypted in 64-bit blocks using a 56-bit key; the key is supplied as 8 bytes, but one bit of each byte is a parity bit that the algorithm discards. The algorithm transforms a 64-bit input in a series of steps into a 64-bit output. [William Stallings 2003] For further details of DES encryption and decryption, please refer to Cryptography And Network Security: Principles and Practice, 3rd ed., by William Stallings. FIPS PUB 81, DES Modes of Operation, describes four different modes for using the algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB) and Output Feedback (OFB). ECB is a direct application of the DES algorithm to each block independently, so two identical plaintext blocks always produce identical ciphertext blocks, which is the weakness the other three modes exist to remove. CBC chains the blocks together by XORing each plaintext block with the previous ciphertext block before encrypting it. CFB uses previously generated ciphertext as input to DES to generate pseudorandom output that is combined with the plaintext to produce the ciphertext, thereby chaining the resulting ciphertext. OFB is identical to CFB except that the previous DES output, rather than the previous ciphertext, is fed back, so OFB does not chain the ciphertext. All four modes provide confidentiality only; none of them detects modification of the ciphertext. [Federal Information Processing Standards Publication 46-2 1993]
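The four FIPS 81 modes described above, written out on top of DES's 64-bit block function, as an added example (this is not code from the report or from any of its sources). It uses Go's standard crypto/des for the block function and checks the hand-written CBC, CFB and OFB against Go's crypto/cipher; the key, IV and three-block "transaction record" are constructed for the demonstration, and the record deliberately repeats its first block so that ECB's leak is visible.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

const blockSize = des.BlockSize // DES works on 64-bit (8-byte) blocks

// Constructed sample input (not real ATM traffic): demo key, demo IV and a
// 3-block record whose first two blocks are identical.
var (
	sampleKey = []byte("8bytekey")                 // 8 bytes; DES uses 56 bits of them
	sampleIV  = []byte("initvect")                 // 8-byte IV for the chaining modes
	samplePT  = []byte("ACCT0001ACCT0001AMT00100") // exactly 3 DES blocks
)

func xor(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// ECB: each block encrypted on its own; equal plaintext blocks give equal ciphertext blocks.
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += blockSize {
		b.Encrypt(ct[i:i+blockSize], pt[i:i+blockSize])
	}
	return ct
}

// CBC: each plaintext block is XORed with the previous ciphertext block (the
// IV for the first one) before encryption, chaining the ciphertext together.
func cbcEncrypt(b cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	prev, tmp := iv, make([]byte, blockSize)
	for i := 0; i < len(pt); i += blockSize {
		xor(tmp, pt[i:i+blockSize], prev)
		b.Encrypt(ct[i:i+blockSize], tmp)
		prev = ct[i : i+blockSize]
	}
	return ct
}

// CFB (full-block feedback): the previous ciphertext block goes through DES and
// the output is XORed with the plaintext; only DES's forward direction is needed.
func cfbEncrypt(b cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	feedback, ks := iv, make([]byte, blockSize)
	for i := 0; i < len(pt); i += blockSize {
		b.Encrypt(ks, feedback)
		xor(ct[i:i+blockSize], pt[i:i+blockSize], ks)
		feedback = ct[i : i+blockSize]
	}
	return ct
}

// OFB: the previous DES *output* (not the ciphertext) is fed back, so the
// keystream depends only on key and IV and the ciphertext is not chained.
func ofbEncrypt(b cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	out := append([]byte(nil), iv...)
	for i := 0; i < len(pt); i += blockSize {
		b.Encrypt(out, out) // in place: dst and src overlap entirely, which is allowed
		xor(ct[i:i+blockSize], pt[i:i+blockSize], out)
	}
	return ct
}

// repeatedBlocksVisible reports whether the mode leaked the repeated plaintext block.
func repeatedBlocksVisible(ct []byte) bool {
	return bytes.Equal(ct[:blockSize], ct[blockSize:2*blockSize])
}

// modesMatchStdlib checks the hand-written chaining modes against crypto/cipher.
func modesMatchStdlib(b cipher.Block, iv, pt []byte) bool {
	want := make([]byte, len(pt))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(want, pt)
	if !bytes.Equal(want, cbcEncrypt(b, iv, pt)) {
		return false
	}
	cipher.NewCFBEncrypter(b, iv).XORKeyStream(want, pt)
	if !bytes.Equal(want, cfbEncrypt(b, iv, pt)) {
		return false
	}
	cipher.NewOFB(b, iv).XORKeyStream(want, pt)
	return bytes.Equal(want, ofbEncrypt(b, iv, pt))
}

func main() {
	b, err := des.NewCipher(sampleKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("ECB leaks the repeated block:", repeatedBlocksVisible(ecbEncrypt(b, samplePT)))
	fmt.Println("CBC leaks the repeated block:", repeatedBlocksVisible(cbcEncrypt(b, sampleIV, samplePT)))
	fmt.Println("hand-written modes agree with crypto/cipher:", modesMatchStdlib(b, sampleIV, samplePT))
}
```

ECB reports the repeated block as visible and CBC does not; CFB and OFB hide it for the same reason CBC does. Note that decrypting CFB or OFB never calls DES decryption, and that none of the four modes detects a modified ciphertext, which is why a processor pairs them with a separate integrity check in practice.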

2.2 Advanced Encryption Standard

There are cases where ATMs using DES have been breached within 24 hours; the 56-bit DES key space is small enough to be searched exhaustively. The most recent solution is to adopt a new encryption standard, the Advanced Encryption Standard (AES), which the National Institute of Standards and Technology (NIST) published as a Federal Information Processing Standard (FIPS) to replace the Data Encryption Standard (DES). The Cisco documentation this report draws on describes AES in its IPSec context: the AES feature adds AES in Cipher Block Chaining (CBC) mode as a privacy transform for IP Security (IPSec) and Internet Key Exchange (IKE). AES is designed to be more secure than DES: it offers a larger key size, and the only known approach to decrypting a message without the key is for an intruder to try every possible key. AES has a variable key length: the algorithm can use a 128-bit key (the default), a 192-bit key, or a 256-bit key. [Cisco Systems, Inc. 2004]
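What the larger key size actually buys, as an added example that is not from the report or from Cisco's documentation. The algorithm labels ("DES", "3DES", "AES") and the demo keys are assumptions for illustration; the cipher constructors are Go's standard library. It shows that DES discards eight parity bits of its 64-bit key (so two different 8-byte keys can encrypt identically), that AES accepts only 128-, 192- or 256-bit keys, that the block size also doubles from 64 to 128 bits, and how the two key spaces compare.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
	"math/big"
)

// newBlockCipher builds the block cipher a transaction processor would use for
// a given algorithm label. The labels are an assumption for this example, not
// a vendor API; the constructors are Go's standard library.
func newBlockCipher(alg string, key []byte) (cipher.Block, error) {
	switch alg {
	case "DES":
		return des.NewCipher(key) // 8-byte key, 56 bits actually used
	case "3DES":
		return des.NewTripleDESCipher(key) // three 8-byte keys (24 bytes)
	case "AES":
		return aes.NewCipher(key) // 16, 24 or 32 bytes: AES-128/192/256
	}
	return nil, errors.New("unknown algorithm: " + alg)
}

// desIgnoresParityBits demonstrates why DES is a 56-bit cipher: the low bit of
// each key byte is a parity bit the key schedule discards, so a key with all
// eight of those bits flipped encrypts exactly the same way.
func desIgnoresParityBits(key []byte) bool {
	flipped := make([]byte, len(key))
	for i, k := range key {
		flipped[i] = k ^ 0x01
	}
	b1, err1 := newBlockCipher("DES", key)
	b2, err2 := newBlockCipher("DES", flipped)
	if err1 != nil || err2 != nil {
		return false
	}
	pt := []byte("ACCT0001") // constructed 8-byte block
	c1, c2 := make([]byte, 8), make([]byte, 8)
	b1.Encrypt(c1, pt)
	b2.Encrypt(c2, pt)
	return bytes.Equal(c1, c2)
}

// aesRejectsKeySize reports whether aes.NewCipher refuses an n-byte key.
// AES has no "almost right" key length: anything but 16/24/32 is an error.
func aesRejectsKeySize(n int) bool {
	_, err := aes.NewCipher(make([]byte, n))
	var kse aes.KeySizeError
	return errors.As(err, &kse)
}

// blockBits returns the block size in bits for alg and key, the other
// parameter that changes in the DES-to-AES move (64 -> 128).
func blockBits(alg string, key []byte) (int, error) {
	b, err := newBlockCipher(alg, key)
	if err != nil {
		return 0, err
	}
	return b.BlockSize() * 8, nil
}

// keySpace returns 2^bits: the number of keys an exhaustive search must try
// when, as the text says, trying every key is the only known attack.
func keySpace(bits uint) *big.Int {
	return new(big.Int).Lsh(big.NewInt(1), bits)
}

func main() {
	desKey := []byte("8bytekey")                         // constructed demo keys
	aesKey := []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	fmt.Println("DES ignores its parity bits:", desIgnoresParityBits(desKey))
	fmt.Println("AES rejects a 7-byte key:", aesRejectsKeySize(7))
	for _, c := range []struct {
		alg string
		key []byte
	}{{"DES", desKey}, {"AES", aesKey}} {
		bits, err := blockBits(c.alg, c.key)
		fmt.Printf("%s: %d-bit blocks, err=%v\n", c.alg, bits, err)
	}
	ratio := new(big.Int).Div(keySpace(128), keySpace(56))
	fmt.Println("AES-128 key space / DES key space = 2^72 =", ratio)
}
```

The parity check is the practical meaning of "64-bit key, 56 bits used": a processor that generates DES keys from 8 random bytes gets no more than 2^56 distinct keys, and any key-strength accounting has to use 56, not 64. The `blockBits` result matters for the chaining modes too, since the IV for CBC, CFB or OFB must be exactly one block long.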

Conclusion

Behind the friendly appearance of Automatic Teller Machines, they are protected by some of the most advanced encryption technologies. However, ATM security requires progressively improving methods to keep up with smart intruders. A clear example is the upgrade from the Data Encryption Standard to the Advanced Encryption Standard: the smallest AES key is 128 bits against DES's 56, and because every additional key bit doubles the cost of an exhaustive search, that is not a three-fold improvement but a key space larger by a factor of 2^72. In the near future, newer methods will be adopted to protect ATMs from intruders with better technologies. Although this is a constant battle between intruders and the banks, ATMs are still a very convenient, cost-effective and secure banking method provided to customers today.

References

1. Automatic Teller Machine, Lockergnome Encyclopedia, 2004. [Retrieved from the web March 25th, 2005] http://encyclopedia.lockergnome.com/
2. William Stallings, Cryptography And Network Security: Principles and Practice, 3rd ed., 2003. [Retrieved from text March 20th, 2005]
3. Data Encryption Standard (DES), Federal Information Processing Standards Publication 46-2, 1993. [Retrieved from the web March 25th, 2005] http://www.itl.nist.gov/fipspubs/fip46-2.htm
4. Advanced Encryption Standard (AES), Cisco Systems, Inc., 2004. [Retrieved from the web March 25th, 2005] http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ft_aes.htm
