Checking PIN code of bank cards
In connection with the appearance of the article “Travels of a banking transaction” , in which questions about the PIN verification mechanism began to appear, I would like to clarify this issue somewhat. This article will consider only the issue of checking a so-called. online PIN, i.e. PIN, which is entered on the terminal and is transmitted for further verification to the system that authorizes the transaction.
Before proceeding directly to the question of scrolling a PIN of a card, let us dwell on some theoretical questions.
At the moment, the basic encryption algorithm for all actions with bank cards is the DES algorithm (and not 3DES, which is used only for encryption operations, mainly the transport layer). Without going into the terminology and classification of encryption algorithms, just say that this is a block encryption algorithm with a block size of 8 bytes and a key of 56 bits (7 bytes). In practice, it is customary to represent the DES key as a block of 8 bytes, where in each byte the highest 7 bits are significant, and the last bit is insignificant. It can be used to control the integrity of the key (more on that later).
Since, currently, a 56-bit key is insufficient from a security point of view, instead of the DES algorithm for encryption, use the 3DES algorithm in EDE mode (hereinafter, the 3DES designation will mean the use of the EDE scheme). Usually, the 3DES algorithm with a double-length key (112 bits, 16 bytes) is used in the banking environment, in which the same key is used in the first and third steps (see the description of the algorithm).
')
At the moment, basically, the following 2 PIN verification algorithms are used: Visa PVV and IBM 3624 PIN offset.
This algorithm was originally developed by the Visa payment system, but is currently the recommended PIN verification algorithm for both Visa and MasterCard. This algorithm is based on the PINV value (PIN verification value), which is a cryptogram derived from the following values:
To obtain a PVV, a block is formed from PAN (last 11 digits, except for the control number of the card), PVKI, PIN (strictly, the first 4 digits), which is encrypted using PVK, then a 4-digit is extracted from it using a special function the number that is the PVV value [1]. This PVV value is a reference for verifying the PIN code. Those. when receiving an operation with the entered PIN to check it on the basis of PAN, PVKI, PVK, a new PVV value is generated and compared with the reference PVV for the card. If the values match, then the PIN is considered valid, if they do not match, it is incorrect.
The features of this algorithm include the following "limitations":
This algorithm was originally developed by IBM for use in IBM 3624 ATMs. How it was planned to use it, history is silent, and the author does not know the article, but in this case, it does not matter. Currently, this algorithm is considered obsolete, but is used quite successfully for several reasons:
This algorithm is based on the PIN offset value (PIN verification value), which is a cryptogram derived from the following values:
For simplicity, the further description under the PIN verification key in the case of the IBM 3624 PIN offset method will be a combination of the PVK key and the DT decimalization table value.
To obtain the PIN offset, the control value VD is encrypted using the PVK key, after which a block of 16 decimal digits is obtained from the obtained value using the DT decimalization table.
The first N digits are taken from the received block, where N is the PIN length (the IBM 3624 method allows you to check the PIN with a length of up to 16 digits), then the corresponding digit of the received block is subtracted from each PIN of the modulo 10 module. The resulting value will be the PIN offset value.
HSM - hardware security module, a hardware-software complex designed to perform cryptographic operations in a secure environment. The HSM itself must be protected to prevent unauthorized access to the data stored in it. Its functions include performing various cryptographic checks, including checking the card, PIN, cryptographic signature of messages ( MAC ), and various encryption operations in such a way as to prevent access to meaningful information (keys, PIN code values). It is worth explaining here that when using HSM, the key value itself, in the general case, in open form (ie, in the form, one for performing operations in accordance with the DES / 3DES algorithm) is present only inside the HSM at the time of performing this operation. How this is achieved depends on the specific HSM. For the most popular HSM card systems (SafeNet and Thales HSM), 2 mechanisms are used:
At the same time, the very principle of performing an operation on HSM does not depend on which method of key storage is used.
Everywhere below, if this is not explicitly stated, we will assume that the key is transmitted in a protected HSM form (ie, encrypted under the HSM Master Key or as an identifier).
To simplify the further description, we introduce some terms:
In the PIN verification part, you can specify the following:
As we have already decided, to verify the PIN, we need the following data:
With PIN, everything is quite simple. As already mentioned above, we cannot get an open PIN value under any circumstances. Thus, we are left with only an encrypted PIN block. In addition to it, we need a key to decrypt it. Name this PPK key (PIN protection key, term taken from SafeNet HSM documentation).
Next, you need to decide on the PIN verification value and additional data.
The first option is to store the test value on the magnetic stripe of the card after the Service Code field. A modified version of ISO 7813, indicating where the PVV is stored, can be found here . According to the description of the track format, it is worth adding that the 5-character PVV value means the following sequence: 1 PVKI symbol and 4 PVV symbols, and for PIN offset - the PIN offset value for a 5-digit PIN. If the PIN is of a length other than 5 digits, then the size of the PIN offset, respectively, will change. What are the advantages of this method. Certainly - the ability to check the PIN for anyone who will have the necessary keys for verification. Here it is worth noting that when you launch a new card product into the payment network, usually, the keys that the card is issued are transferred to. Thus, when using this method, the PIN verification option appears both on the card issuer and on the payment network. The disadvantages of this method include the fact that this option makes the PIN card static until the card is reissued.
The second option is to store the check value in some storage, usually the database of the system responsible for performing checks when authorizing the card. In this case, when checking the PIN, it is necessary to extract the test value from this store, and only then, to check using this value. As a result, when using this method, it is impossible to complete the PIN check in the external system (in the same payment system) and it can be. performed only on the system that has access to the storage of test values. However, such a system allows you to change the PIN code of the card without any costs for changing the plastic (what it is for, what needs to be done and what after that there may be problems, I will not describe, because it is beyond the scope of this articles).
Regardless of how and by whom (the card issuer or the payment network) all the necessary information was received, the PIN check itself is performed on the HSM, which receives a PPK key in a protected form, the PIN check key in a protected form, an encrypted PIN block, PIN verification value and additional verification data, in response to which only the verification result is returned: valid PIN, incorrect PIN, other error. Those. During the verification process, the system responsible for authorization does not touch the open value of the PIN code itself.
Materials used:
[1] Visa Payment Technology Standards Manual, 5 years ago, on the Internet, it was possible to find the version of this document for 2007, now, with fluent machinations, only the version from 2004 is available.
Before proceeding directly to the question of scrolling a PIN of a card, let us dwell on some theoretical questions.
Applied Cryptography
DES algorithm
At the moment, the basic encryption algorithm for all actions with bank cards is the DES algorithm (and not 3DES, which is used only for encryption operations, mainly the transport layer). Without going into the terminology and classification of encryption algorithms, just say that this is a block encryption algorithm with a block size of 8 bytes and a key of 56 bits (7 bytes). In practice, it is customary to represent the DES key as a block of 8 bytes, where in each byte the highest 7 bits are significant, and the last bit is insignificant. It can be used to control the integrity of the key (more on that later).
Since, currently, a 56-bit key is insufficient from a security point of view, instead of the DES algorithm for encryption, use the 3DES algorithm in EDE mode (hereinafter, the 3DES designation will mean the use of the EDE scheme). Usually, the 3DES algorithm with a double-length key (112 bits, 16 bytes) is used in the banking environment, in which the same key is used in the first and third steps (see the description of the algorithm).
')
PIN verification algorithms
At the moment, basically, the following 2 PIN verification algorithms are used: Visa PVV and IBM 3624 PIN offset.
Visa PVV
This algorithm was originally developed by the Visa payment system, but is currently the recommended PIN verification algorithm for both Visa and MasterCard. This algorithm is based on the PINV value (PIN verification value), which is a cryptogram derived from the following values:
- Card number (hereinafter PAN)
- PIN verification key index (PIN verification key, further, PVKI)
- PIN verification key (PIN verification key, further, PVK)
- PIN card code itself
To obtain a PVV, a block is formed from PAN (last 11 digits, except for the control number of the card), PVKI, PIN (strictly, the first 4 digits), which is encrypted using PVK, then a 4-digit is extracted from it using a special function the number that is the PVV value [1]. This PVV value is a reference for verifying the PIN code. Those. when receiving an operation with the entered PIN to check it on the basis of PAN, PVKI, PVK, a new PVV value is generated and compared with the reference PVV for the card. If the values match, then the PIN is considered valid, if they do not match, it is incorrect.
The features of this algorithm include the following "limitations":
- Principal impossibility of recovering PIN from PVV value
- Using a PIN code is strictly 4 digits
IBM 3624 PIN offset
This algorithm was originally developed by IBM for use in IBM 3624 ATMs. How it was planned to use it, history is silent, and the author does not know the article, but in this case, it does not matter. Currently, this algorithm is considered obsolete, but is used quite successfully for several reasons:
- Card systems of the “old” regions (Western Europe, North America) are quite conservative and, in many respects, work on “sufficient” old systems, which suits them
- This algorithm allows you to restore the PIN code value from the verification value (see below), which may be. very useful under certain conditions
This algorithm is based on the PIN offset value (PIN verification value), which is a cryptogram derived from the following values:
- The reference value (Validation data, further VD) - some value (usually - part of the card number, but this is not necessary)
- Decimalization table (Decimalization table, further DT)
- PIN verification key (PIN verification key, further, PVK)
- PIN card code itself
For simplicity, the further description under the PIN verification key in the case of the IBM 3624 PIN offset method will be a combination of the PVK key and the DT decimalization table value.
To obtain the PIN offset, the control value VD is encrypted using the PVK key, after which a block of 16 decimal digits is obtained from the obtained value using the DT decimalization table.
The first N digits are taken from the received block, where N is the PIN length (the IBM 3624 method allows you to check the PIN with a length of up to 16 digits), then the corresponding digit of the received block is subtracted from each PIN of the modulo 10 module. The resulting value will be the PIN offset value.
HSM
HSM - hardware security module, a hardware-software complex designed to perform cryptographic operations in a secure environment. The HSM itself must be protected to prevent unauthorized access to the data stored in it. Its functions include performing various cryptographic checks, including checking the card, PIN, cryptographic signature of messages ( MAC ), and various encryption operations in such a way as to prevent access to meaningful information (keys, PIN code values). It is worth explaining here that when using HSM, the key value itself, in the general case, in open form (ie, in the form, one for performing operations in accordance with the DES / 3DES algorithm) is present only inside the HSM at the time of performing this operation. How this is achieved depends on the specific HSM. For the most popular HSM card systems (SafeNet and Thales HSM), 2 mechanisms are used:
- Key encryption under the so-called. Master key HSM in various versions. In this case, the key value itself is stored in encrypted form on an external medium (usually in the processing system) and transmitted to the HSM during the operation. In this case, when performing an HSM operation, it first decrypts the key using the Master Key, after which it performs, directly, the operation that was requested
- Key storage in a secure HSM internal storage. In this case, usually, the key identifier is supplied to the input, through which the HSM retrieves it from the internal storage.
At the same time, the very principle of performing an operation on HSM does not depend on which method of key storage is used.
Everywhere below, if this is not explicitly stated, we will assume that the key is transmitted in a protected HSM form (ie, encrypted under the HSM Master Key or as an identifier).
PIN check
Terminology
To simplify the further description, we introduce some terms:
- PIN block - the value of the PIN code of the card, in some special way packaged in a block of 8 bytes. It should be clarified that no encryption is used in this process. Packing methods, in this case, are different, but it does not matter.
- Encrypted PIN block - the PIN block value, encrypted using the DES / 3DES algorithm using a key (terminal key, bank, payment network, etc.), specifically allocated for encrypting the PIN block.
- The PIN verification value is PVV or PIN offset depending on which PIN verification method is used.
- Additional PIN verification data - data, except PIN and PIN verification value, necessary for PIN verification in accordance with Visa PVV / IBM 3624 PIN offset algorithms in accordance with the list given in the description of the algorithms (see above).
Payment system requirements
In the PIN verification part, you can specify the following:
- Open PIN and PIN block values should not be transferred, stored or processed in any way outside specially allocated software and hardware systems (HSM on the side of processing systems or EPP and some other scary abbreviations on the side of terminal devices (ATMs, POS terminals, etc.)).
- The encrypted PIN block should not be stored after the completion of the operation in systems responsible for online / offline processing of transactions (there are also systems responsible for issuing the cards themselves, this requirement does not apply to them).
PIN check
As we have already decided, to verify the PIN, we need the following data:
- The PIN itself, which we will check
- PIN verification value
- Additional PIN verification details
With PIN, everything is quite simple. As already mentioned above, we cannot get an open PIN value under any circumstances. Thus, we are left with only an encrypted PIN block. In addition to it, we need a key to decrypt it. Name this PPK key (PIN protection key, term taken from SafeNet HSM documentation).
Next, you need to decide on the PIN verification value and additional data.
The first option is to store the test value on the magnetic stripe of the card after the Service Code field. A modified version of ISO 7813, indicating where the PVV is stored, can be found here . According to the description of the track format, it is worth adding that the 5-character PVV value means the following sequence: 1 PVKI symbol and 4 PVV symbols, and for PIN offset - the PIN offset value for a 5-digit PIN. If the PIN is of a length other than 5 digits, then the size of the PIN offset, respectively, will change. What are the advantages of this method. Certainly - the ability to check the PIN for anyone who will have the necessary keys for verification. Here it is worth noting that when you launch a new card product into the payment network, usually, the keys that the card is issued are transferred to. Thus, when using this method, the PIN verification option appears both on the card issuer and on the payment network. The disadvantages of this method include the fact that this option makes the PIN card static until the card is reissued.
The second option is to store the check value in some storage, usually the database of the system responsible for performing checks when authorizing the card. In this case, when checking the PIN, it is necessary to extract the test value from this store, and only then, to check using this value. As a result, when using this method, it is impossible to complete the PIN check in the external system (in the same payment system) and it can be. performed only on the system that has access to the storage of test values. However, such a system allows you to change the PIN code of the card without any costs for changing the plastic (what it is for, what needs to be done and what after that there may be problems, I will not describe, because it is beyond the scope of this articles).
Regardless of how and by whom (the card issuer or the payment network) all the necessary information was received, the PIN check itself is performed on the HSM, which receives a PPK key in a protected form, the PIN check key in a protected form, an encrypted PIN block, PIN verification value and additional verification data, in response to which only the verification result is returned: valid PIN, incorrect PIN, other error. Those. During the verification process, the system responsible for authorization does not touch the open value of the PIN code itself.
Materials used:
[1] Visa Payment Technology Standards Manual, 5 years ago, on the Internet, it was possible to find the version of this document for 2007, now, with fluent machinations, only the version from 2004 is available.
Source: https://habr.com/ru/post/229527/
All Articles