1997-01-15 - Re: The Upcoming DES Challenge

Header Data

From: Bodo_Moeller@public.uni-hamburg.de (Bodo Moeller)
To: coderpunks@toad.com
Message Hash: 2bf452f8e11379203bbacb4b0ab7e780ec1f0389a582363535d6e10b9350eb8b
Message ID: <m0vkbTU-0003bqC@ulf.mali.sub.org>
Reply To: <199701081028.LAA23370@nirvana.uni-muenster.de>
UTC Datetime: 1997-01-15 21:22:44 UTC
Raw Date: Wed, 15 Jan 1997 13:22:44 -0800 (PST)

Raw message

From: Bodo_Moeller@public.uni-hamburg.de (Bodo Moeller)
Date: Wed, 15 Jan 1997 13:22:44 -0800 (PST)
To: coderpunks@toad.com
Subject: Re: The Upcoming DES Challenge
In-Reply-To: <199701081028.LAA23370@nirvana.uni-muenster.de>
Message-ID: <m0vkbTU-0003bqC@ulf.mali.sub.org>
MIME-Version: 1.0
Content-Type: text/plain


On cryptography@c2.net, cypherpunks@toad.com, and coderpunks@toad.com,
Ulrich Kuehn <kuehn@ESCHER.UNI-MUENSTER.DE> wrote:

> Liz Taylor:

>> [...] I don't know anything about bank ATMs and the protocols they
>> use, but I presume the PIN is stored on the card single DES
>> encrypted.

> As far as I know, here in Germany (maybe also somewhere else) there is
> not the pin stored on the card. Instead, it is regenerated by the ATM
> every time using a secret key of the bank. In order to be able to
> use the ATM card even with ATMs of different banks, there are offsets
> stored on the card that relate to some commonly used pool keys.

These "offsets" on (German) eurocheque ATM cards can be regarded as
the PIN encrypted with some variant of DES CFB[*], using the account
number (including the five trailing digits of the "Bankleitzahl", an
eight-digit code that identifies the bank that hosts the account, and
a single digit card number) as IV.  The same encryption key ("pool
key") is used for all cards from all banks.

  [*] (It's an extremely stupid variant of CFB and introduces
       additional weaknesses, but that is irrelevant in the context
       of key search.)

In fact, the system allows for three pool keys.  They correspond to
three "offsets" on each ATM card: Offset number 1 is the PIN encrypted
under pool key number 1, and so on.  I guess this design was chosen to
allow changing the pool keys: While pool key number 2 is in use, the
other two keys can be replaced by new ones.  If there were just one
pool key, changing it would immediately invalidate all PINs currently
in use.  I don't know how many pool keys are used today, and I also
don't know whether one of them has have ever been changed.

(PIN generation is similar to PIN encryption, but the bank uses its
own encryption key.  The PIN is computed directly from the DES result,
i.e. DES is used in ECB mode.)


For a key search, the attackers would need about four or five
Eurocheque cards (that is, the data stored on their magnetic stripes)
and their PINs.  Each attempted PIN decryption results in only four
decimal digits, so the attackers would obtain lots of plausible DES
keys if they just checked with a single card.  When a DES key seems to
work for the first card, one must doublecheck if it also works for the
second one (usually it won't), etc., which costs some time.  One the
other hand, because there are several pool keys, the attackers can
save a significant amout of time if they just want to find any one of
the pool keys.  Note that once they know one of the keys, they can
easily compute the PIN to any stolen ATM card, which might allow them
to buy faster hardware for the rest of the search.  (Their bank
probably wouldn't lend them money for such a project.)

All that is illegal, of course, but it is suspected by some that there
are already organizations that have somehow obtained the pool keys (or
some of them) -- either by key search, or the keys somehow leaked out.
(Not so long ago these pool keys were stored in every ATM, thus there
are many possible points of failure.)  Each year, there are thousands
of cases in Germany where someone claims that his ATM card was stolen
and immediately used for large withdrawals.  The banks usually claim
that either the client is lying (and did the withdrawals himself),
or he wrote his PIN down (e.g., on his ATM card).

Bodo Moeller
<Bodo_Moeller@public.uni-hamburg.de>





Thread