Blunting Differential Attacks on PIN Processing APIs (bibtex)
by Riccardo Focardi, Flaminia L. Luccio, Graham Steel
Abstract:
We propose a countermeasure for a class of known attacks on the PIN processing API used in the ATM (cash machine) network. This API controls access to the tamper-resistant Hardware Security Modules where PIN encryption, decryption and verification takes place. The attacks are differential attacks, whereby an attacker gains information about the plaintext values of encrypted customer PINs by making changes to the non-confidential inputs to a command. Our proposed fix adds an integrity check to the parameters passed to the command. It is novel in that it involves very little change to the existing ATM network infrastructure.
Reference:
Blunting Differential Attacks on PIN Processing APIs (Riccardo Focardi, Flaminia L. Luccio, Graham Steel), In Proceedings of the 14th Nordic Workshop on Secure IT Systems (NordSec'09) (Audun Jøsang, Torleiv Maseng, Svein Johan Knapskog, eds.), Springer, volume 5838, 2009.
Bibtex Entry:
@inproceedings{FLS-nordsec09,
  abstract =      {We~propose a countermeasure for a class of known
                   attacks on the PIN processing API used in the ATM
                   (cash machine) network. This API controls access to
                   the tamper-resistant Hardware Security Modules where
                   PIN encryption, decryption and verification takes
                   place. The~attacks are differential attacks, whereby
                   an attacker gains information about the plaintext
                   values of encrypted customer PINs by making changes
                   to the non-confidential inputs to a command.
                   Our~proposed fix adds an integrity check to the
                   parameters passed to the command. It~is novel in that
                   it involves very little change to the existing ATM
                   network infrastructure.},
  address =       {Oslo, Norway},
  author =        {Focardi, Riccardo and Luccio, Flaminia L. and
                   Steel, Graham},
  booktitle =     {{P}roceedings of the 14th {N}ordic {W}orkshop on
                   {S}ecure {IT} {S}ystems ({NordSec}'09)},
  DOI =           {10.1007/978-3-642-04766-4_7},
  editor =        {J{\o}sang, Audun and Maseng, Torleiv and
                   Knapskog, Svein Johan},
  month =         oct,
  pages =         {88-103},
  publisher =     {Springer},
  series =        {Lecture Notes in Computer Science},
  title =         {Blunting Differential Attacks on {PIN} Processing
                   {API}s},
  volume =        {5838},
  year =          {2009},
  acronym =       {{NordSec}'09},
  nmonth =        {10},
  url =           {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FLS-nordsec09.pdf},
  PDF =           {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FLS-nordsec09.pdf},
  lsv-category =  {intc},
  wwwpublic =     {public and ccsb},
}
Powered by bibtexbrowser