Bank card PIN code verification
Following the publication of the article “Banking Transaction Travels”, which prompted questions about the mechanism of PIN verification, I would like to clarify this topic somewhat. This article considers only the verification of the so-called online PIN, i.e. a PIN that is entered at the terminal and transmitted for verification to the system that authorizes the transaction.
Before proceeding directly to PIN verification, let us dwell on some theoretical points.
Applied Cryptography
DES Algorithm
At the moment, the basic encryption algorithm for all bank card operations is DES (and not 3DES, which is used only for encryption operations, mainly at the transport layer). Without going into the terminology and classification of encryption algorithms, I will just say that it is a block cipher with a block size of 8 bytes and a 56-bit (7-byte) key. In practice, a DES key is customarily represented as a block of 8 bytes, where in each byte the high 7 bits are significant and the last bit is not. That bit can be used to check key integrity (more on this later).
Since a 56-bit key is currently insufficient from a security point of view, it is customary to use the 3DES algorithm in EDE mode instead of DES for encryption (hereinafter, 3DES means the EDE scheme). In a banking environment, 3DES is typically used with a double-length key (112 bits, 16 bytes), in which the first and third steps (see the description of the algorithm) use the same key.
PIN verification algorithms
At the moment, two PIN verification algorithms are mainly used: Visa PVV and IBM 3624 PIN offset.
Visa PVV
This algorithm was originally developed by the Visa payment system, but at present it is the recommended PIN verification algorithm for both Visa and MasterCard cards. It is based on the PVV (PIN verification value), a cryptogram derived from the following values:
- Card number (hereinafter PAN)
- PIN verification key index (hereinafter PVKI)
- PIN verification key (hereinafter PVK)
- The card PIN itself
To compute the PVV, a block is formed from the PAN (the last 11 digits, excluding the check digit of the card number), the PVKI and the PIN (strictly, the first 4 digits). The block is encrypted using the PVK, after which a 4-digit value is extracted from the result using a special function; this value is the PVV [1]. The PVV serves as the reference for checking the PIN: when an operation with an entered PIN arrives, a new PVV is generated from the PAN, PVKI, PVK and the entered PIN and compared with the reference PVV for the card. If the values match, the PIN is considered correct; if they do not, it is considered incorrect.
The following “limitations” can be counted among the features of this algorithm:
- Fundamental impossibility of restoring the PIN from the PVV value
- Use of a PIN of strictly 4 digits
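The PVV flow described above, as an added example that is not code from the original article. It models the step that in production runs inside the HSM. Assumptions: `standin_encrypt` (HMAC-SHA-256 truncated to 8 bytes) replaces DES/3DES under the PVK only because the Python standard library has no DES, the "special function" is implemented as the two-pass digit scan commonly documented for Visa PVV, and all names and sample values are constructed.

```python
import hashlib
import hmac


def standin_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES/3DES encryption of one 8-byte block under the PVK.
    Assumption: used only because the standard library has no DES."""
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def build_block(pan: str, pvki: str, pin: str) -> str:
    """11 rightmost PAN digits without the check digit + PVKI + first 4 PIN digits."""
    if not (pan.isdigit() and len(pan) >= 12):
        raise ValueError("PAN must have at least 12 digits")
    if not (pvki.isdigit() and len(pvki) == 1):
        raise ValueError("PVKI is a single digit")
    if not (pin.isdigit() and len(pin) >= 4):
        raise ValueError("PIN must have at least 4 digits")
    return pan[-12:-1] + pvki + pin[:4]


def extract_pvv(cipher_block: bytes) -> str:
    """Two-pass scan over the 16 hex digits of the encrypted block."""
    hex_digits = cipher_block.hex()
    picked = [c for c in hex_digits if c.isdigit()]   # pass 1: digits 0-9 as they are
    if len(picked) < 4:                               # pass 2: A-F mapped to 0-5
        picked += [str(int(c, 16) - 10) for c in hex_digits if not c.isdigit()]
    return "".join(picked[:4])


def compute_pvv(pan, pvki, pin, pvk, encrypt=standin_encrypt) -> str:
    """Form the 16-digit block, encrypt it under the PVK, extract 4 digits."""
    block = bytes.fromhex(build_block(pan, pvki, pin))
    return extract_pvv(encrypt(pvk, block))


def verify_pvv(pan, pvki, pin, reference_pvv, pvk, encrypt=standin_encrypt) -> bool:
    """Regenerate the PVV from the entered PIN and compare with the reference."""
    return hmac.compare_digest(compute_pvv(pan, pvki, pin, pvk, encrypt), reference_pvv)


# Constructed sample values, not real card data or keys.
PAN, PVKI, PVK = "4000001234567899", "1", bytes.fromhex("0123456789abcdef")

if __name__ == "__main__":
    ref = compute_pvv(PAN, PVKI, "1234", PVK)
    print("reference PVV:", ref)
    print("1234 ->", verify_pvv(PAN, PVKI, "1234", ref, PVK))
    print("4321 ->", verify_pvv(PAN, PVKI, "4321", ref, PVK))
```

Passing a real 3DES routine as `encrypt` leaves the block layout and the extraction step unchanged.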
IBM 3624 PIN offset
This algorithm was originally developed by IBM for use in IBM 3624 ATMs. History is silent on how it was meant to be used, and the author of this article does not know either, but that is not important here. Currently, this algorithm is considered obsolete, but it is nevertheless used quite successfully for several reasons:
- the card systems of the "old" regions (Western Europe, North America) are quite conservative and largely run on fairly old systems, which suits them well
- this algorithm allows the PIN value to be restored from the verification value (see below), which may be very useful under certain conditions
The basis of this algorithm is the PIN offset value (PIN verification value), a cryptogram derived from the following values:
- Validation data (hereinafter VD), a certain value (usually a part of the card number, but this is not required)
- Decimalization table (hereinafter DT)
- PIN verification key (hereinafter PVK)
- The card PIN itself
To simplify the description below, for the IBM 3624 PIN offset method the term PIN verification key will mean the combination of the PVK key and the decimalization table DT.
To obtain a PIN offset, the validation data VD is encrypted using the PVK key, after which a block of 16 decimal digits is derived from the result using the decimalization table DT.
The first N digits are taken from this block, where N is the PIN length (the IBM 3624 method allows checking PINs up to 16 digits long); then the corresponding digit of the block is subtracted from each PIN digit modulo 10. The resulting value is the PIN offset.
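The offset computation described above, as an added example that is not code from the original article, including the reverse direction that makes the PIN recoverable for whoever holds the PVK and DT. It models the step that in production runs inside the HSM. Assumptions: `standin_encrypt` (HMAC-SHA-256 truncated to 8 bytes) replaces DES/3DES under the PVK only because the Python standard library has no DES, `DEFAULT_DT` is an assumed table, and all names and sample values are constructed.

```python
import hashlib
import hmac

DEFAULT_DT = "0123456789012345"  # assumed table: hex digit i maps to DT[i]


def standin_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES/3DES encryption of one 8-byte block under the PVK.
    Assumption: used only because the standard library has no DES."""
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def decimalize(block: bytes, dt: str = DEFAULT_DT) -> str:
    """Turn the 16 hex digits of an 8-byte block into 16 decimal digits via DT."""
    if len(block) != 8 or len(dt) != 16 or not dt.isdigit():
        raise ValueError("need an 8-byte block and a 16-digit decimalization table")
    return "".join(dt[int(h, 16)] for h in block.hex())


def reference_digits(vd, pvk, n, dt=DEFAULT_DT, encrypt=standin_encrypt) -> str:
    """Encrypt VD under PVK, decimalize, keep the first n digits (n = PIN length)."""
    if not 1 <= n <= 16:
        raise ValueError("IBM 3624 handles PINs of 1 to 16 digits")
    return decimalize(encrypt(pvk, bytes.fromhex(vd)), dt)[:n]


def pin_offset(pin, vd, pvk, dt=DEFAULT_DT, encrypt=standin_encrypt) -> str:
    """Offset digit = (PIN digit - reference digit) mod 10, position by position."""
    if not pin.isdigit():
        raise ValueError("PIN must be decimal digits")
    ref = reference_digits(vd, pvk, len(pin), dt, encrypt)
    return "".join(str((int(p) - int(r)) % 10) for p, r in zip(pin, ref))


def verify_pin(pin, offset, vd, pvk, dt=DEFAULT_DT, encrypt=standin_encrypt) -> bool:
    """Recompute the offset for the entered PIN and compare with the stored one."""
    return hmac.compare_digest(pin_offset(pin, vd, pvk, dt, encrypt), offset)


def pin_from_offset(offset, vd, pvk, dt=DEFAULT_DT, encrypt=standin_encrypt) -> str:
    """The subtraction is reversible for whoever holds PVK and DT."""
    ref = reference_digits(vd, pvk, len(offset), dt, encrypt)
    return "".join(str((int(o) + int(r)) % 10) for o, r in zip(offset, ref))


# Constructed sample values, not real card data or keys.
VD, PVK = "4000001234567899", bytes.fromhex("0123456789abcdef")

if __name__ == "__main__":
    off = pin_offset("12345", VD, PVK)
    print("offset:", off, "verify:", verify_pin("12345", off, VD, PVK))
    print("recovered with PVK and DT:", pin_from_offset(off, VD, PVK))
```

Because the offset is only a digit-wise difference, its confidentiality rests entirely on the PVK staying inside the HSM.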
HSM
HSM (hardware security module) is a combined hardware and software system designed to perform cryptographic operations in a secure environment. The HSM itself must be protected against unauthorized access to the data stored in it. Its functions include performing various cryptographic checks (card verification, PIN verification, cryptographic message signatures (MAC)) and various encryption operations in such a way as to prevent access to sensitive information (keys, PIN values). It is worth explaining that when an HSM is used, the key value in clear form (i.e., in the form suitable for performing DES / 3DES operations) is, in general, present only inside the HSM and only while the operation is being performed. How this is achieved depends on the particular HSM. The most common HSMs in card systems (those manufactured by SafeNet and Thales) use 2 mechanisms:
- Encryption of the key under the so-called HSM master key, in various variants. In this case, the key value is stored in encrypted form on an external medium (usually in the processing system) and transmitted to the HSM during the operation. When performing the operation, the HSM first decrypts the key using the master key and only then performs the operation that was requested.
- Key storage in the HSM's secure internal storage. In this case, a key identifier is usually supplied as input, and the HSM uses it to retrieve the key from internal storage.
The principle by which the HSM performs operations does not depend on which of the key storage methods is used.
Everywhere below, unless explicitly stated otherwise, we will assume that the key is transmitted in an HSM-protected form (i.e., encrypted under the HSM master key or as an identifier).
PIN check
Terminology
To simplify the further description, we introduce some terms:
- PIN block - the PIN value of the card, packed in a particular way into a block of 8 bytes. It is worth explaining that no encryption is used in this process. There are several packing methods, but the differences are not important here.
- Encrypted PIN block - the PIN block encrypted with the DES / 3DES algorithm under a key (terminal key, bank key, payment network key, etc.) specially allocated for PIN block encryption.
- PIN verification value - the PVV or the PIN offset, depending on which PIN verification method is used.
- Additional PIN verification data - the data, other than the PIN and the PIN verification value, required for PIN verification by the Visa PVV / IBM 3624 PIN offset algorithms, as listed in the description of the algorithms (see above).
Payment system requirements
As regards PIN verification, the following requirements can be singled out:
- Clear values of the PIN and the PIN block must not be transmitted, stored or processed in any way outside specially designated hardware and software systems (HSMs on the side of processing systems, or EPPs and some other terrible abbreviations on the side of terminal devices (ATMs, POS terminals, etc.)).
- The encrypted PIN block must not be stored after the operation is completed in the systems responsible for online / offline transaction processing (this requirement does not apply to the systems responsible for issuing the cards themselves).
PIN check
As we have already determined, to verify the PIN we need the following data:
- PIN itself, which we will check
- PIN verification value
- Additional PIN verification data
With the PIN, everything is quite simple. As already mentioned above, we cannot obtain clear PIN values under any circumstances. Thus, all we need is the encrypted PIN block. In addition to it, we need a key to decrypt it. We call this key the PPK (PIN protection key; the term is taken from the SafeNet HSM documentation).
Next, you need to determine the PIN verification value and additional data.
The first option is to store the verification value on the magnetic stripe of the card, after the Service Code field. A modified version of ISO 7813 indicating where the PVV is stored can be viewed here. Regarding the track format description, it is worth adding that the 5-character PVV value means the following sequence: 1 PVKI character and 4 PVV characters; for PIN offset, it is the PIN offset value for a PIN of 5 digits. If the PIN has a length other than 5 digits, the PIN offset size changes accordingly. What are the advantages of this method? Of course, the ability to verify the PIN for anyone who has the keys necessary for verification. It is worth noting that when a new card product is launched, the keys on which the card is issued are usually transferred to the payment network. Thus, with this method both the card issuer and the payment network are able to verify the PIN. The disadvantages of this method include the fact that this option makes the card PIN static until
The second option is to store the verification value in some storage, usually the database of the system responsible for performing checks during card authorization. In this case, when checking the PIN, the verification value must first be retrieved from this storage, and only then is the verification performed using it. As a result, with this method PIN verification cannot be performed in an external system (such as the payment system); it can be executed only in the system that has access to the store of verification values. However, such a system allows the card PIN to be changed without any cost of replacing the plastic (why this is needed, what has to be done and what problems follow, I will not describe, because this is beyond the scope of this article).
Regardless of how and by whom (the card issuer or the payment network) all the necessary information was obtained, the PIN check itself is performed on the HSM, which receives the PPK key in a protected form, the PIN verification key in a protected form, the encrypted PIN block, the PIN verification value and the additional verification data, and returns only the verification result: correct PIN, incorrect PIN, or other error. I.e., during the verification process the system responsible for authorization never comes into contact with the clear PIN value.
Materials used:
[1] Visa Payment Technology Standards Manual. About 5 years ago a 2007 version of this document could be found on the Internet; now a quick search turns up only the 2004 version.