It seems obvious that burglary rates would skyrocket if thieves could gain entry to every house in a neighborhood with a single key. The same principle applies to cars in a parking garage, display cases in a jewelry store - and ATMs.
September 4, 2003
In the ATM world, keys - or sets of binary numbers - are used to protect PIN secrecy. To reduce the risk of fraud, several EFT networks require deployers to use a unique key for each ATM; no two machines in a network should have the same key.
The use of unique keys was first suggested in standards produced by an X9 committee (namely X9.24 - Financial Services Retail Key Management) in the early '90s. Led by the American National Standards Institute (ANSI) and the American Bankers Association (ABA), X9 develops and publishes voluntary technical standards for the financial services industry. As with many ANSI standards, it was then adopted by at least some of the major EFT networks.
Another ANSI standard requires deployers to use a security concept called dual control -- in essence, having two people each inject separate components of a key into an ATM. This team approach results in what is called split knowledge -- no single person knows the entire key.
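The component scheme behind dual control and split knowledge, as an added example that is not part of the original article and not any vendor's code: a 16-byte two-key TDES key is split into components that XOR back to the key, each custodian holds one, and an X9-style key check value (first three bytes of the zero block encrypted under the key) lets a custodian confirm a component was entered correctly without the key itself being shown. The key and component values are constructed at random here; nothing is taken from a real ATM.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// SplitKey produces n components whose XOR is key. The first n-1 components are
// uniformly random, so any n-1 of them together reveal nothing about key:
// that is the split-knowledge property dual control relies on.
func SplitKey(key []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("dual control needs at least two components")
	}
	parts := make([][]byte, n)
	last := append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		parts[i] = make([]byte, len(key))
		if _, err := rand.Read(parts[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= parts[i][j]
		}
	}
	parts[n-1] = last
	return parts, nil
}

// CombineComponents reconstructs the key inside the ATM once every custodian
// has entered a component. Mismatched lengths are rejected rather than
// silently truncated, since a short component would produce a wrong key.
func CombineComponents(parts ...[]byte) ([]byte, error) {
	if len(parts) < 2 {
		return nil, errors.New("at least two components required")
	}
	key := make([]byte, len(parts[0]))
	for _, p := range parts {
		if len(p) != len(key) {
			return nil, errors.New("component length mismatch")
		}
		for j := range key {
			key[j] ^= p[j]
		}
	}
	return key, nil
}

// KeyCheckValue returns the X9-style check value for a 16-byte two-key TDES
// key: the first three bytes of the all-zero block encrypted under K1||K2||K1.
// It can be read back or printed on a receipt to verify entry of a component
// or of the final key without exposing the value itself.
func KeyCheckValue(key16 []byte) (string, error) {
	if len(key16) != 16 {
		return "", errors.New("expected a 16-byte two-key TDES key")
	}
	k := append(append([]byte{}, key16...), key16[:8]...) // K1 || K2 || K1
	block, err := des.NewTripleDESCipher(k)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	block.Encrypt(out, make([]byte, 8))
	return hex.EncodeToString(out[:3]), nil
}

func main() {
	// Constructed key for the demonstration; a host would generate it in an HSM.
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	parts, err := SplitKey(key, 2)
	if err != nil {
		panic(err)
	}
	for i, p := range parts {
		kcv, _ := KeyCheckValue(p)
		fmt.Printf("custodian %d holds a component with KCV %s\n", i+1, kcv)
	}
	rebuilt, err := CombineComponents(parts...)
	if err != nil {
		panic(err)
	}
	want, _ := KeyCheckValue(key)
	got, _ := KeyCheckValue(rebuilt)
	fmt.Printf("combined KCV %s matches original %s: %v\n", got, want, got == want)
}
```

Each component's own KCV is what a custodian compares against their sealed envelope; the combined key's KCV is what the host compares against its record, which is how a mistyped component is caught before the ATM goes live.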
Industry experts agree that requirements for unique key per ATM and dual control enhance PIN security. "Every time you use a key at more than one location, you increase the value of compromising that key," said Beth Lynn, Star System's senior vice president of network administration.
Star has required its members to use unique keys since 2000, with a deadline of January 2002 for most members. While Lynn couldn't give an exact figure, she said a significant number of Star members applied for an extension in January.
The problem, Lynn said, is that sending two people to ATMs to load key components can be a complex and costly exercise in logistics - especially for those with large networks.
"(Extensions) occur anytime a network mandates a technical change," she said. "The more ATMs you have, the more difficult it is to get there. The most important thing, from our perspective, is that members have an action plan and are actively working toward achieving compliance."
It's a jungle out there
Dennis Abraham, president of Trusted Security Solutions, said that networks and others have not aggressively enforced unique key per ATM requirements. Many deployers have based their key management programs on "the gazelle theory," Abraham said. "If I'm in the middle of a bunch of other gazelles running like hell, how fast do I have to run to avoid getting eaten?"
According to Abraham, who has conducted independent audits for clients like Visa, two of the most common violations of unique key policies are single-control installation of keys into ATMs and use of the same key in multiple machines.
"In general, nobody's been doing it," agreed Bud Beattie, lead technologist for EDS' Consumer Network Services.
EDS decided last year to spearhead an effort to help deployers install unique keys in the approximately 15,000 ATMs EDS drives - including the relatively small number of machines that were already in compliance. "We decided it would just be easier to do them all rather than trying to figure out which ones were compliant," Beattie said.
To streamline the process, EDS purchased A98, Trusted Security's key management system. While implementing the system was not inexpensive, Beattie said it makes key management a less labor-intensive process for EDS.
Factory inlet
While the A98 approach simplifies key management at the host, it still requires two people to visit each ATM to inject the key components. Another approach, recently introduced by transaction processor Core Data Resources, removes the need for these visits by pre-installing keys at ATMs.
Core Data is working with the three leading retail ATM manufacturers - Tidel, Triton and Tranax Technologies - to have the manufacturers inject key components at their factories, following ANSI standards for dual control. Core Data's software uses the ATM's serial number to identify which key is in which ATM when a machine is brought online.
This mimics the approach used by the manufacturers of point-of-sale terminals, which have been injecting keys into PIN pads at their manufacturing facilities for several years.
"Somebody has to assume the responsibility for key management," said Campbell Burgess, Core Data's chief executive officer. "We believe we can control the process much better through the processor and manufacturer than through multiple technicians in the field."
Tranax became the first manufacturer to begin shipping its ATMs with the pre-loaded keys in late February. Tidel and Triton are expected to follow suit soon. While most of the 35,000 machines driven by Core Data are manufactured by these three companies, Burgess said his company is willing to work with any manufacturer.
"We'll bring anybody on board who wants to participate in the program," he said.
Tranax President Hansup Kwon believes that improving unique key compliance is an important opportunity for ISOs to prove they can play by the rules.
"If we want to make industry more reputable, we need to follow these regulations," Kwon said. "If it's a requirement, we shouldn't argue over when and why we have to do it. Instead we need to find a way that will minimize the cost and let us do it quickly."
Burgess said the Core Data program is a first step toward removing human hands from key management altogether. The company, which was recently acquired by Concord EFS, is tweaking its software so that when a machine is brought online it will sync with the host, which will then generate a unique key and send it to the ATM.
Remote control
Nearly all in the industry agree that the ability to remotely send keys to an ATM would improve compliance with unique key requirements and enhance PIN security.
"Automated key management will help ensure enforcement of unique key, which is a good policy," said Jim Shaffer, a senior products manager at ACI Worldwide. "You're going to quickly achieve a significant jump in security with a unique key at each ATM."
An X9 working group (X9F WG6 - Cardholder Authentication and ICC Cards) in March began reviewing a proposal that would create standards for remote key management. Cryptographic security consultant Jeanne Fagan, who is leading the group, has written a draft that proposes the use of public key cryptography that would allow for the remote automated distribution of the "secret" or symmetric keys that are installed manually into ATMs today.
[Photo] Cryptographic security consultant Jeanne Fagan is leading a group that hopes to establish new standards for remote management of keys at the ATM.
Fagan, president of Fagan & Associates, LLC and formerly a director of risk management for Visa International, said the use of public key cryptography would help simplify the key management process, which is so involved that EDS' Beattie jokes about "donning the black robes for the key management ceremony."
Crash course in crypto
In secret (or symmetric) cryptography, both the sender and receiver of a message use the same secret key to encrypt and decrypt, respectively. Because of the need to maintain secrecy at all times, secure key management is crucial - thus the elaborate ANSI guidelines and also the move to Triple DES, which makes it more difficult for interlopers to decrypt a key.
In public/private (or asymmetric) cryptography, both sender and receiver have their own respective pair of keys. Each pair includes one public and one private key. Data encrypted with a public key can only be decrypted with its corresponding private key (and vice versa). Only public keys are exchanged in the clear, so the need for secrecy is greatly reduced. The focus shifts to public key validation and mutual authentication of the sender and receiver of the keys, Fagan said.
Symmetric (or secret) keys can be established at remote devices like ATMs with one of two protocols: the key transport protocol or the key agreement protocol.
According to Fagan, the key transport protocol in its simplest form is used by the host to generate a symmetric key, encrypt it under the ATM's public key and send it to the ATM. Alternatively, both can generate symmetric keys and send them to each other encrypted under each other's public keys. The exchanged symmetric keys are decrypted by the receivers using their respective private keys. The symmetric keys are then combined to create a shared symmetric key.
Using a key agreement protocol, Fagan said, both the host and the ATM exchange information that is used to derive the shared symmetric key. Both sides must contribute information that is used by both to derive the shared key.
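Both protocols Fagan describes, as an added example that is not part of the original article and not any vendor's or standards body's code: key transport in its simplest form is WrapKey at the host and UnwrapKey at the ATM (a symmetric key encrypted under the ATM's RSA public key); the mutual variant has each side wrap its own contribution for the other and combine the two; key agreement is an ECDH exchange in which no key is transmitted and each side derives the same secret from its own private value and the peer's public value. RSA-OAEP, P-256 and the HMAC-based combining step are this example's choices, not the draft standard's; the authentication of the public keys by certificates, which the article says is where the focus shifts, is assumed to have happened before these functions run.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Label bound into the OAEP padding: a ciphertext wrapped for key transport
// cannot be decrypted as any other message type. Constructed for this example.
var transportLabel = []byte("atm-symmetric-key-transport")

// WrapKey is the sender's half of key transport: the symmetric key is
// encrypted under the receiver's public key with OAEP padding.
func WrapKey(receiverPub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, transportLabel)
}

// UnwrapKey is the receiver's half: only the holder of the matching private
// key can recover the symmetric key.
func UnwrapKey(receiverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, wrapped, transportLabel)
}

// DeriveSharedKey turns the parties' contributions into one 16-byte working
// key. Each part is length-prefixed before hashing so that different splits
// of the same bytes cannot derive the same key; neither party alone chooses
// the result.
func DeriveSharedKey(parts ...[]byte) []byte {
	mac := hmac.New(sha256.New, []byte("atm-host-kdf-v1")) // constant salt, constructed for the example
	var n [4]byte
	for _, p := range parts {
		binary.BigEndian.PutUint32(n[:], uint32(len(p)))
		mac.Write(n[:])
		mac.Write(p)
	}
	return mac.Sum(nil)[:16]
}

// TransportMutual: both sides generate a contribution, exchange them wrapped
// under the other's public key, and combine. Returns each side's view of the
// shared key so the caller can confirm they agree.
func TransportMutual(hostPriv, atmPriv *rsa.PrivateKey) (hostView, atmView []byte, err error) {
	hostPart, atmPart := make([]byte, 16), make([]byte, 16)
	if _, err = rand.Read(hostPart); err != nil {
		return nil, nil, err
	}
	if _, err = rand.Read(atmPart); err != nil {
		return nil, nil, err
	}
	toATM, err := WrapKey(&atmPriv.PublicKey, hostPart) // host -> ATM
	if err != nil {
		return nil, nil, err
	}
	toHost, err := WrapKey(&hostPriv.PublicKey, atmPart) // ATM -> host
	if err != nil {
		return nil, nil, err
	}
	hostPartAtATM, err := UnwrapKey(atmPriv, toATM)
	if err != nil {
		return nil, nil, err
	}
	atmPartAtHost, err := UnwrapKey(hostPriv, toHost)
	if err != nil {
		return nil, nil, err
	}
	return DeriveSharedKey(hostPart, atmPartAtHost), DeriveSharedKey(hostPartAtATM, atmPart), nil
}

// Agreement: ECDH over P-256. Only public values cross the wire; the derived
// key is bound to both of them so a substituted public value yields a
// different key on the two sides.
func Agreement() (hostView, atmView []byte, err error) {
	curve := ecdh.P256()
	hostPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	atmPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	hostPub, atmPub := hostPriv.PublicKey().Bytes(), atmPriv.PublicKey().Bytes() // what is sent
	hostSecret, err := hostPriv.ECDH(atmPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	atmSecret, err := atmPriv.ECDH(hostPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	return DeriveSharedKey(hostSecret, hostPub, atmPub), DeriveSharedKey(atmSecret, hostPub, atmPub), nil
}

func main() {
	hostPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	atmPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	h, a, _ := TransportMutual(hostPriv, atmPriv)
	fmt.Println("mutual key transport, views agree:", bytes.Equal(h, a))
	h, a, _ = Agreement()
	fmt.Println("key agreement, views agree:", bytes.Equal(h, a))
}
```

The difference that matters operationally is visible in the two functions: transport requires the RSA private key to sit in the ATM before any symmetric key can arrive, and a compromise of that private key exposes every key ever wrapped to it, whereas agreement with fresh ephemeral values gives each session an independent key.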
One approach at the ATM
ATM manufacturer Diebold has already introduced a method of remote key management. Under the Diebold scheme, the host and the ATM will each generate a private/public key pair. The devices exchange public keys, which are used to encrypt the symmetric DES keys. When DES keys are received at the ATM, they are decrypted using the ATM's private key. The ATM will not have pre-installed keys; rather it will send a message to the host when it comes online requesting a key. Digital certificates are used at both ends to authenticate the host and the ATM to each other.
[Photo] Diebold's Dean Stewart said the manufacturer's approach to remote key management at the ATM is similar to the Secure Sockets Layer protocol widely used on the Internet.
Dean Stewart, Diebold's director of product planning and management, said his company's approach is similar to the Secure Sockets Layer protocol that is widely used to transmit private documents over the Internet. "We like this method because like SSL it's very scalable," he said.
Stewart said that all of Diebold's new machines are equipped with both an encrypting PIN pad (to satisfy new Triple DES requirements) and the capability for remote key management. Most already-installed Diebold ATMs, including the popular ix line, can be upgraded for remote key, he added. Diebold is also working with host software providers like ACI to help implement necessary changes at the host end.
Another bonus of remote key management is that it will encourage deployers to change their ATMs' keys on a regular basis, Stewart said. ANSI recommends that keys be changed every time there is a suspected security compromise. In addition, some ATMs require new keys when certain repairs are made.
Doubling up with DES?
Some vendors and deployers see pending Triple DES encryption requirements as an opportunity to also implement new key management methods. In most cases, vendors have made changes to their hardware to meet an April 2002 Triple DES deadline imposed by MasterCard. In many cases - like Diebold - they've also built in the capability for remote key management.
Bruce Sussman, director of internal audit for the NYCE network, said, "Several years from now, when you're asking each financial institution to put a Triple DES key at each ATM, it would be more readily accepted if you could provide a secure and economical way of getting the keys to the ATMs."
Sussman noted that many deployers are already trying to combine the upgrades necessary for Triple DES and for expected changes to the Americans with Disabilities (ADA) requirements.
However, Trusted Security's Abraham, who serves on the X9 working group with Fagan, said it will likely be at least two more years before any new standards for remote key management are adopted by ANSI. Even then, he believes it will take some time for the industry to use them.
"Remote key isn't necessarily cheaper," he said. "It will require hardware and software changes at the host. It all goes back to numbers - what's the cost of sending people out in field versus the cost of making the changes necessary to implement remote key management."
EDS' Beattie confirmed that a major hardware upgrade and related software tweaks, including changes to the message protocols of the terminal driving application, would be required at the host end to support a public key infrastructure.
"Public key is widely used on the Internet - but it's built into that infrastructure," Beattie said. "ATM legacy environment host systems aren't set up to support it."