Cryptography Reference
verify PINs and approve payment card transactions. The advantages of a UKPT
scheme all apply to this scenario:
1. Terminals have limited security controls, since they must be cheap enough
to deploy widely. In addition, they are typically located in insecure public
environments such as stores and restaurants. They are also portable, so that
they can easily be moved around, hence easily stolen. (This is what we will refer
to as a Zone 1 key storage environment in Section 10.5.3.) It is thus undesirable
that they contain important top-level keys.
2. Transactions should be processed speedily to avoid delays, hence efficiency is
important.
3. Terminals may be managed and operated by unskilled staff, hence full
automation of the key establishment process is a necessity.
EXAMPLE UKPT SCHEMES
Consider a UKPT scheme operating between a merchant terminal and a host (a
bank or card payment server). The terminal maintains a key register, which is
essentially the running 'key' that will be updated after every transaction. We will
describe a generic UKPT scheme in terms of the protocol that is run between the
terminal and the host during a transaction. Note:
• We assume at the start of the protocol that the terminal and the host share an
initial value that is stored in the terminal key register. This may or may not be a
secret value (it might just be a seed designed to initiate the process).
• We will describe a simple protocol that uses a single transaction key to compute
MACs on the exchanged messages. In reality, such protocols may be slightly
more complex since, for example, an encryption key might also be needed to
encrypt the PIN of the card.
Figure 10.5 illustrates our generic UKPT scheme:
1. The terminal derives the transaction key using the contents of the key register
and shared information that will be available to the host.
2. The terminal sends a request message to the host. The transaction key is used
to compute a MAC on the request message.
3. The host derives the transaction key (the technique for doing this varies
between schemes, as we will shortly illustrate).
4. The host validates the MAC on the request message.
5. The host sends a response message to the terminal. The transaction key is used
to compute a MAC on the response message.
6. The terminal validates the MAC on the response message.
7. The terminal updates the contents of the key register.
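The seven steps above can be run end to end as follows. This is an added sketch, not code from the original text: the generic scheme leaves the derivation, the host's method and the register update open, so the choices here are assumptions (HMAC-SHA256 for key derivation and MACs, SHA-256 as a one-way register update, a host that mirrors the terminal's register, and terminal ID plus a counter as the shared information).

```python
import hashlib
import hmac

# Assumed primitives (not from the page): HMAC-SHA256 for derivation and MACs,
# SHA-256 as the one-way key register update.
def derive_key(register: bytes, shared: bytes) -> bytes:
    return hmac.new(register, b"txn-key|" + shared, hashlib.sha256).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def advance(register: bytes) -> bytes:
    return hashlib.sha256(b"update|" + register).digest()

class Party:
    """State held by each side: terminal ID, key register, transaction counter."""
    def __init__(self, tid: bytes, initial: bytes):
        self.tid, self.register, self.counter = tid, initial, 0

    def shared_info(self) -> bytes:
        return self.tid + self.counter.to_bytes(4, "big")

    def roll(self) -> None:
        self.register, self.counter = advance(self.register), self.counter + 1

class Terminal(Party):
    def request(self, body: bytes):
        self.key = derive_key(self.register, self.shared_info())   # step 1
        msg = self.shared_info() + body
        return msg, mac(self.key, msg)                              # step 2

    def accept(self, resp: bytes, tag: bytes) -> bool:
        ok = hmac.compare_digest(tag, mac(self.key, resp))          # step 6
        if ok:
            self.roll()                                             # step 7
        self.key = None   # the transaction key is never reused
        return ok

class Host(Party):
    def handle(self, msg: bytes, tag: bytes):
        shared = self.shared_info()
        key = derive_key(self.register, shared)                     # step 3
        if not msg.startswith(shared) or not hmac.compare_digest(tag, mac(key, msg)):
            return None                                             # step 4 failed
        resp = b"APPROVED|" + msg
        self.roll()       # host mirrors the terminal's register update
        return resp, mac(key, resp)                                 # step 5
```

Because both sides roll the register after each transaction, a captured request and MAC replayed to the host fails validation under the next transaction key.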
In order to produce a real UKPT scheme from the generic UKPT scheme of
Figure 10.5, we need to answer three questions:
1. What is the initial value in the terminal key register?
 