Banking security standards (ANSI, ISO)

This section considers banking security standards developed by ANSI and by ISO. Banking security standards are typically divided into wholesale and retail banking (see Table 15.5). Wholesale banking involves transactions between financial institutions. Retail banking involves transactions between institutions and private individuals, including automated teller machine (ATM) and point-of-sale (POS) transactions, and credit authorizations.


Category     transaction volume           average transaction value
retail       high (millions per day)
wholesale    low (thousands per day)      $3 million

Table 15.5: Retail vs. wholesale banking characteristics.

(i) ANSI encryption standards

The American National Standards Institute (ANSI) develops standards through various Accredited Standards Committees (ASCs). Accreditation implies that standards developed under a particular committee become ANSI standards. Accredited committees include ASC X3 - Information Processing Systems; ASC X9 - Financial Services; and ASC X12 - Electronic Business Data Interchange. Table 15.6 lists selected ANSI encryption and banking security standards developed under X3 and X9.

ANSI X3.92: This standard specifies the DES algorithm, which ANSI standards refer to as the Data Encryption Algorithm (DEA). X3.92 is technically the same as FIPS 46.

ANSI X3.106: This standard specifies DES modes of operation, or DEA modes of operation as referred to in ANSI standards. X3.106 is technically the same as FIPS 81 (cf. ISO 8372). An appendix in FIPS 81 contains additional background information on the various modes.

(ii) ANSI banking security standards

ASC X9 subcommittee X9F develops information security standards for the financial services industry. Banking security standards include cryptographic and operational requirements, with a heavy emphasis on controls, audit, sound business practices, and interoperability. Among the working groups under X9F, most of the cryptographic work is in X9F1 (public key cryptography and cryptographic tools) and X9F3 (security in wholesale financial telecommunications).





ANSI #      Subject
X3.92       data encryption algorithm (DEA)
X3.106      data encryption algorithm (DEA) modes
X9.8        PIN management and security
X9.9        message authentication (wholesale)
X9.17       key management (wholesale; symmetric)
X9.19       message authentication (retail)
X9.23       encryption of messages (wholesale)
X9.24       key management (retail)
X9.26       sign-on authentication (wholesale)
X9.28       multi-center key management (wholesale)
X9.30-1     digital signature algorithm (DSA)
X9.30-2     secure hash algorithm (SHA) for DSA
X9.31-1     RSA signature algorithm
X9.31-2     hashing algorithms for RSA
X9.42       key management using Diffie-Hellman
X9.45       attribute certificates and other controls
X9.52       triple DES and modes of operation
X9.55       certificate extensions (v3) and CRLs
X9.57       certificate management


Table 15.6: ANSI encryption and banking security standards.

ANSI X9.8: This standard addresses PIN management and security. It consists of ISO 9564 reproduced in its entirety, with clearly marked “X9 Notes” added where required to adapt the text for use as an ANSI X9 standard. A standard means for interchanging PIN data is specified. Annex A of 9564 (procedures for the approval of an encipherment algorithm) is included; the only currently specified approved algorithm is DES. Annex B (general principles for key management) is also retained from 9564, but noted as superseded by X9.24 (retail key management).

ANSI X9.9: This standard specifies a DES-based message authentication code (MAC) algorithm for wholesale banking as summarized below (cf. X9.19 for retail banking). If data is protected by both authentication and encryption mechanisms, a different key is required for each purpose. Message replay is precluded by use of date and message identifier fields. Appendix B includes sample MAC computations. X9.9 requires key management in accordance with ANSI X9.17, and also addresses implementation issues including coded character sets and representations, field delimiters, and message normalization (e.g., replacing carriage returns or line feeds by space characters, and multiple spaces by single spaces), and notes other practical concerns such as escape sequences beyond the scope of a MAC causing over-writing of authenticated data fields on display devices.

The X9.9 MAC algorithm may be implemented using either the cipher-block chaining (CBC) or 64-bit cipher feedback (CFB-64) mode, initialized to produce the same result (see Note 15.1). Final data blocks with fewer than 64 bits are left-justified and zero-bits are appended to complete the block before processing. The MAC result is specified to be the leftmost 32 bits of the final DES output. X9.9 states that the capability to generate 48-bit and 64-bit MAC values should also exist.

  • 15.1 Note (CBC-MAC and equivalent CFB-64 MAC) For data blocks $D_1, \ldots, D_t$ and a fixed MAC key $K$, equivalent MACs may be generated using either the CBC or 64-bit cipher feedback (CFB-64) modes. In the CBC case, the MAC $C_t$ is defined by $C_i = E_K(D_i \oplus C_{i-1})$ for $1 \le i \le t$ and $C_0 = IV = 0$. For the CFB-64 case, let $O_i = E_K(I_i)$ be the output from the block encryption at stage $i$ for $1 \le i \le t$, where $I_i =$ for $2 \le i \le t$ and $I_1 = D_1$ (the first 8 data bytes serve as IV). Note $O_t = C_t$ from above. (A block $D_{t+1} = 0$ may be introduced if the CFB implementation interface requires the final output $O_t$ be XORed to a data block before release.)

ANSI X9.17: This standard, which was the basis for ISO 8732, specifies manual and automated methods (symmetric-based) for wholesale banking key management, including key establishment techniques and protection of keys in key management facilities. A key management hierarchy is defined consisting of manually-distributed key-encrypting keys, electronically-distributed key-encrypting keys, and electronically-distributed data or transaction keys for authentication or encryption. Key management techniques include the use of key counters, key offsetting, and key notarization. Key establishment settings include direct exchange between two nodes (point-to-point), and both key distribution centers (KDCs) and key translation centers (KTCs).

ANSI X9.19: This standard specifies a DES-based message authentication code (MAC) algorithm for retail banking (cf. X9.9 for wholesale banking). Implementation and other issues are addressed as per X9.9, and the MAC algorithm itself is essentially the same as X9.9, differing in that the MAC result is the leftmost m bits of the final 64-bit output, where m is to be specified by the application. An optional X9.19 procedure using a second key K' is specified for increased protection against exhaustive key determination: the (previously) final output is decrypted using K' and then re-encrypted under the original key. The resulting algorithm is widely referred to as the retail MAC; see Figure 9.6.
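The MAC computations described above for X9.9 (with Note 15.1) and X9.19, as an added example that is not taken from the standards or from the original text. A toy SHA-256-based Feistel cipher stands in for DES so the code runs with only the standard library (an assumption; it is not DES), and the function names, keys and sample message are constructed for illustration.

```python
import hashlib

BLOCK = 8  # 64-bit block, as in DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of a toy Feistel cipher standing in for DES (assumption).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def decrypt_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data):
    # A short final block is left-justified and completed with zero bits.
    if not data or len(data) % BLOCK:
        data += bytes(BLOCK - len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_mac(key, data):
    c = bytes(BLOCK)                          # C_0 = IV = 0
    for d in blocks(data):
        c = encrypt_block(key, _xor(d, c))    # C_i = E_K(D_i xor C_{i-1})
    return c                                  # full 64-bit C_t

def cfb64_mac(key, data):
    d = blocks(data)
    o = encrypt_block(key, d[0])              # I_1 = D_1 (first 8 bytes as IV)
    for blk in d[1:]:
        o = encrypt_block(key, _xor(blk, o))  # CFB feeds ciphertext D_i xor O_{i-1}
    return o                                  # O_t, equal to C_t

def x99_mac(key, data, m_bits=32):
    return cbc_mac(key, data)[:m_bits // 8]   # leftmost m bits

def retail_mac(key, key2, data, m_bits=32):
    # Optional X9.19 step: decrypt C_t under K', re-encrypt under K.
    c = encrypt_block(key, decrypt_block(key2, cbc_mac(key, data)))
    return c[:m_bits // 8]

MSG = b"PAY 1000.00 TO ACCT 12345 REF 0007"   # constructed sample message
K, K2 = b"demo-key", b"demo-key-prime"        # constructed demo keys
```

With zero-bit padding, a message and the same message followed by zero bytes inside the final block produce the same MAC, so the message format has to fix the data length.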

ANSI X9.23: This standard addresses message formatting and representation issues related to the use of DES encryption in wholesale banking transactions. These include field delimiting and padding, as well as filtering methods required to prevent ciphertext bit sequences from interfering with communications protocols when inadvertently interpreted as control characters (e.g., end-of-transmission).

ANSI X9.24: This standard, which motivated ISO 11568, specifies manual and automated methods for retail key management, addressing authentication and (DES-based) encryption of PINs, keys, and other data. Guidelines include protection requirements at various stages in the key management life cycle. Appendices provide additional information, including (Appendix D) methods providing unique per-transaction keys, updated after each transaction as a one-way function of the current key and transaction-specific details; and (Appendix E) how to derive a large number of different terminal keys (for distinct terminals) from a common base key, simplifying key management for servers which must communicate with all terminals. Such derived keys may be combined with the unique per-transaction key methods.

ANSI X9.26: This standard specifies two main classes of entity authentication mechanisms of use for access control. The first involves user passwords. The second involves cryptographic keys used in DES-based challenge-response protocols (e.g., a time-variant parameter challenge must be ECB-encrypted). The latter class is subdivided, on the basis of granularity, into user-unique and node-unique keys.

ANSI X9.28: This standard extends X9.17 to allow the distribution of keying material (using X9.17 protocols) between entities (subscriber nodes) which neither share a common key, nor share a key with a common central server (KDC or KTC). Two or more key centers form a multiple-center group to provide a more general key distribution service allowing the establishment of keying material between any two subscribers sharing a key with at least one center in the group. As there are no known or proposed implementations of this standard, it appears destined to be withdrawn from the ANSI suite.

ANSI X9.30: The first in a suite of ANSI public-key standards, X9.30-1 and X9.30-2 specify DSA and SHA for the financial services industry, as per FIPS 186 and FIPS 180, respectively.

ANSI X9.31: The (draft) standard X9.31-1 parallels X9.30-1, and specifies a signature mechanism based on an RSA signature algorithm, more specifically the ISO/IEC 9796 variant combined with a hashing algorithm. The (draft) standard X9.31-2 defines hash functions for use with Part 1, including MDC-2.

ANSI X9.42: This (draft) standard specifies several variations of unauthenticated Diffie-Hellman key agreement, providing shared symmetric keys for subsequent cryptographic use.

ANSI X9.45: This (draft) standard employs a particular type of attribute certificate (§13.4.2) called an authorization certificate, and other techniques from ANSI X9.57, to allow a party to determine whether a received message or signed document is authorized with respect to relevant rules or limits, e.g., as specified in the authorization certificate.

ANSI X9.52: This (draft) standard for encryption offers improvements over DES security by specifying a number of modes of operation for triple-DES encryption, including the four basic modes of ISO 8372, enhanced modes intended to provide additional protection against advanced cryptanalytic attacks, and message-interleaved and pipelined modes intended to allow increased throughput in multi-processor systems.

ANSI X9.55: This (draft) standard specifies extensions to the certificate definitions of ANSI X9.57 corresponding to, and aligned with, ISO certificate extensions for ITU-T X.509 Version 3 certificates (see page 660).

ANSI X9.57: This (draft) certificate management standard includes both technical specifications defining public-key certificates (based on ITU-T X.509) for electronic commerce, and business controls necessary to employ this technology. The initial version is defined for use with DSA certificates, in conjunction with ANSI X9.30-1.

(iii) ISO banking security standards

ISO banking security standards are developed under the ISO technical committee TC68 - Banking and Related Financial Services. TC68 subcommittees include TC68/SC2 (wholesale banking security) and TC68/SC6 (retail banking security and smart card security). Table 15.7 lists selected ISO banking security standards.





ISO #       Subject
8730        message authentication - requirements (W)
8731-1      message authentication - CBC-MAC
8731-2      message authentication - MAA
8732        key management/symmetric (W)
9564        PIN management and security
9807        message authentication - requirements (R)
10126       message encipherment (W)
10202-7     key management for smart cards
11131       sign-on authentication
11166-1     key management/asymmetric - overview
11166-2     key management using RSA
11568       key management (R), in 6 parts

Table 15.7: ISO banking security standards (W-wholesale; R-retail).

ISO 8730: Together with ISO 8731, this wholesale banking standard for message authentication code (MAC) algorithms forms the international equivalent of ANSI X9.9. ISO 8730 is algorithm-independent, and specifies methods and requirements for the use of MACs including data formatting and representation issues, and a method by which specific algorithms are to be approved.

ISO 8731: ISO 8731-1 and 8731-2 specify particular MAC algorithms complementary to the companion standard ISO 8730. 8731-1 specifies a DES-based CBC-MAC with m = 32 (cf. ISO/IEC 9797). 8731-2 specifies the Message Authenticator Algorithm, MAA (Algorithm 9.68).

ISO 8732: This standard for key management in wholesale banking was derived from ANSI X9.17, and is its international equivalent.

ISO 9564: This standard, used as the basis for ANSI X9.8, specifies minimum measures for the management and security of Personal Identification Numbers (PINs). Part 1 specifies principles and techniques to protect against disclosure of PINs to unauthorized parties during the PIN life cycle. Part 2 specifies encipherment algorithms approved to protect PINs.

ISO 9807: This standard for message authentication in retail banking is analogous to ANSI X9.19 (cf. ISO 8730/8731-1 vs. ANSI X9.9), but does not address data representation issues, and names two approved algorithms in Annex A - the CBC-MAC of 8731-1 (allowing optional final processing as per X9.19), and the MAA of 8731-2.

ISO 10126: This multi-part standard is the international equivalent of X9.23 addressing confidentiality protection of (parts of) financial messages. ISO 10126-1 provides general principles; 10126-2 defines a specific algorithm - DES.

ISO 10202: This eight-part standard addresses security architecture issues for integrated circuit cards (chipcards) used for financial transactions. In particular, ISO 10202-7 specifies key management aspects.

ISO 11131: This standard for sign-on authentication is the international (non-DES specific) analogue of ANSI X9.26.

ISO 11166: This multi-part standard for banking key management specifies asymmetric techniques for distributing keys for symmetric algorithms. It was developed from ISO 8732, which uses symmetric techniques only. Part 1 specifies general principles, procedures, and formats, including background regarding key protection during its life cycle, certification of keying material, key distribution by either key exchange (e.g., Diffie-Hellman) or key transport, and cryptographic service messages. Further parts are intended to define approved algorithms for use with the procedures of Part 1. Part 2 specifies the RSA algorithm for both encipherment and digital signatures; RSA formatting differs from both ISO/IEC 9796 and PKCS #1.

ISO 11568: This multi-part standard addresses retail key management and life cycle issues. It originated from X9.24, but is generalized for international use (e.g., it is no longer DES-specific), and addresses both symmetric and public-key techniques.
