Automated teller machines: their history and authentication protocols
  • Author: Alan G. Konheim
  • Keywords: API ; ATM ; Banking ; Cryptography ; Hardware Security Module ; Horst Feistel ; PED ; IBM
  • Journal: Journal of Cryptographic Engineering
  • Publication year: 2016
  • Publication date: April 2016
  • Year: 2016
  • Volume: 6
  • Issue: 1
  • Pages: 1-29
  • Full text size: 2,430 KB
  • Author affiliation: Alan G. Konheim (1)

    1. Emeritus Department of Computer Science, University of California at Santa Barbara, Santa Barbara, CA, 93106, USA
  • Journal category: Computer Science
  • Publisher: Springer Berlin / Heidelberg
  • ISSN: 2190-8516
Abstract
Luther Simjian filed a patent in 1959 for perhaps the first ATM; he convinced the City Bank of New York (now Citibank) to run a 6-month field test of his Bankmatic. The test was, however, not extended due to lack of demand. Simjian suggested that the only customers using the machine were a small number of prostitutes and gamblers who did not want to deal with bank tellers face to face. Nature abhors a vacuum and is also the mother of invention; John Shepherd-Barron (OBE), managing director of London’s De La Rue Instruments succeeded in 1964 with help from Barclay’s Bank. The DACS (De La Rue Automatic Cash System) was installed at their branch in Enfield, North London, on June 27, 1967. Since banks are guardians of your money, it was necessary to institute controls on who could get the moolah or lolly! JSB and his many successors required an ATM user to provide two identifiers: the first, a PAN—proof of the existence of a bank account—though not necessarily well funded—and the second, a PIN—proof of identity, the creation of James Goodfellow of Chubb’s Integrated System. The PAN in time would ultimately be recorded magnetically on an ATM bankcard, the PIN entered at the ATM’s keyboard. Goodfellow’s invention was followed by ATM inventions of Geoffrey Constable (also of Chubb) and in the US by Donald C. Wetzel. He was a former baseball player (shortstop) for a farm team of the San Francisco (née New York) Giants, IBM sales person and then vice president of Docutel. Since pickpockets were plentiful in London, a substantial part of the security rested with knowledge of the PIN. But how were the PAN and PIN related and how was this tested during an ATM transaction? These remained to be discovered. The IBM Corporation entered the scene in 1968 with a contract to design an ATM. Horst Feistel working at their Yorktown Research Center developed the first cryptographic algorithm to relate the PIN and PAN.
Feistel’s algorithm LUCIFER was modified and affirmed in 1976 as the Data Encryption Standard (DES) in the US by the National Bureau of Standards. It evolved into Triple DES (3DES), currently the guardian of most PINs today. This paper is a summary of the achievements of the inventors, the problems encountered and the necessary technical enhancements needed and introduced.
