
Misrouting Attack Protection

IP.com Disclosure Number: IPCOM000047396D
Original Publication Date: 1983-Nov-01
Included in the Prior Art Database: 2005-Feb-07
Document File: 3 page(s) / 38K

Publishing Venue

IBM

Related People

Lennon, RE: AUTHOR [+3]

Abstract

This article discloses alternative methods to enforce proper routing of personal verification information through various nodes in an interchange network. In an electronic funds transfer (EFT) application, personal verification often involves a user-remembered, secret personal identification number (PIN). The user provides the PIN at an entry point in the system together with additional information, e.g., the user's primary account number (PAN) and the issuer bank identifier (BID), on a plastic, embossed, magnetic stripe bank card. Good security requires that the PIN never appear in the clear except in secure hardware. Therefore, it is necessary to encrypt the PIN when it is routed through the network. Fig. 1 illustrates an EFT network involving a multiplicity of institutions.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 45% of the total text.


This article discloses alternative methods to enforce proper routing of personal verification information through various nodes in an interchange network. In an electronic funds transfer (EFT) application, personal verification often involves a user-remembered, secret personal identification number (PIN). The user provides the PIN at an entry point in the system together with additional information, e.g., the user's primary account number (PAN) and the issuer bank identifier (BID), on a plastic, embossed, magnetic stripe bank card. Good security requires that the PIN never appear in the clear except in secure hardware. Therefore, it is necessary to encrypt the PIN when it is routed through the network. Fig. 1 illustrates an EFT network involving a multiplicity of institutions.

Each EFT terminal and its owning bank share a unique terminal key (TK) and each bank and the EFT switch share a unique interchange key (IK) for cryptographic communications between them. Thus, a PIN encrypted under TK will be decrypted at host Hi and re-enciphered under interchange key IKi shared with the switch SW, via a TRANSLATE operation. At SW, the encrypted PIN will be decrypted and re-enciphered under interchange key IKj, shared with host Hj, via another TRANSLATE operation. In such an environment, secure key translations are required to route the PIN from the domain host Hi to that of domain host Hj.

To identify the intended destination node, BID read from the bank card is converted to a network address and placed in the control portion of the transaction request message or, alternatively, in the message data itself. BID may also be used as a key identifier, i.e., if BIDj equates to bank j, then IKj is identified as the interchange key used by SW to encrypt PIN for transmission to bank j.

Fig. 2 illustrates one method of operation in which the translate keys are stored in the clear in secure hardware and are used directly during execution of the TRANSLATE operation. Thus, the PIN value enciphered under control of the interchange key IKi is represented by the notation $E_{IK_i}(\text{PIN})$, where E represents the encryption function, IKi the interchange key and PIN the data to be protected. The enciphered PIN value is deciphered under control of IKi to obtain the PIN value in the clear. The BIDj portion of the transaction message is used as an index to the key table to obtain IKj which is used to control the encipherment of the PIN value to obtain the translated result $E_{IK_j}(\text{PIN})$.

Fig. 3 illustrates another method of operation in which the translate keys are stored in enciphered form outside the secure hardware and are thus supplied to the TRANSLATE operation as additional parameters. Thus, the enciphered PIN value, i.e., $E_{IK_i}(\text{PIN})$, is again deciphered under control of IKi to obtain the PIN value in the clear. BIDj is used as an index to the external key table to obtain the IKj value which, in this case, is enciphered under a variant o...
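
The Fig. 2 TRANSLATE operation described above, as an added example that is not part of the original disclosure: a Python model of the switch's secure hardware holding the interchange keys in an internal table indexed by BID. The HMAC-based stand-in cipher, the class and function names, and the bank identifiers, keys and PIN are assumptions constructed for illustration; the disclosure does not name its cipher here.

```python
import hashlib
import hmac


def _stream(key: bytes, n: int) -> bytes:
    # Stand-in cipher (assumption): deterministic HMAC-SHA256 keystream.
    # It only models "encipher under key K"; it is not the disclosure's algorithm.
    return hmac.new(key, b"pin-block", hashlib.sha256).digest()[:n]


def encipher(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))


decipher = encipher  # XOR keystream: the same operation in both directions


class SwitchModule:
    """Models the secure hardware at the switch SW (Fig. 2 method)."""

    def __init__(self, key_table: dict):
        # BID -> IK; keys are in the clear only inside this object.
        self._keys = dict(key_table)

    def translate(self, bid_i: str, bid_j: str, enc_pin: bytes) -> bytes:
        """E_IKi(PIN) -> E_IKj(PIN); the clear PIN exists only in this call."""
        if bid_i not in self._keys or bid_j not in self._keys:
            raise KeyError("unknown bank identifier")
        pin = decipher(self._keys[bid_i], enc_pin)
        # The output key is selected solely by the BID carried in the message.
        return encipher(self._keys[bid_j], pin)


def demo() -> dict:
    # Constructed sample keys and PIN (not from the disclosure).
    ik = {"BANK_I": b"constructed-IKi",
          "BANK_J": b"constructed-IKj",
          "BANK_K": b"constructed-IKk"}
    sw = SwitchModule(ik)
    pin = b"4921"
    wire_in = encipher(ik["BANK_I"], pin)            # what host Hi sends to SW
    wire_out = sw.translate("BANK_I", "BANK_J", wire_in)
    return {"wire_in": wire_in,
            "wire_out": wire_out,
            "at_hj": decipher(ik["BANK_J"], wire_out),  # intended host recovers PIN
            "at_hk": decipher(ik["BANK_K"], wire_out)}  # another host's key does not


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex())
```

Because the destination key follows the BID field alone, the model shows why the disclosure treats routing of the enciphered PIN as something that must be enforced rather than assumed.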