In financial cryptography and PCI standards, a Key Block is an encrypted key stored with its metadata in a cryptographically secure way. That means that the key's usage information and other parameters can't be altered by an attacker by tampering with the encrypted key. To understand why they are useful, and why their adoption is now a big deal in the financial services industry, we have to look at a little history.
A Brief History of PINs
We all have experience of using PIN codes at ATMs (cash machines) to authenticate ourselves to our bank and withdraw money. How does the issuing bank check we used the correct PIN? Likely we would imagine all the customer PINs being stored hashed in a database, somewhat like passwords, but in fact for historical reasons the system is quite different.After PINs were first introduced, banks wanted a way to check PINs were correct even at offline ATMs. In 1972, Mohammed M. Atalla invented a way to do this that involved using a computer hardware box to encrypt non-secret information (in the case of ATMs, the customer account number) to derive the PIN. This way, any box with the right cryptographic key in it could check a customer had entered the correct PIN. At the time of his invention, commercial cryptography was in its infancy, and the original patent describes a hand-rolled encryption algorithm. After the emergence of the DES algorithm, the method became standardised around DES encryption. The key that calculates a PIN from an account number is known as a PIN Derivation Key (PDK). For customers to be able to use different banks ATMs, they needed to be able to exchange PDKs without revealing them. This is where encrypted key blocks first appear. However, several competing manufacturers developed hardware security modules (HSMs) for the rapidly growing market, each with a slightly different method for encrypting keys.
A Holy Grail for Hackers
Fast-forward to the early 2000s. Banks are slowly upgrading to triple DES (3DES) encryption, and more and more PINs are verified online rather than offline, since global connectivity has vastly improved. Verifying online PINs still uses the same HSM hardware, but now as well as PDKs, HSMs must be able to use PIN-encryption keys to protect the guess at the PIN the customer made while it is sent over the network. This works using the same DES encryption as the PDKs.This additional functionality poses an interesting question: what if I could trick the HSM into using a PIN derivation key to encrypt some data instead of a PIN encryption key? Then I could enter a customer's account number and obtain their PIN. Of course this shouldn't be possible, but then an academic paper by Mike Bond, then a PhD student at the University of Cambridge, showed how for some manufacturers' HSMs in particular cases, this could indeed happen.Over the next few years, several research teams published new attack methods on HSM PIN processing APIs. Then in 2009, news broke that some of these methods were actually being exploited. In a Wired magazine article PIN Crackers Nab Holy Grail of Bank Card Security, Kim Zetter interviewed Bryan Sartin, an investigator at Verizon, who revealed that they were now seeing "entirely new attacks that a year ago were thought to be only academically possible". It's here that I have a small part in the story, since the article also features Kim's interview with me to explain some of these attacks, and why they are hard to fix. I was working as a researcher at INRIA at the time, trying to systematise these attacks and figure out ways to prevent them.
PCI PIN Standard 3.0
These days the way PINs are protected falls under the remit of the PCI (Payment Card Industry) standards. Version 3.0 of their specific standard for PIN protection includes many mitigations for these kinds of attacks, including mandatory use of Key Blocks that bind usage information to the encrypted key in a cryptographically secure way - preventing the kinds of key-misuse attacks we discussed above. Indeed, the PCI published an information supplement on Key Blocks, explaining the changes, and referencing the Wired article to understand the need to switch.Migrating from the old "variant key blocks", or other deprecated methods, to the new "TR-31" format (one of the interoperable key block formats PCI recommend), will be complicated, just like any cryptographic migration. Legacy applications may need to be changed. If you're involved in such a project, you might find our Cryptography Analyzer tooling helpful to understand exactly what legacy applications are doing with their keys. Even if not, I'd love to chat to understand if we can help get this done: I have a personal interest in seeing secure Key Blocks adopted successfully!
Awesome. I didn’t know that, thanks for letting me know.
— Kim Zetter (@KimZetter) June 20, 2019