Personal identification number processing using control vectors

Abstract

Cryptographic PIN processing is achieved in an improved manner by associating control vectors with the PIN generating (verification) keys and PIN encrypting keys which provide authorization for the uses of the keys intended by the originator of the keys. The originator may be the local cryptographic facility (CF) and a utility program under the control of a security administrator, or the originator may be another network node which uses the key management methods described in the above-referenced copending patent applications to distribute said keys. Among the uses specified by the control vector are limitations on the authority to use the associated key with certain PIN processing instructions, such as PIN generation, verification, translation and PIN block creation. Furthermore, the control vector may limit the authority of certain instructions to process clear PIN inputs (such as in PIN verification). The control vector may contain information identifying and, possibly restricting, PIN processing to a particular PIN format or particular processing algorithm. The control vector implementation provides a flexible method for coupling format, usage, and processing authorization to keys. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Furthermore, a method is provided for the security administrator to restrict certain PIN format translations.

Claims

What is claimed is:

1. In a data processing system which outputs cryptographic service requests for management of cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, an apparatus for validating that PIN processing functions requested for a cryptographic key have been authorized by the originator of the key, comprising:

a cryptographic instruction storage coupled to an input path;

a cryptographic facility characterized by a secure boundary through which passes said input path for receiving said cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto, there being included within said boundary a control vector checking means and a cryptographic processing means coupled to said instruction storage, and a master key storage coupled to said processing means, for providing a secure location for executing PIN processing functions in response to said received service requests;

said cryptographic instruction storage receiving over said input path a cryptographic service request for performing a PIN processing function with a cryptographic key;

said control vector checking means having an input coupled to said input path for receiving a control vector associated with said cryptographic key and an input connected to said cryptographic instruction storage, for receiving control signals to initiate checking that said control vector authorizes the PIN processing function which is requested by said cryptographic service request;

said control vector checking means having an authorization output coupled to an input of said cryptographic processing means, for signalling that said PIN processing function is authorized, the receipt of which by said cryptographic processing means initiates the performance of the requested PIN processing function with said cryptographic key.

2. The apparatus of claim 1, which further comprises:

a cryptographic key storage means coupled to said cryptographic facility over said input and output paths, for storing said cryptographic key in an encrypted form in which said cryptographic key is encrypted under a storage key which is a logical product of said associated control vector and a master key stored in said master key storage.

3. The apparatus of claim 1, wherein said PIN processing is achieved by associating said control vector with a PIN generating key, to provide authorization for the use of the key intended by the originator of the key.

4. The apparatus of claim 1, which further comprises said PIN processing being achieved by associating control vectors with PIN verification keys, said control vectors providing authorization for the uses of the keys intended by the originators of the keys.

5. The apparatus of claim 1, which further comprises said PIN processing being achieved by associating control vectors with PIN encrypting keys, said control vectors providing authorization for the uses of the keys intended by the originator of the keys.

6. The apparatus of claim 1, wherein said control vector specifies limitations on the authority to use the associated key with certain PIN processing instructions.

7. The apparatus of claim 1, wherein said control vector places limitations on the authority to use the associated key for PIN generation functions.

8. The apparatus of claim 1, which further comprises said control vector placing limitations on the authority to use the associated key in PIN verification functions.

9. The apparatus of claim 1, wherein said control vector places limitations on the authority to use the associated key in PIN translation functions.

10. The apparatus of claim 1, wherein said control vector places limitations on the authority to use the associated key in PIN block creation functions.

11. The apparatus of claim 1, wherein said control vector places limitations on the authority to use the associated key to process clear PIN inputs.

12. The apparatus of claim 1, wherein said control vector places limitations on the authority to use the associated key for PIN processing functions having a particular PIN format.

13. The apparatus of claim 1, which further comprises

a working key storage within said cryptographic facility coupled to said cryptographic processing means, for providing a secure location for the storage of working keys.

14. The apparatus of claim 13, which further comprises:

said working key storage storing a plurality of working keys and their associated control vectors in clear text form.

15. The apparatus of claim 14, which further comprises:

said cryptographic facility receiving over said input path a cryptographic service request for performing PIN processing function;

said control vector checking means checking the associated control vector accessed from said working key storage and outputting an authorization signal to said cryptographic processing means that said cryptographic service request is authorized using the respective key accessed from said working key storage.

16. The apparatus of claim 14, which further comprises:

said working keys being stored in said working key storage as the exclusive-OR product of each key with its respective control vector.

17. The apparatus of claim 16, which further comprises:

said cryptographic facility receiving over said input path a cryptographic service request for performing a PIN processing function and also receiving the corresponding associated control vector which undergoes control vector checking in said control vector checking means;

said control vector checking means outputting an authorization signal to said cryptographic processing means that said cryptographic service request is authorized, said corresponding exclusive-OR product of the control vector and its respective key then being exclusive-ORed with said control vector in order to recover the key for the requested cryptographic operation.

18. The apparatus of claim 1, which further comprises:

a working key storage within said cryptographic facility, for storing working keys in clear text form and for storing their respective associated control vectors;

said cryptographic instruction storage receiving over said input path a cryptographic service request for performing a PIN processing function which includes accessing said cryptographic key and said associated control vector from said working key storage and said control vector checking means outputting in response thereto, an authorization signal to said cryptographic processing means that the requested PIN processing function is authorized;

said cryptographic processing means operating in response to said authorization signal, to complete performing the requested PIN processing function with said cryptographic key.

19. The apparatus of claim 1, which further comprises:

a working key storage within said cryptographic facility coupled to said cryptographic processing means, for storing the exclusive-OR product of working keys and their associated control vectors;

said cryptographic instruction storage receiving over said input path a cryptographic service request and the corresponding associated control vector, for performing a PIN processing function;

said control vector checking means checking said control vector and outputting in response thereto, an authorization signal to said cryptographic processing means that the requested PIN processing function is authorized;

said cryptographic processing means operating in response to said authorization signal, to perform an exclusive-OR operation between said control vector and said product which has been accessed from said working key storage, yielding said working key in clear text form;

said cryptographic processing means further operating in response to said authorization signal, to complete performing the requested PIN processing function with said cryptographic key.

20. In a data processing system which outputs cryptographic service requests for PIN processing using cryptographic keys which are associated with control vectors defining the functions which each key is allowed by its originator to perform, a method for validating that PIN processing functions requested for a cryptographic key have been authorized by the originator of the key, comprising the steps of:

receiving a cryptographic service request for performing a PIN processing function on a cryptographic key in a cryptographic facility characterized by a secure boundary through which passes an input path and an output path;

receiving a control vector associated with said cryptographic key and checking that said control vector authorizes the PIN processing function which is requested by said cryptographic service request;

signalling that said PIN processing function is authorized and initiating the performance of the requested PIN processing function with said cryptographic key.

21. The method of claim 20, which further comprises the steps of:

storing in a storage means said cryptographic key in an encrypted form in which said cryptographic key is encrypted under a storage key which is a logical product of said associated control vector and a master key.

22. The method of claim 20, wherein said PIN processing is achieved by associating said control vector with a PIN generating key, to provide authorization for the use of the key intended by the originator of the key.

23. The method of claim 20, which further comprises said PIN processing being achieved by associating control vectors with PIN verification keys, said control vectors providing authorization for the uses of the keys intended by the originators of the keys.

24. The method of claim 20, which further comprises said PIN processing being achieved by associating control vectors with PIN encrypting keys, said control vectors providing authorization for the uses of the keys intended by the originator of the keys.

25. The method of claim 20, wherein said control vector specifies limitations on the authority to use the associated key with certain PIN processing instructions.

26. The method of claim 20, wherein said control vector places limitations on the authority to use the associated key for PIN generation functions.

27. The method of claim 20, which further comprises said control vector placing limitations on the authority to use the associated key in PIN verification functions.

28. The method of claim 20, wherein said control vector places limitations on the authority to use the associated key in PIN translation functions.

29. The method of claim 20, wherein said control vector places limitations on the authority to use the associated key in PIN block creation functions.

30. The method of claim 20, wherein said control vector places limitations on the authority to use the associated key to process clear PIN inputs.

31. The method of claim 20, wherein said control vector places limitations on the authority to use the associated key for PIN processing functions having a particular PIN format.

32. The method of claim 20, wherein said control vectors define node linkages to be allowed by said originator.

33. The method of claim 20, which further comprises:

storing a plurality of working keys and their associated control vectors in clear text form in a working key storage within said cryptographic facility.

34. The method of claim 33, which further comprises:

receiving over said input path a cryptographic service request for performing a PIN processing function;

checking the associated control vector accessed from said working key storage and outputting an authorization signal that said cryptographic service request is authorized using the respective key accessed from said working key storage.

35. The method of claim 33, which further comprises:

said working keys being stored in said working key storage as the exclusive-OR product of each key with its respective control vector.

36. The method of claim 35, which further comprises:

receiving over said input path a cryptographic service request for performing a PIN processing function and also receiving the corresponding associated control vector which undergoes control vector checking;

outputting an authorization signal that said cryptographic service request is authorized, said corresponding exclusive-or product of the control vector and its respective key then being exclusive-ORed with said control vector in order to recover the key for the requested cryptographic operation.

37. The method of claim 20, which further comprises:

storing working keys in clear text form and storing their respective associated control vectors in a working key storage within said cryptographic facility;

receiving over said input path a cryptographic service request for performing a PIN processing function which includes accessing said cryptographic key and said associated control vector from said working key storage and outputting in response thereto, an authorization signal that the requested PIN processing function is authorized;

performing the requested PIN processing function with said cryptographic key in response to said authorization signal.

38. The method of claim 20, which further comprises:

storing the exclusive-OR product of working keys and their associated control vectors in a working key storage within said cryptographic facility;

receiving over said input path a cryptographic service request and the corresponding associated control vector, for performing a PIN processing function;

checking said control vector and outputting in response thereto, an authorization signal that the requested PIN processing function is authorized;

operating in response to said authorization signal, to perform an exclusive-OR operation between said control vector and said product which has been accessed from said working key storage, yielding said working key in clear text form;

further operating in response to said authorization signal, to complete performing the requested PIN processing function with said cryptographic key.

39. The method of claim 20, wherein said control vector selectively limits the authority of said PIN processing function to process clear PIN inputs.

40. The method of claim 20, wherein said control vector selectively limits the authority of said PIN processing function to process a predetermined PIN format.

41. The method of claim 20, wherein said control vector selectively limits the authority of said PIN processing function to use as a predetermined processing algorithm.

42. The method of claim 20, wherein said control vector selectively limits the authority of said PIN processing function to use said cryptographic key in PIN generation.

43. The method of claim 20, wherein said control vector selectively limits the authority of said PIN processing function to use said cryptographic key in PIN verification.

44. The method of claim 20, wherein said control vector selectively limits the authority of said PIN processing function to use said cryptographic key in PIN translation.

45. The method of claim 20, wherein said control vector selectively limits the authority of said PIN processing function to use cryptographic key in PIN block creation.

46. The apparatus of claim 14, which further comprises:

said working keys being stored in said working key storage as a product of a combining function F of each key with its respective control vector.

47. The apparatus of claim 46, which further comprises:

said cryptographic facility receiving over said input path a cryptographic service request for performing a PIN processing function and also receiving the corresponding associated control vector which undergoes control vector checking in said control vector checking means;

said control vector checking means outputting an authorization signal to said cryptographic processing means that said cryptographic service request is authorized, said corresponding product of the control vector and its respective key then being operated upon by an inverse combining function F.sup.-1 with said control vector in order to recover the key for the requested cryptographic operation.

48. The apparatus of claim 1, which further comprises:

a working key storage within said cryptographic facility coupled to said cryptographic processing means, for storing a product of a combining function F of working keys and their associated control vectors;

said cryptographic instruction storage receiving over said input path a cryptographic service request and the corresponding associated control vector, for performing a PIN processing function;

said control vector checking means checking said control vector and outputting in response thereto, an authorization signal to said cryptographic processing means that the requested PIN processing function is authorized;

said cryptographic processing means operating in response to said authorization signal, to perform an operation with an inverse combining function F.sup.-1 between said control vector and said product which has been accessed from said working key storage, yielding said working key in clear text form;

said cryptographic processing means further operating in response to said authorization signal, to complete performing the requested PIN processing function with said cryptographic key.

49. The method of claim 20, which further comprises:

storing a plurality of working keys and their associated control vectors in a working key storage as a product of each key and its respective control vector, using a combining function F.

50. The method of claim 49, which further comprises:

receiving over said input path a cryptographic service request for performing a PIN processing function and also receiving the corresponding associated control vector which undergoes control vector checking;

outputting an authorization signal that said cryptographic service request is authorized, said corresponding product of the control vector and its respective key then being operated upon by an inverse combining function F.sup.-1 with said control vector in order to recover the key for the requested cryptographic operation.

51. The method of claim 20, which further comprises:

storing a product of a combining function F of working keys and their associated control vectors in a working key storage within said cryptographic facility;

receiving over said input path a cryptographic service request and the corresponding associated control vector, for performing a PIN processing function;

checking said control vector and outputting in response thereto, an authorization signal that the requested PIN processing function is authorized;

operating in response to said authorization signal, to perform an operation with an inverse combining function F.sup.-1 between said control vector and said product which has been accessed from said working key storage, yielding said working key in clear text form;

further operating in response to said authorization signal, to complete performing the requested PIN processing function with said cryptographic key.

Description

BACKGROUND OF THE INVENTION

1. Technical Field

The invention disclosed broadly relates to data processing technology and more particularly relates to cryptographic applications in data processing.

2. Background Art

References--The following copending patent applications are related to this invention and are incorporated herein be reference:

B. Brachtl, et al., "Controlled Use of Cryptographic Keys via Generating Stations Established Control Values", Ser. No. 55,502, filed March 1987 and assigned to IBM Corporation, and incorporated herein by reference.

S. M. Matyas, et al., "Secure Management of Keys Using Control Vectors", filed August 1988, and assigned to IBM Corporation, and incorporated herein by reference.

S. M. Matyas, et al., "Data Cryptography Operations Using Control Vectors", filed August 1988 and assigned to IBM Corporation, and incorporated herein by reference.

Introduction--Every day electronic funds transfer (EFT) systems electronically transfer billions of dollars between institutions and individuals. Such transactions cannot be processed safely unless user identities can be validated securely and the correct, unaltered transmission of messages between network nodes can be assured.

A personal identification number (PIN) is a secret number assigned to, or selected by, the holder of a debit or credit card used in an electronic funds transfer (EFT) or point of sale (POS) system. The PIN serves to authenticate the cardholder to the system. Cryptography is employed in EFT and POS systems to insure the confidentiality and integrity of PINs and other EFT transactions.

Cryptography is the transformation of intelligible information into apparently unintelligible form in order to conceal the information from unauthorized parties. Cryptography is the only known practical method to protect information transmitted through communications networks that use land lines, communications satellites and microwave facilities. It can also be used not only to protect the privacy of data, but also the integrity of data.

The cryptographic transformation of data is ordinarily defined by a selected algorithm, or procedure, under the control of a key. Since the algorithm is normally public knowledge, protection of the transformed, or enciphered, data depends on secrecy of the key. Thus, the key must be kept secret to prevent an opponent from simply using the known algorithm and key to recover the enciphered data. The protection of the data therefore hinges on protection of secret keys.

A new approach to Key Management is described in the above-mentioned copending application by S. M. Matyas, et al, which also provides a good background for this invention. The invention disclosed herein deals with cryptography PIN processing which has as its objective the application of cryptographic keys and methods to protecting the confidentiality and integrity of PINs during generation, translation, distribution, and verification whereas the S. M. Matyas, et al. copending patent application deals with the generation, distribution and management of the keys themselves.

In order for the PIN to function properly, it must be known only to the cardholder and to the financial institution or institutions capable of authenticating the cardholder, but to no one else.

The PIN must contain enough digits so that an adversary (cardfinder, thief or counterfeiter) would have little chance of finding a correct PIN via repeated guesses (or trial and error). But the PIN should not contain too many digits, otherwise it will slow down the transaction time. The longer the PIN the more difficult it is to remember and the greater the probability of an entry error. Four to six decimal digit PINs are the industry standard, although longer PINs are sometimes employed as a customer-selected option.

It is customary to place a limit on the number of consecutive incorrect PIN entries that a cardholder is allowed. Ordinarily, transactions are aborted after three incorrect PIN entries. This makes it difficult for an adversary to guess a correct PIN via PIN exhaustion. Card retention is also sometimes employed as a means to discourage unauthorized card usage.

The Bank Card and PIN as a Means for User Authentication

A user is normally provided with an embossed, magnetic stripe identification card (bank card) containing an institution identification number, the card's expiration date, and a primary account number (PAN). The institution at which the customer opens his/her account and which provides the user with a bank card, is called the issuer. At an entry point to the system, information on the user's bank card is read into the system and the user enters a secret quantity called the personal identification number (PIN). If the cardholder has supplied the correct PIN and if the balance in the account is sufficient to permit the transaction and if that type of transaction is allowed for that account, the system authorizes the funds transfer.

Electronic Funds Transfer and Point of Sale Environment

Consider a network configuration as shown in FIG. 1. The entry point at which transaction requests are initiated, such as a point of sale (POS) terminal or an automated teller machine (ATM), is defined as an EFT terminal. An institution's computer facility, which also happens to manage the connected EFT terminals, is referred to as a host processing center (HPC). The three HPCs shown in FIG. 1 are interconnected via an intelligent switch. The switch, which can be another HPC, establishes connections between the HPCs so that information can be routed in the network efficiently. A communications control unit (CC), an independent device positioned in the path between an HPC and its associated EFT terminals and between an HPC and adjacent network nodes, is responsible for managing data transmissions over the communications links. Similarly, EFT terminals are assumed to provide complementary support for link management functions. The CC has the capacity to verify systems users and data.

The HPC that first acts on information entered at an EFT terminal is the acquirer (acquiring HPC). A user who initiates a transaction at an EFT terminal may be a customer of a local institution (HPC X, in which case the acquirer is also the issuer) or a remote (distant) institution (HPC Y or HPC Z). If a user can initiate transactions at an entry point not controlled by the issuer, the supporting network is called an interchange system.

EXAMPLE WITHOUT CRYPTOGRAPHY

Consider a simple transaction in which cryptography is not employed. This is illustrated in FIG. 2. A customer wishes to use a bank card to pay a grocery bill of $35.00 and to receive an additional $50.00 in cash. The grocer's account is with institution X and the customer's account is with institution Y. The customer's card is inserted into the EFT terminal, either by the customer or by an employee of the retailer attending the EFT terminal, and the customer enters in PIN via a suitable entry device such as a keyboard or a PIN pad, which looks and operates much like a hand-held calculator. Similarly, the grocer enters a transfer request for $85.00 to be transferred from the customer's account to the grocer's account ($35.00 for the groceries plus the $50.00 to be given to the customer).

For purposes of transmission and processing, the PIN is stored as a 16 decimal digit PIN block (8 bytes). Several PIN block formats have been standardized, or through use are now de facto standards.

The information entered at the EFT terminal is assembled into a debit request message. This message or transaction request, which includes the customer's PIN (i.e., the 8 byte PIN block), his account number (PAN), and suitable routing information, is then sent via the acquirer (HPC X) and switched to the issuer (HPC Y).

Upon receiving the debit request, the HPC Y verifies that the PIN correlates properly with the customer's PAN, and that the customer's account balance is sufficient to cover the $85.00 transfer. If the PIN check fails, the user is normally given at least two more chances to enter the correct PIN. If after the additional tries the PIN is still rejected, HPC Y sends a negative reply to HPC X. If the PIN is correct but the account balance is insufficient to cover the transfer, HPC Y denies the debit request by sending a negative reply or debit refusal (insufficient funds) message to HPC X. A message is then sent via the network to the grocer's EFT terminal indicating to the grocer that the funds transfer has been disapproved.

If the debit request is approved, HPC Y records the debit request, reduces the customer's account balance by $85.00, and transmits a positive reply or debit authorization message back to HPC X. Upon receiving the debit authorization HPC X takes two actions. A message is sent to the grocer's EFT terminal, indicating to the grocer that the funds transfer has been approved. Then HPC X credits the grocer's account with $85.00. This completes the transaction.

When the cardholder is authenticated by the issuer's HPC or the HPC of another designated node, the process is said to operate in the on-line mode. If the cardholder is authenticated by the terminal, the process is said to operate in the off-line mode.

EXAMPLE WITH CRYPTOGRAPHY

Consider now the same simple transaction in which cryptography is employed. This is illustrated in FIG. 3. In this case, the PIN block derived from the customer entered PIN (and, in some cases, other data) is encrypted with a secret PIN encrypting key PEK1. For sake of discussion, the PIN block format is assumed to be IBM encrypting PIN pad format. The PIN encrypting key is shared between the EFT terminal and the acquirer (HPC X).

At the acquirer (HPC X), the encrypted PIN block is translated from encipherment under PIN encrypting key PED1 to encipherment under PIN encrypting key PEK2. PEK2 is a PIN encrypting key shared between the acquirer (HPC X) and the switch. Likewise, at the switch, the encrypted PIN block is translated from encipherment under PEK2 to encipherment under PEK3. PEK3 is a PIN encrypting key shared between the switch and the issuer (HPC Y). The cryptographic PIN translation operation is accomplished via a PIN Translate instruction.

At the issuer (HPC Y), the encrypted PIN block is reformatted from IBM encrypting PIN pad format to IBM 3624 format. This cryptographic operation is also performed via a PIN Translate instruction, except here the input and output PIN encrypting keys can be the same. The operation consists of decrypting the PIN block under PEK3, reformatting the PIN block from the IBM encrypting PIN pad format to the IBM 3624 format and reencrypting the resultant PIN block under PEK3. (It is also possible to reencrypt the resultant PIN block under a different key PEK4.) The reformatted PIN block is then verified using a Verify PIN instruction. The Verify PIN instruction accepts as inputs the encrypted PIN block (in 3624 PIN block format), the PAN, the encrypted value of PEK3, and an encrypted system-defined PIN Generating Key PGK (also called a PIN validation key). Internally, the customer's PIN is recovered from the decrypted PIN block. This PIN is compared for equality with a similar system generated PIN derived from the customer's PAN, the decrypted PIN Generating Key (PGK), and other algorithm dependent data supplied to the instruction, which is unimportant to the discussion. The Verify PIN instruction returns a "1" if the entered PIN and internally computed PIN values are equal, otherwise it returns a "0".

The same algorithm used in PIN validation to create the internally computed PIN value is also used to generate PINs. Generated PINs can be output in clear or encrypted form.

In summary, four cryptographic instructions are required to properly support PIN processing functions: Create PIN Block, PIN Translate, Verify PIN, and Generate PIN. The Create PIN Block instruction creates a PIN block, in one of several formats from a customer entered PIN and other user and system dependent data, and encrypts the PIN block under a supplied encrypted PIN encrypting key (PEK). The PIN Translate instruction provides two functions. It can be used to reencipher a PIN block from encipherment under a first PIN encrypting key to a different second PIN encrypting key. It can also be used to reformat the PIN block, i.e., from a first PIN format to a second PIN format. The Verify PIN instruction is used in validating system generated PINs, i.e., PINs originally generated from a system PIN Generating Key (PGK). Clear PINs are ordinarily sent to respective cardholder using PIN mailers (special envelopes allowing the PINs to be printed on the inside of the envelope but such that the PIN does not appear on the outside of the envelope). The Generate PIN instruction is used in generating system supplied PINs. In those cases where customers select their own PINs, an offset value is recorded on the customer's bank card. The offset, when combined with the entered PIN value, produces a value (called the derived PIN) which can be compared for equality with the system generated PIN. Thus, the Verify PIN instruction is employed even in situations where customers select their own PIN values.

FIG. 4 shows two methods whereby a customer enters a personally selected PIN, i.e., via a non-encrypting PIN pad or via an encrypting PIN pad. The output in either case is sent to the PIN generating system. See FIG. 5. The PIN generating system optionally accepts a customer selected PIN (CSPIN), internally generates a PIN from the PAN and other data, then outputs either the internal PIN or its Offset from CSPIN, if CSPIN is provided. Offsets are written to the customer's new bank card. If CSPIN is not provided, the internally generated PIN is printed on a PIN mailer and mailed to the customer. The bank card with magnetically encoded PAN and optional Offset is also mailed to the customer. PIN Mailer printers and bank card writers may be located at remote sites.

PIN Processing Requirements

PIN processing requirements can be summarized as follows:

1. Generate PINs both in encrypted and clear form suitable for the preparation of PIN mailers.

2. Generate PIN offsets both in encrypted and clear form suitable for the preparation of bank cards.

3. Create a formatted PIN block from a customer entered clean PIN and encrypt the PIN block with a supplied PIN encrypting key.

4. Translate PINs from encipherment under a first encrypting key (PEK1) to encipherment under a different second encrypting key (PEK2).

5. Reformat PINs from one PIN block format to another PIN block format. But provide a controlling mechanism so that some translations are permitted and some can be denied.

6. Verify PINs using one or more algorithms (i.e., do the comparison using a clear customer entered PIN and a clear system generated PIN).

7. Verify PINs using a database of encrypted PINs (i.e., do the comparison using an encrypted customer entered PIN and an encrypted system stored PIN).

PINs Versus Keys, a Comparison

PINs are uniquely different from keys in several respects, which makes PIN management uniquely different from key management.

PINs, typically 4 digits in length, have far fewer combinations than do 56 bit keys. Consequently, PINs are particularly susceptible to dictionary attacks. In such an attack, the system interfaces and cryptographic instructions are manipulated to construct a dictionary of clear and encrypted PINs, where the PINs are stored in a single PIN block format and are encrypted under a fixed PIN encrypting key. If an intercepted encrypted PIN can be reformatted and translated to encryption under the same PIN encrypting key, then the unknown clear PIN value can be easily deduced by locating its encrypted value in the dictionary. With 4 digit PINs, the processing and storage requirements to carry out such an attack are negligible. However, since keys have 2**56 combinations, they are not susceptible to the same sort of dictionary attack. PINs are stored and transmitted in PIN blocks consisting of 16 decimal digits (or 8 bytes). Several PIN block formats have been standardized or have become industry-accepted de facto standards. They include:

ANSI 9.8

ISO FORMAT 0

VISA FORMAT 1 (least significant account number)

VISA FORMAT 4 (most significant account number)

IBM 4736

ECI FORMAT 1

ISO FORMAT 1

ECI FORMAT 4

VISA FORMAT 2

VISA FORMAT 3 (PIN can only be 4 digits)

IBM ENCRYPTING PIN PAD (4704 EPP)

IBM 3624

IBM 3621 and 5906

ECI FORMAT 2

ECI FORMAT 3

ANSI 9.8x

IBM NON-ENCRYPTING PIN PAD

DIEBOLD, DOCUTEL, NCR

BURROUGHS

A significant portion of PIN processing consists of PIN block creation, reformatting from one PIN block format to another, and PIN recovery (extracting the PIN from the PIN block). On the other hand, keys are always stored as 64 bits, consisting of 56 independent key bits and 8 bits that can be used for parity. Unlike PIN management, which must recognize several PIN block formats, key management processes keys in only one format.

In simple terms, PINs exist so that they can be verified. Keys can also be verified, but their primary reason for existence is to provide confidentiality and integrity to data (and keys) via cryptographic means. Several industry-accepted PIN Verification Algorithms are available for authenticating PINs.

PINs appear in clear form at the point of entry to the system (i.e., when a PIN related transaction is requested) and when generated for the purpose of issuing PIN mailers. Personal keys may appear in clear form at the entry point to the system, but system keys will appear in clear form at the entry point only during installation. Thus, PINs and keys are managed differently.

PINs Versus Data, a Comparison

PINs are an integral part of the EFT and POS financial transactions, and must be used in accordance with a pre-estabilished agreement which defines the liability imposed on each party to the agreement for loss of money resulting from a discovered PIN. Consequently, once encrypted, the PIN is never decrypted. All PIN verification is performed with the encrypted PIN, or with the clear PIN inside the secure boundary of the cryptographic facility.

Data, on the other hand, is encrypted by a sender (device or application program) and decrypted by a receiver (device or application). Otherwise, received data would be of no use. This defines a fundamental difference in the management of PINs and the management of data.

PIN Security and PIN Processing

It is important to recognize that PINs have their own unique security and processing requirement, distinct from keys and data.

Options are needed for both system specified and user specified PINs. Standards exist which define PIN block formats, to which the implementer must conform. Proprietary modes of PIN processing also exist. Extra defenses are necessary to prevent electronic speed attacks which can accumulate a dictionary of clear and encrypted PINs.

It is important for new equipments and methods for managing and handling PINs to be compatible with existing equipments and methods for managing and handling PINs. However, new equipments can offer enhanced PIN security without jeopardizing compatibility with existing equipments.

Prior art methods for handling various PIN formats and providing compatibility with clear PIN interfaces have been inadequate from security, complexity, and useability standpoints. With the proliferation of PIN formats, methods to associate PIN format to PIN encrypting key for cryptographic separation have become unwieldy. Methods to associate PIN Verification algorithm to PIN generating key for cryptographic separation have likewise become complex and unmanageable. PIN format translation has been inadequately controlled to prevent conversions from PIN formats of a given cryptographic strength to ones of lesser strength. Compatibility with older systems employing clear PIN interfaces has been been satisfied with similar clear PIN interfaces which expose systems to attack wherein clear PIN inputs permit construction of dictionaries of clear and encrypted PINs. Furthermore, prior art methods to cryptographically separate clear and encrypted PIN interfaces have been inadequate from a system complexity and useability standpoint. Prior art methods do not provide the security administrator with flexible, secure methods for configuring the PIN processing systems to support compatibility requirements.

OBJECTS OF THE INVENTION

It is an object of the invention to provide an improved method of cryptographic PIN processing.

It is another object of the invention to provide an improved method of cryptographic PIN processing which is more flexible than in the prior art.

It is another object of the invention to provide an improved method of cryptographic PIN processing which controls the use of clear PIN interfaces in accordance with a security policy established by the system manager.

It is another object of the invention to provide an improved method of cryptographic PIN processing which restricts the translation of PINs from one format to another format based on the security policy established by the system manager.

It is another object of the invention to provide a method of cryptographic PIN processing which builds into the storage of a PIN encrypting key the authority to encrypt a selected PIN block format.

It is another object of the invention to provide an improved method of cryptographic PIN processing which builds into the storage of a PIN generating key the authority to use that key with a selected PIN verification algorithm.

SUMMARY OF THE INVENTION

These and other objects, features and advantages are accomplished by the invention disclosed herein. Cryptographic PIN processing is achieved in an improved manner by associating control vectors with the PIN generating (verification) keys and PIN encrypting keys which provide authorization for the uses of the keys intended by the originator of the keys. The originator may be the local cryptographic facility (CF) and a utility program under the control of a security administrator, or the originator may be another network node which uses the key management methods described in the above-referenced copending patent applications to distribute said keys.

Among the uses specified by the control vector are limitations on the authority to use the associated key with certain PIN processing instructions, such as PIN generation, verification, translation and PIN block creation. Furthermore, the control vector may limit the authority of certain instructions to process clear PIN inputs (such as in PIN verification). The control vector may contain information identifying and, possibly restricting, PIN processing to a particular PIN format or particular processing algorithm.

The control vector implementation provides a flexible method for coupling format, usage, and processing authorization to keys. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Furthermore, a method is provided for the security administrator to restrict certain PIN format translations.

The control vector implementation also provides an improved level of security by isolating clear and encrypted PIN processing and by coupling PIN formats to generating and encrypting keys.

BRIEF DESCRIPTION OF THE FIGURES

These and other objects, features and advantages of the invention will be more fully appreciated with reference to the accompanying figures.

FIG. 1 illustrates an EFT network configuration which supports interchange.

FIG. 2 shows a non-cryptographic PIN processing transaction in an EFT network.

FIG. 3 shows a cryptographic PIN processing transaction in an EFT network.

FIG. 4 shows two methods for entering a customer selected PIN into a PIN generating (or card issuing) system.

FIG. 5 shows a PIN generating system for the card issuer. PIN Offsets, PANs and other data are written to new bank cards at local or remote stations. PINs are printed on secure PIN mailers at local or remote printer stations.

FIG. 6 is the control vector format for PIN-Encrypting Keys.

FIG. 7 is the control vector format for PIN-Generating Keys.

FIG. 8 is a block diagram of the Create Pin Block instruction.

FIG. 9 is a block diagram of the Generate IBM 3624 PIN instruction.

FIG. 10 is a block diagram of the Verify IBM 3624 PIN instruction.

FIG. 11 is a block diagram of the PIN Translate instruction.

FIG. 12 is a block diagram of the data processing system with the cryptographic facility.

DESCRIPTION OF THE BEST MODE FOR CARRYING OUT THE INVENTION

Reference is made to the copending patent application by S. M. Matyas, et al, referred to above for an overall description of the principles underlying the invention disclosed herein.

Cryptographic PIN processing is achieved in an improved manner by associating control vectors with the PIN generating (verification) keys and PIN encrypting keys which provide authorization for the uses of the keys intended by the originator of the keys. The originator may be the local cryptographic facility (CF) and a utility program under the control of a security administrator, or the originator may be another network node which uses the key management methods described in the above referenced copending patent application to distribute said keys.

Among the uses specified by the control vector are limitations on the authority to use the associated key with certain PIN processing instructions, such as PIN generation, verification, translation, and PIN block creation. Furthermore, the control vector may limit the authority of certain instructions to process clear PIN inputs (such as in PIN verification). The control vector may contain information identifying and, possibly restricting, PIN processing to a particular PIN format or particular processing algorithm.

The control vector implementation provides a flexible method for coupling format, usage, and processing authorization to keys. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Furthermore, a method is provided for the security administrator to restrict certain PIN format translations.

The control vector implementation also provides an improved level of security by isolating clear and encrypted PIN processing and by coupling PIN formats to generating and encrypting keys.

The following are some of the PIN processing instructions and the salient security features provided by the control vector implementation.

1. Create PIN Block

The create PIN block (CPINB) instruction illustrated in FIG. 8, creates a PIN block in one of several possible PIN block formats and encrypts the PIN block with a specified PIN encrypting key. The PIN block is created from a clear PIN and, as necessary, other user or system specific data specified as inputs to the CPINB instruction.

2. Generate IBM 3624 PIN

The generate PIN (GPIN) instruction illustrated in FIG. 9 produces a formatted PIN block from a generated PIN or a PIN offset from a generated PIN and a specified customer-selected PIN. The GPIN instruction generates PINs using one of several possible PIN generation algorithms. The desired PIN generation algorithm is specified via a parameter input to the GPIN instruction. Each PIN generation algorithm generates PINs from a common, secret PIN generating key and other user-, system-and algorithm-specific data supplied as inputs to the GPIN instruction.

3. Verify IBM 3624 PIN

The verify PIN (VPIN) instruction illustrated in FIG. 10, produces a 1 (yes) or 0 (no) indicating whether a specified input PIN is equal to an internally generated PIN. The VPIN instruction supports both clear and encrypted modes for the input PIN, although these modes can be further restricted via the control vector of the PIN generating key. The input PIN is always formatted and must conform to the allowed PIN block formats permitted by the VPIN instruction. When encrypted, the PIN block is encrypted using a PIN encrypting key. Internally, the VPIN instruction generates PINs using one of several possible PIN generation/verification algorithms. The desired PIN generation/verification algorithm is specified via a parameter input to the VPIN instruction. Each PIN generation/verification algorithm generates PINs from a common, secret PIN generating key and other user-, system-and algorithm-specific data supplied as inputs to the VPIN instruction.

4. PIN Translate

The PIN translate (PINT) instruction illustrated in FIG. 11 causes an input formatted PIN block enciphered under a first PIN encrypting key to be reenciphered under a second PIN encrypting key, or to be reformatted to a different PIN block format and then encrypted under the same PIN encrypting key, or to be reformatted to a different PIN block format and then reencrypted under a second PIN encrypting key.

FIG. 12 gives a block diagram representation of the data processing system with the cryptographic facility therein. In FIG. 12, the data processing system 2 executes a program such as crypto facility access programs and application programs. These programs output cryptographic service requests for PIN management using cryptographic keys which are associated with control vectors. The general format for a control vector is shown in FIG. 6. Control vectors define the function which the associated key is allowed by its originator to perform. The cryptographic architecture invention herein is an apparatus and a method for validating that PIN processing functions requested for a cryptographic key by the program, have been authorized by the originator of the key.

As is shown in FIG. 12, contained within or associated with the data processing system 2 is a cryptographic facility 4 which is characterized by a secure boundary 6. An input/output path 8 passes through the secure boundary 6 for receiving the cryptographic service request, cryptographic keys and their associated control vectors from the program. The input/out path 8 outputs responses to those cryptographic requests from the cryptograhic facility. Included within the secure boundary 6 is a cryptographic instruction storage 10 which is coupled by units of the bus 12 to the input/output path 8. A control vector checking units 14 is coupled to the instruction in storage 10 and a cryptographic processing units 16 is also coupled to the instruction storage 10. A master key storage 18 is coupled to the cryptographic processing unit 16. The cryptographic facility 4 provides a secure location for executing PIN processing functions in response to the received service request.

The cryptographic instruction storage 10 receives over the input/output path 8 a cryptographic service request for performing a PIN processing function with a cryptographic key. The control vector checking unit 14 has an input coupled to the input/output path 8, for receiving a control vector associated with the cryptographic key. The control vector checking unit 14 also has an input connected to the cryptographic instruction storage 10, for receiving control signals to initiate checking that the control vector authorizes the key management function which is requested by the cryptographic service request.

The control vector checking unit 14 has an authorization output 20 which is connected to an input of the cryptographic processing unit 16, for signalling that PIN processing function is authorized, the receipt of the authorization signal by the cryptographic processing unit 16 initiates the performance of the requested PIN processing function with the cryptographic key. A cryptographic key storage unit 22 is coupled to the cryptographic facility 14 over the input/output path 8. The cryptographic key storage unit 22 stores the cryptographic key in an encrypted form in which the cryptographic key is encrypted under a storage key which is a logical product of the associated control vector and the master key stored in the master key storage 18.

An example of recovering an encrypted key from the cryptographic key storage 22 occurs when the cryptographic instruction storeage 10 receives over the input/output path 8 a cryptographic service request for recovering the cryptographic key from the cryptographic key storage units 22. The control vector checking unit 14 will then output in response thereto, an authorization signal on line 20 to the cryptographic processing unit 16 that the function of recovering the cryptographic key is authorized. The cryptographic processing unit 16 will then operate in response to the authorization signal on line 20, to receive the encrypted form of the cryptographic key from the cryptographic key storage 22 and to decrypt the encrypted form under the storage key which is a logical product of the associated control vector and the master key stored in the master key storage 18.

The storage key is the exclusive-OR product of the associated control vector and the master key stored in the master key storage 18. Although the logical product is an exclusive OR operation in the preferred embodiment, it can also be other types of logical operations.

The associated control vector, whose general format is shown in FIG. 6, is stored with the encrypted form of its associated cryptographic key in the cryptographic key storage 22. Since all keys stored on a cryptographic storage encrypted under the master key, a uniform method for encryption and decryption of encrypted keys thereon can be performed.

The associated control vector, whose general format is shown in FIG. 6, includes fields defining the authorized types of cryptographic functions, including key management functions, data encryption/decryption functions and personal identification numbers (PIN) processing functions. In the PIN processing applications, the PIN processing functions type is designated for the type field. The associated control vector also includes additional fields which can define export control for the keys and associated encrypted information and the usage of the keys and associated encrypted information.

    ______________________________________
    Notation - The following notation is used herein:
    ECB      Electronic code book
    CBC      Cipher block chaining
    KM       128 bit Master key
    KEK      128 bit Key encrypting key
    K        64 bit key
    *K       128 bit key
    (*)K     64 or 128 bit key
    KD       64 bit data encrypting key
    KK       64 bit Key encrypting key
    *KK      128 bit Key encrypting key
    KKo      offset 64 bit Key encrypting key
    *KKo     offset 128 bit Key encrypting key
    (*)KKo   offset 64 or 128 bit Key encrypting key
    *KKNI    128 bit partial notarizing Key encrypting
             key
    *KN      128 bit notarizing key, equivalent to
             *KKNIo
    cx       64 bit control vector
    CxL      64 bit left control vector
    CxR      64 bit right control vector
    XOR or xor
             exclusive or operation
    or       logical or operation
    X '0'    Hex notation
    11       concantentation operation
    [x]      optional parameter x
    not =    not equal
    E or e   single encryption
    D or d   single decryption
    EDE or ede
             triple encryption
    DED or ded
             triple decryption
    Equations
             The function of each instruction is
             mathematically denoted in the form:
             Il, I2, I3, I4,... --- 01, 02, 03,...
             where Il, I2, I3,... are the inputs to the
             function and 01, 02, 03,... are the outputs
             from the function.
    KM.Cx        (KML XOR Cx) 11 (KMR XOR Cx) =
                 KMY 11 KMX
                 where, KML = Left 64 bits of the master key
                 KM,
                 KMR = right 64 bits of the master key KM,
                 KMY = KML XOR Cx
                 KMX = KMR XOR Cx
    e*KM.Cx(key) e*KM.Cx(key) = eKMY(dKMX(eKMY(key)))
                 where, KMY = KML XOR Cx
                 KMX = KMR XOR Cx
                 key = 64 bit key
    e*KEKn.CX(key)
                 e*KEKn.Cx(key) = eKEKY(dKEKX(eKEKY(key)))
                 where, KEKY = KEKnL XOR CxL
                   KEKX = KEKnR XOR CxR
                   key = 64 bit key
    e*KM.CxL(KEKnL)e*KM.CxL(KEKL) = eKMY)dKMX(eKMY(KEKnL)))
               where, KEKL = left 64 bits of KEK
                   KMY = KML XOR CxL
                   KMX = KMR XOR CxL
    e*KM.CxR(KEKnR)e*KM.CxR(KEKR) = eKMY(dKMX(eKMY(KEKnR)))
               where, KEKR = right 64 bits of KEK
                   KMY = KML XOR CxR
                   KMX = KMR XOR CxR
    e*KEKo(key)  e*KEKo(key) = eKEKLo(dKEKRo(eKEKLo(key)
                 where, KEKLo = KEKL XOR cntr
                   KEKRo = KEKR XOR cntr
                   cntr = implicit 64-bit key-message
                   counter for KEK
                   key = 64 bit key
    ______________________________________

    ______________________________________
    Equation:
    e*KM.C1(KPE),PIN,format-out,
    pad-in,seq-in,pan,a-pin-len,C1
    --eKPE(PIN BLOCK)
    Inputs:
    e*KM.C1(KPE)
               KPE is the 64 bit PIN encrypting key triple
               encrypted under KM with a control vector C1 and
               used to encrypt the input PIN.
    PIN        1 to 16 decimal digits in clear.
    format-out 4 bit code indicating the PIN format to be used
               for the pin block.
               0000: IBM 3624 format
               0001: IBM 3621 format
               0010: ANSI format
               0011: 4704 format (encrypting key pad)
               0100: Docutel, Diebold, NCR
               0101: Burroughs
               0110: ISO format
               0111: not used
               lXXX: not used
    pad-in     This is a pad-in character, a 4 bit value from
               X'0]to X]F], to be used to format a PIN
               according to the PIN format. The pad character
               and the number of padding characters depend upon
               the type of format.
    seq-in     A two byte Sequence number. If the PIN format
               requires only a one byte sequence number, then
               the least significant byte of seq-in will be
               used. Seq-in may or may not be required
               depending upon the format.
    pan        Twelve 4-bit digits representing the "rightmost"
               least significant 12 digits of the primary
               account number. Pan may or may not be required
               depending upon the format.
    a-pin-len  Cl is the control vector for the input pin
               encrypting key.
    Outputs:
    eKPE(PIN BLOCK The formatted PIN Block encrypted under the
    pin encrypting key KPE.
    ______________________________________

    ______________________________________
    Equation:
    e*KM.C1(KPG,[e*KM.C2(KD)]
    e*KM.C3(KPE),out-mode,eKPE(CPIN,[CPIN]
    dec-tab,val-data,a-pin-len,pad,cpin-mode,c1,[C2],C3
    --PIN        (Out-mode=0)
    --eKD(PIN)   (Out-mode=1)
    --Offset     (Out-mode=2)
    --eKD(Offset)
                 (Out-mode=3)
    Inputs:
    e*KM.Cl(KPG)
               KPG is the 64 bit Pin generating key, triple
               encrypted under KM with a control vector C1.
    e*KM.C2(KD)
               KD is the 64 bit data key, triple encrypted
               under KM with a control vector C2 and used to
               encrypt the generated PIN or the generated
               Offset. This optional parameter must be
               provided for out-mode =1 or out-mode =3.
    e*KM.C3(KPE)
               KPE is the 64 bit Pin encrypting key, triple
               encrypted under KM with a control vector C3 and
               used to encrypt the customer PIN.
    out-mode   Output mode indicates the form of output
               required.
               0: Clear PIN output
               1: eKD(PIN)
               2: Offset
               3: eKD(Offset)
    eKPE(CPIN) CPIN is a 64 bit (16 decimal coded digits),
               customer selected PIN. Used to generate the
               Offset, this is an encrypted form of the
               customer selected PIN under the PIN encrypting
               key. The default is encrypted customer selected
               PIN to this function. (CPIN is a formatted PIN
               in IBM 3624 format.)
    CPIN       CPIN is a 64 bit (16 decimal coded digits),
               customer selected PIN in clear form. This
               optional input must be provided if cpin-mode = 0
               is specified to the function. The clear
               customer PIN will be only permitted if the PIN
               generating key permits clear PINs to the
               function. The clear customer PINs are permitted
               by the CCA to be compatible with the existing
               system requirements.
    dec-tab    Decimalization TABLE is a 64 bit plain input
               which represents 16 decimal digits to be used in
               the PIN generation process.
    val-data   Validation data is a 64 bit plain user's data,
               padding included. Ordinarily it will be the
               user's PAN.
    a-pin-len  a-pin-len is a 4 bit number (1-16) indicating
               how many digits of the generated PIN are
               assigned to the customer, and represents the
               number of digits in the intermediate PIN.
    pad        This is a pad character, a 4 bit value from X'A'
               to X'F', to be used to format a PIN according to
               IBM 3624 PIN format. There could be 0-15 pad
               characters (16 - number of pin characters = pad
               characters).
    cpin-mode  cpin-mode specifies whether a clear customer PIN
               or encrypted customer PIN is passed to the
               function. The control vector checking is
               enforced on the pin generating key to insure the
               security of using encrypted pins from the clear
               pins.
               0: clear CPIN
               1: encrypted CPIN
    C1,C2,C3   C1, C2 and C3 are the control vectors for KPG,
               KD and KPE respectively. C2 is an optional
               control vector which must be supplied if the
               output-type specified is either 1 or 3.
    Outputs:
    PIN:       This is a 64 bit IBM 3624 formatted PIN output
               in the clear. Padding and formatting is done
               internal to the hardware.
    eKD(PIN)   eKD(PIN) is the 64 bit formatted PIN encrypted under
               data key KD. Decipher data instruction can be used
               to decipher the PIN in some other node for PIN
               mailing purposes. (A secure PC can be used to
               decrypt these encrypted PINs and print for mailing).
               No decryption of PINs are allowed in the generating
               node.
    Offset     Offset is a 64 bit data, representing 1-16
               decimal digits, used by the PIN verification
               process if the PIN was user selected. The
               offset data reflects the difference between the
               PIN that is selected by the customer (denoted
               CPIN) and the PIN that is generated by the
               verification (denoted PIN).
    ______________________________________

    ______________________________________
    Equation:
    e*KM.C1(KPV), e*KM.C2(KPE), eKPE(PIN) [PIN]
    dec-tab,val-data,a-in-len,p-chk-len,offset,pin-mode,C1,C2
    -- PIN OK or PIN NOT OK
    Inputs:
    e*KM.C1(KPV)
               KPV is the 64 bit PIN validation key, triple
               encrypted under KM with a control vector C1.
               PIN generating key (KPG) and the PIN validation
               key (KPV) have to be one and the same keys to
               verify the PIN. The key names KPV and KPG are
               used for the notation only.
    e*KM.C2(KPE)
               KPE is the 64 bit PIN encrypting key, triple
               encrypted under KM with a control ector C2.
    eKPE(PIN)  eKPE(PIN) is the 64 bit formatted PIN encrypted
               under PIN input protection key. Create PIN
               block is used to encrypt the formatted PIN. PIN
               is a 64 bit formatted PIN in IBM 3624 format.
               This s a standard input to the verify pin
               function.
    PIN        PIN is a 64 bit (16 decimal coded digits), input
               PIN in clear form. This optional input must be
               provided if pin-mode = 0 is specified to the
               function. The clear input PIN will be only
               permitted if the IN verification key permits
               clear PINs to the function. The clear input
               PINs are permitted by the CCA to be compatible
               with the existing system requirements.
    dec-tab    decimalization table is a 64 bit plain input
               which represents 16 decimal digits to be used in
               the PIN verification process.
    val-data   valid data is a 64 bit users data, padding
               included. Ordinarily it will be the user's PAN.
    a-pin-len  a-pin-len is the number (1-16) indicating how
               many digits of the generated PIN is assigned to
               the customer; this is the number of digits of
               the intermediate PIN.
    p-chk-len  p-chk-len is the number (1-16) indicating how
               many digits of the PIN assigned to the customer
               are checked in the verification process. These
               digits are selected from right to left from the
               Intermediate pin and customer entered PIN.
    offset     offset is a 64 bit data, representing 1-16
               decimal digits, used by the PIN verification
               process if the PIN was user selected. The
               offset data reflects the difference between the
               PIN that is selected by the customer and the
               intermediate PIN that is generated by the
               validation procedure.
    pin-mode   pin-mode indicates the PIN entered is in clear
               or encrypted.
               0: clear
               1: encrypted
    C1,C2      C1 and C2 are the control vectors for KPV and
               KPE
    Outputs:   PIN-OK or PIN-NOT-OK
    ______________________________________

    ______________________________________
    Equation:
    e*KM.C1(KPE1),[e*KM.C2(KPE2)],eKPE1(PIN),format-in,format-out,
    pad-in,pad-out,seq-in,seq-out,pan,kp2-mode,C1,C2
    -- eKPE2(PIN .sub.-- Block) or
    eKPE3(PIN .sub.-- Block), e*KM.C2(KPE3)
    Inputs:
    e*KM.C1(KPEl)
                 KPE1 is the 64 bit PIN encrypting key, triple
                 encrypted under KM with a control vector C1 and
                 used to encrypt the formatted PIN inputs.
    e*KM.C2(KPE2)
                 KPE2 is an optional 64 bit PIN encrypting key,
                 triple encrypted under KM with a control vector
                 C2, used to encrypt the translated PIN for
                 output. KPE2 may or may not be equal to KPE1.
                 If KPE2 is not supplied, a randomly generated
                 KPE3 will be used to encrypt the translated PIN.
    eKPE1(PIN)   This is a 64 bit encrypted formatted 1/2IN under
                 KPE1 key.
    format-in    This is a 64 bit encrypted formatted PIN under
                 KPE1 key.
    format-in    This is a 64 bit encrypted formatted PIN under
                 KPE1 key.
                 0000: IBM 3624 format
                 0001: IBM 3621 format
                 0010: ANSI format
                 0011: 4704 format (encrypting key pad)
                 0100: Docutel, Diebold, NCR
                 0101: Burroughs
                 0110: ISO format
                 0111: not used
                 1XXX: not used
    format-out   4 bit code indicating the PIN format output.
                 0000: IBM 3624 format
                 0001: IBM 3621 format
                 0010: ANSI format
                 0011: 4704 format (encrypting key pad)
                 0100: Docutel, Diebold, NCR
                 0101: Burroughs
                 0110: ISO format
                 0111: not used
                 1XXX: not used
    pad-in       This is a pad-in character, a 4 bit value from
                 X'0' to X'F', to be used to format a PIN
                 according to the PIN format. The pad character
                 and the number of padding characters depend upon
                 the type of format input.
    pad-out      This is a pad-out character, a 4 bit value from
                 X'0' to X'F', to be used to format a PIN
                 according to the PIN format. The pad character
                 and the number of padding characters depend upon
                 the type of format output.
    seq-in       A two byte Sequence number. If the input PIN
                 format requires only a one byte sequence number,
                 then the least significant byte of seq-in will
                 be used. Seq-in may or may not be required
                 depending upon the format-in.
    seq-out      A two byte Sequence number. If the output PIN
                 format requires only a one byte sequence number,
                 then the least significant byte of seq-out will
                 be used. Seq-out may or may not be required
                 depending upon the format-out.
    pan          Twelve 4-bit digits representing the "rightmost"
                 (least significant) 12 digits of the primary
                 account number. Pan may or may not be required
                 depending upon the format (Check digits not
                 included.)
    kp2-mode     kp2-mode indicates whether a key encrypting key
                 is supplied or has to be randomly generated
                 securely. When KPE2 is supplied, it is supplied
                 in encrypted form e*KM.C2(KPE2), so that the key
                 is not exposed in clear outside the crypto
                 facility.
                 0: KPE2 supplied
                 1: KPE3 has to be generated randomly
                 When KPE3 is generated randomly, it has to be
                 generated in the crypto facility and implies
                 that any reformat combination is allowed. When
                 KPE2 is supplied, certain translation
                 combinations must be disallowed based on an
                 implementation dependent, secure mapping table.
                 See Note under Description below.
    C1,C2        C1 and C2 are the control vectors for KPE1, KPE2
                 respectively. KPE2 is supplied or output
                 depending on kp2-mode equal to '0' or '1'. C2
                 is always supplied to the function.
    Outputs:
    eKPE2(PIN .sub.-- Block)
                 e(KPE2(PIN .sub.-- Block) is the 64 bit translated PIN
                 encyrpted under PIN encrypting key KPE2; the PIN
                 is translated according to the output format
                 specification.
    eKPE3(PIN .sub.-- Block),
                 eKPE3(PIN) .sub.-- Block) is the 64
    e*KM.C2(KPE3)
                 bit translated PIN encrypted under PIN
                 encrypting key KPE3; the PIN is translated
                 according to the output format specification.
                 e*KM.C2(KPE3) is a randomly generated triple
                 encrypted key, KPE3, under KM with a control
                 vector C2.
    ______________________________________

• Inventors
  Matyas, Stephen M.; Abraham, Dennis G.; Johnson, Donald B.; Karne, Ramesh K.; Le, An V.; Prymak, Rostislaw; Thomas, Julian; Wilkins, John D.; Yeh, Phil C.; Smith, Ronald M.;
• Assignee
  International Business Machines Corporation (Armonk, NY)
• Published
  May-8-1990
• Current US Classes:
  380/280
  380/45
  705/71
  705/72
• Application #
  398300
• International Classes
  H04L 009/02
• Field of Search
  380/21 380/23-25 380/45 380/49
• Examiner
  Gangialosi; Salvatore
• Agent
  Hoel; John E.
• US Patent References:
  4218738
  4223403
  4227253
  4386233
  4500750
  4503287
  4578530
  4633037
  4683968
  4713753
  4723283
  4723284
  4747050
  4755940