January 05, 2004

What is Triple DES?

What is Triple DES anyway?

Article below plus there was a nice whitepaper [pdf] by Ann All on Triple DES that can be
Triple DES Compliance

What is Triple DES?

Triple DES (Data Encryption Standard) is the new encryption standard being mandated by Visa and MasterCard. It replaces the existing standard simply known as DES or Single DES. Triple DES refers to the encryption or scrambling of the Personal Identification Number (PIN) that the ATM user enters during the ATM transaction process. This encryption is done after the PIN number is entered, but before the ATM requests transaction authorization at the ATM network. The name Triple DES was given to the new encryption standard because the PIN number entered by the ATM user is encrypted three times. The first operation uses the first half of an assigned double length key (series of numbers or letters) to encrypt the PIN. The second operation decrypts the previously encrypted PIN using the second half of the assigned double length key. The third operation reuses the first half of the double length key to re-encrypt the PIN. This encryption process may also be referred to as two-key triple encryption.

The new requirement is for the Triple DES encryption to occur inside the keyboard/encryptor, so the PIN is not available to the network or ATM application software until it is fully encrypted. The new keyboard and encryptor combination device is called an Encrypting PIN Pad or EPP, and is different from the encryptors offered on previous ATMs. On previous ATMs, the encryptor board and the keyboard were separate components, making them less secure than the new EPP.

Why is it Required?

Concerns have grown over the vulnerability of the present standard, DES. In 1999, an industry-approved academic project called DESCHALL 111 successfully used a network of computers to crack the DES encryption code. This was accomplished in less than 24 hours, showing that this type of attack was possible and affordable (the hardware used to do this cost $250,000), although it has never been accomplished in the real world. As a result of this study and the ever-increasing access to more and more powerful computers for fewer and fewer dollars, Visa and MasterCard are mandating that all PIN numbers be encrypted using the more advanced Triple DES Standard to prevent the potential theft of PIN numbers.

When do I have to Comply?

(Tentative Dates)

April 1, 2002 - All newly installed ATMs, newly installed merchant terminals that accept PINs, and Cardholder Activated Terminals must be Triple DES capable by this date. That is, they must be capable of adhering to Triple DES at the point of transaction. Newly installed refers to new ATM placements, ATMs being replaced at an existing location, and ATMs relocated from another location. This also includes POI terminals.

April 1, 2003 - All member processor host systems (networks) must be Triple DES compliant.

April, 2005 - All ATMs must be Triple DES compliant.

What is "ADA" and "ADAAG" and how does it affect Triple DES?

The Americans with Disabilities Act (ADA) or "ADAAG" was set up by the Government to ensure that anyone would be able to use an ATM regardless of physical capabilities or handicap. The Triple DES keyboard has a change in the color and position of the "CLEAR", "CANCEL", and "ENTER" keys. When you see a new Triple DES keyboard installed, it will look similar to the one shown in the diagram below. Thus, in addition to being Triple DES ready, the keyboards are meeting the new ANSI standards for ADA as well.

Private Audio Feature

In addition to the new keyboard standards, the NEW ADA requirements will include some form of AUDIO lead-through. The final ruling has not been made by the Government, but it is anticipated there will be a public and private AUDIO requirement for your ATMs. NCR has been marketing AUDIO capable machines for over a year. Your existing machine base may or may not have to be upgraded to meet these POTENTIAL new requirements. If you choose to go ahead and upgrade your AUDIO along with your Triple DES upgrade, the requirements for Audio are listed below.

Hardware Requirements:

* Digitized Audio Services enabled on all new units
* DAS functionality enabled under NDC 5.04.02
* 56XX or older 58XX can be upgraded
* Pentium Processor with Warp 4, 32 MB RAM, and 10 MB of free disk space are minimums for DAS audio

What do I need to do?

If you are upgrading an existing machine to Triple DES, you must decide whether or not you have the processing power to meet the AUDIO requirements.

The legislation is not finalized, and we do not know if existing units will be "Grandfathered" in. If not, you may have to go back and upgrade those processors that met the minimum requirements for Triple DES (486 66) to a Pentium based processor. The kit price for an audio upgrade is Call (K521). This will get you the hardware you need to be compliant. It will NOT make your ATM talk. That will require custom Audio tracks to match your machine download. These Audio "*.WAV" files will have to be installed on your machine, at an additional cost, in order for it to "talk".

For right now, you have to decide whether you want to upgrade an existing unit to "audio capable", or wait and see how the final legislation plays out.

If you are upgrading the processor for Triple DES purposes anyway, you may want to go ahead and add the audio hardware as well.

Article Link

Posted by Craig at January 5, 2004 09:57 PM