US Patent awarded for HP Atalla Key Block innovation in encryption and key management


In June 2002, HP’s Atalla Security Products group ‘placed a bet’ that, by offering innovative technology in the form of a new key block to protect cryptographic keys in financial interchange networks, the group could gain market share for HP with products optimized for the new AKB. On June 24, 2008, the final payment on that bet paid out with the awarding of US patent number 7,392,384, specifically to the late Dale Hopkins, Susan Langford, Larry Hines, and Ching Chen, all of HP Atalla Security Products. The AKB and the resulting products reaffirmed HP Atalla, the pioneer in commercial cryptography, as the technological and market leader in securing the bank payments network.

A little background
Since 1998, single-length DES (Data Encryption Standard) had been proven vulnerable to a brute force attack in less than 3 days. The cryptographic algorithm which had been the cornerstone of ATM security since the 1970s had finally been overtaken by Moore’s Law. Since the most important asset of any financial institution is ‘trust’, this problem had to be addressed. The finance industry decided to migrate to the Triple DES algorithm (three DES operations with either two or three DES keys) because of the billions of dollars invested in a DES-based infrastructure.

HP Atalla changes the industry’s direction
In their studies, HP Atalla cryptographers determined that the ANSI industry standards prescribing Triple DES implementation, particularly for storing or transmitting keys, provided only a very small increment of security over single-length DES. To illustrate the problem, the group privately shared as many as fifteen different ways to break Triple DES key management with leading industry customers and respected cryptographers.

Indeed, in 2001 a University of Cambridge website illustrated how a knowledgeable adversary could break Triple DES in less than two days. The good folks at HP Atalla knew they had to act quickly before the worldwide bank payments network became imperiled by the widespread use of unprotected Triple DES keys. They decided to use the faster computers promised by Moore’s Law to design a more secure Triple DES implementation around the construct of the Atalla Key Block (AKB). Read more about the Atalla Key Block in a datasheet and white paper at www.atalla.com.

Placing the bet
HP Atalla introduced the AKB to hundreds of customers in a webinar given at the ACI BASE24 user group conference in September 2001. But the ‘placing of the bet’ was in offering the Atalla Key Block to the financial industry and in providing the industry with a new product set optimized for this technology. Atalla presented the AKB technology to the ANSI X9F6 committee, and it influenced the following documents:

  • ASC X9.24:  Symmetric Key Management of Symmetric Keys
  • ASC X9 TR-31:  Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms
  • ASC X9.102: Symmetric Key Cryptography For the Financial Services Industry: Wrapping of Keys and Associated Data

The standards process can be a very slow and time-consuming one, but the validity of the Atalla Labs claims was clear. In a ‘scant’ 18 months, ANSI had inserted the security requirements for a secure key block in Part One of X9.24. These requirements can be simply described as follows:

  • Attacker cannot change any attribute of any key
  • Attacker cannot change any bits of any key
  • Attacker cannot use part of a key as entire key
  • Attacker cannot rearrange any part of a key
  • Attacker cannot substitute parts of a key into another key
  • Attacker cannot identify single-length keys

These ‘benefits’ are worded as ‘requirements’ in the latest ASC X9 standards documents. See the link to the ANSI site here:
http://webstore.ansi.org/ansidocstore/product.asp?sku=ANSI+X9%2E24+%28Part+1%29%2D2002
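The six requirements above all come down to one property: the key’s attributes and the key material must be bound together under the key-block protection key so that any alteration is detected before the key is used. The toy key block below is an added example, not Atalla’s or HP’s code and not the AKB or X9 TR-31 format; it uses HMAC-SHA256 for both wrapping and integrity, a constructed 8-byte attribute header and a constructed protection key (KBPK), and then applies each forbidden manipulation from the list to show that the block is refused.

```python
import hmac, hashlib, os, struct

KBPK = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")  # constructed

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(kbpk, header, nonce, n):
    # Counter-mode keystream from HMAC-SHA256 under an ENC subkey, bound to header and nonce.
    enc = _mac(kbpk, b"ENC")
    return b"".join(_mac(enc, header + nonce + struct.pack(">I", i)) for i in range(-(-n // 32)))[:n]

def wrap(kbpk, header, key):
    """header: constructed 8-byte attribute field (usage, algorithm, mode of use, exportability)."""
    assert len(header) == 8 and 1 <= len(key) <= 32
    nonce = os.urandom(16)
    # Length field + key + random pad: fixed-size body, so the block never reveals the key length.
    body = struct.pack(">H", len(key)) + key + os.urandom(34 - len(key))
    ct = bytes(x ^ k for x, k in zip(body, _keystream(kbpk, header, nonce, 36)))
    return header + nonce + ct + _mac(_mac(kbpk, b"MAC"), header + nonce + ct)  # 92 bytes

def unwrap(kbpk, block):
    """Return (header, key), or raise ValueError if any byte of the block was altered."""
    header, nonce, ct, tag = block[:8], block[8:24], block[24:60], block[60:]
    if len(block) != 92 or not hmac.compare_digest(tag, _mac(_mac(kbpk, b"MAC"), header + nonce + ct)):
        raise ValueError("key block rejected: MAC over attributes and key failed")
    body = bytes(x ^ k for x, k in zip(ct, _keystream(kbpk, header, nonce, 36)))
    n = struct.unpack(">H", body[:2])[0]
    if not 1 <= n <= 32:
        raise ValueError("key block rejected: bad length field")
    return header, body[2:2 + n]

def rejected(kbpk, block):
    try:
        return unwrap(kbpk, block) is None  # unwrap always returns a tuple, so this is False
    except ValueError:
        return True

def tamper_checks(kbpk):
    """Apply each manipulation the X9.24 requirements forbid; True means the block was refused."""
    a = wrap(kbpk, b"P0TD00E0", bytes.fromhex("0123456789abcdeffedcba9876543210"))  # constructed key
    b = wrap(kbpk, b"P0TD00E0", bytes.fromhex("00112233445566778899aabbccddeeff"))  # constructed key
    flip = lambda blk, i: blk[:i] + bytes([blk[i] ^ 1]) + blk[i + 1:]
    return {
        "attribute_changed": rejected(kbpk, flip(a, 7)),                       # header byte
        "key_bit_changed":   rejected(kbpk, flip(a, 30)),                      # ciphertext byte
        "part_used_as_key":  rejected(kbpk, a[:42] + a[60:]),                  # key half dropped
        "parts_rearranged":  rejected(kbpk, a[:24] + a[42:60] + a[24:42] + a[60:]),
        "parts_substituted": rejected(kbpk, a[:24] + b[24:42] + a[42:60] + a[60:]),
    }
```

Every entry returned by `tamper_checks` is True: the MAC over header plus wrapped key catches attribute, bit, ordering and splicing changes, and the fixed block size with an inner length field catches truncation and hides whether a single- or double-length key is inside.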

Doubling down
Although marshalling the AKB through the standards process was an intense effort, it fell to the small group of inventors mentioned above. It was the entire HP Atalla organization that ‘doubled down’ on the AKB bet by designing new hardware and software products and conducting a marketing campaign around the AKB.

In June 2002, so that customers could use the more compute-intensive AKB key management, HP Atalla announced the faster HP Atalla Ax100 Network Security Processor (NSP) product line optimized for the AKB. The Atalla Ax100 NSP product included the Atalla Cryptographic Engine (ACE), which received FIPS 140-2 level three validation from NIST and assured robust physical security and strong key management.

In October 2006, the Ax100 evolved into the even faster HP Atalla Ax150 NSP product line, whose Atalla Cryptographic Subsystem (ACS) recently received FIPS 140-2 level four validation, the highest level of certification attainable for a cryptographic product. Today, HP Atalla security appliance products, optimized for the AKB, secure the ATM, POS, and EFT transactions of all of the top ten banks and switches in the US, of specialty retailers and oil and gas companies, and of over a thousand financial institutions worldwide.

Back on the standards front
When the AKB’s security requirements were accepted by the ANSI committees, the standards effort was not done. It now fell on the AKB inventors to prove to the standards bodies that the Atalla Key Block was the best key block implementation to secure banks’ Triple DES implementations. Out of fifteen key block contestants, one would be crowned as standard bearer. One by one, the HP Atalla team would show that the Atalla Key Block excelled in cryptographic security, in performance, and in the flexibility to meet future, perhaps unknown, requirements. In the end, only formatting changes were made from the AKB to create the new ANSI Key Block.
Now the de facto standard, AKB-based key management products from HP protect the many thousands of unique ATM keys in a financial institution from even a knowledgeable insider. This means nothing to cryptographers, who tend to see the glass as half empty. Talk of migrating the bank payments network to the AES symmetric algorithm, stronger and faster than Triple DES, is rampant. But the AKB will still be there to allow these new technologies to perform as advertised.


© 2008 Hewlett-Packard Development Company, L.P.