A clarification on encrypted PIN blocks and the recent US Target breach

There is a lot of FUD around with the recent Target breach in the US.

It seems that criminals were able to access the Point Of Sale (POS) registers at Target locations throughout America over the recent holidays.

They were able to capture 40-million transactions which included full magnetic track data and Encrypted PIN Blocks.

A Basic Retail Transaction Flow

Retail Transaction Flow
  1. Clerk scans items into the POS and selects card for transaction. POS then tells terminal to start transaction
  2. PIN Terminal prompts customer to swipe card and enter PIN/signature
  3. PIN Terminal extracts account number of track data of card, formats this and the PIN into a PIN block and generates Encrypted PIN Block (EPB) using current PIN Key
  4. PIN Terminal sends track data, EPB and transaction details to POS Terminal
  5. POS Terminal reformats data to suit merchant gateway/payment servers.
  6. Gateway sends data to the acquiring bank (the payment processor)
  7. acquiring bank sends EPB to their HSM. HSM decrypts the EPB, re-encrypts the PIN Block under its own key and sends result to issuing bank to check PIN.
  8. Acquirer then confirms PIN correct.
  9. Gateway tells POS that PIN is correct
  10. Customer leaves with purchases.

What is the Point Of Sale (POS)?

The POS is normally just a consumer OS with a custom applications for retail. Usually this is a version of windows (very frequently just Windows XP). The POS is most likely remotely administrated using the a VNC or RDP client. Naturally this has been where a significant number of breaches have occurred for example:

The POS is connected to the PIN terminal normally using a serial connection. It controls the PIN terminal through API commands through the serial connection and instructs the PIN terminal to start a transaction.

It's function is to provide the retailer with an interface to enter purchases and handle the cash register functions.

What is a PIN Terminal?

The PIN Terminal is a tamper resistant device expressly designed for the protecting of the PIN. It contains a number of cryptographic keys, most importantly the PIN encryption key.

PIN Terminals are certified under a number of different standards.

The most common one is the PCI - PIN Transaction Security (PCI-PTS) standard.

Terminals certified support the following key management schemes:

Fixed Key - PIN Key loaded and stored as a fixed value into the terminal.

Master Key / Session key (MK/SK) - PIN Key is loaded encrypted under a Master Key. PIN Key may be updated for each new transaction, or every day depending on the acquiring bank.

Derived Unique Key Per Transaction (DUKPT) - a unique PIN Key is generated for each new transaction. Transaction data is sent with the encrypted PIN block to allow for the Acquirer HSM to generate the PIN key for that transaction.

In terms of security DUKPT > MK/SK > Fixed

Target have not stated what key management they were using at this stage.

Terminals contain a number of protections against attacks on PINs and PIN blocks. These include ensuring that PIN Keys cannot be extracted from the terminal, PIN Keys are 112-bits long or greater and that only a maximum of 120 Encrypted PIN Blocks can be generated per hour. The standards also mandate that PIN Keys are at a minimum unique per terminal.

Okay how is the Encrypted PIN Block generated?

The PIN Terminal then prompts the customer to swipe the card, then enter their PIN. The account number is then copied from the card track data, combined with the PIN to form the plain-text PIN block.

The plain-text PIN block is then encrypted using the PIN terminals PIN Key to form the Encrypted PIN Block. (EPB)

The transaction data, plain-text track data and the EPB are then sent to the POS.

The plain-text PIN block formed into a fixed field as specified in the ISO 9564 standard, see this post by Matthew Green on further details of this.

The formed PIN block is then encrypted using the chosen PIN Key by the terminal in Electronic Code Book (ECB) mode.

So why are the PIN Blocks from the Target attack safe?

The Target attackers appear to have been able to grab the data sent from the POS system to the merchant gateway (Step 5 above). So this has given them a lot of sensitive data like track data and the Encrypted PIN Blocks.

Target has stated that the PIN Blocks were encrypted using Triple DES keys, so a brute force attack is out of the question.

Each PIN Block has been encrypted using the unique PIN Key on that POS's PIN Terminal. An attacker would have had to extract the PIN Key of the terminal where the PIN block originates from. This requires at a minimum physical access to that terminal. It is not feasible to extract the plain-text PIN keys remotely.

The Encrypted PIN Blocks combine both the account number and the entered PIN making it impossible to create a PIN dictionary with just the PIN numbers, you must have the corresponding account number.

Creating a PIN dictionary with the known account numbers is infeasible. It takes a maximum of 83.3 hours (10,000 blocks) to generate a 4 digit PIN dictionary IF the attacker has access to the PIN terminal that generated the encrypted PIN Block for 1 account number. Note that this is for ONE account number. Terminals usually rotate keys at least once a day for this reason and most likely Target have rolled all keys at the stores since the breach. 

So are you safe?

If you've shopped at target in the US over the the holidays I would suggest you order a new card from your bank. It also wouldn't be amiss to change your PIN as well just to be sure. Once thats done you should be fine.

Even if you didn't shop at Target make sure you keep track of your financial statements for any unknown transactions, this is just common sense.