Utimaco Atalla AT1000 and PIN Translation

Here we will explain the different environments that may exist around PIN translation and answer such questions as:

  • What are they used for?
  • What are the other actors in the banking industry exchanging information with the Utimaco Atalla AT1000?
  • What is the ecosystem around the Utimaco offering?

PIN Translation: What is It?

One of the main reasons for using an HSM such as the Utimaco Atalla AT1000 is PIN Translation. This is the process of decrypting, converting, and re-encrypting ISO PIN blocks between different encryption keys.


In the ecosystem described by the illustration, ISO PIN blocks are transmitted from one network to another for various reasons, and the keys used on one network cannot be used on another. Encrypted PINs transmitted across these networks must therefore be securely “translated” from one encryption to another.

For example, a bank customer who is outside his country of residence is withdrawing money from an ATM. The ATM needs to access the customer's bank account in his country of residence. The PIN that is entered at the ATM is encrypted locally and then sent through various financial networks until it reaches the customer’s home bank. The home bank must verify the PIN (“online PIN”) and return authorization before the ATM can allow access. 

During the transit on intermediate systems (between networks), the different parties can use the PIN translation service to re-encrypt a PIN block from one key to another. The PIN Translation service ensures that PINs never appear in the clear and that the keys for encrypting the PIN are isolated on their own networks.

Overview of the Cryptographic Protocol Used for PIN Translation

The way the decryption and encryption keys are communicated between the parties is relatively complex. It involves a ZMK (Zone Master Key) and a ZPK (Zone PIN Key). The ZPK is the key that encrypts or decrypts the PIN blocks during the transfers.

A typical PIN translation will convert between different formats, for example, conversion from an ISO-1 to an ISO-2 format.
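The translation step described above, as an added example (not Utimaco or Atalla code): clear ISO 9564 PIN blocks in formats 0, 1 and 2 are built and parsed, and `translate` decrypts under one zone key, re-encodes, and re-encrypts under the next. It goes beyond the ISO-1 to ISO-2 case by also covering the PAN-bound format 0. The function names, the sample PAN and keys, and the XOR `stand_in_cipher` are assumptions for illustration; a real HSM uses its own block cipher under the zone keys and never returns the clear block.

```python
import secrets

def pan_field(pan: str) -> int:
    # Format 0 PAN field: 0000 + rightmost 12 PAN digits, check digit excluded.
    return int(pan[:-1][-12:], 16)

def encode(fmt: int, pin: str, pan: str = "") -> bytes:
    """Build a clear 8-byte ISO 9564 PIN block in format 0, 1 or 2."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    head = f"{fmt:X}{len(pin):X}{pin}"           # control nibble, length, PIN
    if fmt == 0:                                  # F fill, then XOR with the PAN field
        return (int(head.ljust(16, "F"), 16) ^ pan_field(pan)).to_bytes(8, "big")
    if fmt == 1:                                  # random fill, no PAN binding
        return bytes.fromhex(head + secrets.token_hex(8)[:16 - len(head)])
    if fmt == 2:                                  # F fill, no PAN binding
        return bytes.fromhex(head.ljust(16, "F"))
    raise ValueError("unsupported PIN block format")

def decode(block: bytes, pan: str = "") -> str:
    """Recover the PIN from a clear block, rejecting malformed input."""
    fmt = block[0] >> 4 if len(block) == 8 else -1
    if fmt not in (0, 1, 2):
        raise ValueError("unsupported PIN block")
    value = int.from_bytes(block, "big") ^ (pan_field(pan) if fmt == 0 else 0)
    digits = f"{value:016X}"
    n = int(digits[1], 16)
    pin, fill = digits[2:2 + n], digits[2 + n:]
    if not (4 <= n <= 12 and pin.isdigit()) or (fmt != 1 and fill.strip("F")):
        raise ValueError("malformed PIN block (wrong key or wrong PAN?)")
    return pin

def stand_in_cipher(key: bytes):
    # NOT 3DES: XOR placeholder for the HSM's block cipher, so this runs on stdlib.
    return lambda block: bytes(a ^ b for a, b in zip(block, key))

def translate(enc_block, decrypt_in, encrypt_out, fmt_out, pan=""):
    # Inside the HSM boundary: the clear PIN exists only within this function.
    pin = decode(decrypt_in(enc_block), pan)
    return encrypt_out(encode(fmt_out, pin, pan))

# Constructed sample values (not real keys or card data).
PAN = "43219876543210987"
ZONE1 = stand_in_cipher(bytes.fromhex("0123456789ABCDEF"))
ZONE2 = stand_in_cipher(bytes.fromhex("FEDCBA9876543210"))

def demo() -> str:
    incoming = ZONE1(encode(1, "1234"))           # ISO-1 block under the zone 1 key
    outgoing = translate(incoming, ZONE1, ZONE2, 0, PAN)
    return ZONE2(outgoing).hex().upper()          # clear ISO-0 block, for inspection only
```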

Here we represent a typical PIN translation from one zone to another:

Key Exchange in a PIN Translation flow

Here we represent how encryption (and decryption) keys are exchanged between the actors of a PIN verification flow. The minimal flow consists of the:

  1. Acquiring bank
  2. Processor (here Visa)
  3. Issuing bank

All keys used for PIN Translation are exchanged between the zone HSMs via a common key, the Zone Master Key (ZMK).

Zone 1 (ATM -> Acquiring bank) will use a common key: the ZPK (Zone PIN Key) or the BDK (Base Derivation Key, used in DUKPT).

Zone 2 (Acquiring bank -> Processor) will use a common key: the AWK, Acquirer Working Key.

Zone 3 (Processor -> Issuing bank) will use a common key: the IWK, Issuer Working Key.

Here we can see that the PIN block is ciphered between the HSMs of the different zones so that it never transits in the clear outside the security modules.

Atalla HSMs and PIN Translation

Atalla HSMs are usually very good at PIN translation (Mohamed Atalla pioneered the use of the PIN in the banking industry).

Depending on the model, Utimaco Atalla HSMs have the following capacities:

10,000, 1060, 280, and 80 TPS (Visa PIN translates per second)

The Atalla AT1000 allows robust PIN translation via the following commands:

  • Translate PIN
  • Translate PIN – Visa DUKPT
  • Translate PIN – ANSI to PIN/Pad
  • Translate PIN – ANSI to PLUS and PLUS to ANSI
  • Translate PIN – IBM 3624 to IBM 3624
  • Translate PIN – IBM 3624 to PIN/Pad
  • Translate PIN – IBM 4731 to IBM 4731
  • Translate PIN – IBM 4731 to PIN/Pad
  • Translate PIN – PIN/Pad or Docutel to IBM 4731
  • Translate PIN – PIN/Pad or Docutel to PIN/Pad
  • Translate PIN – Double-Encrypted Input or Output
  • PIN Translate (ANSI to PIN/Pad) and MAC Verification
  • Translate PIN (ANSI to PLUS) and Verify MAC
  • Translate PIN and Generate MAC
  • PIN and PIN-Block Translate
  • PIN Translate – DUKPT to 3DES and Verify MAC
  • PIN Translate – DUKPT to 3DES and Generate MAC

Conclusion

The PIN Translation mechanism is essential for ensuring that PIN blocks are securely ciphered during transmission through the different zones of the PIN verification process. The Utimaco Atalla AT1000 has efficient PIN translation capacity.

Read more about the Utimaco Atalla AT1000 Hardware Security Module (HSM), a payments security module for protecting sensitive data and associated keys. Or access more articles on our blog. 

About the author

Martin Rupp is a cryptographer, mathematician and cyber-scientist. He has been developing and implementing cybersecurity solutions for banks and security-relevant organizations for 20 years. Martin currently researches the application of Machine Learning and Blockchain in Cybersecurity.
