Here we will explain the different environments that may exist around pin translation and answer such questions as:
- What are they used for?
- What are the other actors in the banking industry exchanging information with the Utimaco Atalla AT1000?
- What is the ecosystem around the Utimaco offering?
PIN Translation: What is It?
One of the main reasons for using an Utimaco Atalla AT1000 like the Utimaco Atalla HSM is PIN Translation. This is the process of encrypting, deciphering, and converting ISO PINBlocks between different encryption keys.
In the ecosystem described by the illustration, ISO PIN blocks are being transmitted from one network to another network for various reasons where the keys that are used on one network cannot be used on another network. Encrypted PINs that are transmitted across these networks must be securely “translated” from one encryption to another encryption.
For example, a bank customer who is outside his country of residence is withdrawing money from an ATM. The ATM needs to access the customer's bank account in his country of residence. The PIN that is entered at the ATM is encrypted locally and then sent through various financial networks until it reaches the customer’s home bank. The home bank must verify the PIN (“online PIN”) and return authorization before the ATM can allow access.
During the transit on intermediate systems (between networks), the different parties can use the PIN translation service to re-encrypt a PIN block from one key to another. The PIN Translation service ensures that PINs never appear in the clear and that the keys for encrypting the PIN are isolated on their own networks.
Overview of the Cryptographic Protocol Used for PIN Translation
The way the keys to decrypt and encrypt are communicated between the parties is relatively complex. It involves a ZMK (Zone Master Key) and a ZPK (Zone Pin Key). The ZPK is what will encrypt or decrypt the PIN blocks during the transfers.
A typical PIN translation will convert between different formats, for example, conversion from an ISO-1 to an ISO-2 format.
Here we represent a typical PIN translation from one zone to another:
Key Exchange in a PIN Translation flow
Here we represent how encryption (and decryption) keys are exchanged between the actors of a PIN verification flow. The minimal flow consists of the:
- Acquiring bank
- Processor (here Visa)
- Issuing bank
All keys used for PIN Translation are exchanged between the zone HSMs via a common key, the Zone Master Key ( ZMK)
The Zone 1: ATM -> Acquiring bank will use a common key: the ZPK (Zone Pin Key ) or the BDK (base Derivation key found inside the DUKPT).
The Zone 2: Acquiring bank -> Processor will use a common key: the AWK, Acquirer Working Key.
The Zone 3: Processor -> Issuing bank will use a common key: the IWK , Issuer Working Key.
Here we can see that the PIN block is ciphered between the HSMs of the different zones so that it never transits in clear outside the security modules.
Atalla HSMs and PIN Translation
Atalla HSMs are usually very good at PIN translation (Mohamed Atalla pioneered the use of the PIN in the banking industry).
Depending on the model, Utimaco Atalla HSMs have the following capacities:
10,000, 1060, 280, and 80 TPS (Visa PIN translates per second)
The Atalla AT-100 allows robust PIN translation via the following commands:
Translate PIN |
Translate PIN – Visa DUKPT |
Translate PIN – ANSI to PIN/Pad |
Translate PIN – ANSI to PLUS and PLUS to ANSI |
Translate PIN – IBM 3624 to IBM 3624 |
Translate PIN – IBM 3624 to PIN/Pad |
Translate PIN – IBM 4731 to IBM 4731 |
Translate PIN – IBM 4731 to PIN/Pad |
Translate PIN – PIN/Pad or Docutel to IBM 4731 |
Translate PIN – PIN/Pad or Docutel to PIN/Pad |
Translate PIN – Double-Encrypted Input or Output |
PIN Translate (ANSI to PIN/Pad) and MAC Verification |
Translate PIN (ANSI to PLUS) and Verify MAC |
Translate PIN and Generate MAC |
PIN and PIN-Block Translate |
PIN Translate – DUKPT to 3DES and Verify MAC |
PIN Translate – DUKPT to 3DES and Generate MAC |
Conclusion
The PIN Translation mechanism is essential for ensuring that PIN blocks are securely ciphered during transmission through the different zones of the PIN verification process. The Utimaco Atalla AT1000 has efficient PIN translation capacity.
Read more about the Utimaco Atalla AT1000 Hardware Security Module (HSM), a payments security module for protecting sensitive data and associated keys. Or access more articles on our blog.
About the author
Martin Rupp ist Kryptograph, Mathematiker und Cyber-Wissenschaftler. Seit 20 Jahren entwickelt und implementiert er Cybersicherheitslösungen für Banken und sicherheitsrelevante Organisationen. Martin erforscht derzeit die Anwendung von Machine Learning und Blockchain in der Cybersicherheit.