Breaking Legacy Banking Standards with Special-Purpose Hardware

  • Tim Güneysu
  • Christof Paar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5143)


In the field of eCommerce, online-banking is one of the major application requiring the usage of modern cryptography to protect the confidentiality and integrity of financial transactions between users and the banking system. In banking applications of some countries, the authorization of user transactions is performed with support of cryptographic One-Time-Password (OTP) tokens implementing ANSI X9.9-based challenge-response protocols.

The legacy ANSI X9.9 standard is a DES-based authentication method on which we will demonstrate an attack based on a special-purpose hardware cluster. In this work we show how to break such an OTP-token with little effort in terms of costs and time. With an investment of about US $ 10,000 we are able to perform an attack which computes the key of a DES-based OTP token in less than a week having only three challenge-response pairs. Our attack can even be scaled linearly according to the budget of the attacker resulting in even faster breaking times. With this work, we want to point out once more that the immediate migration from legacy products using the DES algorithm is absolutely mandatory for security critical applications.


ANSI X9.9 Banking Cryptanalysis Special-Purpose Hardware 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Accredited Standards Committee X3. American National Standard X3.92: Data Encryption Algorithm (DEA) (1981)Google Scholar
  2. 2.
    Accredited Standards Committee X9. American National Standard X9.9: Financial Institution Message Authentication (1994)Google Scholar
  3. 3.
    ActivIdentity. Token-based Identity Systems (OTP Tokens) (2007),
  4. 4.
    Blaze, M., Diffie, W., Rivest, R.L., Schneier, B., Shimomura, T., Thompson, E., Wiener, M.: Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security: A Report by an Ad Hoc Group of Cryptographers and Computer Scientists. Technical report (January 1996),
  5. 5.
    Coppersmith, D., Knudsen, L.R., Mitchell, C.J.: Key recovery and forgery attacks on the macDES MAC algorithm. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 184. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Diffie, W., Hellman, M.E.: Exhaustive cryptanalysis of the NBS DES. Computer 10(6), 74–84 (1977)CrossRefGoogle Scholar
  7. 7.
    Electronic Frontier Foundation. Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design. O’Reilly & Associates Inc. (July 1998)Google Scholar
  8. 8.
    International Organization for Standardization (ISO). ISO 8730/8731:1990 – Banking – Requirements for message authentication (1990)Google Scholar
  9. 9.
    International Organization for Standardization (ISO). ISO 16609:2004 – Banking – Requirements for message authentication using symmetric techniques (2004)Google Scholar
  10. 10.
    Kumar, S., Paar, C., Pelzl, J., Pfeiffer, G., Schimmler, M.: Breaking Ciphers with COPACOBANA - A Cost-Optimized Parallel Code Breaker. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 101–118. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    National Institute for Standards and Technology (NIST). FIPS PUB 113: Standard for computer data authentication (May 1985)Google Scholar
  12. 12.
    National Institute for Standards and Technology (NIST). FIPS PUB 46-2: Data Encryption Standard (DES) (1993)Google Scholar
  13. 13.
    National Institute for Standards and Technology (NIST). FIPS PUB 46-3: Data Encryption Standard (DES) and Triple DES (TDES) (1999)Google Scholar
  14. 14.
    National Institute for Standards and Technology (NIST). FIPS 197: Advanced Encryption Standard (AES) (2001)Google Scholar
  15. 15.
    National Institute of Standards and Technology. Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher (May 2004),
  16. 16.
    Preneel, B., Van Oorschot, P.C.: Key recovery attack on ANSI X9.19 retail MAC. In: Electronics Letters, vol. 32(17), pp. 1568–1569. IEEE, Dept. of Electr. Eng., Katholieke Univ, Leuven (1996)Google Scholar
  17. 17.
    Rouvroy, G., Standaert, F.-X., Quisquater, J.-J., Legat, J.-D.: Design Strategies and Modified Descriptions to Optimize Cipher FPGA Implementations: Fast and Compact Results for DES and Triple-DES. In: Cheung, Y.K.P., Constantinides, G.A. (eds.) FPL 2003. LNCS, vol. 2778, pp. 181–193. Springer, Heidelberg (2003)Google Scholar
  18. 18.
    RSA - The Security Division of EMC2. RSA SecurID (2007),
  19. 19.
    Sciengines GmbH. COPACOBANA - A Codebreaker for DES and other Ciphers. project and company website (2008),
  20. 20.
  21. 21.
    Wiener, M.J.: Efficient DES Key Search. In: Stallings, W.R. (ed.) Practical Cryptography for Data Internetworks, pp. 31–79. IEEE Computer Society Press, Los Alamitos (1996)Google Scholar
  22. 22.
    Wiener, M.J.: Efficient DES Key Search: An Update. CRYPTOBYTES 3(2), 6–8 (1997)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Tim Güneysu
    • 1
  • Christof Paar
    • 1
  1. 1.Horst Görtz Institute for IT SecurityRuhr University BochumGermany

Personalised recommendations