Blunting Differential Attacks on PIN Processing APIs

  • Riccardo Focardi
  • Flaminia L. Luccio
  • Graham Steel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5838)


We propose a countermeasure for a class of known attacks on the PIN processing API used in the ATM (cash machine) network. This API controls access to the tamper-resistant Hardware Security Modules where PIN encryption, decryption and verification take place. The attacks are differential attacks, whereby an attacker gains information about the plaintext values of encrypted customer PINs by making changes to the non-confidential inputs to a command. Our proposed fix adds an integrity check to the parameters passed to the command. It is novel in that it involves very little change to the existing ATM network infrastructure.


Keywords: Security APIs, Financial Cryptography, PIN Verification





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Riccardo Focardi (1)
  • Flaminia L. Luccio (1)
  • Graham Steel (2)

  1. Università Ca’ Foscari Venezia, Italy
  2. Laboratoire Spécification et Vérification, CNRS & INRIA & ENS de Cachan, France
