[plug] Banks Online

Christian christian at amnet.net.au
Tue Jul 4 11:04:10 WST 2000


On Sun, Jul 02, 2000 at 11:09:55PM +0000, navarre at plug.linux.org.au wrote:
 
> As far as general electronic banking information, when I was doing the 
> Quality Control at Intelect (the pin pad makers) I was using the 
> Australian Standards 2805 documentation that told me how the encryption 
> was to be done. In testing the pin pad applications there were many 
> different mechanisms being used that all adhered to the standard. A user 
> PIN as used with the swipe card could be from 4 to 12 digits long, this 
> data was packed into a pin block and encrypted under the session pin key, 
> generally a derived key from a 128 bit non exposed master key, and 
> transmitted to the acquirer for verification. My memory fails me as to 
> what happens to the card data, I was doing this over ten years ago. The 
> PIN encryption key can be derived from data supplied by the acquirer at 
> the end of each transaction thus may be unique for each transaction, 
> successful or not. This would vary from each implementation of the 
> client's pin pad application.

The details here are a little sketchy (understandable since you say you
read this document over 10 years ago!) but at the end of the day the
amount of maximum possible entropy in the PIN is still the same
regardless of how it's derived.  The method of derivation from the
master key also sounds interesting but it also sounds like the session
key would either be fixed (i.e., more of a sub-key than a session key)
or would be changing in a non-random manner, neither of which sounds
secure.  Anyway, it all sounds interesting and I might take a look at
the standard (presuming it's still current) and read all the details.

Regards,

Christian.
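An added example, written for this archive page and not taken from either poster or from the AS 2805 text, that makes the two points in the thread concrete: the 4-to-12-digit PIN packed into a PIN block, a per-transaction session key derived one-way from a 128-bit master key plus data supplied by the acquirer, and Christian's observation that none of this raises the entropy ceiling set by the PIN itself. Assumptions: the block layout is ISO 9564-1 format 0 (control nibble, length nibble, PIN digits, F padding, XORed with 12 PAN digits), chosen because it is the common interoperable format, not because the post specifies it; HMAC-SHA256 stands in for the standard's one-way key derivation, and an HMAC-derived mask stands in for DES/triple-DES on the 8-byte block so the code runs on the Python standard library alone; the master key, PAN and acquirer data are constructed test values.

```python
"""Constructed example: format 0 PIN block packing, a per-transaction
session key derived from a master key, and a brute-force check that shows
the PIN's entropy bound. Not AS 2805 code: the HMAC-based derivation and the
HMAC mask standing in for DES/TDES are assumptions so this runs on the
standard library only."""
import hashlib
import hmac
from typing import Optional, Tuple


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pan_field(pan: str) -> bytes:
    """Format 0 PAN field: four zero nibbles, then the 12 rightmost PAN
    digits excluding the Luhn check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def pin_field(pin: str) -> bytes:
    """Format 0 PIN field: control nibble 0, PIN length nibble, the PIN
    digits, then F padding to 16 nibbles. 4 to 12 digits as in the post."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pack_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block = PIN field XOR PAN field (8 bytes)."""
    return _xor(pin_field(pin), pan_field(pan))


def unpack_pin_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear format 0 block, rejecting malformed
    blocks (wrong control nibble, bad length, non-digit PIN, bad padding)."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    nibbles = _xor(block, pan_field(pan)).hex().upper()
    if nibbles[0] != "0":
        raise ValueError("not a format 0 block")
    n = int(nibbles[1], 16)
    pin, pad = nibbles[2:2 + n], nibbles[2 + n:]
    if not 4 <= n <= 12 or not pin.isdigit() or pad != "F" * (14 - n):
        raise ValueError("malformed PIN block")
    return pin


def derive_session_key(master_key: bytes, acquirer_data: bytes) -> bytes:
    """One-way derivation of a 128-bit session key from the master key and
    per-transaction data from the acquirer (assumed HMAC construction).
    Because the acquirer data changes each transaction the key does too;
    with a fixed input it would collapse to a static sub-key."""
    return hmac.new(master_key, acquirer_data, hashlib.sha256).digest()[:16]


def encrypt_pin_block(session_key: bytes, block: bytes) -> bytes:
    """Stand-in for the 8-byte block cipher: XOR with a key-dependent mask.
    It is its own inverse, so decryption is the same call."""
    mask = hmac.new(session_key, b"pin-block-mask", hashlib.sha256).digest()[:8]
    return _xor(block, mask)


decrypt_pin_block = encrypt_pin_block


def brute_force_pin(session_key: bytes, pan: str, ciphertext: bytes,
                    pin_len: int = 4) -> Tuple[Optional[str], int]:
    """With the session key and PAN known, the search space is 10**pin_len
    candidate PINs no matter how the key was derived. Returns (pin, tries)."""
    for n in range(10 ** pin_len):
        guess = str(n).zfill(pin_len)
        if encrypt_pin_block(session_key, pack_pin_block(guess, pan)) == ciphertext:
            return guess, n + 1
    return None, 10 ** pin_len


MASTER_KEY = bytes.fromhex("00112233445566778899AABBCCDDEEFF")  # constructed
TEST_PAN = "4111111111111111"  # constructed test PAN

if __name__ == "__main__":
    k1 = derive_session_key(MASTER_KEY, b"txn-0001")
    k2 = derive_session_key(MASTER_KEY, b"txn-0002")
    ct = encrypt_pin_block(k1, pack_pin_block("1234", TEST_PAN))
    print("clear block :", pack_pin_block("1234", TEST_PAN).hex())
    print("keys differ :", k1 != k2)
    print("recovered   :", unpack_pin_block(decrypt_pin_block(k1, ct), TEST_PAN))
    print("brute force :", brute_force_pin(k1, TEST_PAN, ct))
```

The per-transaction key only buys something if the acquirer-supplied input really varies and the derivation is one-way; drop the input and derive_session_key returns the same bytes every time, which is Christian's "sub-key rather than session key" case. And whatever the key schedule, anyone who does obtain a session key needs at most 10**4 trial encryptions to recover a 4-digit PIN, which is why PIN verification limits attempts at the acquirer rather than relying on the block's secrecy alone.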


