Encryption Transaction with 3DES - PowerPoint PPT Presentation

Slides: 12
Provided by: yder
1
Encryption Transaction with 3DES
  • Team W2
  • Yervant Dermenjian (W21)
  • Taewan Kim (W22)
  • Evan Mengstab (W23)
  • Xiaochun Zhu (W24)

Objective: To implement a secure credit card
transaction using 3DES encryption with
Kerberos-style authentication.
Team Manager: Rebecca Miller
Current Stage: Design Proposal 01/21/2004
2
What's Wrong with Credit Purchases?
  • Point-of-sale terminals transmit your name,
    credit card number, and expiration dates in the
    clear (unencrypted).
  • Using Kerberos-style authentication, we can
    transmit encrypted information that can be
    verified by the card authorizer without actually
    containing sensitive information.

3
Triple Data Encryption Standard
  • Difficult to decipher for large encryption keys
  • Symmetric Key Cipher: encryption and decryption
    use the same key
  • Based on DES, a very trusted cipher
  • Encryption utilized in new ATMs
  • Free to use
  • Accepted as the new standard for federal
    agencies in 1999

4
Kerberos-style Authentication
  • Provides authentication without transmitting
    sensitive information.
  • Encrypt card expiration date using credit card
    number and secret PIN as encryption key.
  • The data payload is arbitrary. Only the
    cardholder and card acquirer have the key.

5
How It Works
  • Transmit name, merchant, price, encrypted
    expiration date
  • Card company has CC and PIN to decrypt packet
  • If expiration date matches, purchase is approved
  • CC and PIN are never transmitted, but essential
    to authenticate

6
Security In Making Purchases
  • Identity theft is a growing problem
  • Sensitive information never transmitted
  • Uses existing cards and phone network
  • Credit and charge card fraud costs cardholders
    and issuers hundreds of millions of dollars each
    year

7
Design Diagram
[Figure: block diagram. Inputs: Name Reg (b100), CC Reg (b54), PIN Reg (b14), ExpDate Reg (b11), MerchID (b25), MerchPrice (b12). CC and PIN are concatenated into the PinCC encryption key (68); the expiration date (11) is 3DES-encrypted using the PINCC key; the Packager outputs the package MerchID-Name-Payload-Price.]
8
Current Status
  • Block Diagram breakdown of functions
  • Decisions on packet encryption (100)
  • Analysis of 3DES algorithm (10)
  • C Language software implementation of encryption
    and decryption (0)
  • Verilog HDL (0)
  • Verilog Gate-level design (0)
  • Schematic Representation (0)
  • Chip Layout (0)
  • SPICE Simulation (0)

9
Design Decisions
  • Cardholder's name encoded in shortened ASCII,
    only 32 letters (4 bytes).
  • Merchant ID shortened to 5 letters.
  • Merchandise Cost capped at 4,096 (12 bits)
  • Credit Card number and PIN concatenated as key.
    Longer key -> Stronger encryption.
  • Transmitted data
      • Unencrypted: cardholder's name, merchant's ID,
        purchase amount
      • Encrypted: expiration date
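
The exchange from the How It Works and Design Decisions slides, with both the terminal and the card company side, as an added example that is not part of the original presentation. Assumptions not on the slides: the function names, spreading the 68-bit CC+PIN concatenation over a two-key 3DES key at 7 bits per byte, the zero-padded date block (4-bit month, 7-bit year), the account lookup by cardholder name, and the Python `cryptography` package for 3DES.

```python
# Added example: names, field encodings and key expansion are assumptions.
try:  # cryptography >= 43 keeps 3DES in the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
from cryptography.hazmat.primitives.ciphers import Cipher, modes

def pincc_key(cc: int, pin: int) -> bytes:
    """Concatenate CC (54 bits) and PIN (14 bits) into a two-key 3DES key."""
    if not (0 <= cc < 1 << 54 and 0 <= pin < 1 << 14):
        raise ValueError("CC must fit in 54 bits and PIN in 14 bits")
    bits = ((cc << 14) | pin) << (112 - 68)  # 68 key bits, left-aligned in 112
    # DES ignores the low (parity) bit of each key byte, so carry 7 bits per byte.
    return bytes(((bits >> (7 * i)) & 0x7F) << 1 for i in reversed(range(16)))

def exp_block(month: int, year: int) -> bytes:
    """11-bit expiration date (assumed 4-bit month, 7-bit year) in one 64-bit block."""
    return ((month << 7) | (year % 100)).to_bytes(8, "big")

def _des3(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    cipher = Cipher(TripleDES(key), modes.ECB())  # one block, so ECB
    op = cipher.decryptor() if decrypt else cipher.encryptor()
    return op.update(block) + op.finalize()

def build_packet(name, merch_id, price, cc, pin, month, year) -> dict:
    """Terminal side: only name, merchant ID, price and the payload are sent."""
    if len(merch_id) != 5 or not 0 <= price < 4096:  # Design Decisions limits
        raise ValueError("merchant ID is 5 letters, price fits in 12 bits")
    # Key and plaintext are fixed per card, so the payload repeats across purchases.
    payload = _des3(pincc_key(cc, pin), exp_block(month, year))
    return {"name": name, "merch_id": merch_id, "price": price, "payload": payload}

def authorize(packet: dict, accounts: dict) -> bool:
    """Card company side: rebuild the key from CC and PIN on file, decrypt, compare."""
    acct = accounts.get(packet["name"])
    if acct is None or len(packet["payload"]) != 8:
        return False
    cc, pin, month, year = acct
    plain = _des3(pincc_key(cc, pin), packet["payload"], decrypt=True)
    return plain == exp_block(month, year)

# Constructed sample data (a test card number, not a real account).
ACCOUNTS = {"ALICE EXAMPLE": (4111111111111111, 1234, 9, 2006)}
GOOD = build_packet("ALICE EXAMPLE", "SHOP1", 250, 4111111111111111, 1234, 9, 2006)
BAD_PIN = build_packet("ALICE EXAMPLE", "SHOP1", 250, 4111111111111111, 4321, 9, 2006)
```

`authorize(GOOD, ACCOUNTS)` approves the purchase and `authorize(BAD_PIN, ACCOUNTS)` rejects it; the payload does not depend on the merchant or the price, which bears on the second question on the Problems and Questions slide.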

10
Design Alternatives
  • Rijndael (AES) encryption algorithm
      • Does not comply with standard for ATMs
      • Larger silicon area
  • Clock-synchronized random number key
      • Incompatible with current credit cards
      • Difficult to keep smart chip in card
        synchronized with server

11
Problems and Questions
  • Should sensitive data (PIN and CC) be the
    encrypted data or the encryption key?
  • Less secure to encrypt purchase price, creating
    variable encrypted messages using the same key?
  • Need a rough transistor count.
  • Is this encryption difficult to crack but still
    manageable to realize in hardware?