We study the secure upgrade of critical components in wide networked systems, focussing on the case study of PIN processing Hardware Security Modules (HSMs). These tamper-resistant devices, used by banks to securely transmit and verify the PIN typed at the ATMs, have been shown to suffer from API level attacks that allow an insider to recover user PINs and, consequently, clone cards. Proposed fixes require to reduce and modify the HSM functionality by, e.g., sticking on a single format of the transmitted PIN or adding MACs for the integrity of user data. Upgrading HSMs worldwide is, of course, unaffordable. We thus propose strategies to incrementally upgrade the network so to obtain upgraded, secure subnets, while preserving the compatibility towards the legacy system. Our strategies aim at finding tradeoffs between the cost for special “guardian” HSMs used on the borderline between secure and insecure nodes, and the size of the team working in the upgrade process, representing the maximum number of nodes that can be simultaneously upgraded.
Secure upgrade of hardware security modules in bank networks
FOCARDI, Riccardo;LUCCIO, Flaminia
2011-01-01
Abstract
We study the secure upgrade of critical components in wide networked systems, focussing on the case study of PIN processing Hardware Security Modules (HSMs). These tamper-resistant devices, used by banks to securely transmit and verify the PIN typed at the ATMs, have been shown to suffer from API level attacks that allow an insider to recover user PINs and, consequently, clone cards. Proposed fixes require to reduce and modify the HSM functionality by, e.g., sticking on a single format of the transmitted PIN or adding MACs for the integrity of user data. Upgrading HSMs worldwide is, of course, unaffordable. We thus propose strategies to incrementally upgrade the network so to obtain upgraded, secure subnets, while preserving the compatibility towards the legacy system. Our strategies aim at finding tradeoffs between the cost for special “guardian” HSMs used on the borderline between secure and insecure nodes, and the size of the team working in the upgrade process, representing the maximum number of nodes that can be simultaneously upgraded.File | Dimensione | Formato | |
---|---|---|---|
FL-ArspaWits.pdf
non disponibili
Tipologia:
Documento in Post-print
Licenza:
Accesso chiuso-personale
Dimensione
294.06 kB
Formato
Adobe PDF
|
294.06 kB | Adobe PDF | Visualizza/Apri |
I documenti in ARCA sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.