Chapter 11 Page 2 of 7

“I don’t think so,” I replied. I wasn’t sure if X9.17 had an ISO equivalent or not.

“Got all of ISO,” he muttered petulantly as he went back to work. “Got ISO on micro-fiche… Got ISO on CD-ROM… You want X9 you say?”

I nodded.

“Says here that X9 is also published by ABA, does that sound like what you want?”

“Yes, that’s the one.” ABA stood for the American Bankers Association.

Ellary announced that they had X9.3, X9.9, X9.17, X9.24, and X9.26, but that they were missing X9.2 and X9.32. He added that X3.92 was listed along with the X9 documents and asked if I wanted that one too. I answered that I would look at all the ones they had. He turned and headed back across the room, beckoning me to follow him. We went back into a private room with row upon row of shelves filled with brown cardboard magazine boxes. They appeared to contain unusual conference proceedings and standards documents. Ellary walked right into the middle of the shelves and had no trouble locating the box containing the X9 documents. He pulled the box off the shelf and put it in my arms. He hesitated before letting go of the box and explained that I couldn’t take them out of the library. Again, he seemed to stare right through me as he spoke. He had an almost haunted look in his eyes. I had no intention of taking the documents with me (I’d brought more than one roll of quarters for the copy machine) but if I did have any inclination to take the documents, Ellary’s haunted stare would have chased away any such thoughts. I thanked Ellary and carried the box to a reading table in the main room of the library.

I approached the nearest table, where a young Asian woman was already sitting on the far end of the table. It was a large enough table that I did not feel I was imposing by using the other end, and set the box down with a thud. I felt as if I was unwrapping a Christmas present as I took out the documents one by one and set them on the table in front of me. The woman at the other end of the table did not look up from her work. She was taking notes on a yellow pad of paper as she slowly flipped the pages of a thick, brown, somewhat tattered, book.

I started with X3.92. It is the DES standard, entitled, American National Standard for Information Systems — Data Encryption Algorithm. I had come to the library in search of clues to the money mill forgeries. While it is true that the millwright may have discovered a flaw in DES, the far more likely explanation was a flaw in one of the EFT protocols. Cracking DES would be a serious breakthrough in cryptanaysis. DES has enjoyed great popularity over the last twenty years. It has been incorporated into numerous products and has been applied to a large number of wide-spread applications. Every cryptanalyst in the world has studied DES. It is hard to imagine a flaw that could have escaped all of this scrutiny. Protocols, on the other hand, are far less general. They are closely tied to the application and the trust model. For this reason, the set of cryptanalysts interested in any particular protocol is a much smaller group of people than those interested in DES. Protocols have a much narrower audiance than do cryptographic functions and algorithms.

I decided not to bother copying X3.92 and instead turned to the X9 documents. The X9 family of standards is used for all American banking applications. Because all banks in the country follow these standards for all inter-bank financial services, interoperability is ensured between cryptographic equipment and facilities.

X9.9 is entitled Financial Institution Message Authentication (Wholesale). It describes the algorithm used to compute the MAC’s. It confirmed what I already knew: the MAC’s are based on DES. I copied that one, using four of my quarters.

In among the X9 documents was a NIST document. Numbered FIPS-171, it was entitled Key Management Using ANSI X9.17. It was dated 1992. Apparently NIST recommended that ANSI X9.17 be used for all government applications. FIPS-171 listed various guidelines for how X9.17 should be used for government applications. I put this one aside to be photocopied later and looked through the other documents for X9.17.

Financial Institution Key Management (Wholesale) (aka X9.17), covers the distribution of cryptographic keys used to calculate EFT MAC’s. It covers both the manual and automated management of keying material. It is designed to prevent unauthorized disclosure, modification, or substitution of keys. For those situations where loss of integrity is suspected, the standard includes provisions to regain security.

In the forward to the document it states that while the protocol specified in X9.17 is designed to protect the security and integrity of keys, it in no way guarantees that a particular implementation of the standard is secure.