Chapter 17 – Page 5 of 6 – The Electronic Money Mill

To start things off, the attacker, X, impersonates A requesting a key from the key distribution center. In the request, X claims that A wishes to communicate with the attacker (X). Request messages of this type (RSI) do not contain any authentication codes and are easily forged.

X_A ->S_d: RSI | S_d | A | X | SVRThe key distribution center responds by generating a data-encrypting key. That key is encrypted using the key-encrypting key associated with A and included in the KD field. Also, the same key is encrypted and notarized using the key associated with X. Because KDU_AX is encrypted using X’s secret key, X can obtain the plaintext for KDU_AX.

S_d ->X_A: RTR | A | S_d | X | KD_A | KDU_AX | CTX | CTA | MACX now sends an RFS message to the Key Translation Center, asking for a key translation. It is easy for X to forge this message, despite the MAC, because X knows the value of the key used to compute the MAC — it is the same key as is encrypted in KD_A and KDU_AX, the latter of which X can decrypt.

X_A ->S_t: RFS | S_t | A | B | KD_A | CTA | MACIn response to this last message the key translation center notarizes and encrypts the session key using B’s key-encrypting key and returns that ciphertext to X (thinking that X is A).

S_t ->X_A: RTR | A | S_t | B | KDU_AB | CTB | MACThe attacker now has a notarized and encrypted version of the session key he originally obtained from S_d. Impersonating A, the attacker can pass this notarized key on to B.

X_A ->B: KSM | B | A | S_t | KDU_AB | CTB | MACAt this point, X can fool B into executing a session with X where B believes that B is communicating with A. Or, X can go on to inform A of the new key and allow both A and B to believe they share a secret key when in fact X knows the key. If X chooses the latter version of the attack then X impersonates the key distribution center and sends the following message to A.

X_Sd ->A: RTR | A | S_d | B | KD_A | KDU_AB | CTB | CTA | MACI twirled my pencil between my fingers and leaned back in the chair. I pursed my lips and whistled silently to myself. Let’s see now… X can either send this message to A as an unsolicited RTR message or X can wait until A requests a key for use with B. After sending this message, X then intercepts the response from A to B and discards it.

At this point A and B believe that they share a secret key known only to them (and the trusted key server). However, the key is also known to X.

Hot damn! This was it! This attack works! I leaned forward and let the front legs of the chair hit the floor with a loud thud. I took a deep breath. I reminded myself that this attack requires some preliminary setup by the attacker. It cannot be used to learn keys already in use. Nonetheless, with minimal effort, an attacker can obtain the session keys used by any communicating pair in the network. Thus, the use of separate keys for each communicating pair is overkill — the protocol might just as well use a single key shared by the entire network. There is no additional security obtained by the use of separate keys.

I walked over to the window. What are my assumptions? First of all, the attacker needs to have access to somebody’s key-encrypting key…

Whoa! My blood ran cold. In a sudden fit of paranoia I glanced at the door, confirming that it was closed and the chain drawn. I slowly laid my pencil on the desk and walked over to the window. A shiver ran down my spine. Staring at the street below, I allowed myself to come to grips with the realization that the millwright definitely was an insider, but not necessarily at Bendix. The easiest way to meet my assumption is to assume that the attacker was part of the EFT network — i.e. a member bank, any member bank. We had always assumed that if the money mill was an inside job at all, then the insider was probably at either First Chicago or Bendix. Strangely, I found it far more disturbing that the mill was being run by an insider with access to all X9.17 keys than if the millwright were a lone hacker that had figured a way to crack DES. A banker with the cleverness and Computer Science know-how to devise the mill was a very dangerous adversary. Quite probably with powerful allies. I shuddered and ran a hand through my already disheveled hair as I continued to stare at the dark street below (sometimes it seemed I spent more time staring at that same empty street than I spent at my desk). All manner of questions raced through my mind. Which bank? Was it an institutional effort being run from the top or was it a single rogue employee? Even if it were the latter, the employee would have to be one of a small number of highly trusted employees if he or she had access to a triple-DES key-encrypting key.