CS 341: Cryptography

The ATM Story

Be ready on Monday Jan 17 to be expert on the topic your name is next to below.

Hand in your detailed (4-8 pages) version of the story via e-mail by 8:30AM Wednesday, Jan 19.

This is my rough version of the story of what happens when I withdraw money from the ATM. On Monday, we'll talk through the story in as much detail as possible in the 70 minutes. You should be prepared to be the experts on your particular sub-topics below.

On Wednesday, you should hand in your own detailed version of the whole story. Please submit it via e-mail as text, pdf, rtf, doc, or docx.

  1. Key exchange. (Bouchard, Freeland) Sometime, somehow, the ATM and the server(s) it communicates with come to have a shared TripleDES key.

    • How does this happen?
    • How is the key changed, and how often?
    • What if an ATM talks to more than one server? Does it?
    • Is IKE relevant here? Some other protocol?

  2. Magnetic card. (Avalos, McCarty) I put my card into the ATM.

    • What information is stored on the card itself?
    • How is it formatted?
    • Is it encrypted? How?
    • Are there relevant international standards?

  3. The ATM asks me for my PIN.

  4. I enter my PIN.

  5. PIN. (Howald/Johnson, Huang/Schroeder) The ATM verifies that my PIN is correct.

    • How precisely is this done?
    • Where is the PIN against which the verification is completed stored?
    • Is a 4-digit PIN enough? What attacks does it prevent?

  6. Storage of user-specific data. (Solow/Smith) The ATM gives me choices.

    • How/where are my choices stored?
    • How are my choices retrieved so they can be displayed to me?

  7. I choose withdraw $100 from checking, no receipt.

  8. Communication protocol. (Raines) The ATM sends my withdrawal request to a server.

    • Exactly what protocol is used to for this communication? Is it ISO 8583? If so, what specific commands go back and forth?
    • How is this exchange encrypted?

  9. Nature of the network. (Gelles/Simmons-Marengo, Strode/Riemer) The server says OK.

    • This is more about the ATM/server exchange.
    • Over what specific networks are these exchanges transmitted?
    • Is it the ordinary Internet? Dedicated financial networks?
    • Is it the same or different from the network(s) used by point-of-sale units (e.g. credit card boxes at the gas station).
    • Dial-up? Broadband?

  10. Nature of the server. (Ondich) Maybe the server updates its records now (reducing my balance by $100). Or maybe it's later.

    • In general, what is stored on the server, and in what form?
    • What is the relationship between the owner/maintainer of the server and my bank?
    • What is Cirrus? Are there competitors to Cirrus, and who are they?
    • Are there treaties involved?

  11. Physical ATM. (Kanazawa, Matsui, Garnaas-Holmes/Becerra) The ATM delivers my card, money, and receipt to me.

    • What internal records does the ATM keep?
    • Is there redundancy in the record keeping?
    • How is the money secured physically?
    • What's the deal with the "tamper-resistant cryptoprocessor"?
    • Are cameras, 911 buttons, biometrics, etc. required?