Target’s Use of 3DES Encryption Invites Scrutiny, Worry

Target’s admission that encrypted PIN data was stolen and secured with 3DES encryption has experts concerned because of the age of the algorithm and the availability of stronger options.

Target Corp.’s admission that encrypted PIN data was stolen in the Black Friday breach was bad news for consumers. For security experts, especially cryptographers, particular exception was taken to the retail giant’s use of Triple DES (3DES) encryption to keep the PIN data safe.

With all crypto suffering scrutiny under the weight of the Snowden leaks, security experts are extra leery of 3DES because of its age and the availability of cryptographically stronger options such as AES.

Target insists the PIN data is safe because the numbers were encrypted at physical retail locations on the PIN pad, and the key is not stored with the data. Instead, the key is with the company’s payment processors, one of which, First Data, said it is not aware of any breaches or abuse on its end.

“What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident,” Target spokesperson Molly Snyder said.

Matthew Green, a noted cryptographer and professor at Johns Hopkins University, said the PIN data is likely secure if Target is being forthright. Hackers cannot decrypt the PIN data without the key, or access to the machine storing the key.

“Most people object to 3DES because it’s an ancient algorithm that was designed as a patch for (now broken) DES until AES was finalized,” Green said via email. “Now we’ve had AES for more than a decade, it’s questionable why we’d be using 3DES.”

Assuming too that Target is compliant with the Payment Card Industry Data Security Standard (PCI-DSS), the mandates there require unique keys for every payment terminal, limiting the scale of risk brought by the breach, which resulted in 40 million debit and credit card numbers being stolen. The attackers, Green wrote in a blog post, would have to hit every terminal to have all the PIN data, or hack the processors.

PCI also requires four-digit PINs to be padded to add complexity to the data being encrypted. Four-digit PINs are child’s play for a brute force attack since there are only 10,000 possible combinations. Padding and salting the PIN data raises the cost of decrypting the data for an attacker. These techniques require using part of the credit card number as part of the key encrypting the PIN.

“Done this way, every PIN number now decrypts to a different value. If they did this, then it would indeed be the same as if no PIN information were stolen at all,” wrote Robert Graham, a researcher with Errata Security.

Green, meanwhile, described a number of possible encryption formats for PIN data. One involves the use of the XOR cipher on the PIN data with the last 12 digits of the card number, and encrypting the rest using 3DES in ECB mode. Another involves stringing the PIN with a transaction number that is then encrypted using 3DES in ECB mode. The final format involves padding random bytes onto the PIN and then encrypting. All three methods, Green said, prevent two users with the same PIN having their data encrypt to the same value under the same key.

“ECB mode has many flaws, but one nice feature is that the encryption of two different values (even under the same key) should lead to effectively unrelated ciphertexts,” Green wrote. “This means that even an attacker who learns the user’s PAN shouldn’t be able to decompose the encrypted PIN¬†without knowledge of the key.”

All that said, the derision levied against 3DES was intense for days after Target’s announcement. Green noted that two-key 3DES will be banned for FIPS-certified products after next year because the 112-bit key was too short; three-key is 168 bits and is FIPS approved.

Green added that some impractical attacks are possible against 3DES, largely because its block size is 64 bits long, something that 128-bit AES eliminates.

“There are some impractical attacks on 3DES that dramatically reduce its key strength,” Green said. “However these are way too expensive to use in practice, and they only reduce the key strength to a level that’s still pretty large (168 down to 112 bit).”

Suggested articles