Do you know whose birthday is on November 26? The Advanced Encryption Standard, AES. This year, 2018, AES turns 17. Although it is the most widely used symmetric algorithm worldwide, you would hardly know it from looking at the payments landscape, where Triple-DES still rules. But AES is finally coming to the payments space; we’re going to look at a few recent developments to see why.
What’s the Problem?
Why is AES moving so slowly into the payments environment? Part of the reason is AES’ larger block and key sizes. AES, like DES, is a block cipher, meaning that each iteration of the encryption or decryption process works on a block of data; 8 bytes with DES, 16 bytes with AES. AES keys are different too: instead of DES/TDES’ 8, 16 or 24 bytes, AES key lengths are 16, 24 or 32 bytes. For many applications, these differences are fairly easy to accommodate, with little or no downstream impact. A good example is the Transport Layer Security (TLS) that much of the Web relies on for secure data transfer; changing the cryptographic algorithms in the underlying cipher suite to use AES is a matter of updating the server and client browser software to accept it, but doing so is invisible to the actual browser application, and has no hardware impact.
The payment environment is significantly different, because so much cryptography is performed in devices. In 2015, there were estimated to be 14 million POS terminals in the US alone. Every device must be either replaced or field-upgraded to support AES. Most, if not all EMV chip cards issued today (the estimate is 785 million of them in 2017) are AES-capable; the statistics of how many issuers are actually using AES is harder to determine. Based on our knowledge about the US market, we think the percentage is very low – we are not aware of a single US client currently using AES-based ARQC verification.
In addition to cards and terminals, there are ATMs and gas pumps to consider, and Host Security Modules (HSM) at the transaction acquirers that need upgrades. Last, but by no means least, are the upgrades that need to occur to the transaction messaging software to accommodate the larger block size for AES, especially PIN blocks.
It’s Always About Key Management
Another significant hurdle is AES key exchange. Until last year, there was no standard that described a secure, interoperable method for exchanging AES keys in the payment arena. That changed with the release of the latest version of ANS X9 TR-31 which, for the first time, described a standardized method for transporting AES keys and their usage metadata that used AES wrapping keys to preserve the strength of the transported key instead of TDES, which is significantly weaker. Now that the industry has a PCI-mandated target date of June, 2021 to implement Key Blocks for external connections to Associations and Networks, we will see a significant uptick in the number of organizations that will include AES in their interchange planning and implementation.
A significant advance also occurred in 2017 with the release of ANS X9.24 part 3, which extended the immensely popular Derived Unique Key Per Transaction (DUKPT) terminal key management system to include AES. Already some terminal manufacturers (notably Verifone) are upgrading their terminal software and key management messaging to include AES DUKPT, as are payment HSM manufacturers, like Thales.
So Why Bother?
Some of you are probably asking: so if migrating my payment infrastructure to support AES incurs such hassle and expense, why bother? Why not stick with my current TDES system?
Those are good questions; here are a few considerations to ponder:
- AES is the future. Consider the National Institute of Standards and Technology (NIST); 2-key TDES approval was withdrawn at the end of 2015. Although 3-key TDES is still approved for use, its security strength is significantly less; and it is the only other approved block cipher other than AES. NIST SP800-57 part 1 is recommending phasing out 3-key TDES by 2031. The conclusion? TDES days are numbered.
- AES is simply a better algorithm. AES is faster and more secure. AES DUKPT-equipped terminals now support up to two billion transactions before requiring a rekey, instead of 1 million for TDES terminals. Because the AES key space is so much larger, keys have a longer cryptoperiod, reducing the frequency of key exchange ceremonies.
- AES has better quantum computing resistance. This probably sounds a bit esoteric, and for the near future it is. But considering how long it takes to upgrade the payment security infrastructure (fully migrating from DES to TDES took over 20 years), as an industry we need to be planning for upgrades now. Quantum computing breakthroughs could occur at any time.
GEOBRIDGE has the experience and expertise to assist you in your AES migration plans. We can help take the guesswork out of the upgrade effort. Let us be your partner as you plan your next infrastructure uplift.