Secure Upgrade of Hardware Security Modules in Bank Networks

摘要

We study the secure upgrade of critical components in wide networked systems, focussing on the case study of PIN processing Hardware Security Modules (HSMs). These tamper-resistant devices, used by banks to securely transmit and verify the PIN typed at the ATMs, have been shown to suffer from API level attacks that allow an insider to recover user PINs and, consequently, clone cards. Proposed fixes require to reduce and modify the HSM functionality by, e.g., sticking on a single format of the transmitted PIN or adding MACs for the integrity of user data. Upgrading HSMs worldwide is, of course, unaffordable. We thus propose strategies to incrementally upgrade the network so to obtain upgraded, secure subnets, while preserving the compatibility towards the legacy system. Our strategies aim at finding tradeoffs between the cost for special "guardian" HSMs used on the borderline between secure and insecure nodes, and the size of the team working in the upgrade process, representing the maximum number of nodes that can be simultaneously upgraded.