Internet Standard

Disclosure to Promote the Right To Information

Whereas the Parliament of India has set out to provide a practical regime of right to information for citizens to secure access to information under the control of public authorities, in order to promote transparency and accountability in the working of every public authority, and whereas the attached publication of the Bureau of Indian Standards is of particular interest to the public, particularly disadvantaged communities and those engaged in the pursuit of education and knowledge, the attached public safety standard is made available to promote the timely dissemination of this information in an accurate manner to the public.

“The Right to Information, The Right to Live” (Mazdoor Kisan Shakti Sangathan)
“Step Out From the Old to the New” (Jawaharlal Nehru)

IS 15042-2 (2007): Banking - Personal Identification Number Management and Security, Part 2: Approved Algorithms for PIN Encipherment [MSD 7: Banking and Financial services]

“Invent a New India Using Knowledge” (Satyanarayan Gangaram Pitroda)
“Knowledge is such a treasure which cannot be stolen” (Bhartṛhari—Nītiśatakam)

IS 15042 (Part 2) : 2007
ISO 9564-2:2005

Indian Standard
BANKING — PERSONAL IDENTIFICATION NUMBER MANAGEMENT AND SECURITY
PART 2 APPROVED ALGORITHMS FOR PIN ENCIPHERMENT
(First Revision)

ICS 35.240.40

© BIS 2007
BUREAU OF INDIAN STANDARDS
MANAK BHAVAN, 9 BAHADUR SHAH ZAFAR MARG
NEW DELHI 110002
September 2007    Price Group 1

Banking and Financial Services Sectional Committee, MSD 7

NATIONAL FOREWORD

This Indian Standard (Part 2) (First Revision) which is identical with ISO 9564-2:2005 ‘Banking — Personal Identification Number management and security — Part 2: Approved algorithms for PIN encipherment’ issued by the International Organization for Standardization (ISO) was adopted
by the Bureau of Indian Standards on the recommendation of the Banking and Financial Services Sectional Committee and approval of the Management and Systems Division Council.

The text of ISO Standard has been approved as suitable for publication as an Indian Standard without deviations. Certain conventions are, however, not identical to those used in Indian Standards. Attention is particularly drawn to the following:

a) Wherever the words ‘International Standard’ appear referring to this standard, they should be read as ‘Indian Standard’.
b) Comma (,) has been used as a decimal marker, while in Indian Standards, the current practice is to use a point (.) as the decimal marker.

In this adopted standard, reference appears to the following International Standard for which Indian Standard also exists. The corresponding Indian Standard, which is to be substituted in its place, is listed below along with its degree of equivalence for the edition indicated:

International Standard: ISO 9564-1 : 2002 Banking — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
Corresponding Indian Standard: IS 15042 (Part 1) : 2006 Banking — Personal Identification Number management and security: Part 1 Basic principles and requirements for online PIN handling in ATM and POS systems (first revision)
Degree of Equivalence: Identical

The technical committee responsible for the preparation of this standard has reviewed the provisions of the following International Standards referred in this adopted standard and has decided that they are acceptable for use in conjunction with this standard:

International Standard    Title
ISO 9564-3    Banking — Personal Identification Number management and security — Part 3: Requirements for offline PIN handling in ATM and POS systems
ISO/IEC 10116    Information technology — Security techniques — Modes of operation for an n-bit block cipher
ISO 11568-2:1994    Banking — Key management (retail) — Part 2: Key management techniques for symmetric ciphers
EMV 2000    Integrated Circuit Card Specifications for Payment Systems, Book 2: Security and Key Management 1)
ANSI INCITS 92-1981    Data Encryption Algorithm [formerly ANSI X3.92-1981 (R1998)] 2)
ANSI X9.52-1998    Triple Data Encryption Algorithm Modes of Operation 2)
AS 2805.5.3-1992    Electronic funds transfer — Requirements for interfaces — Ciphers — Data encipherment algorithm 2 (DEA 2) 3)

1) EMV: Europay, Mastercard, VISA.
2) American National Standards Institute Standard.
3) Standards Australia standard.

1 Scope

This part of ISO 9564 specifies algorithms for the encipherment of Personal Identification Numbers (PINs). These algorithms, based on the approval processes established in ISO 9564-1, are the data encryption algorithm (DEA) and the RSA encryption algorithm.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 9564-1, Banking — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
ISO 9564-3, Banking — Personal Identification Number management and security — Part 3: Requirements for offline PIN handling in ATM and POS systems
ISO/IEC 10116, Information technology — Security techniques — Modes of operation for an n-bit block cipher
ISO 11568-2:1994, Banking — Key management (retail) — Part 2: Key management techniques for symmetric ciphers
EMV 2000, Integrated Circuit Card Specifications for Payment Systems, Book 2: Security and Key Management 1)
ANSI INCITS 92-1981, Data Encryption Algorithm [formerly ANSI X3.92-1981 (R1998)] 2)
ANSI X9.52-1998, Triple Data Encryption Algorithm Modes of Operation 2)
AS 2805.5.3-1992, Electronic funds transfer — Requirements for interfaces — Ciphers — Data encipherment algorithm 2 (DEA 2) 3)

1) EMV: Europay, Mastercard, VISA.
2) American National Standards Institute standard.
3) Standards Australia standard.

3 Data Encryption Algorithm (DEA)

3.1 Definition

The definition of DEA shall be in accordance with that published in ANSI X3.92:1981.

3.2 Specification

Encipherment, using the TDEA, of the PIN blocks according to ISO 9564-1 shall be achieved using the algorithm operating in the Electronic Code Book (ECB) mode (with n equal to 64) in accordance with ISO/IEC 10116. Each TDEA encryption/decryption operation is a compound operation of DEA encryption/decryption operations, as defined in ISO 11568-2 and ANSI X9.52.

4 RSA encryption algorithm

4.1 Definition

The definition of the RSA 4) encryption algorithm shall be in accordance with that published in AS 2805.5.3:1992.

4.2 Specification

Encipherment, using RSA, of the PIN blocks according to ISO 9564-3 shall be achieved in accordance with EMV 2000, Book 2.

4.3 Applicability

This algorithm is approved for use with ISO 9564-3 only.
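Added example, not part of the standard: the compound operation of clause 3.2 written out in Go with the standard library's crypto/des, applied to one 64-bit block, which is the whole of ECB mode with n equal to 64 for a single PIN block. The keys and the block are constructed sample values, and the K1 = K2 case goes beyond the clause to show that such a key bundle leaves only single-DEA strength.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Constructed sample keys and 64-bit block, not taken from the standard.
var (
	k1    = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	k2    = []byte{0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01}
	k3    = []byte{0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23}
	block = []byte{0x04, 0x12, 0xAC, 0x89, 0xAB, 0xCD, 0xEF, 0x67}
)

// tdeaEncryptBlock computes E_K3(D_K2(E_K1(block))) from three DEA operations
// on one 64-bit block, i.e. one ECB unit with n = 64.
func tdeaEncryptBlock(k1, k2, k3, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, fmt.Errorf("block must be %d bytes, got %d", des.BlockSize, len(block))
	}
	out := append([]byte(nil), block...)
	for i, k := range [][]byte{k1, k2, k3} {
		c, err := des.NewCipher(k) // returns an error unless the key is 8 bytes
		if err != nil {
			return nil, err
		}
		if i == 1 {
			c.Decrypt(out, out) // middle stage is a DEA decryption
		} else {
			c.Encrypt(out, out)
		}
	}
	return out, nil
}

func main() {
	ct, _ := tdeaEncryptBlock(k1, k2, k3, block)
	weak, _ := tdeaEncryptBlock(k1, k1, k3, block)   // K1 == K2: first two stages cancel
	single, _ := tdeaEncryptBlock(k3, k3, k3, block) // all keys equal: plain DEA under K3
	fmt.Printf("TDEA=%X collapsed=%v\n", ct, bytes.Equal(weak, single))
}
```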
4) Named after its inventors, Ronald Rivest, Adi Shamir and Leonard Adleman.

Bureau of Indian Standards

BIS is a statutory institution established under the Bureau of Indian Standards Act, 1986 to promote harmonious development of the activities of standardization, marking and quality certification of goods and attending to connected matters in the country.

Copyright

BIS has the copyright of all its publications. No part of these publications may be reproduced in any form without the prior permission in writing of BIS. This does not preclude the free use, in the course of implementing the standard, of necessary details, such as symbols and sizes, type or grade designations. Enquiries relating to copyright be addressed to the Director (Publications), BIS.

Review of Indian Standards

Amendments are issued to standards as the need arises on the basis of comments. Standards are also reviewed periodically; a standard along with amendments is reaffirmed when such review indicates that no changes are needed; if the review indicates that changes are needed, it is taken up for revision. Users of Indian Standards should ascertain that they are in possession of the latest amendments or edition by referring to the latest issue of ‘BIS Catalogue’ and ‘Standards: Monthly Additions’.

This Indian Standard has been developed from Doc: No. MSD 7 (307).

Amendments Issued Since Publication

Amend No.    Date of Issue    Text Affected

BUREAU OF INDIAN STANDARDS

Headquarters: Manak Bhavan, 9 Bahadur Shah Zafar Marg, New Delhi 110002
Telephones: 23230131, 23233375, 23239402
website: www.bis.org.in

Regional Offices:
Central: Manak Bhavan, 9 Bahadur Shah Zafar Marg, NEW DELHI 110002. Telephones: 23237617, 23233841
Eastern: 1/14 C.I.T. Scheme VII M, V.I.P. Road, Kankurgachi, KOLKATA 700054. Telephones: 23378499, 23378561, 23378626, 23379120
Northern: SCO 335-336, Sector 34-A, CHANDIGARH 160022. Telephones: 2603843, 2609285
Southern: C.I.T. Campus, IV Cross Road, CHENNAI 600113. Telephones: 22541216, 22541442, 22542519, 22542315
Western: Manakalaya, E9 MIDC, Marol, Andheri (East), MUMBAI 400093. Telephones: 28329295, 28327858, 28327891, 28327892

Branches: AHMEDABAD. BANGALORE. BHOPAL. BHUBANESHWAR. COIMBATORE. FARIDABAD. GHAZIABAD. GUWAHATI. HYDERABAD. JAIPUR. KANPUR. LUCKNOW. NAGPUR. PARWANOO. PATNA. PUNE. RAJKOT. THIRUVANANTHAPURAM. VISAKHAPATNAM.

Printed at Simco Printing Press, Delhi