I am constructing an ISO 8583 message in Java which includes setting up an
Encrypted PIN Block in ISO field 52.
Presently I am stuck in setting this field.
I have to encrypt the PIN block (ISO-0 format) with the ZPK key. I have
received the key check value as well.
I tried many things but didn't get the clear solution.
rams wrote:
> I am constructing an ISO 8583 message in Java which includes setting up an
> Encrypted PIN Block in ISO field 52.
> Presently I am stuck in setting this field.
JPos will be perfect for this, I guess you are using it?
> I have to encrypt the PIN block (ISO-0 format) with the ZPK key. I have
> received the key check value as well.
So you have a secure key? Keep it safe!
What HSM are you aiming to use now/in production?
> I tried many things but didn't get the clear solution.
A clear result is precisely what you don't want 8).
What did you try?
BouncyCastle?
I'm sure there was recent discussion on this mailing list, did you try searching at all?
Well, unfortunately, you don't get ZPKs on a fluffy pillow. They only exist
within the greater world and consideration of ZMKs and LMKs. For example,
to interact with an HSM and encrypt using a ZPK, you're working with the ZPK
cryptogram (encoded under your LMK), not the clear text value.
I don't see where you've addressed Mark's earlier questions. [Note: I am
not Mark.]
-----Original Message-----
From: jpos-users@googlegroups.com [mailto:jpos-users@googlegroups.com] On
Behalf Of rams
Sent: Monday, June 29, 2009 1:09 PM
To: jPOS Users
Subject: Re: Need help in constructing ISO 8583 message with Encrypted Pin
Block.
Mark,
It talks about other keys also, like the ZMK and LMK.
What's the procedure for encrypting the PIN block with the ZPK? That's nowhere
mentioned.
Can you please clarify that.
On Jun 29, 11:04 pm, "Andy Orrock" <aaorr...@gmail.com> wrote:
> Relevant pieces if you're using a Thales re. the ZPK - obtaining it,
> storing it, using it in a translation, etc...
> Even if you're not using the Thales, the examples are relevant as they
> detail the required practices.
> Andy Orrock
> -----Original Message-----
> From: jpos-users@googlegroups.com [mailto:jpos-users@googlegroups.com] On
> Behalf Of Mark Salter
> Sent: Monday, June 29, 2009 12:29 PM
> To: jpos-users@googlegroups.com
> Subject: Re: Need help in constructing ISO 8583 message with Encrypted Pin
> Block.
> What's the procedure for encrypting the PIN block with the ZPK? That's nowhere
> mentioned.
> Can you please clarify that.
It is just a triple DES encryption using the clear ZPK.
This *should* take place within a secure environment (and HSM) so that the clear ZPK will not be compromised.
If the ZPK you have been given is a production key, it won't be usable outside of a secure environment; you should stop and ask the provider for a test key.
If your ZPK is test, then...
The ZPK you have will be encrypted under another key - perhaps a transport key, do you have the details of that key? This is likely why you have been provided with a Key Check Value - so that you can check you have the right key as you translate it to store it under your LMK.
The algorithm for clear PIN block generation (Format 0) is well documented, google kindly provides 10000000+ hits for +PIN +Format +0, the first link I see holds the detail you need:-
Once you have the PIN block, you need to triple DES (probably) encrypt the PIN block using your clear ZPK. BouncyCastle might be of use here, but there are many options, I encourage you to seek out one that suits you best.
Andy kindly provided some excellent links and I have some questions outstanding; try to answer them and then let us know how you get on.
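The steps Mark describes (Format 0 PIN block, check the ZPK against its key check value, then DES/3DES-encrypt the block) as an added worked example. This is not jPOS code and not code from anyone in the thread; it uses only javax.crypto. The PAN, PIN and key are constructed test values: 0123456789ABCDEFFEDCBA9876543210 is the widely published double-length test key whose KCV is 08D7B4. It handles both a single-length ZPK (single DES, as Ramanath's provider requires) and a double-length one (3DES). As Mark says, a clear key may only be used like this when it is a test key; a production ZPK stays inside the HSM, which performs the translation itself.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;

// Added example: ISO 9564 Format 0 PIN block, ZPK key check value, DES/3DES encryption.
// Test key and PAN are constructed; a production ZPK never leaves the HSM.
public class Format0PinBlock {

    static byte[] hex2byte(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static String hexString(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X", x));
        return sb.toString();
    }

    /** Clear Format 0 PIN block: PIN field XOR PAN field, 8 bytes. */
    static byte[] clearPinBlock(String pin, String pan) {
        if (!pin.matches("\\d{4,12}")) throw new IllegalArgumentException("PIN must be 4-12 digits");
        if (!pan.matches("\\d{13,19}")) throw new IllegalArgumentException("PAN must be 13-19 digits");
        // PIN field: control digit 0, PIN length as one hex digit, the PIN, then F padding to 16 digits
        StringBuilder pinField = new StringBuilder("0")
                .append(Integer.toHexString(pin.length()).toUpperCase()).append(pin);
        while (pinField.length() < 16) pinField.append('F');
        // PAN field: 0000 followed by the rightmost 12 digits of the PAN excluding the check digit
        String panNoCheck = pan.substring(0, pan.length() - 1);
        String panField = "0000" + panNoCheck.substring(panNoCheck.length() - 12);
        byte[] a = hex2byte(pinField.toString()), b = hex2byte(panField), block = new byte[8];
        for (int i = 0; i < 8; i++) block[i] = (byte) (a[i] ^ b[i]);
        return block;
    }

    /** Single DES for an 8-byte key; 3DES for 16 bytes (expanded to K1 K2 K1) or 24 bytes. */
    static Cipher ecbCipher(byte[] key, int mode) throws Exception {
        String alg;
        byte[] k = key;
        if (key.length == 8) {
            alg = "DES";                       // legacy single-length ZPK
        } else if (key.length == 16 || key.length == 24) {
            alg = "DESede";
            if (key.length == 16) {            // double-length key: K3 = K1
                k = Arrays.copyOf(key, 24);
                System.arraycopy(key, 0, k, 16, 8);
            }
        } else {
            throw new IllegalArgumentException("key must be 8, 16 or 24 bytes");
        }
        Cipher c = Cipher.getInstance(alg + "/ECB/NoPadding");
        c.init(mode, new SecretKeySpec(k, alg));
        return c;
    }

    /** Key check value: first 3 bytes of the key encrypting eight zero bytes. */
    static String kcv(byte[] key) throws Exception {
        byte[] enc = ecbCipher(key, Cipher.ENCRYPT_MODE).doFinal(new byte[8]);
        return hexString(Arrays.copyOf(enc, 3));
    }

    /** Refuse to use a key whose KCV does not match the one the provider sent, then encrypt. */
    static byte[] encryptPinBlock(byte[] clearBlock, byte[] zpk, String providerKcv) throws Exception {
        String actual = kcv(zpk);
        if (!actual.equalsIgnoreCase(providerKcv))
            throw new IllegalStateException("ZPK check value mismatch: expected " + providerKcv + ", got " + actual);
        return ecbCipher(zpk, Cipher.ENCRYPT_MODE).doFinal(clearBlock);
    }

    public static void main(String[] args) throws Exception {
        byte[] zpk = hex2byte("0123456789ABCDEFFEDCBA9876543210"); // published test key, not a real ZPK
        String providerKcv = "08D7B4";                               // the KCV supplied with that test key
        byte[] clear = clearPinBlock("1234", "4000123456789012");    // constructed PIN and PAN
        System.out.println("clear block : " + hexString(clear));    // 041235DCBA9876FE
        byte[] enc = encryptPinBlock(clear, zpk, providerKcv);
        System.out.println("encrypted   : " + hexString(enc));      // 16 hex chars = the 8 bytes for field 52
        byte[] dec = ecbCipher(zpk, Cipher.DECRYPT_MODE).doFinal(enc); // round trip, only possible with a clear test key
        System.out.println("round trip  : " + Arrays.equals(clear, dec));
    }
}
```

The KCV check is the practical point of the key check value Mark mentions: it lets you confirm you loaded the right ZPK (or the right transport-decrypted copy) before a single PIN is encrypted under it, without ever revealing the key itself.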
Yes, I am planning to use a Thales HSM.
And I have to use single DES with the ZPK.
Now I need a sample Java API which can talk to the HSM and call the commands
to encrypt the key under the LMK and translate the key.
I have these commands with me. I just want some sample code
to call the HSM and perform these operations.
NOTE: I have one more doubt. I have seen the jPOS code for encryptPIN and other
stuff. It does not say anything related to connecting to the HSM. Does jPOS not
connect to the HSM for any operation, or does it just use LMK key labels
directly from a file?
-Ramanath Pai
On Tue, Jun 30, 2009 at 2:14 PM, Mark Salter <marksal...@talktalk.net> wrote:
> > What's the procedure for encrypting the PIN block with the ZPK? That's
> > nowhere mentioned.
> > Can you please clarify that.
> It is just a triple DES encryption using the clear ZPK.
Umm…those links I sent to you yesterday happen to show you exactly what to do. If your source is DUKPT, you can use the CI/CJ commands referenced in my pieces. If it’s the Triple DES variety of DUKPT, you can use the G0/G1 command (search my blog for ‘G0’ – that’s G-zero). If your source is TPK (not seen too much anymore because it’s a compliance concern), then use the CA/CB.
The pieces make clear that (a) you can use jPOS to implement an HSM station; (b) jPOS’ FSD facility is the way to do it; and (c) here’s how to implement it with the Thales. It’s your lucky day. Your job is very easy now.
Re. your doubts: I’m confident you have already purchased the “jPOS Programmers’ Guide” from jPOS.org. In your reading, you would have encountered this sentence:
“jPOS provides a software-based security module adapter implementation called org.jpos.security.jceadapter.JCESecurityModule. This adapter can be used to simulate a hardware-based Tamper-Resistant Security Module ('TRSM') in software.”
Andy
From: jpos-users@googlegroups.com [mailto:jpos-users@googlegroups.com] On Behalf Of Ramanath Pai
Sent: Tuesday, June 30, 2009 7:39 AM
To: jpos-users@googlegroups.com
Subject: Re: Need help in constructing ISO 8583 message with Encrypted Pin Block.
Yes, I am planning to use a Thales HSM.
And I have to use single DES with the ZPK.
Now I need a sample Java API which can talk to the HSM and call the commands to encrypt the key under the LMK and translate the key.
I have these commands with me. I just want some sample code to call the HSM and perform these operations.
NOTE: I have one more doubt. I have seen the jPOS code for encryptPIN and other stuff. It does not say anything related to connecting to the HSM. Does jPOS not connect to the HSM for any operation, or does it just use LMK key labels directly from a file?
-Ramanath Pai
Now I am able to load the keys and get the encrypted value of the PIN from
the Thales HSM ... But when I use the encrypted value (a 16-digit encrypted value)
in setting field 52 of the ISO package, it gives me the following error:
"(org.jpos.iso.ISOException: Binary data length not the same as the packager
length (16/8))"
On Tue, Jun 30, 2009 at 6:38 PM, Andy Orrock <aaorr...@gmail.com> wrote:
> Umm…those links I sent to you yesterday happen to show you exactly
> what to do. If your source is DUKPT, you can use the CI/CJ commands
> referenced in my pieces. If it’s the Triple DES variety of DUKPT, you can
> use the G0/G1 command (search my blog for ‘G0’ – that’s G-zero). If your
> source is TPK (not seen too much anymore because it’s a compliance concern),
> then use the CA/CB.
Your value comes back from the Thales as the 16-position character representation of the Hex. You need to pack it into 8.
Andy
From: jpos-users@googlegroups.com [mailto:jpos-users@googlegroups.com] On Behalf Of Ramanath Pai
Sent: Wednesday, July 01, 2009 7:33 AM
To: jpos-users@googlegroups.com
Subject: Re: Need help in constructing ISO 8583 message with Encrypted Pin Block.
Hi ,
Now I am able to load the keys and get the encrypted value of the PIN from the Thales HSM ... But when I use the encrypted value (a 16-digit encrypted value) in setting field 52 of the ISO package, it gives me the following error:
"(org.jpos.iso.ISOException: Binary data length not the same as the packager length (16/8))"
Please can any one help?
-Ramanath Pai
Ramanath Pai wrote:
> Now I am able to load the keys and get the encrypted value of the PIN from
> the Thales HSM ... But when I use the encrypted value (a 16-digit encrypted value)
> in setting field 52 of the ISO package, it gives me the following error:
> "(org.jpos.iso.ISOException: Binary data length not the same as the packager
> length (16/8))"
Can you show the code you use to set the field and also the content of the value going in please?
As Andy indicates the response from the HSM will be 16 bytes, each holding a single digit character hexadecimal.
There is a helper on the ISOMsg.set method which checks for a binary target and will do the conversion, perhaps you have an old version or have no packager set on your message (yet)?
The code and content used may give a clue, also can you check or confirm the version of ISOMsg (or jPos) you are using please?
Yes, I am able to set the field to bytes by doing a hex-to-byte conversion.
Now the ISO request created [after setting the field] is ready to be sent to
the backend over TCP.
While doing that I packed the ISO request object to a byte array.
It's giving me some -ve values; is that expected?
Because I guess we should not get such values in the bytes.
Ex: bytes that we received
"2,0,34,60,0,1,40,-32,-112,0,48,80,0,7,1,32,3,35,0,0,1,0,0,0,32,3,35,7,1,21,6,8,0,0,0,5,36,53,50,54,55,48,50,48"
On Wed, Jul 1, 2009 at 8:09 PM, Mark Salter <marksal...@talktalk.net> wrote:
> Can you show the code you use to set the field and also the content of
> the value going in please?
Ramanath Pai wrote:
> Yes, I am able to set the field to bytes by doing a hex-to-byte conversion.
This could be automatic (see previous post).
> Now the ISO request created [after setting the field] is ready to be sent to
> the backend over TCP.
> While doing that I packed the ISO request object to a byte array.
> It's giving me some -ve values; is that expected?
> Because I guess we should not get such values in the bytes.
> Ex: bytes that we received
> "2,0,34,60,0,1,40,-32,-112,0,48,80,0,7,1,32,3,35,0,0,1,0,0,0,32,3,35,7,1,21,6,8,0,0,0,5,36,53,50,54,55,48,50,48"
You are displaying them as signed bytes, so any byte with the high order bit on is showing as negative (twos complement?). In this case, yes, it is what I would expect, but it isn't helping you. Perhaps use a 'watch' of ISOUtil.hexdump(byte[]) to see what you really have - the debugger is trying to be helpful and failing; it might provide a 'raw' presentation - which IDE are you using?
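Andy's "pack it into 8" and Mark's hexdump advice, as an added example. This is not code from the thread and not jPOS's own code; it only assumes jPOS (org.jpos.iso) is on the classpath. Ramanath's dump starts 2,0,34,60,... which is BCD/binary data, so the example uses ISO87BPackager, where field 52 is an 8-byte binary field. The field values and the 16-character "HSM response" are constructed stand-ins; a real encrypted PIN block is never logged in production.

```java
import java.util.Arrays;
import org.jpos.iso.ISOException;
import org.jpos.iso.ISOMsg;
import org.jpos.iso.ISOUtil;
import org.jpos.iso.packager.ISO87BPackager;

// Added example (not jPOS code, not from the thread): the HSM's 16 hex characters
// become 8 bytes in field 52; inspect the packed message with ISOUtil.hexdump.
public class Field52Demo {

    /** Minimal 0200 carrying the encrypted PIN block; fields 3, 4 and 11 are constructed values. */
    static ISOMsg buildRequest(String hsmPinBlockHex) throws ISOException {
        if (hsmPinBlockHex.length() != 16)
            throw new ISOException("expected 16 hex characters from the HSM, got " + hsmPinBlockHex.length());
        ISOMsg m = new ISOMsg();
        m.setPackager(new ISO87BPackager());          // binary packager: field 52 is IFB_BINARY(8)
        m.setMTI("0200");
        m.set(3, "000000");
        m.set(4, "000000001000");
        m.set(11, "000001");
        m.set(52, ISOUtil.hex2byte(hsmPinBlockHex));  // 16 hex characters -> 8 bytes
        return m;
    }

    /** The mistake behind "(16/8)": handing the 16 ASCII characters to the field as bytes. */
    static String wrongWay(String hsmPinBlockHex) throws ISOException {
        ISOMsg m = buildRequest(hsmPinBlockHex);
        m.set(52, hsmPinBlockHex.getBytes());         // 16 bytes into an 8-byte binary field
        try {
            m.pack();
            return "packed without error";
        } catch (ISOException e) {
            return e.getMessage();                    // "...Binary data length not the same as the packager length (16/8)"
        }
    }

    public static void main(String[] args) throws ISOException {
        String fromHsm = "1F2E3D4C5B6A7988";          // constructed stand-in for the HSM response
        byte[] packed = buildRequest(fromHsm).pack();

        // What the debugger showed: Java bytes are signed, so 0xE0 prints as -32
        System.out.println(Arrays.toString(packed));
        // What you actually want to look at: unsigned hex with an ASCII column
        System.out.println(ISOUtil.hexdump(packed));
        // Or the bracketed hex string asked for later in the thread
        System.out.println("[" + ISOUtil.hexString(packed) + "]");

        // The negative numbers are not corruption: unpack and compare field 52
        ISOMsg back = new ISOMsg();
        back.setPackager(new ISO87BPackager());
        back.unpack(packed);
        System.out.println("field 52 intact: " + fromHsm.equals(ISOUtil.hexString(back.getBytes(52))));

        System.out.println(wrongWay(fromHsm));
    }
}
```

Two things the dump tells you: the bitmap and BCD fields legitimately contain bytes above 0x7F, which a signed print shows as negatives, and field 52 occupies exactly 8 bytes in the packed output only because the value was set as bytes, not as the 16-character string.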
Ramanath Pai wrote:
> So hexdump and ASCII dumps are the same, right?
Not really...
ASCII is a character set; you might build a hex dump using ASCII characters.
Perhaps you should try it and see what you get. Paste the output here with any questions, but also scan this mailing list, we had some recent discussion about hex dumps and what the different areas are trying to say.
Your message was binary, so you will have no ASCII characters in your raw values - unless they happen to occur in your bitmap.
If you are expecting ASCII characters in your result, then you need to check the packager you are using matches your specification!
Need help in converting the ASCII or hex dump to a clear string like in
the following format
[02001113434145423411630500007012323221111112323220701150608000000055267020100000582]
For ex: 0200 is the MTI string .. ]
I want the ISO request object created to split out the clear string of the
data it created.
> Need help in converting the ASCII or hex dump to a clear string like in
> the following format
> [02001113434145423411630500007012323221111112323220701150608000000055267020100000582]
> For ex: 0200 is the MTI string .. ]
So you have a byte[] and you want a string holding the hex string of the binary data? It is always best to be very clear on what you are asking...
String result = "[" + ISOUtil.hexString(bytes) + "]"; // bytes is your packed byte[]
might do you?
> I want the ISO request object created to split out the clear string of the
> data it created.
See, I have created the ISO request object from jPOS. When I see the hex
dump of the request it prepends some $ and other hex characters.
I want to check how jPOS will send this request while connecting to some
switch or backend server.
Is there any API in jPOS used to send the ISO request?
-Ramanath Pai
On Thu, Jul 2, 2009 at 12:34 PM, Mark Salter <marksal...@talktalk.net> wrote:
> So you have a byte[] and you want a string holding the hex string of
> the binary data? It is always best to be very clear on what you are
> asking...
> String result = "[" + ISOUtil.hexString(byte[]) + "]";
> might do you?
One more thing I need to know about this jPOS ISO structure.
When I just create a string according to the 0200 request message structure, I
get a definite string, starting from the MTI to the last field value, that is field
52.
But when I create an object from the jPOS API ISOMsg in AsciiPackager it gives me
a string almost the same as the manually constructed string but with some
extra 4-5 values in it.
For ex:
Manually
0200623C000128E09000165267020100000582305000070214181900000214181907021506080000000215215267020100000582=1506
ISO Msg API
0200623C000128E09000181652670201000005823050000702155101000001000000155101070215061008000000021523215267020100000582=1506
> Do you have the jPOS programmers guide ? this is discussed in detail there,
> otherwise look at the client and server simulator examples in the code.
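The extra characters in the packager's output, as an added example of what the programmers' guide covers. This is not code from the thread and not jPOS's own code; it assumes jPOS (org.jpos.iso) is on the classpath and uses ISO87APackager, where fields 2 and 35 are LLVAR (two ASCII length digits precede the value) while field 3 is fixed length. The PAN and track 2 values are constructed.

```java
import java.nio.charset.StandardCharsets;
import org.jpos.iso.ISOException;
import org.jpos.iso.ISOMsg;
import org.jpos.iso.packager.ISO87APackager;

// Added example (not jPOS code, not from the thread): variable-length fields carry an
// LL prefix, which is why the packed message is longer than a hand-built string.
public class LengthPrefixDemo {

    static final String PAN = "4000123456789012";                // constructed, 16 digits
    static final String TRACK2 = "4000123456789012=25121011234";  // constructed, 28 characters

    static ISOMsg build() throws ISOException {
        ISOMsg m = new ISOMsg();
        m.setPackager(new ISO87APackager());
        m.setMTI("0200");
        m.set(2, PAN);        // IFA_LLNUM: packs as "16" + PAN
        m.set(3, "000000");   // IFA_NUMERIC(6): fixed length, no prefix
        m.set(35, TRACK2);    // IFA_LLNUM: packs as "28" + track 2 data
        return m;
    }

    /** Walk the packed ASCII text for exactly fields 2, 3 and 35 and show where the LL prefixes sit. */
    static String describe(byte[] packedBytes) {
        String p = new String(packedBytes, StandardCharsets.ISO_8859_1);
        StringBuilder sb = new StringBuilder();
        int pos = 0;
        sb.append("MTI        ").append(p, pos, pos + 4).append('\n');
        pos += 4;
        sb.append("bitmap     ").append(p, pos, pos + 16).append('\n');
        pos += 16;
        int ll = Integer.parseInt(p.substring(pos, pos + 2));         // field 2 length prefix
        sb.append("f2  LL=").append(ll).append("  ").append(p, pos + 2, pos + 2 + ll).append('\n');
        pos += 2 + ll;
        sb.append("f3         ").append(p, pos, pos + 6).append('\n');
        pos += 6;
        ll = Integer.parseInt(p.substring(pos, pos + 2));             // field 35 length prefix
        sb.append("f35 LL=").append(ll).append("  ").append(p, pos + 2, pos + 2 + ll).append('\n');
        pos += 2 + ll;
        sb.append("consumed ").append(pos).append(" of ").append(p.length()).append(" characters\n");
        return sb.toString();
    }

    public static void main(String[] args) throws ISOException {
        byte[] packed = build().pack();
        String asText = new String(packed, StandardCharsets.ISO_8859_1);
        System.out.println(asText);

        // A hand-built string that forgets the two LL prefixes is 4 characters shorter
        String handBuilt = "0200" + asText.substring(4, 20) + PAN + "000000" + TRACK2;
        System.out.println("packager output is " + (asText.length() - handBuilt.length()) + " characters longer");
        System.out.print(describe(packed));

        // Unpacking proves the prefixes are consumed and the values come back intact
        ISOMsg back = new ISOMsg();
        back.setPackager(new ISO87APackager());
        back.unpack(packed);
        System.out.println("f2 round trip: " + PAN.equals(back.getString(2))
                + ", f35 round trip: " + TRACK2.equals(back.getString(35)));
    }
}
```

The receiving switch parses the message with the same packager definition, so the prefixes are not noise: without them the far end cannot tell where a variable-length PAN or track 2 field ends, which is why the packager's output, not the hand-built string, is what must go on the wire.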