Pin Encryption: How to load Encrypted ZPK Key to JCESMAdaptor in jpos?

Pugazhendhi T

Sep 5, 2013, 7:34:49 AM
to jpos-...@googlegroups.com

Hi All,

I am trying to use the JCE Security module for PIN encryption.

Our system behaves as Acquirer. We need to encrypt the PIN and send it to the Network; this is my objective.

Keys

Clear Component 1          :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx C7CD     8232 27
Clear Component 2          :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx BCF8     40AD A6
Clear Component 3          :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx BA61     2B99 08

Encrypted ZMK              :   N/A                                         23EE 52
Encrypted ZPK under ZMK    :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx 627B     E103 1C

How to load the following keys to the JCE Security Module?

Do we need the LMK key file from the customer (I mean, whether the LMK key file should be the same for both Acquirer & Network), or can we have our own LMK key? Any idea on this?

FYI
------
I am following steps as follows in jpos.

Plain Text PIN       =  1234

PAN                           =  36070500001012

JCESecurityModule sec = new JCESecurityModule();
sec.encryptPIN("1234","36070500001012");

I am getting the exception as:
org.jpos.security.SMException: Invalid key code: LMK0x0004
    at org.jpos.security.jceadapter.JCESecurityModule.getLMK(JCESecurityModule.java:1538)
    at org.jpos.security.jceadapter.JCESecurityModule.encryptPINImpl(JCESecurityModule.java:246)
    at org.jpos.security.BaseSMAdapter.encryptPIN(BaseSMAdapter.java:197)
    at org.jpos.security.BaseSMAdapter.encryptPIN(BaseSMAdapter.java:208)
    at PinEncryptionTest.main(PinEncryptionTest.java:28)


Thanks
T.Pugazhendhi


Victor Salaman

Sep 5, 2013, 7:37:26 AM
to jpos-...@googlegroups.com
Hi:

What you actually need is a real HSM. Now don't tell me you're still on the "testing" path!

/V


Pugazhendhi T

Sep 5, 2013, 7:45:40 AM
to jpos-...@googlegroups.com
Hi Victor, the PO is not signed by the client, but they have started sharing the documents with us. Soon we will buy the commercial license if we are sure of our process.

We are trying to simulate an acquirer, not a live system.

Thanks for your reply.

How do I use the JCESMAdaptor? In the docs it's mentioned that it will simulate an HSM.

Pugazhendhi T

Sep 5, 2013, 8:03:13 AM
to jpos-...@googlegroups.com
If anyone has experience with PIN encryption, could you please share your thoughts? And is it possible to do this with the JCESM Adaptor or the Thales HSM Simulator, with the above data I shared?

My doubt is about the LMK key file: do the LMK keys need to be the same in Acquirer and Network, so that I can load the LMK key to the Thales HSM Simulator or the JCE SM Adaptor?

chhil

Sep 5, 2013, 8:13:54 AM
to jpos-users

You should be able to test with either the jpos security adaptor or the Thales sim.

Thales sim needs a TCP channel and its fsd packager to work. Then use Thales commands to import the zmk.

For the jpos one, you need to import the key using the console app provided so that you get the key under lmk.

The key under lmk from either process needs to be stored securely somewhere.
Use the appropriate commands with either approach to save the pin working key (usually exchanged encrypted under the zmk).

Then use commands available to do pin translation / verification.

The above is very simplistically stated; it's a more involved process and you really need to understand what you are doing in a secure manner.

-chhil


Pugazhendhi T

Sep 5, 2013, 8:35:08 AM
to jpos-...@googlegroups.com

Hi chhil,

I have the following keys. Do I need the LMK key file too, or do I have to generate it with the following data?

I understand that using the three clear components we can derive the ZMK key.

Using the ZMK key I need to decrypt the Encrypted ZPK key to get the clear key (ZPK) for the PIN encryption.

Can you correct me if I am wrong?

How do I use this console app in jpos to load my keys?


Keys

Clear Component 1          :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx C7CD     8232 27
Clear Component 2          :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx BCF8     40AD A6
Clear Component 3          :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx BA61     2B99 08

Encrypted ZMK              :   N/A                                         23EE 52
Encrypted ZPK under ZMK    :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx 627B     E103 1C



chhil

Sep 5, 2013, 9:06:23 AM
to jpos-users
Each HSM has its own LMK file. Both the Thales Sim and jpos adaptor come with a default (jpos generates a default file using a command line switch). You can change them and point to it to use your values.

Search for  Console class. Read the code, read the help you get when you run it from command line (without params).

-chhil


Pugazhendhi T

Sep 5, 2013, 9:31:20 AM
to jpos-...@googlegroups.com
Hi chhil,

If I use my own values (I mean LMK keys), will it make a difference in the computation? Because, as you say, every HSM will have its own LMK key. If they share the Encrypted ZPK & 3 clear components generated with that LMK key, and I want to use them for my PIN encryption, I need to decrypt the Encrypted ZPK with the ZMK formed from the 3 clear components.

Is it correct to use our own LMK key? How do real systems behave?

How can we cross-check whether our computation is correct or not?

thanks
T.Pugazhendhi

Pugazhendhi T

Sep 5, 2013, 9:46:06 AM
to jpos-...@googlegroups.com


To make very clear with my scenario:

                                       --------------
                                       | Thales HSM |
                                       --------------
                                             |
                                             |   (Network connected with Thales HSM)
                                             |
   ------------                         -----------
   | Acquirer |   ------------------>   | Network |
   ------------                         -----------
 (jpos - I am developing)               (Customer)


Step 1: For a PIN-based transaction, I need to encrypt the PIN using the ZPK key.

Step 2: I have the following keys shared from the customer.
 
Keys                                                                   Check Digit

Clear Component 1          :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx C7CD     8232 27
Clear Component 2          :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx BCF8     40AD A6
Clear Component 3          :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx BA61     2B99 08

Encrypted ZMK              :   N/A                                         23EE 52

Encrypted ZPK under ZMK    :   xxxx xxxx xxxx xxxx xxxx xxxx xxxx 627B     E103 1C


Step 3: I need to generate the ZMK key from Clear Component 1, Clear Component 2 & Clear Component 3.

Step 4: Decrypt the Encrypted ZPK with the ZMK key generated in Step 3.

Step 5: Encrypt the PIN with the ZPK.

To do these steps, is the LMK key needed from the customer, or can we have our own LMK key generated?

What is the use of the check digit?

Thanks
T.Pugazhendhi


Mark Salter

Sep 5, 2013, 1:50:40 PM
to jpos-...@googlegroups.com
You really must seek to educate yourself on the process elsewhere, this
is off topic really here.

On 05/09/2013 14:31, Pugazhendhi T wrote:

> If i use my own values ( i mean LMK Keys) , will it make difference in
> computation .
No, of course not - as a Local Master Key is unique to each system and
possibly each HSM on the planet.

Your LMK is used to encrypt any keys you want to hold on your system.

The keys for the various purposes can be kept on file because they are
encrypted under your LMK.

The clear key is made clear and used in the relevant algorithm inside an
HSM - never anywhere else.


> Because, as you say every HSM will have their own LMK
> key. if they share the Encrypted ZPK & 3 Clear components. generated
> with that LMK Key . if i want to use for my pin encryption , i need to
> decrypt the Encrypted ZPK from ZMK formed from 3 clear components .
The ZPK you have been given needs to be decrypted under the ZMK and
re-encrypted under your LMK, all inside the HSM. The encrypted result
is what is kept on your file for later return to the HSM so it can use it.

>
> Is it correct to use our own LMK key ?
Yes, multiple LMKs normally.

> How do real system behaves?
Please see above and...

.. google; these processes, mechanisms, behaviour and approaches are
documented in full in many places.

>
> How we can cross check our computation is correct or not . ?

You probably already have a Key Check Value, this is the result of
encrypting hex zeros with the key that is secret.


--
Mark
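
The cross-check described in the reply above, as an added example that is not code from the thread or from jPOS: it XORs three clear components into a ZMK, computes key check values by encrypting zeros, and confirms that a ZPK decrypted under the rebuilt ZMK has the check value the sender supplied. All key values are constructed test data; it assumes Java 17+ (for `HexFormat`), double-length 3DES keys, a 6-hex-digit check value, and plain 3DES-ECB key encryption, so a sender using a variant or key-block scheme will not match.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.HexFormat;

public class ZpkImportCheck {
    static final HexFormat HEX = HexFormat.of().withUpperCase();

    // XOR equal-length clear components into one key (how the ZMK is formed).
    static byte[] combine(byte[]... parts) {
        byte[] key = new byte[parts[0].length];
        for (byte[] p : parts) {
            if (p.length != key.length) throw new IllegalArgumentException("length mismatch");
            for (int i = 0; i < key.length; i++) key[i] ^= p[i];
        }
        return key;
    }

    // 3DES-ECB with a double-length key K1|K2, expanded to K1|K2|K1 for JCE.
    static byte[] tdes(int mode, byte[] key16, byte[] data) throws Exception {
        byte[] key24 = new byte[24];
        System.arraycopy(key16, 0, key24, 0, 16);
        System.arraycopy(key16, 0, key24, 16, 8);
        Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
        c.init(mode, new SecretKeySpec(key24, "DESede"));
        return c.doFinal(data);
    }

    // Key check value: encrypt eight zero bytes, keep the first three (6 hex digits).
    static String kcv(byte[] key16) throws Exception {
        return HEX.formatHex(tdes(Cipher.ENCRYPT_MODE, key16, new byte[8]), 0, 3);
    }

    public static void main(String[] args) throws Exception {
        // Constructed test values; none of these are keys from the thread.
        byte[] c1 = HEX.parseHex("0123456789ABCDEFFEDCBA9876543210");
        byte[] c2 = HEX.parseHex("1032547698BADCFEEFCDAB8967452301");
        byte[] c3 = HEX.parseHex("A1B2C3D4E5F60718293A4B5C6D7E8F90");
        byte[] zmk = combine(c1, c2, c3);
        System.out.println("component KCVs: " + kcv(c1) + " " + kcv(c2) + " " + kcv(c3));
        System.out.println("ZMK KCV:        " + kcv(zmk));

        // Stand-in for the sender: a test ZPK and its cryptogram under the ZMK.
        byte[] zpk = HEX.parseHex("89ABCDEF0123456776543210FEDCBA98");
        byte[] zpkUnderZmk = tdes(Cipher.ENCRYPT_MODE, zmk, zpk);
        String sentKcv = kcv(zpk);

        // Receiver: decrypt under the rebuilt ZMK and compare check values.
        byte[] recovered = tdes(Cipher.DECRYPT_MODE, zmk, zpkUnderZmk);
        System.out.println("ZPK KCV match:  " + kcv(recovered).equals(sentKcv));
    }
}
```

A mismatch on a component's check value points at a mistyped component; a mismatch only on the ZPK points at the wrong ZMK or a different key-encryption scheme.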

chhil

Sep 6, 2013, 1:08:10 AM
to jpos-users
Mark,
Great job explaining it.

Pughazhendhi,
http://jpos.org/wiki/HSM_basics
http://jpos.org/wiki/HSM_basics_continued
http://www.m-sinergi.com/hairi/hthalesadaptor/ [a thales adaptor that works with jpos to talk to a thales hsm or even a thalessim, I haven't used it but you can always look at the code to move forward]
I have also attached a pdf that I had written up and you may find useful. It references a thales spec sections 3.1 and 3.2 for tables. These can be found in the copyright thales spec shared on the hairi page referenced above.

-chhil


HSM and Thales Basics using the Thales Simulator.pdf

Pugazhendhi T

Sep 6, 2013, 5:12:09 AM
to jpos-...@googlegroups.com

Hi chhil & Mark, thanks for your help. I have successfully done my PIN encryption. Thanks a lot to you guys.

chhil

Sep 6, 2013, 11:31:55 PM
to jpos-users

You are welcome.
I hesitantly ask the approach you have taken and precautions taken to secure the keys.

-chhil


murali5999

Aug 31, 2018, 8:38:21 AM
to jPOS Users
Hi Pugazhendhi and chhil,

Great explanation.

Can you please guide me on this? I have created an LMK file with the following command.

 java -jar jpos-1.9.6.jar -c "smconsole -lmk /tmp/test.lmk -rebuildlmk; shutdown --force"

Then I replaced all the values in the LMK file, from LMK0x00 to LMK0x0e, with the single value 9B204323F7460EF7EAxxx4C1209DE01A9B204323F7460EFE

The LMK file looks like this:

LMK0x01=9B204323F7460EF7EAxxx4C1209DE01A9B204323F7460EFE
LMK0x00=9B204323F7460EF7EAxxx4C1209DE01A9B204323F7460EFE
LMK0x09=9B204323F7460EF7EAxxx4C1209DE01A9B204323F7460EFE
...
LMK0x0e=9B204323F7460EF7EAxxx4C1209DE01A9B204323F7460EFE

Then I executed the following command to import the ZPK:

 import ZPK
java -jar jpos-1.9.6.jar -c "smconsole -lmk test.lmk FK 128 ZPK ZPK_KEY_FROM_PROVIDER_GOES_HERE 00000000000000000000000000000000 00000000000000000000000000000000; shutdown --force"

My doubt is: should I use the ZPK key from the provider, given as the ZPK under ZMK value, or the ZPK translated with the ZMK (got from clear components) and LMK key? Here the ZPK is in encrypted form.

Then I used the following code to generate the encrypted PIN block to pass to the ATM switch along with the ISO message. Here I have not used an HSM hardware module.

generate pinblock using JPOS
    JCESecurityModule jcesecmod = new JCESecurityModule("/tmp/test.lmk", "com.sun.crypto.provider.SunJCE");
    String pin = "1234";
    System.out.println("PIN ==>> " + pin);
    // Original PAN number is 4593511985236238; I have used the rightmost 12 digits
    String pan = "511985236238";
    System.out.println("PAN ==>> " + pan);
    String zpkKey = "NEW_ZPK_GENERATED"; // here goes the secure-des-key generated in the previous step
    System.out.println("ZPK KEY ==>> " + zpkKey);
    SecureDESKey sdk = new SecureDESKey(SMAdapter.LENGTH_DES3_2KEY, SMAdapter.TYPE_ZPK, zpkKey, "026268");
    EncryptedPIN pinUnderLMK = jcesecmod.encryptPINImpl(pin, pan);
    System.out.println("pinUnderLMK ==>>" + ISOUtil.hexString(pinUnderLMK.getPINBlock()));
    EncryptedPIN pinUnderZPK = jcesecmod.exportPINImpl(pinUnderLMK, sdk, SMAdapter.FORMAT00);
    System.out.println("pinUnderZPK ==>>" + ISOUtil.hexString(pinUnderZPK.getPINBlock()));

Please correct me if I did wrong.

Thanks for Support..
Murali 

Ahmed Mohamedin

Aug 8, 2019, 7:43:31 PM
to jPOS Users
You should use the rightmost 13 digits and exclude the last digit, so you will have 12 digits, and that's the account number,
like this:
4593511985236238 The PAN
351198523623 The account number
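
The account-number rule from the reply above, as an added example that is not code from the thread or from jPOS: it builds the clear ISO 9564 format 0 PIN block (the format the earlier post selects with `SMAdapter.FORMAT00`) and shows that the rightmost-12 value used in that post gives a different block from the one the receiving side will compute. The class and method names are hypothetical; the PAN and PIN are the ones quoted in the thread.

```java
public class PinBlockFormat0 {
    // Account number field: the 12 rightmost PAN digits, excluding the final check digit.
    static String accountNumber(String pan) {
        if (!pan.matches("\\d{13,19}"))
            throw new IllegalArgumentException("PAN must be 13-19 digits");
        return pan.substring(pan.length() - 13, pan.length() - 1);
    }

    // Clear format 0 block: (0 | PIN length | PIN | F padding) XOR (0000 | account number).
    static String clearPinBlock(String pin, String account12) {
        if (!pin.matches("\\d{4,12}"))
            throw new IllegalArgumentException("PIN must be 4-12 digits");
        if (!account12.matches("\\d{12}"))
            throw new IllegalArgumentException("account number must be 12 digits");
        String pinField = ("0" + Integer.toHexString(pin.length()) + pin
                + "FFFFFFFFFFFFFF").substring(0, 16);
        String panField = "0000" + account12;
        StringBuilder block = new StringBuilder(16);
        for (int i = 0; i < 16; i++) {
            int nibble = Character.digit(pinField.charAt(i), 16)
                       ^ Character.digit(panField.charAt(i), 16);
            block.append(Character.toUpperCase(Character.forDigit(nibble, 16)));
        }
        return block.toString();
    }

    public static void main(String[] args) {
        String pan = "4593511985236238"; // PAN quoted in the thread
        String pin = "1234";

        String correct = accountNumber(pan);               // drops the check digit
        String mistaken = pan.substring(pan.length() - 12); // rightmost 12, check digit kept

        System.out.println("account number (correct):  " + correct);
        System.out.println("account number (mistaken): " + mistaken);
        System.out.println("block (correct):  " + clearPinBlock(pin, correct));
        System.out.println("block (mistaken): " + clearPinBlock(pin, mistaken));
    }
}
```

Because the account number is XORed into the block before encryption, a receiver that uses the correct 12 digits recovers garbage PIN digits from a block built with the mistaken ones, which typically surfaces as a PIN verification or format error rather than a key error.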