Command 1: get combined ZMK
java -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-ST-q2.jar -c "smconsole -lmk lmk.key -jce org.bouncycastle.jce.provider.BouncyCastleProvider FK 128 ZMK <Clear Key1> <Clear Key2> <Clear key3>"
Clear Key 1, Clear Key 2 and Clear Key 3 were shared by the bank.
The output KCV ("check-value") matches the KCV shared by the bank, so I am assuming that the clear-text ZMK is correct.
Then I try to get the KCV of the encrypted ZPK; that process also works, but the "check-value" does not match what the bank shared.
Command 2: (get check-value of ZPK)
java -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-ST-q2.jar -c "smconsole -jce org.bouncycastle.jce.provider.BouncyCastleProvider -lmk lmk.key IK 128 <encrypted zpk> 128 ZMK <ZMK got in last previous command> <check value got in previous command>"
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/ba26a94d-cedc-4bee-9791-cca032d3c777n%40googlegroups.com.
java -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-SNAPSHOT-q2.jar -c "smconsole -jce org.bouncycastle.jce.provider.BouncyCastleProvider -lmk lmk.key IK 128 TPK D67BCE2AF5508A0E8705BC05AE0BC69B 128 ZMK 393DD47AE3791D5119631D0684790632 E7472E"
Trying to find out the command executed at the HSM owner's end, will update here.
java -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-ST-q2.jar -c "smconsole -jce org.bouncycastle.jce.provider.BouncyCastleProvider -lmk lmk.key IK 128 ZPK E61BCE2AF5508A0E8705BC05AE0BC68B 128 ZMK D48177CDD2ED9E43BB607D9BEE21B17F E7472E"
I was getting the error below:
" <security-module-exception>
Parity not adjusted
org.jpos.security.jceadapter.JCEHandlerException: Parity not adjusted"
To overcome this error, I commented out lines 1474 and 1475 in the file jPOS/jpos/src/main/java/org/jpos/security/jceadapter/JCESecurityModule.java:
Line 1474 - if (!Util.isDESParityAdjusted(clearKeyBytes))
Line 1475 - throw new JCEHandlerException("Parity not adjusted");
This change removed the "Parity not adjusted" error, but I am not sure if it is causing any issue.
LMK0x00=527901263191B9C1E576FDB32C49A7FD527901263191B9C7
Commenting out the line won't work; the parity needs to be adjusted to odd parity for your input ZPK cryptogram.
Changing the parity does not change the cryptogram.
What you need to do is call adjustParity to fix the parity on your ZPK and use that.
https://github.com/jpos/jPOS/blob/096227e42b3edd63a4187eba48da145630dc502d/jpos/src/main/java/org/jpos/security/Util.java#L53
Output: E61ACE2AF4518A0E8604BC04AE0BC78A
Use E61ACE2AF4518A0E8604BC04AE0BC78A as your ZPK instead of E61BCE2AF5508A0E8705BC05AE0BC68B.
Another simple example: the key 0909090909090909 has even parity, and adjusting it to odd parity makes it 0808080808080808.
You need to understand that the key contents are the same; only the parity bits are changed from even to odd. If you passed 0808080808080808 into the method, the output would be 0808080808080808, as it is already odd parity.
-chhil
public Key decryptDESKey(short keyLength, byte[] encryptedDESKey, Key encryptingKey, boolean checkParity)
        throws JCEHandlerException {
    // decrypt the cryptogram under the encrypting key (e.g. the ZMK) to get the clear key bytes
    byte[] clearKeyBytes = doCryptStuff(encryptedDESKey, encryptingKey, Cipher.DECRYPT_MODE);
    // the parity check is applied to the decrypted clear key, and only when the caller asks for it
    if (checkParity && !Util.isDESParityAdjusted(clearKeyBytes)) {
        throw new JCEHandlerException("Parity not adjusted");
    }
    return formDESKey(keyLength, clearKeyBytes);
}
if (checkParity && !Util.isDESParityAdjusted(clearKeyBytes)) { throw new JCEHandlerException("Parity not adjusted"); }
with
<result name="Imported Key">
<secure-des-key length="128" type="ZPK" variant="0" scheme="X">
<data>9358E4144035F52BE321AF0A297FB2E1</data>
<check-value>23A270</check-value>
</secure-des-key>
</result>
Step 1: (Create 3 clear keys)
Online-AUTH>GC
Enter LMK id [0-9]: 0
Enter key length [1,2,3]: 2
Enter key type: 000
Enter key scheme: U
Online-AUTH>GC
Enter LMK id [0-9]: 0
Enter key length [1,2,3]: 2
Enter key type: 000
Enter key scheme: U
Online-AUTH>GC
Enter LMK id [0-9]: 0
Enter key length [1,2,3]: 2
Enter key type: 000
Enter key scheme: U
Step 2: (Create ZMK under LMK)
Online-AUTH>FK
Enter LMK id [0-9]: 0
Enter key length [1,2,3]: 2
Enter key type: 000
Enter key scheme: U
Enter component type [X,H,T,E,S]: X
Enter number of components [1-9]: 3
Enter component 1: *******************
Enter component 2: *******************
Enter component 3: *******************
ZPK Activity
Step 3: (Create ZPK clear component)
Online-AUTH>GC
Enter LMK id [0-9]: 0
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: U
Step 4: (XOR, encrypt ZPK under LMK)
Online-AUTH>FK
Enter LMK id [0-9]: 0
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: U
Enter component type [X,H,T,E,S]: X
Enter number of components [1-9]: 1
Step 5: (Create encrypted/exported ZPK under ZMK)
Online-AUTH>KE
Enter LMK id [0-9]: 0
Enter key type: 001
Enter key scheme: X
Enter ZMK: <output of step 2>
Enter ZMK Variant: press Enter
Enter key under LMK: <output of step 4>
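An added example, not jPOS or Thales code, in Go (standard library crypto/des only), tying together chhil's parity explanation earlier in the thread and the FK / KE / IK flow in the steps above. Assumptions, also marked in the code: a scheme-X cryptogram is modelled as two-key TDES (K1,K2,K1) in ECB over each 8-byte block with no LMK variant applied; the KCV is the first three bytes of the key encrypting a block of zeros; the three components are made-up values; the ZPK is the value quoted in the thread. The import path checks parity on the decrypted clear key, as the decryptDESKey source posted above does, so the block shows both outcomes: a ZPK with even-parity bytes raises "Parity not adjusted", and the same ZPK with parity fixed before it was encrypted under the ZMK imports cleanly with the same KCV.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
	"strings"
)

// isDESParityAdjusted reports whether every byte has odd parity, the DES convention
// the import path checks on the decrypted clear key.
func isDESParityAdjusted(key []byte) bool {
	for _, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			return false
		}
	}
	return true
}

// adjustParity flips the parity (least-significant) bit of every even-parity byte;
// the 56 effective key bits per DES block are untouched, so it is the same key.
func adjustParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			b ^= 0x01
		}
		out[i] = b
	}
	return out
}

// combineComponents XORs equal-length clear components (what FK does with X-type
// components) and returns the parity-adjusted result.
func combineComponents(components ...[]byte) ([]byte, error) {
	key := make([]byte, len(components[0]))
	for _, c := range components {
		if len(c) != len(key) {
			return nil, errors.New("component length mismatch")
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return adjustParity(key), nil
}

// tdesECB runs two-key TDES (K1,K2,K1) in ECB over 8-byte blocks. Assumption: this is
// how a scheme-X cryptogram is formed; no LMK variant is applied here.
func tdesECB(key, data []byte, decrypt bool) ([]byte, error) {
	if len(key) != 16 || len(data) == 0 || len(data)%8 != 0 {
		return nil, errors.New("need a 16-byte key and whole 8-byte blocks")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += 8 {
		if decrypt {
			c.Decrypt(out[i:i+8], data[i:i+8])
		} else {
			c.Encrypt(out[i:i+8], data[i:i+8])
		}
	}
	return out, nil
}

// kcv is the 6-hex-digit check value: the key encrypting a zero block, truncated (assumed convention).
func kcv(key []byte) (string, error) {
	ct, err := tdesECB(key, make([]byte, 8), false)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(ct[:3])), nil
}

// importKey mirrors the IK path: decrypt under the ZMK and reject a clear key with
// bad parity instead of silently adjusting it.
func importKey(cryptogram, zmk []byte) ([]byte, error) {
	clear, err := tdesECB(zmk, cryptogram, true)
	if err != nil {
		return nil, err
	}
	if !isDESParityAdjusted(clear) {
		return nil, errors.New("Parity not adjusted")
	}
	return clear, nil
}

func main() {
	// Constructed components; the ZPK is the value quoted in the thread.
	c1, _ := hex.DecodeString("0123456789ABCDEF0123456789ABCDEF")
	c2, _ := hex.DecodeString("FEDCBA9876543210FEDCBA9876543210")
	c3, _ := hex.DecodeString("1357913579BDF024FEDCBA9876543210")
	zmk, _ := combineComponents(c1, c2, c3)
	cv, _ := kcv(zmk)
	raw, _ := hex.DecodeString("E61BCE2AF5508A0E8705BC05AE0BC68B")
	zpk := adjustParity(raw) // E61ACE2AF4518A0E8604BC04AE0BC78A
	good, _ := tdesECB(zmk, zpk, false)
	bad, _ := tdesECB(zmk, raw, false) // the clear key inside has even-parity bytes
	_, errGood := importKey(good, zmk)
	_, errBad := importKey(bad, zmk)
	fmt.Printf("ZMK %X kcv %s\nadjusted ZPK import err=%v\nunadjusted ZPK import err=%v\n", zmk, cv, errGood, errBad)
}
```

The KCV of 0909090909090909... and of 0808080808080808... come out identical because DES discards the parity bits in the key schedule, which is the concrete meaning of "the key contents are the same"; what the import path rejects is not a different key but a clear key whose parity bits were never set, so fix parity on the clear value before it is encrypted under the ZMK rather than on the cryptogram or by removing the check.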
java -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-SNAPSHOT-q2.jar -c "smconsole -lmk lmk.key -jce org.bouncycastle.jce.provider.BouncyCastleProvider FK 128 ZMK component1 component2 Component3"
I am aware that the scheme can be given inline as ZMK:1U (U scheme), but I guess that is about the output value, not about specifying that the components are in the U scheme.