Re: [jpos-users] Using JPOS DUKPT to decrypt track2 data.

[Alejandro Revilla]

Take a look at https://github.com/jpos/jPOS/blob/master/jpos/src/test/java/org/jpos/security/jceadapter/DUKPTTest.java

Perhaps you can load your test data into a test and see if it works for you.

There's a complex process, defined in ANSX9.24 that combines your KSN and BDK to derive the unique key used to decrypt that transaction. To make things more complex, there's a difference between PIN encryption and DATA encryption (like the one you see in track2). jPOS DUKPT supports both, so it should be a good starting point.

--

@apr

On Mon, Sep 19, 2016 at 3:15 PM, <derin...@gmail.com> wrote:

Greetings to you all.

1. I do not really know, if my question fits into this forum.

2. Already tried reading through the algorithm to use in decrypting this data, but still not getting the needed result ought to be gotten.

This is where my challenge comes from

in the process of trying to decrypt an encrypted (track2 data) from a device, i am having a little challenge while trying to decrypt this data, so as to be able to get my PAN and some other data from it (in carrying out a transaction).

In decrypting this data (after reading through the document that was been given), while taking note of its Base Derivation Key(BDK), Initially loaded key serial number and the initially loaded pin entry device key. 

I have the below example in the document given, i was made to know that they actually used a 3DES-128 bits CBC Mode (padding zero) method. 

and, the following are the data that were been used for its encryption. 

        Base Derivation Key (BDK):                                 0123456789ABCDEFFEDCBA9876543210 
        Initially Loaded Key Serial Number (KSN):         FFFF9876543210E00000 
        Initially Loaded PIN Entry Device Key:                 6AC292FAA1315B4D858AB3A3D7D5933A 

Data Encryption key variant 
Initially Loaded Key Serial Number (KSN):               FFFF9876543210E00001 
Data Encryption key variant:                                  448D3F076D8304036A55A3D7E0055A78 
Track 2 Data (Plaintext):                                        1234567890ABCDEFFEDCBA0987654321 

(Encrypt by 3DES-128 bits CBC Mode (padding zero)) 
Track 2 Data (Encrypted):                                D0911CD510047AC6AEE9CE8AFEDA9301 


my question now is, how was the plaintext gotten from the encrypted data, because i tried using the below method below in carrying out this operation, and also used the JPOS security package, but wasn't close to getting the accurate result. 

Although, this is what i have been able to do..trying to make use of this simple algorithm, but not getting it at all. 

public String do3DESDecryption(String key, String text) {
        String decryptedInfo = null;
        try {
            String key1 = key.substring(0, 16);
            String key2 = key.substring(16);
            decryptedInfo = doDESDecryption(key1, text);
            decryptedInfo = doDESEncryption(key2, decryptedInfo);
            decryptedInfo = doDESDecryption(key1, decryptedInfo);
        } catch (Exception ex) {
            System.out.println("What's happening"+ex.getMessage());
            ex.printStackTrace();
        }

        return decryptedInfo;
    }

Will be so glad, if i can see where i am getting this wrong.

Thanks for your time in reading this.

Hoping to hearing from you all.

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/4b682646-892b-4b81-bfb9-328ec751af08%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Victor Salaman]

The process is easy and straightforward. The only problem is that the derivekey method in the dukpt jpos code is private.

Sent from my iPhone

To unsubscribe, send email to jpos-users+...@googlegroups.com

For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/CAAgSK%3DnMre2%3DT0Rp009gG2jgC70D01yPfAjCZ%3DvNcU2XcUWKdw%40mail.gmail.com.

[Victor Salaman]

Hi:

The following gist shows working code that produces the desired results:

https://gist.github.com/vsalaman/aae2274eea0d8bf422895337e7fb4e28

You'd need to modify jPOS code so that the deriveKey method is accesible.

Cheers,

/V

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/CAAgSK%3DnMre2%3DT0Rp009gG2jgC70D01yPfAjCZ%3DvNcU2XcUWKdw%40mail.gmail.com.

[derin...@gmail.com]

I do really appreciate this git of yours, and I will definitely like to know how i can make this deriveKey method accessible for usage.

Since i am trying to get  this particular line resolved (from the git you shared)

                  Key derived = sm.getDerivedKey(bdk, ksn,true);

in the JCESecurityModule JPOS module.

Thanks for your time.

--

@apr

To unsubscribe, send email to jpos-users+...@googlegroups.com

For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/4b682646-892b-4b81-bfb9-328ec751af08%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com

To unsubscribe, send email to jpos-users+...@googlegroups.com

For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

[derin...@gmail.com]

I do really appreciate this java class as a pointer to getting the issue resolved. 

In the cause of me trying to study through and see how i can use it for implementation at my own end, the PAN2 (as stated in the DUKPT.java class) is what i do not really know on how to use, in decrypting the encrypted PIN BLOCK (since i can only have access to just its PAN which can be gotten from my track2 data).

On Monday, September 19, 2016 at 7:52:02 PM UTC+1, Alejandro Revilla wrote:

Take a look at https://github.com/jpos/jPOS/blob/master/jpos/src/test/java/org/jpos/security/jceadapter/DUKPTTest.java

Perhaps you can load your test data into a test and see if it works for you.

--

@apr

[Victor Salaman]

Hi:

Here is a gist with a little bit of reflection magic! https://gist.github.com/vsalaman/419901d8f7bd0271c0f9b447944f9dd8

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/00141b63-47ab-4a92-a0c4-80b41ebf94cd%40googlegroups.com.

[derin...@gmail.com]

Thanks so much for your lead @Victor Salaman, i had to do some little tweaking too, since the implementation is to be carried out from an Android device, using the org.bouncycastle.jce.provider.BouncyCastleProvider didn't really work well at first, since i was having issue using the Hex.toHexString(derived.getEncoded(). What i did was just to gimmick a Hex class to use at my own end.

But, everything has been figured out already and working so fine. I really appreciate your time.

[Victor Salaman]

Excellent... 

1. For that code you don't need BouncyCastle, I just happened to use BC instead of the reference implementation.

2. The Hex class is not needed as you can use the conversion methods in ISOUtil (from jPOS)

Anyhow, I'm glad it all worked out. Here's a link with the code without BouncyCastle, https://gist.github.com/vsalaman/fb6934ccb81b4f5eb2aa1c51239c3117

/V

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/cf259fc5-ac88-45cf-adf4-613751c9478f%40googlegroups.com.

[Victor Salaman]

On Tue, Sep 20, 2016 at 1:40 PM, <derin...@gmail.com> wrote:

5413339000001513

Hi:

Your are not getting the expected value because for PIN, probably because for your using DESede/CBC instead of DESede/ECB/NoPadding ... Additionally, when using jPOS DUKPT implementation make sure to invoke the methods correctly (setting dataUsage to false). Of course, for PIN encryption jPOS has a better API making you work less and without knowing all the details. Also remember, that you should be doing all these operations in a real HSM in production!

Herte's a snippet: https://gist.github.com/vsalaman/c41d5ae78c099f21885c671b2a2bd859

/V

[derin...@gmail.com]

Thanks so much for your time @Victor, you have been so much of a help, and I am so glad you have been so much of help.

I also tried using the decryptPIN method, in the BaseSMAdapter in the  JPOS security package, to see if i can actually get the  data from the Encrypted data (trying to see, if i can reverse engineer it). i.e getting the PIN and PAN from the encrypted data 

After carrying out this operation, using this method, i was getting 00�8�������

NOTE: I used the ISOUtil.hexString and the BouncyCastleProvider

but, was getting same result.

Thank you so much ONCE AGAIN

[Victor Salaman]

Hi:

You need to understand the cryptography behind the operations you are doing. 

/V

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/c274eea3-2f53-45c1-9d19-0b19cd92e871%40googlegroups.com.

[derin...@gmail.com]

Thanks for your reply. So glad for your time.

What i am trying to do is; after encrypting the data which will be encrypted on the device (at my own end). I will need to decrypt it in the process of packaging it with JPOS, since i have my BDK and KSN from the device. So, i will now have to make it encrypted during the cause of key exchange to be provided by my Service Provider in the cause of carrying out transactions.

With your help, I have actually been able to carry out the PIN encryption (which works fine on the HSM). What i am now trying to figure out is the implementation to be used in decrypting this already encrypted data with its BDK and KSN so as for it to appear raw (while packaging with JPOS after which i will use the KEY to be provided by my Server) in encrypting it again.

I don't know if i am clear enough.

Thanks for your time.

On Wednesday, September 21, 2016 at 10:05:41 AM UTC+1, Victor Salaman wrote:

Hi:

You need to understand the cryptography behind the operations you are doing. 

/V

On Wed, Sep 21, 2016 at 5:01 AM, <derin...@gmail.com> wrote:

Thanks so much for your time @Victor, you have been so much of a help, and I am so glad you have been so much of help.

I also tried using the decryptPIN method, in the BaseSMAdapter in the  JPOS security package, to see if i can actually get the  data from the Encrypted data (trying to see, if i can reverse engineer it). i.e getting the PIN and PAN from the encrypted data 

After carrying out this operation, using this method, i was getting 00�8�������

NOTE: I used the ISOUtil.hexString and the BouncyCastleProvider

but, was getting same result.

Thank you so much ONCE AGAIN
On Tuesday, September 20, 2016 at 11:17:55 PM UTC+1, Victor Salaman wrote:

On Tue, Sep 20, 2016 at 1:40 PM, <derin...@gmail.com> wrote:

5413339000001513

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com

To unsubscribe, send email to jpos-users+...@googlegroups.com

For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.