Generate PINBLOCK using ZPK key

[André Fonseca]

Hi all,

I am using JPOS to generate the PINBLOCK to a external user, the user send to me only the ZPK key and the PIN SEED.

I need to use FORMAT00 and Triple DES cryptography and 128 bits.

My question is, its possible to use JCESecurityModel (I am using JDK 6 with JCE extended) without the LMK file? Or JCESecurityModel always need to use LMK files?

Every tests I have performed gives me strange values.

TIA.

[Alejandro Revilla]

JCESecurityModel doesn't use LMK files, but jPOS software based security module emulation does. It mimics the way a real HSM operates, always using keys encrypted under the LMKs. 

You probably need to encrypt your clear keys under LMK encryption.

--

@apr

[André Fonseca]

Hi Alejandro,

Thanks for you reply.

I tried to use JCESecurityModel with the file security.lmk that comes with JPOS.

I tried the code below

SecureDESKey sdk = new SecureDESKey(SMAdapter.LENGTH_DES3_2KEY, SMAdapter.TYPE_ZPK, "B1BD0FE1C0C5FFF57B7463D8C07EE15A", "026268");

JCESecurityModule jcesecmod = new JCESecurityModule("src/dist/cfg/secret.lmk", "com.sun.crypto.provider.SunJCE");

EncryptedPIN pinUnderLMK = jcesecmod.encryptPIN("511985236238", "5511985236238");

EncryptedPIN pinUnderTPK = jcesecmod.exportPINImpl(pinUnderLMK, sdk, SMAdapter.FORMAT00);

System.out.println(ISOUtil.hexString(pinUnderTPK.getPINBlock()));

But I got the Exception

Exception in thread "main" org.jpos.security.jceadapter.JCEHandlerException: Parity not adjusted

at org.jpos.security.jceadapter.JCESecurityModule.decryptFromLMK(JCESecurityModule.java:1070)

at org.jpos.security.jceadapter.JCESecurityModule.exportPINImpl(JCESecurityModule.java:298)

If I try to instanciate JCESecurityModule without secret.lmk I got

Exception in thread "main" org.jpos.security.SMException: Invalid key code: LMK0x0004

Do you know how is the correct way to encript the ZPK key that I received?

[Alejandro Revilla]

You need to ‘import’ the ZPK under LMK encryption, using the SMConsole.

You can start the jPOS CLI by calling ‘bin/q2 —cli’ and then try the ‘smconsole’ command. Use a ‘tab’ to see all the available commands.

From the smconsole command line, you do something like:

smconsole -lmk path/to/your/test.lmk FK 128 ZPK 0123456789ABCDEFFEDCBA9876543210 00000000000000000000000000000000 00000000000000000000000000000000

Then you pick the encrypted ZPK and store it in a secure key file, i.e.:

myzpk.key=D34EF6268835AFAFED0CAD295B818CF1
myzpk.checkvalue=08D7B4
myzpk.length=128
myzpk.type=BDK
myzpk.class=org.jpos.security.SecureDESKey

The ‘key’ and ‘checkvalue’ are the output of the import command above.

--

@apr

[André Fonseca]

Hi Alejandro,

I tried to run q2 but I have got "Error: Unable to access jarfile @jarname@"

Should I configure something in the java classpath?

TIA

[Alejandro Revilla]

If you build the system using 'gradle dist' and expand the produce archive, or you use 'gradle installApp' and move to build/install/jpos, the build system should replace @jarname@ with the appropriate jar name.

--

@apr

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/0f337a27-f6a1-4673-ab85-5b69986e791a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[André Fonseca]

Hi,

I could run using "java -jar jpos-1.9.6.jar --cli"

Then I type "smconsole -lmk test.lmk FK 128 ZPK B1BD0FE1C0C5FFF57B7463D8C07EE15A 00000000000000000000000000000000 00000000000000000000000000000000"

It works, I will try now to use the key.

TIA.

[André Fonseca]

After importing the key I have the log output

<log realm="jce-security-module" at="Fri Apr 04 14:12:57 BRT 2014.465" lifespan
"213ms">
  <s-m-operation>
    <command name="Form Key from Three Clear Components">
      <parameter name="Key Length">
        128
      </parameter>
      <parameter name="Key Type">
        ZPK
      </parameter>
      <parameter name="Component 1 Check Value">
        026268
      </parameter>
      <parameter name="Component 2 Check Value">
        8CA64D
      </parameter>
      <parameter name="Component 3 Check Value">
        8CA64D
      </parameter>
    </command>
    <result name="Formed Key">
      <secure-des-key length="128" type="ZPK" variant="0" scheme="X">
        <data>EF0353A3043D0D54945985A8B69881DD</data>
        <check-value>026268</check-value>
      </secure-des-key>
    </result>
  </s-m-operation>
</log>

Then I do:

JCESecurityModule jcesecmod = new JCESecurityModule("c:/tmp/test.lmk", "com.sun.crypto.provider.SunJCE");
SecureDESKey sdk = new SecureDESKey(SMAdapter.LENGTH_DES3_2KEY, SMAdapter.TYPE_ZPK, "EF0353A3043D0D54945985A8B69881DD", "026268");
EncryptedPIN pinUnderLMK = jcesecmod.encryptPIN("511985236238", "EF0353A3043D0D54945985A8B69881DD");

EncryptedPIN pinUnderTPK = jcesecmod.exportPINImpl(pinUnderLMK, sdk, SMAdapter.FORMAT00);
System.out.println(ISOUtil.hexString(pinUnderTPK.getPINBlock()));

Its the correct way to generate the PINBLOCK?

[Alejandro Revilla]

You're almost there, but the second parameter to your encryptPIN call should be the the 12 right-most digits of the account number excluding the check digit.

--

@apr

[André Fonseca]

Hi Alejandro,

Thanks for your help again.

One more question, I need to generate exactly the same PINBLOCK that is generated by my provider (ZPK key provider)

Should I use the parameter --rebuillmk for importing the ZPK key? If I rebuild the LMK using the ZPK I will have another LPK keys file? (the same LPK used by my provider)

TIA

[chhil]

If the clear key is identical, you will get the same pinblock.

The LMKs are just an additional level of encryption so that you dont have to use the clear keys in your operations.

LMKs need to be very secret and the chances of you and the other party having the same LMKs will be practically 0.

If the party that is providing the ZPK to you is using a Thales and have the default LMKs then the thalessim (search for it) works pretty well but you will need to use the thales api to communicate with it.

-chhil

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/a29466dc-9562-40ba-931a-cc6b33bdea29%40googlegroups.com.

[André Fonseca]

Hi chhil,

I can generate now the same PINBLOCK by my side.

If someone needs to do that (generate the same pinblock using ZPK key from provider) in the future, I will post below the steps we should perform

1) rebuild LMK in the server
java -jar jpos-1.9.6.jar -c "smconsole -lmk /tmp/my.lmk -rebuildlmk; shutdown --force"

2) import ZPK
java -jar jpos-1.9.6.jar -c "smconsole -lmk my.lmk FK 128 ZPK ZPK_KEY_FROM_PROVIDER_GOES_HERE 00000000000000000000000000000000 00000000000000000000000000000000; shutdown --force"

3) generate pinblock using JPOS
    JCESecurityModule jcesecmod = new JCESecurityModule("/tmp/jpos/my.lmk", "com.sun.crypto.provider.SunJCE");
    String pin = "123456";
    System.out.println("PIN ==>> " + pin);
    String pan = "511985236238";
    System.out.println("PAN ==>> " + pan);
    String lmkKey = "NEW_ZPK_GERATED"; //here goes the secure-des-key gerated in the previous step
    System.out.println("LMK KEY ==>> " + lmkKey);
    SecureDESKey sdk = new SecureDESKey(SMAdapter.LENGTH_DES3_2KEY, SMAdapter.TYPE_ZPK, lmkKey, "026268");
    EncryptedPIN pinUnderLMK = jcesecmod.encryptPINImpl(pin, pan);
    System.out.println("pinUnderLMK ==>>" + ISOUtil.hexString(pinUnderLMK.getPINBlock()));
    EncryptedPIN pinUnderZPK = jcesecmod.exportPINImpl(pinUnderLMK, sdk, SMAdapter.FORMAT00);
    System.out.println("pinUnderZPK ==>>" + ISOUtil.hexString(pinUnderZPK.getPINBlock()));

Sorry, I dont know very well the concepts involved in encryption/pinblock, so I could have made some theoretical errors

[Robson Dantas]

Good resource about pinblock formats is here:

http://www.paymentsystemsblog.com/2010/03/03/pin-block-formats/

Regards

--

Robson Dantas

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/934df1c3-7137-4627-b0a4-54fbfc1a2f2e%40googlegroups.com.

[Eunice Obugyei]

Hi Andre, 

I know this is an old post but I hope you can be of help. I am trying to follow the steps you outlined but when I run the command to rebuild the LMK, I get a "java.lang.NoClassDefFoundError: org/apache/commons/cli/MissingArgumentException" exception. Any ideas as to what the problem could be? I already placed the commons-cli jar in the same folder as the jpos jar but that didn't help.  Please find below a stacktrace of the error:

Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/cli/MissingArgumentException

at java.lang.Class.getDeclaredMethods0(Native Method)

at java.lang.Class.privateGetDeclaredMethods(Class.java:2570)

at java.lang.Class.getMethod0(Class.java:2813)

at java.lang.Class.getMethod(Class.java:1663)

at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)

at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)

Caused by: java.lang.ClassNotFoundException: org.apache.commons.cli.MissingArgumentException

at java.net.URLClassLoader$1.run(URLClassLoader.java:366)

at java.net.URLClassLoader$1.run(URLClassLoader.java:355)

at java.security.AccessController.doPrivileged(Native Method)

at java.net.URLClassLoader.findClass(URLClassLoader.java:354)

at java.lang.ClassLoader.loadClass(ClassLoader.java:425)

at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)

at java.lang.ClassLoader.loadClass(ClassLoader.java:358)

... 6 more

[Mark Salter]

On 03/10/2014 15:33, Eunice Obugyei wrote:
> I am trying to
> follow the steps you outlined but when I run the command to rebuild the
> LMK,

Can you share the command you typed and state if jpos-1.9.6.jar is in
the directory in which you are running your command?

> Any ideas
> as to what the problem could be?

A class that is need is not on your classpath.

> I already placed the *commons-cli* jar

> in the same folder as the jpos jar but that didn't help.

Is this folder/jar on the classpath?

Which version of java are you using?

try adding a :-

-cp .;[dir_that_holds_the_cli_jar_if_not_.]

to your invocation (dependant on your o/s being windows!)


--
Mark

[Eunice Obugyei]

Mark, thanks for the response. This is the command I used : sudo java -cp /home/eunice/jpos_fix/ -jar jpos-1.9.6.jar -c "smconsole -lmk /tmp/test.lmk -rebuildlmk; shutdown --force"

When that one didn't work, I as tried this one: sudo java -cp /home/eunice/jpos_fix/commons-cli-1.2.jar -jar jpos-1.9.6.jar -c "smconsole -lmk /tmp/test.lmk -rebuildlmk; shutdown --force"

But that didn't work either

I am running on ubuntu 13.04 and yes, jpos-1.9.6.jar is in the directory I'm running the command from. It's actually the same one that has the commons-cli jar

[Mark Salter]

On 05/10/2014 08:17, Eunice Obugyei wrote:
> sudo java
> -cp /home/eunice/jpos_fix/ -jar jpos-1.9.6.jar -c "smconsole -lmk
> /tmp/test.lmk -rebuildlmk; shutdown --force"
> When that one didn't work,

didn't work = same stacktrace/output ?

> sudo java -cp
> /home/eunice/jpos_fix/commons-cli-1.2.jar -jar jpos-1.9.6.jar -c

> "smconsole -lmk /tmp/test.lmk -rebuildlmk; shutdown --force"*

> But that didn't work either

didn't work = same stacktrace/output ?

>
> I am running on ubuntu 13.04 and yes, jpos-1.9.6.jar is in the directory
> I'm running the command from. It's actually the same one that has the
> commons-cli jar

did you try the variant of the -cp I suggested though, dropping the
"[dir_that_holds_the_cli_jar_if_not_.]" and the path separatot?

--
Mark

[Eunice Obugyei]

Yes same stacktrace in both cases.

I'm not sure I understand the variant you are talking about though

[Victor Salaman]

First, it’s never good to hijack a thread.

That being said, you should not use -cp and -jar at the same time.

Follow these steps:

• Download the jPOS distribution (you mentioned you are using 1.9.6, so your file should be jpos-1.9.6.tgz)
• Create a directory and unpack.
• Change to the directory
• Now type from within the directory:

java -jar jpos-1.9.6.jar -c "smconsole -lmk /tmp/test.lmk -rebuildlmk; shutdown --force"

/V

​

--

--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/320d739f-def1-407a-b0fa-57681db5ad51%40googlegroups.com.

[Mark Salter]

On 05/10/2014 10:43, Victor Salaman wrote:
> That being said, you should not use -cp and -jar at the same time.

I had a nagging doubt, but not strong enough to stop me :-)

Thanks Victor

--
Mark

[Eunice Obugyei]

Victor, sorry about the thread hijacking.

I first followed the steps you gave me( I got the jar from the maven central repository). 

I run the command you wrote and posted on this thread when I got the error

[Victor Salaman]

Please re-read my message. You need to download the distribution and not a bare jpos jar from the Maven repo.

/V

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/94be6ed1-8820-4bc6-b686-7d2b600d1691%40googlegroups.com.

[Eunice Obugyei]

Victor, probably not a very good question but can you get me a url to the distribution? The url I found on the jpos.org/download page is to the source code on github

[Victor Salaman]

Sorry, I always compile from source. Alejandro might jump in on monday and provide a URL, or you can compile from source w/

gradle dist

that will produce a distribution archive in the directory : build/distributions ...

Sorry I couldn't be of more help.

/V

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/4a72340f-49f3-48fc-bd13-d29f834ce8b1%40googlegroups.com.

[Eunice Obugyei]

Thanks a lot. I will take my chances with gradle till monday then. 

[chhil]

Hi,

You mentioned you placed the commons cli jar in the same folder as the jpos jar.

If you open the jpos jar and read its manifest you will see a classpath in there.

Its looks for the commons cli in the lib folder. 

Try placing it there.

Your directory structure should be standard like this.

+---bin

+---cfg

+---classes

+---deploy

+---lib

+---log

+---jpos.jar

-chhil

To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/6b44526f-edf7-4688-97da-435ac79e5fb4%40googlegroups.com.

[Eunice Obugyei]

Thanks a lot chhil, putting the jars in a lib folder worked.