> If I may ask,
>
> I'm using safeNet's software HSM simulator. In my case, It's as good
> as the real hardware HSM.
Good for testing 8).
> The other party is using HP Atalla HSM. I
> know that if for thales (as I have read some pages on Andy Orrock' s
> blog), I will need to enable the ANSI X9.17 mode to send data to the
> Atalla HSM.
You you going to be moving to use the Atalla HSM *instead* of your
software HSM; and you are trying to set your code in preparation for the
migration?
>
> Accordig to my vendor, SafeNet does not require such configuration.
> Can anyone confirm this fact from my vendor?
I would think you could confirm this by exchanging some relevant test
data and trying out the decode/recode/validation on it?
Do you think your software HSM vendor gave you the wrong answer, or was
it just not the one you were expecting as you have already had problems?
--
Mark
>> You you going to be moving to use the Atalla HSM *instead* of your
>> software HSM; and you are trying to set your code in preparation for the
>> migration?
> No, we plan to use safenet's hsm. right now we are connecting to a
> party that is using atalla.
This feels wrong, but I will have to assume you are satisfying PCI
compliance - although I'm sorry to say I have my doubts that you can.
>> Do you think your software HSM vendor gave you the wrong answer, or was
>> it just not the one you were expecting as you have already had problems?
> Yeah we're having trouble. Our encrypted PIN block is wrong according
> to Atalla side.
You have checked the keys in use (including their parity if relevant)?
How about going the other way, get Atalla to build a PIN block you
decrypt - perhaps outside of any HSM?
I'm sure you are using test keys, so if you can share some data and
keys, perhaps we could take a look.
>
>
> So it would be great if someone have experience with Atalla or SafeNet
> or both :) and can shed the light on this issue :D
Oh indeed, but I fear this is unlikely.
I think we have asked before; can you share your solutions/company name
at all?
--
Mark
--
Mark
Phew, good.
>> I'm sure you are using test keys, so if you can share some data and
>> keys, perhaps we could take a look.
> Ok, here goes
>
> The component of the KEK
> First Left: 2222222222222222
> First Right: 4444444444444444
> Second Left: 6666666666666666
> Second Right: 8888888888888888
> Check Digit: D8EBBD
I don't get this KCV, encrypting 16 bytes of x'00' bytes of zeros under
this key gives me 5611AC13D98BDF6F5611AC13D98BDF6F.
Are we using the same approach to generate our Key Check Value?
>
> we have verified that the check digit is same for both HSMs. Just that
> the Atalla HSM can only show the first 4.
So my approach must be different, hmmmm.
> here's a sample simulation using safenet's HSM (soft HSM)
>
> PPK raw in hex (session key): 11111111222222223333333344444444
This looks like a clear test key to me, but if you are sure...
> Decrypted (now is PPK clean): B5FCDFA20F537677780EABC78940C602
So you decrypted 11111111222222223333333344444444 using key
22222222444444446666666688888888 and got B5FCDFA20F537677780EABC78940C602?
I can't replicate this decryption...
...I get A56A0AA97C78D9B42946F8D9783BAD44
> Encrypted (now is PPK raw again): 11111111222222223333333344444444
> (proves the decrypt process is OK)
It certainly proves you have a symmetrical algorithm 8).
>
> PIN: 111111
> ANSI 0 PIN Block: 061111036FFFFFDE
Although our KCV doesn't match, I continued on...
So working back the XOR this gives a card number containing:-
nnn001290000021n
Is this what you have?
> DESede PIN block, encrypted using PPK clean: 34CB8BCAFB6C0B22
I do get this value using a PPK of B5FCDFA20F537677780EABC78940C602; but
we do know (I think) that this is bad - as far as the Issuer system
(Atalla end) is concerned anyway.
Could you try the exchange - or check - using a clear PPK of
11111111222222223333333344444444 please?
This gives me a encrypted PIN block of E6A7EE81E0A4221B.
Has your Issuer end given you the encrypted PIN block value they are
expecting - is this (E6A7EE81E0A4221B) it perhaps?
It seems impossible that our PIN Blocks can match but our decrypt of PPK
under KEY don't seem to?
>
> But as it turns out, every time we attempt 0200, we got 05.
'05' doesn't sound very 'invalid PIN' or 'System Malfunction' like, but
I guess they told you what the problem was (HSM function failed
indicating data error)?
>
> So running out of factors to blame, The Atalla side mentioned for
> Thales, they will have to use the ANSI X9.17 setting before they can
> get 00.
So they can get a correct validation by changing their call to their HSM
for your provided PIN Block?
Is any other system translating the PIN block before it hits the Atalla
system?
> I'm sorry I can't reveal the company name here but the solutions we
> are working on is
> to process with a national ATM network switch. like when you need to
> withdraw money from bank B's ATM while you are actually holding ATM
> card from bank A.
So you are doing (or will be) PIN translation.
> We will use safeNet's HSM. The national switch is using Atalla.
I was interested in the product/company *if* you were using software
HSMs in production as you are not I am less worried.
In a commercial concern though you must check the jPOS license you are
using. Someone in this setup very likely need to be purchasing a
commercial license.
--
Mark
The case of a bad question...
... I think DC meant what does a value of x'08' mean as an Atalla
Variant. Time to RTFM 8).
--
Mark
This question has *nothing* to do with the thread you have added it to.
Having a 'useful' subject text does not mean you should hijack it; do
use a new message thread for each *new* question.
paulac wrote:
>
> Hi I am deveolping a credit card authorization app, using a SafeNet HSM, but
> our client didn't buy the API, so we are programming from scratch the
> protocol.
Boy they are cheap eh.
Was it more expensive then paying you to sort if for them?
Odd that.
> We are using TCP/IP, setting the 6 byte header that communication's Manual
> says, but each time we try (even a simple HSM_STATUS) we receive no response
> plus, the socket is closed.
Have you get the right message length format and encoding?
If the HSM sees rubbish arriving, I would expect it to close the channel.
> Do you have any idea about this?
Check the communications manual for message structure - length and
format. Then check you are using a matching channel.
Check your license conformity too!
--
Mark
--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+unsubscribe@googlegroups.com.
To post to this group, send email to jpos-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/49a46222-b684-4a1e-824a-42cb5ac43a28%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.