What is the scheme

146 views
Skip to first unread message

Vishesh

unread,
Jan 5, 2023, 9:31:34 AM1/5/23
to jPOS Users
Hi All,

I was exploring "JCESecurityModule" file and using command "smconsole" 

I got stuck on the concept of scheme and couldn't find any relevant documentation.

Also, why is there more than one key in the local master key file? 

Appreciate any help on the same 


igor skljar

unread,
Jan 5, 2023, 2:07:43 PM1/5/23
to jPOS Users
Hi.
Try to find thales documentation
General Information Manual
Chapter 4 – Variant Key Scheme

четверг, 5 января 2023 г. в 16:31:34 UTC+2, Vishesh:

murtuza chhil

unread,
Jan 6, 2023, 4:35:11 AM1/6/23
to jPOS Users
The software security module (SSM) tries to mimic concepts of a Hardware Security Module (HSM).  SSM is not something you would use in production; you would use a HSM and the wording and operations mimic hsm functionality and api.

In a HSM there are LMK pairs that are used for specific operations to keep keys secure.


-chhil

Vishesh

unread,
Jan 10, 2023, 3:59:30 AM1/10/23
to jPOS Users
Thanks for the reply,


I followed the steps on SSM and ZMK, KCV matching with what provided by another end (bank end)

But  KCV(check-value) of ZPK  of is not matching though I am following the given approach for SSM

Comamnd 1: get combined ZMK

java  -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-ST-q2.jar -c "smconsole -lmk lmk.key -jce  org.bouncycastle.jce.provider.BouncyCastleProvider  FK 128 ZMK <Clear Key1>  <Clear Key2> <Clear key3>"

Clear Key 1, Clear Key 2 and Clear Key 3 shared by bank

Output KCV is "check-value" is matching with the KCV shared by bank, so I am assuming that clear text ZMK is correct, 


then I try to get KCV of encrypted ZPK and that process is also working but "check-value" is not matching what shared by bank

Command  2: (get check-value of ZPK)

java  -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-ST-q2.jar -c "smconsole  -jce org.bouncycastle.jce.provider.BouncyCastleProvider  -lmk  lmk.key IK 128 <encrypted zpk> 128 ZMK <ZMK got in last previous command> <check value got in previous command>"


Note : jpos-2.1.8-ST-q2.jar  created by me my "./gradlew installApp"

murtuza chhil

unread,
Jan 11, 2023, 3:13:49 AM1/11/23
to jPOS Users
Your command does not look right for import key: IK.

Here is an old thread from the group, it may help.
https://groups.google.com/g/jpos-users/c/fdzkQTo94ak/m/WPhWEol7BQAJ

-chhil

murtuza chhil

unread,
Jan 12, 2023, 8:35:10 AM1/12/23
to jPOS Users

I don't respond to personal emails, please post in the group for visibility and other users to respond/assist.

Vishesh's response
I used below java -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-ST-q2.jar -c "smconsole -jce org.bouncycastle.jce.provider.BouncyCastleProvider -lmk lmk.key IK 128 ZPK <encrypted zpk> 128 ZMK <ZMK got in last previous command> <check value got in previous command>" Note: Missed "ZPK" in my original message, that was a copy-paste error

-chhil

murtuza chhil

unread,
Jan 12, 2023, 8:45:40 AM1/12/23
to jPOS Users
You should find out what command and HSM was used by the owner of the ZPK.
We can investigate it further after that.

You may want to try using TPK (terminal pin key) instead of ZPK (zone pin key).

-chhil

Mark Salter

unread,
Jan 12, 2023, 8:49:20 AM1/12/23
to jpos-...@googlegroups.com
Also, perhaps share the clear values? Since they can only. E test keys you should be good to do so; that way your results can be checked and experimentation if people care is possible.


-- 
Mark


Sent from Proton Mail mobile



-------- Original Message --------
--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/ba26a94d-cedc-4bee-9791-cca032d3c777n%40googlegroups.com.
signature.asc

Vishesh

unread,
Jan 12, 2023, 9:14:56 AM1/12/23
to jPOS Users
Thanks, Chhil for the reply,

TPK produces the same results as ZPK. , 

java  -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-SNAPSHOT-q2.jar -c "smconsole  -jce org.bouncycastle.jce.provider.BouncyCastleProvider  -lmk  lmk.key IK 128 TPK D67BCE2AF5508A0E8705BC05AE0BC69B 128 ZMK 393DD47AE3791D5119631D0684790632 E7472E"


Trying to find out the command executed at the HSM owner end, will update here

Vishesh

unread,
Jan 12, 2023, 11:25:54 AM1/12/23
to jPOS Users
Thanks for your help,

One point I missed to mention that while executing the command to get ZPK,


java  -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-ST-q2.jar -c "smconsole  -jce org.bouncycastle.jce.provider.BouncyCastleProvider  -lmk  lmk.key IK 128 ZPK E61BCE2AF5508A0E8705BC05AE0BC68B 128 ZMK D48177CDD2ED9E43BB607D9BEE21B17F E7472E"

I was getting below error,

  "  <security-module-exception>

      Parity not adjusted

      org.jpos.security.jceadapter.JCEHandlerException: Parity not adjusted"


To overcome this error, I commented line number 1474 and 1475 in file jPOS/jpos/src/main/java/org/jpos/security/jceadapter/JCESecurityModule.java

Line 1474     -     if (!Util.isDESParityAdjusted(clearKeyBytes))

Line 1475             throw new JCEHandlerException("Parity not adjusted");


https://github.com/jpos/jPOS/blob/master/jpos/src/main/java/org/jpos/security/jceadapter/JCESecurityModule.java


This change removed the Parity not adjusted error, but not sure if this causing any issue




Vishesh

unread,
Jan 12, 2023, 12:13:42 PM1/12/23
to jPOS Users
My LMK file has 15 entries , lmk file was generated using rebuildlmk, and LMK is in something like the below

LMK0x00=527901263191B9C1E576FDB32C49A7FD527901263191B9C7


murtuza chhil

unread,
Jan 12, 2023, 8:26:07 PM1/12/23
to jPOS Users

You commenting the line won’t work , the parity needs to be adjusted to odd parity for your input ZPK cryptogram.

By changing the parity the cryptogram is not changed.

What you need to do is either call adjustParity to fix the parity on you zpk and use that.
https://github.com/jpos/jPOS/blob/096227e42b3edd63a4187eba48da145630dc502d/jpos/src/main/java/org/jpos/security/Util.java#L53

public static void main(String[] args) throws ISOException { byte[] zpk = ISOUtil.hex2byte("E61BCE2AF5508A0E8705BC05AE0BC68B"); adjustDESParity(zpk); System.out.println(ISOUtil.byte2hex(zpk) .toUpperCase()); } public static void adjustDESParity(byte[] bytes) { for (int i = 0; i < bytes.length; i++) { int b = bytes[i]; bytes[i] = (byte) (b & 0xfe | (b >> 1 ^ b >> 2 ^ b >> 3 ^ b >> 4 ^ b >> 5 ^ b >> 6 ^ b >> 7 ^ 0x01) & 0x01); } }

Output

E61ACE2AF4518A0E8604BC04AE0BC78A

Use

E61ACE2AF4518A0E8604BC04AE0BC78A as your ZPK instead of
E61BCE2AF5508A0E8705BC05AE0BC68B

Another simple example is the key 0909090909090909 is even parity and the odd parity for it would make it 0808080808080808.

You need to understand that the key contents are the same, the parity bits are changed from even to odd. If you passed 0808080808080808 into the method the output would be 0808080808080808 as its already odd parity.

-chhil

murtuza chhil

unread,
Jan 12, 2023, 9:46:02 PM1/12/23
to jPOS Users
This may help with a better user experience.


-chhil

Vishesh Kumar

unread,
Jan 12, 2023, 11:16:09 PM1/12/23
to jpos-...@googlegroups.com
Thanks Chhil for your help,

I have one query , 

ZPK passed to me by bank is encrypted ZPK , odd parity validation will require on encrypted ZPK ? 

I used your function to change by encrypted ZPK to odd parity , and it’s changing ZPK but passing that changed ZPK also giving KCV value that also not matching with what passed by bank 



--
Vishesh Kumar 
Linuxmantra IT Services

Please provide Feedback : https://abot.linuxmantra.com/feedback

Address: BS-719,7th Floor, Galaxy Diamond Plaza, TechZone-IV, Greater Noida, Sector 2, Uttar Pradesh - 201306

Support Email: sup...@linuxmantra.com
Support Phone: +91-1205110884

chhil

unread,
Jan 13, 2023, 12:18:50 AM1/13/23
to jpos-...@googlegroups.com
I was incorrect, the decrypted deskey needs to be parity adjusted so it correctly does not work by passing in an adjusted cryptogram.

    public Key decryptDESKey(short keyLength, byte[] encryptedDESKey, Key encryptingKey, boolean checkParity)
            throws JCEHandlerException {
        byte[] clearKeyBytes = doCryptStuff(encryptedDESKey, encryptingKey, Cipher.DECRYPT_MODE);
        if (checkParity && !Util.isDESParityAdjusted(clearKeyBytes)) {
            throw new JCEHandlerException("Parity not adjusted");
        }
        return formDESKey(keyLength, clearKeyBytes);
    }


So instead of if statement with the the exception, replace it with 

i.e. replace 
        if (checkParity && !Util.isDESParityAdjusted(clearKeyBytes)) {
            throw new JCEHandlerException("Parity not adjusted");
        }
with 
Util.adjustDESParity(clearKeyBytes);

-chhil





You received this message because you are subscribed to a topic in the Google Groups "jPOS Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jpos-users/sa8LIIg4ZNQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/CAP6rG0zpy_Zm%2BXTO-FCL62CV8KYdOHyKkiv4E0bpz6FfKrvyTA%40mail.gmail.com.

Vishesh Kumar

unread,
Jan 13, 2023, 1:21:16 AM1/13/23
to jpos-...@googlegroups.com
Thanks Chhil for your help,


Util.adjustDESParity(clearKeyBytes); resolved parity bit error

But imported ZPK, KCV value is not matching what the bank provided



<result name="Imported Key">

      <secure-des-key length="128" type="ZPK" variant="0" scheme="X">

        <data>9358E4144035F52BE321AF0A297FB2E1</data>

        <check-value>23A270</check-value>

      </secure-des-key>

    </result>




chhil

unread,
Jan 13, 2023, 1:33:59 AM1/13/23
to jpos-...@googlegroups.com
Reach out to the sender and request how they generated the ZPK cryptogram (commands used and HSM brand). 
I don't have anything further to add here.

-chhil

Vishesh Kumar

unread,
Jan 13, 2023, 1:37:29 AM1/13/23
to jpos-...@googlegroups.com
Thanks, Chhil, for all your help. Initiated communication with the bank to get exact process details for encrypted ZPK generation, they are using Thales HSM 




murtuza chhil

unread,
Jan 13, 2023, 2:55:26 AM1/13/23
to jPOS Users
Share your ZMK components (if they are test ones). You have used 2 different values in the thread with the same check value. 

ZMK D48177CDD2ED9E43BB607D9BEE21B17F E7472E
ZMK 393DD47AE3791D5119631D0684790632 E7472E

Share the ZPK shared with you and the check value expected.

-chhil

Vishesh

unread,
Jan 13, 2023, 3:54:39 AM1/13/23
to jPOS Users
Thanks for reply Chhil,

Bank using below process to generate ZMK and ZPK

Step 1 : ( Create 3 no. of clear keys )

 

Online-AUTH>GC

 

Enter LMK id [0-9]: 0

Enter key length [1,2,3]: 2

Enter key type: 000

Enter key scheme: U

 

Online-AUTH>GC

 

Enter LMK id [0-9]: 0

Enter key length [1,2,3]: 2

Enter key type: 000

Enter key scheme: U

 

Online-AUTH>GC

 

Enter LMK id [0-9]: 0

Enter key length [1,2,3]: 2

Enter key type: 000

Enter key scheme: U

 

STEP 2 : (Create ZMK under LMK)

 

Online-AUTH>FK

 

Enter LMK id [0-9]: 0

Enter key length [1,2,3]: 2

Enter key type: 000

Enter key scheme: U

Enter component type [X,H,T,E,S]: X

Enter number of components [1-9]: 3

 

Enter component 1: *******************

Enter component 2: *******************

Enter component 3: *******************

 

ZPK Activity

 

Step 3 : (Create ZPK clear component)

 

Online-AUTH>GC

 

Enter LMK id [0-9]: 0

Enter key length [1,2,3]: 2

Enter key type: 001

Enter key scheme: U

 

Step 4 : ( XOR – Encrypt ZPK under LMK)

 

Online-AUTH>FK

 

Enter LMK id [0-9]: 0

Enter key length [1,2,3]: 2

Enter key type: 001

Enter key scheme: U

Enter component type [X,H,T,E,S]: X

Enter number of components [1-9]: 1

 

Step 5 : (Create Encrypted/Exported ZPK under ZMK)

 

Online-AUTH>KE

 

Enter LMK id [0-9]: 0

Enter key type: 001

Enter key scheme: X

Enter ZMK:     ------- o/p of step 2 component ------

Enter ZMK Variant: press Enter

Enter key under LMK:    ----- o/p of step 4 component -----

 


Mark Salter

unread,
Jan 13, 2023, 5:51:19 AM1/13/23
to jpos-...@googlegroups.com
Thales hsms usd odd parity keys for 3des.

Unobscured test data will help us help you, also make sure your 'bank' is aware you are posting to a public forum before sharing anything from them!


-- 
Mark


Sent from Proton Mail mobile



-------- Original Message --------
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/474bb33b-dbca-48d6-ac5e-6e90220e2cf5n%40googlegroups.com.
signature.asc

chhil

unread,
Jan 13, 2023, 6:11:25 AM1/13/23
to jpos-...@googlegroups.com


I find it surprising the ZPK provided has even parity. Something does not sit right with me.

The KE command would have provided a clear zpk, if its test data, I wonder if we could have access to it and verify the check digit calculation on it.

-chhil

Vishesh

unread,
Jan 13, 2023, 7:39:39 AM1/13/23
to jPOS Users
Thanks for helping,

I am not able to understand one thing conceptually

"Bank shared three components of ZMK, and they used the U scheme at the time of generation,  I am not getting any option in SSM to mention that these three component are in U scheme while using FK command" 

Can anyway we can specify that three given components are in U scheme"

java  -cp bcprov-jdk18on-172.jar -jar /opt/jPOS/jpos/build/install/jpos/jpos-2.1.8-SNAPSHOT-q2.jar -c "smconsole -lmk lmk.key -jce  org.bouncycastle.jce.provider.BouncyCastleProvider  FK 128 ZMK component1 component2  Component3"

I am aware that scheme can be used in line ZMK:1U (U scheme) but I guess that is about output value, not specifying that components are in the U scheme

murtuza chhil

unread,
Jan 13, 2023, 9:26:43 AM1/13/23
to jPOS Users
One can pass the scheme , I am not familiar with it though (after key type colon scheme  is possible)


-chhil

Reply all
Reply to author
Forward
0 new messages