CSC calculation from CSCK

kapilashantha rajapaksha

Mar 16, 2015, 6:49:12 AM
to jpos-...@googlegroups.com
Dear All,


I have to generate CSC values from my application. Please let me know the steps for CSC calculation from CSCK.

Example,

Card number = 341234567890123
Expire date = 9912
CSCK = 1234567890ABCDEF1234567890ABCDEF

Expected result: 3, 4 & 5 digit CSC

Any expert on this matter?

Regards




kapilashantha rajapaksha

Mar 16, 2015, 10:25:19 PM
to jpos-...@googlegroups.com
Anyone who is an expert on this?

chhil

Mar 16, 2015, 10:37:54 PM
to jpos-...@googlegroups.com

On Mon, Mar 16, 2015 at 4:19 PM, kapilashantha rajapaksha <kapila...@gmail.com> wrote:
--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/CAKV%2BfV05GPgsJmGSdM%3DG4iUU5HmWjcAck9j5iSC7iBKQM%3Dd%2B7A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

chhil

Mar 16, 2015, 10:56:14 PM
to jpos-...@googlegroups.com
https://eftcalculator.codeplex.com/SourceControl/latest#EFTCalculator.Core/Utility/Utility.vb

Here is some .Net code from the above link that translates the earlier graphic.

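    ''' <summary>
    ''' Calculates a CVV.
    ''' </summary>
    ''' <param name="CVKPair">Double-length CVK (parts A and B).</param>
    ''' <param name="AccountNumber">Card number.</param>
    ''' <param name="ExpirationDate">Expiration date.</param>
    ''' <param name="SVC">Service code.</param>
    ''' <returns>The 3-digit CVV.</returns>
    ''' <remarks></remarks>
    Public Shared Function GenerateCVV(ByVal CVKPair As HexKey, ByVal AccountNumber As String, ByVal ExpirationDate As String, ByVal SVC As String) As String
        Dim CVKA As String = CVKPair.PartA
        Dim CVKB As String = CVKPair.PartB
        ' Concatenate the inputs and right-pad with zeros to 32 hex digits (two 8-byte blocks).
        Dim block As String = (AccountNumber + ExpirationDate + SVC).PadRight(32, "0"c)
        Dim blockA As String = block.Substring(0, 16)
        Dim blockB As String = block.Substring(16)

        ' Encrypt block A under CVK A, XOR with block B, then encrypt under the full CVK pair.
        Dim result As String = TripleDES.TripleDESEncrypt(New HexKey(CVKA), blockA)
        result = XORHex(result, blockB)
        result = TripleDES.TripleDESEncrypt(New HexKey(CVKA + CVKB), result)

        ' Decimalize: decimal digits left to right first, then hex digits A-F
        ' (each minus 10) if fewer than three decimal digits were found.
        ' The second pass also keeps the scan from running past the end of the result.
        Dim CVV As String = ""
        For Each c As Char In result
            If CVV.Length < 3 AndAlso Char.IsDigit(c) Then CVV &= c
        Next
        For Each c As Char In result.ToUpperInvariant()
            If CVV.Length < 3 AndAlso c >= "A"c AndAlso c <= "F"c Then CVV &= (Asc(c) - Asc("A"c)).ToString()
        Next

        Return CVV
    End Function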

-chhil
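
The steps in the VB.NET code above, as a self-contained Java program using only `javax.crypto`. This is an added example, not code from the linked project or from jPOS; the class and method names (`CvvExample`, `cvv`, `decimalize`) are hypothetical, the key and card data are constructed test values, and the digit selection includes the A-F pass (each letter minus 10) used when the result holds fewer than three decimal digits.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;
public class CvvExample {
    static byte[] unhex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static byte[] ecbEncrypt(String alg, byte[] key, byte[] block) throws Exception {
        Cipher c = Cipher.getInstance(alg + "/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, alg));
        return c.doFinal(block);
    }

    // Decimal digits left to right first, then hex digits A-F (each minus 10).
    static String decimalize(String hex, int n) {
        StringBuilder digits = new StringBuilder(), letters = new StringBuilder();
        for (char ch : hex.toUpperCase().toCharArray()) {
            if (ch >= '0' && ch <= '9') digits.append(ch);
            else if (ch >= 'A' && ch <= 'F') letters.append((char) ('0' + ch - 'A'));
        }
        return digits.append(letters).substring(0, n);
    }

    static String cvv(String cvkHex, String pan, String expiry, String svc) throws Exception {
        byte[] cvk = unhex(cvkHex);                    // assumed 16 bytes: CVK A | CVK B
        byte[] k3 = Arrays.copyOf(cvk, 24);            // JCE DESede needs 24 bytes: A | B | A
        System.arraycopy(cvk, 0, k3, 16, 8);
        StringBuilder data = new StringBuilder(pan + expiry + svc);
        while (data.length() < 32) data.append('0');   // right-pad to two 8-byte blocks
        byte[] blockA = unhex(data.substring(0, 16));
        byte[] blockB = unhex(data.substring(16, 32));
        byte[] r = ecbEncrypt("DES", Arrays.copyOf(cvk, 8), blockA); // DES under CVK A
        for (int i = 0; i < 8; i++) r[i] ^= blockB[i];               // XOR with block B
        r = ecbEncrypt("DESede", k3, r);                             // 3DES under A, B, A
        StringBuilder hex = new StringBuilder();
        for (byte x : r) hex.append(String.format("%02X", x));
        return decimalize(hex.toString(), 3);
    }
    public static void main(String[] args) throws Exception {
        // Constructed test inputs, not real card data or a production key.
        System.out.println(cvv("0123456789ABCDEFFEDCBA9876543210", "4123456789012345", "8701", "101"));
        // Constructed hex result with a single decimal digit, to exercise the A-F pass.
        System.out.println(decimalize("ABCDEF1ABCDEFABC", 3));
    }
}
```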

kapilashantha rajapaksha

Mar 16, 2015, 11:28:37 PM
to jpos-...@googlegroups.com
Thanks Chhil,

It's detailing how to calculate CVV, but I'm looking for CSC calculation for American Express cards.

Is it following the same logic?

And I've attached the example for your reference.

Regards 

 

CSC1.png
CSC2.png

chhil

Mar 16, 2015, 11:50:19 PM
to jpos-...@googlegroups.com
CSC and CVV calculations are the same as far as I am aware for MC and Visa.
Mastercard calls it CSC and Visa calls it CVV, and they are 3 wide.

Amex CSC however doesn't use a service code in its calculations and is 4 wide. Research it further and you could try to use the pad characters for service code in the algorithm.

The attachments you have provided are from the HSM manual. I don't know much about the HSM, but it probably is the data format the HSM expects for the CSC generation command and not the algorithm used.


-chhil

kapilashantha rajapaksha

Mar 17, 2015, 1:15:15 AM
to jpos-...@googlegroups.com
Thanks Chhil for the advice,

As far as I am aware, it's like

For VISA = CVV, MC = CAV & Amex = CSC

In fact, the verification of CSC is required to be performed at my application level without HSM.

CSC would be 3 digits, 4 digits & 5 digits


According to the HSM manual, I just encrypted ANB using a sample double-length key (ECB mode). And I can see the expected values (CSC) order in the result.

But the problem is how they are doing the decimalization when 12 (5 + 4 + 3) numeric digits are not available in the result.
Example

Encrypted result is 6b8cbc90eab0deb3 of ANB 1234567890129912 under sample CSCK

Found numeric from result = 6890 03

Expected CSCs are = 68900, 3232 and 806

Thanks



Mark Salter

Mar 17, 2015, 3:15:35 AM
to jpos-...@googlegroups.com
On 17/03/15 05:15, kapilashantha rajapaksha wrote:
>
> In fact the verification of CSC, it's required to perform at my
> application level without HSM.

I doubt this very much. Can I suggest you share the intent not to use
an HSM with the scheme and your security department before going any
further?

At the point you need keys to check any cryptographically derived value,
you need an HSM to protect the keys used.

--
Mark

chhil

Mar 17, 2015, 3:38:44 AM
to jpos-...@googlegroups.com

Without getting into why you need this, I don't think HSMs differentiate on card type to validate a CVV/CSC. So I would assume the algorithm should not vary.

An addition of CVV generation in the jPOS security module might be a good thing.

-chhil



kapilashantha rajapaksha

Mar 17, 2015, 8:06:44 AM
to jpos-...@googlegroups.com
Thanks for the information,

Totally agree with Mark, and it's not secure (for protecting the keys, it needs to have the HSM). But the client is looking for an SSM-based module for the time being, and later they will provide the HSM facilities to us.

Regarding the CVV calculation, the steps to be followed are pretty clear, but for CSC there are some missing steps for me.

And I assume that it will differ from one card association to another.

I'm just referring to the SafeNet HSM manual to get an idea of this, but I still can't simulate its example with correct values.

Hope you can help.

Thanks,




Mark Salter

Mar 17, 2015, 4:45:27 PM
to jpos-...@googlegroups.com
On 17/03/15 12:06, kapilashantha rajapaksha wrote:
> But the client is looking for an SSM-based module for the time being, and
> later they will provide the HSM facilities to us.
You will be requiring a commercial jPOS license too.


--
Mark the good news boy!

Mark Salter

Mar 18, 2015, 3:44:21 AM
to jpos-...@googlegroups.com
On 17/03/15 03:49, chhil wrote:
>
> Amex CSC however doesn't use a service code in its calculations and is 4
> wide. Research it further and you could try to use the pad characters
> for service code in the algorithm.
Amex 'CSC's are 3, 4 or 5 digits depending on where they are placed
(front, back, track).

The data into the DES3 is key, varying with the first two digits of the
PAN and with conditional padding if the digit selection from the
encrypted data is too short to produce the 3 types.

>
> The attachments you have provided are from the HSM manual. I don't know
> much about the HSM, but it probably is the data format the HSM expects
> for the CSC generation command and not the algorithm used.
I think the detail needed is in there for the OP to use; or they could
contact Amex to check the algorithm and indeed confirm if the CSC should
be being generated for checking in software.

It is the Verify.CSC function that should be used of course, and I still
don't believe it is valid to generate the CSC outside of an HSM for
comparison to real data - otherwise the CSCK is lost and the values for
the card in the transaction checked are compromised.

--
Mark

kapilashantha rajapaksha

Mar 18, 2015, 10:33:12 PM
to jpos-...@googlegroups.com
Thanks Mark,

I'm in a negotiation stage to use HSM.

Regards,

