Establishing Security Zone Between POS terminal and HSM


ola

Oct 14, 2009, 12:11:35 PM10/14/09
to jPOS Users
Hello,

Please, I am facing a security challenge here. I want to establish a
security zone between my POS terminal application (written in C) and,
say, an HSM for PIN translation. How do I do this? I don't want to
transmit the PIN entered from the terminal PIN pad in clear text to
the HSM (which is usually through an IP and a port), but in an
encrypted PIN block format. Can someone please give me a guide?
Sample code and references will be appreciated.

Thanks,

Ola.

David Bergert

Oct 14, 2009, 12:18:04 PM10/14/09
to jpos-...@googlegroups.com

ola

Oct 14, 2009, 12:29:40 PM10/14/09
to jPOS Users
Yes, agreed, but all the POS terminal devices in my locality are not
PIN-PED certified, and I believe something was in use before the PED
spec. So, if the PIN pad has no PED, how do I still achieve my security
zone, say by generating the PIN block using triple DES?

On Oct 14, 5:18 pm, David Bergert <dbergert...@gmail.com> wrote:
> This is typically not done in software but in a PED - Pin Entry Device
>
> https://www.pcisecuritystandards.org/security_standards/ped/pedapprov...
>
> https://www.pcisecuritystandards.org/security_standards/ped/index.shtml
>
> David Bergert, CISSP, CISA, CPISM/A
> www.paymentsystemsblog.com
>
> On Oct 14, 2009, at 11:11 AM, ola wrote:
>
> > I don't want to
> > transmit the PIN entered from the terminal PIN pad in clear text to
> > the HSM (which is usually through an IP and a port), but in an
> > encrypted PIN block format

Mark Salter

Oct 14, 2009, 1:06:00 PM10/14/09
to jpos-...@googlegroups.com
ola wrote:
> Yes, agreed, but all the POS terminal devices in my locality are not
> PIN-PED certified, and I believe something is being used before PED
> spec.
So your POS devices pass you the PIN in the clear, across a network,
between organisations, outside of a PIN block?

May I ask what your locality is - just interested?

> So, if the PIN pad has no PED, how do I still achieve my security
> zone, say by generating the PIN block using triple DES?

I can accept your concern about not *adding* to the risk of exposure of
the cardholder's PIN, but does your locality permit the use of these POS
devices with PIN *if* they do not protect the PIN at all?

You can certainly make a PIN block (what format is your HSM expecting?),
but as David indicates this seems very unusual.

You could do this in software, you just need the algorithm, but you will
need a clear DES key for generating the PIN block, unless you go to an
HSM to generate the PIN block, but then you have the same problem (of
transporting the PIN in the clear) *and* the risk to your DES key(s).

May I also check that you have exhausted all PIN processing options with
your POS devices before arriving at this need? Having to deal with
clear PINs is really unusual; I imagine your HSM does not expect
a clear PIN to be placed in any of its input message fields.

The approach feels flawed whilst you have the original problem of a
clear PIN to deal with.

Can you encrypt the whole message exchange (you to POS and/or you to HSM
system)?

--
Mark

ola

Oct 15, 2009, 3:22:17 AM10/15/09
to jPOS Users
> So your POS devices pass you the PIN in the clear, across a network,
> between organisations, outside of a PIN block?
NO! This is done through the software. What I mean is that most of
the terminals are not PIN-PED; rather, they have an encryption algorithm
loaded into the PIN pad or within the POS app.

> but does your locality permit the use of these POS
> devices with PIN *if* they do not protect the PIN at all?

NO! The PIN has to be protected with at least triple DES.

> You could do this in software, you just need the algorithm, but you will
> need a clear DES key for generating the PIN block
> Can you encrypt the whole message exchange (you to POS and/or you to HSM
> system?).

I need guide on how to generate the PIN block.

Chhil

Oct 15, 2009, 3:30:04 AM10/15/09
to jpos-...@googlegroups.com
The jPOS wiki has an HSM section that has an IBM URL that contains PIN
block info.

-Chhil
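The ISO 9564-1 format 0 ("ISO-0") construction that Mark and Chhil are pointing at, written out as an added worked example; this is not code from the thread, from jPOS, or from any terminal SDK. It builds the clear PIN block from the PIN and the PAN, and decodes it again the way an HSM does after decrypting. The 3DES step under the terminal's PIN key is deliberately left out so the block runs anywhere. The PAN and PIN values, and the function names, are constructed for the illustration; the assumption is a 13 to 19 digit PAN whose last digit is the Luhn check digit.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ISO 9564-1 format 0 clear PIN block (8 bytes = 16 hex digits):
 *   PIN field: '0', PIN length nibble, PIN digits, 'F' padding
 *   PAN field: "0000" + rightmost 12 PAN digits, check digit excluded
 *   clear block = PIN field XOR PAN field
 * The clear block is then 3DES-encrypted under the PIN key (DUKPT-derived
 * or master/session) inside the PED; that step is not performed here. */

static const char HEX[] = "0123456789ABCDEF";

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static int all_digits(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* PAN field; assumes a 13..19 digit PAN with trailing check digit. */
int iso0_pan_field(const char *pan, char out[17])
{
    size_t n = strlen(pan);
    if (n < 13 || n > 19 || !all_digits(pan, n)) return 0;
    memcpy(out, "0000", 4);
    memcpy(out + 4, pan + (n - 1) - 12, 12);  /* skip check digit */
    out[16] = '\0';
    return 1;
}

/* PIN field for a 4..12 digit PIN. */
int iso0_pin_field(const char *pin, char out[17])
{
    size_t n = strlen(pin);
    if (n < 4 || n > 12 || !all_digits(pin, n)) return 0;
    out[0] = '0';
    out[1] = HEX[n];
    memcpy(out + 2, pin, n);
    memset(out + 2 + n, 'F', 14 - n);
    out[16] = '\0';
    return 1;
}

/* Clear PIN block = PIN field XOR PAN field, as 8 raw bytes. */
int iso0_clear_pin_block(const char *pin, const char *pan, uint8_t block[8])
{
    char pf[17], af[17];
    if (!iso0_pin_field(pin, pf) || !iso0_pan_field(pan, af)) return 0;
    for (int i = 0; i < 8; i++) {
        int hi = hexval(pf[2 * i])     ^ hexval(af[2 * i]);
        int lo = hexval(pf[2 * i + 1]) ^ hexval(af[2 * i + 1]);
        block[i] = (uint8_t)((hi << 4) | lo);
    }
    return 1;
}

/* Inverse, as an HSM does after decrypting: validates the format and
 * returns the PIN length, or 0 if the block does not decode as ISO-0
 * under this PAN (wrong PAN, wrong key, or a tampered block). */
int iso0_extract_pin(const uint8_t block[8], const char *pan, char pin[13])
{
    char af[17], pf[17];
    if (!iso0_pan_field(pan, af)) return 0;
    for (int i = 0; i < 8; i++) {
        pf[2 * i]     = HEX[(block[i] >> 4)  ^ hexval(af[2 * i])];
        pf[2 * i + 1] = HEX[(block[i] & 0xF) ^ hexval(af[2 * i + 1])];
    }
    pf[16] = '\0';
    if (pf[0] != '0') return 0;
    int len = hexval(pf[1]);
    if (len < 4 || len > 12) return 0;
    if (!all_digits(pf + 2, (size_t)len)) return 0;
    for (int i = 2 + len; i < 16; i++)
        if (pf[i] != 'F') return 0;
    memcpy(pin, pf + 2, (size_t)len);
    pin[len] = '\0';
    return len;
}

void to_hex(const uint8_t *b, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = HEX[b[i] >> 4];
        out[2 * i + 1] = HEX[b[i] & 0xF];
    }
    out[2 * n] = '\0';
}

int main(void)
{
    /* Constructed sample values, not real card data. */
    const char *pin = "1234", *pan = "43219876543210987";
    uint8_t block[8];
    char hex[17], recovered[13];
    if (!iso0_clear_pin_block(pin, pan, block)) return 1;
    to_hex(block, 8, hex);
    printf("ISO-0 clear PIN block: %s\n", hex);   /* 0412AC89ABCDEF67 */
    if (iso0_extract_pin(block, pan, recovered) && strcmp(recovered, pin) == 0)
        printf("round trip OK\n");
    return 0;
}
```

The XOR with the PAN is not secrecy: it binds the block to the card so that the same PIN on two cards gives two different ciphertexts under the same key, and it gives the HSM a format check that fails loudly when the PAN in the message does not match the block. Everything secret is the key, which is why the thread keeps returning to where the key lives (PED secure memory, DUKPT, master/session) rather than to the block format itself.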

Mark Salter

Oct 15, 2009, 3:46:45 AM10/15/09
to jpos-...@googlegroups.com
ola wrote:
>> So your POS devices pass you the PIN in the clear, across a network,
>> between organisations, outside of a PIN block?
> NO! This is done through the software. What I mean is that most of
> the terminals are not PIN-PED; rather, they have an encryption algorithm
> loaded into the PIN pad or within the POS app.

So the clear PIN travels from the device to your app over whatever
networks in the clear, outside a PIN block?

>
>> but does your locality permit the use of these POS
>> devices with PIN *if* they do not protect the PIN at all?
>
> NO! The PIN has to be protected with at least triple DES.

But you are getting it in the clear?

How is that possible *if* the PIN 'has to be protected'? Please help me
understand the connection/link between your POS device(s) and your
application.

>
>> You could do this in software, you just need the algorithm, but you will
>> need a clear DES key for generating the PIN block
>> Can you encrypt the whole message exchange (you to POS and/or you to HSM
>> system?).
>
> I need guide on how to generate the PIN block.

This is freely available, you can search for it.

I think you must question your need though - as I ask above.

--
Mark

Mark Salter

Oct 15, 2009, 4:11:17 AM10/15/09
to jpos-...@googlegroups.com
Mark Salter wrote:
> ola wrote:
>> Yes, agreed, but all the POS terminal devices in my locality are not
>> PIN-PED certified, and I believe something is being used before PED
>> spec.
> May I ask what your locality is - just interested?
>
By your email headers, I surmise that your processing is running in Nigeria?

--
Mark

Andy Onyung

Oct 15, 2009, 4:27:25 AM10/15/09
to jpos-...@googlegroups.com
I'm pretty certain that all POS terminals certified to be used in
Nigeria are PIN-PED certified.

Mark Salter

Oct 15, 2009, 4:45:28 AM10/15/09
to jpos-...@googlegroups.com
Andy Onyung wrote:

> Mark Salter wrote:
>> By your email headers, I surmise that your processing is running in Nigeria?
>>
>>
> I'm pretty certain that all POS terminals certified to be used in
> Nigeria are PIN-PED certified.

I wonder which type (or network) ola is making use of.

Perhaps something 'closed-loop'?

Thanks for the detail Andy.

8)

--
Mark

ola

Oct 15, 2009, 5:47:16 AM10/15/09
to jPOS Users
> > I'm pretty certain that all POS terminals certified to be used in
> > Nigeria are PIN-PED certified.
Andy, please can you give me sample terminals? Perhaps I am
misconceiving!

>> By your email headers, I surmise that your processing is running in Nigeria?
Well, I am still at the developing stage, not at processing, and that is
why I need a guide please, so that I put the right thing into production. I
will appreciate it here if guidance is given rather than otherwise.

> How is that possible *if* the PIN 'has to be protected', please help me
> understand the connection/link between your POS device(s) and your
> application.

See, the application I refer to here is the POS terminal application, NOT
the jPOS application, so the application is still on the device.
My concern is how to get the PIN entered on the device encrypted
on the device before it is transmitted at all across the network to either
an HSM or a jPOS application; thus I need to establish a security zone.

Andy Onyung

Oct 15, 2009, 6:13:20 AM10/15/09
to jpos-...@googlegroups.com
A few I can think of include the Verifone Vx series (510, 570, 670) as
well as the MX (830, 830, 870). But like Mark said, perhaps you should
tell us what terminal type you are using (or planning to use). You
might want to explore the DUKPT and Master/Session encryption schemes
for what you want to achieve. This isn't really a jPOS issue.

Kind Regards,
Andy

Mark Salter

Oct 15, 2009, 6:29:22 AM10/15/09
to jpos-...@googlegroups.com
ola wrote:
>>> By your email headers, I surmise that your processing is running in Nigeria?
> well, i am still at developing stage, not at processing, and that is
> why i need guide pls, so that i put the right thing into production. I
> will appreciate here if guidance is being given rather than otherwise.

I really am trying to help, but worry we are not seeing your true
position...

>
>> How is that possible *if* the PIN 'has to be protected', please help me
>> understand the connection/link between your POS device(s) and your
>> application.
>
> See, the application I refer to here is the POS terminal application, NOT
> the jPOS application, so the application is still on the device.

This is still unclear - to me anyway. This appears to not be a jPOS
question at all?

Are you writing code that is running *on* the POS device?


> My concern is how to get the PIN entered on the device encrypted
> on the device before it is transmitted at all across the network to either
> an HSM or a jPOS application; thus I need to establish a security zone.

I think you may need to be looking at the POS device's 'API'; I am sure
the ability to produce a PIN block *should* be available, otherwise how
can these devices ever work in a production environment at all?

--
Mark

ola

Oct 15, 2009, 9:38:12 AM10/15/09
to jPOS Users
> Are you writing code that is running *on* the POS device?

YES

> I think you may need to be looking at the POS devices 'api', I am sure
> the ability to produce a PIN block *should* be available, otherwise how
> can these devices ever work in a production environment at all?

I have been trying to contact them but never get a fruitful result. You
see, I have a virgin/blank POS terminal, onto which I loaded a
kernel and ramdisk, and I am developing my own app for and on the POS device.
Anyway, I am still trying to get this security issue fixed, God help
me!

Mark Salter

Oct 15, 2009, 10:17:43 AM10/15/09
to jpos-...@googlegroups.com
ola wrote:
>> Are you writing code that is running *on* the POS device?
>
> YES

You 'shout' because I should have guessed this and didn't?

8)

>
>> I think you may need to be looking at the POS devices 'api', I am sure
>> the ability to produce a PIN block *should* be available, otherwise how
>> can these devices ever work in a production environment at all?
>
> I have been trying to contact them but never get a fruitful result. You
> see, I have a virgin/blank POS terminal, onto which I loaded a
> kernel and ramdisk, and I am developing my own app for and on the POS device.
> Anyway, I am still trying to get this security issue fixed, God help
> me!

So you have a supplier problem, as you are 'rolling your own' I can
imagine they may not be able to give fruitful support - just like us.

Please mark off-topic postings to this list with OT in the subject line,
that way we need not waste time reading them if they are nothing to do
with jPOS.

Good luck.

--
Mark

Zablon Ochomo

Oct 15, 2009, 10:38:40 AM10/15/09
to jpos-...@googlegroups.com
Ola,
If I understood your question correctly, you need the setup below.

POS <----> POS Switch <-----> HSM

That is, the POS application is written in C, the POS Switch may be jPOS, and the HSM device may be from Thales.

If that is the case, then your jPOS application should handle the field with the PIN block and send the correct HSM command during POS terminal request processing.

What do you think?
--
Zablon Ochomo

ola

Oct 15, 2009, 11:11:39 AM10/15/09
to jPOS Users
THIS IS NOT COMPLETELY OFF THE jPOS TOPIC, BECAUSE THE POS TERMINAL APP
STILL COMMUNICATES WITH THE jPOS APP, which acts like a gateway between the
POS terminal app and Postilion. So, the security zone I am
establishing involves both the POS terminal and the jPOS app that I
developed that acts like a gateway, so I am NOT WASTING YOUR TIME,
only NEED help. But if you thought I had, sorry for that.

THANK YOU.

ola

Oct 15, 2009, 11:15:52 AM10/15/09
to jPOS Users
> If that is the case, then your jPOS application should handle the field with
> PIN block and send the correct HSM command during POS terminal request
> processing.
>
> What do you think?

Zablon, thank you for taking your time to understand my question,
scenario and pain. This is the exact picture of what I am doing. You see,
right now I have jPOS generating the PIN block correctly before it is
communicated to the host/Postilion; the only thing I now need to establish
is a security zone between my POS app and the jPOS app, so I thought
using a PIN block would be safer.

POS Switch <-----> HSM : No problem

POS <----> POS Switch : Need to establish security zone.

I really appreciate your reply.

ola

Oct 15, 2009, 11:23:12 AM10/15/09
to jPOS Users
> You 'shout' because I should have guessed this and didn't?

SHOUT? That I need assistance does not mean I should NOT be given a
little courtesy.

> So you have a supplier problem, as you are 'rolling your own' I can
> imagine they may not be able to give fruitful support - just like us.

But I have someone who has already given me fruitful support! BYE


Mark Salter

Oct 15, 2009, 1:07:27 PM10/15/09
to jpos-...@googlegroups.com
ola wrote:
> THIS IS NOT COMPLETELY OFF THE jPOS TOPIC, BECAUSE THE POS TERMINAL APP
> STILL COMMUNICATES WITH THE jPOS APP,

As I hope I have indicated, I think you are trying to fix a problem that
should not exist...

...your POS application must create a PIN block very 'close' - no clear
values on the network - to the PIN entry mechanism; how it does that I don't
know, it is, I think, for you to discover with your
hardware/kernel/environment supplier...

... this is why I consider this as off-topic; just for now.

You will need DES key(s) to generate a PIN block and you may need to
control/negotiate/dictate this from your jPOS system; only you can find
out how your terminal can help you do that - I'm hoping the POS device
has some 'secure memory' in which to lodge your working/current PIN
transport key, or a built-in HSM to help you; if so, generating a PIN
block is something it can help you do.

Generation of key exchange messages from a jPOS system to your POS would
be on topic.

> which acts like a gateway between the
> POS terminal app and the Postilion. So, the security zone I am
> establishing involve both the POS terminal and JPOS app that I
> developed that acts like a gateway, so I am NOT WASTING YOUR TIME,

You are right, *I* am wasting my own time.

8)

I wish you luck.

--
Mark

Mark Salter

Oct 15, 2009, 1:09:01 PM10/15/09
to jpos-...@googlegroups.com
ola wrote:
>> You 'shout' because I should have guessed this and didn't?
>
> SHOUT? That I need assistance does not mean I should NOT be given a
> little courtesy.

I have been courteous all through in all of your previous and current
postings.

>
>> So you have a supplier problem, as you are 'rolling your own' I can
>> imagine they may not be able to give fruitful support - just like us.
>
> But I have someone who has already given me fruitful support! BYE

8)

--
Mark

Victor Salaman

Oct 15, 2009, 1:35:39 PM10/15/09
to jpos-...@googlegroups.com
Ola:

Is this the same POS C application you've been asking about since August 2008?

I think this is off-topic (OT) at this point as Mark has said.

If after all this time, you're still struggling to go to production with your POS app, my best suggestion for you is to stop self-abusing, and go with a standard terminal and well supported platform such as Hypercom or Verifone and use their respective SDKs. Your job then becomes much simpler, and processes such as key injection are very WELL documented :) Following is a good combo so you see what I'm talking about:

T4220 Terminal:
http://www.hypercom.com/products/t4220.asp

SDK for that terminal:
http://www.hypercom.com/products/hdt.asp 

/V

Emeka Onwuka

Oct 15, 2009, 9:13:43 PM10/15/09
to jpos-...@googlegroups.com
Hi Ola

I think you may be getting into some more problems with Nigeria going
fully EMV by the end of this year. You may want to use a terminal that
has PED support, or better still is able to do chip and PIN. While your
approach may look cost-efficient, it may be more academic than actual
production-level development; take advice from people that have been
in the ePayment industry for decades.

just my 2 cents.

ola

Oct 16, 2009, 3:29:14 AM10/16/09
to jPOS Users
I thank you all for all your responses and pieces of advice.

Regards

SChari

Oct 16, 2009, 7:32:38 AM10/16/09
to jPOS Users
Hi ola,

Your question is actually about a DES/3DES algorithm in 'C' for the
PIN block generation, and still that won't really be "Establishing
Security Zone Between POS terminal and HSM".
You can google for DES/3DES/DESede algorithm code in C or Java and
adapt it to your device manufacturer's C compiler. I have done that for
Ingenicos and Nokia phone terminals. It's not a complicated task if you
are a true C/Java coder. If you still have problems you can fly over to
Zimbabwe and I will do it for you.

See you in Zim?

Sammy