How to generate the ZMK from clear component 1 and clear component 2


Thilina Himal

Mar 8, 2015, 1:35:22 PM
to jpos-...@googlegroups.com
In an issuer scenario, can I get the ZMK, using clear components (2) of ZPK? Kindly let me know.

Thanks in advance !!

Andy Orrock

Mar 8, 2015, 1:46:27 PM
to jpos-...@googlegroups.com

[This has nothing to do with jPOS and should be marked off-topic.]

You seem to be asking if -- having clear ZPK knowledge in hand, and guessing here that you also have the ZPK under the ZMK -- you can reverse engineer and know the clear ZMK.

I'd ask your HSM rep or distributor.

It seems a really sketchy situation: why would you not have access to a ZMK if you've got your hands on those other bits?

Andy

On Mar 8, 2015 12:35 PM, "Thilina Himal" <thilin...@gmail.com> wrote:
In an issuer scenario, can I get the ZMK, using clear components (2) of ZPK? Kindly let me know.

Thanks in advance !!

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/c24ab50a-484d-4224-9ccc-77efb6c92521%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thilina Himal

Mar 9, 2015, 2:31:34 PM
to jpos-...@googlegroups.com
Hi Andy,

Thanks a lot for your response !

Let me explain my real scenario. I need to act as the issuer.

I get 2 clear components of ZMK, and a key check value.

Component 1: 7A92 3870 1691 AD4A 3192 8023 E5E9 1CCE 

Component 2: 4CD6 51BF 3BF7 108A C4A8 4A16 2F3D 43F2 

Key check value: 87C7E0


And I also get the following.

ZPK_encrypted_under_ZMK: 9A97E90DC9A4741ADFBDA4F00757D254 

Key check value: 396D2E

 

And I get the PIN block in following format.

PIN BLOCK FORMAT: 01 

PIN BLOCK: 6099923E2B46491E (PIN_encrypted_under_ZPK)


My goal is to decrypt the PIN_encrypted_under_ZPK, so I can get the PIN BLOCK. So first of all, I need to "Generate ZMK using Clear components". Could you please let me know how to generate ZMK using clear components?


Thanks a lot !

Thilina

Victor Salaman

Mar 9, 2015, 3:03:18 PM
to jpos-...@googlegroups.com
Hi:

For the ZMK, normally you'll perform a Key Ceremony to enter the components into your HSM. I won't get into key management best practices, so let's just assume that they are imported into your HSM. Once this happens, your HSM will give you back the key encrypted under the HSM's LMK. You can now store this key in your database for future use.

Normally, the ZPK would be given to you in a key exchange message, at which point you would send the ZPK-encrypted-under-the-ZMK and the encrypted ZMK to the HSM, and the HSM would return your ZPK encrypted under its LMK. You can store this value in your database for future use.

If you are the issuer, you've designed how your PIN verification works. So let's assume you are using Visa PVV: you'd have stored in your database a PVV which, along with the ZPK and the PVK (PIN Verification Key used during PVV creation), can be sent to the HSM, instructing it to verify the PIN.

/V 

Mark Salter

Mar 10, 2015, 2:53:04 AM
to jpos-...@googlegroups.com
On 09/03/2015 18:31, Thilina Himal wrote:
> My goal is to decrypt the PIN_encrypted_under_ZPK, so I can get the PIN
> BLOCK. So first of all, I need to "*Generate ZMK using Clear
> components*". Could you please let me know how to generate ZMK using
> clear components?
>
As Victor says, you need an HSM to do the verify PIN once you have given
it the ZMK.

If any of those keys you posted are non-test, then please make sure you
consider them compromised.

--
Mark

Thilina Himal

Mar 10, 2015, 3:40:28 AM
to jpos-...@googlegroups.com
Hi Victor & Mark,

Thanks a lot for your responses !

Mark, the keys are from the test environment. Thanks for the advice !

Could you kindly let me know whether I can do the following using jPOS?

- "Generate the ZMK using Clear components" (I have 2 clear components, and a check value)

For example, I saw how an example on the acquirer side has been done at the following URL.

Can a similar kind of thing be done to generate the ZMK from clear components?
Kindly advise.

Thanks & best regards,
Thilina


Alejandro Revilla

Mar 10, 2015, 4:58:20 PM
to jPOS Users

Hi Thilina,

You can use the jPOS SMCONSOLE command to import your key. You should do something like this:

  • Start jPOS with the --cli command (or use the SSH module from jPOS-EE and ssh to your running Q2)
  • You’ll see a q2> prompt, press tab to see available commands

If you type smconsole you’ll see the usage page. You first need to build your LMKs; use something like this:

smconsole -lmk /tmp/test.lmk -rebuildlmk

Then you can use the FK command like this:

smconsole -lmk /tmp/test.lmk FK 128 ZMK 7A9238701691AD4A31928023E5E91CCE 4CD651BF3BF7108AC4A84A162F3D43F2 00000000000000000000000000000000

The SMCONSOLE expects 3 components; you use zeros for the third one (keys are XORed, so an additional all-zero key has no effect on the result).

When you run the command, you’ll see something like this:

    <result name="Formed Key">
      <secure-des-key length="128" type="ZMK" variant="0" scheme="X">
        <data>F57AE51270A370C96C17D98722E3ABEB</data>
        <check-value>87C7E0</check-value>
      </secure-des-key>
    </result>

You can see that the check value matches yours. The value F57AE51270A370C96C17D98722E3ABEB is the key encrypted under the randomly generated local master keys (created in the first step). It will give you another value once you use your own.

You can write that key to a key file, e.g. in the cfg directory you can put something like this (e.g. in a file called test-key.cfg):

zmk.key= F57AE51270A370C96C17D98722E3ABEB
zmk.checkvalue= 87C7E0
zmk.length=128
zmk.type=ZMK
zmk.class=org.jpos.security.SecureDESKey

If you’re using Q2, you can deploy a keystore QBean like this (e.g. 02_keystore.xml):

<ks class="org.jpos.q2.security.KeyStoreAdaptor">
 <attr name="impl">org.jpos.security.SimpleKeyFile</attr>
 <property name="key-file" value="cfg/test-key.cfg" />
</ks>

Then you locate the KS using the NameRegistrar and call its getKey("zmk") method to get a SecureKey (that’s a key encrypted under the LMK), used as a parameter for all SMAdapter operations. Here is the Javadoc: http://jpos.org/doc/javadoc/org/jpos/security/SecureKeyStore.html

Hope this helps.



Thilina Himal

Mar 14, 2015, 6:18:57 AM
to jpos-...@googlegroups.com
Hi Alejandro,

Thanks a lot for your advice !!

We used the following command line command, and were able to generate the ZMK. Sharing it here, as it might be useful to someone else in the future.

java -jar jpos-1.9.6.jar -c "smconsole -lmk test.lmk FK 128 ZMK 7A9238701691AD4A31928023E5E91CCE 4CD651BF3BF7108AC4A84A162F3D43F2 00000000000000000000000000000000"

We hope that the imported key is correct, as the check value which is displayed in the output ("87C7E0") is equivalent to the check value we received from the external party, along with the 2 clear components of the ZMK.

Thanking you once again !!

Kind regards,
Thilina
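The two steps the thread relies on, XORing the clear components (Alejandro's explanation of the all-zero third component) and comparing the check value against the one received from the counterparty (Thilina's 87C7E0 confirmation), as a self-contained added example that is not jPOS code nor from any poster. It uses the test components posted above and assumes the standard check value definition (3DES-ECB encryption of an all-zero block under K1|K2|K1, first three bytes), which is what the smconsole output matched; the class and method names are mine.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Forms a 128-bit (double-length) DES key from clear components and checks its KCV. */
public class ZmkComponentCheck {
    // Test components and check value exactly as posted in this thread.
    static final String COMPONENT_1 = "7A9238701691AD4A31928023E5E91CCE";
    static final String COMPONENT_2 = "4CD651BF3BF7108AC4A84A162F3D43F2";
    static final String EXPECTED_KCV = "87C7E0";

    /** XOR any number of equal-length components; an all-zero third component leaves the result unchanged. */
    static byte[] xorComponents(byte[]... components) {
        byte[] key = new byte[components[0].length];
        for (byte[] c : components) {
            if (c.length != key.length) throw new IllegalArgumentException("component length mismatch");
            for (int i = 0; i < key.length; i++) key[i] ^= c[i];
        }
        return key;
    }

    /** KCV: 3DES-ECB encrypt one all-zero block under K1|K2|K1 and keep the first 3 bytes (6 hex digits). */
    static String checkValue(byte[] doubleLengthKey) throws Exception {
        byte[] k3 = new byte[24];
        System.arraycopy(doubleLengthKey, 0, k3, 0, 16);
        System.arraycopy(doubleLengthKey, 0, k3, 16, 8);  // two-key TDEA: third key = first key
        Cipher des3 = Cipher.getInstance("DESede/ECB/NoPadding");
        des3.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k3, "DESede"));
        return toHex(des3.doFinal(new byte[8])).substring(0, 6);
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Third component is all zeros, exactly as in the smconsole FK command above.
        byte[] zmk = xorComponents(fromHex(COMPONENT_1), fromHex(COMPONENT_2), new byte[16]);
        String kcv = checkValue(zmk);
        System.out.println("KCV " + kcv + (kcv.equals(EXPECTED_KCV) ? " matches; key accepted" : " does not match; reject the key"));
    }
}
```

A mismatching KCV means a mistyped component or a wrong component order, so the formed key should be discarded before it is ever imported under an LMK.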
