Can I generate a PIN block with org.jpos.security?


ola
Apr 7, 2009, 3:06:11 AM
to jPOS Users
Hello All,

Please, I want to find out if I can generate a PIN block (field 52)
using org.jpos.security? And if yes, please can you refer me to some
documentation about this and the steps to do it. Presently, I can do key
change with my Postilion server and I get 48 bytes
(97ECDA8CF3A1A001CC0BDDB6579D32DDBBBFB73030303030303030303030303030303030303030303030303030303030)
of data from Postilion. Also, is there any way in jPOS that I can extract the
session key from this field value for generating my PIN block?

Thanks as I expect your reply and guides...

Ola.

chhil
Apr 7, 2009, 3:55:32 AM
to jpos-...@googlegroups.com

Your question raises concerns...

I am fairly certain you are currently not using an HSM for crypto (please, please tell me that's not the case).

In order to generate a pinblock you need a PIN in the "clear" (are you sure about what you are trying to do?). I was hoping you wanted to translate the encrypted pinblock that you acquired and need to translate and send it to your host.

The key that you have received in the exchange is encrypted under a parent, so this key is totally useless unless you know its clear parent value and whether any variants were used.


-chhil

ola
Apr 7, 2009, 4:19:33 AM
to jPOS Users
Hello Chhil,

Thanks for your reply. Really, I am not using an HSM at my end, but the
Postilion system is using a Thales HSM. According to the guys in the
bank, what I need is to establish a security zone between my
application gateway and the Postilion system, which leads to an exchange
of keys. The stage I am at now is that I can get the encrypted pinblock from
Postilion, and I have the clear parent value to be given to me by the bank
(which they used for the encryption), so I need to use this "clear"
key component to decrypt the exchanged pin block, get the "clear" key
which I will then use to generate the pinblock. Please, how do I go
about these using jPOS:

- decrypt the exchanged pinblock from Postilion
(97ECDA8CF3A1A001CC0BDDB6579D32DDBBBFB73030303030303030303030303030303030303030303030303030303030),
using the clear key component given to me, to get the clear key.
- use the clear key to generate the pinblock for my PIN (field 52).

Thanks.

Ola.


chhil
Apr 7, 2009, 4:59:36 AM
to jpos-...@googlegroups.com

Are you expected to go live with this setup? 

You may want to brush up on some crypto stuff at http://www.jpos.org/wiki/HSM_basics; that will allow you to play around with crypto in a "test" environment.

-chhil

Emeka Onwuka
Apr 7, 2009, 10:37:53 AM
to jpos-...@googlegroups.com
Are you sure you are supposed to decrypt the PIN block and re-generate it, or just translate it? I would assume that you are just translating it. As regards your ZPK, the first 32 characters are your ZPK and the next 6 are the check digits. And if the information you pasted here is from field 53 after the 0800 key exchange request, then it is not a PIN block.

ola
Apr 7, 2009, 12:14:18 PM
to jPOS Users
Hello All,

Let me explain better. I am not doing PIN verification/translation.
That will be done at the Postilion side, which has the HSM. These are the steps of
what I am doing:
1. I send an 0800 key exchange to the Postilion source node (already loaded
with the KEK), with field 70 set to 101, and I get a response with field
53 containing the encrypted KWP
(97ECDA8CF3A1A001CC0BDDB6579D32DDBBBFB73030303030303030303030303030303030303030303030303030303030)
2. The bank sent me the clear key used at their side.
3. I need to use this clear key (TMK) to decrypt the encrypted KWP (in
the KWP field) to get the clear KWP that I will use to form the PIN block
and encrypt it with the clear KWP.
4. Then I will forward my 0200 transaction messages with field 52 set
to the value of the PIN block above.

So my challenge is, how will I go about step 3 above using jPOS?

Ola



Chhil
Apr 7, 2009, 2:17:20 PM
to jpos-...@googlegroups.com
The pinblock that you want to send in the 0200 can only be sent if you
have a clear PIN in hand. How in the world do you have a clear PIN?
Do you understand the implications of what you are trying to do?

Let's assume you are developing a test system to inject transactions,
because that's the only time you will have a clear KWP and a clear PIN in
hand; what you have indicated can never happen in a production system.
Having said this, use Bouncy Castle or Sun's JCE to decrypt the KWP.
Now you have a clear KWP.
Use the clear PIN you have to create a PIN block. This format needs to
be something you have agreed upon with Postilion.
Use this clear KWP to encrypt the pinblock.
Send this pinblock in the 0200.

I repeat, you need an HSM to provide crypto services to you. What HSM
do you plan on using when you move your system into a production
environment?

Can you tell us what bank you are doing this project for?


-chhil

ola
Apr 8, 2009, 4:14:21 AM
to jPOS Users
Thanks Chhil,

Really, this is still a test environment.

> Having said this, use bouncy castle or suns jce to decrypt the kwp.
> Now you have a clear kwp.
> Use the clear pin you have to create a pin block.

Please, can you give a guide on how to use this "Bouncy Castle or Sun's
JCE"?

I have never seen any documentation on it!

Ola.



chhil
Apr 8, 2009, 4:23:11 AM
to jpos-...@googlegroups.com
http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html#SimpleEncrEx

Look at the jPOS source to get an idea:

jpos162\modules\security\src\org\jpos\security\jceadapter\JCEHandler.java

-chhil

ola
Apr 15, 2009, 4:40:24 AM
to jPOS Users
Hello Chhil,

Please, I need the assistance of you guys concerning generating my PIN
block. I have read the documentation about
org.bouncycastle.jce.provider.BouncyCastleProvider and SMAdapter and I
have looked at the example. But I need you guys to please clear my
doubts:

1. I have a value from Postilion in field 53 as
[D80BBE619F99D36C546C7A98C8CA5FEB69E8433030303030303030303030303030303030303030303030303030303030]
after the 0810 key exchange. What will be the value of the KWP in this field
53? From the archive I read in this forum, I learnt that the KWP will
be the 32-character part [D80BBE619F99D36C546C7A98C8CA5FEB] of this field 53.
Please explain!

2. Secondly, from Chhil's statement: "bouncy castle or suns jce to
decrypt the kwp and have a clear kwp", HOW WILL I ACHIEVE THIS? From
the jceadapter documentation I read, I discovered these:
a. to set up SMAdapter, I have to use a file called lmk, e.g.
import org.jpos.security.SMAdapter;
import org.jpos.security.jceadapter.JCESecurityModule;

SMAdapter sm = null;
String lmk = "cfg/lmk";            // path of the LMK file; as a Java literal, backslashes would have to be written "\\cfg\\lmk"
sm = new JCESecurityModule(lmk);   // uses the SunJCE provider; throws SMException if the LMK file cannot be loaded

WHAT IS THIS file lmk all about? And what is its content for?

b. Again, to decrypt, I have something like: pin = sm.decryptPIN(pinUnderLmk); where
pinUnderLmk = sm.encryptPIN(pin, accountNumber);

What is the relationship of this decryptPIN() to decrypting my
KWP (according to Chhil) gotten from the Postilion 0810 response in field
53?

Please, your guide with sample source code will be highly appreciated.
I count on you guys....

Ola





chhil
Apr 15, 2009, 5:14:10 AM
to jpos-...@googlegroups.com
1. You receive an encrypted key in the key exchange message. When the key is single length (8 bytes) it is 16 hex digits
wide; when it is double length (16 bytes) it is 32 hex digits wide.
The spec you have should define the contents of field 53 for you, and you should use that
to determine which part of field 53 is your encrypted key.

2. For LMK definition/usage refer to 1.1.1 at http://www.jpos.org/wiki/HSM_basics_continued.
You would never want to decrypt the KWP, as it means it's a totally insecure system (we have already
gone over this a lot of times). If you want to decrypt it, you can call
the standard JCE decrypt function and pass the encrypted data (the key's byte array is basically data).
I doubt this decrypted value will work for you, as there are variants (http://www.jpos.org/wiki/HSM_basics)
involved which you would need to apply at your end to get the right output. If you need the variants you will need to talk to the HSM custodians for these, as I am not sure if these are standard for an HSM type.

The only relation I see between decrypt PIN and decrypt KWP is that both use the decrypt functionality
of your crypto provider. The helper decryptPIN probably uses an account number, as a PIN only exists
in a PIN block and a secure PIN block is created using part of the account number (see http://bit.ly/OI5I).

I am sure that everyone is still curious as to what you are trying to do. Can you walk me through the flow of a single transaction that you would process and send to the bank?
So as an example:
A card is used at an ATM; I translate it to the host's 8583 format and send the mandatory fields. I have an encrypted PIN block that I would need to translate for the security zone between the ATM and the host, so I need to send a PIN translation command to the HSM to get an encrypted PIN block, which I put in the 8583 and send. So if I do all of this my code never needs to know any key in the clear and there can be no security breach ;).

-chhil



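Emeka's and chhil's description of field 53 put into code, as an added Java example that is not from the thread or from jPOS: the class below splits the field into the key under the ZMK (16 hex digits for a single-length key, 32 for a double-length one, whichever your host spec fixes), the six check digits and the '0' fill, and it shows what the check digits are, namely the first three bytes of the key applied to eight zero bytes, which is what an HSM reports after importing a key and what you compare against field 53. That key-check-value convention is the editor's assumption of the usual definition, the test key is a constructed, publicly known example value, and a clear key should only ever be handled this way inside an HSM or, as here, for a test key.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Field 53 layout used in this thread: key under ZMK, six check digits, then
 * fill bytes of ASCII '0' (0x30), 48 bytes in total for a double-length key.
 * Added example; not code from the thread or from the jPOS project.
 */
public final class Field53 {

    /** The three parts of a field 53 value. */
    public static final class Parts {
        public final String keyUnderZmkHex;  // encrypted key exactly as received, never decrypted here
        public final String checkDigitsHex;  // check digits reported by the sender's HSM
        public final String paddingHex;      // hex of the fill bytes that follow

        Parts(String key, String kcv, String padding) {
            this.keyUnderZmkHex = key;
            this.checkDigitsHex = kcv;
            this.paddingHex = padding;
        }
    }

    /**
     * @param field53   field 53 as a hex string
     * @param keyHexLen 16 for a single-length key, 32 for a double-length key (from your host spec)
     */
    public static Parts parse(String field53, int keyHexLen) {
        if (keyHexLen != 16 && keyHexLen != 32) {
            throw new IllegalArgumentException("keyHexLen must be 16 or 32, got " + keyHexLen);
        }
        if (field53 == null || field53.length() < keyHexLen + 6) {
            throw new IllegalArgumentException("field 53 is shorter than key plus check digits");
        }
        String key = field53.substring(0, keyHexLen).toUpperCase();
        String kcv = field53.substring(keyHexLen, keyHexLen + 6).toUpperCase();
        String pad = field53.substring(keyHexLen + 6);
        if (!key.matches("[0-9A-F]+") || !kcv.matches("[0-9A-F]+")) {
            throw new IllegalArgumentException("key and check digits must be hex");
        }
        // Assumption from the quoted samples: the fill is ASCII '0' bytes, i.e. repeated "30" in hex.
        if (!pad.matches("(30)*")) {
            throw new IllegalArgumentException("unexpected trailing data after check digits: " + pad);
        }
        return new Parts(key, kcv, pad);
    }

    /**
     * Check digits of a clear DES/3DES key: encrypt eight zero bytes under the key and
     * keep the first three bytes as six hex digits (assumed convention). An HSM does this
     * internally after importing a key; call it only on test keys.
     */
    public static String checkDigits(byte[] clearKey) throws Exception {
        byte[] k24 = new byte[24];
        switch (clearKey.length) {
            case 8:   // single length: K1 = K2 = K3 makes DESede equal to single DES
                for (int i = 0; i < 3; i++) System.arraycopy(clearKey, 0, k24, 8 * i, 8);
                break;
            case 16:  // double length: K1 K2 K1
                System.arraycopy(clearKey, 0, k24, 0, 16);
                System.arraycopy(clearKey, 0, k24, 16, 8);
                break;
            case 24:  // triple length: used as is
                System.arraycopy(clearKey, 0, k24, 0, 24);
                break;
            default:
                throw new IllegalArgumentException("key must be 8, 16 or 24 bytes");
        }
        Cipher des3 = Cipher.getInstance("DESede/ECB/NoPadding");
        des3.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k24, "DESede"));
        return toHex(des3.doFinal(new byte[8])).substring(0, 6);
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02X", x));
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Rebuild the 48-byte value quoted in the thread: 16-byte key, 3-byte KCV, 29 fill bytes of '0'.
        StringBuilder field53 = new StringBuilder("D80BBE619F99D36C546C7A98C8CA5FEB" + "69E843");
        for (int i = 0; i < 29; i++) field53.append("30");

        Parts p = parse(field53.toString(), 32);
        System.out.println("key under ZMK : " + p.keyUnderZmkHex);
        System.out.println("check digits  : " + p.checkDigitsHex);

        // Constructed test key: the check digits an HSM would report for it after import.
        System.out.println("KCV of test key: " + checkDigits(fromHex("0123456789ABCDEFFEDCBA9876543210")));
    }
}
```

Note that `parse` never touches the key material; the only thing the gateway does with `keyUnderZmkHex` is hand it to the HSM (or, in a test environment, to a software security module) and compare the check digits the HSM returns with `checkDigitsHex`.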

ola
Apr 15, 2009, 6:06:32 AM
to jPOS Users
Thank you Chhil,

According to you:

> card is used at a Atm, I translate it to a hosts 8583 format and sending
> the mandatory fields. I have a encrpted pin block that I would need to
> translate as the security zone between the ATM and the host so I need to
> send a pin translation command to the HSM to get an encrypted pin block
> which I put in the 8583 and send.

This is my sample:

I have a POS terminal with a PIN pad. The card is swiped on the POS
terminal to, say, make a payment, to get the PAN and track 2 data;
the customer enters the PIN on the PIN pad, and based on the security zone I
established between the POS device and my jPOS application gateway
(which communicates with Postilion directly), the POS application
(in C) forwards the mandatory fields (including the encrypted PIN) to the
jPOS application over this security zone using a standard encryption
algorithm. The jPOS application, serving as the gateway to the Postilion
server, gets these fields, uses ISOMUX and Postpack.xml to translate
these fields to ISO 8583 and sends them to the bank host. So, in my jPOS
application, I need to generate the PIN block that I will put in my 8583
and send. To generate this PIN block, I need to do a key exchange for
encrypting the PIN block.

So how will I go about this? Without an HSM and WITH an HSM?






chhil
Apr 15, 2009, 6:20:41 AM
to jpos-...@googlegroups.com
Thank you for the flow.

There is a security zone between the POS C app and your jPOS app. You would have exchanged keys between the two so that the PIN block comes to you under a key that you share with the POS app.

There is a second zone between jPOS and the host where you are already doing the key exchanges.

The clear ZMK values that you previously got from the bank would actually need to go to the HSM, and you get encrypted values for them.
These encrypted values are the only thing anyone has access to.
So when you get an encrypted KWP from the host you would send that key along with the encrypted ZMK to the HSM. The HSM will most probably return check digits, which you would compare against the check digits in 53 to determine if the keys were loaded correctly.

Now comes the PIN block part. The POS app will give you an encrypted PIN block; you will send this PIN block, the encrypted key shared with the POS app and the encrypted KWP to the HSM and get it translated (maybe the PIN block format would need to be sent). If all is good you will get a translated PIN block that you can send to the host.

If you follow the above closely, you never have anything in the clear (i.e. it's secure).

So to answer your question... With HSM.

I have not personally dealt with loading keys etc., so if I have stated something incorrectly, please jump in.

-chhil
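The flow chhil lays out, written up as an added Java example (not from the thread or the jPOS project) with jPOS's JCESecurityModule playing the HSM in a test environment. What it demonstrates is the property in the last paragraphs: the application only ever holds SecureDESKey objects (keys encrypted under the module's LMK) and EncryptedPIN objects, it verifies the imported ZPK against the check digits carried in field 53 before using it, and it translates the PIN block from the POS zone key to the host zone key without ever seeing a clear key or a clear PIN. The SMAdapter/JCESecurityModule method names and signatures are the editor's recollection of the jPOS 1.6-era API and must be checked against SMAdapter.java and JCESecurityModule.java; the LMK file path, the ZMK components, the PAN and the PIN are constructed test values, and the "host" and "PIN pad" sides are simulated in the same process so the example is self-contained.

```java
import org.jpos.iso.ISOUtil;
import org.jpos.security.EncryptedPIN;
import org.jpos.security.SMAdapter;
import org.jpos.security.SMException;
import org.jpos.security.SecureDESKey;
import org.jpos.security.jceadapter.JCESecurityModule;

/**
 * Two-zone PIN translation with a software security module standing in for
 * the HSM (test environment only).  Added example, not jPOS project code;
 * method signatures are assumed from the jPOS 1.6-era API.
 */
public final class PinTranslationFlow {

    /** Host side: field 53 for the 0810 is the ZPK under the ZMK followed by its check digits. */
    static String buildField53(SMAdapter sm, SecureDESKey zpk, SecureDESKey zmk) throws SMException {
        byte[] zpkUnderZmk = sm.exportKey(zpk, zmk);        // 16 bytes for a double-length key
        return ISOUtil.hexString(zpkUnderZmk) + ISOUtil.hexString(zpk.getKeyCheckValue());
    }

    /** Gateway side: import the ZPK from field 53 and refuse it if the check digits do not match. */
    static SecureDESKey importZpk(SMAdapter sm, String field53, SecureDESKey zmk) throws SMException {
        byte[] zpkUnderZmk = ISOUtil.hex2byte(field53.substring(0, 32));
        String expectedKcv = field53.substring(32, 38);
        // The module decrypts under the ZMK internally and hands back the key re-encrypted under its LMK.
        SecureDESKey zpk = sm.importKey(SMAdapter.LENGTH_DES3_2KEY, SMAdapter.TYPE_ZPK, zpkUnderZmk, zmk, true);
        String actualKcv = ISOUtil.hexString(zpk.getKeyCheckValue());
        if (!actualKcv.equalsIgnoreCase(expectedKcv)) {
            throw new SMException("ZPK check digits mismatch: field 53 says " + expectedKcv + ", module says " + actualKcv);
        }
        return zpk;
    }

    /** Gateway side: translate the PIN block from the POS zone key to the host zone key. */
    static String translateForHost(SMAdapter sm, EncryptedPIN pinUnderTpk, SecureDESKey tpk, SecureDESKey zpk)
            throws SMException {
        EncryptedPIN pinUnderZpk = sm.translatePIN(pinUnderTpk, tpk, zpk, SMAdapter.FORMAT01);
        return ISOUtil.hexString(pinUnderZpk.getPINBlock());   // the value that goes into field 52
    }

    public static void main(String[] args) throws SMException {
        // Software security module; its LMK file must already exist (see HSM_basics_continued in the thread).
        JCESecurityModule sm = new JCESecurityModule("cfg/lmk");

        // Key ceremony: the bank's ZMK components go into the module, not into application code.
        // Constructed test components; the second and third are zero so the ZMK equals the first.
        SecureDESKey zmk = sm.formKEYfromThreeClearComponents(
                SMAdapter.LENGTH_DES3_2KEY, SMAdapter.TYPE_ZMK,
                "0123456789ABCDEFFEDCBA9876543210",
                "00000000000000000000000000000000",
                "00000000000000000000000000000000");

        // Zone 2 (gateway <-> host), host side simulated: generate a ZPK/KWP and send it under the ZMK.
        SecureDESKey hostZpk = sm.generateKey(SMAdapter.LENGTH_DES3_2KEY, SMAdapter.TYPE_ZPK);
        String field53 = buildField53(sm, hostZpk, zmk);

        // Zone 2, gateway side: import and verify against the check digits.
        SecureDESKey zpk = importZpk(sm, field53, zmk);

        // Zone 1 (POS app <-> gateway): the key shared with the POS application, here simply generated.
        SecureDESKey tpk = sm.generateKey(SMAdapter.LENGTH_DES3_2KEY, SMAdapter.TYPE_TPK);

        // Stand-in for the PIN pad, the only place a clear PIN legitimately exists (constructed PAN and PIN).
        String pan = "4111111111111111";
        EncryptedPIN pinUnderLmk = sm.encryptPIN("1234", pan);
        EncryptedPIN pinUnderTpk = sm.exportPIN(pinUnderLmk, tpk, SMAdapter.FORMAT01);

        // Gateway: what arrives from the POS app is pinUnderTpk; what leaves for the host is field 52.
        String field52 = translateForHost(sm, pinUnderTpk, tpk, zpk);

        System.out.println("field 53 from host : " + field53);
        System.out.println("field 52 for 0200  : " + field52);
    }
}
```

Everything the gateway code touches is either an LMK-encrypted key or an encrypted PIN block; swapping the JCESecurityModule for a real HSM adapter changes the `sm` object, not the flow.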

ola
Apr 15, 2009, 8:24:50 AM
to jPOS Users
Hello Chhil,
I appreciate your brilliant idea. But I need some clarifications and
comments:

1.
> There is a security zone between the POS c app and your jpos app. You would
> have exchanged keys between the two so that pinblock comes to you under a
> key that you share with the POS app.

Presently, I am just encrypting the PIN before sending it to the jPOS app. I
can successfully exchange keys between the two, but how would I
generate the PIN block in the POS C app, after getting the PIN from the
terminal PIN pad?

2.

> Now comes the pinblock part. the POS app will give you an encrypted
> pinblock, you will send this pinblock, the encrypted key shared with the POS
> app and the encrypted KWP to the HSM and get it translated (maybe the
> pinblock format would need to get sent)
> WITH HSM

My challenge is HOW WILL I GET HSM INSTALLED IN MY ENVIRONMENT?

3.
> So when you get an encrypted KWP from the host you would send that key along
> with the encrypted ZMK to the HSM.

But if I am not using an HSM, is there any way I can use the encrypted KWP
and the clear ZMK got from the bank to re-translate the PIN block I
got from the POS C app to a new PIN block I will put in my jPOS 8583
sent to the bank host? (this is just an idea!).

Expecting your comments!

Ola

chhil
Apr 15, 2009, 8:53:25 AM
to jpos-...@googlegroups.com
Comments inline...



Hello Chhil
I appreciate your brilliant idea. But I need some clarifications and
comments:
[chhil] It's standard operating procedure.

1.
> There is a security zone between the POS  c app and your jpos app. You would
> have exchanged keys between the two so that pinblock comes to you under a
> key that you share with the POS app.

Presently, I am just encrypting the PIN before sending to JPOS app. I
can successfully exchange keys between the two, but how would i
generate the PIN block in POS c app, after getting the PIN from the
terminal pinpad?

[chhil] The PIN from the POS is encrypted. You would use the HSM facility for translating it from your POS <-> POS C app zone
to the POS C app <-> jPOS zone. I think you would pass in the encrypted
PIN block from the POS, source PIN block format, destination PIN block format, source encryption
key and destination encryption key (there may be other params).
If you are not planning on using an HSM, your attempt to integrate with any host is futile.


2.

> Now comes the pinblock part. the POS app will give you an encrypted
> pinblock, you will send this pinblock, the encrypted key shared with the POS
> app and the encrypted KWP to the HSM and get it translated (maybe the
> pinblock format would need to get sent)
> WITH HSM

My challenge is HOW WILL I GET HSM INSTALLED IN MY ENVIRONMENT?
[chhil] Not sure I understand. You buy the hardware and put it on your network. Set it up with some initial keys
and communicate with it using its API.

3.
> So when you get an encrypted KWP from the host you would send that key along
> with the encrypted ZMK to the HSM.

But if I am not using HSM,  is there anyway I can use the encryted KWP
and the clear ZMK got from the bank to re-translate the PIN Block I
got from the Pos c app to new PIN BLOCK I will put in my JPOS 8583
sending to bank host? (this is just an idea!).
[chhil]
Well, it's just encryption and decryption done in an insecure environment.
"DO NOT DO THIS": you will bring down the bank and the company you work for...
You may want to hop onto some Java encryption mailing list to get
Java crypto sorted out. I am drawing the line here and will not respond to software encryption questions anymore.

-> <encrypted pin block from C app> 
-> <decrypt pin block> 
-> <decode the pinblock by reverse engineering pin block format and get pin>
-> <encode pinblock using destination pin block format>
-> <encrypt this pinblock with clear KWP>


Expecting your comments!
I am not sure if I am helping you, because I have this voice that tells me you are going to end up doing software encryption. If you were a client interfacing with my system without an HSM, I would show you the door....

ola
Apr 15, 2009, 8:57:30 AM
to jPOS Users
In addition,

I saw the Thales Simulator Library, http://thalessim.codeplex.com/. Can I
use this simulator to learn how an HSM works?

chhil
Apr 15, 2009, 9:01:37 AM
to jpos-...@googlegroups.com
It's a library, which means you will need good knowledge of and documentation about the HSM in order to use it.
Please feel free to share your experience with us.

-chhil