importing zpk using the console

1,123 views
Skip to first unread message

Simon Njuguna

unread,
Aug 1, 2014, 4:27:01 AM8/1/14
to jpos-...@googlegroups.com

hi,

 am trying to import the zpk using the console

org.jpos.security.jceadapter.Console -lmk ./lmk IK 128 ZPK:1U 3219FE23E269E310C6640EABC22C8F70 128 ZMK 4B911D8FCEDA2C5F3206DE14E6456501 79D22E

for the zpk key type 001,  key scheme U
for the zmk key type 000 scheme X

however i keep getting
org.jpos.security.jceadapter.JCEHandlerException: Parity not adjusted
    at org.jpos.security.jceadapter.JCEHandler.decryptDESKey(JCEHandler.java:194)
    at org.jpos.security.jceadapter.JCESecurityModule.importKeyImpl(JCESecurityModule.java:191)
    at org.jpos.security.BaseSMAdapter.importKey(BaseSMAdapter.java:169)
    at org.jpos.security.jceadapter.Console.exec(Console.java:144)
    at org.jpos.security.jceadapter.Console.main(Console.java:49)

any ideas on how to resolve this?

thanks

chhil

unread,
Aug 1, 2014, 6:45:49 AM8/1/14
to jpos-...@googlegroups.com


--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/d2ee328d-d046-4d03-a29b-ced520563e57%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

chhil

unread,
Aug 1, 2014, 7:13:24 AM8/1/14
to jpos-...@googlegroups.com

The exception gets thrown here 

    public Key decryptDESKey(short keyLength, byte[] encryptedDESKey, Key encryptingKey, boolean checkParity)
            throws JCEHandlerException {
        Key key = null;
        byte[] clearKeyBytes = doCryptStuff(encryptedDESKey, encryptingKey, Cipher.DECRYPT_MODE);
        if (checkParity) {
            if (!Util.isDESParityAdjusted(clearKeyBytes)) {
                throw new JCEHandlerException("Parity not adjusted");
            }
        }
        key = formDESKey(keyLength, clearKeyBytes);
        return key;
    }


If you trace the call hierarchy  it get called from 

                        sm.importKey(keyLength, commandParams[1].toUpperCase(),
                                ISOUtil.hex2byte(commandParams[2]), KEKunderLMK, true);

The last "true" parameter is for making sure that the input keys are parity adjusted.

What is parity adjustment?
DES keys need to be odd parity adjusted. 
Say I have a hex key of 09090909090909090909090909090909

0x09 = 0000 1001 (in binary)

The 0000100 is the key part and 1 is treated as a parity bit

Now in order to make the key part have an odd parity  the parity bit needs to have a value that causes the count of 1’s in the string to become odd. There is just one 1 (excluding the parity bit) so parity bit needs to be 0 to make the count odd.

So the value changes to 0000 1000 = 0x08.

So a parity adjusted key for the above key is 08080808080808080808080808080808


-chhil

To unsubscribe, send email to jpos-users+unsubscribe@googlegroups.com

For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+unsubscribe@googlegroups.com.

Simon Njuguna

unread,
Aug 1, 2014, 9:31:41 AM8/1/14
to jpos-...@googlegroups.com

thanks chhil.
 however when i do in code and add u

Util.adjustDESParity(), the exception disappears but the key check value is not the same as the banks. i get get AED98B while the bank says its 913CBD

here are all the params

Clear Components

D629 971A D6D6 C85D 978F 5E40 9D29 BA94

2FE9 D6BA 163D 9108 730E 8504 61D9 4A0D

3B83 70EA 2591 F18F F13B F8E5 6286 3851


Combined check value : 79D22E

Key under ZMK: U3219 FE23 E269 E310 C664 0EAB C22C 8F70

Key check value : 913CBD

am i missing something?

chhil

unread,
Aug 1, 2014, 11:46:27 AM8/1/14
to jpos-...@googlegroups.com
I am not sure what you are trying to do.Please explain.

Did you generate a new lmk file using the rebuildlmk option?

When I use the default lmk file provided with jpos and combine the 3 clear components of the ZMK (assuming its for zmk) I get 
<log realm="jce-security-module" at="Fri Aug 01 21:11:50 IST 2014.550" lifespan="109ms">
  <s-m-operation>
    <command name="Form Key from Three Clear Components">
      <parameter name="Key Length">
        128
      </parameter>
      <parameter name="Key Type">
        ZMK
      </parameter>
      <parameter name="Component 1 Check Value">
        499D50
      </parameter>
      <parameter name="Component 2 Check Value">
        CF63F9
      </parameter>
      <parameter name="Component 3 Check Value">
        ADFD79
      </parameter>
    </command>
    <result name="Formed Key">
      <secure-des-key length="128" type="ZMK" variant="0" scheme="X">
        <data>BE0A45439C24E47EE6C5638BE1F85916</data>
        <check-value>79D22E</check-value>
      </secure-des-key>
    </result>
  </s-m-operation>
</log>


-chhil

Simon Njuguna

unread,
Aug 1, 2014, 12:46:01 PM8/1/14
to jpos-...@googlegroups.com

generating from three components is fine since the key check value matches ok, even when you do it(79D22E)

the problem is when i import the zpk under the zmk
the bank says the zpk under zmk is  3219FE23E269E310C6640EABC22C8F70 with kcv 913cbd

importing this with console gives parity errors
when i use code to import ,am able to adjustparity but the kcv changes to aed98b

the problem is importing the zpk


 
 

On Friday, August 1, 2014 11:27:01 AM UTC+3, Simon Njuguna wrote:

chhil

unread,
Aug 1, 2014, 2:19:47 PM8/1/14
to jpos-...@googlegroups.com
You may want to follow up with the bank to find the procedure used to generate the encrypted pin that they have provided.

-chhil


--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com

For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/cb422eeb-80f6-45b6-abed-f96e1017ffdf%40googlegroups.com.

Scholaris

unread,
Oct 16, 2014, 4:54:22 AM10/16/14
to jpos-...@googlegroups.com
Hi chhil,
I have folowed the posting of you and Simon and I realise I am having the same exact problem as Simon.

It's mind boggling as the I get the correct KCV when generating the ZMK from the clear keys they sent me (just like in Simon's case). On trying to import the ZPK under ZMK I get the "parity not adjusted" error

I have contacted my bank and they say they export the ZPK under the ZMK and send them to me just as they are generated by their HSM.

They also have informed me that they are not prompted to adjust parity at any given point during the generation and exporting of the keys. They are using a Thales 9000 HSM.

Another point that seemed baffling is the fact that when I used a friend's Thales 9000 HSM(similar to that of the bank), I was able to import the ZPK under the ZMK and get the correct KCV as given by the bank.

Could you help me point out what I am missing.
Thanks





chhil

unread,
Oct 16, 2014, 10:18:04 AM10/16/14
to jpos-...@googlegroups.com
Hi ,


Sorry I dont know what could be wrong.
Here is a suggestion...

Use Thalesim to simulate the HSM.

And use the EFTLabs tool to send the requests using the commands to the HSM using its HSMCommander and see if it works, then we can try figuring out what could possibly be wrong.

https://thalessim.codeplex.com/
https://www.eftlab.com.au/index.php/downloads/bp-tools


-chhil


--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/0062d5bc-8e76-46ac-b770-cd07df6477f8%40googlegroups.com.

Scholaris

unread,
Oct 23, 2014, 10:36:59 AM10/23/14
to jpos-...@googlegroups.com
Hi Chhil,

I finally managed to import the ZPK under ZMK using java code as provided by the jPos. I also used the thales simulator from the link. I got a KCV that is similar in each case. However the the KCV got is not the same given by the bank. Could there be that the softHSM works different from an actual HSM? Is it an issues of my soft/thales simulator HSMs being of older versions? Or what other issue could be there?

For now I would like to kindly ask for your assistance in the following ways:
1. create the ZMK from the clear keys below and share the KCV got

Clear Keys
7532640E6407E6AB0808312629E0CBDF
FE5EC10BD619B93B8AD5CDA78CDFF115
2904F8DA9807E95B458A8A4A523E4A25 



2. Import the ZPK under the ZMK below and share the KCV value got

090A2ACD10885B7A797CBC1586B0CC59


This will help me make sure I am doing the right/wrong thing and hopefully point me towards the right direction.

Thanks


chhil

unread,
Oct 23, 2014, 12:20:21 PM10/23/14
to jpos-...@googlegroups.com

Will only be able to do this beginning of next month.
Am away from my laptop till then.
Hopefully someone else can assist you in the interim.

-chhil

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/b188f05a-8863-43a0-a2a4-57dfcc9aaad3%40googlegroups.com.

Victor Salaman

unread,
Oct 25, 2014, 2:23:23 AM10/25/14
to jpos-...@googlegroups.com
Try to get the bank to export the ZPK with a X key scheme.

/V

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/0062d5bc-8e76-46ac-b770-cd07df6477f8%40googlegroups.com.

Amel Alagraa

unread,
Jun 8, 2018, 5:38:03 PM6/8/18
to jPOS Users
I have a question related to this topic, can someone explain to me, what is ZPK key type 001?
I am working on a key, and imported ZMK and the check value is a match, for the ZPK i get a "Key parity error", the other party i am working with is asking if i am using key type 001.

Alejandro Revilla

unread,
Jun 8, 2018, 5:44:27 PM6/8/18
to jPOS Users
In your example, is 4B911D8FCEDA2C5F3206DE14E6456501 your ZMK encrypted under the LMKs ?

BTW, if you run `q2 --cli` you have a handy `smconsole` command.





--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+unsubscribe@googlegroups.com.
To post to this group, send email to jpos-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/2086fbdc-1ed0-41bb-871d-876d1ce93ff5%40googlegroups.com.

chhil

unread,
Jun 9, 2018, 12:03:21 AM6/9/18
to jpos-...@googlegroups.com
The error you are seeing occurs when the code decrypts the ZMK which is supposed to be encrypted under the LMK and gets the
clear key. Then it checks the parity of this clear key is odd or not, if its not odd it throws the error you are seeing.

If the ZMK was generated (key encrypted under the LMK)  using console, it would have had odd parity and hence Alejandro's question.

-chhil



To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

To post to this group, send email to jpos-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/2086fbdc-1ed0-41bb-871d-876d1ce93ff5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.

To post to this group, send email to jpos-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/CAAgSK%3DmiUS3DbxNg1mQu9SvND2jS5EO4HP7SGSa7pQ-BEqBVpg%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages