How to handle HSM on postilion with JPOS


ola

Mar 16, 2009, 10:46:26 AM
to jPOS Users
Hello All,

Thanks for your support all this while... Please, I am facing another
challenge while dealing with my bank's Postilion server: HSM. I need a
guide on how to handle PIN encryption (field 52: 3DES PIN block) and
key exchange management with jPOS while communicating with my bank's
host. Presently, the gateway I built sends transaction messages with
NO field 52 to the Postilion server and I receive successful
responses. But now I want to include field 52 (PIN); please, how do I
go about this?

Thanks once again for your usual support!

Ola.

David Bergert

Mar 16, 2009, 11:04:03 AM
to jpos-...@googlegroups.com
Your very first step would be to identify the type/brand of HSM, read
its documentation, and then scope and determine what message types you
will need to send to/receive from the HSM device.

Secondly, you would want to identify the connection/communication type to the
HSM as well as the field layout of each message and each field, and look at
using FSDMsg (probably) to create valid requests.

You could also read some of these articles from Andy:
http://tinyurl.com/cyahs6

David Bergert, CISSP, CISA, CPISM/A
www.paymentsystemsblog.com

Mark Salter

Mar 16, 2009, 11:07:13 AM
to jpos-...@googlegroups.com
ola wrote:
> Hello All,
>
> Thanks for your support all this while... Please, I am facing another
> challenge while dealing with my bank's Postilion server: HSM. I need a
> guide on how to handle PIN encryption (field 52: 3DES PIN block) and
> key exchange management with jPOS while communicating with my bank's
> host.
Who drives this 'key exchange': your bank with you, or you with your bank?

You will need a shared common key so that you can generate a PIN block
and the bank's host can check the PIN when provided. You will also
agree on a PIN block format with your bank.

I would imagine that your bank will already have a defined message
exchange protocol they use to do a key exchange. Have they given details
of how they need key exchanges to take place, how often and how they occur?

> Presently, the gateway I built sends transaction messages with
> NO field 52 to the Postilion server and I receive successful
> responses. But now I want to include field 52 (PIN); please, how do I
> go about this?

How is the PIN being entered (and where) by the cardholder?
Do you have a terminal device that captures the PIN and passes it to you?
If so, how is it transported?

Your chosen HSM will provide a transaction that does PIN translation
(from a terminal zone to an Issuer zone perhaps)? I would hope the
cardholder PIN is never ever in the clear?

--
Mark

ola

Mar 16, 2009, 11:34:06 AM
to jPOS Users
Thanks.
I wish to provide answers to some of Mark's questions:

> Who drives this 'key exchange': your bank with you, or you with your bank?

I wish to do the key exchange with the bank.

The type of HSM installed on the Postilion at the bank side is: THALES
RG7000

To generate the PIN block format, the bank said I need to use 3DES.

The PIN is being entered from the POS terminal PIN pad, which I
encrypt using the AES algorithm before it is transmitted to my jPOS
gateway. At the gateway, I can decrypt it, after which it needs to be
formatted in a PIN block before being transferred to the bank's host.


> Your chosen HSM will provide a transaction that does PIN translation
> (from a terminal zone to an Issuer zone perhaps)?

THIS IS NOT YET CLEAR TO ME PLS, MARK.

Thanks,
Ola

chhil

Mar 16, 2009, 11:42:23 AM
to jpos-...@googlegroups.com
Are you sharing the HSM with Postilion?
When you say you wish to do the key exchange with the bank, it means you are initiating the key exchange and sending the PIN working key to Postilion that will be used for encrypting the PIN block and sending.
When you say decrypting the PIN, I hope it's not getting the PIN in the clear. You should rather use the HSM to translate the PIN block from what you have received to what you would send to Postilion. Translating would mean you never get the PIN in the clear. Translating would mean changing the encryption from the key shared between you and your device to the key shared between you and Postilion... this would also mean from the terminal zone to the issuer zone.
As has been previously mentioned, you and Postilion need to agree on a PIN block format, so that when Postilion does PIN verification the HSM does not throw an error indicating that the PIN block is not correct.

-chhil

Mark Salter

Mar 16, 2009, 11:50:49 AM
to jpos-...@googlegroups.com
ola wrote:
> Thanks.
> I wish to provide answers to some of Mark's questions:
>
>> Who drives this 'key exchange': your bank with you, or you with your bank?
>
> I wish to do the key exchange with the bank.

Ah, but I mean...

... does the bank generate PIN keys and send them to you in a message
exchange they initiate? Or perhaps you generate a key and then ask them to
use it via a key exchange you start once a day or more frequently?

>
> The type of HSM installed on the Postilion at the bank side is: THALES
> RG7000

Ok, but which one do you have or intend to have? Suppliers each have
their own hardware and associated protocol; you will need to acquire
your own HSM - unless you have access to their HSM hardware?

>
> To generate the PIN block format, the bank said I need to use 3DES.

Yes, but the PIN block format (the layout that goes into the encryption step)
comes in a few flavours (format-0, format-1).

>
> The PIN is being entered from the POS terminal PIN pad, which I
> encrypt using the AES algorithm before it is transmitted to my jPOS
> gateway. At the gateway,

> I can decrypt it,
You should never decrypt it - outside of an HSM - not ever.

> after which it needs to be
> formatted in a PIN block before being transferred to the bank's host.

This decode+encode should all take place inside an HSM - a secure place
for clear PINs to exist, and then only temporarily - the other place is
in the cardholder's mind 8).


>> Your chosen HSM will provide a transaction that does PIN translation
>> (from a terminal zone to an Issuer zone perhaps)?
>
> THIS IS NOT YET CLEAR TO ME PLS, MARK.

Usually a terminal will encrypt the PIN under a key that it and the
acquiring host share - within 'hardware'.

The acquirer host would then use its HSM to translate the PIN block
from under this key to under a key shared between the acquirer system
and the Issuer; in turn the Issuer would then ask its HSM to check if
the PIN is valid. At no time is the PIN held in clear in any 'software
storage' variable or log.

I should mention that in test systems without real cardholders' PINs the
rules are relaxed, but not by much.

--
Mark
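To make Mark's point about the "flavours" concrete, here is an added example (not from the thread or jPOS) of the two clear ISO 9564-1 layouts he names: format 0 binds the PIN to the PAN by XOR, format 1 uses random fill instead; the PAN and PIN are constructed sample values. In production this clear block is built, encrypted under the zone key and translated inside the HSM, as the thread insists; the code only shows what that layout is.

```python
"""Clear ISO 9564-1 PIN block formats 0 and 1 (added example, not from the thread).

Only the clear-block layout is shown here. In a real acquirer this layout is
built, encrypted (3DES under the TPK/ZPK) and translated inside the HSM; the
host software ever only handles the encrypted block.
"""
import secrets


def _check_pin(pin: str) -> None:
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 digits")


def pan_field(pan: str) -> int:
    """Format 0 PAN field: 0000 + the 12 rightmost PAN digits, check digit excluded."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return int("0000" + digits[-13:-1], 16)


def format0_pin_block(pin: str, pan: str) -> str:
    """Clear format 0 block (16 hex chars): PIN field XOR PAN field.
    The PAN binding is why the same PIN yields a different block per card."""
    _check_pin(pin)
    pin_field = int(f"0{len(pin):X}{pin}".ljust(16, "F"), 16)
    return f"{pin_field ^ pan_field(pan):016X}"


def format0_extract_pin(block: str, pan: str) -> str:
    """Undo format 0 (the step an issuer HSM performs after decrypting under the ZPK).
    A wrong PAN breaks the F padding, so the mismatch is detected rather than
    yielding a plausible PIN."""
    pin_field = f"{int(block, 16) ^ pan_field(pan):016X}"
    length = int(pin_field[1], 16)
    if pin_field[0] != "0" or not 4 <= length <= 12:
        raise ValueError("not a format 0 block")
    if pin_field[2 + length:] != "F" * (14 - length):
        raise ValueError("bad format 0 padding (PAN mismatch?)")
    return pin_field[2:2 + length]


def format1_pin_block(pin: str, fill: str = "") -> str:
    """Clear format 1 block: no PAN, padded with unique/random hex fill digits.
    An empty fill means fresh random fill, as a terminal would generate."""
    _check_pin(pin)
    need = 14 - len(pin)
    if not fill:
        fill = secrets.token_hex((need + 1) // 2)[:need]
    if len(fill) != need or any(c not in "0123456789abcdefABCDEF" for c in fill):
        raise ValueError(f"fill must be {need} hex digits")
    return f"1{len(pin):X}{pin}{fill.upper()}"
```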

Andy Orrock

Mar 16, 2009, 12:25:42 PM
to jpos-...@googlegroups.com

I have some Thales-based examples of what chhil describes here ("translating... from the terminal zone to the issuer zone") in my blog. [Dave referenced some of these pieces earlier.] See:

http://tinyurl.com/dmfjzj (PIN translation example where the terminal does single-DES DUKPT)

http://tinyurl.com/3uo68o (Implementing a Thales HSM Adapter; also makes reference to the PIN translation where the device does the Triple DES flavour of DUKPT)

Even though they're Thales-based examples, the concepts are applicable to other manufacturer types.

Andy Orrock

David Bergert

Mar 16, 2009, 12:30:17 PM
to jpos-...@googlegroups.com

And of course there is your/our redacted OLS.Switch Encryption Section here: http://tinyurl.com/cdmaop

David Bergert, CISSP, CISA, CPISM/A
www.paymentsystemsblog.com

David Bergert

Mar 16, 2009, 12:31:05 PM
to jpos-...@googlegroups.com
> >
> > The PIN is being entered from the POS terminal PIN pad, which I
> > encrypt using the AES algorithm before it is transmitted to my jPOS
> > gateway. At the gateway,
>
> > I can decrypt it,
> You should never decrypt it - outside of an HSM - not ever.

Take a peek at the documents on the following website for general PIN
security stuff:
https://www.pcisecuritystandards.org/security_standards/ped/index.shtml


David Bergert, CISSP, CISA, CPISM/A
www.paymentsystemsblog.com



Jeff Gordy

Mar 16, 2009, 11:15:54 PM
to jpos-...@googlegroups.com
Hi Ola,

I'm going to look at this question from a slightly different perspective. Assuming you asked, "How do I handle PIN block encryption/decryption when dealing with my bank?"

The answer to this, and the ONLY acceptable answer, is that you need to buy an HSM or you need access to their HSM by way of having the bank verify the PIN block. There is no acceptable way to handle PIN block encryption without a certified hardware security module. If you were doing this for fun or for an exercise the answer may be a different story, but if you are doing this (as I suspect) as part of a commercial application you absolutely must protect cardholder data by following PCI data security standards. The standards were not designed to make your life difficult, rather to protect people, their identities, and their money.

If you need assistance integrating your HSM into your jPOS application there are certainly many people on this board willing to help and interested in the minutiae of such an exercise. However, if you elect to bypass these standards I would appreciate you posting the name of your finished product so I can make sure my wife and I never use it.

Regards,

-Jeff

ola

Apr 9, 2009, 9:08:06 AM
to jPOS Users
Thanks Jeff,

Never mind, you and your wife will use my app, at least with your
guidance and that of others.

I agree with everything you said. I am using the HSM of the bank, which
is a Thales 7000, and the bank does the PIN translation and verification.

My challenge is how to decrypt the ZPK pushed to me from the bank's
Postilion as the response to my 0800 message, use the clear key
component given to me by the bank to encrypt the PIN, and generate the PIN
block for my field 52 before forwarding to the bank's host Postilion.

I have read the documentation given to me by Chhil (using jceadapter)
but I am still getting confused.

Ola

Chhil

Apr 9, 2009, 9:59:40 AM
to jpos-...@googlegroups.com
When you say you are using the bank's HSM, what does "using" mean?

1. I will send it a software-encrypted PIN block and the bank will do
the verification?

This does not mean using an HSM. Using an HSM would mean: I don't have
any clear keys with me, and any encryption that needs to be done is
done by the HSM.
Have you walked through this process with the bank?
Your current software solution will be unacceptable to any Financial
Institution and you need to ASAP work your solution around using an HSM.

Talking about using JCE (software) is purely academic in our field of
EFT.

I am not convinced that you need to send a software-encrypted
PIN block.
Convince me.


-Chhil