help about ISO-1 (ECI-4)

92 views
Skip to first unread message

enKoder

unread,
Sep 25, 2009, 7:41:48 AM9/25/09
to jPOS Users
Hello,

I need some knowledge of ISO-1 standard. How it works in ISO-8583
message formation (steps to generate an encrypted PIN block from
user's input)? and related terms like PIN Encryption Key etc ...

Thanx

chhil

unread,
Sep 25, 2009, 8:30:04 AM9/25/09
to jpos-...@googlegroups.com

Mark Salter

unread,
Sep 25, 2009, 9:46:55 AM9/25/09
to jpos-...@googlegroups.com
enKoder wrote:

The ISO8583 message format/field and PIN block format expected will
vary slightly from target system to target system.

The PAN, service code, a pin offset (perhaps) a key and an HSM will be
needed to produce a PIN block of whatever format.

What have you found out so far?

What specifically (not generally) do you want to know?

Chhil's link is a great starter, but had you already read that?

8)

--
Mark

M. Aatif Ghafoor

unread,
Sep 25, 2009, 4:27:08 PM9/25/09
to jpos-...@googlegroups.com
I want to know how the specified PIN block can be generated programmatically by using PIN, PAN, service code (what is it? by the way) and Key? like ISO-0 block can be generated by XORing some PIN and PAN based hex strings...

Secondly, I want to know about;

Is length of user's PIN fixed?
length of Key?
length or no. of PAN digits?
service code?
and anything related which I missed..

Regards,
--
-------
Muhammad Aatif Ghafoor
Team Lead Developer
Paybox Pakistan Pvt. Ltd.
56-XX, DHA
Lahore,
Pakistan
Cell: 92-333-8125575
Tel: 92-42-111-PAYBOX (729269)

Victor Salaman

unread,
Sep 25, 2009, 4:44:04 PM9/25/09
to jpos-...@googlegroups.com
Hi:

You really want to buy an HSM, even for testing :)

Anyhow, please take a look at the org.jpos.security package.

Take a look at the calculatePINBlock method.... The rest is simple encryption :)

You want something along the lines of (although this won't compile for you!):

    public static byte[] generatePINBlock(String zmk,account,String track2,String pin) throws SMException
    {
        JCESecurityModule sm = new JCESecurityModule();
        JCEHandler h=new JCEHandler(new SunJCE());
        Key key=h.formDESKey((short) 64, ISOUtil.hex2byte(zmk));
        byte[] clearPINBlock = sm.calculatePINBlock(pin, JCESecurityModule.FORMAT00, account);
        byte[] translatedPINBlock = h.encryptData(clearPINBlock, key);
        EncryptedPIN encryptedPIN = new EncryptedPIN(translatedPINBlock, JCESecurityModule.FORMAT00, account);
        return encryptedPIN.getPINBlock();
    }

/V

M. Aatif Ghafoor

unread,
Sep 25, 2009, 4:28:56 PM9/25/09
to jpos-...@googlegroups.com
I want to know how the specified PIN block can be generated programmatically by using PIN, PAN, service code (what is it? by the way) and Key? like ISO-0 block can be generated by XORing some PIN and PAN based hex strings...

Secondly, I want to know about;

Is length of user's PIN fixed?
length of Key?
length or no. of PAN digits?
service code?
and anything related which I missed..

Regards,

On Fri, Sep 25, 2009 at 6:46 PM, Mark Salter <marks...@talktalk.net> wrote:

Mark Salter

unread,
Sep 25, 2009, 4:58:11 PM9/25/09
to jpos-...@googlegroups.com
M. Aatif Ghafoor wrote:
> I want to know how the specified PIN block can be generated programmatically
> by using PIN, PAN, service code (what is it? by the way) and Key? like ISO-0
> block can be generated by XORing some PIN and PAN based hex strings...
As Victor states an HSM is where PIN blocks should be generated, clear
PINs being just held in cardholder's minds.

The algorythm is documented...

>
> Secondly, I want to know about;
>
> Is length of user's PIN fixed?

PIN's can be 1? - 12 digits, but are fixed by the Issuer. 4 digits
seems 'normal' although 6 digit PINs are starting to be used.

> length of Key?
Will depend on the crypto strength - 3DES so double length keys - 16
bytes would be likely.

> length or no. of PAN digits?

last 12, excluding check goes in (from memory).

> service code?
Sorry I lost the plot here - service code makes an appearence in CVV and
the like, *not* PIN.

--
Mark

M. Aatif Ghafoor

unread,
Oct 21, 2009, 7:24:45 AM10/21/09
to jpos-...@googlegroups.com
thanks Victor, for guiding me towards 'calculatePINBlock' method, but it doesn't appear to have support for ISO-1 format i-e FORMAT05 in jpos...


public static byte[] generatePINBlock(String zmk,account,String track2,String pin) throws SMException
{
        JCESecurityModule sm = new JCESecurityModule();
        JCEHandler h=new JCEHandler(new SunJCE());
        Key key=h.formDESKey((short) 64, ISOUtil.hex2byte(zmk));
        byte[] clearPINBlock = sm.calculatePINBlock(pin, JCESecurityModule.FORMAT00, account);
        byte[] translatedPINBlock = h.encryptData(clearPINBlock, key);
        EncryptedPIN encryptedPIN = new EncryptedPIN(translatedPINBlock, JCESecurityModule.FORMAT00, account);
        return encryptedPIN.getPINBlock();
}
   
Thanks.

David Bergert

unread,
Oct 21, 2009, 8:22:02 AM10/21/09
to jpos-...@googlegroups.com
Format ISO-1 isn't allowed for TG-3 compliance...

From TG-3:

X9 Approved PIN Block Formats

Documented procedures exist and are followed that ensure any cleartext
PIN-block format combined with a PIN encryption process has the
characteristic that, for different accounts, encryption of the same
PIN value under a given encryption key does not predictably produce
the same encrypted result. (Note: any cleartext PIN block, formats 0
and 3 meet this requirement, as specified in X9.8-1).

and http://www.andyorrock.com/2009/07/eliminate-all-unused-pin-block-formats-from-your-hsms.html

ISO Format 0 - uses the AccountNumber and PIN
ISO Format 1 only uses the PIN and random data
ISO Format 3 - uses the AccountNumber, PIN, and random data

ISO 1 is not bound to an account number -- many PIN attacks with HSM's
involve translating a PIN format from 0 or 3 to format 1 to attack it.


David Bergert, CISSP, CISA, CPISM/A
www.paymentsystemsblog.com
Reply all
Reply to author
Forward
0 new messages