Need help in constructing ISO 8583 message with Encrypted Pin Block.


rams

Jun 29, 2009, 12:41:36 PM6/29/09
to jPOS Users
I am constructing an ISO 8583 message in Java which includes setting up an
encrypted PIN block in ISO field 52.
Presently I am stuck in setting this field.

I have to encrypt the PIN block (ISO-0 format) with a ZPK key. I have
received the key check value as well.

I tried many things but didn't get a clear solution.

Can anyone help in this?

Thanks in advance

Mark Salter

Jun 29, 2009, 1:29:07 PM6/29/09
to jpos-...@googlegroups.com
rams wrote:
> I am constructing an ISO 8583 message in Java which includes setting up an
> encrypted PIN block in ISO field 52.
> Presently I am stuck in setting this field.

JPos will be perfect for this, I guess you are using it?

>
> I have to encrypt the PIN block (ISO-0 format) with a ZPK key. I have
> received the key check value as well.

So you have a secure key? Keep it safe!

What HSM are you aiming to use now/in production?

>
> I tried many things but didn't get a clear solution.

A clear result is precisely what you don't want 8).

What did you try?

BouncyCastle?

I'm sure there was recent discussion on this mailing list, did you try
searching at all?


http://www.catb.org/~esr/faqs/smart-questions.html

--
Mark

Andy Orrock

Jun 29, 2009, 2:04:20 PM6/29/09
to jpos-...@googlegroups.com
Relevant pieces if you're using a Thales re. the ZPK - obtaining it, storing
it, using it in a translation, etc...

Presented in no specific order:

http://www.andyorrock.com/2006/08/thales_key_exch.html

http://www.andyorrock.com/2007/04/dynamic_key_exc.html

http://www.andyorrock.com/2006/08/implementing_th.html

http://www.andyorrock.com/2006/04/doing_pin_trans.html

Even if you're not using the Thales, the examples are relevant as they
detail the required practices.

Andy Orrock

rams

Jun 29, 2009, 2:08:43 PM6/29/09
to jPOS Users
Mark,
It talks about other keys also, like ZMK and LMK.

What's the procedure for encrypting the PIN block with the ZPK? That's nowhere
mentioned.
Can you please clarify that.

Andy Orrock

Jun 29, 2009, 3:06:26 PM6/29/09
to jpos-...@googlegroups.com
Well, unfortunately, you don't get ZPKs on a fluffy pillow. They only exist
within the greater world and consideration of ZMKs and LMKs. For example,
to interact with an HSM and encrypt using a ZPK, you're working with the ZPK
cryptogram (encoded under your LMK), not the clear text value.

I don't see where you've addressed Mark's earlier questions. [Note: I am
not Mark.]

Andy

Mark Salter

Jun 30, 2009, 4:44:47 AM6/30/09
to jpos-...@googlegroups.com
rams wrote:

>
> What's the procedure for encrypting the PIN block with the ZPK? That's nowhere
> mentioned.
> Can you please clarify that.
>

It is just a triple DES encryption using the clear ZPK.

This *should* take place within a secure environment (an HSM) so that
the clear ZPK will not be compromised.

If the ZPK you have been given is a production key, it won't be usable
outside of a secure environment; you should stop and ask the provider
for a test key.

If your ZPK is test, then...

The ZPK you have will be encrypted under another key - perhaps a
transport key; do you have the details of that key? This is likely why
you have been provided with a Key Check Value - so that you can check
you have the right key as you translate it to store it under your LMK.

The algorithm for clear PIN block generation (Format 0) is well
documented, google kindly provides 10000000+ hits for +PIN +Format +0,
the first link I see holds the detail you need:-

http://preview.tinyurl.com/nhbp3v

Once you have the PIN block, you need to triple DES (probably) encrypt
the PIN block using your clear ZPK. BouncyCastle might be of use here,
but there are many options, I encourage you to seek out one that suits
you best.

Andy kindly provided some excellent links and I have some questions
outstanding; try to answer them and then let us know how you get on.

--
Mark
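The two steps Mark describes (clear Format 0 PIN block, then one DES or 3DES block under the clear ZPK), together with the KCV check, as an added worked example that is not jPOS code and not from the original thread. It is written in Go rather than Java because only the algorithm matters here; the PAN, PIN and ZPK are made-up test values, and the only place a ZPK may be used in clear like this is a test environment, exactly as Mark says.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// xorHex XORs two equal-length hex strings and returns the raw bytes.
func xorHex(a, b string) ([]byte, error) {
	x, errX := hex.DecodeString(a)
	y, errY := hex.DecodeString(b)
	if errX != nil || errY != nil || len(x) != len(y) {
		return nil, errors.New("operands must be valid hex of equal length")
	}
	for i := range x {
		x[i] ^= y[i]
	}
	return x, nil
}

// panField: "0000" + the 12 rightmost PAN digits, check digit excluded.
func panField(pan string) (string, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("PAN must be at least 13 decimal digits")
	}
	noCheck := pan[:len(pan)-1]
	return "0000" + noCheck[len(noCheck)-12:], nil
}

// formatZeroPinBlock builds the clear ISO 9564 Format 0 block: the PIN field is
// "0" + PIN length (one hex digit) + PIN digits, 'F' padded to 16 digits, and
// the block is PIN field XOR PAN field (8 bytes).
func formatZeroPinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	return xorHex(pinField, pf)
}

// newPinCipher accepts a single-length key (plain DES, as Ramanath's ZPK is) or a
// double-length key (2-key 3DES). Go's TripleDES wants 24 bytes, so K1K2 becomes K1K2K1.
func newPinCipher(keyHex string) (cipher.Block, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return nil, err
	}
	switch len(key) {
	case 8:
		return des.NewCipher(key)
	case 16:
		return des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	}
	return nil, fmt.Errorf("unsupported ZPK length %d bytes", len(key))
}

// cryptPinBlock runs one ECB block through the ZPK: encrypt for DE 52, decrypt to check.
func cryptPinBlock(in []byte, keyHex string, decrypt bool) ([]byte, error) {
	c, err := newPinCipher(keyHex)
	if err != nil {
		return nil, err
	}
	if len(in) != c.BlockSize() {
		return nil, errors.New("PIN block must be exactly 8 bytes")
	}
	out := make([]byte, c.BlockSize())
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// keyCheckValue encrypts eight zero bytes and keeps the first three: the KCV a
// key custodian quotes with a ZPK so you can confirm you loaded the right key.
func keyCheckValue(keyHex string) (string, error) {
	out, err := cryptPinBlock(make([]byte, 8), keyHex, false)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%X", out[:3]), nil
}

func main() {
	// Constructed test values; a production ZPK is never available in clear like this.
	const pan, pin, zpk = "4321987654321098", "1234", "0123456789ABCDEFFEDCBA9876543210"
	clear, err := formatZeroPinBlock(pin, pan)
	if err != nil {
		panic(err)
	}
	kcv, _ := keyCheckValue(zpk)
	enc, _ := cryptPinBlock(clear, zpk, false)
	fmt.Printf("clear PIN block %X, ZPK KCV %s, DE 52 value %X\n", clear, kcv, enc)
}
```

A single-length ZPK (16 hex characters) selects plain DES and a double-length one (32 characters) 2-key 3DES, so the same code covers Mark's "probably triple DES" and Ramanath's "single DES". Compare the KCV against the value the key custodian sent before encrypting anything with the key; the 8 bytes returned for DE 52 are what later goes into the binary field. In production the clear PIN block and the clear ZPK never exist on the host: the HSM does this step behind its command interface and your code only ever handles cryptograms.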

Ramanath Pai

Jun 30, 2009, 8:39:13 AM6/30/09
to jpos-...@googlegroups.com

Yes, I am planning to use a Thales HSM.
And I have to use single DES with the ZPK.

Now I need a sample Java API which can talk to the HSM and call the commands to encrypt the key under the LMK and translate the key.

I have these commands with me. I just want some sample code
to call the HSM and perform these operations.

NOTE: I have one more doubt. I have seen the jPOS code for encryptPIN and other stuff. It does not say anything related to connecting to the HSM. Is jPOS not connecting to the HSM for any operation? Or does it just use LMK key labels directly from a file?


-Ramanath Pai

Andy Orrock

Jun 30, 2009, 9:08:46 AM6/30/09
to jpos-...@googlegroups.com

Umm... those links I sent to you yesterday happen to show you exactly what to do. If your source is DUKPT, you can use the CI/CJ commands referenced in my pieces. If it's the Triple DES variety of DUKPT, you can use the G0/G1 command (search my blog for 'G0' - that's G-zero). If your source is TPK (not seen too much anymore because it's a compliance concern), then use the CA/CB.

 

The pieces make clear that (a) you can use jPOS to implement an HSM station; (b) jPOS’ FSD facility is the way to do it; and (c) here’s how to implement it with the Thales.  It’s your lucky day.  Your job is very easy now.

 

Re. your doubts:  I’m confident you have already purchased the “jPOS Programmers’ Guide” from jPOS.org.  In your reading, you would have encountered this sentence: 

 

“jPOS provides a software-based security module adapter implementation called org.jpos.security.jceadapter.JCESecurityModule. This adapter can be used to simulate a hardware-based Tamper-Resistant Security Module ('TRSM') in software.”

 

Andy

 


Ramanath Pai

Jul 1, 2009, 8:33:26 AM7/1/09
to jpos-...@googlegroups.com
Hi ,

Now I am able to load the keys and get the encrypted value of the PIN from the Thales HSM... But when I use the encrypted value (the 16-digit encrypted value)
in setting field 52 of the ISO package, it gives me the following error:

"(org.jpos.iso.ISOException: Binary data length not the same as the packager length (16/8))"

Please can any one help?

-Ramanath Pai

Andy Orrock

Jul 1, 2009, 10:11:31 AM7/1/09
to jpos-...@googlegroups.com

Your packager probably looks like this:

  <isofield
      id="52"
      length="8"
      name="PIN DATA"
      class="org.jpos.iso.IFB_BINARY"/>

Your value comes back from the Thales as the 16-position character representation of the hex. You need to pack it into 8.

Mark Salter

Jul 1, 2009, 10:39:31 AM7/1/09
to jpos-...@googlegroups.com
Ramanath Pai wrote:

> Now I am able to load the keys and get the encrypted value of the PIN from
> the Thales HSM... But when I use the encrypted value (the 16-digit encrypted value)
> in setting field 52 of the ISO package, it gives me the following error:
>
> "(org.jpos.iso.ISOException: Binary data length not the same as the packager
> length (16/8))"

Can you show the code you use to set the field and also the content of
the value going in please?

As Andy indicates the response from the HSM will be 16 bytes, each
holding a single hexadecimal digit character.

There is a helper on the ISOMsg.set method which checks for a binary
target and will do the conversion; perhaps you have an old version or
have no packager set on your message (yet)?

The code and content used may give a clue, also can you check or confirm
the version of ISOMsg (or jPos) you are using please?

--
Mark

Ramanath Pai

Jul 1, 2009, 10:50:46 AM7/1/09
to jpos-...@googlegroups.com
Yes, I am able to set the field to bytes by doing hex to byte conversion.

Now the ISO request created [after setting the field] is ready to be sent to the backend over TCP.
While doing that I packed the ISO request object to a byte array.

It's giving me some -ve values, is that expected?
Because I guess we should not get such values in the bytes.

Ex: bytes that we received "2,0,34,60,0,1,40,-32,-112,0,48,80,0,7,1,32,3,35,0,0,1,0,0,0,32,3,35,7,1,21,6,8,0,0,0,5,36,53,50,54,55,48,50,48"

-Ramanath Pai

Mark Salter

Jul 1, 2009, 11:02:12 AM7/1/09
to jpos-...@googlegroups.com
Ramanath Pai wrote:
> Yes, I am able to set the field to bytes by doing hex to byte conversion.

This could be automatic (see previous post).

>
> Now the ISO request created [after setting the field] is ready to be sent to
> the backend over TCP.
> While doing that I packed the ISO request object to a byte array.
>
> It's giving me some -ve values, is that expected?
> Because I guess we should not get such values in the bytes.
>
> Ex: bytes that we received
> "2,0,34,60,0,1,40,-32,-112,0,48,80,0,7,1,32,3,35,0,0,1,0,0,0,32,3,35,7,1,21,6,8,0,0,0,5,36,53,50,54,55,48,50,48"

You are displaying them as signed bytes, so any byte with the high order
bit on is showing as negative (two's complement?). In this case, yes, it
is what I would expect, but it isn't helping you. Perhaps use a 'watch' of
ISOUtil.hexdump(byte[]) to see what you really have - the debugger is
trying to be helpful and failing; it might provide a 'raw' presentation
- which IDE are you using?

Good news is your message looks 'fine':-

x'0200223C000128E09000305000070120'
x'03230000010000002003230701150608'
x'00000005243532363730323008400BF0'
x'F0F0F0F000D7E2C1D9F0F0F0F0F9F640'
x'40D7E2C1D9F2D7C3C940404040404040'
x'40404040404040404040404040404008'
x'40'

It is an EBCDIC message, but then you knew that 8).

hth

--
Mark

Mark Salter

Jul 1, 2009, 11:04:49 AM7/1/09
to jpos-...@googlegroups.com
Mark Salter wrote:
>
> Good news is your message looks 'fine':-
>
> x'0200223C000128E09000305000070120'
> x'03230000010000002003230701150608'
> x'00000005243532363730323008400BF0'
> x'F0F0F0F000D7E2C1D9F0F0F0F0F9F640'
> x'40D7E2C1D9F2D7C3C940404040404040'
> x'40404040404040404040404040404008'
> x'40'

Oops, I went too far (old EBCDIC data), your message is only:-

x'0200223C000128E09000305000070120'
x'03230000010000002003230701150608'
x'000000052435323637303230'

and is thus binary, please ignore my EBCDIC comment!

--
Mark
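A check of the two points above (the negative numbers are only the signed view of bytes with the high bit set, and the packed message is binary), as an added example that is not from the thread and not jPOS code: it takes the debugger listing Ramanath posted, rebuilds the bytes, prints them the way ISOUtil.hexString and ISOUtil.hexdump would, and decodes the primary bitmap so you can see which fields are present. Go rather than Java; the helper names are mine.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// bytesFromSignedDump rebuilds raw bytes from a Java-style signed listing such as
// "2,0,34,60,...,-32,-112,...". A Java byte is two's complement, so -32 is 0xE0 and
// -112 is 0x90: the negative numbers are a display artefact, not corrupt data.
func bytesFromSignedDump(dump string) ([]byte, error) {
	var out []byte
	for _, tok := range strings.Split(dump, ",") {
		v, err := strconv.Atoi(strings.TrimSpace(tok))
		if err != nil {
			return nil, err
		}
		if v < -128 || v > 127 {
			return nil, fmt.Errorf("%d is outside the signed byte range", v)
		}
		out = append(out, byte(v)) // wraps, the same as (v & 0xFF) in Java
	}
	return out, nil
}

// hexString gives what ISOUtil.hexString gives: upper-case hex, no separators.
func hexString(b []byte) string { return fmt.Sprintf("%X", b) }

// hexDump prints 16 bytes per line with an ASCII column; only bytes that happen to
// be printable show as characters, everything else is a dot.
func hexDump(b []byte) string {
	var sb strings.Builder
	for off := 0; off < len(b); off += 16 {
		end := off + 16
		if end > len(b) {
			end = len(b)
		}
		line := b[off:end]
		fmt.Fprintf(&sb, "%04X  %-47s  ", off, fmt.Sprintf("% X", line))
		for _, c := range line {
			if c >= 0x20 && c < 0x7F {
				sb.WriteByte(c)
			} else {
				sb.WriteByte('.')
			}
		}
		sb.WriteByte('\n')
	}
	return sb.String()
}

// presentFields lists the field numbers whose bit is set in a bitmap.
func presentFields(bitmap []byte) []int {
	var fields []int
	for i, b := range bitmap {
		for bit := 0; bit < 8; bit++ {
			if b&(0x80>>uint(bit)) != 0 {
				fields = append(fields, i*8+bit+1)
			}
		}
	}
	return fields
}

// splitBinaryMessage reads the MTI (4 BCD digits, 2 bytes in a binary packager) and
// the bitmap(s); bit 1 of the primary bitmap announces a secondary one. It returns
// the field numbers present and the packed field data that follows the bitmaps.
func splitBinaryMessage(msg []byte) (mti string, fields []int, data []byte, err error) {
	if len(msg) < 10 {
		return "", nil, nil, errors.New("shorter than MTI plus primary bitmap")
	}
	bitmapLen := 8
	if msg[2]&0x80 != 0 {
		bitmapLen = 16
		if len(msg) < 18 {
			return "", nil, nil, errors.New("secondary bitmap announced but missing")
		}
	}
	fields = presentFields(msg[2 : 2+bitmapLen])
	if len(fields) > 0 && fields[0] == 1 {
		fields = fields[1:] // bit 1 is the bitmap flag, not a data element
	}
	return hexString(msg[:2]), fields, msg[2+bitmapLen:], nil
}

func main() {
	// The debugger listing posted in the thread.
	dump := "2,0,34,60,0,1,40,-32,-112,0,48,80,0,7,1,32,3,35,0,0,1,0,0,0,32,3,35,7,1,21,6,8,0,0,0,5,36,53,50,54,55,48,50,48"
	msg, err := bytesFromSignedDump(dump)
	if err != nil {
		panic(err)
	}
	mti, fields, _, err := splitBinaryMessage(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println(hexString(msg))
	fmt.Print(hexDump(msg))
	fmt.Println("MTI", mti, "fields present", fields)
}
```

The hex matches Mark's corrected listing, and the bitmap 223C000128E09000 says fields 3, 7, 11, 12, 13, 14, 32, 35, 37, 41, 42, 43, 49 and 52 are set. The ASCII column of the last line shows $5267020, byte 0x24 followed by digit characters, which is the "$" Ramanath sees in his dump a few messages later: a printable byte among binary ones, not a prefix that was added to the message.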

Ramanath Pai

Jul 1, 2009, 11:45:08 AM7/1/09
to jpos-...@googlegroups.com
Thanks,

Do you know how to get an ASCII dump?

I tried ISOUtil.ebcdicToAscii(byte[]), is that correct?


-Ramanath Pai

Mark Salter

Jul 1, 2009, 11:48:59 AM7/1/09
to jpos-...@googlegroups.com
Ramanath Pai wrote:
>
> Do you know how to get ASCII dump?
An ASCII dump of binary data?

ISOUtil.hexdump(byte[])

My EBCDIC comment was incorrect, I did try and indicate that I had made
a mistake.


--
Mark

Ramanath Pai

Jul 1, 2009, 11:53:22 AM7/1/09
to jpos-...@googlegroups.com
So hexdump and ASCII dumps are the same, right?


-Ramanath Pai


Mark Salter

Jul 1, 2009, 12:05:43 PM7/1/09
to jpos-...@googlegroups.com
Ramanath Pai wrote:
> So hexdump and ascii dumps are same right?
Not really...

ASCII is a character set; you might build a hex dump using ASCII
characters.

Perhaps you should try it and see what you get. Paste the output here
with any questions, but also scan this mailing list, we had some recent
discussion about hex dumps and what the different areas are trying to say.

Your message was binary, so you will have no ASCII characters in your
raw values - unless they happen to occur in your bitmap.

If you are expecting ASCII characters in your result, then you need to
check the packager you are using matches your specification!


--
Mark

Mark Salter

Jul 1, 2009, 12:07:51 PM7/1/09
to jpos-...@googlegroups.com
Mark Salter wrote:

> Your message was binary, so you will have no ASCII characters in your
> raw values - unless they happen to occur in your bitmap.

Or in your binary fields like your PIN block which was not obviously
present in your output shown?

--
Mark

Ramanath Pai

Jul 2, 2009, 2:46:51 AM7/2/09
to jpos-...@googlegroups.com

Hi,

Need help in converting the ASCII or hex dump to a clear string like in the following format
[02001113434145423411630500007012323221111112323220701150608000000055267020100000582]

For ex: 0200 is the MTI string .. ]

I want the ISO Request Object created to split out the clear string of the data it created.

Is there any API in ISO to get this?


-Ramanath Pai

Mark Salter

Jul 2, 2009, 3:04:18 AM7/2/09
to jpos-...@googlegroups.com
Ramanath Pai wrote:
>
> Need help in converting the ASCII or hex dump to a clear string like in
> the following format
> [02001113434145423411630500007012323221111112323220701150608000000055267020100000582]
>
> For ex: 0200 is the MTI string .. ]

So you have a byte[] and you want a string holding the hex string of
the binary data? It is always best to be very clear on what you are
asking...

String result = "[" + ISOUtil.hexString(byte[]) + "]";

might do you?

>
> I want the ISO Request Object created to split out the clear string of the
> data it created.

Why and what is an 'ISO Request Object'?

You sound a little lost...

...what are you actually trying to achieve?

--
Mark

Ramanath Pai

Jul 2, 2009, 4:40:56 AM7/2/09
to jpos-...@googlegroups.com
See, I have created the ISO request object from jPOS. When I see the hex dump of the request it prepends some $ and other hex characters.
I want to check how jPOS will send this request when connecting to some switch or backend server.

Is there any API in jPOS used to send the ISO request?



-Ramanath Pai

Chhil

Jul 2, 2009, 5:09:29 AM7/2/09
to jpos-...@googlegroups.com
Create a sample TCP server, connect your jPOS client to it, use a sniffer like Wireshark to see the data on the line.

If your data is binary you will end up seeing these characters.
-chhil

David Bergert

Jul 2, 2009, 8:03:06 AM7/2/09
to jpos-...@googlegroups.com


On Jul 2, 2009, at 3:40 AM, Ramanath Pai wrote:

Is there any API in JPOS used to send the ISO Request ?


jPOS has the concept of channels to send ISOMsgs.

Do you have the jPOS Programmers' Guide? This is discussed in detail there; otherwise look at the client and server simulator examples in the code.


David Bergert, CISSP, CISA, CPISM/A
www.paymentsystemsblog.com

Ramanath Pai

Jul 2, 2009, 10:01:44 AM7/2/09
to jpos-...@googlegroups.com
Thanks,

One more thing I need to know about this jPOS ISO structure.

When I just create a string according to the 0200 request message structure, I get a definite string, starting from the MTI to the last field value, that is field 52.

But when I create an object from the jPOS API ISOMsg with the AsciiPackager it gives me a string almost the same as the manually constructed string but with some extra 4-5 values in it.
For ex:
Manually
0200623C000128E09000165267020100000582305000070214181900000214181907021506080000000215215267020100000582=1506

ISO Msg API
0200623C000128E09000181652670201000005823050000702155101000001000000155101070215061008000000021523215267020100000582=1506

-Ramanath Pai

David Bergert

Jul 2, 2009, 10:11:36 AM7/2/09
to jpos-...@googlegroups.com
The packing of an ISO message depends on the packager that is used; in your case you are using the AsciiPackager. Some of the data elements will have fields that are variable length with length indicators, and others can be fixed with padding chars.

Is the length of your PAN or DE2 18?


David Bergert, CISSP, CISA, CPISM/A
www.paymentsystemsblog.com

Ramanath Pai

Jul 2, 2009, 10:20:55 AM7/2/09
to jpos-...@googlegroups.com
Oh yes, thanks, I got that: the PAN is 16 so it added the length.
But my field 43 for MTI 0200 is not a variable one... but still jPOS added 40, i.e. the length of that field, to that field.
Can anyone tell why jPOS has included that length even though it's just ans?
 
-Ramanath Pai

David Bergert

Jul 2, 2009, 10:25:23 AM7/2/09
to jpos-...@googlegroups.com
Because in the ASCII packager it is defined as:

in ISO87APackager.java

    /*043*/ new IF_CHAR     ( 40, "CARD ACCEPTOR NAME/LOCATION"),

or:

from iso87ascii.xml

  <isofield
      id="43"
      length="40"
      name="CARD ACCEPTOR NAME/LOCATION"
      class="org.jpos.iso.IF_CHAR"/>

I don't know which one you are using.

But IF_CHAR means a fixed 40 positions, so when jPOS packs the message with the packager, it uses what is defined in the packager to do so...


David Bergert, CISSP, CISA, CPISM/A
www.paymentsystemsblog.com



Ramanath Pai

Jul 2, 2009, 10:29:23 AM7/2/09
to jpos-...@googlegroups.com
Thanks, I was using
ISO93APackager, so was getting that issue.

But that means all the messages depend upon the packager.


-Ramanath Pai

Mark Salter

Jul 2, 2009, 10:36:21 AM7/2/09
to jpos-...@googlegroups.com
Ramanath Pai wrote:
> Thanks, I was using
> ISO93APackager, so was getting that issue.
Not really an issue, it is exactly what you wanted - because you
selected that packager.

>
> But that means all the messages depend upon the packager.

A Packager is responsible for packaging an ISOMsg, so your statement is
correct.

Do you have the Programmers guide? If not I suggest you get it and read
it - if only to reduce the number of 'surprises' you might get.


--
Mark
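To make the packager point concrete, an added example (not jPOS code, and Go instead of Java) with a small table-driven packer: the same two field values are packed once with a 1987-style definition of DE 43 (IF_CHAR, fixed 40, space padded) and once with a 1993-style one (LLVAR, two-digit length prefix), which is exactly the extra "40" Ramanath saw; DE 2 is LLVAR in both, hence the "16". The field kinds, the two packager tables and the sample values are mine, reduced to the fields under discussion.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// kind names a packing rule, after the jPOS field classes named in the thread.
type kind int

const (
	fixedChar kind = iota // IF_CHAR: fixed width, right padded with spaces
	fixedNum              // IF_NUMERIC: fixed width, left padded with zeros
	llVar                 // IFA_LLNUM / IFA_LLCHAR: two-digit ASCII length prefix
	lllVar                // IFA_LLLCHAR: three-digit ASCII length prefix
)

type fieldDef struct {
	kind kind
	size int // fixed width, or the maximum length of a variable field
}

// packager is the table that decides how every field is rendered.
type packager map[int]fieldDef

// packField renders one value exactly as its definition says; the caller's
// intent ("this is fixed", "this is already padded") does not come into it.
func packField(def fieldDef, v string) (string, error) {
	if len(v) > def.size {
		return "", fmt.Errorf("value %q longer than %d", v, def.size)
	}
	switch def.kind {
	case fixedChar:
		return v + strings.Repeat(" ", def.size-len(v)), nil
	case fixedNum:
		return strings.Repeat("0", def.size-len(v)) + v, nil
	case llVar:
		return fmt.Sprintf("%02d%s", len(v), v), nil
	case lllVar:
		return fmt.Sprintf("%03d%s", len(v), v), nil
	}
	return "", fmt.Errorf("unknown field kind %d", def.kind)
}

// pack writes MTI, the bitmap as 16 (or 32) hex characters, then each present
// field in ascending order, the way an ASCII packager does.
func pack(p packager, mti string, fields map[int]string) (string, error) {
	nums := make([]int, 0, len(fields))
	for n := range fields {
		if n < 2 || n > 128 {
			return "", fmt.Errorf("field %d out of range", n)
		}
		nums = append(nums, n)
	}
	sort.Ints(nums)
	bitmap := make([]byte, 8)
	if len(nums) > 0 && nums[len(nums)-1] > 64 {
		bitmap = make([]byte, 16)
		bitmap[0] |= 0x80 // bit 1: a secondary bitmap follows
	}
	var body strings.Builder
	for _, n := range nums {
		def, ok := p[n]
		if !ok {
			return "", fmt.Errorf("field %d is not defined in this packager", n)
		}
		s, err := packField(def, fields[n])
		if err != nil {
			return "", err
		}
		bitmap[(n-1)/8] |= 0x80 >> uint((n-1)%8)
		body.WriteString(s)
	}
	return mti + strings.ToUpper(hex.EncodeToString(bitmap)) + body.String(), nil
}

// Only the two fields under discussion: DE 2 is LLVAR in both definitions; DE 43
// is fixed 40 in the 1987 ASCII packager and LLVAR in the 1993 one.
var (
	iso87 = packager{2: {llVar, 19}, 43: {fixedChar, 40}}
	iso93 = packager{2: {llVar, 19}, 43: {llVar, 99}}
)

func main() {
	// Constructed values; the 40-character DE 43 is what Ramanath was passing in.
	fields := map[int]string{
		2:  "5267020100000582",
		43: fmt.Sprintf("%-40s", "ACME STORE 42 LONDON GB"),
	}
	for name, p := range map[string]packager{"ISO87APackager": iso87, "ISO93APackager": iso93} {
		s, err := pack(p, "0200", fields)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %s\n", name, s)
	}
}
```

The point the thread makes is visible in pack: the value you hand over never decides how it is rendered, only the definition does. A 40-character value into an IF_CHAR 40 goes out unchanged; the same value into an LLVAR field goes out with its length in front; and a 41-character value into either is an error here rather than a silent truncation (my choice in this example; check what your own packager does with over-length data).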

Andy Orrock

Jul 2, 2009, 10:41:54 AM7/2/09
to jpos-...@googlegroups.com

> But that means all the messages depend upon the packager.

 

Not sure where to even begin with that.

 


Ramanath Pai

Jul 2, 2009, 10:42:54 AM7/2/09
to jpos-...@googlegroups.com
No, I don't have the Programmer's Guide.
Do I have to buy it?

-Ramanath Pai

Mark Salter

Jul 2, 2009, 10:51:13 AM7/2/09
to jpos-...@googlegroups.com
Ramanath Pai wrote:
> No i dont have the programmer's guide.
Hmmm..

> Do i have to buy it?

Hmmm...


Well it would certainly help you - and save us from spending our time
answering your basic java and minor jPos questions.

But then we are a helpful bunch...
... good thing we don't all have real jobs (and lives) to get on with.

8)

--
Mark

Andy Orrock

Jul 2, 2009, 10:57:15 AM7/2/09
to jpos-...@googlegroups.com

Yes.

 

See http://jpos.org/products/proguide 

 

The reason you’re seeing some level of curtness in the answers you’re receiving from the list is that it’s clear you don’t have the Guide.  Many of your answers are in there. 

 

You may tell us you can’t afford the $50.  But by not having it, you’ll increase your toil fourfold if not more.  Are your services really offered so cheaply that a $50 purchase will set your client or employer back more than a 4x expenditure of labor?

 

Andy
