-----
----Cheer :drunk: ---
mail: queo...@gmail.com
Yahoo: queo1987
--
View this message in context: http://old.nabble.com/Key-Management-at-ATM-tp27036539p27036539.html
Sent from the jPOS - Users mailing list archive at Nabble.com.
--
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
Follow the HSM guide, you can generate key for ATM
First, you generate TMK first (based on components)
after in
Hi
In fact, these key words will depend on your HSM type
and also those clear keys nobody can see.
Pin key (PPK / TPK)
This is the key that is used for encrypting the PIN block in the ATM. And it is a dynamic key.
During key exchange the HSM sends the key, encrypted under the Master key, to the ATM; that is called the Session key,
and at the ATM it will be decrypted using the ATM master key, and that clear key will act as the PIN key for a particular time interval.
Master key should be injected manually into the ATM
Example
ATM has TMK (Master key)
Key exchanging
Generate the random PPK on the HSM side and it will be sent to the ATM
eTMK (PPK) -> ATM
Then on the ATM side
dTMK (PPK) and get the clear PPK
this is the session key
In your problem,
Are you using HSM?
Basically the algorithm is Triple-DES, using all keys as double-length keys
Example
PIN key = xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx (double length key)
Encryption like this
Define two keys like this
key1 = xxxx xxxx xxxx xxxx (First part of PIN key)
key2 = xxxx xxxx xxxx xxxx (Second part of PIN key)
PIN block = XXXX XXXX XXXX XXXX
eKey1(PIN block) -> dKey2(eKey1(PIN block)) -> eKey1(dKey2(eKey1(PIN block))) (This is the final output)
And you can do the same thing for decrypting
First Decrypt and Encrypt and finally Decrypt
Regards
-Kapila
put this key for ATM and POS, you generate communication key (pinkey) based on TMK you already input!
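The key exchange and the E-D-E steps described above, as an added example that is not part of the original thread or of jPOS: it unwraps a TPK sent under the TMK and checks that Java's "DESede" with the double-length key expanded to K1|K2|K1 gives the same result as the three manual DES steps. The class name, key values and PIN block are constructed test values, and HexFormat needs Java 17 or later.

```java
import java.util.Arrays;
import java.util.HexFormat; // Java 17+
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class DoubleLengthTdesDemo { // hypothetical class name
    // Single DES over 8-byte blocks (ECB, no padding): one step of E-D-E.
    static byte[] des(int mode, byte[] key8, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/NoPadding");
        c.init(mode, new SecretKeySpec(key8, "DES"));
        return c.doFinal(data);
    }

    // "DESede" wants 24 bytes, so the double-length key K1|K2 becomes K1|K2|K1.
    static byte[] tdes(int mode, byte[] key16, byte[] data) throws Exception {
        byte[] key24 = Arrays.copyOf(key16, 24);
        System.arraycopy(key16, 0, key24, 16, 8);
        Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
        c.init(mode, new SecretKeySpec(key24, "DESede"));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        HexFormat hex = HexFormat.of().withUpperCase();
        // Constructed test values only, never real keys or a real PIN block.
        byte[] tmk = hex.parseHex("0123456789ABCDEFFEDCBA9876543210");
        byte[] tpk = hex.parseHex("0F1E2D3C4B5A69788796A5B4C3D2E1F0");
        byte[] pinBlock = hex.parseHex("0412AC7EDCBA9876");

        // Key exchange: the host sends eTMK(TPK); the ATM computes dTMK(...) with its injected TMK.
        byte[] wrapped = tdes(Cipher.ENCRYPT_MODE, tmk, tpk);
        byte[] clearTpk = tdes(Cipher.DECRYPT_MODE, tmk, wrapped);

        // Manual eKey1 -> dKey2 -> eKey1 from the post, next to the built-in DESede.
        byte[] k1 = Arrays.copyOfRange(clearTpk, 0, 8);
        byte[] k2 = Arrays.copyOfRange(clearTpk, 8, 16);
        byte[] manual = des(Cipher.ENCRYPT_MODE, k1,
                des(Cipher.DECRYPT_MODE, k2, des(Cipher.ENCRYPT_MODE, k1, pinBlock)));
        byte[] builtin = tdes(Cipher.ENCRYPT_MODE, clearTpk, pinBlock);
        byte[] roundTrip = tdes(Cipher.DECRYPT_MODE, clearTpk, manual);

        System.out.println("eTMK(TPK)          = " + hex.formatHex(wrapped));
        System.out.println("TPK recovered      = " + Arrays.equals(tpk, clearTpk));
        System.out.println("manual == DESede   = " + Arrays.equals(manual, builtin));
        System.out.println("PIN block restored = " + Arrays.equals(pinBlock, roundTrip));
    }
}
```

This only fits a test simulator: in production the clear TMK and TPK stay inside the HSM and the ATM, as the thread says.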
Now, I have never seen an HSM device.
I must make a simulator application for an ATM machine to test.
As you say, we have 3 keys: TMK (Terminal Master Key), Session Key, TPK
(Terminal PIN Key),
and TPK is used to encrypt data before sending it out.
Please show how to create the keys.
I don't know if my understanding is correct?
TMK (Length: 32 Hexadecimal = 128 bit, use TDES to create)
TPK (Length: 32 Hexadecimal = 128 bit, use TDES to create)
Why must I create two parts of the TPK when Java can encrypt and decrypt
using only the algorithm "DESede"?
Please explain clearly the relation between the keys.
Thanks and regards.
These links are a good start Kapilashantha, may I suggest you take your
time reading through and seek as much other information as you (and your
company) need yourself.
I believe this subject is off-topic too. Even though there are people
that can help. Please can you consider marking any further messages
with a subject containing [OT], so that people can filter to their needs.
As always...
... you will need an HSM (or similar) for your production environment.
HSM will come with documentation (just like ATMs) that will tell you (or
your security department) how to handle keys of all types.
Which company are you representing - for the work you have been given -
don't they have anyone that knows how keys work you could ask?
--
I have to build a car, anyone tell me how. It needs to be blue.
8)
Mark