RG 7000 DE (Generate an IBM PIN Offset)


kapilashantha rajapaksha

Jul 23, 2013, 12:59:03 AM
to jpos-...@googlegroups.com
Hi,

I'm using an RG7000 security module. If you have experience with the DE (Generate an IBM PIN Offset) command, please guide me on what is wrong in my request to the HSM.

1. Generate Random PIN

Request (JA)
0000  00 14 31 32 33 34 4A 41  30 30 30 30 32 35 33 32  ..1234JA00002532
0010  33 31 32 31 30 34                                 312104

Response (JB)
0000  00 0D 31 32 33 34 4A 42  30 30 30 37 35 39 32     ..1234JB0007592


Now I try to use DE,

Racal (HSM) Request:
0000  00 56 31 32 33 34 44 45  55 39 30 35 33 31 45 39  .V1234DEU90531E9
0010  39 36 46 35 39 36 44 42  36 32 38 46 37 45 45 44  96F596DB628F7EED
0020  39 35 41 38 41 38 34 39  37 30 37 35 39 32 30 34  95A8A84970759204
0030  32 34 35 33 30 34 30 30  30 30 32 35 30 31 32 33  2453040000250123
0040  34 35 36 37 38 39 31 32  33 34 35 36 30 30 30 30  4567891234560000
0050  32 35 33 32 33 31 32 31                           25323121


1234
DE
90531E996F596DB628F7EED95A8A8497 - PVK
07592 - LN
04 -Check PIN length
245304000025 - PAN
0123456789123456 - DT
000025323121 - Data

But now Response







Mark Salter

Jul 23, 2013, 1:34:21 AM
to jpos-...@googlegroups.com
On 23/07/2013 05:59, kapilashantha rajapaksha wrote:
> I'm using RG7000 Security module and If you have experience of DE
> (Generate an IBM PIN Offset
> ) command, please guide me where is wrong in request to HSM?

Are you using jPOS to communicate with this device?

Have you added any Logger to the Channel or Packager to see what might
be happening with the DF response?

>
> Now I try use DE,
>
> Racal (HSM) Request:
> 0000 00 56 31 32 33 34 44 45 55 39 30 35 33 31 45 39 .V1234DEU90531E9
> 0010 39 36 46 35 39 36 44 42 36 32 38 46 37 45 45 44 96F596DB628F7EED
> 0020 39 35 41 38 41 38 34 39 37 30 37 35 39 32 30 34 95A8A84970759204
> 0030 32 34 35 33 30 34 30 30 30 30 32 35 30 31 32 33 2453040000250123
> 0040 34 35 36 37 38 39 31 32 33 34 35 36 30 30 30 30 4567891234560000
> 0050 32 35 33 32 33 31 32 31 25323121
>
>
> 1234
> DE
> 90531E996F596DB628F7EED95A8A8497 - PVK
> 07592 - LN
> 04 -Check PIN length
> 245304000025 - PAN
> 0123456789123456 - DT
> 000025323121 - Data
>
> But now Response

"No" response?

You need to check the manual.

There would normally be a response, which is why I wonder if your
'Packager' is incorrectly defined for the response...

... if you are using jPOS for any part of this exchange.

Is DE a valid command?

What does the manual say, is no response an option for it?

How are you communicating with this device (TCP/IP or UDP or something
else)?

Could a component of your network be conditionally blocking the exchange?

--
Mark

chhil

Jul 23, 2013, 2:00:31 AM
to jpos-...@googlegroups.com

Length = .V
Header=1234
Command=DE
PVK=U90531E996F596DB628F7EED95A8A8497
Pin=07592
Pin Check length=04
12 from account + following fields=2453040000250123456789123456000025323121

The 12 from account does not seem to match the 12 from account sent in the JA command.

Usually the HSM will send at least an error (non-00 error means declined) back if the command is formatted properly. Since it's not responding, your DE is not according to spec.

1. As Mark has, if this is jPOS related then we would like to see the logs of the formatted message sent with field descriptions.
2. If this is a Thales only question, you are better off getting support from the Thales guys.
3. I recommend you search for ThalesSim and use it, this HSM sim will also provide errors when it fails parsing and give you a better understanding of where you have gone wrong.

-chhil





kapilashantha rajapaksha

Jul 23, 2013, 2:01:19 AM
to jpos-...@googlegroups.com
Hi Mark,

"No" response? - yes

I found the issue and it was in the data (000025323121). According to the manual, "N" should be there in order to check the last digit of the account number.

PIN validation data

the character N, which indicates to the HSM where to insert
the last 5 digits of the account number


Racal (HSM) Request:
0000  00 56 31 32 33 34 44 45  55 39 30 35 33 31 45 39  .V1234DEU90531E9
0010  39 36 46 35 39 36 44 42  36 32 38 46 37 45 45 44  96F596DB628F7EED
0020  39 35 41 38 41 38 34 39  37 30 33 39 36 34 30 34  95A8A84970396404
0030  32 34 35 33 30 34 30 30  30 30 32 35 30 31 32 33  2453040000250123
0040  34 35 36 37 38 39 31 32  33 34 35 36 34 34 35 38  4567891234564458
0050  33 32 39 33 37 32 4E 35                           329372N5

Racal (HSM) Response:
0000  00 14 31 32 33 34 44 46  30 30 32 39 35 39 46 46  ..1234DF002959FF
0010  46 46 46 46 46 46                                 FFFFFF



Thanks a lot for your quick response.
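Added example, not part of the original posts: a Python check for the DE request layout broken down in this thread, which reports the missing 'N' placeholder before the frame is sent. The field widths are taken from the posters' breakdown; the function names, the fixed 4-character header and the 5-character PIN field are assumptions of this example.

```python
import string
import struct

# DE request layout as broken down in this thread. The 4-character header and
# 5-character LMK-encrypted PIN length are settings of this installation.
DE_FIELDS = [("header", 4), ("command", 2), ("pvk", 33), ("pin_lmk", 5),
             ("check_len", 2), ("account", 12), ("dec_table", 16),
             ("validation_data", 12)]

def frame(text: str) -> bytes:
    """Prefix an ASCII host command with its 2-byte big-endian length."""
    return struct.pack(">H", len(text)) + text.encode("ascii")

def parse_de(raw: bytes) -> dict:
    """Split a length-prefixed DE request into named fields."""
    (declared,) = struct.unpack(">H", raw[:2])
    body = raw[2:].decode("ascii")
    expected = sum(width for _, width in DE_FIELDS)
    if declared != len(body) or len(body) != expected:
        raise ValueError(
            f"declared={declared} actual={len(body)} expected={expected}")
    fields, pos = {}, 0
    for name, width in DE_FIELDS:
        fields[name] = body[pos:pos + width]
        pos += width
    return fields

def lint_de(fields: dict) -> list:
    """Return format problems that can be found before the request is sent."""
    problems = []
    if fields["command"] != "DE":
        problems.append("command code is not DE")
    pvk = fields["pvk"]
    if pvk[0] != "U" or any(c not in string.hexdigits for c in pvk[1:]):
        problems.append("PVK is not 'U' followed by 32 hex characters")
    for name in ("check_len", "account"):
        if not fields[name].isdigit():
            problems.append(f"{name} is not all decimal digits")
    # The manual text quoted in the thread: 'N' marks where the HSM inserts
    # the last 5 digits of the account number.
    if "N" not in fields["validation_data"]:
        problems.append("PIN validation data has no 'N' placeholder")
    return problems

# The two requests from the thread, rebuilt from their ASCII columns.
PREFIX = "1234DEU90531E996F596DB628F7EED95A8A8497"
TAIL = "04" + "245304000025" + "0123456789123456"
FIRST_REQUEST = frame(PREFIX + "07592" + TAIL + "000025323121")
FIXED_REQUEST = frame(PREFIX + "03964" + TAIL + "4458329372N5")
```

Running `lint_de(parse_de(FIRST_REQUEST))` reports the missing placeholder, while the corrected request passes with no findings.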






kapilashantha rajapaksha

Jul 31, 2013, 11:48:50 PM
to jpos-...@googlegroups.com
Hi,

JA will return the clear PIN (but the document says that it's LMK (PIN)). In the response below, the encrypted PIN is 07592.

Note: I'm using the Thales simulator

Response (JB)
0000  00 0D 31 32 33 34 4A 42  30 30 30 37 35 39 32     ..1234JB0007592

Actually, I want to keep this value (07592) until the PIN is printed, but it seems to be a security issue. Please let me know why it's returning the clear PIN. Is there any setting to be set in the HSM?

Thanks,
 

Mark Salter

Aug 1, 2013, 1:17:20 AM
to jpos-...@googlegroups.com
On 01/08/2013 04:48, kapilashantha rajapaksha wrote:
> Hi,
>
> JA will return the clear PIN (but the document says that it's LMK (PIN)).
> In the response below, the encrypted PIN is 07592.
>
> Note: I'm using the Thales simulator

Is the JA/JB exchange implemented properly in this simulator (which one?)?

Have you tried asking the provider of the simulator - as previously this
does not sound like a jPOS question at all?

>
> Response (JB)
> 0000 00 0D 31 32 33 34 4A 42 30 30 30 37 35 39 32 ..1234JB0007592
>
> Actually, I want to keep this value (07592) until PIN is printing but it
> seems to be security issue.
Printing a PIN - where (on what)?

It is a security issue that you have the PIN in the clear at all - ever;
it should be in a PIN block (as you seem to agree) all the way up to the
point of 'printing' on a 'secure printing' device/process and even then
it would rarely not be secured even after printing (I am presuming a PIN
mailer of some sort here).

> Please let me know why it's returning clear
> PIN? Any setting is to be set in HSM?
You will need to check the documentation of the simulator and perhaps
for the real HSM device you will/should be using.

I don't have the (real HSM) documentation handy, but I might check later
and reply again.


--
Mark

kapilashantha rajapaksha

Aug 1, 2013, 2:07:48 AM
to jpos-...@googlegroups.com
Hi,

Yes, it's implemented properly but I'm not following the provider (Thales) yet.

I'm doing offline PIN printing as a batch using the PE (PF) function. So in order to call the PE command, it requires the encrypted PIN block (LN or LH) which is returned from JA. (Actually expecting encrypted PIN block (8 bytes) but returns value is the case for me)

JB response description for the encrypted PIN:

PIN      L N or LH               The derived PIN encrypted under LMK pair 02-03.


Anyway, thanks for your advice even though it is outside of jPOS.

Thanks






Martha Gani

Aug 1, 2013, 2:34:38 AM
to jpos-...@googlegroups.com
As you specified the PIN length is 04 in JA, the output PIN is 7592, not 07592.
DE
90531E996F596DB628F7EED95A8A8497 - PVK
07592 - LN    ----> should be 7592
04 -Check PIN length
245304000025 - PAN
0123456789123456 - DT
000025323121 - Data




kapilashantha rajapaksha

Aug 1, 2013, 2:45:58 AM
to jpos-...@googlegroups.com
Hi,

07592 is the encrypted PIN. So in DE, it's requiring the encrypted PIN (07592, not the clear PIN 7592).

Thanks,

