Pin Translation from TPK to ZPK


Dipin C

Aug 11, 2014, 8:59:16 PM
to jpos-...@googlegroups.com
Hi,

Firstly I want to apologize to the members of this group for coming up with a topic irrelevant to jPOS, but I had no other option, so kindly excuse me. My requirement is to generate TMK & TPK using Thales, and on the POS terminal I need to load TMK, TPK and form the pinblock under TPK, then I need to translate the pinblock under TPK to ZPK. I am able to generate TMK & TPK and on the POS terminal I am able to form the pinblock, and now I need to translate the pin block encrypted under TPK to ZPK, but I am getting error code 24 from the HSM. Below is the complete procedure I followed to generate TMK, TPK & ZPK, and I am unable to figure out the issue, so kindly help me.

My Plain TMK
************
Online-AUTH>gc

Enter LMK id [0-1]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u

Clear component: C14C CD94 0B46 43FE 94D3 F701 E0F2 D064

Key check value: 97E7AD

TMK under LMK
*************
Online-AUTH>fk

Enter LMK id [0-1]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Enter component type [X,H,T,E,S]: x
Enter number of components [1-9]: 1

Enter component 1: ***************************************
Component 1 check value: 97E7AD
Continue? [Y/N]: y


Encrypted key: UA742 C4D5 2457 66BB CF3D D22E 2A65 9FDE
Key check value: 97E7AD

Session keys under TMK
**********************
Input to HSM : 0000HCUA742C4D5245766BBCF3DD22E2A659FDE;UU0
Output from HSM : 0000HD00UED69C077A97195F3D5741855A861B086UF7F89DAD24CE89C2A8FD4097217E8EFF

Pin Block calculated on terminal in ISO - 0 Standard
*****************************************************
Card no - 4180879999999957(12 - digit card no 087999999995)087999999995
Pin - 1234
clear TPK - C8358F3F90FB69C41C2E31E48B21127A
TPK under TMK - ED69C077A97195F3D5741855A861B086 (clear TMK- C14CCD940B4643FE94D3F701E0F2D064 )
Encrypted Pin block formed on terminal - E0A87BEC03235198

Bank ZPK
********
Online-AUTH>fk

Enter LMK id [0-1]: 0
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: U
Enter component type [X,H,T,E,S]: X
Enter number of components [1-9]: 3

Enter component 1: ***************************************
Component 1 check value: 3C7961
Continue? [Y/N]: Y

Enter component 2: ***************************************
Component 2 check value: 88559B
Continue? [Y/N]: Y

Enter component 3: ***************************************
Component 3 check value: 0FFC48
Continue? [Y/N]: Y


Encrypted key: UFA7B BF8B 5847 0D9E 1CC8 09BC AF30 A3B3
Key check value: A7D48E

Pin Translation from TPK to TMK
********************************
Input to HSM : 0000CAUF7F89DAD24CE89C2A8FD4097217E8EFFUFA7BBF8B58470D9E1CC809BCAF30A3B312E0A87BEC032351980101087999999995
Output from HSM : 0000CB24


chhil

Aug 12, 2014, 5:51:53 AM
to jpos-...@googlegroups.com
Your data seems to be correct. Just breaking it up so that someone else may spot the problem.
I assume this was from a real HSM and not a home-grown sim. If it's a sim, you should probably use the sim's helpline to get it answered.


Input to HSM : 0000HC[UA742C4D5245766BBCF3DD22E2A659FDE] TMK Under LMK
                     [;UU0] : optionalData




Pin Block calculated on terminal in ISO - 0 Standard
*****************************************************
The Encrypted pinblock is correct.
ISO 0 Pinblock for 4180879999999957 and pin 1234  =  04123C866666666A
Clear TPK = C8358F3F90FB69C41C2E31E48B21127A
Encrypted under clear C8358F3F90FB69C41C2E31E48B21127A= E0A87BEC03235198


Bank ZPK /Destination ZPK
**************************
Generated via the HSM
Encrypted key: UFA7BBF8B58470D9E1CC809BCAF30A3B3 [Dest ZPK Under LMK]
Key check value: A7D48E

Pin Translation from TPK to ZPK
********************************
Input to HSM : 0000CA    [UF7F89DAD24CE89C2A8FD4097217E8EFF] :TPK under LMK  
[UFA7BBF8B58470D9E1CC809BCAF30A3B3] :Destination ZPK under LMK
[12            ] :Max Pin Length
[E0A87BEC03235198] : Encrypted pin block (encrypted under clear tmk)
[01        ]: Src Pin Block Format
[01        ]:Dst Pin Block Format
[087999999995]:Acct Number
 
Output from HSM : 0000CB24

I believe error code 24 is Pin length less than 4 or greater than 24.

-chhil


--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/9c719582-d123-4365-9537-7600270a249e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Victor Salaman

Aug 12, 2014, 6:05:47 AM
to jpos-...@googlegroups.com
Hi:

If I'm not mistaken the PIN length specified in the CA host command needs to be less than or equal to the PIN length defined in the CS (Configure Security) console command.

/V


Dipin C

Aug 12, 2014, 6:23:05 AM
to jpos-...@googlegroups.com
Thanks Chhil,

Yeah it is not a simulator, I am using Thales PayShield 9000 HSM

chhil

Aug 12, 2014, 6:24:41 AM
to jpos-...@googlegroups.com
My manual says it needs to be hardcoded at 12. 
I had a typo in my previous response describing the error, it's pin less than 4 and greater than 12 (not 24).

Not aware of the CS command caveat.

-chhil


Dipin C

Aug 12, 2014, 6:25:56 AM
to jpos-...@googlegroups.com
Hi Salaman,

Please find the below configuration of our HSM & I had tried the CA command with max pin length of 4 but I am getting the same response.

Online-AUTH>QS

PIN length: 04
Encrypted PIN length: 05

Alejandro Revilla

Aug 12, 2014, 1:44:42 PM
to jPOS Users
You love this stuff... don't you?

You can continue here: http://cryptopals.com/

:)



chhil

Aug 12, 2014, 2:04:20 PM
to jpos-...@googlegroups.com

Where is our 'OT' man when you need him ;)

-chhil


Mark Salter

Aug 12, 2014, 6:15:28 PM
to jpos-...@googlegroups.com
On 12/08/2014 10:51, chhil wrote:
> Your data seems to be correct. Just breaking it up so that someone else
> may spot the problem.
Thanks Chhil, time well spent?

> Pin Block calculated on terminal in ISO - 0 Standard
> *****************************************************
> The Encrypted pinblock is correct.
> ISO 0 Pinblock for 4180879999999957 and pin 1234 = 04123C866666666A
> Clear TPK = C8358F3F90FB69C41C2E31E48B21127A
> Encrypted under clear C8358F3F90FB69C41C2E31E48B21127A= E0A87BEC03235198
>
PIN block format *0* - hmmm

>
> Bank ZPK /Destination ZPK
> **************************
> Generated via the HSM
> Encrypted key: UFA7BBF8B58470D9E1CC809BCAF30A3B3 [Dest ZPK Under LMK]
> Key check value: A7D48E
>
> Pin Translation from TPK to ZPK
> ********************************
> Input to HSM : 0000CA [UF7F89DAD24CE89C2A8FD4097217E8EFF] :TPK under
> LMK
> [UFA7BBF8B58470D9E1CC809BCAF30A3B3] :Destination ZPK under LMK
> [12 ] :Max Pin Length
> [E0A87BEC03235198] : Encrypted pin block (encrypted under clear tmk)
> [01 ]: Src Pin Block Format
Hmmm, interesting choice...?

> [01 ]:Dst Pin Block Format
> [087999999995]:Acct Number
>
> Output from HSM : 0000CB24
>
> I believe error code 24 is Pin length less than 4 or greater than 24.
Is the PIN block format indicating a length will be present, but the PIN
block does not have a length?

I don't remember the different PIN formats, but the 0 versus 1 made me
wonder, because if the length is absent, then the start of the PIN could
be being taken as a length and perhaps out of range - or vice-versa?

--
Mark

chhil

Aug 12, 2014, 11:32:24 PM
to jpos-...@googlegroups.com

Mark,

Time well spent? Time will tell. :)

The ISO 0 pinblock has the length preceding it. I did put it in a crypto calculator to generate it.

ISO 0 Pinblock for 4180879999999957 and pin 1234  =  04123C866666666A

The leading 0 is the iso 0 format indicator,  the 4 following it is the length of the pin.

-chhil
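
The CA request breakdown and the ISO format 0 PIN block arithmetic from the posts above, as an added example that is not part of the thread or of jPOS. It assumes the CA field order shown in the breakdown and the scheme-tag key lengths in `KEY_HEX_LEN`; all function names are hypothetical.

```python
# Added example. Field order follows the CA breakdown posted in this thread.
# Assumed scheme tags -> key hex digits (U/X double length, T/Y triple length).
KEY_HEX_LEN = {"U": 32, "X": 32, "T": 48, "Y": 48}
# CA request exactly as posted in the thread.
CA_REQUEST = ("0000CAUF7F89DAD24CE89C2A8FD4097217E8EFF"
              "UFA7BBF8B58470D9E1CC809BCAF30A3B3"
              "12E0A87BEC032351980101087999999995")

def take_key(msg, pos):
    """Read one scheme-tagged key; an untagged key is 16 hex digits."""
    n = 1 + KEY_HEX_LEN[msg[pos]] if msg[pos] in KEY_HEX_LEN else 16
    return msg[pos:pos + n], pos + n

def parse_ca(msg):
    """Split a CA request into the fields named in the thread's breakdown."""
    if msg[4:6] != "CA":
        raise ValueError("not a CA command")
    out, pos = {"header": msg[:4]}, 6
    out["tpk_lmk"], pos = take_key(msg, pos)
    out["zpk_lmk"], pos = take_key(msg, pos)
    for name, width in (("max_pin_len", 2), ("pin_block", 16),
                        ("src_format", 2), ("dst_format", 2), ("account", 12)):
        out[name], pos = msg[pos:pos + width], pos + width
    if pos != len(msg):
        raise ValueError("unexpected message length")
    return out

def account_field(pan):
    """12 rightmost PAN digits, excluding the check digit."""
    return pan[-13:-1]

def iso0_block(pin, account):
    """Clear ISO format 0 block: (0, length, PIN, F padding) XOR (0000, account)."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN length outside 4..12")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return f"{int(pin_field, 16) ^ int('0000' + account, 16):016X}"

def iso0_pin(block, account):
    """Recover the PIN from a clear block, applying the format and length checks."""
    field = f"{int(block, 16) ^ int('0000' + account, 16):016X}"
    length = int(field[1], 16)
    if field[0] != "0" or not 4 <= length <= 12:
        raise ValueError("bad format nibble or PIN length outside 4..12")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad.strip("F"):
        raise ValueError("malformed PIN digits or padding")
    return pin
```

A block that is not the true clear value, which is what results when the decrypting key differs from the one the terminal used, typically fails the format or length check in `iso0_pin`; that is the class of condition described in this thread for error 24.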


Mark Salter

Aug 13, 2014, 1:33:42 AM
to jpos-...@googlegroups.com
On 13/08/2014 04:32, chhil wrote:
> The ISO 0 pinblock has the length preceding it. I did put it in a
> crypto calculator to generate it.
>
> ISO 0 Pinblock for 4180879999999957 and pin 1234 = 04123C866666666A
>
> The leading 0 is the iso 0 format indicator, the 4 following it is the
> length of the pin.
>
And the input into the CA command showing a value of '01' for the source
PIN Block format indicates ISO 0 format?

I might check the manuals later to see; but it looked like it might be
wrong :-)

--
Mark

chhil

Aug 13, 2014, 3:07:02 AM
to jpos-...@googlegroups.com

Yes, 01 is for format 0.

-chhil


Mark Salter

Aug 13, 2014, 5:27:31 AM
to jpos-...@googlegroups.com


On Wednesday, August 13, 2014 8:07:02 AM UTC+1, chhil wrote:

Yes, 01 is for format 0.

:-)

--
Mark

chhil

Aug 13, 2014, 6:29:02 AM
to jpos-...@googlegroups.com


The user was doing this

Session keys under TMK
**********************
Input to HSM : 0000HCUA742C4D5245766BBCF3DD22E2A659FDE;UU0

The suggestion was to use an X scheme to encrypt the key under TMK.


When you are generating a PIN key using the HC command for a POS terminal you should use ANSI scheme 'X' for the exported key, as in the example below:
0000HCUA742C4D5245766BBCF3DD22E2A659FDE;XU0
If you are using Variant scheme 'U' for the key under TMK, the resulting key decrypted by the terminal will be different from what you are expecting. The Thales Variant scheme transforms the LMK a bit to encrypt different types and lengths of keys. The 'X' scheme is the correct one to get the same key on the terminal and host sides. On the host side (application) you should keep the key under LMK in the 'U' scheme.

Regards,
Juris


chhil

Aug 13, 2014, 6:41:10 AM
to jpos-...@googlegroups.com
I can confirm this works with the ThalesSim.

-chhil

Dipin C

Aug 13, 2014, 9:20:17 AM
to jpos-...@googlegroups.com

Thanks everyone for the effort you all put in to respond to the post.

Thanks Chhil, the response posted helped me in solving the problem. The change of the scheme to X solved the issue.

chhil

Aug 13, 2014, 10:24:26 AM
to jpos-...@googlegroups.com
You are welcome.
The post in this group and the thalessim discussion area are identical. If you had followed that thread you would have fixed your problem a lot earlier. :)

-chhil



Trupti Suryawanshi

Jun 26, 2019, 9:15:59 AM
to jPOS Users
Hi

you know any key injection process for pin pad transaction using 2 clear components. 

Victor Salaman

Jun 26, 2019, 9:18:39 AM
to 'Ruchira Biyani' via jPOS Users
Only you will try to hijack a 5 year old thread and ask something not making sense :)

Please start a new thread, and state the problem in detail.

On Wed, Jun 26, 2019 at 9:16 AM Trupti Suryawanshi <trptsur...@gmail.com> wrote:
Hi

you know any key injection process for pin pad transaction using 2 clear components. 


Mark S

Jun 26, 2019, 9:22:35 AM
to jpos-...@googlegroups.com
Please read here first..

--
Mark


From: jpos-...@googlegroups.com <jpos-...@googlegroups.com> on behalf of Trupti Suryawanshi <trptsur...@gmail.com>
Sent: Wednesday, June 26, 2019 10:11:39 AM
To: jPOS Users
Subject: [jpos-users] Re: Pin Translation from TPK to ZPK
 
Hi

you know any key injection process for pin pad transaction using 2 clear components. 

--

nemat

Jun 23, 2021, 12:34:18 PM
to jPOS Users
Hello everyone. 
My problem is very similar to this conversation's topic. 

I have been given 2 clear components and one TMK generated in Thales HSM just like above.

I need to import them in pos and generate the PINBLOCK iso format-0 and encrypt it in 3DES and in Java.

Is there anyone to help, please?

Alejandro Revilla

Jun 23, 2021, 12:55:19 PM
to jPOS Users
You want to use `q2 --cli` and then `smconsole`.

Press `tab` in order to see the available commands.


