PIN Master Key, and PIN Working KEY at ATM


queo1987

Jan 7, 2010, 9:24:53 PM
to jpos-...@googlegroups.com

Dear,
My company just bought a new ATM machine for testing.
When I tested the functions of the PIN pad driver, I saw the following example:
- create PIN Master Key:
input block 1 (32 bytes): FFFFFF...... (32 char F)
input block 2 (32 bytes): FFFFFF.......(32 char F)
==> result of master key is: 8CA64DE9 (8 char Hex)
- create PIN Working key:
input block 1 (32 bytes): FFFFFFF......(32 char F)
==> result of pin working key: 23EFBC11(8 char Hex)
- Finally:
input PAN number : 55555...... (16 digits)
input PIN : 1234
==> result of pin block cipher (iso format 0): 592323BFD183E3CD (16 char hex)

Questions:
1) What algorithm is used for the master key? Why is the input 2 blocks, 64 chars (64 bytes), but the result is 8 hex chars (4 bytes)?

2) Similarly for the PIN working key: why is the input 32 chars, but the result is 8 chars?

3) How to extract the PIN block cipher? How do they do it?

Thanks and regards

-----
----Cheer :drunk: ---
mail: queo...@gmail.com
Yahoo: queo1987
--
View this message in context: http://old.nabble.com/PIN-Master-Key%2C-and-PIN-Working-KEY-at-ATM-tp27070509p27070509.html
Sent from the jPOS - Users mailing list archive at Nabble.com.

kapilashantha rajapaksha

Jan 7, 2010, 11:18:11 PM
to jpos-...@googlegroups.com
Hi,

Dear, you had better study HSM functions and their usage in the financial sector. Without that idea you may have trouble understanding and implementing a simulator for your testing. However, it can be implemented using Java, but remember that if someone is auditing your system, you may fail due to less security.

Anyway,

First you have to think of these things for your issue:

01 LMK (Local Master Key) or *KM (Domain Master Key)
02 Clear components and encrypted components of secret key
03 KVC (Key verification code ) or KCV (Key check value) of key
04 PIN block formats and PIN verification methods
05 ZMK (Zone Master key) or KIR/KIS
06 LMK variants
07 What dynamic key exchanging is
08 Additionally, the PIN issuing process (using PVK), how to keep the returned offset value in the database, and PIN verification using PVK


For your questions,

As I mentioned before, nobody can see the clear value of any key (master key, PIN key, etc.).
Just think about the process of inserting a master key.

We insert the clear components into the ATM (remember, this is not a master key).

Example
We use three clear components for inserting the master key:

C1 = aaaa aaaa aaaa aaaa bbb bbbb bbbb bbbb
C2 = 1111 1111 1111 1111 2222 2222 2222 2222
C3 = 4444 4444 4444 4444 5555 5555 5555 5555

Then inside the ATM or HSM it will create the actual key (TMK etc.); basically, this is how it happens:

TMK = C1 Xor C2 Xor C3 (This is not the correct way every time, and it will depend on the HSM type as well)

After processing this inside the HSM or ATM, it will return the KVC to the user (simply a 6-digit hex value).

In fact, this value is used for verifying the TMK (for example, suppose you have to insert this key into yet another device. After inserting the above clear values in that device, its KVC should also be equal to the previous one; then you can think both devices have the same TMK).

You got a 4-byte value when you input the two blocks. I think that it can be the KVC of your master key. The same takes place for the PIN key as well.

Basically you can't extract the PIN block (Possible)

Format 0

PAN = 1234 5678 9012 3456
PIN = 1234

Get of this from PAN    A = 4 5678 9012 345 FFF
And re-format PIN       B = 0000 1234 FFFF FFFF

Get Final PIN block = A XOR B

Regards,
Kapia,





--
You received this message because you are subscribed to the  "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users

queo1987

Jan 8, 2010, 1:21:40 AM
to jpos-...@googlegroups.com

Dear,
Thank you for your reply.
I see that you did not convert ISO format 0 correctly.

ISO Format 0 (ISO 9564-1)

PAN = 1234 5678 9012 3456
PIN = 1234

Get of this from PAN A = 4 5678 9012 345 FFF (wrong) ==> A = 0000 5678 9012 3456
And re-format PIN B = 0000 1234 FFFF FFFF (wrong) ==> B = 0412 34FF FFFF FFFF

Get Final PIN block = A XOR B

That is my mind.

Thanks and regards.

-----
----Cheer :drunk: ---
mail: queo...@gmail.com
Yahoo: queo1987
--

View this message in context: http://old.nabble.com/PIN-Master-Key%2C-and-PIN-Working-KEY-at-ATM-tp27070509p27071845.html
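
The steps discussed in the messages above (XOR-combining clear key components, taking a key check value, building a clear ISO 9564-1 format 0 PIN block) as an added Java example; it is not code from the posters or from jPOS, and the class and method names are hypothetical. It assumes components are combined by XOR, a double-length 3DES key, and a KCV taken as the leading bytes of eight encrypted zero bytes; the PAN field uses the 12 rightmost PAN digits excluding the check digit. `main` uses the two all-F blocks from the first post, which XOR to an all-zero key, so its KCV can be compared with the 8CA64DE9 reported there.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.HexFormat;

public class PinKeyDemo {
    static final HexFormat HEX = HexFormat.of().withUpperCase();

    // XOR equal-length byte arrays: key components, or the two PIN block fields.
    static byte[] xor(byte[]... parts) {
        byte[] out = new byte[parts[0].length];
        for (byte[] p : parts) {
            if (p.length != out.length) throw new IllegalArgumentException("length mismatch");
            for (int i = 0; i < out.length; i++) out[i] ^= p[i];
        }
        return out;
    }

    // KCV (assumed method): 3DES-encrypt eight zero bytes, keep the leading bytes.
    static String kcv(byte[] key16, int bytes) throws Exception {
        byte[] k24 = new byte[24];               // JCE expects K1|K2|K3
        System.arraycopy(key16, 0, k24, 0, 16);
        System.arraycopy(key16, 0, k24, 16, 8);  // double-length key: K3 = K1
        Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k24, "DESede"));
        return HEX.formatHex(c.doFinal(new byte[8]), 0, bytes);
    }

    // Clear ISO 9564-1 format 0 block: PIN field XOR PAN field (not yet encrypted).
    static String clearPinBlock0(String pin, String pan) {
        if (!pin.matches("\\d{4,12}") || !pan.matches("\\d{13,19}"))
            throw new IllegalArgumentException("bad PIN or PAN");
        // PIN field: control nibble 0, PIN length nibble, PIN digits, F padding.
        String pinField = String.format("0%X%s", pin.length(), pin);
        pinField += "F".repeat(16 - pinField.length());
        // PAN field: 0000 + 12 rightmost PAN digits, check digit excluded.
        String panField = "0000" + pan.substring(pan.length() - 13, pan.length() - 1);
        return HEX.formatHex(xor(HEX.parseHex(pinField), HEX.parseHex(panField)));
    }

    public static void main(String[] args) throws Exception {
        // Test values taken from the thread, not production keys.
        byte[] c1 = HEX.parseHex("F".repeat(32));
        byte[] c2 = HEX.parseHex("F".repeat(32));
        byte[] masterKey = xor(c1, c2);
        System.out.println("master key KCV  = " + kcv(masterKey, 4));
        System.out.println("clear PIN block = " + clearPinBlock0("1234", "1234567890123456"));
    }
}
```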

kapilashantha rajapaksha

Jan 8, 2010, 2:59:41 AM
to jpos-...@googlegroups.com
Dear,
Yes, sorry for my mistake; I just replied to you without looking at any doc.

Thanks and regards
-kapila

Mark Salter

Jan 8, 2010, 7:38:04 AM
to jpos-...@googlegroups.com
kapilashantha rajapaksha wrote:
> It can be implemented using Java, but remember that if
> someone is auditing your system, you may fail due to less security.

For testing, no problem. When I say testing that means, test ATM, test
HSM (or software), test plastics, test money and test keys too.

Cryptography performed outside of a secure environment in a production
environment is just bad and must be avoided at all costs - a company's
reputation and financial standing would be placed at risk.
Although a security audit would find it and *fail* the system, the
'chance' of an audit should never be a consideration...

... Production Data == HSM.

--
Mark
