That's the PIN encrypted under the LMK. For more info (which isn't much) have a look in the Thales Command Reference Manual.
New Post: JA command
Hi Nick,
Thanks for the reply. Would you mind describing to me, in general, how the PIN mailers are generated?
At the moment we are utilising an ESM to generate the PINs, put them in a file and send it to our card manufacturer for them to print the PIN mailers. The ESM is very different from how the HSM works; take this for example:
Our program first sends a command to the ESM requesting a "session key"; it returns a session key and an encrypt key.
All the PIN blocks will then be generated and encrypted under the encrypt key.
The session key at the end will be attached in the PIN file and sent to them.
For me it looks like the ZPK (under LMK) on the HSM is similar to the encrypt key on the ESM, so I need to encrypt all PINs under a ZPK
and attach the ZPK in the PIN file so they can undo the PINs.
What I do not understand is:
- How will their decryption device be able to get the clear PIN to print on the mailers if they don't have our LMK?
- What would the "session key" for the HSM be here?
Thanks
DL
New Post: Confused on pin verification Process + How to Generate a pinblock for a 16Digit card
We have an ATM system in which we use TMK and TPK for the PIN encryption process.
The PIN block is generated by the encrypted keypad,
and for generation of the PIN block we give a 32 bit cipher input.
The cipher key input holds TPK Index + customer card number + LRC as input.
Once the PIN block is derived I really don't know how it is verified, and I really want to learn how the decryption process is done.
** When I look at the reference manual I don't see anywhere that a 16-digit card number is used for generating a PIN block.
In general I see a 12-digit account number is used (I am very much a noob, sorry if I am wrong anywhere),
so with a PIN block generated by the ATM device which does not have the customer's account number in it, how is it verified?
Please guide.
New Post: JA command
Like you said, all the PIN blocks are encrypted under the ZPK. Since they do have the ZPK, they can decrypt the PIN block and derive the PIN. Since you've exchanged ZMKs and created a ZPK, they don't need access to your LMKs.
Using Thales only, the batch process is like this:
- A random PIN is generated using JA.
- The PIN block is generated and saved for encoding to the card.
- The PIN is printed to a printer attached to the HSM using the PE command.
New Post: Confused on pin verification Process + How to Generate a pinblock for a 16Digit card
I'm sorry to say that I did not understand the question...?
New Post: Confused on pin verification Process + How to Generate a pinblock for a 16Digit card
Sorry for the bad language.
I am just trying to simulate an ATM system with the HSM authentication process.
In that I need some guidance on the PIN process system:
- How to create a PIN block for a 16-digit card number
- After creating a PIN block for the 16-digit number, what is the process to verify it?
New Post: Problem on VerifyTerminalPinUsingComparisonMethod
Requesting your help for a simple pin validation using thales simulator.
Below is the process I follow for using the Thales simulator.
* Please point out my mistakes
- Generated a random PIN for the card number: 5239512524895006, considering acct no as: 951252489500
  sample pin generated for the acct is 6627 and 06627 acctNo = "951252489500"
- Generate a key using A0
  Key generated (LMK):DF4216452CAC9E6672BF185B5A904403 Check value: 932ECC))
- HC to generate a session key using Key generated (LMK)
  New key (TMK): U 77F71F1B41F05FD551FAB0903A1C09A9 New key (LMK): U B7AA1FD0661DC76714C94A7550ED5F9A
- Now I generated a PIN block for PIN 6627 using New key (TMK). This is done by the encrypted keypad.
  pin block generated by EPP : 1875C09B117BB1DA pinBlk = "1875C09B117BB1DA"
- Now I try to validate the PIN using the BC command
I get an exception while calculating key length. Below is the exception:
Parameter name: length
at System.String.InternalSubStringWithChecks(Int32 startIndex, Int32 length, Boolean fAlwaysCopy)
at System.String.Substring(Int32 startIndex, Int32 length)
at ThalesSim.Core.PIN.PINBlockFormat.ToPIN(String PINBlock, String AccountNumber_Or_PaddingString, PIN_Block_Format Format) in C:\venkat\test\learnings\HSM\ThalesSim\ThalesCore\PIN\PINBlockFormat.vb:line 180
at ThalesSim.Core.HostCommands.BuildIn.VerifyTerminalPinUsingComparisonMethod_BC.ConstructResponse() in C:\venkat\test\learnings\HSM\ThalesSim\ThalesCore\HostCommands\BuildIn\VerifyTerminalPINUsingComparisonMethod_BC.vb:line 93
at ThalesSim.Core.ThalesMain.WCMessageArrived(WorkerClient sender, Byte[]& b, Int32 len) in C:\venkat\test\learnings\HSM\ThalesSim\ThalesCore\ThalesMain.vb:line 780
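As an added illustration (not code from the simulator or from any poster), this Python sketch builds and decodes a clear ISO 9564-1 format 0 PIN block for the 16-digit card number and PIN quoted in the post above; the account field is the 12 rightmost digits excluding the check digit, which is where the 12-digit account number comes from. It assumes format 0 is the format in use, the function names are hypothetical, and the TPK encryption done by the keypad or HSM is out of scope.

```python
# Added example: clear ISO 9564-1 format 0 PIN block (before TPK/ZPK encryption).
# Function names are hypothetical; sample values are the ones quoted in the post.
HEX = set("0123456789ABCDEFabcdef")

def _digits(s: str) -> bool:
    return s.isascii() and s.isdigit()

def account_field(pan: str) -> str:
    """12 rightmost PAN digits, excluding the trailing check digit."""
    if not _digits(pan) or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return pan[-13:-1]

def build_pin_block(pin: str, pan: str) -> str:
    if not _digits(pin) or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    # PIN field: control nibble 0, PIN length, PIN digits, F fill to 16 nibbles.
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    # PAN field: four zero nibbles followed by the 12-digit account field.
    pan_field = "0000" + account_field(pan)
    return f"{int(pin_field, 16) ^ int(pan_field, 16):016X}"

def extract_pin(block: str, pan: str) -> str:
    if len(block) != 16 or not set(block) <= HEX:
        raise ValueError("PIN block must be 16 hex digits")
    pan_field = "0000" + account_field(pan)
    pin_field = f"{int(block, 16) ^ int(pan_field, 16):016X}"
    control, length = pin_field[0], int(pin_field[1], 16)
    # Check control and length nibbles before slicing: a block that is still
    # encrypted, or paired with the wrong account number, fails here.
    if control != "0" or not 4 <= length <= 12:
        raise ValueError("not a clear format 0 PIN block")
    pin, fill = pin_field[2:2 + length], pin_field[2 + length:]
    if not _digits(pin) or fill.strip("F"):
        raise ValueError("PIN or fill digits are invalid")
    return pin

if __name__ == "__main__":
    pan = "5239512524895006"               # card number quoted in the post
    block = build_pin_block("6627", pan)   # PIN quoted in the post
    print(account_field(pan), block, extract_pin(block, pan))
```

The block produced here is the clear value; what the keypad returns is this value encrypted under the terminal key, so it has to be decrypted before the XOR with the account field means anything.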
New Post: Validation of Pinblock
I see a possible error:
Dim clearDBPIN As String = "0" + DecryptPINUnderHostStorage(_pinDatabase) ' the line in question: a "0" is prepended
If clearDBPIN = clearPIN Then
    mr.AddElement(ErrorCodes.ER_00_NO_ERROR)
Else
    mr.AddElement(ErrorCodes.ER_01_VERIFICATION_FAILURE)
End If
Return mr
I have a PIN, for example 1234; the PIN encrypted under LMK is 01234 (this is _pinDatabase). Then you add a "0" for comparison with the clear PIN, so 1234 = 01234 and the result is "verification failure".
Can you fix this and recompile, please?
New Post: Thales HSM Error Code 41
Hi guys, I am not sure if anybody has had this problem or if this is the appropriate place to post (CodePlex newbie):
I've tried to verify dCVV using PM HSM command (schema = 0, version = 0) with HSM simulator.
I keep getting back an Error Code 41 response and I am not sure what this means. Can anybody help in describing the possible causes for error code 41?
Thanks in advance,
New Post: Thales HSM Error Code 41
Any help would be appreciated. I am using the PM command to verify a CVV (schema = 0, version = 0), and the response has error code 41. Does anybody know what the problem might be?
New Post: Thales HSM Error Code 41
Hi Nick,
It has been some time since the first message post. Any help would be appreciated. I am using the PM command to verify a CVV (schema = 0, version = 0), and the response has error code 41. Does anybody know what the problem might be?
Having done some more digging I have found the following:
error code 41: internal hardware, software error: bad RAM, invalid error codes etc.
This is purely in a simulation environment, so it is safe to rule out any hardware issues. As far as software is concerned, I am not sure if the NTG Thales HSM library supports scheme ID = 0, version = 0. The XML definitions for host commands in the NTG simulator seem to only allow for specific values regarding scheme ID (acceptable value 1) and version (acceptable value 2). Could this be the problem?
New Post: Is the command "T" a real HSM command? How do I use it?
I am testing out the HSM simulator and I want to do symmetric encryption.
I found out the T command in the console. However I don't see such a command in the host commands list.
Is this a command supported by real HSMs ?
Can I use it to encrypt an arbitrary string ?
New Post: Clear ZMK and Clear ZMK components
How can I generate a Clear ZMK and Clear ZMK components from an encrypted ZMK ?
New Post: Generate ZMK components with GC command
Hello,
I have been using command F from the console to generate 3 clear ZMK components and then I was encrypting them using the Z command.
After that I was combining the 3 components encrypted under LMK using the GG host command: GG + COMP1 + COMP2 + COMP3. Everything is working fine with this procedure.
Now, instead of using the F and Z commands, I would like to use the new command GC to generate clear and encrypted components together.
I have tried generating the components with the following parameters:
GC -> 00 --> 2 --> 000 or 100 (tried both) --> U
and received clear and encrypted values.
However, when trying to combine them on my host using the GG command I get the GH10 response from the HSM.
My HSM is Thales 9000 using variant LMK.
What am I doing wrong?
Regards,
Yiannis
New Post: Generate ZMK components with GC command
Hi
I was having similar issues and saw in the guide that gg is superseded by 'A4'
I think that if you generate with GC then you have to combine with A4
-H
New Post: Help on BC command
I need help to understand the use of the command "BC", with respect to the parameter "PIN - The PIN from the Host database encrypted under LMK pair 02-03": how should it be passed, or rather, where does it come from?
New Post: Generate ZMK components with GC command
Hello,
It is difficult to change the code of my host from GG to A4.
Even so, I have tried to manually send the A4 command as written below but I get the error A527:
A43000U + COMP1 + COMP2 + COMP3
New Post: M0 command
Can someone please clarify if the M0 command is supported? Looking back here, it sounds like the answer is no.
Downloaded latest beta version and development version. Getting a message:
Request: 0000M0001100BU845897A154C4C6A00F2D1F350AB2C7D900100000000000001234
Parsing header and code of message 0000M0001100BU845897A154C4C6A00F2D1F350AB2C7D900100000000000001234...
Searching for implementor of M0...
No implementor for M0.
Disconnecting client.
Client disconnected.
Tks
R.
New Post: PVV generation
Hey Guys,
Have a new challenge... We had PIN encryption happening earlier with the IBM method, but now want to switch to the PVV method.
I have the clear PIN, card number and PVK.
What command should be used to generate the PVV value (PIN offset) so that the clear PIN value remains unchanged?
Cheers :)
New Post: PVV generation
Hi,
I am having the same problem, needing to transfer the PIN from an old card to a new card (we currently have an ESM which provides calculating PVV from IBM offset, but we are retiring it and that's where I came from).
What I did was use the EE command with the PIN offset to get the encrypted PIN; when trying to use the DG command to generate a PVV for the PIN,
I got a DH14 error, which, from the error code section of the manual, means the PIN encrypted under LMK pair 02-03 is invalid.
NG (decrypt the PIN) then BA (encrypt the PIN with the new card number) would work; however, the two commands are not authorized in our environment (and I don't think they want to authorise them).
Thanks,
David