Channel: thalessim Discussions Rss Feed
Viewing all 279 articles

New Post: PVV generation

Thanks David.

I got a problem solved.

I was having clear PIN with IBM method... used BA to encrypt the PIN and DG to generate PVV (Visa method) with encrypted PIN. I think you need BA if you want to generate PVV, but not sure.

I have done earlier the requirement to transfer PIN from one acct/card to another card with IBM method and used below commands. Not aware now why we decrypted and encrypted. It was long back.

But here also you can't go away from BA & NG

EE - to generate PIN
NG - Decrypt the PIN
BA - Encrypt PIN
DE - PIN offset calculation

New Post: PVV generation

Thanks Jassi,

I will see if I can get our local Thales support to have a look whether there's another way of doing it, or there can be only two ways out:
  1. Authorize BA and NG if possible.
  2. Let our customers know we are not doing it anymore.
Cheers,
David

New Post: Clear ZMK Components

Hi guys,

I have the following keys:
  • PVKA under LMK: XXXX XXXX XXXX XXXX
  • PVKB under LMK: XXXX XXXX XXXX XXXX
  • PVKA under ZMK: XXXX XXXX XXXX XXXX
  • PVKB under ZMK: XXXX XXXX XXXX XXXX
  • CVKA Under LMK: XXXX XXXX XXXX XXXX
  • CVKB Under LMK: XXXX XXXX XXXX XXXX
  • CVKA Under ZMK: XXXX XXXX XXXX XXXX
  • CVKB Under ZMK: XXXX XXXX XXXX XXXX
  • ZMK Under LMK: XXXX XXXX XXXX XXXX
  • ZMK encrypted component
    Component 1: XXXX XXXX XXXX XXXX
    Component 2: XXXX XXXX XXXX XXXX
    Component 3: XXXX XXXX XXXX XXXX
I need the three clear components for the ZMK. How can I get these keys?

ZMK clear component?
Component 1:
Component 2:
Component 3:

Thanks.

New Post: BA Command Result Vs EE Command Result

Hi Everyone,

I have used the command 'EE' with the PAN, OFFSET, PVK, Decimalization Table, Security Code and received the response Derived PIN Encrypted using LMK in the EF reply message from the HSM:
'Derived PIN Encrypted under LMK 02-03' as per the Programmer Manual of Thales.

But I really know the clear PIN, say 123456, of the card and use the BA command to decrypt the clear PIN using the above PAN used in the EE command.

Then I got the reply from the HSM:

PIN Encrypted Under LMK 02-03

But the results of the above 2 commands are not the same. Can you please clarify the difference between the results of those two commands?

Thank you

New Post: Pin encryption with ZPK

lsyeong wrote:
Hi Nick, Thanks. Will go through again. Regards, Sean

Hi Isyeong,

I know it has been more than one year since your last reply.
But could you share with me the solution for your problem?

I'm facing the same problem right now.
Someone told me that I should use "clear" key to encrypt pin on Internet Banking, so the encrypted pin can be decrypted by HSM.
He told me that I can use "encrypted" key, only if I have another HSM on Internet Banking side.

Thank you

New Post: BA Command Result Vs EE Command Result

Dear,
Currently I'm also using the EE command but facing some issues.

Actually in Command

'Message Header' = [27600000]
[None an 002 M] : 'Command Code' = [EE]
[16H/1A+32H/1A+48H M] : 'PVK' = '9FFFFFFFFFFFFFFF'
[None Hex 012 M] : 'Offset' = [6772FFFFFFFF]
[None n 002 M] : 'Check Length' = [04]
[None n 012 M] : 'Account Number' = [123243461600]
[None n 016 M] : 'Decimalization Table' = [0123456789078910]
[None an 012 M] : 'PIN Validation Data' = [1243501014N8]


In PVK, we have only 16 bytes in the command, but my base code (provided by a third party) is expecting 32 bytes. Is it dependent on HSM configuration? After the 16-byte PVK, I'm sending 16 spaces to make it 32.

I have modified the data. It may seem wrong. Just want to check if I can send a 16-byte PVK value, or whether it will depend on some configuration.

New Post: How to Generate TPK (LMK) and TPK (TMK) using the HC host command

Hi,

I need to obtain the TPK (LMK) and TPK (TMK) by sending the TMK (LMK) value using the HC command. I can connect to the simulator using the below code. However now I need to know how to send HC command along with TMK (LMK) value to the simulator and I am expecting a response of TPK (LMK) and TPK (TMK). Following is my code to connect to simulator:

string strthalesIPAddressOrHostName = "XX.XX.XX.XX";
int intthalesPort = XXXX;
ThalesSim.Core.TCP.WorkerClient thales;
string strHostCommandString;

thales = new ThalesSim.Core.TCP.WorkerClient(new System.Net.Sockets.TcpClient(strthalesIPAddressOrHostName, intthalesPort));
thales.InitOps();

// After connecting to the Simulator, How to send HC command with TMK (LMK) value and I want a response back of TPK (LMK) and TPK (TMK)

// disconnect from HSM
thales.TermClient();

Can you please provide me with the HC command or code that I need to include above to generate/obtain TPK (LMK) and TPK (TMK)?

Thanks.

New Post: HOW TO GENERATE (DERIVE) AN IPEK (IKEY) on Payshield 9000

Hi Guys,

I'm getting problems trying to derive (or create) an IPEK based on a BDK already generated.

I already read all the syntax about the A0 command for Payshield 9000, but when I try to send it using the simulator I'm getting response 29.
So, not sure if the simulator is currently supporting A0 for deriving an IPEK from BDK.

For more clarification, the following is the command I'm sending and the response I'm getting:

Input to HSM : 0000A0A302U0EDCC6D6966ADC1A3C83FE89F63BBD483FFFF9876543333E
Output from HSM : 0000A129

Sim App events output:

Request: 0000A0A302U0EDCC6D6966ADC1A3C83FE89F63BBD483FFFF9876543333E
Parsing header and code of message 0000A0A302U0EDCC6D6966ADC1A3C83FE89F63BBD483FFFF9876543333E...
Searching for implementor of A0...
Found implementor ThalesSim.Core.HostCommands.BuildIn.GenerateKey_A0, instantiating...
Calling AcceptMessage()...
Calling ConstructResponse()...
Calling ConstructResponseAfterOperationComplete()...
Attaching header/response code to response...
Sending: 0000A129
Calling Terminate()...
Implementor to Nothing
Client disconnected.

Can you guys give me some light here?


Thanks!!

New Post: DES encryption on PIN Block creation

Hi, I'm a newbie in the HSM field; I didn't know about this until I got this project.
I will write an app in Java that acts like an ATM.

After reading on this board, I think I need these steps:
For the first time, I need to create the PIN block. It's constructed by PIN XOR PAN (both in ISO 9564 format 0),
then encrypted in DES/ECB/NoPadding with the TAK as key.
But DES encryption gives more than 16 hex chars as result.
I look at DES.vb (byteDESEncrypt()) at this link, and found this code:

csMyCryptoStream = New CryptoStream(outStream, desProvider.CreateEncryptor(bKey, bNullVector), CryptoStreamMode.Write)
csMyCryptoStream.Write(bData, 0, 8)

In my mind,
the result from encryption is more than 16 hex chars, but it grabs from the first byte until the 8th byte,
so converted to hex it is 16 hex chars as result.
Is it right?

Please advise if I'm in the wrong direction.

Note: I use Thales sim V0.9.6

New Post: IMPORTING PVK Keys using the Simulator

Hi, I am trying to import PVK keys from our HSM test environment using the simulator. When I am trying to generate cards, I am getting a "cannot generate pvv." error message. How can I check if I am importing the correct keys? Your response will be of great help. Thank you.

-des

New Post: Pin Mailer Printing using the Simulator

Hi,

I would like to ask how to print pin mailers (serial port) using the Thales Simulator?

Thank you.

New Post: multiple threads on single tcp connection?

A question on scaling:

Our implementation receives front end calls, and sends CI command to HSM for PIN translation under ZPK. It is working very well on single sequential requests.

Now we will have higher volume of requests, and asking guidance on building the scalability from messages arriving from a thread pool. Currently we use a static WorkerClient with MessageArrived delegate event handler.

As the responses from HSM do not carry any source request reference number, how is it possible to tie back the CJ response to the original request?

In light of this, we see these available options:
1) open new tcp connection for each front end call, or

2) keep open a single tcp connection
  • by using a synchronous blocking receive mode, or
  • with async delegate by building an internal queueing mechanism
I'd be connecting to an RG7900 in production, but simply unsure of its per translation latency and/or TCP client connection scalability (I see the simulator is set to 5 clients by default).

Many Thanks
Tozzi

New Post: multiple threads on single tcp connection?

After brief investigation, it seems the header can be used to track requests and match up with responses?
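
A sketch of header-based matching for a single shared connection, added here as an example; it is not code from the thread or from the simulator. It assumes a 4-character numeric header, as in the sample messages on this page (0000, 1234, 0004), and that the response echoes the request header, as the simulator logs show; the class and function names are hypothetical.

```python
import itertools
import threading

HEADER_LEN = 4  # assumption: 4-character header, as in the samples 0000/1234/0004


def response_code(command_code):
    """Response code is the command code with its second character advanced by
    one (BI -> BJ, CI -> CJ, EE -> EF, A0 -> A1), as in the logs on this page."""
    return command_code[0] + chr(ord(command_code[1]) + 1)


class HeaderCorrelator:
    """Tracks in-flight requests on one connection, keyed by message header."""

    def __init__(self):
        self._lock = threading.Lock()
        self._counter = itertools.count()
        self._pending = {}  # header -> (expected response code, caller context)

    def wrap(self, command_code, body, context):
        """Return the message to send, tagged with a header not in flight."""
        with self._lock:
            if len(self._pending) >= 10 ** HEADER_LEN:
                raise RuntimeError("all headers in flight")
            while True:
                n = next(self._counter) % 10 ** HEADER_LEN
                header = "%0*d" % (HEADER_LEN, n)
                if header not in self._pending:
                    break
            self._pending[header] = (response_code(command_code), context)
        return header + command_code + body

    def match(self, response):
        """Return (context, error_code, data); raise if the response is
        unsolicited or carries the wrong response code for its header."""
        header = response[:HEADER_LEN]
        code = response[HEADER_LEN:HEADER_LEN + 2]
        error = response[HEADER_LEN + 2:HEADER_LEN + 4]
        with self._lock:
            entry = self._pending.get(header)
            if entry is None:
                raise KeyError("no request in flight for header " + header)
            expected, context = entry
            if code != expected:
                raise ValueError("header %s: expected %s, got %s" % (header, expected, code))
            del self._pending[header]
        return context, error, response[HEADER_LEN + 4:]
```

Rejecting responses whose header is unknown or whose response code does not match keeps one caller's translated PIN block from being handed to another caller when replies arrive out of order.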

New Post: HOW TO GENERATE (DERIVE) AN IPEK (IKEY) on Payshield 9000

Hi...

It looks like you're missing a parameter, DUKPT master key type, and the BDK key scheme

Can you try
0000A0A302U01UEDCC6D6966ADC1A3C83FE89F63BBD483FFFF9876543333E


That's
0000A0A302U0 1U EDCC6D6966ADC1A3C83FE89F63BBD483FFFF9876543333E
1= for example, BDK-type1,
U= key scheme

New Post: Pinblock translation from single DES to triple DES

Hi,

I have a pin block encrypted under single length key, and I can translate the pin block under another double length key to encrypted under triple DES, using host commands SC/CC.

Do we have console command to perform that? Or any other method we can do that in console? Not using host command due to limited access to console only.

Thanks.

New Post: multiple threads on single tcp connection?

Yes, resolved. Working smoothly.

New Post: static (clear) BDK?

We generate a BDK using BI command, and console shows:
 
Request: 1234BI;UU0
MAJOR>>>Parsing header and code of message 1234BI;UU0...
MAJOR>>>Searching for implementor of BI...
MAJOR>>>Found implementor ThalesSim.Core.HostCommands.BuildIn.GenerateBDK_BI, instantiating...
MINOR>>>=== [BI], starts 13:30:54.738 =======
MAJOR>>>Calling AcceptMessage()...
MINOR>>>[Key,Value]=[Delimiter,;]
[Key,Value]=[Key Scheme LMK,U]
[Key,Value]=[Reserved,U]
[Key,Value]=[Reserved 2,0]

MAJOR>>>Calling ConstructResponse()...
MINOR>>>New BDK (clear): EF3D7A252AA8EAF82919E6C4D99EC86B
MINOR>>>New BDK (LMK): U243095316AC1757907565118B441BB31
MAJOR>>>Calling ConstructResponseAfterOperationComplete()...
MAJOR>>>Attaching header/response code to response...
MAJOR>>>Sending: 1234BJ00U243095316AC1757907565118B441BB31
MINOR>>>=== [BI], ends 13:30:54.748 =======
 
In our implementation, we use this clear BDK in pin pad and an initial KSN to generate per device IPEK.

Pin pad sends 3DES encrypted pinblock in Ansi9.8 ISO-0 to server with KSN, and we pass to Thales using command CI which translates successfully:
MAJOR>>>Calling AcceptMessage()...
MINOR>>>[Key,Value]=[Account Number,999999999999]
[Key,Value]=[BDK,243095316AC1757907565118B441BB31]
[Key,Value]=[BDK Scheme,U]
[Key,Value]=[Destination PIN Block Format Code,01]
[Key,Value]=[Encrypted Block,7C6E2C03F30AADBF]
[Key,Value]=[Key Serial Number,FFFF0123456789E00002]
[Key,Value]=[KSN Descriptor,605]
[Key,Value]=[ZPK,450CF23F70F182EB]

MAJOR>>>Calling ConstructResponse()...
MINOR>>>Clear source BDK: UEF3D7A252AA8EAF82919E6C4D99EC86B
MINOR>>>Clear target ZPK: 5E752CA43194A8F4
MINOR>>>Clear PIN Block: 04551E6666666666
MINOR>>>Clear PIN: 5587
MINOR>>>New clear PIN Block: 04551E6666666666
MINOR>>>New crypt PIN Block: 4A2D6BFA62BB9866
MAJOR>>>Calling ConstructResponseAfterOperationComplete()...
MAJOR>>>Attaching header/response code to response...
MAJOR>>>Sending: 0004CJ00044A2D6BFA62BB986601
MINOR>>>=== [CI], ends 13:31:46.154 =======
 
However, if we restart server calling BI again, it generates a new clear BDK and the translation of pin block fails:
MAJOR>>>Parsing header and code of message 0004CIU90AB1164E510816161D4D74C312A83C41CC5DB1D37156A0B605FFFF0123456789E000027C6E2C03F30AADBF01999999999999...
MAJOR>>>Searching for implementor of CI...
MAJOR>>>Found implementor ThalesSim.Core.HostCommands.BuildIn.TranslatePINFromDUKPTToZPK_CI, instantiating...
MINOR>>>=== [CI], starts 13:32:27.154 =======
MAJOR>>>Calling AcceptMessage()...
MINOR>>>[Key,Value]=[Account Number,999999999999]
[Key,Value]=[BDK,90AB1164E510816161D4D74C312A83C4]
[Key,Value]=[BDK Scheme,U]
[Key,Value]=[Destination PIN Block Format Code,01]
[Key,Value]=[Encrypted Block,7C6E2C03F30AADBF]
[Key,Value]=[Key Serial Number,FFFF0123456789E00002]
[Key,Value]=[KSN Descriptor,605]
[Key,Value]=[ZPK,1CC5DB1D37156A0B]

MAJOR>>>Calling ConstructResponse()...
MAJOR>>>Exception while processing message
System.ArgumentOutOfRangeException: Index and length must refer to a location within the string.
Parameter name: length
at System.String.InternalSubStringWithChecks(Int32 startIndex, Int32 length, Boolean fAlwaysCopy)
at ThalesSim.Core.PIN.PINBlockFormat.ToPIN(String PINBlock, String AccountNumber_Or_PaddingString, PIN_Block_Format Format) in C:\Users\Documents\ThalesSim.Src.0.9.6\ThalesCore\PIN\PINBlockFormat.vb:line 177
at ThalesSim.Core.HostCommands.BuildIn.TranslatePINFromDUKPTToZPK_CI.ConstructResponse() in C:\Users\Documents\ThalesSim.Src.0.9.6\ThalesCore\HostCommands\BuildIn\TranslatePINFromDUKTPToZPK_CI.vb:line 108
at ThalesSim.Core.ThalesMain.WCMessageArrived(WorkerClient sender, Byte[]& b, Int32 len) in C:\Users\Documents\ThalesSim.Src.0.9.6\ThalesCore\ThalesMain.vb:line 778
MAJOR>>>Disconnecting client.
 
Our work suggests pin pad is initialised with static clear BDK, and BDK should not change.

Why does the simulator create a new clear BDK each time, and does a production Thales HSM also demonstrate this behaviour? Or, is there a BDK under LMK that should be used for IPEK generation?

Many thanks!
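
An added example (not part of the posts or of the simulator's code) covering both the ISO 9564 format 0 construction asked about in the DES encryption post (PIN field XOR account field) and the failure in the second CI log: a block decrypted under the wrong key is arbitrary data, so a parser has to validate the format and length nibbles before taking substrings. The PIN, account number and clear PIN block are the values from the first CI log; the garbage block is constructed, and the function names are hypothetical.

```python
import string

ACCOUNT = "999999999999"  # 12-digit account number field from the CI log


def _is_hex16(s):
    return len(s) == 16 and all(c in string.hexdigits for c in s)


def _xor_hex(a, b):
    return "%016X" % (int(a, 16) ^ int(b, 16))


def build_iso0(pin, account12):
    """(0 | PIN length | PIN | F fill) XOR (0000 | 12 account digits)."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 decimal digits")
    if not (account12.isascii() and account12.isdigit() and len(account12) == 12):
        raise ValueError("account number field must be 12 decimal digits")
    pin_field = ("0%X%s" % (len(pin), pin)).ljust(16, "F")
    return _xor_hex(pin_field, "0000" + account12)


def parse_iso0(clear_block, account12):
    """Return (pin, None) or (None, reason); never raises on a garbage block."""
    if not (_is_hex16(clear_block) and _is_hex16("0000" + account12)):
        return None, "block or account field is not 16 hex characters"
    field = _xor_hex(clear_block, "0000" + account12)
    if field[0] != "0":
        return None, "format nibble is %s, not 0" % field[0]
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        return None, "PIN length nibble %d out of range" % length
    pin, fill = field[2:2 + length], field[2 + length:]
    if not pin.isdigit():
        return None, "PIN digits are not decimal"
    if fill.strip("F"):
        return None, "fill is not all F"
    return pin, None


if __name__ == "__main__":
    print(build_iso0("5587", ACCOUNT))              # values from the first CI log
    print(parse_iso0("04551E6666666666", ACCOUNT))
    print(parse_iso0("D3A1F09C4B7E2518", ACCOUNT))  # constructed garbage block
```

Returning a reason instead of throwing lets the caller answer with an error code and keep the connection open when the key, KSN or account number does not match the encrypted block.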

New Post: static (clear) BDK?

Hi tozzi21

my understanding is that the BDK should be used to generate an IPEK on the HSM based on the KSN. the IPEK is then loaded on the terminal

the IKEY can be exported under a previously agreed transport key

on the terminal, a new key is generated based on the IPEK and KSN to encrypt a PIN block. the original, encrypted BDK, the KSN and encrypted PIN block can then be supplied to an HSM to translate

NB: in production, you'd never have access to a clear BDK

New Post: static (clear) BDK?

Hello hexdrill

online reading e.g. http://stackoverflow.com/questions/17362567/how-ciphertext-was-generated-in-card-reader-using-dukpt-encryption discusses the process though never specifies where BDK/KSN/IPEK generation actually takes place.

interestingly, my reader expects me to provide a BDK and initial KSN, and will then generate the IPEK itself. it therefore assumes we have access to the clear BDK. now it sense that we will not have access to clear BDK, and we might need to change the firmware.

does command OC (or A2) print clear BDK to an attached printer, or is BDK only ever exposed under LMK 28-29?

i've been unable to find any reference on generating IPEK on HSM. any experience or guidance?

many thanks!

New Post: static (clear) BDK?

going over Thales 9000 documentation shows command A0 with ability to derive key IPEK (IKEY). it allows selection of type of BDK (type 1 bidirectional vs 2 unidirectional), and specifying the KSN.

simulator does not support this A0 function for IPEK when sending: 0000A0A302U01... seems to be expecting ZMK even though not needed (only required if mode = '1' or 'B').

yet, our production system employs only Thales 8000.

any guidance on generating IPEK/IKEY?