Channel: Thales Simulator Library

New Post: How to interact with HSM using JAVA

Hi,

I am new to Thales Simulator. I am trying to send a message to Thales Simulator console using my Java code. Problem is it is connected and all but I am not getting any response back from Thales Simulator in my Java code.

Do I need to do any additional configuration while setting up the Thales Simulator library?
Below is the code I have picked up from one of the discussion threads.

package thales;

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.net.Socket;

public class TestHSMJava {
    public static void main(String args[]) {
        System.out.println("<<< Main Method Entry >>>");
        String command = null;
        Socket socket = null;
        DataOutputStream out = null;
        DataInputStream in = null;
        byte[] b = new byte[100];
        try {
            socket = new Socket("localhost", 9997);
            System.out.println("<<< Socket >>> :" + socket);
            if (socket != null) {
                System.out.println("<<< Connected to HSM  >>>:"
                        + socket.isConnected());
                in = new DataInputStream(new BufferedInputStream(socket.getInputStream()));
                out = new DataOutputStream(new BufferedOutputStream(socket.getOutputStream()));
                command = "000b3030303041303030303255";
                out.writeUTF(command);
                System.out.println("Input to HSM : " + command);
                out.flush();
                String response = in.readUTF();
                System.out.println("Output from HSM : " + response);
                System.out.println("");
            }
        } catch (Exception exception) {
            System.err.println("exception...exception : " + exception.getMessage());
        } finally {
            System.out.println("Complet..now get out");
        }
    }
}


Regards,
Amrutansu

New Post: How to interact with HSM using JAVA

Hi!

Why do you need to send HOST command to HSM console? Use 9998 port to send it to host.

Regards,
Juris
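
Added example, not code from the thread or from the Thales Simulator project: the hex string in the question decodes to a 2-byte length followed by the ASCII text "0000A00002U", and this sketch shows that frame next to what writeUTF() actually puts on the wire for the same string. The 4-character message header, the "A1" response code followed by a two-character error code, the class and method names and the canned reply are assumptions made for illustration; Java 17+ is assumed for HexFormat.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.HexFormat;

public class HostFrameDemo {
    // Wire frame: 2-byte big-endian length, then ASCII message header + command code + fields.
    static byte[] frame(String header, String command) throws IOException {
        byte[] body = (header + command).getBytes(StandardCharsets.US_ASCII);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeShort(body.length);
        out.write(body);
        return buf.toByteArray();
    }

    // Sends one framed command and reads one framed reply; the streams may come from a Socket.
    static String exchange(OutputStream to, InputStream from, String header, String command) throws IOException {
        to.write(frame(header, command));
        to.flush();
        DataInputStream in = new DataInputStream(from);
        byte[] reply = new byte[in.readUnsignedShort()];
        in.readFully(reply);
        return new String(reply, StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws IOException {
        HexFormat hex = HexFormat.of();
        // The hex string in the question is this frame: length 000b, then "0000A00002U".
        System.out.println("frame on the wire:    " + hex.formatHex(frame("0000", "A00002U")));

        // writeUTF(hexString) sends something else: length 26, then the hex digits as text.
        ByteArrayOutputStream utf = new ByteArrayOutputStream();
        new DataOutputStream(utf).writeUTF("000b3030303041303030303255");
        System.out.println("writeUTF on the wire: " + hex.formatHex(utf.toByteArray()));

        // Constructed reply (header, response code, error code), not captured from a simulator.
        byte[] canned = frame("0000", "A115");
        ByteArrayOutputStream sent = new ByteArrayOutputStream();
        String reply = exchange(sent, new ByteArrayInputStream(canned), "0000", "A00002U");
        System.out.println("header=" + reply.substring(0, 4) + " response=" + reply.substring(4, 6)
                + " error=" + reply.substring(6, 8));
    }
}
```

With a live simulator, the same exchange() call takes socket.getOutputStream() and socket.getInputStream() for a socket opened on the host port named in the reply above.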

New Post: Online Banking Authentication

Hello Everyone,

I would really appreciate getting some help in regards to the following:-

I have an online banking application where customers can register using card number and PIN code (only at the registration process). I want to encrypt the entered clear PIN using TPK or ZPK and send the encrypted pin block to third party application that will verify user's PIN.

1) Do I need to generate PIN block from my application? or HSM can generate one for me?
2) How to encrypt PIN block? do I need to connect to HSM or I can do it from software level?
3) In case using the HSM to encrypt PIN block, do I need the clear ZPK or the encrypted one?
4) In case using software to encrypt PIN block, do I need clear or encrypted ZPK ?

Note: we are using payshield 9000.

Thanks,
HS

New Post: How to interact with HSM using JAVA

Are you able to connect your Hardware????

Your connection is OK. Verify your HSM server IP/Port correctly and try to send Command in Uppercase.

__
HsmFirst

New Post: Online Banking Authentication

Hi!

If you want to use HSM to encrypt PINs you need:

1) The CS (security) parameter "Select clear PINs" must be YES, it will allow clear PIN commands;
2) When customer enters PIN and PAN you should encrypt it under LMK first using BA host command;
3) After, you will be able to translate PIN from LMK encryption to ZPK using BQ command. You will be able to select the PIN block format you want to use.

If you want to encrypt PIN by application without HSM you will need:
1) Generate plain text ZPK component using KG console command (key type 001). This component will be used as key in application;
2) Encrypt key under LMK using FK console command. This encrypted key will be used to decrypt PIN block using HSM;

Your application will need to do the following:
1) Combine the PIN-block, for example EMV'96. The format of EMV'96 PIN-block is as follows (the example PIN is 1234):
241234FFFFFFFFFF
First digit points to ISO standard PIN block format (ISO-2), second digit is PIN length in HEX format (4 - C), after comes PIN itself and padding with F character till length of 8 bytes;
2) Just encrypt the 8 byte PIN-block with ZPK component. Do not add additional padding block. The result must be 8 bytes long.

Regards,
Juris

New Post: How to interact with HSM using JAVA

I was just trying to connect to HSM by giving any dummy command. I had opened the console from Thales Simulator and was trying to connect to the console at the same time from Java. The problem is resolved now.

Thanks,
Amrutansu

New Post: PIN BLOCK ENCRYPTION

Hi,

I am new to HSM. Can anyone point out how I encrypt a pin block using HSM.
I am trying to achieve this using JAVA.

I have tried to use command BA to do this. BA has been mentioned in the list of HSM commands.
Say I have a pin block 4492. I want to encrypt it using HSM.
Can anyone provide some pointers to help me?

Thanks,
Amrutansu

New Post: PIN BLOCK ENCRYPTION

Hi!

First, the HSM does not use plain keys. The keys (ZPK) always are encrypted under LMK which must be installed on HSM. So, the first thing you should do in your Java code, you need to decrypt the ZPK key from under LMK (DESede/ECB/NoPadding).

ZPK is encrypted with the 06-07 LMK pair. If you use Thales Variant Test LMK the value of that pair will be:
616161616161616170707070707070706161616161616161
To not use the "Variants" of LMK you can use single length ZPK. You will not require to do any chemistry with LMK key for each key part. Single length keys with Variant 0 are encrypted like ANSI x9.17 (common 3DES).

The HSM applies only PINs encrypted under LMK. Unfortunately, the algorithm is unknown and Thales keeps it in secret :( But you can just pad clear PIN with zeroes in your Java code like it is implemented in "Thales Simulator Library". To verify the result of PIN encryption on HSM you can encrypt your PIN under LMK using "BA" host command.

After that you can combine PIN-block, for example EMV'96 (34). The description of that PIN block you can find in the following topic: https://thalessim.codeplex.com/discussions/572135

It will look like
244492FFFFFFFFFF
This PIN block can be encrypted using your decrypted ZPK with "DESede/ECB/NoPadding" method.

The result can be verified using "JG" host command.

Regards,
Juris

New Post: Online Banking Authentication

Hello Juris,

Thank you very much for your explanation.

I am sorry but it seems my message was not clear enough. When we issue a card for customer, we generate random PIN that can be used at the ATM.
The cardholder will register at online banking using his card and PIN (so we are not planning to issue new PIN for him).

My application will communicate to our Switch "through a web service call" and should pass PIN block and card ("the switch will connect to the HSM and validate")
My question here, how to generate encrypted PIN block? do I need to store clear ZPK? or I need to connect to HSM and encrypt PIN block using encrypted ZPK?

I would appreciate if you tell me about the exact flow.

Thanks for your collaboration.

Regards,
HS

New Post: Online Banking Authentication

Hello,

The best way is to use HSM on both sides if you are working with PIN codes. It is PCI-DSS requirement. The flow will be as follows:

1) Store encrypted ZPK under LMK on e-banking side. On switch side should be used the same ZPK key but under appropriate LMK. You can verify if key is the same using CK console command. It will return key check value. On both sides ZPK must have the same check value.

2) When customer enters PIN and PAN on e-banking side you should first encrypt PIN under LMK using BA host command. Note, the HSM Security parameter "Select clear PINs" must be "Yes" to use that command. The received PIN under LMK will have length which is defined in "Encrypted PIN length" HSM Security parameter.

Encrypted PIN length is always 1 digit longer than "PIN length" parameter

3) When you have the PIN under LMK you can translate it from LMK to ZPK encryption using JG host command. The result PIN-block will be 8 bytes long (16 characters). The best choice of PIN-block to use is ISO-9564 format 0 (01).

4) Send PIN-block to switch.

5) I am not sure what do you mean about "the switch will connect to the HSM and validate".

Regards,
Juris

New Post: Online Banking Authentication

Hello Juris,

I mean e-banking application will generate the PIN block and pass it to the switch over a web service call. The switch will verify received data and validate the PIN.

When using "BA" command, I need to pass clear PIN and PAN, is it recommended to pass clear PIN over TCP/IP to the HSM?

Thanks,
HS

New Post: ATM Terminal Master Key - TMK

Hello,

As per PCI-DSS standard, keys have to be encrypted and clear keys should not be stored anywhere inside the application.

In this case, why the ATM is storing clear TMK (entered by a supervisor at the ATM )?
So why storing clear key part of the application is not allowed where keeping a clear TMK at the terminal level is accepted?

Thanks,
HS

New Post: Online Banking Authentication

Hi,

I am not sure what actually you need to implement, but if you want to generate new PINs you can use JA host command. It will return PIN encrypted under LMK. After you can translate PIN under ZPK encryption using JG host command.

Regards,
Juris

New Post: Unable to decrypt PIN block

Hi,

I am having a problem where I have to integrate with a system which uses a Thales HSM (I believe it is an 8000).
The problem is that I need to generate and encrypt a pin block with the "ZPK under ZMK clear component" shared by them, but they are unable to decrypt it.
I am doing the following to generate the pin block:
  1. Forming the pin block according to ISO Format 0.
    eg: if pin is 1234 then pinblock = (041234FFFFFFFFFF) xor (PAN)
  2. Encrypting the pinblock with the ZPK using 3DES
The 3rd party is doing a pin translation using CC command but are unable to do so with the encrypted pin block generated.

Thanks for the help in advance

New Post: ATM Terminal Master Key - TMK

Hi,

The ATMs and POS terminals store keys in secure environment in PIN pad. It is allowed by PCI-DSS.

Regards,
Juris

New Post: Unable to decrypt PIN block

Hi,

The 3rd party have shared ZPK under ZMK and ZMK component with you. First, you should decrypt the ZPK key from under ZMK. Only after that you can use ZPK to encrypt PIN block.

Also, if you have already decrypted ZPK and encrypted PIN-block under clear ZPK, and the 3rd party is unable to decrypt that PIN-block, ask them what key scheme they have used to export ZPK under ZMK. They have to export ZPK in ANSI x9.17 scheme for you to make decryption on your side easier without any "Thales Variants".

Regards,
Juris
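
Added example, not code from the thread or from the Thales Simulator project: the software path described in the replies above (recover the ZPK from under the ZMK with DESede/ECB/NoPadding, form the PIN block, encrypt exactly 8 bytes with no padding), covering both the ISO format 0 layout from this question and the ISO format 2 layout quoted earlier. The ZMK, ZPK, PAN and PIN are constructed test values, the class and method names are hypothetical, and the check value is assumed to be the first three bytes of an all-zero block encrypted under the key; Java 17+ is assumed for HexFormat.

```java
import java.util.Arrays;
import java.util.HexFormat;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class PinBlockDemo {
    static final HexFormat HEX = HexFormat.of().withUpperCase();

    // Control nibble + PIN length nibble + PIN digits (4 to 12), filled with F to 16 hex characters.
    static String layout(char format, String pin) {
        return (format + Integer.toHexString(pin.length()) + pin + "FFFFFFFFFF").substring(0, 16).toUpperCase();
    }

    // ISO format 0: the layout with control nibble 0, XORed with 0000 followed by
    // the 12 rightmost PAN digits excluding the check digit.
    static byte[] iso0(String pin, String pan) {
        byte[] block = HEX.parseHex(layout('0', pin));
        byte[] panPart = HEX.parseHex("0000" + pan.substring(pan.length() - 13, pan.length() - 1));
        for (int i = 0; i < 8; i++) block[i] ^= panPart[i];
        return block;
    }

    // DESede/ECB/NoPadding as named in the thread. JCE needs 24 key bytes, so a
    // double-length key K1|K2 becomes K1|K2|K1. Data must be a multiple of 8 bytes.
    static byte[] tdes(int mode, byte[] key, byte[] data) throws Exception {
        if (key.length != 16 && key.length != 24) throw new IllegalArgumentException("key must be 16 or 24 bytes");
        byte[] k24 = Arrays.copyOf(key, 24);
        if (key.length == 16) System.arraycopy(key, 0, k24, 16, 8);
        Cipher cipher = Cipher.getInstance("DESede/ECB/NoPadding");
        cipher.init(mode, new SecretKeySpec(k24, "DESede"));
        return cipher.doFinal(data);
    }

    // Key check value (assumed definition): first 3 bytes of an encrypted all-zero block.
    static String kcv(byte[] key) throws Exception {
        return HEX.formatHex(tdes(Cipher.ENCRYPT_MODE, key, new byte[8]), 0, 3);
    }

    public static void main(String[] args) throws Exception {
        // Constructed test values only; nothing here comes from the thread or a real system.
        byte[] zmk = HEX.parseHex("0123456789ABCDEFFEDCBA9876543210");
        byte[] zpkUnderZmk = tdes(Cipher.ENCRYPT_MODE, zmk, HEX.parseHex("2A3B4C5D6E7F8091A2B3C4D5E6F70819"));
        // Step 1: recover the ZPK from under the ZMK (X9.17 scheme, no variants).
        byte[] zpk = tdes(Cipher.DECRYPT_MODE, zmk, zpkUnderZmk);
        System.out.println("ZPK check value: " + kcv(zpk));
        // Step 2: build the clear PIN block, then encrypt exactly 8 bytes under the ZPK.
        byte[] clear = iso0("1234", "4000001234567899");
        System.out.println("ISO-0 clear: " + HEX.formatHex(clear) + "  under ZPK: " + HEX.formatHex(tdes(Cipher.ENCRYPT_MODE, zpk, clear)));
        System.out.println("ISO-2 clear: " + layout('2', "1234"));
    }
}
```

Comparing the printed check value with the one the other party reports for the same ZPK shows whether the key was recovered correctly before any PIN block is exchanged.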

New Post: How to interact with HSM using JAVA

Hi Amrutansu,

Did you manage to send command to simulator or do you need further assistance?

Regards,
Juris

New Post: Unable to decrypt PIN block

Thanks Manshtein for the reply,

I will find out the details and post here

New Post: ATM Terminal Master Key - TMK

Hello,

Thanks for your answer.

The PIN pad is used when entering the key, but the ATM stores the TMK in clear format and anyone who has access ("supervisor") can get the clear key.

Thanks,
HS

New Post: Online Banking Authentication

Hello,

My requirement is very simple, I want to authenticate the cardholder using his ATM card and PIN through e-banking.
The e-banking application has to call a web service "provided by switch" to validate the PIN. One of the parameters to pass is the encrypted PIN block under ZPK.

My question, what is the best way to achieve this? How to generate encrypted PIN block?

You have suggested to use BA & JG commands. Using the BA command has some risk behind it since you have to pass clear PIN over TCPIP, right?

I believe that our security team will not accept using this command, so what are the other options?

Thanks,
HS