Check TPK

Oct 25, 2010 at 9:55 AM
Hi, I'm trying to check the TPK under which ZMK it's created. I include the thalescore.dll to my dot net application and trying to find it inside the clsses in the thalessim simulater but I couldn't.
Oct 25, 2010 at 10:20 AM

You cannot directly check under which ZMK your TPK has been created because DES encryption does not work in that way. When you encrypt a TPK under a ZMK you are supposed to make a note of which ZMK you have used.

Oct 25, 2010 at 10:55 AM
the issue is I will have multi ZMK in my HSM 9000 then I will create a TPK's under these ZMK's to send the end user request to the specific location. so I need to understand how to know if that TPK is in my ZMK list .
Oct 25, 2010 at 11:19 AM

I think you're a bit confused. There's no notion of your TPK being in the ZMK list. Any TPK can be encrypted under any ZMK and the result is always a new hexadecimal key. There are no meta-data so there is no way for the crypto (or anyone else for that matter) to know that which TPK has been encrypted under which ZMK - other than to make a note of it during the encryption process.

I don't know if that helped. If not, please post again but be more descriptive about what you did and what you want to achieve.

Oct 25, 2010 at 12:30 PM
oky just to be cleared, I will work as a bank switch, all of my matter is to know how to verify the encrypted message coming from POS to which bank it should go ?
Oct 25, 2010 at 12:56 PM

If you're switching from POS devices you're driving to multiple banks, you're in an acquirer/processor scenario. Typically, there will be a security zone between the POS terminals and your switch and a security zone between the switch and each bank. Switches do not make their routing decisions based on cryptography but rather based on other criteria (like the BIN of the card requesting a transaction, the type of transaction, the originating terminal and others). As such, the switch first decides where to send a transaction. It then translates the encrypted PIN from the POS-switch zone to the switch-bank zone. In order to do that, the switch knows the PIN key used by the terminal at the POS zone and the PIN key used by the bank at the switch-bank zone. It then calls the appropriate PIN translation functions of an HSM.

The above process can have variations. Some switches implement one or two additional security zones - for example, a security zone between the terminal driving application and the switch itself may be present after the security zone between the POS terminals and the switch. What I described above highlights the processing that takes place.

Regarding your question, what I'm trying to say is that the switch should know beforehand how to translate cryptographic information that appears in a message between zones. This is typically done via configuration - for example, for the security zone between the switch and a bank, the switch will need to know beforehand the encrypted value of the zone master key (ZMK) in order to dynamically create a zone pin key (ZPK) and maybe also create new ZPKs in regular time intervals via key exchanges.

I hope this helps. If it does not, send me a private message if you think I can offer additional assistance.

Oct 25, 2010 at 1:05 PM

oky all of this are clear,

but now what I realy need to translate all of this to a code using or JAVA methods, using the ThalesCore.dll

Oct 25, 2010 at 1:08 PM

ThalesCore.dll mostly implements an HSM simulator. If you just need to send host commands to an actual HSM using ThalesCore.dll, please have a look at this wiki article. Does this help?

Oct 25, 2010 at 1:51 PM

hi nickntg

actually it's not so clear to me,


oky I connect and all of that, but to do what I need I didn't got it, can you please help me more ????

Oct 25, 2010 at 2:02 PM

Once you connect, you can use the send method to send host commands. For example, if you've instantiated a thales object as in the wiki example, using thales.send("1234B200100123456789ABCDEF") will send an echo test command (B2) to the HSM or the simulator. As you see ThalesCore.dll does not contain any methods that build host commands for you - you have to create them yourself.

Oct 25, 2010 at 2:46 PM


now you send this command "1234B200100123456789ABCDEF"

what is it mean ???

Oct 25, 2010 at 3:54 PM

It is an echo test command. The HSM or the simulator should respond with the same data you're sending.

Header = 1234

Command code = B2

Data length = 0010 (hex)

Data = 0123456789ABCDEF

Oct 26, 2010 at 9:50 AM
Edited Oct 26, 2010 at 12:03 PM

thank you soooooooooooooooo much


now I start understanding the things how it goes, but one last question hoping not linking to another question.

Data = 0123456789ABCDEF it's encrypted data, what is the encryption format is it ASCII or EBCDIC ?

Oct 26, 2010 at 10:51 AM

In this particular case (echo test) this is not encrypted data. Generally, host commands that pass encrypted keys use hexadecimal ASCII.