pinblock descripcion

Apr 28, 2011 at 6:33 PM

1) command: F

Clear ZMK Component: EC85 4523 7C04 8C86

Encrypted ZMK Component: 5C8E 7A3E F98B F366

Key check value: 86BF 6A


2) command: F

Clear ZMK Component: D020 FB7A 0220 7F68

Encrypted ZMK Component: CF2C 406D 2F13 1060

Key check value: F7AF 51

3) command: F

Clear ZMK Component: FD92 C11F 1F57 C1CE

Encrypted ZMK Component: CE80 EAA6 2B78 7C3E

Key check value: 8AEA D9


4) command: D

Enter number of components (2-9): 3

Enter encrypted component #1: 5C8E7A3EF98BF366

Enter encrypted component #2: CF2C406D2F131060

Enter encrypted component #3: CE80EAA62B787C3E

Encrypted key: 370C A80B 47E0 FA37

Key check value: 8C47 53


5) command: KG  (the simulator has not implemented the command B)

Key length [1,2,3]: 1

Key Type: 000

Key Scheme (LMK): 0

Key Scheme (ZMK) [ENTER FOR NONE]: 0

Enter encrypted ZMK [ENTER FOR NONE]: 370CA80B47E0FA37

Enter ZMK check value [ENTER TO SKIP CV TEST]: 8C4753

Key under LMK: AF3C AC31 23CE 3878

Key encrypted for transmission: F04CDB6650F6A457

Key check value: 9125 16

6) Additional information:
PAN Account = 8802430100000019
PIN                = 1234
pinblock sent by ATM = B680B85536878A85
format pinblock = ANSI X.98
simple DES encryption
I am a user who is connected to an ATM network, and I need to validate the pinblock, finding the pin in clear and check my database if it is correct. format or message that I send to the simulator to achieve pinblock decipher? 
Apr 28, 2011 at 6:58 PM

Step 5 generates a key of type 000 which is another ZMK. Why do you do that?

If you are doing issuing with transactions switched-in from another network, you would want to create a ZPK to give to them, which is key type 001.

Apr 28, 2011 at 6:58 PM

BTW, can you please continue the discussion on the same thread instead of creating a new discussion thread for each reply?

Apr 28, 2011 at 7:28 PM


ok, I have generated the key again in step 5, I will send to the bank to generate a new pinblock and continued testing

Key length [1,2,3]: 1
Key Type: 001
Key Scheme (LMK): 0
Key Scheme (ZMK) [ENTER FOR NONE]: 0
Enter encrypted ZMK [ENTER FOR NONE]: 370CA80B47E0FA37
Enter ZMK check value [ENTER TO SKIP CV TEST]: 8C4753
Key under LMK: E1AA 3728 9BC9 F3D2
Key encrypted for transmission: AAE6 2E10 9405 C50D
Key check value: 8826 1B

Apr 28, 2011 at 7:59 PM

That's the easiest thing to do.

If you want to not send a new key to the other party, you can let them use the old key. The problem isn't the old key you've send them - since you send it to them using ANSI encoding (key for transmission), they got the key ok. It's clear value is 6DC8134AE93715F8. Your original ZMK's clear value is C1377F4661733220. The encrypted value of 6DC8134AE93715F8 under C1377F4661733220 is F04CDB6650F6A457 so they got the key without problem. But the problem with your original command is that you requested to encrypt 6DC8134AE93715F8 under LMK pair 04-05 (used to encrypt ZMKs) instead of LMK pair 06-07 (used to encrypt ZPKs). In other words, the clear key 6DC8134AE93715F8 looks like AF3CAC3123CE3878 when encrypted under LMK for ZMKs (which is what you got from the KG command) but it looks like 93D3439DE9D3D674 when encrypted under LMK for ZPKs - that is the value you should have used in the first place. To confirm this, you can use the simulator console IK (import key) command like below:

Key Type: 001
Key Scheme: 0
Enter encrypted ZMK: 370CA80B47E0FA37
Enter key: F04CDB6650F6A457
Key under LMK: 93D3 439D E9D3 D674
Key Check Value: 9125 16

Notice that the key check value is the same as it was when generated by the KG command. In short, you can use this encrypted value and re-run your test.

Apr 29, 2011 at 12:42 AM

perform the tests and everything was ok, thanks for your support, greetings from Peru

Apr 29, 2011 at 6:44 AM

You're welcome.

Aug 25, 2011 at 9:20 PM


"I am a user who is connected to an ATM network, and I need to validate the pinblock, finding the pin in clear and check my database if it is correct. format or message that I send to the simulator to achieve pinblock decipher?"

I don't know if you're still monitoring this board but you should never need the PIN block in the clear. You should be storing PIN Offsets and using the HSM to verify the Offset for you. The Thales HSMs are designed specifically to not let you have the clear PIN. Storing clear PIN numbers is just begging for you to be the victim of a data breach.