Supporting MS/MT command?

Oct 10, 2011 at 8:28 AM

Hi nickntq,

Are you intend to make the MS/MT(Generate MAC (MAB) using ANSI X9.19 Method for a Large Message) host command?

I've taken part in some financial system, they almost use MS/MT command to generate MAC value, in order to use these command, may be the following command is need:

  • FI (FJ) Generate ZEK/ZAK
  • FK (FL) Translate a ZEK/ZAK from ZMK to LMK Encryption
  • FM (FN) Translate a ZEK/ZAK from LMK to ZMK Encryption
  • ...

I'm willing to help you test these command with a real HSM (thales 8000 and 9000) if you do.

Best regards!


Oct 10, 2011 at 8:38 AM

Thanks to a contributing member, MS is now implemented but is currently available only by getting the latest source code or downloading the latest dev build.

FI, FK and FM are currently implemented. If you can test against a real HSM, we'd be grateful!

Oct 10, 2011 at 8:50 AM

Thanks nickntg,

I will try this build and notice you my result soon.

Oct 10, 2011 at 10:17 AM

Hi nickntg,

I've test the MS/MT command with a real HSM and it's great. Here is the step by step in my test case:

Step 1: Form a ZMK from 2 clear components on HSM simulator:

Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Component type [X,H,E,S]: X
Enter number of components (2-9): 2
Enter component #1: 753BBA235D623410B03483154315D9C2 (real HSM)
Enter component #2: E0E57515D63E648C45CBE6DCC131DA5E (HSM simulator)
Encrypted key: U DD29 B47D 88D4 BBFD 6AD8 D116 3D6A E320
Key check value: 1A87 73


Step 2: Translate the MAK from real HSM system to encrypted under LMK of HSM simulator

The MAK encrypted under ZMK from real HSM is: XB65B646D7079FDC289F10006CCAB1D80

+ Send to HSM:

Send to HSM: M1234FK1UDD29B47D88D4BBFD6AD8D1163D6AE320XB65B646D7079FDC289F10006CCAB1D80;XU1
Receive from HSM: 1234FL00UC97C420ABBCFBF35A6F5C461D6D83303138EAE

Key encrypted under LMK: UC97C420ABBCFBF35A6F5C461D6D83303
Key Check Value: 138EAE


Step 3: send a financial transaction (ISO 8583) from real system to test system and verify MAC

  <field id="0" value="0200"/>
  <field id="2" value="9704000000000001"/>
  <field id="3" value="390010"/>
  <field id="4" value="000002000000"/>
  <field id="7" value="1010030702"/>
  <field id="11" value="002463"/>
  <field id="12" value="100702"/>
  <field id="13" value="1010"/>
  <field id="15" value="1010"/>
  <field id="18" value="6011"/>
  <field id="19" value="704"/>
  <field id="22" value="021"/>
  <field id="25" value="02"/>
  <field id="32" value="970400"/>
  <field id="33" value="970401"/>
  <field id="35" value="9704000000000001=121170014683338"/>
  <field id="37" value="123456789012"/>
  <field id="41" value="00000001"/>
  <field id="42" value="123456789012345"/>
  <field id="43" value="                                TEST 704"/>
  <field id="48" value="PAN  970401                                             ABC            9704000000000002       TESTTTTTT ACOUNT NAME     2000000"/>
  <field id="49" value="704"/>
  <field id="52" value="306859A2228A10BF" type="binary"/>
  <field id="100" value="970401"/>
  <field id="103" value="9704000000000002"/>
  <field id="128" value="05D82E77D3A3FAC2" type="binary"/>


Verify MAC with Field #128:

clear data: 020016970400000000000139001000000200000010100307020024630697040000000001123456789012345127PAN  970401                                             ABC            9704000000000002       TESTTTTTT ACOUNT NAME     2000000169704000000000002

+ Send to HSM: 1234MS0111UC97C420ABBCFBF35A6F5C461D6D8330300EB30323030313639373034303030303030303030303031333930303130303030303032303030303030313031303033303730323030323436333036393730343030303030303030303131323334353637383930313233343531323750414E202039373034303120202020202020202020202020202020202020202020202020202020202020202020202020202020202020202041424320202020202020202020202039373034303030303030303030303032202020202020205445535454545454542041434F554E54204E414D45202020202032303030303030313639373034303030303030303030303032
+ Receive from HSM: 1234MT0005D82E77D3A3FAC2


Compare MAC with F128: true

Oct 10, 2011 at 10:33 AM

Lost you there. So the implementation is correct?

Oct 10, 2011 at 10:42 AM

Yes, I think the implementation is correct, I've just tested MS/MT and FK/FL command

Next time I will test the other command for generate & translate MAK between 2 system

Oct 10, 2011 at 10:51 AM

Super. Thanks for the verification, appreciate it!

Oct 11, 2011 at 10:27 AM

Hi nickntg,

I've tested the FI/FJ command, it's correct too. Here is the detail:


ZMK encrypted under LMK of HSM simulator: U DD29 B47D 88D4 BBFD 6AD8 D116 3D6A E320

ZMK encrypted under LMK of real HSM: U 41E9 0F31 E821 2920 893E EF91 C8AF 2964

Step 1: generate MAK encrypted under ZMK from HSM simulator:

    + Send to HSM: 1234FI1UDD29B47D88D4BBFD6AD8D1163D6AE320;XU1
    + Receive from HSM: 1234FJ00X194FA9612EB7B87182BDA2F029C3E707U9DB1887A4D2717D40D1181C75522EA7A3A8D3F

- Key encrypted under ZMK: X194FA9612EB7B87182BDA2F029C3E707
- Key encrypted under LMK: U9DB1887A4D2717D40D1181C75522EA7A
- Key Check Value: 3A8D3F

Step 2: translate MAK to encrypted under LMK with real HSM (and import to system)

    + Send to HSM:  M1234FK1U41E90F31E8212920893EEF91C8AF2964X194FA9612EB7B87182BDA2F029C3E707;XU1
    + Receive from HSM: 1234FL00UB28F7981A56DE6B19B90409470F7287C3A8D3F

- Key encrypted under LMK: UB28F7981A56DE6B19B90409470F7287C
- Key Check Value: 3A8D3F

Oct 11, 2011 at 9:04 PM

Superb. Thanks again for the verification.