Decrypting a Pinblock

Jan 5, 2012 at 1:14 PM

Hi all,

I am trying to decrypt a Pinblock and the format is f3h and has 16 hexadecimal characters. The pinblock is encrypted by a 32 character hexadecimal key (KSPIN) and the PAN. The key (KSPIN) was encrypted by a Zone Master Key (ZMK) that I only have in its encrypted form with 72 hexadecimal characters.

What commands can I use in the Thales 9000 HSM console to get the clear PIN?

Would really appreciate some help.




Jan 11, 2012 at 2:42 PM

Thales HSMs, by design, will never give you a clear PIN so there is no answer to your question. If you're trying to verify PINs then you should use the HSM to create a PIN offset using a PIN verification Key. Then compare the PIN offset with one you have stored.

Jan 12, 2012 at 5:40 AM


Thanks for the reply, is there a command to decrypt a key with 72 hexadecimal characters?

Jan 13, 2012 at 4:58 PM

The longest valid key length is 48 hexadecimal characters. If you have 72 characters then it is not in a usable form as-is.

If you're working with one of the big in-branch ATMs like NCR, IBM/WinCor, or Diebold, chances are the key you're looking at is in octal rather than hexadecimal. A 72-digit octal key will translate to a 48-digit hexadecimal key. And it is probably a PIN Working Key (KWP) rather than a ZMK. 

If it is not a production key then feel free to PM me the 72-digit key. If it is octal, I will convert it and send it back.
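
Added example, not part of the thread: a local check of the octal hypothesis from the last reply, so the key never has to leave the machine it is on. It assumes each key byte is written as three octal digits (000-377), which is the encoding under which 72 octal digits give exactly 48 hexadecimal digits; the thread does not state the encoding, and the function names and sample value are constructed for illustration.

```python
import string

def classify_digits(s):
    """Classify a key string by character set alone: 'octal', 'hex' or 'invalid'."""
    s = s.strip()
    if s and all(c in "01234567" for c in s):
        return "octal"  # digits 0-7 are also valid hex, so this is only a possibility
    if s and all(c in string.hexdigits for c in s):
        return "hex"    # an 8, 9 or A-F rules octal out
    return "invalid"

def octal_triplets_to_hex(octal_key):
    """Convert byte-wise octal (assumed: 3 octal digits per byte) to hex."""
    octal_key = octal_key.strip()
    if classify_digits(octal_key) != "octal":
        raise ValueError("contains characters outside 0-7; not octal")
    if len(octal_key) % 3:
        raise ValueError("length is not a multiple of 3 octal digits")
    out = bytearray()
    for i in range(0, len(octal_key), 3):
        triplet = octal_key[i:i + 3]
        value = int(triplet, 8)
        if value > 0xFF:  # 400-777 cannot be one byte, so the assumption fails
            raise ValueError(f"triplet {triplet} at offset {i} exceeds one byte")
        out.append(value)
    return out.hex().upper()

def odd_parity_bytes(hex_key):
    """Count bytes with an odd number of 1 bits (DES key parity convention).

    Informational only: a clear DES key normally has odd parity in every
    byte, but a key encrypted under another key generally will not.
    """
    return sum(bin(b).count("1") % 2 for b in bytes.fromhex(hex_key))

# Constructed sample, not a real key: 24 bytes written as 72 octal digits.
SAMPLE_HEX = "0123456789ABCDEF" * 3
SAMPLE_OCTAL = "".join(f"{b:03o}" for b in bytes.fromhex(SAMPLE_HEX))

if __name__ == "__main__":
    converted = octal_triplets_to_hex(SAMPLE_OCTAL)
    print(len(SAMPLE_OCTAL), "octal digits ->", len(converted), "hex digits")
    print(converted)
    print("bytes with odd parity:", odd_parity_bytes(converted), "of", len(converted) // 2)
```
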