Problem with verification of pin block generated with ZPK

Jul 12, 2014 at 11:06 PM
Dear all,
I have generated an encrypted PIN block under a clear ZPK with my application.
Now I want to verify the PIN with an HSM 8000, but I get a verification failure.

My application is in C# and I'm using the .NET TDES provider. I also encrypted the PIN under the Thales simulator and I get the same PIN block.

Please, any help will be very much appreciated.

Best Regards.
Editor
Jul 14, 2014 at 5:16 AM
Hi!

Please give us more details on what you have actually done and the error code the HSM returns.

Regards,
Juris
Editor
Jul 14, 2014 at 7:43 AM
Also, please send us the PIN you want to verify, the card number and the type of PIN block (of course, if that is a test card :) ) you are trying to verify.
Jul 14, 2014 at 9:34 PM
Hi, thanks for the reply.
Here are the details you requested:
account number = 196009475168, PIN number = 1111
PIN block format = 03
Clear ZPK is 1A75A146A31B5F61ED2DE4DDD52B4C0A
Actually, I get the PIN block 531AB0D823862DD9 using the ECB method in TDES .NET,

but with command EC I'm actually getting a verification failure.

Your help is very much appreciated.

thanks.

Best Regards.
Editor
Jul 15, 2014 at 8:00 AM
Hi!

Please show the command you are sending to the HSM.

Regards,
Juris
Jul 15, 2014 at 9:30 AM
Hi,

Here is the command:
ECU425F4E50D22391AB8E8E9BF88ED4403E231F696E6D0C77941E4DC6005BE56FF4531AB0D823862

U425F4E50D22391AB8E8E9BF88ED4403E is the key encrypted under ZMK.

I have also generated a PIN block with HSM commands BA and then JG; the result with EC for this PIN block is verification success.
Thanks for your assistance.

Best regards.



Jul 15, 2014 at 9:41 AM
Hi,

Please just note that the PIN block generated for account number = 196009475168, PIN number = 1111,
PIN block format = 03 under clear ZPK 1A75A146A31B5F61ED2DE4DDD52B4C0A is 531AB0D823862DD9.

The PIN block was created using the Thales DLL library as follows:


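string PIN = "1111";
// Format 03: PIN left-justified and padded with 'F' to 16 hex digits
string PINBlock = PIN.PadRight(16, 'F');
HexKey ZPKHex = new HexKey(ZPK);
// Encrypt the clear PIN block under the clear ZPK
string EncryptedPINBlock = ThalesSim.Core.Cryptography.TripleDES.TripleDESEncrypt(ZPKHex, PINBlock);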


The HSM command for verification is: ECU425F4E50D22391AB8E8E9BF88ED4403E231F696E6D0C77941E4DC6005BE56FF4531AB0D823862
Result ED 24: PIN is fewer than 4 or more than 12 digits
Best regards.
Editor
Jul 16, 2014 at 9:30 AM
Hi!

It looks like the page cannot display the whole command you are sending.

My command:
EC
U6D344B2D3EEB2CD5F19CC0CB645BD006
UE69ACD0494852B45369F7D08EC3C7F95
531AB0D823862DD9
03
196009475168
1
1234
Returns ED01, which means the 03 PIN block is supported in this command (note that the keys are under my LMK).

Could you please send the whole command and the VR console command output (REMOVE SERIAL NUMBER FROM OUTPUT)?

Regards,
Juris
Jul 16, 2014 at 10:21 AM
Here is my EC command:

EC
Uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx key ZPK under LMK
231F696E6D0C7794
1E4DC6005BE56FF4
531AB0D823862DD9
03
196009475168
17611


The command returns ED24, which is related to the PIN block encryption.

The HSM is a Thales 8000.

Best regards.
Jul 17, 2014 at 12:26 PM
Hi,
Could you please specify with which command I can verify the generated PIN block format 03 with the HSM?

Thanks for your help.

Best Regards.
Editor
Jul 18, 2014 at 7:44 AM
Hi!

You can also try to verify the PIN block using a Terminal key and host command DC. The only thing is that you should form your plain ZPK using console command FK with key type 002 (TPK).

What firmware version is your HSM running?

Currently I have tried 2 HSM8000 units which I have online, and both of them process an EC request with an 03 PIN block well.

Regards,
Juris
Jul 18, 2014 at 9:11 AM
Thanks Manshtein,
I'll try the following and come back to you soon.
Best regards.




Jul 22, 2014 at 11:32 AM
Hi Manshtein,
Sorry for my late response. I guess the problem is the clear key I'm using.
Actually, I decrypted my ZPK/ZMK as follows: with a DES calculator I used data = ZPK/ZMK and key = ZMK/LMK, then encrypted the PIN block with the result.

Could you please confirm that this is the good approach, or else give me a procedure on how to get the clear ZPK key?

Thanks.
Jul 22, 2014 at 1:16 PM
I also tried with format 01 as follows.
Generate PIN block:
string PINBlock1 = "02" + PIN + "FFFFFFFFFF";
string PINBlock2 = "0000" + AccountNumber;

// XOR the PIN field with the account number field
string PINBlock = XORHexS(PINBlock1, PINBlock2);

// Encrypt the clear PIN block under the clear ZPK
string CipherPINBlock = TripleDESEncrypt(ZPKHex, PINBlock);

But it is always the same problem: EC........ returns ED20 (PIN block does not contain valid value).

Thanks for your assistance.

Kind regards.
Editor
Jul 23, 2014 at 9:21 AM
Hi!

To decrypt the ZPK you should do the following steps:
1) generate a ZMK component with the GC console command;
2) form the ZMK component into a key in U scheme using the FK console command;
3) export your ZPK under the ZMK in X scheme using the KE console command;
4) decrypt the ZPK under ZMK with the ZMK component generated in the 1st step using a DES calculator.

I assume you are using different keys under the LMK and on your application side. When the HSM decrypts a PIN block it validates the PIN block quality. If the PIN block was encrypted with a different key, the decryption result will be completely wrong.

Regards,
Juris
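
Added example, not part of the thread and not ThalesSim or HSM code: a Python sketch of the clear PIN block layouts for Thales formats 01 (ISO 9564-1 format 0) and 03, with a structural check of the kind Juris calls PIN block quality validation. The function names and the exact validation rules are assumptions for illustration; the PIN and account number are the test values posted above, and the wrong-key block is a constructed value.

```python
import re

def xor_hex(a: str, b: str) -> str:
    """XOR two 16-digit hex strings."""
    return f"{int(a, 16) ^ int(b, 16):016X}"

def build_format01(pin: str, account12: str) -> str:
    """Clear format 01 block: (0 | PIN length | PIN | F pad) XOR (0000 | account)."""
    return xor_hex(f"0{len(pin):X}{pin}".ljust(16, "F"), "0000" + account12)

def build_format03(pin: str) -> str:
    """Clear format 03 block: PIN left-justified, padded with F to 16 digits."""
    return pin.ljust(16, "F")

def parse_format01(clear_block: str, account12: str) -> str:
    """Recover the PIN from a clear format 01 block or raise ValueError."""
    field = xor_hex(clear_block, "0000" + account12)
    if field[0] != "0":
        raise ValueError("control nibble is not 0")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError(f"PIN length {length} is outside 4..12")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not re.fullmatch(r"[0-9]+", pin) or pad.strip("F"):
        raise ValueError("PIN digits or F padding are malformed")
    return pin

def parse_format03(clear_block: str) -> str:
    """Recover the PIN from a clear format 03 block or raise ValueError."""
    m = re.fullmatch(r"([0-9]{4,12})F*", clear_block.upper())
    if len(clear_block) != 16 or not m:
        raise ValueError("not 4..12 digits followed by F padding")
    return m.group(1)

def check(parser, *args) -> str:
    """Run a parser and report the outcome as text."""
    try:
        return "ok: " + parser(*args)
    except ValueError as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    account = "196009475168"               # test account number from the thread
    wrong_key_result = "9C3E07A1D45B2F68"  # constructed: stands in for a wrong-key decrypt
    print(check(parse_format03, build_format03("1111")))
    print(check(parse_format01, build_format01("1111", account), account))
    print(check(parse_format01, "0211089FF6B8AE97", account))  # field built with "02"
    print(check(parse_format03, wrong_key_result))
    print(check(parse_format01, wrong_key_result, account))
```

In ISO format 0 the second nibble carries the PIN length, so a four-digit PIN field starts with 04; a field built with the 02 prefix decodes as a two-digit PIN and fails the length check whichever key is used.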