Interface to verify the PIN

Feb 29, 2012 at 7:05 PM

Hi, I am a newbie to HSMs.
I am working in the ATM department,
so I want to make a web site for our customers to see their accounts,
and the cardholder must enter PAN, PVV and clear PIN (4 digits).

We are using HSM 8000.

I know I need the TAK/TPK, PVKA, PVKB, PIN block format, PAN (11 digits) and PVV; all of this is sent to the HSM to check the verification.
I will get PVKA and PVKB from the database.
How can I get the TAK/TPK, and how can I encrypt the PIN?

Regards,

Coordinator
Mar 1, 2012 at 4:35 PM

I cannot envision a web site using these kinds of credentials, ever. I would suggest that you rethink your strategy.

Having said that, you can get hold of the encrypted TAK/TPK just like you will access the PVKs (i.e. from a database). The issue, though, is that in order to use the PVV verification algorithm you must provide an encrypted PIN block. Therefore, the web application should have a way to store the clear TAK/TPK and use it to create the encrypted PIN block. Where to store such a clear value is a difficult exercise in itself because the value must be guarded against unauthorized access. IMHO, any storage scheme that is based in s/w is prone to hacking at some point. I would, then, advise to use some kind of secure USB dongle to store it. Note that this only makes it harder to hack the clear TPK, but not impossible. There's a reason that cryptographic processing happens inside secure devices that do not expose the clear values of keys.

Mar 1, 2012 at 6:02 PM

Thanks

My strategy is a Java application (J2ME) running on the phone; that application can do a bill payment. So the cardholder must enter his PAN and PIN into the Java application, then the application sends an SMS to our server using an SMS gateway, and we verify the PIN and make the bill payment.
By the way, I can't use USSD on our network because we have a CDMA network.

I see this link; it uses a web site to enter the PAN and PIN, and it does not use a dongle.

https://www.e-dinar.poste.tn/fr/recharge_banque.html

Best Regards

Coordinator
Mar 1, 2012 at 8:04 PM

Again, I'd be mindful about the whole setup. SMS and USSD messages are visible to the GSM and the gateway providers. SMS messages left on the phone can also give away information if the phone is lost or stolen.

I really don't think that using a Thales HSM in such a way adds any security at all. The whole purpose is to hide the clear text keys, so if you're going to store a clear text key to a database you're kind of defeating the meaning of the exercise. You might as well do everything in the clear without using a Thales.

Mar 1, 2012 at 8:49 PM

Thank you for reply

The message will be sent by the Java application, not as a normal SMS.
But I don't want to store a clear text key in the database; I want to use the security of the HSM.

Coordinator
Mar 1, 2012 at 9:16 PM

You'll have to create the PIN block somehow. For that you'll need to store a clear text key somewhere.

Mar 2, 2012 at 4:30 PM

The clear key will be input by the cardholder using the Java interface, then Java will encrypt it to a PIN block before sending the SMS.

Best Regards.

Coordinator
Mar 2, 2012 at 6:27 PM

I'm sorry, I didn't understand the last. The clear TAK/TPK will be input by the cardholder?

Mar 2, 2012 at 7:29 PM

The cardholder starts the Java program; from the mobile bill payment menu it asks to insert these values (Card Number = ?, PIN = ?, Mobile No = ? and Amount = ?).
Then the Java program will encrypt the PIN to a PIN block, then send an SMS message to us.
The SMS message structure will be like this: (PAN + PIN block + mobile no + amount).
When we receive the message, we will send a message to the HSM to verify the PIN; if the PIN is correct the transaction will complete, or the transaction is declined if the PIN is not correct.
So, how can I encrypt the PIN (clear text, 4) to a PIN block (12)?

Note: the encryption process must be in the Java program.

Coordinator
Mar 2, 2012 at 8:53 PM

If you have the clear TAK/TPK in the Java app, you can create the encrypted PIN block. See method ToPINBlock of this file for more info. Basically, you XOR part of the account with the PIN and PIN length to get the clear PIN block, then you DES-encrypt that in order to get the encrypted PIN block.

Mar 2, 2012 at 9:08 PM

Check this code:

ToPINBlock("1234", "44005555555",PIN_Block_Format.AnsiX98)

So, where do I have to put the TAK/TPK to encrypt the PIN block?

Thanks.

Coordinator
Mar 2, 2012 at 9:14 PM

You just DES-encrypt the result with the clear TAK/TPK.

Mar 3, 2012 at 8:35 PM

Thank you for reply

I tried that code, but the PIN block (clearPB) is not the same as the one the ATM sent to the switch; I see the PIN block from our trace:

Dim TPK As String = "E2F2351A06E4D53C"
Dim Pin_Block As String = PIN.PINBlockFormat.ToPINBlock("1122", "550000025321", PIN.PINBlockFormat.PIN_Block_Format.AnsiX98)
Dim clearPB As String = DES.DESEncrypt(TPK, Pin_Block)

Coordinator
Mar 3, 2012 at 10:55 PM

What's the full card number?

Mar 4, 2012 at 6:40 AM
Edited Mar 4, 2012 at 5:44 PM

It is 5028550000025321.

Sorry, I was wrong; it is 855000002532.

But I tried

Dim Pin_Block As String = PIN.PINBlockFormat.ToPINBlock("1122", "855000002532",

But same problem...

Coordinator
Mar 4, 2012 at 9:22 PM

That should give you a clear PIN block equal to 0411A7AFFFFFDACD. Using E2F2351A06E4D53C, that should give an encrypted PIN block equal to F80B6AB1A50AF7B8. What are you getting?
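
Putting the two steps the coordinator describes together (XOR the PIN field with the account field to get the ISO-0 / ANSI X9.8 clear block, then single DES under the clear TPK), here is an added example in Go that is not code from the thread or from the library being discussed. It uses Go's standard crypto/des, and the PIN, PAN and TPK are the values quoted in this thread; the Pan12 helper also shows why 855000002532 (check digit dropped first) is the right account field rather than 550000025321.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Pan12 returns the 12 rightmost PAN digits excluding the check digit: the ISO-0 / ANSI X9.8 account field.
func Pan12(pan string) (string, error) {
	if len(pan) < 13 {
		return "", fmt.Errorf("PAN must be at least 13 digits, got %d", len(pan))
	}
	return pan[len(pan)-13 : len(pan)-1], nil // drop the check digit, keep the 12 digits before it
}

// ClearPINBlock: ISO-0 clear PIN block, ("0" + PIN length + PIN + "F" padding) XOR ("0000" + Pan12), as 16 hex chars.
func ClearPINBlock(pin, pan string) (string, error) {
	acct, err := Pan12(pan)
	if err != nil || len(pin) < 4 || len(pin) > 12 || strings.Trim(pin+pan, "0123456789") != "" {
		return "", fmt.Errorf("PAN too short, non-digit characters, or PIN not 4 to 12 digits")
	}
	pinField, _ := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	panField, _ := hex.DecodeString("0000" + acct)
	block := make([]byte, 8)
	for i := range block {
		block[i] = pinField[i] ^ panField[i]
	}
	return fmt.Sprintf("%X", block), nil
}

// EncryptPINBlock DES-encrypts one clear PIN block under a single-length (8-byte) TPK.
func EncryptPINBlock(clearHex, tpkHex string) (string, error) {
	key, e1 := hex.DecodeString(tpkHex)
	clear, e2 := hex.DecodeString(clearHex)
	if e1 != nil || e2 != nil || len(key) != 8 || len(clear) != 8 {
		return "", fmt.Errorf("TPK and clear PIN block must each be 16 hex chars")
	}
	c, _ := des.NewCipher(key) // cannot fail: the 8-byte key length was checked above
	out := make([]byte, 8)
	c.Encrypt(out, clear) // exactly one 8-byte block, so no chaining mode or IV is involved
	return fmt.Sprintf("%X", out), nil
}

func main() { // the thread's values: PIN 1122, PAN 5028550000025321, TPK E2F2351A06E4D53C
	cb, _ := ClearPINBlock("1122", "5028550000025321")
	eb, _ := EncryptPINBlock(cb, "E2F2351A06E4D53C")
	fmt.Println(cb, eb) // 0411A7AFFFFFDACD F80B6AB1A50AF7B8
}
```

A mismatch against a real terminal trace with these inputs means the terminal used a different key (or the switch already translated the block to a ZPK), not a different block format.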

Mar 4, 2012 at 9:47 PM

It is the same.

But it is different from the value the ATM sent to our switch.

Should I use the TPK, TMK or ZMK? What is the key that is used to encrypt the PIN block?

Coordinator
Mar 5, 2012 at 8:20 AM

TPKs are used by terminals. ZPKs are used by interfaces. You may have a PIN block originally encrypted under a TPK, then translated to encryption under a ZPK.

Mar 5, 2012 at 6:00 PM

A Terminal PIN Key (TPK) is a data-encrypting key which is used to encrypt PINs for transmission.

So I use the TPK, but it is different from the value the ATM sent to our switch.

Coordinator
Mar 6, 2012 at 10:19 AM

I don't know why you get the discrepancy. However, with the data you provided, the encrypted PIN block F80B6AB1A50AF7B8 is correct. You can also check it manually.