Unable to decrypt PIN block

Nov 20, 2014 at 2:46 PM
Edited Nov 21, 2014 at 6:16 AM
Hi,

I am having a problem where I have to integrate with a system which uses a Thales HSM (I believe it is an 8000).
The problem is that I need to generate and encrypt a PIN block with the "ZPK under ZMK clear component" shared by them, but they are unable to decrypt it.
I am doing the following to generate the PIN block:
  1. Forming the PIN block according to ISO Format 0.
    e.g. if the PIN is 1234 then pinblock = (041234FFFFFFFFFF) xor (PAN)
  2. Encrypting the PIN block with the ZPK using 3DES
I am performing these operations using Java code.
The 3rd party is doing a PIN translation using the CC command but is unable to do so with the encrypted PIN block I generated.

Thanks in advance for the help
Editor
Nov 21, 2014 at 9:38 AM
Hi,

The 3rd party has shared ZPK under ZMK and the ZMK component with you. First, you should decrypt the ZPK from under the ZMK. Only after that can you use the ZPK to encrypt the PIN block.

Also, if you have already decrypted the ZPK and encrypted the PIN block under the clear ZPK, and the 3rd party is unable to decrypt that PIN block, ask them what key scheme they used to export the ZPK under the ZMK. They have to export the ZPK in the ANSI X9.17 scheme to make decryption on your side easier, without any "Thales variants".

Regards,
Juris
Nov 21, 2014 at 1:17 PM
Thanks, Manshtein, for the reply.

I will find out the details and post them here.
Nov 24, 2014 at 3:31 PM
So I managed to get the info:
  1. They have shared ZPK under ZMK and ZPK under LMK with me.
  2. The key has been exported under the 'U' scheme.
  3. I have tried encrypting with both of these keys and neither has worked.
Hope that this is useful.
Nov 25, 2014 at 7:01 PM
I think it would be useful to mention that solutions which use the jPOS library would be appreciated.
Editor
Nov 26, 2014 at 9:40 AM
Hi,

When you import the ZPK from under the ZMK to the LMK, verify that you have the same check value for the ZPK on your side as the party who sent it to you. You can use the CK console command for verification.

Regards,
Juris
Nov 26, 2014 at 5:58 PM
I imported the ZPK under the LMK using the IK command in jPOS, but the key check value is different.

Here's the command I used:
smconsole -lmk LMK_FILE IK ZPK:1U ZPK_VALUE ZMK:1U ZMK_VALUE KEY_CHECK_OF_ZMK
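The two steps from the original post (ISO Format 0 block, then 3DES under the ZPK) together with the two things the replies ask for (recovering the clear ZPK from "ZPK under ZMK" in the ANSI X9.17 scheme, and the key check value to compare against the CK command), as an added Go example that is not from this thread, from Thales or from jPOS. It assumes the usual KCV definition (3DES of eight zero bytes, first six hex digits) and does not implement the Thales 'U' variant scheme; all key material used with it is constructed.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// tdes3 is two-key 3DES (K1 K2 K1) in ECB mode: the primitive behind X9.17 key wrapping, KCVs and PIN-block encryption.
func tdes3(key16, data []byte, decrypt bool) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil || len(data)%8 != 0 {
		panic("3DES needs a 16-byte key and 8-byte-aligned data")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += 8 {
		if decrypt {
			c.Decrypt(out[i:], data[i:i+8])
		} else {
			c.Encrypt(out[i:], data[i:i+8])
		}
	}
	return out
}

// UnwrapX917 recovers the clear ZPK from "ZPK under ZMK" exported in the ANSI X9.17
// scheme: plain 3DES decryption under the ZMK, no Thales key variants involved.
func UnwrapX917(zmk, zpkUnderZmk []byte) []byte { return tdes3(zmk, zpkUnderZmk, true) }

// KCV is the check value the CK console command shows (assumed definition): first three bytes of eight zero bytes encrypted under the key.
func KCV(key []byte) string { return fmt.Sprintf("%X", tdes3(key, make([]byte, 8), false)[:3]) }

// ISO0PinBlock builds the ISO 9564 Format 0 clear PIN block: ("0" + PIN length + PIN +
// "F" padding) XOR ("0000" + the 12 rightmost PAN digits, check digit excluded).
func ISO0PinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 || strings.Trim(pin+pan, "0123456789") != "" {
		return nil, fmt.Errorf("need a 4-12 digit PIN and a 13+ digit PAN")
	}
	fields, _ := hex.DecodeString(fmt.Sprintf("0%X%s%s0000%s", // 16 hex PIN field + 16 hex PAN field
		len(pin), pin, "FFFFFFFFFFFFFF"[len(pin):], pan[len(pan)-13:len(pan)-1]))
	block := make([]byte, 8)
	for i := range block {
		block[i] = fields[i] ^ fields[8+i]
	}
	return block, nil
}

// EncryptPinBlock is the final step: the clear ISO-0 block 3DES-encrypted under the clear ZPK.
func EncryptPinBlock(zpk, block []byte) []byte { return tdes3(zpk, block, false) }
```

Compare KCV(UnwrapX917(zmk, zpkUnderZmk)) with the partner's CK output before encrypting any PIN; if the values differ, the key you hold is not the key they hold and nothing downstream can work.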