So I am new to HSM encryption. We have a Thales PayShield 9000 HSM and the requirement is to encrypt a clear PIN using the ISO 9564 Format 0 standard.
What I have is the following:
Message Header: 00000000
Clear PIN: 1111
PAN: 6999999999999992
PIN Encryption Key (32): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
My requirement is to use the BA hsm command to encrypt PIN 1111 to get a 16 hex Pin Block. I have tried
00000000BA1111FFFFFFFFFF999999999999XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
But I got response 15, can someone assist advise what is the correct command format or example.
'BA' would encrypt the clear pin using LMK of HSM, it would not encrypt the pin using the ZPK
So first you should use BA command(remove the ZPK from your command) to get the pin encrypted under the LMK, then you can use 'JG' to translate the pin from LMK to ZPK.
You must check the HSM security setting "Encrypted PIN length', and right-pad your PIN with Fs to this length.
So if the encrypted PIN length = 5 and clear PIN = 1111 ==> input value is 1111F.
Also you don't send any PIN key (ZPK), because BA command encrypts PIN under LMK. If you need PIN encrypted under ZPK, use both BA and JG commands.
So your command should look like (if encrypted PIN length = 5)
00000000BA1111F999999999999
Related
I want to understand how and where i can perform an EMV Transaction online PIN Verification.
Suppose i have a few POS terminal and also a Visa Cybersource account, i'am able to perform an EMV Transaction on the terminal , however most EMV Transaction request that we perform an Online PIN verification ,i'm able to extract the basic details needed to charge the card example data ,trackData ,PINBLOCK ,KSN and some TLV Data.
I cant find resources to perform an Online PIN Verification if the EMV Transaction request for it ,especially the VISA cybersource developer page, infact i dont know where to perform the verification or how it works.
A brief lessons and directed resources will be appreciated.
A few things you need to understand to verify PIN, and in most cases this is very much the standard, but can't help unless you share more details.
PIN Block is formed from Card number and PIN, and mostly by ANSI PIN
Block format 0
The received PIN block is Triple DES encrypted by
the sender's key called AWK ( acquirer working key )
You need to have the corresponding key IWK ( issuer working key ).
Send card number, PIN Block, IWK, PIN Block format, PIN Verification Key, PIN
verification Key index to HSM
HSM will respond with whether PIN is
successful or no.
I have an RFID RC522 reader which reads 16-digit card number and a mini keyboard attached to Arduino Mega 2560 Rev3 which reads 4-digit Pin Number. Now I have attached a ESP-8266 Wi-Fi module in order to send that 16-digit card number and 4-digit pin to server for verification whether it is valid card user. So now I want to send both card number and pin to server at once to make less number of requests to server.
Now I want to ask that whether there’s enough memory in Arduino to store 20 digits temporarily and get a bool value from server whether it is a valid user or not.
The ATmega2560 in the Mega2560 has the following memory space :
Flash 256k bytes (of which 8k is used for the bootloader)
SRAM 8k bytes
EEPROM 4k byte
The microcontroller on the Arduino and Genuino AVR based board has EEPROM: memory whose values are kept when the board is turned off (like a tiny hard drive). This library enables you to read and write those bytes.
The supported micro-controllers on the various Arduino and Genuino boards have different amounts of EEPROM: 1024 bytes on the ATmega328P, 512 bytes on the ATmega168 and ATmega8, 4 KB (4096 bytes) on the ATmega1280 and ATmega2560. The Arduino and Genuino 101 boards have an emulated EEPROM space of 1024 bytes.
To use the specific EEPROM library use:
#include <EEPROM.h>
Examples
EEPROM Clear: Clear the bytes in the EEPROM.
EEPROM Read: Read the EEPROM and send its values to the computer.
EEPROM Write: Stores values from an analog input to the EEPROM.
EEPROM Crc: Calculates the CRC of EEPROM contents as if it was an array.
EEPROM Get: Get values from EEPROM and prints as float on serial.
EEPROM Iteration: Understand how to go through the EEPROM memory locations.
EEPROM Put: Put values in EEPROM using variable semantics.
EEPROM Update: Stores values read from A0 into EEPROM, writing the value only if different, to increase EEPROM life.
The full reference is here: https://www.arduino.cc/en/Reference/EEPROM
To summarise and answering specifically to your question, yes it is possible to store your amount of data in Arduino Mega, also using the EEPROM whose values are kept when the board is turned off (like a tiny hard drive). All the best
I need to get the Clear PIN for a card using HSM. I have used (EE/EF) command to get the encrypted PIN using PIN Offset method, and supplying its o/p to NG command to get the decrypted clear PIN value.
I am able to run both command and get the o/p however, Clear PIN value is incorrect.
Could I get some help here please.
I am working with my Ardunio and the contactless reader/writer MFRC522 from NXP. I am using my ePassport (EU standard) and I want to start the Basic Access Control (BAC) procedure by sending the Get Challenge APDU command to its RFID chip.
Here in stackoverflow I found the APDU 00 84 00 00 08. To implement it on my Ardunio project I use the library of miguelbalboa (accessed here). Within this library there is a method to send data to an RFID chip and store its response. But first I get the ATQA which is the ATR equivalent to a contact card (which is in my case 00 08) and then a SAK (which is in my case 20). The library notes that it detected PICC compliant with ISO/IEC 14443-4 in my ePassport and finally I get its randomized UID. Next step I try to get the challenge with
// create MFRC522 instance „mfrc522“
// Init SPI bus
// Init MFRC522 device
// Select RFID chip (PICC_Select method)
byte sendData[] = {0x00, 0x84, 0x00, 0x00, 0x08};
byte backLen = 10; // I know that the answer (= the challenge) is 8 bytes long + 2 bytes for SW1 + SW2
byte sendLen = sizeof(sendData);
byte backData[backLen];
MFRC522::StatusCode status = mfrc522.PCD_TransceiveData(sendData, sizeof(sendData), backData, &backLen);
// Print „status“
No matter what I do/change/extend, the StatusCode returned is always
Timeout in communication
and I can’t find out: What am I doing wrong? I am now doubting that it is a programming error but maybe rather a hardware issue? Maybe the FIFO buffer on the MFRC522 does not accept this command although I didn’t find any restrictions in its technical specs but then I am thinking: all I do is sending and receiving bytes according to the ISO/IEC 7816-4 standard with an ISO/IEC 14443-4 contactless RFID chip…
EDIT: I tried the APDU command with my NFC device in my smartphone and an APDU Debug app from Google Play Store and there it works fine! So the chip or the APDU command itself can’t be the problem.
Have you tried sending a T=1 block?
The Block format PCB|CID|INF|EDC. This is described in http://read.pudn.com/downloads64/ebook/225463/M305_DESFireISO14443.pdf
I had success sending the GetVersion to DESFire but it timeout trying to fetch the next frame (0xAF)
I sniffed a XBEE S1 packet and it's normally a full 802.15.4 packet.
The AES encryption is enable on my module xbee s1 and I know the key.
What is the algorithm to decrypt the data payload ?
Normally, in a 802.15.4 packet, there is the flag "Security level" that say what AES is used (AES-CCM, AES-CTR or AES-CBC). Here the flag is at 0 (None).
I think that is AES-CTR, Wireshark can decrypt AES-CCM and it doesn't work.
I looked in the 802.15.4 specification how to decrypt the AES-CTR and I think that I don't understand how the nonce is build because my decryption doesn't work. Can someone explain to me how to decrypt a XBEE S1 packet ?
Thanks !
I found why I couldn't decrypt the packet.
XBEE S1 modules use AES-CTR but they don't really respect the 802.15.4 specifications during encryption.
The field of security reserved, the key id mode and the sec level are not in the packet however they should be... That shifts the reading of one byte.
And, normally, during encryption, the frame counter and the data payload must be used in big endian. With Xbee S1 modules, they are used in little endian.