(Originally from HSM basic text file corresponding to email dated 12:03 PM, Subject: HSM - help on standards.)

Each Hardware Security Module (HSM) has its own Master Key, which can be called an LMK or KSK or whatever the HSM vendor calls it. I will call it the KSK (key storage key). Every key you generate will be encrypted under this KSK. In real life you will never know the clear value of the KSK; the HSM will store it on a chip card. For all my examples I am going to use a single length key.

Now consider you want the Triton ATM to have a TMK (Terminal Master Key) of 0909090909090909 stored on it. You would go to the HSM and enter this clear value and obtain a cryptogram (0909090909090909 encrypted under 0123456789ABCDEF). The encrypted value of the TMK will be 3F85C66266E0C409 and this is what you will use, as nothing should be in the clear. For simulation this is alright but in reality you want to let the HSM generate a random key.

Now you need to generate a PIN Working Key (I call it the KWP). This is the key used by the ATM to encrypt the PIN block and send it to you in a withdrawal request. Let's say the clear PIN key is 0808080808080808 and the encrypted value (encrypted under KSK) is 086F9A1D74C94D4E. For simulation this is alright but in reality you want to let the HSM generate a random key and you can exchange this key at regular intervals with the ATM.

You would need to send the KWP encrypted under the KSK (086F9A1D74C94D4E) and the TMK encrypted under the KSK (3F85C66266E0C409) to the HSM and tell it to give you the KWP under the TMK. The HSM will decrypt the KWP and TMK to get clear values of each and then encrypt the KWP using the TMK (basically you are encrypting 0808080808080808 with a key of 0909090909090909). The clear KWP encrypted under the clear TMK is 10772D40FAD24257 and this is what you would send to the ATM for it to encrypt the PIN block it sends you.

The above is a pretty simplistic approach. To make things more secure HSMs use variants. A variant is a hex value for each type of key. For example, a KWP can have a variant 1 which has a hex value of, say, 0800000000000000. What this does is the clear TMK is XOR'd with this value and then the result is used to encrypt the clear KWP. the single length variant repeats itself. This is generally not used by ATMs but most networks will use this.

PIN blocks come in various flavors: ISO-0, ISO-1, OEM-1 etc. These flavors are algorithms on how the PIN should be packed with additional data like PAN and padding characters. See the following URL for PIN block algorithms, ( )

The ATM has the TMK (entered by a supervisor at the ATM); you also have this value and the KWP encrypted under the TMK that we sent it in the key exchange message. The ATM will decrypt the KWP with the TMK and will have the clear KWP (08's). Now the ATM and we have the same TMK and KWP in the clear. The ATM will form the PIN block (I think it's ISO-0 for Triton) and encrypt it with the clear KWP. Once your application receives it you would send the PIN block (B07F65762F0F4701), the KWP under the KSK (086F9A1D74C94D4E), PAN and the PIN block format.
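The packing and variant steps described above, as an added Python example that is not part of the original post: it builds and parses a clear ISO-0 PIN block (the PIN field XOR'd with a PAN field) and applies a key variant by XOR. The function names and the sample PIN and PAN are constructed for illustration, and the DES encryption of the block under the KWP is left out because the Python standard library has no DES.

```python
# Added example: ISO-0 (ISO 9564 format 0) clear PIN block and key variant XOR.
# The PIN and PAN used here are constructed sample values, not from the page.

def _xor_hex(a: str, b: str) -> str:
    """XOR two equal-length hex strings and return upper-case hex."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(bytes.fromhex(a), bytes.fromhex(b))).hex().upper()

def _pan_field(pan: str) -> str:
    """0000 followed by the rightmost 12 PAN digits, excluding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return "0000" + pan[:-1][-12:]

def build_iso0_pin_block(pin: str, pan: str) -> str:
    """Clear ISO-0 block: (0 | PIN length | PIN | F padding) XOR PAN field."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return _xor_hex(pin_field, _pan_field(pan))

def extract_pin(clear_block: str, pan: str) -> str:
    """Reverse the packing; reject blocks that do not parse as ISO-0."""
    field = _xor_hex(clear_block, _pan_field(pan))
    length = int(field[1], 16)
    if field[0] != "0" or not 4 <= length <= 12:
        raise ValueError("not a valid ISO-0 PIN block for this PAN")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or set(pad) - {"F"}:
        raise ValueError("corrupt PIN digits or padding")
    return pin

def apply_variant(clear_key: str, variant: str) -> str:
    """XOR a key with its variant, as the page describes for the TMK."""
    return _xor_hex(clear_key, variant)

if __name__ == "__main__":
    block = build_iso0_pin_block("1234", "4111111111111111")
    print(block, extract_pin(block, "4111111111111111"))
    print(apply_variant("0909090909090909", "0800000000000000"))
```

Because the PAN is mixed into the block, parsing with the wrong PAN fails the padding check instead of returning a PIN.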