I've mentioned before that while 'FSDMsg' (FSD = Field Separator Delimited) isn't something that gets a lot of attention with the jPOS framework (it tends to be overshadowed by ISO Packager discussions), it is an important and useful tool in its own right. We recently used it as the framework to implement our Thales HSM 8000 command set.
A lot of people search this blog looking for any type of insights they can glean on figuring out their Thales implementation because - as I've mentioned previously - the Thales documentation just isn't really great at providing real-world examples of the commands they're explaining. So, we see hits here on particular Thales error codes and on the field names of some of the really obscure and weird things, like the famously obtuse 'KSN Descriptor.' So, I thought it would be of value to post here how we used FSDMsg to implement some Thales functions.
To set the stage, this implementation is for an acquirer where its stores have DUKPT-enabled devices. The PIN blocks need to be translated by the HSM into an outgoing block that will be placed in an 0200 (Financial) POS Purchase request sent to the Debit/EBT gateway. The outgoing PIN block is Triple DES; the Acquirer and Gateway 'talk' Master Session Encryption; and the Acquirer and Gateway will do periodic dynamic key exchange. [This scenario describes a very common set of enterprise-class Acquirer needs.]
Next, we have some terminology:
Local Master Key (“LMK”): The base-level key, composed of key components generated by the acquirer; the LMK is used to create cryptograms of all other keys.
Base Derivation Key (“BDK”): The key used jointly by the PIN Pads and your jPOS implementation to create and transport DUKPT-enabled PIN blocks.
Zone Master Key (“ZMK”): The key provided (in parts) by the Debit/EBT gateway to the acquirer for entry in a key ceremony. When online “key exchanges” take place, the newly-received values are encrypted under the ZMK.
Zone PIN Key (“ZPK”): The Triple DES key used to encrypt PIN blocks in the 0200 card-based transaction requests sent to the Debit/EBT gateway. New ZPKs are delivered to the acquirer at pre-determined intervals encrypted under the ZMK.
First, we have the request to dynamically exchange the ZPK (a.k.a. the "working key"). In strict Thales parlance, a key exchange request is a request to "translate a ZPK from ZMK to LMK encryption." These events are typically initiated via an exchange of 'network' messages (an ISO 8583 0800/0810 exchange). One of two models is in use, depending on your gateway's spec: either the acquirer sends an 0800 to request a new key, which comes back in an 0810 from the gateway partner; or the gateway initiates proceedings with an 0800 that includes the key, and the subsequent 0810 response from the acquirer denotes success or failure.
Let's assume it's the second model 'in play' here. Upon receiving the 0810 New Key Response from the gateway on a key exchange, the jPOS application formats a command to the Thales HSM which essentially asks it to:
Decrypt the new ‘ZPK’ Working Key (which was encrypted under the gateway-provided ‘ZMK’).
Re-encrypt the working key under the Acquirer’s Master File Key (‘LMK’), creating the working key cryptogram.
Save the resulting ZPK working key cryptogram for storage and subsequent usage by the jPOS application.
In the Thales HSM this functionality is implemented via the FA/FB (request/response) message set.
First, we defined (as our base XML schema) the request and response common elements in the Thales command set. Here's the base we use for all Thales Requests:
<schema>
<field id="command" type="A" length="2" key="true" />
</schema>
...and here's the base we use for the responses:
<schema>
<field id="response" type="A" length="2" key="true" />
<field id="error" type="A" length="2" />
</schema>
Our FSDMsg entries to implement the remainder of the FA and FB (supplementing the corresponding request or response base) look like this:
<schema id='FA'>
<!-- FA translates a ZPK from ZMK to LMK encryption, so the request carries the ZMK cryptogram
     and the ZPK encrypted under it. The field names and the 1-character key-scheme prefix mirror
     the FB response below; the exact Thales field layout is assumed here, not quoted from the manual. -->
<field id="zmk-type" type="A" length="1" />
<field id="zmk" type="A" length="32" />
<field id="zpk-type" type="A" length="1" />
<field id="zpk" type="A" length="32" />
</schema>
<schema id='FB'>
<field id="zpk-type" type="A" length="1" />
<field id="zpk" type="A" length="32" />
<field id="zpk-check" type="A" length="6" />
<field id="zpk-extended-check" type="A" length="10" />
</schema>
Now the other task is "PIN Translation." On PIN-enabled Debit/EBT transactions sent in from an Acquirer's point-of-sale location, your jPOS application must perform a PIN translation, transforming the incoming DUKPT PIN block from the message request into an outgoing Triple DES-encrypted PIN block that makes use of the newly established ZPK working key (as obtained and stored in the manner described above). In strict Thales parlance, this variant of a PIN translation request is a request to "translate a PIN from BDK encryption to interchange key encryption."
In the Thales HSM this functionality is implemented via the CI/CJ (request/response) message set. Our FSDMsg entries to implement the CI and CJ look like this (these are in addition to the base elements defined above):
<schema id='CI'>
<field id="bdk" type="A" length="32" />
<field id="zpk-type" type="A" length="1" />
<field id="zpk" type="A" length="32" />
<field id="ksn-descriptor" type="A" length="3" />
<field id="ksn" type="A" length="16" />
<field id="pinblk" type="A" length="16" />
<field id="destination-pinblk-format" type="A" length="2" />
<field id="account-number" type="A" length="12" />
</schema>
<schema id='CJ'>
<field id="pin-length" type="N" length="2" />
<field id="pinblk" type="A" length="16" />
</schema>
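Both commands above, driven end to end, as an added example that is not code from the original post or from jPOS itself: a small class that builds the FA and CI requests with FSDMsg, sends them to the HSM, and reads the FB and CJ responses. It assumes the request schemas (base.xml, FA.xml, CI.xml) and the response schemas (base.xml, FB.xml, CJ.xml) sit under the two directories named in the code, so that the key field ("command" or "response") selects the second schema; that the HSM is reached over TCP with a 2-byte big-endian length prefix and no message header configured; and that the FA request carries a zmk/zpk pair each with a key-scheme prefix. The class and package names, the ISO format-0 code "01", and the check-value comparison are the example's own choices.

```java
// Added example (not code from the original post or from jPOS itself): driving the
// request/response schemas above through org.jpos.util.FSDMsg.
// Assumed: request schemas under cfg/thales/request/ (base.xml, FA.xml, CI.xml) and
// response schemas under cfg/thales/response/ (base.xml, FB.xml, CJ.xml), so the key
// field ("command" / "response") selects the second schema; the HSM is reached over
// TCP with a 2-byte big-endian length prefix and no message header is configured.
package com.example.hsm;   // hypothetical package name

import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.net.Socket;
import org.jpos.util.FSDMsg;

public class ThalesCommands {
    private static final String REQUEST_BASE  = "file:cfg/thales/request/";
    private static final String RESPONSE_BASE = "file:cfg/thales/response/";
    private final String host;
    private final int port;

    public ThalesCommands(String host, int port) { this.host = host; this.port = port; }

    /** What the application stores after an FA: the ZPK cryptogram under LMK, never a clear key. */
    public static final class ZpkUnderLmk {
        public final String keyType, cryptogram, checkValue;
        ZpkUnderLmk(String keyType, String cryptogram, String checkValue) {
            this.keyType = keyType; this.cryptogram = cryptogram; this.checkValue = checkValue;
        }
    }

    /** FA/FB: translate the ZPK delivered in the 0800 from ZMK to LMK encryption. */
    public ZpkUnderLmk translateZpkToLmk(String zmkUnderLmk, String zpkUnderZmk, String expectedKcv)
            throws Exception {
        FSDMsg fa = new FSDMsg(REQUEST_BASE);  // base.xml, then FA.xml once "command" is set
        fa.set("command", "FA");
        fa.set("zmk-type", "U");               // 'U' = double-length key (assumed scheme)
        fa.set("zmk", zmkUnderLmk);            // ZMK cryptogram from the key ceremony
        fa.set("zpk-type", "U");
        fa.set("zpk", zpkUnderZmk);            // ZPK exactly as received from the gateway
        FSDMsg fb = exchange(fa);
        requireOk(fb, "FB");
        ZpkUnderLmk zpk = new ZpkUnderLmk(fb.get("zpk-type"), fb.get("zpk"), fb.get("zpk-check"));
        // Refuse to install a key whose check value disagrees with the one the gateway sent
        // alongside it (assumed: the 0800 carries a KCV; pass null if your spec has none).
        if (expectedKcv != null && !expectedKcv.equalsIgnoreCase(zpk.checkValue)) {
            throw new SecurityException("ZPK check value mismatch; key not installed");
        }
        return zpk;
    }

    /** CI/CJ: translate the terminal's DUKPT PIN block into a 3DES PIN block under the ZPK. */
    public String translatePin(String bdkUnderLmk, ZpkUnderLmk zpk, String ksnDescriptor,
                               String ksn, String dukptPinBlock, String pan12) throws Exception {
        FSDMsg ci = new FSDMsg(REQUEST_BASE);  // base.xml, then CI.xml
        ci.set("command", "CI");
        ci.set("bdk", bdkUnderLmk);
        ci.set("zpk-type", zpk.keyType);
        ci.set("zpk", zpk.cryptogram);         // the cryptogram saved from the FB above
        ci.set("ksn-descriptor", ksnDescriptor); // taken from your terminals' KSN layout
        ci.set("ksn", ksn);
        ci.set("pinblk", dukptPinBlock);
        ci.set("destination-pinblk-format", "01"); // assumed: Thales code for ISO 9564 format 0
        ci.set("account-number", pan12);       // 12 rightmost PAN digits, check digit excluded
        FSDMsg cj = exchange(ci);
        requireOk(cj, "CJ");
        return cj.get("pinblk");               // goes straight into the outbound 0200; never log it
    }

    /** One request/response round trip; the response base schema picks FB.xml or CJ.xml. */
    private FSDMsg exchange(FSDMsg request) throws Exception {
        byte[] out = request.pack();
        try (Socket socket = new Socket(host, port);
             DataOutputStream dos = new DataOutputStream(socket.getOutputStream());
             DataInputStream dis = new DataInputStream(socket.getInputStream())) {
            dos.writeShort(out.length);         // 2-byte length prefix (assumed framing)
            dos.write(out);
            dos.flush();
            byte[] in = new byte[dis.readUnsignedShort()];
            dis.readFully(in);
            FSDMsg response = new FSDMsg(RESPONSE_BASE);
            response.unpack(in);
            return response;
        }
    }

    /** Fail closed: only the expected response code with error "00" counts as success. */
    private static void requireOk(FSDMsg response, String expectedCode) {
        if (!expectedCode.equals(response.get("response")) || !"00".equals(response.get("error"))) {
            throw new IllegalStateException("HSM returned " + response.get("response")
                    + " with error code " + response.get("error"));
        }
    }
}
```

The only value persisted from the key exchange is the FB's zpk cryptogram (plus its type and check value); clear keys never leave the HSM. The CJ's pinblk is what goes into the 0200 to the gateway, so keep the CI and CJ messages out of any FSDMsg dump or transaction log, where the PIN block and KSN would otherwise be written in the clear.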
Visited your blog while searching for something; nice work....keep it up!
Posted by: The Jaywalker | Sunday, August 27, 2006 at 03:07
Hi Andy,
I am trying to create a test scenario using jPOS.
I have been able to create the ZMK using 3 components that were provided to me.
Still, I have an encrypted ZPK that needs to be decrypted into 'clear' format.
Regarding the LMK file I need to know if it has some specific format or extension.
I'd really appreciate any suggestions regarding this issue.
Great work on that blog!!
Posted by: Rony Nasr | Friday, October 23, 2009 at 02:55
How is Triple DES Master/Session Encryption used in a retail POS application using a POS terminal like a PIN pad? I want to understand the sequence starting from the PIN pad being injected by the POS manufacturer, then the POS application appending the session key during the transaction, etc. Thanks
Posted by: Tanveer | Tuesday, February 23, 2010 at 10:51
Hi,
Great blog... I am trying to transfer keys from 8000 to 9000. Both will have the same LMK. Any idea on how to go about this?
Posted by: kickofit | Wednesday, June 13, 2012 at 13:30