A brief comparison of AS2805 and (TR-31) Key Blocks

Recently PCI-SSC released PCI industry standards and clarifying FAQs mandating that encryption keys should be managed in structures called Key Blocks. Key Blocks are defined in the ANSI TR-31 Technical Report and ISO 20038 Standard. Similarly, there are concerns about the use of key variants in some regions. Late in 2019 PCI-SSC also published a process …

Importing ZPK and ZMK into Thales Payshield 9000 HSM

ZMK: A Zone Master Key (ZMK), also known as an Interchange key (IK), is a key-encrypting key which is distributed manually between two communicating sites, within a shared network, in order that further keys can be exchanged automatically. The ZMK is used to encrypt keys of a lower level (e.g. ZPK) for transmission. The ZMK is …

Signature and Certificate based key injection for ATM

Overview: Remote key loading infrastructures generally implement Diebold’s and Triton’s Certificate Based Protocols (CBP), and NCR, Wincor and Hyosung Signature based Protocols. The Diebold and Triton approaches use X.509 certificates and PKCS message formats to transport key data. NCR, Wincor and Hyosung methods rely on digital signatures to ensure data integrity. Both processes require the …

The Refund vulnerability of AS2805 and EFTPOS

Transactions are normally validated, matched, then processed. This is commonly done to ensure that requests sent to a payments switch are associated with their responses before delivering responses to a terminal. Now for all transaction types this process is true, except for refunds. Well, at least it’s not matched for most financial institutions in Australia.

DUKPT Explained with examples

The Derived Unique Key Per Transaction (DUKPT) process is described in Annex A of ANS X9.24-2004. It’s generally considered to be complex, but I’ve simplified it slightly with the help of online resources. Key Management: Here’s a basic outline of the technique: You’re given a Base Derivation Key (BDK), which you assign to a swiper (note …

EFTPOS Initialisation using RSA Cryptography

Before you start with RSA, you should generate a public and private key pair using your HSM. These can be group keys or specific to the terminal you need to connect. Your terminal manufacturer will also provide its public key and modulus. Using these keys you will be able to calculate the TMK1 and TMK2 …

ATM Pin encryption using 3DES

Introduction: Most modern ATMs use a Triple DES algorithm to encrypt the PIN and send it to a host server for processing. Once the host system receives the PIN, it translates the PIN from one encryption key to another, and sends it to a bank. In this post I will attempt to …

Implementing AS2805 Part 6 Host to Host Encryption using a Thales 9000 and Python

Introduction: The AS2805.6 Standard specifies communication security between two nodes during a financial transaction. These nodes need to have a specific set of encryption algorithms, and need to follow a specific process. The specification is not very clear on what exactly needs to happen, so I intend to clarify the exact steps, with the HSM …

Typical Cryptography in AS2805 Explained

Key Management conforms to AS 2805 part 6.1. KEK Establishment: Each interchange node contains an Interchange Send Key Encrypting Key (KEKs) and an Interchange Receive Key Encrypting Key (KEKr). The Interchange Send KEK is the same key as the Interchange Receive KEK in the partnering node; similarly, the Interchange Receive KEK is the same as the Interchange …

Thales 9000 with AS2805 Interchange & RSA EFTPOS Commands.

Interchange Cryptographic Keys: Interchange keys are used to protect financial transactions initiated at Acquirer eftpos / ATM Terminals while in transit to the Issuer institution. Interchange keys may be either: (a) PIN encrypting keys – used to protect the customer PIN from the point of origin to the point of authorisation. PIN encrypting keys are …