Importing ZPK and ZMK into Thales Payshield 9000 HSM

ZMK: A Zone Master Key (ZMK), also known as an Interchange key (IK), is a key-encrypting key which is distributed manually between two communicating sites, within a shared network, in order that further keys can be exchanged automatically. The ZMK is used to encrypt keys of a lower level (e.g. ZPK) for transmission. The ZMK is …

Implementing AS2805 Part 6 Host to Host Encryption using a Thales 9000 and Python

Introduction: The AS2805.6 Standard specifies communication security between two nodes during a financial transaction. These nodes need to have a specific set of encryption algorithms and need to follow a specific process. The specification is not very clear on what exactly needs to happen, so I intend to clarify the exact steps, with the HSM …

Typical Cryptography in AS2805 Explained

Key Management conforms to AS 2805 part 6.1. KEK Establishment: Each interchange node contains an Interchange Send Key Encrypting Key (KEKs) and an Interchange Receive Key Encrypting Key (KEKr). The Interchange Send KEK is the same key as the Interchange Receive KEK in the partnering node; similarly, the Interchange Receive KEK is the same as the Interchange …

Thales 9000 with AS2805 Interchange & RSA EFTPOS Commands.

Interchange Cryptographic Keys: Interchange keys are used to protect financial transactions initiated at Acquirer eftpos / ATM Terminals while in transit to the Issuer institution. Interchange keys may be either: (a) PIN encrypting keys – used to protect the customer PIN from the point of origin to the point of authorisation. PIN encrypting keys are …

Thales Key Exchange Examples and Troubleshooting

Judging from the searches done to locate this blog, it’s clear many of us share the following opinion: although Thales (formerly RACAL) is a market leader with its 7000 and 8000 series of HSM devices, their documentation falls painfully short in two areas: there are NO COMMAND EXAMPLES (!!!) in the manuals (an appalling omission); …

Testing DUKPT

As an acquirer, you can validate that your PIN translation command is working correctly even if you haven’t yet established connectivity to your Debit/EBT endpoint (or if you’ve established connectivity but don’t yet have your test key parts). Typically when we’re pressed into this situation, this is what we do if we’re working with the …