CINXE.COM

<!doctype html> <html lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="profile" href="https://gmpg.org/xfn/11" /> <title>HSM – Cryptography & Payments</title> <script type="text/javascript"> WebFontConfig = {"google":{"families":["Source+Sans+Pro:r,i,b,bi:latin,latin-ext"]},"api_url":"https:\/\/fonts-api.wp.com\/css"}; (function() { var wf = document.createElement('script'); wf.src = 'https://s0.wp.com/wp-content/plugins/custom-fonts/js/webfont.js'; wf.type = 'text/javascript'; wf.async = 'true'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(wf, s); })(); </script><style id="jetpack-custom-fonts-css"></style> <meta name='robots' content='max-image-preview:large' /> <meta name="google-site-verification" content="Zw5b22p04kGoy8Ch3FcgAxEamB26jLd3FALtlnOF6RA" />  <script id="wpcom_remote_login_js"> var wpcom_remote_login_extra_auth = ''; function wpcom_remote_login_remove_dom_node_id( element_id ) { var dom_node = document.getElementById( element_id ); if ( dom_node ) { dom_node.parentNode.removeChild( dom_node ); } } function wpcom_remote_login_remove_dom_node_classes( class_name ) { var dom_nodes = document.querySelectorAll( '.' + class_name ); for ( var i = 0; i < dom_nodes.length; i++ ) { dom_nodes[ i ].parentNode.removeChild( dom_nodes[ i ] ); } } function wpcom_remote_login_final_cleanup() { wpcom_remote_login_remove_dom_node_classes( "wpcom_remote_login_msg" ); wpcom_remote_login_remove_dom_node_id( "wpcom_remote_login_key" ); wpcom_remote_login_remove_dom_node_id( "wpcom_remote_login_validate" ); wpcom_remote_login_remove_dom_node_id( "wpcom_remote_login_js" ); wpcom_remote_login_remove_dom_node_id( "wpcom_request_access_iframe" ); wpcom_remote_login_remove_dom_node_id( "wpcom_request_access_styles" ); } // Watch for messages back from the remote login window.addEventListener( "message", function( e ) { if ( e.origin === "https://r-login.wordpress.com" ) { var data = {}; try { data = JSON.parse( e.data ); } catch( e ) { wpcom_remote_login_final_cleanup(); return; } if ( data.msg === 'LOGIN' ) { // Clean up the login check iframe wpcom_remote_login_remove_dom_node_id( "wpcom_remote_login_key" ); var id_regex = new RegExp( /^[0-9]+$/ ); var token_regex = new RegExp( /^.*|.*|.*$/ ); if ( token_regex.test( data.token ) && id_regex.test( data.wpcomid ) ) { // We have everything we need to ask for a login var script = document.createElement( "script" ); script.setAttribute( "id", "wpcom_remote_login_validate" ); script.src = '/remote-login.php?wpcom_remote_login=validate' + '&wpcomid=' + data.wpcomid + '&token=' + encodeURIComponent( data.token ) + '&host=' + window.location.protocol + '//' + window.location.hostname + '&postid=200' + '&is_singular='; document.body.appendChild( script ); } return; } // Safari ITP, not logged in, so redirect if ( data.msg === 'LOGIN-REDIRECT' ) { window.location = 'https://wordpress.com/log-in?redirect_to=' + window.location.href; return; } // Safari ITP, storage access failed, remove the request if ( data.msg === 'LOGIN-REMOVE' ) { var css_zap = 'html { -webkit-transition: margin-top 1s; transition: margin-top 1s; } /* 9001 */ html { margin-top: 0 !important; } * html body { margin-top: 0 !important; } @media screen and ( max-width: 782px ) { html { margin-top: 0 !important; } * html body { margin-top: 0 !important; } }'; var style_zap = document.createElement( 'style' ); style_zap.type = 'text/css'; style_zap.appendChild( document.createTextNode( css_zap ) ); document.body.appendChild( style_zap ); var e = document.getElementById( 'wpcom_request_access_iframe' ); e.parentNode.removeChild( e ); document.cookie = 'wordpress_com_login_access=denied; path=/; max-age=31536000'; return; } // Safari ITP if ( data.msg === 'REQUEST_ACCESS' ) { console.log( 'request access: safari' ); // Check ITP iframe enable/disable knob if ( wpcom_remote_login_extra_auth !== 'safari_itp_iframe' ) { return; } // If we are in a "private window" there is no ITP. var private_window = false; try { var opendb = window.openDatabase( null, null, null, null ); } catch( e ) { private_window = true; } if ( private_window ) { console.log( 'private window' ); return; } var iframe = document.createElement( 'iframe' ); iframe.id = 'wpcom_request_access_iframe'; iframe.setAttribute( 'scrolling', 'no' ); iframe.setAttribute( 'sandbox', 'allow-storage-access-by-user-activation allow-scripts allow-same-origin allow-top-navigation-by-user-activation' ); iframe.src = 'https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=request_access&origin=' + encodeURIComponent( data.origin ) + '&wpcomid=' + encodeURIComponent( data.wpcomid ); var css = 'html { -webkit-transition: margin-top 1s; transition: margin-top 1s; } /* 9001 */ html { margin-top: 46px !important; } * html body { margin-top: 46px !important; } @media screen and ( max-width: 660px ) { html { margin-top: 71px !important; } * html body { margin-top: 71px !important; } #wpcom_request_access_iframe { display: block; height: 71px !important; } } #wpcom_request_access_iframe { border: 0px; height: 46px; position: fixed; top: 0; left: 0; width: 100%; min-width: 100%; z-index: 99999; background: #23282d; } '; var style = document.createElement( 'style' ); style.type = 'text/css'; style.id = 'wpcom_request_access_styles'; style.appendChild( document.createTextNode( css ) ); document.body.appendChild( style ); document.body.appendChild( iframe ); } if ( data.msg === 'DONE' ) { wpcom_remote_login_final_cleanup(); } } }, false ); // Inject the remote login iframe after the page has had a chance to load // more critical resources window.addEventListener( "DOMContentLoaded", function( e ) { var iframe = document.createElement( "iframe" ); iframe.style.display = "none"; iframe.setAttribute( "scrolling", "no" ); iframe.setAttribute( "id", "wpcom_remote_login_key" ); iframe.src = "https://r-login.wordpress.com/remote-login.php" + "?wpcom_remote_login=key" + "&origin=aHR0cHM6Ly9hcnRodXJ2YW5kZXJtZXJ3ZS5jb20%3D" + "&wpcomid=70204527" + "&time=1732383688"; document.body.appendChild( iframe ); }, false ); </script> <link rel='dns-prefetch' href='//s1.wp.com' /> <link rel='dns-prefetch' href='//s2.wp.com' /> <link rel='dns-prefetch' href='//s0.wp.com' /> <link rel='dns-prefetch' href='//fonts-api.wp.com' /> <link rel='dns-prefetch' href='//s.pubmine.com' /> <link rel='dns-prefetch' href='//x.bidswitch.net' /> <link rel='dns-prefetch' href='//static.criteo.net' /> <link rel='dns-prefetch' href='//ib.adnxs.com' /> <link rel='dns-prefetch' href='//aax.amazon-adsystem.com' /> <link rel='dns-prefetch' href='//bidder.criteo.com' /> <link rel='dns-prefetch' href='//cas.criteo.com' /> <link rel='dns-prefetch' href='//gum.criteo.com' /> <link rel='dns-prefetch' href='//ads.pubmatic.com' /> <link rel='dns-prefetch' href='//gads.pubmatic.com' /> <link rel='dns-prefetch' href='//tpc.googlesyndication.com' /> <link rel='dns-prefetch' href='//ad.doubleclick.net' /> <link rel='dns-prefetch' href='//googleads.g.doubleclick.net' /> <link rel='dns-prefetch' href='//www.googletagservices.com' /> <link rel='dns-prefetch' href='//cdn.switchadhub.com' /> <link rel='dns-prefetch' href='//delivery.g.switchadhub.com' /> <link rel='dns-prefetch' href='//delivery.swid.switchadhub.com' /> <link rel='dns-prefetch' href='//a.teads.tv' /> <link rel='dns-prefetch' href='//prebid.media.net' /> <link rel='dns-prefetch' href='//adserver-us.adtech.advertising.com' /> <link rel='dns-prefetch' href='//fastlane.rubiconproject.com' /> <link rel='dns-prefetch' href='//prebid-server.rubiconproject.com' /> <link rel='dns-prefetch' href='//hb-api.omnitagjs.com' /> <link rel='dns-prefetch' href='//mtrx.go.sonobi.com' /> <link rel='dns-prefetch' href='//apex.go.sonobi.com' /> <link rel='dns-prefetch' href='//u.openx.net' /> <link rel="alternate" type="application/rss+xml" title="Cryptography & Payments » Feed" href="https://arthurvandermerwe.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Cryptography & Payments » Comments Feed" href="https://arthurvandermerwe.com/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="Cryptography & Payments » HSM Category Feed" href="https://arthurvandermerwe.com/category/hsm/feed/" /> <script type="text/javascript"> /* <![CDATA[ */ function addLoadEvent(func) { var oldonload = window.onload; if (typeof window.onload != 'function') { window.onload = func; } else { window.onload = function () { oldonload(); func(); } } } /* ]]> */ </script> <script> window._wpemojiSettings = {"baseUrl":"https:\/\/s0.wp.com\/wp-content\/mu-plugins\/wpcom-smileys\/twemoji\/2\/72x72\/","ext":".png","svgUrl":"https:\/\/s0.wp.com\/wp-content\/mu-plugins\/wpcom-smileys\/twemoji\/2\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/s2.wp.com\/wp-includes\/js\/wp-emoji-release.min.js?m=1719498190i&ver=6.8-alpha-59438"}}; /*! This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); </script> <link crossorigin='anonymous' rel='stylesheet' id='all-css-0-1' href='https://s2.wp.com/wp-content/blog-plugins/wordads/global.css?m=1561495466i&cssminify=yes' type='text/css' media='all' /> <style id='wp-emoji-styles-inline-css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link crossorigin='anonymous' rel='stylesheet' id='all-css-2-1' href='https://s0.wp.com/_static/??-eJydzMsOwiAQheEXEibEXtKF8VmATggVgcwMNby91U13LlyenHw/vKryJQtmgZpaiJkhtGM6pHA8hLCbRU96ANdiWsGl4h8qRUeWOrD0hNozX+Bn6KsYNpRqP9z20kQFiuu/CbISc+CT3583M1/NMg6zGbc3O1tP4A==&cssminify=yes' type='text/css' media='all' /> <style id='wp-block-library-inline-css'> .has-text-align-justify { text-align:justify; } .has-text-align-justify{text-align:justify;} </style> <link crossorigin='anonymous' rel='stylesheet' id='all-css-4-1' href='https://s2.wp.com/_static/??-eJzTLy/QzcxLzilNSS3WzyrWz01NyUxMzUnNTc0rQeEU5CRWphbp5qSmJyZX6uVm5uklFxfr6OPTDpRD5sM02efaGpoZmFkYGRuZGmQBAHPvL0Y=&cssminify=yes' type='text/css' media='all' /> <style id='jetpack-sharing-buttons-style-inline-css'> .jetpack-sharing-buttons__services-list{display:flex;flex-direction:row;flex-wrap:wrap;gap:0;list-style-type:none;margin:5px;padding:0}.jetpack-sharing-buttons__services-list.has-small-icon-size{font-size:12px}.jetpack-sharing-buttons__services-list.has-normal-icon-size{font-size:16px}.jetpack-sharing-buttons__services-list.has-large-icon-size{font-size:24px}.jetpack-sharing-buttons__services-list.has-huge-icon-size{font-size:36px}@media print{.jetpack-sharing-buttons__services-list{display:none!important}}.editor-styles-wrapper .wp-block-jetpack-sharing-buttons{gap:0;padding-inline-start:0}ul.jetpack-sharing-buttons__services-list.has-background{padding:1.25em 2.375em} </style> <link crossorigin='anonymous' rel='stylesheet' id='all-css-6-1' href='https://s2.wp.com/wp-content/plugins/coblocks/2.18.1-simple-rev.4/dist/coblocks-style.css?m=1681832297i&cssminify=yes' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <link crossorigin='anonymous' rel='stylesheet' id='all-css-8-1' href='https://s1.wp.com/_static/??/wp-content/mu-plugins/core-compat/wp-mediaelement.css,/wp-content/mu-plugins/wpcom-bbpress-premium-themes.css?m=1432920480j&cssminify=yes' type='text/css' media='all' /> <style id='global-styles-inline-css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--color--primary: #000000;--wp--preset--color--secondary: #3C8067;--wp--preset--color--foreground: #333333;--wp--preset--color--tertiary: #FAFBF6;--wp--preset--color--background: #FFFFFF;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--gradient--hard-diagonal: linear-gradient(to bottom right, #3C8067 49.9%, #FAFBF6 50%);--wp--preset--gradient--hard-diagonal-inverted: linear-gradient(to top left, #3C8067 49.9%, #FAFBF6 50%);--wp--preset--gradient--hard-horizontal: linear-gradient(to bottom, #3C8067 50%, #FAFBF6 50%);--wp--preset--gradient--hard-horizontal-inverted: linear-gradient(to top, #3C8067 50%, #FAFBF6 50%);--wp--preset--gradient--diagonal: linear-gradient(to bottom right, #3C8067, #FAFBF6);--wp--preset--gradient--diagonal-inverted: linear-gradient(to top left, #3C8067, #FAFBF6);--wp--preset--gradient--horizontal: linear-gradient(to bottom, #3C8067, #FAFBF6);--wp--preset--gradient--horizontal-inverted: linear-gradient(to top, #3C8067, #FAFBF6);--wp--preset--gradient--stripe: linear-gradient(to bottom, transparent 20%, #3C8067 20%, #3C8067 80%, transparent 80%);--wp--preset--font-size--small: 16px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 24px;--wp--preset--font-size--x-large: 42px;--wp--preset--font-size--tiny: 14px;--wp--preset--font-size--normal: 18px;--wp--preset--font-size--huge: 28px;--wp--preset--font-family--albert-sans: 'Albert Sans', sans-serif;--wp--preset--font-family--alegreya: Alegreya, serif;--wp--preset--font-family--arvo: Arvo, serif;--wp--preset--font-family--bodoni-moda: 'Bodoni Moda', serif;--wp--preset--font-family--bricolage-grotesque: 'Bricolage Grotesque', sans-serif;--wp--preset--font-family--cabin: Cabin, sans-serif;--wp--preset--font-family--chivo: Chivo, sans-serif;--wp--preset--font-family--commissioner: Commissioner, sans-serif;--wp--preset--font-family--cormorant: Cormorant, serif;--wp--preset--font-family--courier-prime: 'Courier Prime', monospace;--wp--preset--font-family--crimson-pro: 'Crimson Pro', serif;--wp--preset--font-family--dm-mono: 'DM Mono', monospace;--wp--preset--font-family--dm-sans: 'DM Sans', sans-serif;--wp--preset--font-family--dm-serif-display: 'DM Serif Display', serif;--wp--preset--font-family--domine: Domine, serif;--wp--preset--font-family--eb-garamond: 'EB Garamond', serif;--wp--preset--font-family--epilogue: Epilogue, sans-serif;--wp--preset--font-family--fahkwang: Fahkwang, sans-serif;--wp--preset--font-family--figtree: Figtree, sans-serif;--wp--preset--font-family--fira-sans: 'Fira Sans', sans-serif;--wp--preset--font-family--fjalla-one: 'Fjalla One', sans-serif;--wp--preset--font-family--fraunces: Fraunces, serif;--wp--preset--font-family--gabarito: Gabarito, system-ui;--wp--preset--font-family--ibm-plex-mono: 'IBM Plex Mono', monospace;--wp--preset--font-family--ibm-plex-sans: 'IBM Plex Sans', sans-serif;--wp--preset--font-family--ibarra-real-nova: 'Ibarra Real Nova', serif;--wp--preset--font-family--instrument-serif: 'Instrument Serif', serif;--wp--preset--font-family--inter: Inter, sans-serif;--wp--preset--font-family--josefin-sans: 'Josefin Sans', sans-serif;--wp--preset--font-family--jost: Jost, sans-serif;--wp--preset--font-family--libre-baskerville: 'Libre Baskerville', serif;--wp--preset--font-family--libre-franklin: 'Libre Franklin', sans-serif;--wp--preset--font-family--literata: Literata, serif;--wp--preset--font-family--lora: Lora, serif;--wp--preset--font-family--merriweather: Merriweather, serif;--wp--preset--font-family--montserrat: Montserrat, sans-serif;--wp--preset--font-family--newsreader: Newsreader, serif;--wp--preset--font-family--noto-sans-mono: 'Noto Sans Mono', sans-serif;--wp--preset--font-family--nunito: Nunito, sans-serif;--wp--preset--font-family--open-sans: 'Open Sans', sans-serif;--wp--preset--font-family--overpass: Overpass, sans-serif;--wp--preset--font-family--pt-serif: 'PT Serif', serif;--wp--preset--font-family--petrona: Petrona, serif;--wp--preset--font-family--piazzolla: Piazzolla, serif;--wp--preset--font-family--playfair-display: 'Playfair Display', serif;--wp--preset--font-family--plus-jakarta-sans: 'Plus Jakarta Sans', sans-serif;--wp--preset--font-family--poppins: Poppins, sans-serif;--wp--preset--font-family--raleway: Raleway, sans-serif;--wp--preset--font-family--roboto: Roboto, sans-serif;--wp--preset--font-family--roboto-slab: 'Roboto Slab', serif;--wp--preset--font-family--rubik: Rubik, sans-serif;--wp--preset--font-family--rufina: Rufina, serif;--wp--preset--font-family--sora: Sora, sans-serif;--wp--preset--font-family--source-sans-3: 'Source Sans 3', sans-serif;--wp--preset--font-family--source-serif-4: 'Source Serif 4', serif;--wp--preset--font-family--space-mono: 'Space Mono', monospace;--wp--preset--font-family--syne: Syne, sans-serif;--wp--preset--font-family--texturina: Texturina, serif;--wp--preset--font-family--urbanist: Urbanist, sans-serif;--wp--preset--font-family--work-sans: 'Work Sans', sans-serif;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}.has-albert-sans-font-family{font-family: var(--wp--preset--font-family--albert-sans) !important;}.has-alegreya-font-family{font-family: var(--wp--preset--font-family--alegreya) !important;}.has-arvo-font-family{font-family: var(--wp--preset--font-family--arvo) !important;}.has-bodoni-moda-font-family{font-family: var(--wp--preset--font-family--bodoni-moda) !important;}.has-bricolage-grotesque-font-family{font-family: var(--wp--preset--font-family--bricolage-grotesque) !important;}.has-cabin-font-family{font-family: var(--wp--preset--font-family--cabin) !important;}.has-chivo-font-family{font-family: var(--wp--preset--font-family--chivo) !important;}.has-commissioner-font-family{font-family: var(--wp--preset--font-family--commissioner) !important;}.has-cormorant-font-family{font-family: var(--wp--preset--font-family--cormorant) !important;}.has-courier-prime-font-family{font-family: var(--wp--preset--font-family--courier-prime) !important;}.has-crimson-pro-font-family{font-family: var(--wp--preset--font-family--crimson-pro) !important;}.has-dm-mono-font-family{font-family: var(--wp--preset--font-family--dm-mono) !important;}.has-dm-sans-font-family{font-family: var(--wp--preset--font-family--dm-sans) !important;}.has-dm-serif-display-font-family{font-family: var(--wp--preset--font-family--dm-serif-display) !important;}.has-domine-font-family{font-family: var(--wp--preset--font-family--domine) !important;}.has-eb-garamond-font-family{font-family: var(--wp--preset--font-family--eb-garamond) !important;}.has-epilogue-font-family{font-family: var(--wp--preset--font-family--epilogue) !important;}.has-fahkwang-font-family{font-family: var(--wp--preset--font-family--fahkwang) !important;}.has-figtree-font-family{font-family: var(--wp--preset--font-family--figtree) !important;}.has-fira-sans-font-family{font-family: var(--wp--preset--font-family--fira-sans) !important;}.has-fjalla-one-font-family{font-family: var(--wp--preset--font-family--fjalla-one) !important;}.has-fraunces-font-family{font-family: var(--wp--preset--font-family--fraunces) !important;}.has-gabarito-font-family{font-family: var(--wp--preset--font-family--gabarito) !important;}.has-ibm-plex-mono-font-family{font-family: var(--wp--preset--font-family--ibm-plex-mono) !important;}.has-ibm-plex-sans-font-family{font-family: var(--wp--preset--font-family--ibm-plex-sans) !important;}.has-ibarra-real-nova-font-family{font-family: var(--wp--preset--font-family--ibarra-real-nova) !important;}.has-instrument-serif-font-family{font-family: var(--wp--preset--font-family--instrument-serif) !important;}.has-inter-font-family{font-family: var(--wp--preset--font-family--inter) !important;}.has-josefin-sans-font-family{font-family: var(--wp--preset--font-family--josefin-sans) !important;}.has-jost-font-family{font-family: var(--wp--preset--font-family--jost) !important;}.has-libre-baskerville-font-family{font-family: var(--wp--preset--font-family--libre-baskerville) !important;}.has-libre-franklin-font-family{font-family: var(--wp--preset--font-family--libre-franklin) !important;}.has-literata-font-family{font-family: var(--wp--preset--font-family--literata) !important;}.has-lora-font-family{font-family: var(--wp--preset--font-family--lora) !important;}.has-merriweather-font-family{font-family: var(--wp--preset--font-family--merriweather) !important;}.has-montserrat-font-family{font-family: var(--wp--preset--font-family--montserrat) !important;}.has-newsreader-font-family{font-family: var(--wp--preset--font-family--newsreader) !important;}.has-noto-sans-mono-font-family{font-family: var(--wp--preset--font-family--noto-sans-mono) !important;}.has-nunito-font-family{font-family: var(--wp--preset--font-family--nunito) !important;}.has-open-sans-font-family{font-family: var(--wp--preset--font-family--open-sans) !important;}.has-overpass-font-family{font-family: var(--wp--preset--font-family--overpass) !important;}.has-pt-serif-font-family{font-family: var(--wp--preset--font-family--pt-serif) !important;}.has-petrona-font-family{font-family: var(--wp--preset--font-family--petrona) !important;}.has-piazzolla-font-family{font-family: var(--wp--preset--font-family--piazzolla) !important;}.has-playfair-display-font-family{font-family: var(--wp--preset--font-family--playfair-display) !important;}.has-plus-jakarta-sans-font-family{font-family: var(--wp--preset--font-family--plus-jakarta-sans) !important;}.has-poppins-font-family{font-family: var(--wp--preset--font-family--poppins) !important;}.has-raleway-font-family{font-family: var(--wp--preset--font-family--raleway) !important;}.has-roboto-font-family{font-family: var(--wp--preset--font-family--roboto) !important;}.has-roboto-slab-font-family{font-family: var(--wp--preset--font-family--roboto-slab) !important;}.has-rubik-font-family{font-family: var(--wp--preset--font-family--rubik) !important;}.has-rufina-font-family{font-family: var(--wp--preset--font-family--rufina) !important;}.has-sora-font-family{font-family: var(--wp--preset--font-family--sora) !important;}.has-source-sans-3-font-family{font-family: var(--wp--preset--font-family--source-sans-3) !important;}.has-source-serif-4-font-family{font-family: var(--wp--preset--font-family--source-serif-4) !important;}.has-space-mono-font-family{font-family: var(--wp--preset--font-family--space-mono) !important;}.has-syne-font-family{font-family: var(--wp--preset--font-family--syne) !important;}.has-texturina-font-family{font-family: var(--wp--preset--font-family--texturina) !important;}.has-urbanist-font-family{font-family: var(--wp--preset--font-family--urbanist) !important;}.has-work-sans-font-family{font-family: var(--wp--preset--font-family--work-sans) !important;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} </style> <link rel='stylesheet' id='seedlet-fonts-css' href='https://fonts-api.wp.com/css?family=Fira+Sans%3Aital%2Cwght%400%2C400%3B0%2C500%3B1%2C400%7CPlayfair+Display%3Aital%2Cwght%400%2C400%3B0%2C700%3B1%2C400&subset=latin%2Clatin-ext' media='all' /> <link crossorigin='anonymous' rel='stylesheet' id='all-css-12-1' href='https://s0.wp.com/_static/??/wp-content/themes/pub/seedlet/style.css,/wp-content/themes/pub/seedlet/assets/css/style-navigation.css?m=1720456615j&cssminify=yes' type='text/css' media='all' /> <link crossorigin='anonymous' rel='stylesheet' id='print-css-13-1' href='https://s2.wp.com/wp-content/themes/pub/seedlet/assets/css/print.css?m=1603804565i&cssminify=yes' type='text/css' media='print' /> <link crossorigin='anonymous' rel='stylesheet' id='all-css-14-1' href='https://s0.wp.com/_static/??-eJx9y0EOwjAMRNELYQyiBbFAnKU1JgQ5dlQ7qnp7yq5s2M2X5uFcgUyDNTBeXNixthGd+SEcmJVwrmQFPBbhPbnvcENKgyotZXWceBRL60y4vjb5DyU2EKMhsulPwFOGPH3pvdyO/bU7dOdLf3p/AANwQOQ=&cssminify=yes' type='text/css' media='all' /> <style id='jetpack-global-styles-frontend-style-inline-css'> :root { --font-headings: unset; --font-base: unset; --font-headings-default: -apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",sans-serif; --font-base-default: -apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",sans-serif;} </style> <link crossorigin='anonymous' rel='stylesheet' id='all-css-16-1' href='https://s2.wp.com/wp-content/themes/h4/global.css?m=1420737423i&cssminify=yes' type='text/css' media='all' /> <script id="wpcom-actionbar-placeholder-js-extra"> var actionbardata = {"siteID":"70204527","postID":"0","siteURL":"https:\/\/arthurvandermerwe.com","xhrURL":"https:\/\/arthurvandermerwe.com\/wp-admin\/admin-ajax.php","nonce":"f1f7d771d3","isLoggedIn":"","statusMessage":"","subsEmailDefault":"instantly","proxyScriptUrl":"https:\/\/s0.wp.com\/wp-content\/js\/wpcom-proxy-request.js?ver=20211021","i18n":{"followedText":"New posts from this site will now appear in your <a href=\"https:\/\/wordpress.com\/read\">Reader<\/a>","foldBar":"Collapse this bar","unfoldBar":"Expand this bar"}}; </script> <script id="jetpack-mu-wpcom-settings-js-before"> var JETPACK_MU_WPCOM_SETTINGS = {"assetsUrl":"https:\/\/s1.wp.com\/wp-content\/mu-plugins\/jetpack-mu-wpcom-plugin\/sun\/vendor\/automattic\/jetpack-mu-wpcom\/src\/build\/"}; </script> <script crossorigin='anonymous' type='text/javascript' src='https://s1.wp.com/_static/??/wp-content/js/rlt-proxy.js,/wp-content/blog-plugins/wordads-classes/js/cmp/v2/cmp-non-gdpr.js?m=1720530689j'></script> <script id="rlt-proxy-js-after"> rltInitialize( {"token":null,"iframeOrigins":["https:\/\/widgets.wp.com"]} ); </script> <link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://arthurvandermerwe.wordpress.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress.com" />  <meta property="og:type" content="website" /> <meta property="og:title" content="HSM – Cryptography & Payments" /> <meta property="og:url" content="https://arthurvandermerwe.com/category/hsm/" /> <meta property="og:site_name" content="Cryptography & Payments" /> <meta property="og:image" content="https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=200" /> <meta property="og:image:width" content="200" /> <meta property="og:image:height" content="200" /> <meta property="og:image:alt" content="" /> <meta property="og:locale" content="en_US" />  <link rel='openid.server' href='https://arthurvandermerwe.com/?openidserver=1' /> <link rel='openid.delegate' href='https://arthurvandermerwe.com/' /> <link rel="search" type="application/opensearchdescription+xml" href="https://arthurvandermerwe.com/osd.xml" title="Cryptography & Payments" /> <link rel="search" type="application/opensearchdescription+xml" href="https://s1.wp.com/opensearch.xml" title="WordPress.com" /> <style type="text/css"> .recentcomments a { display: inline !important; padding: 0 !important; margin: 0 !important; } table.recentcommentsavatartop img.avatar, table.recentcommentsavatarend img.avatar { border: 0px; margin: 0; } table.recentcommentsavatartop a, table.recentcommentsavatarend a { border: 0px !important; background-color: transparent !important; } td.recentcommentsavatarend, td.recentcommentsavatartop { padding: 0px 0px 1px 0px; margin: 0px; } td.recentcommentstextend { border: none !important; padding: 0px 0px 2px 10px; } .rtl td.recentcommentstextend { padding: 0px 10px 2px 0px; } td.recentcommentstexttop { border: none; padding: 0px 0px 0px 10px; } .rtl td.recentcommentstexttop { padding: 0px 10px 0px 0px; } </style> <meta name="application-name" content="Cryptography & Payments" /><meta name="msapplication-window" content="width=device-width;height=device-height" /><meta name="msapplication-tooltip" content="Arthur Van Der Merwe" /><meta name="description" content="Posts about HSM written by arthurvdmerwe" /> <script> var wa_smart = { 'network_id': 3905, 'site_id': 560111, 'page_id': 1700829, 'blog_id': 70204527, 'post_id': null, 'theme': 'pub/seedlet', 'target': 'wp_blog_id=70204527;language=en', '_': { 'title': 'Advertisement', 'privacy_settings': 'Privacy Settings' }, 'top': { 'enabled': false, 'adflow_enabled': true, 'format_id': 135099 }, 'inline': { 'enabled': false, 'adflow_enabled': true, 'format_id': 110354, 'max_slots': 20, 'max_blaze_slots': 20 }, 'belowpost': { 'enabled': false, 'adflow_enabled': true, 'format_id': 134071 }, 'bottom_sticky': { 'enabled': false, 'adflow_enabled': true, 'format_id': 117571 }, 'sidebar': { 'enabled': false, 'adflow_enabled': true, 'format_id': 134686 }, 'sidebar_sticky_right': { 'enabled': false, 'adflow_enabled': true, 'format_id': 135281 }, 'gutenberg_rectangle': { 'enabled': false, 'adflow_enabled': true, 'format_id': 134788 }, 'gutenberg_leaderboard': { 'enabled': false, 'adflow_enabled': true, 'format_id': 135073 }, 'gutenberg_mobile_leaderboard': { 'enabled': false, 'adflow_enabled': true, 'format_id': 135098 }, 'gutenberg_skyscraper': { 'enabled': false, 'adflow_enabled': true, 'format_id': 135088 } }; wa_smart.cmd = []; </script> <script type="text/javascript"> function __ATA_CC() {var v = document.cookie.match('(^|;) ?personalized-ads-consent=([^;]*)(;|$)');return v ? 1 : 0;} var __ATA_PP = { 'pt': 3, 'ht': 1, 'tn': 'seedlet', 'uloggedin': 0, 'amp': false, 'consent': __ATA_CC(), 'gdpr_applies': false, 'ad': { 'label': { 'text': 'Advertisements' }, 'reportAd': { 'text': 'Report this ad' } }, 'disabled_slot_formats': [], 'siteid': 70204527, 'afp_ad_client': 'pub-6694573643007653' }; var __ATA = __ATA || {}; __ATA.cmd = __ATA.cmd || []; __ATA.criteo = __ATA.criteo || {}; __ATA.criteo.cmd = __ATA.criteo.cmd || []; </script> <script type="text/javascript"> (function(){var g=Date.now||function(){return+new Date};function h(a,b){a:{for(var c=a.length,d="string"==typeof a?a.split(""):a,e=0;e<c;e++)if(e in d&&b.call(void 0,d[e],e,a)){b=e;break a}b=-1}return 0>b?null:"string"==typeof a?a.charAt(b):a[b]};function k(a,b,c){c=null!=c?"="+encodeURIComponent(String(c)):"";if(b+=c){c=a.indexOf("#");0>c&&(c=a.length);var d=a.indexOf("?");if(0>d||d>c){d=c;var e=""}else e=a.substring(d+1,c);a=[a.substr(0,d),e,a.substr(c)];c=a[1];a[1]=b?c?c+"&"+b:b:c;a=a[0]+(a[1]?"?"+a[1]:"")+a[2]}return a};var l=0;function m(a,b){var c=document.createElement("script");c.src=a;c.onload=function(){b&&b(void 0)};c.onerror=function(){b&&b("error")};a=document.getElementsByTagName("head");var d;a&&0!==a.length?d=a[0]:d=document.documentElement;d.appendChild(c)}function n(a){var b=void 0===b?document.cookie:b;return(b=h(b.split("; "),function(c){return-1!=c.indexOf(a+"=")}))?b.split("=")[1]:""}function p(a){return"string"==typeof a&&0<a.length} function r(a,b,c){b=void 0===b?"":b;c=void 0===c?".":c;var d=[];Object.keys(a).forEach(function(e){var f=a[e],q=typeof f;"object"==q&&null!=f||"function"==q?d.push(r(f,b+e+c)):null!==f&&void 0!==f&&(e=encodeURIComponent(b+e),d.push(e+"="+encodeURIComponent(f)))});return d.filter(p).join("&")}function t(a,b){a||((window.__ATA||{}).config=b.c,m(b.url))}var u=Math.floor(1E13*Math.random()),v=window.__ATA||{};window.__ATA=v;window.__ATA.cmd=v.cmd||[];v.rid=u;v.createdAt=g();var w=window.__ATA||{},x="s.pubmine.com"; w&&w.serverDomain&&(x=w.serverDomain);var y="//"+x+"/conf",z=window.top===window,A=window.__ATA_PP&&window.__ATA_PP.gdpr_applies,B="boolean"===typeof A?Number(A):null,C=window.__ATA_PP||null,D=z?document.referrer?document.referrer:null:null,E=z?window.location.href:document.referrer?document.referrer:null,F,G=n("__ATA_tuuid");F=G?G:null;var H=window.innerWidth+"x"+window.innerHeight,I=n("usprivacy"),J=r({gdpr:B,pp:C,rid:u,src:D,ref:E,tuuid:F,vp:H,us_privacy:I?I:null},"","."); (function(a){var b=void 0===b?"cb":b;l++;var c="callback__"+g().toString(36)+"_"+l.toString(36);a=k(a,b,c);window[c]=function(d){t(void 0,d)};m(a,function(d){d&&t(d)})})(y+"?"+J);}).call(this); </script> <script> var sas_fallback = sas_fallback || []; sas_fallback.push( { tag: "<div id="atatags-702045271-{{unique_id}}"></div><script>__ATA.cmd.push(function() {__ATA.initDynamicSlot({id: \'atatags-702045271-{{unique_id}}\',location: 120,formFactor: \'001\',label: {text: \'Advertisements\',},creative: {reportAd: {text: \'Report this ad\',},privacySettings: {text: \'Privacy\',}}});});</script>", type: 'belowpost' }, { tag: "<div id="atatags-702045271-{{unique_id}}"></div><script>__ATA.cmd.push(function() {__ATA.initDynamicSlot({id: \'atatags-702045271-{{unique_id}}\',location: 310,formFactor: \'001\',label: {text: \'Advertisements\',},creative: {reportAd: {text: \'Report this ad\',},privacySettings: {text: \'Privacy\',}}});});</script>", type: 'inline' }, { tag: "<div id="atatags-702045271-{{unique_id}}"></div><script>__ATA.cmd.push(function() {__ATA.initDynamicSlot({id: \'atatags-702045271-{{unique_id}}\',location: 140,formFactor: \'003\',label: {text: \'Advertisements\',},creative: {reportAd: {text: \'Report this ad\',},privacySettings: {text: \'Privacy\',}}});});</script>", type: 'sidebar' }, { tag: "<div id="atatags-702045271-{{unique_id}}"></div><script>__ATA.cmd.push(function() {__ATA.initDynamicSlot({id: \'atatags-702045271-{{unique_id}}\',location: 110,formFactor: \'002\',label: {text: \'Advertisements\',},creative: {reportAd: {text: \'Report this ad\',},privacySettings: {text: \'Privacy\',}}});});</script>", type: 'top' } ); </script><link rel="icon" href="https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=32" sizes="32x32" /> <link rel="icon" href="https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=192" sizes="192x192" /> <link rel="apple-touch-icon" href="https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=180" /> <meta name="msapplication-TileImage" content="https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=270" /> </head> <body class="archive category category-hsm category-608566 wp-embed-responsive customizer-styles-applied hfeed has-main-navigation jetpack-reblog-enabled"> <div id="page" class="site"> <a class="skip-link screen-reader-text" href="#content">Skip to content</a> <header id="masthead" class="site-header header_classes has-title-and-tagline has-menu" role="banner"> <div class="site-branding"> <p class="site-title"><a href="https://arthurvandermerwe.com/" rel="home">Cryptography & Payments</a></p> <p class="site-description"> Arthur Van Der Merwe </p> </div> <nav id="site-navigation" class="primary-navigation" role="navigation" aria-label="Main"> <button id="primary-close-menu" class="button close"> <span class="dropdown-icon close">Close <svg class="svg-icon" width="24" height="24" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M12 10.9394L5.53033 4.46973L4.46967 5.53039L10.9393 12.0001L4.46967 18.4697L5.53033 19.5304L12 13.0607L18.4697 19.5304L19.5303 18.4697L13.0607 12.0001L19.5303 5.53039L18.4697 4.46973L12 10.9394Z" fill="currentColor"/></svg></span> <span class="hide-visually collapsed-text">collapsed</span> </button> <div class="primary-menu-container"><ul id="menu-financial-switching-1" class="menu-wrapper"><li class="menu-item menu-item-type-taxonomy menu-item-object-category current-menu-item menu-item-239"><a href="https://arthurvandermerwe.com/category/hsm/" aria-current="page">HSM</a></li> <li class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-240"><a href="https://arthurvandermerwe.com/category/cryptography-2/">Cryptography</a></li> <li class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-241"><a href="https://arthurvandermerwe.com/category/financial-switching/">Financial Switching</a></li> <li class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-242"><a href="https://arthurvandermerwe.com/category/atm-tracing/">ATM Tracing</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-27"><a href="https://arthurvandermerwe.com/downloads/">Downloads</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-5"><a href="https://arthurvandermerwe.com/about/">About</a></li> </ul></div> </nav> <div class="menu-button-container"> <button id="primary-open-menu" class="button open"> <span class="dropdown-icon open">Menu <svg class="svg-icon" width="24" height="24" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M4.5 6H19.5V7.5H4.5V6ZM4.5 12H19.5V13.5H4.5V12ZM19.5 18H4.5V19.5H19.5V18Z" fill="currentColor"/></svg></span> <span class="hide-visually expanded-text">expanded</span> </button> </div> <div class="menu-button-container"> </div> </header> <div id="content" class="site-content"> <section id="primary" class="content-area"> <main id="main" class="site-main" role="main"> <header class="page-header default-max-width"> <h1 class="page-title"><span class="archive-prefix">Category Archives: </span><span class="page-description">HSM</span></h1> </header> <article id="post-200" class="post-200 post type-post status-publish format-standard hentry category-cryptography-2 category-financial-switching category-hsm tag-cryptography tag-zmk tag-zpk entry"> <header class="entry-header default-max-width"> <h2 class="entry-title"><a href="https://arthurvandermerwe.com/2016/09/04/importing-zpk-and-zmk-into-thales-payshield-9000-hsm/" rel="bookmark">Importing ZPK and ZMK into Thales Payshield 9000 HSM</a></h2> </header> <div class="entry-content"> <p><strong>ZMK</strong></p> <p>Zone Master Key (ZMK) also known as an <strong>Interchange key (IK)</strong>, is a key-encrypting key which is distributed manually between two communicating sites, within a shared network, in order that further keys can be exchanged automatically. The ZMK is used to encrypt keys of a lower level (e.g. ZPK) for transmission.</p> <p>The ZMK is exchanged using secured methods and Split knowledge policy. The IK is split into two components that are sent by two separate physical couriers to two nominated Security Officers of the other party. This is one of the most secure way to do it since no single person gains knowledge of the clear ZMK.</p> <p>Here is the detailed Process. please note values indicated here are for testing only, in live environment the values will be exchanged securely.</p> <hr /> <p><strong>Build ZMK Key manually:</strong></p> <p>This key is generated by two components, lets call them K1 and K2. To obtain the ZMK Key,</p> <div class="highlighter-rouge"> <pre class="highlight"><code>ZMK = K1 XOR K2 </code></pre> </div> <p>Test values provided,</p> <div class="highlighter-rouge"> <pre class="highlight"><code>K1 (clear) = 6D6B E51F 04F7 6167 4915 54FE 25F7 ABEF K2 (clear) = 6749 9B2C F137 DFCB 9EA2 8FF7 57CD 10A7 ZMK (clear) key = K1 XOR K2 = 0A227E33F5C0BEACD7B7DB09723ABB48; KCV = 05EE1D </code></pre> <hr /> </div> <p><strong>Import ZMK into HSM</strong></p> <div class="highlighter-rouge"> <pre class="highlight"><code>FK Key length [1,2,3]: 2 Key Type: 000 Key Scheme: U Component type [X,H,E,S]: X Enter number of components (2-9): 2 Enter component #1: 6D6BE51F04F76167491554FE25F7ABEF Enter component #2: 67499B2CF137DFCB9EA28FF757CD10A7 Encrypted key: U E685 8676 0A16 3026 C297 1007 3AB2 D7BE Key check value: 05EE1D </code></pre> </div> <p><strong>ZPK</strong></p> <p>Zone PIN Key (ZPK) also known as a A <strong>PIN Protection Key (PPK)</strong>, is a data encrypting key which is distributed automatically and is used to encrypt PINs. For security and protocol reasons the HSM where this key generated, never exposes the ZPK in clear. But it can be exported using another key called ZMK (Interchange Key). In this context exports actually means use the ZMK Key to encrypt the ZPK and give back to the user.</p> <hr /> <p><strong>Import ZPK</strong></p> <p>The following ZPK shared by communicating party, is encrypted under ZMK</p> <div class="highlighter-rouge"> <pre class="highlight"><code>ZPK encrypted under ZMK: AC4D3C5F603C1B502E5F45668A155C25 KCV: AFDA4F </code></pre> </div> <p>From the host application, send the <strong>A6</strong> commands with required arguments as following,</p> <p>HSM Command:</p> <div class="highlighter-rouge"> <pre class="highlight"><code>0000A6001UE68586760A163026C29710073AB2D7BEXAC4D3C5F603C1B502E5F45668A155C25U00 </code></pre> </div> <p>Where,</p> <blockquote><p>Atalla Variant = 00<br /> Encrypted PPK Key = AC4D…….5C25<br /> Key Scheme= X<br /> Key Scheme LMK= U<br /> Key Type = 001<br /> ZMK = E68586760……..D7BE<br /> ZMK Scheme = U</p></blockquote> <div class="highlighter-rouge"> <pre class="highlight"><code>Response: 0000A700U5F2DC42E10C92B16BA54802314CE95F5AFDA4F ZPK under LMK: U5F2DC42E10C92B16BA54802314CE95F5 KCV: AFDA4F </code></pre> </div> <p>Here we can compare KCV (AFDA4F) to check if key is imported successfully.</p> <hr /> <div id="atatags-702045271-674213c8964c7"></div> <script> __ATA.cmd.push(function() { __ATA.initDynamicSlot({ id: 'atatags-702045271-674213c8964c7', location: 120, formFactor: '001', label: { text: 'Advertisements', }, creative: { reportAd: { text: 'Report this ad', }, privacySettings: { text: 'Privacy', } } }); }); </script> </div> <footer class="entry-footer default-max-width"> <span class="byline"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M15 7.5C15 9.15685 13.6569 10.5 12 10.5C10.3431 10.5 9 9.15685 9 7.5C9 5.84315 10.3431 4.5 12 4.5C13.6569 4.5 15 5.84315 15 7.5ZM16.5 7.5C16.5 9.98528 14.4853 12 12 12C9.51472 12 7.5 9.98528 7.5 7.5C7.5 5.01472 9.51472 3 12 3C14.4853 3 16.5 5.01472 16.5 7.5ZM19.5 19.5V16.245C19.5 14.729 18.271 13.5 16.755 13.5L7.245 13.5C5.72898 13.5 4.5 14.729 4.5 16.245L4.5 19.5H6L6 16.245C6 15.5574 6.5574 15 7.245 15L16.755 15C17.4426 15 18 15.5574 18 16.245V19.5H19.5Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted by</span><span class="author vcard"><a class="url fn n" href="https://arthurvandermerwe.com/author/arthurvdmerwe/">arthurvdmerwe</a></span></span><span class="posted-on"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M19.5 7.5H4.5V19.0005C4.5 19.2764 4.72363 19.5 4.9995 19.5H19.0005C19.2764 19.5 19.5 19.2764 19.5 19.0005V7.5ZM3 7.5V4.9995V4.995C3 3.89319 3.89319 3 4.995 3H4.9995H19.0005H19.005C20.1068 3 21 3.89319 21 4.995V4.9995V7.5V19.0005C21 20.1048 20.1048 21 19.0005 21H4.9995C3.89521 21 3 20.1048 3 19.0005V7.5ZM7.5 10.5H9V12H7.5V10.5ZM9 15H7.5V16.5H9V15ZM11.25 10.5H12.75V12H11.25V10.5ZM12.75 15H11.25V16.5H12.75V15ZM15 10.5H16.5V12H15V10.5ZM16.5 15H15V16.5H16.5V15Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2016/09/04/importing-zpk-and-zmk-into-thales-payshield-9000-hsm/" rel="bookmark"><time class="entry-date published" datetime="2016-09-04T14:13:40+10:00">September 4, 2016</time><time class="updated" datetime="2016-12-19T06:23:08+11:00">December 19, 2016</time></a></span><span class="cat-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M12.1979 8.25L11.2098 6.27363C11.1259 6.10593 10.9545 6 10.767 6H4.995C4.72162 6 4.5 6.22162 4.5 6.495V17.505C4.5 17.7784 4.72162 18 4.995 18H19.0005C19.2764 18 19.5 17.7764 19.5 17.5005V8.7495C19.5 8.47363 19.2764 8.25 19.0005 8.25H12.1979ZM13.125 6.75H19.0005C20.1048 6.75 21 7.64521 21 8.7495V17.5005C21 18.6048 20.1048 19.5 19.0005 19.5H4.995C3.89319 19.5 3 18.6068 3 17.505V6.495C3 5.39319 3.89319 4.5 4.995 4.5H10.767C11.5227 4.5 12.2135 4.92693 12.5514 5.60281L13.125 6.75Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted in</span><a href="https://arthurvandermerwe.com/category/cryptography-2/" rel="category tag">Cryptography</a>, <a href="https://arthurvandermerwe.com/category/financial-switching/" rel="category tag">Financial Switching</a>, <a href="https://arthurvandermerwe.com/category/hsm/" rel="category tag">HSM</a></span><span class="tags-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M3 12.2045C3 12.5941 3.15158 12.9684 3.42267 13.2482L9.71878 19.747C11.0769 21.1489 13.3201 21.1667 14.7003 19.7865L19.7873 14.6995C21.1677 13.319 21.1497 11.0753 19.7471 9.71731L13.2459 3.42238C12.9661 3.15147 12.5919 3 12.2025 3H4.5C3.67157 3 3 3.67157 3 4.5V12.2045ZM12.2025 4.5H4.5V12.2045L10.7961 18.7033C11.5714 19.5035 12.8518 19.5137 13.6396 18.7258L18.7266 13.6388C19.5146 12.8509 19.5043 11.5701 18.7037 10.7949L12.2025 4.5ZM8.4975 9.495C9.0484 9.495 9.495 9.0484 9.495 8.4975C9.495 7.9466 9.0484 7.5 8.4975 7.5C7.9466 7.5 7.5 7.9466 7.5 8.4975C7.5 9.0484 7.9466 9.495 8.4975 9.495Z" fill="currentColor"/></svg><span class="screen-reader-text">Tags:</span><a href="https://arthurvandermerwe.com/tag/cryptography/" rel="tag">cryptography</a>, <a href="https://arthurvandermerwe.com/tag/zmk/" rel="tag">ZMK</a>, <a href="https://arthurvandermerwe.com/tag/zpk/" rel="tag">ZPK</a></span><span class="comments-link"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.0458 15.0001L5.99998 17.697L5.99999 6.49478C5.99999 6.22141 6.2216 5.99979 6.49498 5.99978L17.505 5.99951C17.7784 5.9995 18 6.22113 18 6.49451L18 14.5046C18 14.778 17.7784 14.9996 17.505 14.9996L10.0458 15.0001ZM10.5 16.5L17.5051 16.4996C18.6069 16.4995 19.5 15.6063 19.5 14.5046L19.5 6.49451C19.5 5.39268 18.6068 4.49948 17.5049 4.49951L6.49494 4.49978C5.39315 4.49981 4.49999 5.39299 4.49999 6.49478L4.49998 18.3483C4.49998 18.9842 5.01549 19.4997 5.6514 19.4997C5.8787 19.4997 6.10091 19.4324 6.29004 19.3063L10.5 16.5Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2016/09/04/importing-zpk-and-zmk-into-thales-payshield-9000-hsm/#comments">2 Comments<span class="screen-reader-text"> on Importing ZPK and ZMK into Thales Payshield 9000 HSM</span></a></span> </footer> </article> <article id="post-92" class="post-92 post type-post status-publish format-standard hentry category-financial-switching category-hsm category-uncategorized tag-as2805-6 tag-generate-kekr-validation-response tag-generate-keks-validation-request tag-kek tag-kekr tag-keks tag-key-exchange tag-krr tag-krs tag-thales-e0-command tag-thales-e2-command tag-thales-oi-command tag-thales-ok-command tag-translate-a-set-of-zone-keys tag-zakr tag-zaks tag-zpk tag-zpks tag-rn entry"> <header class="entry-header default-max-width"> <h2 class="entry-title"><a href="https://arthurvandermerwe.com/2015/03/03/implementing-as2805-part-3-using-a-thales-9000-and-python/" rel="bookmark">Implementing AS2805 Part 6 Host to Host Encryption using a Thales 9000 and Python</a></h2> </header> <div class="entry-content"> <h3>Introduction</h3> <p>The AS2805.6 Standard specifies communication security between two nodes during a financial transaction. These nodes needs to have a specific set of encryption algorithms, and needs to follow a specific process.</p> <p>The specification is not very clear on what exactly needs to happen, so I intend to clarify the exact steps, with the HSM functions. Now in order to do this I will assume you have a Thales 9000 HSM, as well as you need to know how to properly operate it. All commands defined are in the 1270A547-015 Australian Standards LIC003 v2.3a.pdf Manual provided by Thales when purchasing the device.</p> <h3>Source Code</h3> <p>a Copy of this Manual can be found here [<a href="https://arthurvandermerwe.com/wp-content/uploads/2014/12/1270a547-015-australian-standards-lic003-v2-3a.pdf">Thales 9000 Australian Standards LIC003 v2.3a</a>]</p> <p>a Copy of my AS2805 parser is located <a title="Python AS2805" href="https://github.com/Arthurvdmerwe/AS2805_Python_Implementation.git" target="_blank">here</a></p> <p>a Copy of my Thales commands class is located <a title="Thales Commands" href="https://github.com/Arthurvdmerwe/ThalesAS205Commands.git" target="_blank">here</a></p> <p>a Full version of a AS2805 Interchange Node is located <a href="https://github.com/Arthurvdmerwe/AS2805_HostNode_Server.git" target="_blank">here</a></p> <h3>KEK Process (Level 1)</h3> <p>For this process:</p> <ol> <li>you need to go to your HSM and generate 2 Clear components, you then need to form a KEKs key from these components. This can be done using the UI of the HSM manger, or with the FK console command.</li> <li>Store the <strong><span style="color:#ff0000;">KEKs</span></strong> formed from the clear components in your switch database.</li> <li>Your connecting node / host will then provide you with a set of clear components, you need to generate a key again, but in this case a <strong><span style="color:#ff0000;">KEKr</span></strong></li> <li>You need to provide you host with your key components you generated in Step 1,so they can generate their corresponding KEKs.</li> </ol> <p>Now you have a KEKr and a KEKs in your database as well as your host read, for Level2</p> <h3>Session and MAC key Initialisation (Level 2)</h3> <p>This Level has 2 separate steps, the first step (Logon) validating the KEKr and KEKs so that both nodes know that the correct keys are being used. The second step (Key Exchange) is to create temporary keys that are changed every 60 minutes or 256 transactions.</p> <h5>Logon Process</h5> <p> </p> <p>During the logon process your HSM will need to generate 2 things:</p> <ol> <li>a Random Number (RN)</li> <li>an Inverted Random Number (~RN)</li> </ol> <p>These numbers will be returned encrypted under the KEKr and KEKs, and you will need to validate them, this is also called end of proof point validation.</p> <p>The Logon process is a 2 step process outlined in the image below.</p> <h6><img data-attachment-id="94" data-permalink="https://arthurvandermerwe.com/2015/03/03/implementing-as2805-part-3-using-a-thales-9000-and-python/logon_process/" data-orig-file="https://arthurvandermerwe.com/wp-content/uploads/2015/02/logon_process.png" data-orig-size="1062,1170" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Logon_process" data-image-description="" data-image-caption="" data-medium-file="https://arthurvandermerwe.com/wp-content/uploads/2015/02/logon_process.png?w=272" data-large-file="https://arthurvandermerwe.com/wp-content/uploads/2015/02/logon_process.png?w=620" class=" wp-image-94 aligncenter" src="https://arthurvandermerwe.com/wp-content/uploads/2015/02/logon_process.png?w=255&h=281" alt="Logon_process" width="255" height="281" srcset="https://arthurvandermerwe.com/wp-content/uploads/2015/02/logon_process.png?w=272 272w, https://arthurvandermerwe.com/wp-content/uploads/2015/02/logon_process.png?w=255 255w, https://arthurvandermerwe.com/wp-content/uploads/2015/02/logon_process.png?w=510 510w, https://arthurvandermerwe.com/wp-content/uploads/2015/02/logon_process.png?w=136 136w" sizes="(max-width: 255px) 100vw, 255px" /></h6> <h6>Step 1</h6> <p>When you connect to your host you will receive a logon request, bit number 48 will be populated with a <span style="color:#ff0000;"><strong>KRs</strong></span> from the host that you will need to validate with your KEKr.</p> <p>Generating a KEKr Validation Response you would need your <strong><span style="color:#ff0000;">KRs</span></strong> received in this request, and you KEKr that you generated from your host components.</p> <p><span style="text-decoration:underline;">E2 Command Definition: </span>To receive a random key (KRs) encrypted under a variant of a double length Key Encrypting Key (KEKr), compute from KRs another value, denoted KRr and encrypt it under another variant of the KEKr</p> <p>Your HSM command will look as follows: >HEADE2{KEKr}{KRs} and you output will generate a <strong><span style="color:#ff0000;">KEKr</span></strong>. Your response to the host will need to include this value in bit number 48.</p> <h6>Step 2</h6> <p>You now need to send the host a logon request with bit 48 set with your <strong><span style="color:#ff0000;">KRs</span></strong></p> <p><span style="text-decoration:underline;">E0 Command Definition</span>:To generate a random key (KRs) and encrypt it with a variant of a double length Key Encrypting Key (KEKs). In addition, KRs is inverted (to form KRr) and the result encrypted with another variant of the KEKs.</p> <p>Your HSM command will look as follows: >HEADE0{KEKs} and the output will generate a <strong><span style="color:#ff0000;">KRs</span></strong>. Your host will validate this request, and return with a response.</p> <p>Once both steps are complete, both you and the host has been validated that you are using the same keys.</p> <p>An Example of this process is outlined below in Python:</p> <p> </p> <pre> def __signon__Part1__(self): self.log.info("====Sign-On Process Started ====") self.__setState('signing_on') cur = self.con_switch.cursor(MySQLdb.cursors.DictCursor) try: self.log.info("Waiting for 0800 Request") self.s.settimeout(20.0) length_indicator = self.s.recv(2) if length_indicator == '': self.log.critical('Received a blank length indicator from switch... might be a disconnect') self.__setState("blank_response") else: size = struct.unpack('!H', length_indicator)[0] payload = self.s.recv(size) payload = ByteUtils.ByteToHex(payload) d = datetime.now() self.log.info(" Getting Sign-On Request 0800 = [%s]" % payload) if payload == '': self.log.critical('Received a blank response from switch... might be a disconnect') self.__setState("blank_response") else: iso_ans = AS2805(debug=False) iso_ans.setIsoContent(payload) self.__storeISOMessage(iso_ans, {"date_time_received": d.strftime("%Y-%m-%d %H:%M:%S")}) if iso_ans.getMTI() == '0800': if iso_ans.getBit(70) == '001': #log.info("Logon Started with KEKr = %s, KEKs = %s" % ( self.KEKr, self.KEKs)) KRs = iso_ans.getBit(48) #log.info("KRs %s Received from Host" % (KRs)) #print "Generating a E0 Command with KEKr=%s, and KRs=%s" % (self.KEKr, KRs) self.ValidationResponse = KeyGenerator.Generate_KEKr_Validation_Response(KEKr=self.KEKr, KRs=KRs) #print self.ValidationResponse if self.ValidationResponse["ErrorCode"] == '00': #log.info("KRs Validation Response %s generated" % (self.ValidationResponse["KRr"])) d = datetime.now() iso_resp = AS2805(debug=False) iso_resp.setMTI('0810') iso_resp.setBit(7, d.strftime("%m%d%H%M%S")) iso_resp.setBit(11, iso_ans.getBit(11)) iso_resp.setBit(33, self.Switch_IIN) iso_resp.setBit(39, '303') iso_resp.setBit(48, self.ValidationResponse["KRr"]) iso_resp.setBit(70, '0001') iso_resp.setBit(100, self.Switch_IIN) iso_send = iso_resp.getNetworkISO() iso_send_hex = ByteUtils.HexToByte(iso_send[2:]) self.log.info("Sending Sign-On Response 0810 [%s]" % ReadableAscii(iso_send)) self.__send_message(iso_send_hex) self.__storeISOMessage(iso_resp, {"date_time_sent": d.strftime("%Y-%m-%d %H:%M:%S")}) self.__setState('signed_on') else: self.log.error("0810 KRr Response Code = %s, Login Failed" % (self.ValidationResponse["ErrorCode"],)) #TODO: Send Decline to the Partner else: self.log.error("Could not login with 0810") except InvalidAS2805, ii: self.log.error(ii) except socket.error as e: pass self.log.debug("nothing from host [%s]" % (e)) except: #self.__signoff() self.log.exception("signon_failed") self.__setState("singon_failed") finally: cur.close() def __signon_Part2__(self): try: self.s.settimeout(20.0) self.ValidationRequest = KeyGenerator.Generate_KEKs_Validation_Request(KEKs=self.KEKs) d = datetime.now() iso_resp = AS2805(debug=False) iso_resp.setMTI('0800') iso_resp.setBit(7, d.strftime("%m%d%H%M%S")) iso_resp.setBit(11, self.__getNextStanNo()) iso_resp.setBit(33, self.HostIIN) iso_resp.setBit(48, self.ValidationRequest["KRs"]) iso_resp.setBit(70, '001') iso_resp.setBit(100, self.HostIIN) iso_send = iso_resp.getNetworkISO() iso_send_hex = ByteUtils.HexToByte(iso_send[2:]) self.log.info("Sending Sign-On Request 0800 [%s]" % ReadableAscii(iso_send)) self.__send_message(iso_send_hex) self.__storeISOMessage(iso_resp, {"date_time_sent": d.strftime("%Y-%m-%d %H:%M:%S")}) self.log.info("Waiting for 0810 Response") a = self.s.recv(8192) payload = ByteUtils.ByteToHex(a[2:]) d = datetime.now() self.log.info(" Getting Sign-On Response 0810 = [%s]" % payload) iso_ans = AS2805(debug=False) iso_ans.setIsoContent(payload) self.log.debug(iso_ans.dumpFields()) self.__storeISOMessage(iso_ans, {"date_time_received": d.strftime("%Y-%m-%d %H:%M:%S")}) if iso_ans.getBit(39) == '3030': self.log.info("====Sign-On Sequence Completed Successfully====") self.__setState("signed_on_dual") else: #self.__signoff() self.log.error("Could not login with 0800") self.__setState("singon_failed") except InvalidAS2805, ii: self.log.info(ii) except socket.error as e: self.log.info("nothing from host [%s]" % (e)) except: #self.__signoff() self.log.exception("signon_failed") self.__setState("singon_failed")</pre> <p> </p> <h3>Key Exchange (Level 2)</h3> <p>In the Key Exchange process, you will generate session keys for your node as well as MAC keys. Now when generating these keys, you need to remember that they need to be the same type as you partner node. (simply ask your processor for a trace if you want to confirm)</p> <p>So right after a successful logon, you would need to wait for a key exchange request, (0820 with field 30 as 303) this key exchange request will have a ZAK and a ZPK in field 48, these are encrypted under the KEKr generated on your host from their components. You would need to translate these keys using your KEKr under your LMK and generate check values for verification.</p> <p>The command will look like follows: >HEADOK{KEKr}21H{ZPK}1H{ZAK}0H11111111111111111111111111111111</p> <p>These keys are known as your: <strong>RECEIVE KEYS</strong></p> <p>Where the KEKr is the KEKr generated from your components, ZPK and ZAK is the ZPK and ZAK received. This will output the following:</p> <pre>def Translate_a_Set_of_Zone_Keys(KEKr, ZPK, ZAK, ZEK): response = KeyClass.execute_Translate_a_Set_of_Zone_Keys(KEKr, ZPK, ZAK, ZEK) #print response TranslatedZoneKeys = {} TranslatedZoneKeys["Header"] = response[2:6] TranslatedZoneKeys["ResponseCode"] = response[6:8] TranslatedZoneKeys["ErrorCode"] = response[8:10] if TranslatedZoneKeys["ErrorCode"] == '00': TranslatedZoneKeys["KCV Processing Flag"] = response[10:11] TranslatedZoneKeys["ZPK(LMK)"] = response[11:44] TranslatedZoneKeys["ZPK Check Value"] = response[44:50] TranslatedZoneKeys["ZAK(LMK)"] = response[50:83] TranslatedZoneKeys["ZAK Check Value"] = response[83:89] TranslatedZoneKeys["ZEK(LMK)"] = response[89:122] TranslatedZoneKeys["ZEK Check Value"] = response[122:128] return TranslatedZoneKeys</pre> <p>In other words, you need to generate the same keys, but under your LMK and store them in your key database</p> <p>Now whenever you get a request from your host with a mac you can validate the mac using the ZAK(LMK), and when you get encrypted values from your host you can translate the values using the ZPK(LMK)</p> <p>So, when you respond to the key exchange process you put the check values in field 40. Your host will validate the check values, and then wait for you to send a request using your KEKs.</p> <p>Here is an implementation using Python:</p> <pre>def __key_exchange_listen(self): self.log.info("===== Key Exchange process Started =======") self.s.settimeout(20.0) length_indicator = self.s.recv(2) if length_indicator == '': self.log.critical('Received a blank length indicator from switch... might be a disconnect') self.__setState("blank_response") else: size = struct.unpack('!H', length_indicator)[0] payload = self.s.recv(size) payload = ByteUtils.ByteToHex(payload) d = datetime.now() self.log.info(" Receiving Key Exchange Request = [%s]" % payload) if payload == '': self.log.critical('Received a blank response from switch... might be a disconnect') self.__setState("blank_response") else: iso_ans = AS2805(debug=False) iso_ans.setIsoContent("%s" % (payload)) self.log.debug(iso_ans.dumpFields()) self.__storeISOMessage(iso_ans, {"date_time_received": d.strftime("%Y-%m-%d %H:%M:%S")}) if iso_ans.getMTI() == '0820' and iso_ans.getBit(70) == '0101': Value = iso_ans.getBit(48) self.ZAK = Value[:32] self.ZPK = Value[32:] self.node_number = iso_ans.getBit(53) log.info("Recieve Keys under ZMK : ZAK= %s, ZPK = %s" % (self.ZAK, self.ZPK )) self.ZoneKeySet2 = KeyGenerator.Translate_a_Set_of_Zone_Keys(self.KEKr,ZPK=self.ZPK, ZAK=self.ZAK, ZEK='11111111111111111111111111111111') cur = self.con_switch.cursor(MySQLdb.cursors.DictCursor) sql = """UPDATE sessions_as2805 set ZPK_LMK = '%s', ZPK_ZMK = '%s', ZPK_Check ='%s', ZAK_LMK = '%s' , ZAK_ZMK = '%s', ZAK_Check = '%s', ZEK_LMK = '%s', ZEK_Check = '%s', keyset_number = '%s' WHERE host_id = '%s' and keyset_description = 'Recieve' """ %\ ( self.ZoneKeySet2["ZPK(LMK)"], self.ZPK, self.ZoneKeySet2["ZPK Check Value"], self.ZoneKeySet2["ZAK(LMK)"], self.ZAK, self.ZoneKeySet2["ZAK Check Value"], self.ZoneKeySet2["ZEK(LMK)"], self.ZoneKeySet2["ZEK Check Value"], self.node_number, self.host_id) log.info("Recieve Keys under LMK : ZAK= %s, ZAK Check Value: %s ZPK = %s, ZPK Check Value: %s" % (self.ZoneKeySet2["ZAK(LMK)"], self.ZoneKeySet2["ZAK Check Value"], self.ZoneKeySet2["ZPK(LMK)"], self.ZoneKeySet2["ZPK Check Value"])) cur.execute(sql) self.log.debug("Records=%s" % (cur.rowcount,)) iso_req = AS2805(debug=False) iso_req.setMTI('0830') iso_req.setBit(7, iso_ans.getBit(7)) iso_req.setBit(11, iso_ans.getBit(11)) iso_req.setBit(33, iso_ans.getBit(33)) iso_req.setBit(39, '303') iso_req.setBit(48, self.ZoneKeySet2["ZAK Check Value"] + self.ZoneKeySet2["ZPK Check Value"]) iso_req.setBit(53, iso_ans.getBit(53)) iso_req.setBit(70, iso_ans.getBit(70)) iso_req.setBit(100, iso_ans.getBit(100)) self.__storeISOMessage(iso_req, {"date_time_sent": d.strftime("%Y-%m-%d %H:%M:%S")}) try: iso_send = iso_req.getNetworkISO() iso_send_hex = ByteUtils.HexToByte(iso_send[2:]) self.log.debug(iso_req.dumpFields()) self.log.info("Sending Key Exchange Response = [%s]" % ReadableAscii(iso_send)) self.__send_message(iso_send_hex) self.node_number = iso_ans.getBit(53) except: self.log.exception("key_exchange_failed") self.__setState('key_exchange_failed') finally: cur.close()</pre> <p> </p> <p>These Keys are known as your <strong>SEND KEYS</strong></p> <p>So when you send a key exchange request you would need to generate a set of zone keys, this command on your HSM would look like this;</p> <p>>HEADOI{KEKs};HU;1</p> <p>Where the KEKs is the KEKs that you generated from your components, and your output will be the following:</p> <pre>def Generate_a_Set_of_Zone_Keys(KEKs): response = KeyClass.execute_get_a_Set_of_Zone_Keys(KEKs) #print response ZoneKeys = {} ZoneKeys["Header"] = response[2:6] ZoneKeys["ResponseCode"] = response[6:8] ZoneKeys["ErrorCode"] = response[8:10] if ZoneKeys["ErrorCode"] == '00': ZoneKeys["ZPK(LMK)"] = response[10:43] ZoneKeys["ZPK(ZMK)"] = response[43:76] ZoneKeys["ZPK Check Value"] = response[76:82] ZoneKeys["ZAK(LMK)"] = response[82:115] ZoneKeys["ZAK(ZMK)"] = response[115:148] ZoneKeys["ZAK Check Value"] = response[148:154] ZoneKeys["ZEK(LMK)"] = response[154:187] ZoneKeys["ZEK(ZMK)"] = response[187:220] ZoneKeys["ZEK Check Value"] = response[220:226] return ZoneKeys</pre> <p>Now when sending your 0820 request, you need to set field 40 as ZAK(ZMK) + ZPK(ZMK). Your host will do a Validation request (same as you did in step 1) and send you the check values. you need to compare this to the check values generated by your OI command, and if they match then you have successfully exchanged keys.</p> <p>Below is an implementation using Python:</p> <p> </p> <pre> def __keyExchange__(self): self.__setState("key_exchange") self.__key_exchange_listen() cur = self.con_switch.cursor(MySQLdb.cursors.DictCursor) d = datetime.now() self.ZoneKeySet1 = {} self.ZoneKeySet2 = {} self.ZoneKeySet1 = KeyGenerator.Generate_a_Set_of_Zone_Keys(self.KEKs) iso_req = AS2805(debug=False) iso_req.setMTI('0820') iso_req.setBit(7, d.strftime("%m%d%H%M%S")) iso_req.setBit(11, self.__getNextStan()) iso_req.setBit(33, self.HostIIN) iso_req.setBit(48, self.ZoneKeySet1["ZAK(ZMK)"][1:] + self.ZoneKeySet1["ZPK(ZMK)"][1:]) iso_req.setBit(53, self.node_number) iso_req.setBit(70, '101') iso_req.setBit(100, self.SwitchLink_IIN) self.__storeISOMessage(iso_req, {"date_time_sent": d.strftime("%Y-%m-%d %H:%M:%S")}) log.info("Send Keys under LMK : ZAK= %s, ZAK Check Value: %s ZPK = %s, ZPK Check Value: %s" % (self.ZoneKeySet1["ZAK(LMK)"], self.ZoneKeySet1["ZAK Check Value"], self.ZoneKeySet1["ZPK(LMK)"], self.ZoneKeySet1["ZPK Check Value"])) try: # send the Send Keys iso_send = iso_req.getNetworkISO() iso_send_hex = ByteUtils.HexToByte(iso_send[2:]) self.log.debug(iso_req.dumpFields()) self.log.info("Sending Key Exchange Request = [%s]" % ReadableAscii(iso_send)) self.__send_message(iso_send_hex) self.s.settimeout(20.0) length_indicator = self.s.recv(2) if length_indicator == '': self.log.critical('Received a blank length indicator from switch... might be a disconnect') self.__setState("blank_response") else: size = struct.unpack('!H', length_indicator)[0] payload = self.s.recv(size) payload = ByteUtils.ByteToHex(payload) d = datetime.now() self.log.info(" Receiving Key Exchange Response = [%s]" % payload) if payload == '': self.log.critical('Received a blank response from switch... might be a disconnect') self.__setState("blank_response") else: iso_ans = AS2805(debug=False) iso_ans.setIsoContent(payload) self.log.debug(iso_ans.dumpFields()) self.__storeISOMessage(iso_ans, {"date_time_received": d.strftime("%Y-%m-%d %H:%M:%S")}) if iso_ans.getMTI() == '0830': if iso_ans.getBit(39) == '3030': Value = iso_ans.getBit(48) self.KMACs_KVC = Value[:6] self.KPEs_KVC = Value[6:] #self.log.info("KMACs_KVC = %s, KPEs_KVC = %s" % (self.KMACs_KVC, self.KPEs_KVC)) if self.KMACs_KVC == self.ZoneKeySet1["ZAK Check Value"] and self.KPEs_KVC == self.ZoneKeySet1["ZPK Check Value"]: self.log.info("0820 Key Exchange successful: Check Values Match, ZAK Check Value= %s , ZPK Check Value = %s" % (self.ZoneKeySet1["ZAK Check Value"], self.ZoneKeySet1["ZPK Check Value"])) sql = """UPDATE sessions_as2805 SET ZPK_LMK = '%s', ZPK_ZMK = '%s', ZPK_Check= '%s' , ZAK_LMK= '%s', ZAK_ZMK = '%s', ZAK_Check ='%s', ZEK_LMK = '%s' , ZEK_ZMK = '%s', ZEK_Check = '%s', keyset_number = '%s' WHERE host_id = '%s' and keyset_description = 'Send' """%\ ( self.ZoneKeySet1["ZPK(LMK)"], self.ZoneKeySet1["ZPK(ZMK)"], self.ZoneKeySet1["ZPK Check Value"], self.ZoneKeySet1["ZAK(LMK)"], self.ZoneKeySet1["ZAK(ZMK)"], self.ZoneKeySet1["ZAK Check Value"], self.ZoneKeySet1["ZEK(LMK)"], self.ZoneKeySet1["ZEK(ZMK)"], self.ZoneKeySet1["ZEK Check Value"], self.node_number, self.host_id) cur.execute(sql) self.log.debug("Records=%s" % (cur.rowcount,)) self.__setState("key_exchanged") self.__setState('session_key_ok') self.log.info("==== Key Exchange Sequence Completed Successfully====") self.last_key_exchange = datetime.now() else: self.log.error("Generate_a_Set_of_Zone_Keys: KVC Check Failed!!") else: self.log.error("0820 Response Code = %s, Key Exchange Failed" % (iso_ans.getBit(39))) except InvalidAS2805, ii: self.log.error(ii) self.s.close() self.s = None self.__setState("session_key_fail") except: self.log.exception("key_exchange_failed") self.__setState('key_exchange_failed') </pre> <p> </p> <p>Now that keys have successfully been exchanged, you can start submitting transactions.</p> <p>When sending transactions encrypt data (pin / field) Send Keys, and when receiving data translate / decrypt using your receive keys, Generate MAC using Send MAC and Verify using Receive MAC.</p> <ul> <li>TAK – Your key to generate and verify MACs</li> <li>TEK – Your key to encrypt data and decrypt / translate</li> </ul> <p>This concludes the implementation of Node to Node interfaces using AS2805 Standards.</p> <p>Easy as Pie!</p> <div id="atatags-702045275-674213c898af2"> <script type="text/javascript"> __ATA.cmd.push(function() { __ATA.initVideoSlot('atatags-702045275-674213c898af2', { sectionId: '702045275', format: 'inread' }); }); </script> </div> </div> <footer class="entry-footer default-max-width"> <span class="byline"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M15 7.5C15 9.15685 13.6569 10.5 12 10.5C10.3431 10.5 9 9.15685 9 7.5C9 5.84315 10.3431 4.5 12 4.5C13.6569 4.5 15 5.84315 15 7.5ZM16.5 7.5C16.5 9.98528 14.4853 12 12 12C9.51472 12 7.5 9.98528 7.5 7.5C7.5 5.01472 9.51472 3 12 3C14.4853 3 16.5 5.01472 16.5 7.5ZM19.5 19.5V16.245C19.5 14.729 18.271 13.5 16.755 13.5L7.245 13.5C5.72898 13.5 4.5 14.729 4.5 16.245L4.5 19.5H6L6 16.245C6 15.5574 6.5574 15 7.245 15L16.755 15C17.4426 15 18 15.5574 18 16.245V19.5H19.5Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted by</span><span class="author vcard"><a class="url fn n" href="https://arthurvandermerwe.com/author/arthurvdmerwe/">arthurvdmerwe</a></span></span><span class="posted-on"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M19.5 7.5H4.5V19.0005C4.5 19.2764 4.72363 19.5 4.9995 19.5H19.0005C19.2764 19.5 19.5 19.2764 19.5 19.0005V7.5ZM3 7.5V4.9995V4.995C3 3.89319 3.89319 3 4.995 3H4.9995H19.0005H19.005C20.1068 3 21 3.89319 21 4.995V4.9995V7.5V19.0005C21 20.1048 20.1048 21 19.0005 21H4.9995C3.89521 21 3 20.1048 3 19.0005V7.5ZM7.5 10.5H9V12H7.5V10.5ZM9 15H7.5V16.5H9V15ZM11.25 10.5H12.75V12H11.25V10.5ZM12.75 15H11.25V16.5H12.75V15ZM15 10.5H16.5V12H15V10.5ZM16.5 15H15V16.5H16.5V15Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2015/03/03/implementing-as2805-part-3-using-a-thales-9000-and-python/" rel="bookmark"><time class="entry-date published" datetime="2015-03-03T09:06:38+11:00">March 3, 2015</time><time class="updated" datetime="2015-07-29T08:23:33+10:00">July 29, 2015</time></a></span><span class="cat-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M12.1979 8.25L11.2098 6.27363C11.1259 6.10593 10.9545 6 10.767 6H4.995C4.72162 6 4.5 6.22162 4.5 6.495V17.505C4.5 17.7784 4.72162 18 4.995 18H19.0005C19.2764 18 19.5 17.7764 19.5 17.5005V8.7495C19.5 8.47363 19.2764 8.25 19.0005 8.25H12.1979ZM13.125 6.75H19.0005C20.1048 6.75 21 7.64521 21 8.7495V17.5005C21 18.6048 20.1048 19.5 19.0005 19.5H4.995C3.89319 19.5 3 18.6068 3 17.505V6.495C3 5.39319 3.89319 4.5 4.995 4.5H10.767C11.5227 4.5 12.2135 4.92693 12.5514 5.60281L13.125 6.75Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted in</span><a href="https://arthurvandermerwe.com/category/financial-switching/" rel="category tag">Financial Switching</a>, <a href="https://arthurvandermerwe.com/category/hsm/" rel="category tag">HSM</a>, <a href="https://arthurvandermerwe.com/category/uncategorized/" rel="category tag">Uncategorized</a></span><span class="tags-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M3 12.2045C3 12.5941 3.15158 12.9684 3.42267 13.2482L9.71878 19.747C11.0769 21.1489 13.3201 21.1667 14.7003 19.7865L19.7873 14.6995C21.1677 13.319 21.1497 11.0753 19.7471 9.71731L13.2459 3.42238C12.9661 3.15147 12.5919 3 12.2025 3H4.5C3.67157 3 3 3.67157 3 4.5V12.2045ZM12.2025 4.5H4.5V12.2045L10.7961 18.7033C11.5714 19.5035 12.8518 19.5137 13.6396 18.7258L18.7266 13.6388C19.5146 12.8509 19.5043 11.5701 18.7037 10.7949L12.2025 4.5ZM8.4975 9.495C9.0484 9.495 9.495 9.0484 9.495 8.4975C9.495 7.9466 9.0484 7.5 8.4975 7.5C7.9466 7.5 7.5 7.9466 7.5 8.4975C7.5 9.0484 7.9466 9.495 8.4975 9.495Z" fill="currentColor"/></svg><span class="screen-reader-text">Tags:</span><a href="https://arthurvandermerwe.com/tag/as2805-6/" rel="tag">AS2805.6</a>, <a href="https://arthurvandermerwe.com/tag/generate-kekr-validation-response/" rel="tag">Generate KEKr Validation Response</a>, <a href="https://arthurvandermerwe.com/tag/generate-keks-validation-request/" rel="tag">Generate KEKs Validation Request</a>, <a href="https://arthurvandermerwe.com/tag/kek/" rel="tag">KEK</a>, <a href="https://arthurvandermerwe.com/tag/kekr/" rel="tag">KEKr</a>, <a href="https://arthurvandermerwe.com/tag/keks/" rel="tag">KEKs</a>, <a href="https://arthurvandermerwe.com/tag/key-exchange/" rel="tag">Key Exchange</a>, <a href="https://arthurvandermerwe.com/tag/krr/" rel="tag">KRr</a>, <a href="https://arthurvandermerwe.com/tag/krs/" rel="tag">KRs</a>, <a href="https://arthurvandermerwe.com/tag/thales-e0-command/" rel="tag">Thales E0 Command</a>, <a href="https://arthurvandermerwe.com/tag/thales-e2-command/" rel="tag">Thales E2 Command</a>, <a href="https://arthurvandermerwe.com/tag/thales-oi-command/" rel="tag">Thales OI Command</a>, <a href="https://arthurvandermerwe.com/tag/thales-ok-command/" rel="tag">Thales OK Command</a>, <a href="https://arthurvandermerwe.com/tag/translate-a-set-of-zone-keys/" rel="tag">Translate a Set of Zone Keys</a>, <a href="https://arthurvandermerwe.com/tag/zakr/" rel="tag">ZAKr</a>, <a href="https://arthurvandermerwe.com/tag/zaks/" rel="tag">ZAKs</a>, <a href="https://arthurvandermerwe.com/tag/zpk/" rel="tag">ZPK</a>, <a href="https://arthurvandermerwe.com/tag/zpks/" rel="tag">ZPKs</a>, <a href="https://arthurvandermerwe.com/tag/rn/" rel="tag">~RN</a></span><span class="comments-link"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.0458 15.0001L5.99998 17.697L5.99999 6.49478C5.99999 6.22141 6.2216 5.99979 6.49498 5.99978L17.505 5.99951C17.7784 5.9995 18 6.22113 18 6.49451L18 14.5046C18 14.778 17.7784 14.9996 17.505 14.9996L10.0458 15.0001ZM10.5 16.5L17.5051 16.4996C18.6069 16.4995 19.5 15.6063 19.5 14.5046L19.5 6.49451C19.5 5.39268 18.6068 4.49948 17.5049 4.49951L6.49494 4.49978C5.39315 4.49981 4.49999 5.39299 4.49999 6.49478L4.49998 18.3483C4.49998 18.9842 5.01549 19.4997 5.6514 19.4997C5.8787 19.4997 6.10091 19.4324 6.29004 19.3063L10.5 16.5Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2015/03/03/implementing-as2805-part-3-using-a-thales-9000-and-python/#comments">4 Comments<span class="screen-reader-text"> on Implementing AS2805 Part 6 Host to Host Encryption using a Thales 9000 and Python</span></a></span> </footer> </article> <article id="post-84" class="post-84 post type-post status-publish format-standard hentry category-financial-switching category-hsm category-uncategorized tag-as2805-6-1 tag-interchange-receive-kek tag-kekr tag-keks tag-kmacr1 tag-kmacr2 tag-kmacs1 tag-kmacs2 tag-kper1 tag-kpes1 tag-kpes2 tag-kvcs tag-mac tag-mac-key tag-pin-protect-key tag-session-keys entry"> <header class="entry-header default-max-width"> <h2 class="entry-title"><a href="https://arthurvandermerwe.com/2015/01/04/typical-cryptography-in-as2805-explained/" rel="bookmark">Typical Cryptography in AS2805 Explained</a></h2> </header> <div class="entry-content"> <p>Key Management conforms to AS 2805 part 6.1.</p> <h3>KEK Establishment</h3> <p>Each interchange node contains an Interchange Send Key Encrypting Key (KEKs) and an Interchange Receive Key Encrypting Key (KEKr). The Interchange Send KEK is the same key as the Interchange Receive KEK in the partnering node, similarly the Interchange Receive KEK is the same as the Interchange Send KEK in the partnering node.</p> <p>The Interchange Key Encrypting Keys are used to encipher and decipher the session keys when they are transmitted between the nodes and in the proof of end points process.</p> <p>Interchange Key Encrypting Keys is statistically unique and shall be changed, at a minimum, once every two years.</p> <p> </p> <table style="height:100%;" width="100%"> <tbody> <tr> <td colspan="2"><strong>Node A </strong></td> <td colspan="2"><strong>Node B </strong></td> </tr> <tr> <td>KEKs</td> <td colspan="2">=</td> <td width="84">KEKr</td> </tr> <tr> <td width="84">KEkr</td> <td colspan="2" width="84">=</td> <td width="84">KEKs</td> </tr> <tr> <td width="84"></td> <td width="42"></td> <td width="42"></td> <td width="84"></td> </tr> </tbody> </table> <h3>Session Keys</h3> <p>Each node keeps four sets of session keys, two send sets and two receive sets.</p> <p>Each set of session keys consists of two keys, MAC Key, PIN Protect Key. Each session key is 128-bits long and stored in a secure manner.</p> <p>The send session key sets are generated by the sending node and numbered “1” or “2”. The send session key sets are then forwarded to the receiving node to be used as the receive session key sets.</p> <p>The receive session key sets are received in a 0820 Network Management Advice message with bit ‘070’ equal to 101 from the sending node. The set number of either “1” or “2” contained in bit 53 indicates the receive session key set used by the receiving node to verify the MAC, decipher the data and translate or verify the PIN.</p> <p>One set of send session keys is used at a time and all Transactions sent from the sending node will generate the MAC and encipher the PIN, if present, using the MAC Generator Key and PIN Protect Key, respectively, from the same send session key set. The send session key set used is indicated by bit 53 (contains “1” or “2”) in each message. Session Keys must be statistically unique and replaced, at a minimum, once every hour or on every 256 Transactions, whichever occurs first.</p> <p> </p> <p> </p> <table> <tbody> <tr> <td colspan="2" width="173"><strong>Node A </strong></td> <td colspan="2" width="173"><strong>Node B </strong></td> </tr> <tr> <td colspan="2" width="173"><span style="text-decoration:underline;">Send Session Keys Set 1</span></td> <td colspan="2" width="173"><span style="text-decoration:underline;">Receive Session Keys Set 1</span></td> </tr> <tr> <td width="116">MAC Key (KMACs1)</td> <td colspan="2" width="116">=</td> <td width="116">MAC Verification Key (KMACr1)</td> </tr> <tr> <td width="116">PIN Protect Key (KPEs1)</td> <td colspan="2" width="116">=</td> <td width="116">PIN Protect Key (KPEr1)</td> </tr> <tr> <td colspan="2" width="173"><span style="text-decoration:underline;">Send Session Keys Set 2</span></td> <td colspan="2" width="173"><span style="text-decoration:underline;">Receive Session Keys Set 2</span></td> </tr> <tr> <td width="116">MAC Key (KMACs2)</td> <td colspan="2" width="116">=</td> <td width="116">MAC Verification Key (KMACr2)</td> </tr> <tr> <td width="116">PIN Protect Key (KPEs2)</td> <td colspan="2" width="116">=</td> <td width="116">PIN Protect Key (KPEr2)</td> </tr> <tr> <td colspan="2" width="173"><span style="text-decoration:underline;">Receive Session Keys Set 1</span></td> <td colspan="2" width="173"><span style="text-decoration:underline;">Send Session Keys Set 1</span></td> </tr> <tr> <td width="116">MAC Verification Key (KMACr1)</td> <td colspan="2" width="116">=</td> <td width="116">MAC Key (KMACs1)</td> </tr> <tr> <td width="116">PIN Protect Key (KPEr1)</td> <td colspan="2" width="116">=</td> <td width="116">PIN Protect Key (KPEs1)</td> </tr> <tr> <td colspan="2" width="173"><span style="text-decoration:underline;">Receive Session Keys Set 2</span></td> <td colspan="2" width="173"><span style="text-decoration:underline;">Send Session Keys Set 2</span></td> </tr> <tr> <td width="116">MAC Verification Key (KMACr2)</td> <td colspan="2" width="116">=</td> <td width="116">MAC Key (KMACs2)</td> </tr> <tr> <td width="116">PIN Protect Key (KPEr2)</td> <td colspan="2" width="116">=</td> <td width="116">PIN Protect Key (KPEs2)</td> </tr> <tr> <td width="116"></td> <td width="58"></td> <td width="58"></td> <td width="116"></td> </tr> </tbody> </table> <p> </p> <p>When enciphered for transmission, each session key type will use a unique variant of the Key Enciphering Key in accordance with AS 2805 part 6.1 request response (logon) from the other before starting any other message exchange. When ready to logon, a party should attempt to logon and continue to attempt to logon until a successful response has been received. Upon receipt of an unsolicited logon (i.e. receiving a logon message when in an assumed logged on state) or a message with a response code indicating an irrecoverable error, a party should send an immediate logoff message and attempts to logon should be made as soon as possible. All logon response messages should be inspected to ensure that the response code indicates a successful logon</p> <h3>Changing Session keys</h3> <p>While one set of send session keys is being used, the other send session key set is randomly generated by the sending node and their KVCs generated, the keys are then enciphered under the Interchange Send KEK and transmitted to the receiving node in a 0820 Network Management Advice message.</p> <p>When a 0820 message is received by the receiving node, the session keys are deciphered using the Interchange Receive KEK. These deciphered keys are set up as the set of receive keys specified by the set number contained in bit 53 of the 0820 message. The Key Verification Codes (KVCs) are calculated by the receiving node and transmitted to the sending node in bit 48 of the 0830 message.</p> <p>When the 0830 Network Management Advice response message is received at the node initiating the key change, the KVCs contained in the 0830 message are validated. If the KVCs are correct, the new send session key set can be used immediately. If the KVCs are invalid, new send session key set must be generated and the whole process is repeated.</p> <p> </p> <h3>Sign off</h3> <p>Either node may terminate the transmission of financial messages by sending a Sign Off Advice. A Sign Off is accomplished by the transmission of a 0820 Network Management Advice Message with a NMIC (Bit 70) equal to ‘002’.</p> <p> </p> <h3>Key change during normal processing</h3> <p>A session key change can occur at any time; each node independently initiates the change of their send keys. The sender will advise their sending session keys to the receiver using a 0820 Network Management Advice message with a NMIC equal to ‘101’ indicating key change. Once a valid response (0830 message) is received and the KVCs confirmed, the new keys can be used.</p> </div> <footer class="entry-footer default-max-width"> <span class="byline"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M15 7.5C15 9.15685 13.6569 10.5 12 10.5C10.3431 10.5 9 9.15685 9 7.5C9 5.84315 10.3431 4.5 12 4.5C13.6569 4.5 15 5.84315 15 7.5ZM16.5 7.5C16.5 9.98528 14.4853 12 12 12C9.51472 12 7.5 9.98528 7.5 7.5C7.5 5.01472 9.51472 3 12 3C14.4853 3 16.5 5.01472 16.5 7.5ZM19.5 19.5V16.245C19.5 14.729 18.271 13.5 16.755 13.5L7.245 13.5C5.72898 13.5 4.5 14.729 4.5 16.245L4.5 19.5H6L6 16.245C6 15.5574 6.5574 15 7.245 15L16.755 15C17.4426 15 18 15.5574 18 16.245V19.5H19.5Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted by</span><span class="author vcard"><a class="url fn n" href="https://arthurvandermerwe.com/author/arthurvdmerwe/">arthurvdmerwe</a></span></span><span class="posted-on"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M19.5 7.5H4.5V19.0005C4.5 19.2764 4.72363 19.5 4.9995 19.5H19.0005C19.2764 19.5 19.5 19.2764 19.5 19.0005V7.5ZM3 7.5V4.9995V4.995C3 3.89319 3.89319 3 4.995 3H4.9995H19.0005H19.005C20.1068 3 21 3.89319 21 4.995V4.9995V7.5V19.0005C21 20.1048 20.1048 21 19.0005 21H4.9995C3.89521 21 3 20.1048 3 19.0005V7.5ZM7.5 10.5H9V12H7.5V10.5ZM9 15H7.5V16.5H9V15ZM11.25 10.5H12.75V12H11.25V10.5ZM12.75 15H11.25V16.5H12.75V15ZM15 10.5H16.5V12H15V10.5ZM16.5 15H15V16.5H16.5V15Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2015/01/04/typical-cryptography-in-as2805-explained/" rel="bookmark"><time class="entry-date published" datetime="2015-01-04T00:56:47+11:00">January 4, 2015</time><time class="updated" datetime="2015-03-11T16:55:11+11:00">March 11, 2015</time></a></span><span class="cat-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M12.1979 8.25L11.2098 6.27363C11.1259 6.10593 10.9545 6 10.767 6H4.995C4.72162 6 4.5 6.22162 4.5 6.495V17.505C4.5 17.7784 4.72162 18 4.995 18H19.0005C19.2764 18 19.5 17.7764 19.5 17.5005V8.7495C19.5 8.47363 19.2764 8.25 19.0005 8.25H12.1979ZM13.125 6.75H19.0005C20.1048 6.75 21 7.64521 21 8.7495V17.5005C21 18.6048 20.1048 19.5 19.0005 19.5H4.995C3.89319 19.5 3 18.6068 3 17.505V6.495C3 5.39319 3.89319 4.5 4.995 4.5H10.767C11.5227 4.5 12.2135 4.92693 12.5514 5.60281L13.125 6.75Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted in</span><a href="https://arthurvandermerwe.com/category/financial-switching/" rel="category tag">Financial Switching</a>, <a href="https://arthurvandermerwe.com/category/hsm/" rel="category tag">HSM</a>, <a href="https://arthurvandermerwe.com/category/uncategorized/" rel="category tag">Uncategorized</a></span><span class="tags-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M3 12.2045C3 12.5941 3.15158 12.9684 3.42267 13.2482L9.71878 19.747C11.0769 21.1489 13.3201 21.1667 14.7003 19.7865L19.7873 14.6995C21.1677 13.319 21.1497 11.0753 19.7471 9.71731L13.2459 3.42238C12.9661 3.15147 12.5919 3 12.2025 3H4.5C3.67157 3 3 3.67157 3 4.5V12.2045ZM12.2025 4.5H4.5V12.2045L10.7961 18.7033C11.5714 19.5035 12.8518 19.5137 13.6396 18.7258L18.7266 13.6388C19.5146 12.8509 19.5043 11.5701 18.7037 10.7949L12.2025 4.5ZM8.4975 9.495C9.0484 9.495 9.495 9.0484 9.495 8.4975C9.495 7.9466 9.0484 7.5 8.4975 7.5C7.9466 7.5 7.5 7.9466 7.5 8.4975C7.5 9.0484 7.9466 9.495 8.4975 9.495Z" fill="currentColor"/></svg><span class="screen-reader-text">Tags:</span><a href="https://arthurvandermerwe.com/tag/as2805-6-1/" rel="tag">AS2805 6.1</a>, <a href="https://arthurvandermerwe.com/tag/interchange-receive-kek/" rel="tag">Interchange Receive KEK</a>, <a href="https://arthurvandermerwe.com/tag/kekr/" rel="tag">KEKr</a>, <a href="https://arthurvandermerwe.com/tag/keks/" rel="tag">KEKs</a>, <a href="https://arthurvandermerwe.com/tag/kmacr1/" rel="tag">KMACr1</a>, <a href="https://arthurvandermerwe.com/tag/kmacr2/" rel="tag">KMACr2</a>, <a href="https://arthurvandermerwe.com/tag/kmacs1/" rel="tag">KMACs1</a>, <a href="https://arthurvandermerwe.com/tag/kmacs2/" rel="tag">KMACs2</a>, <a href="https://arthurvandermerwe.com/tag/kper1/" rel="tag">KPEr1</a>, <a href="https://arthurvandermerwe.com/tag/kpes1/" rel="tag">KPEs1</a>, <a href="https://arthurvandermerwe.com/tag/kpes2/" rel="tag">KPEs2</a>, <a href="https://arthurvandermerwe.com/tag/kvcs/" rel="tag">KVCs</a>, <a href="https://arthurvandermerwe.com/tag/mac/" rel="tag">MAC</a>, <a href="https://arthurvandermerwe.com/tag/mac-key/" rel="tag">MAC Key</a>, <a href="https://arthurvandermerwe.com/tag/pin-protect-key/" rel="tag">PIN Protect Key</a>, <a href="https://arthurvandermerwe.com/tag/session-keys/" rel="tag">session keys</a></span><span class="comments-link"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.0458 15.0001L5.99998 17.697L5.99999 6.49478C5.99999 6.22141 6.2216 5.99979 6.49498 5.99978L17.505 5.99951C17.7784 5.9995 18 6.22113 18 6.49451L18 14.5046C18 14.778 17.7784 14.9996 17.505 14.9996L10.0458 15.0001ZM10.5 16.5L17.5051 16.4996C18.6069 16.4995 19.5 15.6063 19.5 14.5046L19.5 6.49451C19.5 5.39268 18.6068 4.49948 17.5049 4.49951L6.49494 4.49978C5.39315 4.49981 4.49999 5.39299 4.49999 6.49478L4.49998 18.3483C4.49998 18.9842 5.01549 19.4997 5.6514 19.4997C5.8787 19.4997 6.10091 19.4324 6.29004 19.3063L10.5 16.5Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2015/01/04/typical-cryptography-in-as2805-explained/#comments">3 Comments<span class="screen-reader-text"> on Typical Cryptography in AS2805 Explained</span></a></span> </footer> </article> <article id="post-75" class="post-75 post type-post status-publish format-standard hentry category-financial-switching category-hsm tag-as-2805-part-3 tag-as2805 tag-as2805-pk-command tag-c2-command tag-c4-command tag-dea2 tag-dea3 tag-dukpt tag-ei-host-command tag-eo-command tag-h2-command tag-h4-command tag-h6-command tag-h8-command tag-interchange tag-kca tag-kek tag-kekr tag-keks tag-kti tag-mac tag-oi-command tag-ok-command tag-ou-command tag-ow-command tag-pi-command tag-po-host-command tag-rsa tag-session-keys tag-tmk1 tag-tmk2 tag-triple-des entry"> <header class="entry-header default-max-width"> <h2 class="entry-title"><a href="https://arthurvandermerwe.com/2014/12/02/thales-9000-and-as2805-interchange-commands/" rel="bookmark">Thales 9000 with AS2805 Interchange & RSA EFTPOS Commands.</a></h2> </header> <div class="entry-content"> <h3><b>Interchange Cryptographic Keys </b></h3> <p>Interchange keys are used to protect financial transactions initiated at Acquirer eftpos / ATM Terminals while in transit to the Issuer institution. Interchange keys may be either:</p> <p>(a) PIN encrypting keys – used to protect the customer PIN from the point of origin to the point of authorisation. PIN encrypting keys are a specific instance of session keys;</p> <p>(b) Session keys – used to secure, validate and protect the financial message. Session keys can be further qualified into those used in the terminal to Acquirer environment (terminal session keys) or on node to node links (interchange session keys);</p> <p>(c) Key Encrypting Keys (KEK) – used to protect other keys (e.g. session keys) during exchange; or</p> <p>(d) Transport Keys – used to protect keys (e.g. KEKs) during transport to the partner institution.</p> <h3><b>Cryptographic Algorithms </b></h3> <p>DEA3 and DEA2 are the only approved algorithms for the protection of interchange information (full details of these algorithms may be found in the Australian standard AS 2805 part 5).</p> <p>DEA3 keys are 128 bits in length (effectively 112 bits) and are generally referred to as triple DES or 3DES keys (the corresponding encryption algorithm is specified in AS 2805 part 5.4). Triple DES may also be acceptably implemented using a key length of 192 bits (effectively 168 bits).</p> <p>DEA3 with a key length of 128 bits and DEA2 with key lengths equal to, or greater than 2048 bits are the minimum acceptable requirements for the effective protection of interchange information at the time of the issuance of this document.</p> <p>In accordance with AS 2805 part 3, DEA3 must be used for PIN encipherment.</p> <h3><b> Interchange Links </b></h3> <p>For all Interchange Links, Issuers and Acquirers must ensure that:</p> <p>(a) Security for Transactions processed over that Interchange Link complies with AS2805 Part 6;</p> <p>(b) Message formats comply with AS2805 Part 2;</p> <p>(c) Security of transactions from terminal to Acquirer and from Acquirer to Issuer complies with AS2805 Part 6;</p> <p>(d) PIN security and encryption complies with AS2805 Parts 3 and 5.4;</p> <p>(e) Key management practices comply with AS2805 Part 6.1;</p> <p>In each case and as more particularly set out in Part 8:</p> <p>(a) Message Authentication must apply to all Interchange Links;</p> <p>(b) The Message Authentication Code (MAC) must be calculated using, as a minimum, a DEA 3 (128-bit) key, Triple DES and an algorithm conforming to AS2805 Part 4; and</p> <p>(c) all interchange PIN and MAC cryptographic functions must be performed within a Tamper-responsive SCM</p> <h3>The Actual process using an Thales 9000 HSM (CECS Approved)</h3> <p>Now what we are clear on the actual requirements of CECS and APCA, lets attempt to do this using a Thales 9000.</p> <p><strong>Generate a Sponsor RSA key pair</strong></p> <p>This command is the first step as would be required to do this for all terminal commands.</p> <ul> <li>This is done my using the <strong>HSM EI host Command</strong>, from the HSM base manual. <ul> <li>The input is the length of the RSA key set required, and the length go the public key modulus.</li> </ul> </li> <li>The Public Key Verification Code should now be generated. This is done using the <strong>HSM H2 Command</strong> from the Australian Standards Support Manual.</li> </ul> <p>The Public Key and the PVC are sent to your Interchange Partner via different paths, as per their direction. (lets call this <strong>OUR-Key</strong> and <strong>OUR-PVC</strong>)</p> <p>Your Interchange partner will now do the same process and provide you with a Public Key and a PVC. (lets call this <strong>THEIR-Key</strong> and <strong>THEIR-PVC</strong>)</p> <p>When we receive this Public Key from our Interchange Partner, the following should happen:</p> <ul> <li>The PVC for the Key should be generated using the<strong> HSM H2 Command</strong> from the Australian Standards Support Manual.</li> <li>The MAC for the Key should be generated using the <strong>HSM EO command</strong> from the HSM Base Manual.</li> </ul> <p>We now have public keys exchanged and have them ready for use!!</p> <p>Our Database should be looking like this:</p> <p>|<strong>OUR-Key|OUR-PVC|THEIR-Key|THEIR-PVC|THEIR-MAC|GEN-PVC|</strong></p> <p>Now we have the Public keys exchanged and ready for use, we can generate our KEKs & send to Interchange Partner, and receive our KEKr from Interchange Partner;</p> <ul> <li>To send our KEKs we will use the<strong> H4 command</strong> from the Australian Standards support manual.</li> <li>To receive our KEKr we will use the <strong>H6 command</strong> from the Australian Standards support manual.</li> </ul> <p>Once these are decrypted and stored in our key database we can generate and exchange our session MAC and PIN keys.</p> <ol> <ul> <li>To generate and store our send keys we use the <strong>OI command</strong> from the Australian Standards support manual.</li> <li>To receive and store our receive keys we use the <strong>OK command</strong> from the Australian Standards support manual.</li> </ul> </ol> <p>Now we have all the keys in place we can start to process transactions.</p> <ol> <ul> <li>To generate the MAC on a message there are a number of commands available, however as we are using the AS2805 standards we always recommend our customers use the <strong>C2 command</strong> from the Australian Standards support manual. This provides all the options required for the Australian environment.</li> </ul> </ol> <p>Similarly to verify the MAC on a message there are a number of commands available, however as we are using the AS2805 standards we always recommend our customers use the <strong>C4 command</strong> from the Australian Standards support manual. This provides all the options required for the Australian environment.</p> <h4>Terminal Commands</h4> <p>Terminal Manufacturer will be injecting into the PINpads their Manufacturer Public Key. The MPK will be transmitted to SPONSOR securely. The MPK validity should be checked by verifying the PVC, this is achieved by generating a Public Key Verification Code This is done using the <strong>H2 command</strong> from the Australian Standards support manual. And the two values compared.</p> <ul> <li>We also need to generate a PPASN, this is achieved using the AS2805 <strong>PK command</strong>.</li> <li>The host will now send the SPK to the PINpad, the PINpad will now generate the KI (also known as KTI), and send to the host. This is recovered using the AS2805 <strong>host H8 command</strong>, which also returns the KCA, the KCA is encrypted under the LMK and the KTI.</li> <li>Now we have the MPK and have verified it is genuine, we now need to generate a MAC for the Public Key, this is achieved using the <strong>Host EO command</strong>, this is used in subsequent processing. Note: this command is only available when the HSM is in Authorised State. We can now recover the PINpad Public from the MSK. This is achieved using the AS2805 H0 host command.</li> <li>KCA is now used to create the TMK1 and TMK2 (also known as KEK1 & KEK2). These are generated using the C0 command.</li> <li>Now we have the TMK’s in place we can use the TMK update commands.</li> </ul> <p>Updating the Keys</p> <ul> <li>When updating only TMK1 the AS2805 <strong>OU command</strong> is used.</li> <li>When updating both TMK1 and TMK2 then the <strong>OW command</strong> is used.</li> </ul> <p>Now we have the TMK’s in place and able to be updated, we can generate the Session Keys to be used for the PIN, MAC & optional encryption keys if required.</p> <p>This is achieved using the AS2805 PI command. The <strong>PI command</strong> will generate the PIN, MAC, and optional Encryption keys.</p> <ul> <li>Now we can have the session keys in place we can Decrypt the data, verify the MAC & verify the pin. The decrypt data & verify MAC steps depend on how it has been handled by the terminal. Has the terminal done the MAC first then encrypted the required data or has the terminal encrypted the data & then done the MAC. We have assumed that the Encrypt was done first.</li> </ul> <ul> <li>Verify the MAC’s on the transactions from the terminal using the AS2805 <strong>C4</strong>.</li> </ul> <ul> <li>Once the MAC has been verified we can then decrypt the required data with the AS2805 host command PW.</li> </ul> <ul> <li>Now we have the required decrypted data you will need to either verify the PIN or Translate the PIN, to translate the PIN assuming the transaction is a debit card transaction. This is achieved using the AS2805 <strong>PO host command</strong>. To verify the PIN will use one of the following <strong>F0 or F2</strong>.</li> </ul> <p>If you have translated the PIN we can form the message and generate a MAC for the message to be sent to Interchange Partner, this is achieved using the <strong>C2 command</strong> as detailed above in the Interchange messages.</p> <p><em>The biggest problem we see with this are around the KEKs & KEKr is people get them around the wrong way. Your KEKs becomes the remote KEKr & vice versa. The AS2805 commands are designed to swap them over automatically. </em></p> <p><em>The other gotcha is we split the terminal side & the interchange side of the HSM, TMK (terminal master key) is like a KEK (ZMK (Zone master key)) but used on the terminal side of the network where a ZMK (KEKs & KEKr) is used for interchange side of the network.</em></p> <p><em> easy as Pie!</em></p> <div id="geo-post-75" class="geo geo-post" style="display: none"> <span class="latitude">-33.787535</span> <span class="longitude">151.200220</span> </div> </div> <footer class="entry-footer default-max-width"> <span class="byline"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M15 7.5C15 9.15685 13.6569 10.5 12 10.5C10.3431 10.5 9 9.15685 9 7.5C9 5.84315 10.3431 4.5 12 4.5C13.6569 4.5 15 5.84315 15 7.5ZM16.5 7.5C16.5 9.98528 14.4853 12 12 12C9.51472 12 7.5 9.98528 7.5 7.5C7.5 5.01472 9.51472 3 12 3C14.4853 3 16.5 5.01472 16.5 7.5ZM19.5 19.5V16.245C19.5 14.729 18.271 13.5 16.755 13.5L7.245 13.5C5.72898 13.5 4.5 14.729 4.5 16.245L4.5 19.5H6L6 16.245C6 15.5574 6.5574 15 7.245 15L16.755 15C17.4426 15 18 15.5574 18 16.245V19.5H19.5Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted by</span><span class="author vcard"><a class="url fn n" href="https://arthurvandermerwe.com/author/arthurvdmerwe/">arthurvdmerwe</a></span></span><span class="posted-on"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M19.5 7.5H4.5V19.0005C4.5 19.2764 4.72363 19.5 4.9995 19.5H19.0005C19.2764 19.5 19.5 19.2764 19.5 19.0005V7.5ZM3 7.5V4.9995V4.995C3 3.89319 3.89319 3 4.995 3H4.9995H19.0005H19.005C20.1068 3 21 3.89319 21 4.995V4.9995V7.5V19.0005C21 20.1048 20.1048 21 19.0005 21H4.9995C3.89521 21 3 20.1048 3 19.0005V7.5ZM7.5 10.5H9V12H7.5V10.5ZM9 15H7.5V16.5H9V15ZM11.25 10.5H12.75V12H11.25V10.5ZM12.75 15H11.25V16.5H12.75V15ZM15 10.5H16.5V12H15V10.5ZM16.5 15H15V16.5H16.5V15Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2014/12/02/thales-9000-and-as2805-interchange-commands/" rel="bookmark"><time class="entry-date published" datetime="2014-12-02T13:09:50+11:00">December 2, 2014</time><time class="updated" datetime="2015-05-30T15:40:30+10:00">May 30, 2015</time></a></span><span class="cat-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M12.1979 8.25L11.2098 6.27363C11.1259 6.10593 10.9545 6 10.767 6H4.995C4.72162 6 4.5 6.22162 4.5 6.495V17.505C4.5 17.7784 4.72162 18 4.995 18H19.0005C19.2764 18 19.5 17.7764 19.5 17.5005V8.7495C19.5 8.47363 19.2764 8.25 19.0005 8.25H12.1979ZM13.125 6.75H19.0005C20.1048 6.75 21 7.64521 21 8.7495V17.5005C21 18.6048 20.1048 19.5 19.0005 19.5H4.995C3.89319 19.5 3 18.6068 3 17.505V6.495C3 5.39319 3.89319 4.5 4.995 4.5H10.767C11.5227 4.5 12.2135 4.92693 12.5514 5.60281L13.125 6.75Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted in</span><a href="https://arthurvandermerwe.com/category/financial-switching/" rel="category tag">Financial Switching</a>, <a href="https://arthurvandermerwe.com/category/hsm/" rel="category tag">HSM</a></span><span class="tags-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M3 12.2045C3 12.5941 3.15158 12.9684 3.42267 13.2482L9.71878 19.747C11.0769 21.1489 13.3201 21.1667 14.7003 19.7865L19.7873 14.6995C21.1677 13.319 21.1497 11.0753 19.7471 9.71731L13.2459 3.42238C12.9661 3.15147 12.5919 3 12.2025 3H4.5C3.67157 3 3 3.67157 3 4.5V12.2045ZM12.2025 4.5H4.5V12.2045L10.7961 18.7033C11.5714 19.5035 12.8518 19.5137 13.6396 18.7258L18.7266 13.6388C19.5146 12.8509 19.5043 11.5701 18.7037 10.7949L12.2025 4.5ZM8.4975 9.495C9.0484 9.495 9.495 9.0484 9.495 8.4975C9.495 7.9466 9.0484 7.5 8.4975 7.5C7.9466 7.5 7.5 7.9466 7.5 8.4975C7.5 9.0484 7.9466 9.495 8.4975 9.495Z" fill="currentColor"/></svg><span class="screen-reader-text">Tags:</span><a href="https://arthurvandermerwe.com/tag/as-2805-part-3/" rel="tag">AS 2805 part 3</a>, <a href="https://arthurvandermerwe.com/tag/as2805/" rel="tag">AS2805</a>, <a href="https://arthurvandermerwe.com/tag/as2805-pk-command/" rel="tag">AS2805 PK command</a>, <a href="https://arthurvandermerwe.com/tag/c2-command/" rel="tag">C2 command</a>, <a href="https://arthurvandermerwe.com/tag/c4-command/" rel="tag">C4 command</a>, <a href="https://arthurvandermerwe.com/tag/dea2/" rel="tag">DEA2</a>, <a href="https://arthurvandermerwe.com/tag/dea3/" rel="tag">DEA3</a>, <a href="https://arthurvandermerwe.com/tag/dukpt/" rel="tag">dukpt</a>, <a href="https://arthurvandermerwe.com/tag/ei-host-command/" rel="tag">EI host Command</a>, <a href="https://arthurvandermerwe.com/tag/eo-command/" rel="tag">EO command</a>, <a href="https://arthurvandermerwe.com/tag/h2-command/" rel="tag">H2 Command</a>, <a href="https://arthurvandermerwe.com/tag/h4-command/" rel="tag">H4 command</a>, <a href="https://arthurvandermerwe.com/tag/h6-command/" rel="tag">H6 command</a>, <a href="https://arthurvandermerwe.com/tag/h8-command/" rel="tag">H8 command</a>, <a href="https://arthurvandermerwe.com/tag/interchange/" rel="tag">Interchange</a>, <a href="https://arthurvandermerwe.com/tag/kca/" rel="tag">KCA</a>, <a href="https://arthurvandermerwe.com/tag/kek/" rel="tag">KEK</a>, <a href="https://arthurvandermerwe.com/tag/kekr/" rel="tag">KEKr</a>, <a href="https://arthurvandermerwe.com/tag/keks/" rel="tag">KEKs</a>, <a href="https://arthurvandermerwe.com/tag/kti/" rel="tag">KTI</a>, <a href="https://arthurvandermerwe.com/tag/mac/" rel="tag">MAC</a>, <a href="https://arthurvandermerwe.com/tag/oi-command/" rel="tag">OI command</a>, <a href="https://arthurvandermerwe.com/tag/ok-command/" rel="tag">OK command</a>, <a href="https://arthurvandermerwe.com/tag/ou-command/" rel="tag">OU command</a>, <a href="https://arthurvandermerwe.com/tag/ow-command/" rel="tag">OW command</a>, <a href="https://arthurvandermerwe.com/tag/pi-command/" rel="tag">PI command</a>, <a href="https://arthurvandermerwe.com/tag/po-host-command/" rel="tag">PO host command</a>, <a href="https://arthurvandermerwe.com/tag/rsa/" rel="tag">RSA</a>, <a href="https://arthurvandermerwe.com/tag/session-keys/" rel="tag">session keys</a>, <a href="https://arthurvandermerwe.com/tag/tmk1/" rel="tag">TMK1</a>, <a href="https://arthurvandermerwe.com/tag/tmk2/" rel="tag">TMK2</a>, <a href="https://arthurvandermerwe.com/tag/triple-des/" rel="tag">Triple DES</a></span><span class="comments-link"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.0458 15.0001L5.99998 17.697L5.99999 6.49478C5.99999 6.22141 6.2216 5.99979 6.49498 5.99978L17.505 5.99951C17.7784 5.9995 18 6.22113 18 6.49451L18 14.5046C18 14.778 17.7784 14.9996 17.505 14.9996L10.0458 15.0001ZM10.5 16.5L17.5051 16.4996C18.6069 16.4995 19.5 15.6063 19.5 14.5046L19.5 6.49451C19.5 5.39268 18.6068 4.49948 17.5049 4.49951L6.49494 4.49978C5.39315 4.49981 4.49999 5.39299 4.49999 6.49478L4.49998 18.3483C4.49998 18.9842 5.01549 19.4997 5.6514 19.4997C5.8787 19.4997 6.10091 19.4324 6.29004 19.3063L10.5 16.5Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2014/12/02/thales-9000-and-as2805-interchange-commands/#comments">4 Comments<span class="screen-reader-text"> on Thales 9000 with AS2805 Interchange & RSA EFTPOS Commands.</span></a></span> </footer> </article> <article id="post-72" class="post-72 post type-post status-publish format-standard hentry category-financial-switching category-hsm tag-thales entry"> <header class="entry-header default-max-width"> <h2 class="entry-title"><a href="https://arthurvandermerwe.com/2014/08/06/thales-key-exchange-examples-and-troubleshooting/" rel="bookmark">Thales Key Exchange Examples and Troubleshooting</a></h2> </header> <div class="entry-content"> <p>Judging from the searches done to locate this blog, it’s clear many of us share the following opinion: although Thales (formerly RACAL) is a market leader with its 7000 and 8000 series of HSM devices, their documentation falls painfully short in two areas: there are NO COMMAND EXAMPLES (!!!) in the manuals (an appalling omission); and the troubleshooting assistance is also distressingly thin. As a result, we had to lean heavily on our local Thales distributor for guidance on how commands really get pieced together. And, man, is it ever esoteric….see my earlier posts regarding the ‘KSN Descriptor’ for evidence of that. Moreover, our distributor provided us with some outstanding troubleshooting support to get us through the all important FA/FB key exhange. So, I’ll post our experience here in hopes that others can benefit from it. </p> <p>The FA/FB is the command exchange to “Translate a ZPK from ZMK to LMK Encryption.” We had this working internally with some simulated stuff, but once we tried this command ‘for real’ with our Debit/EBT gateway partner , we consistently received parity errors back from our Thales 8000 HSM (i.e., the FB returned with some result code != 0).</p> <p>There are three possible issues / resolution paths to explore in these situations:</p> <p>Your switching partner has employed an Atalla HSM and you’ve not taken it into account. When a Thales/RACAL HSM ‘talks’ to an Atalla, your box commands must specify an Atalla Variant.</p> <p>Your switching partner didn’t specify a Key Scheme in its ZPK creation, and the default is X9.17 (‘X’). If you specify the RACAL Scheme (‘U’) in your ‘FA’ and the ZPK under ZMK provided to the box was created via the X9.17 scheme, you’ll get a parity error.</p> <p>You created the ZMK cryptogram internally using one key scheme and now are trying to employ it in the FA command specifying (inadvertantly) the other variant scheme.</p> <p>You want to try to resolve each of these in turn.</p> <p>The “test solution” path for Item #1 is as follows…</p> <p>Let’s assume your FA command is constructed like so:</p> <p>FAU2D775BFD****************FABE0D7CU6C0FDE16D22FF2D95273E3741AF4E187</p> <p>[NOTE: I’ve obscured the ZMK Cryptogram here for blogging purposes only. The actual value is a 32-position hexidecimal string.]</p> <p>If you discover that the other side is using an Atalla, you need to specify an “Atalla Variant,” which you do by specifying a ‘1’ at the end of the ‘FA’ command string:</p> <p>FAU2D775BFD****************FABE0D7CU6C0FDE16D22FF2D95273E3741AF4E1871</p> <p>The “test solution” path for Item #2 is as follows…</p> <p>We find some endpoint partners have no idea which Key Scheme (X9.17 or Racal Native) they employed to create their keys. So, you may have to experiment. This FA command string says that the ZMK and ZPK were created using the RACAL native scheme (‘U’):</p> <p>FAU2D775BFD****************FABE0D7CU6C0FDE16D22FF2D95273E3741AF4E187</p> <p>To specify that the ZPK was created using the X9.17 scheme, you’d do the following:</p> <p>FAU2D775BFD****************FABE0D7CX6C0FDE16D22FF2D95273E3741AF4E187</p> <p>The “test solution” path for Item #3 is as follows…</p> <p>When you created your ZMK (probably during a key ceremony involving a reconstitution of key parts provided by your endpoint gateway), you specify (or otherwise let default) your ZMK Key Scheme. Again, this can be either the RACAL Native Scheme (‘U’) or X9.17 (‘X’). [I believe the default is X9.17.] For example, if you created the ZMK using the ‘X’ approach, and then submitted an ‘FA’ command that looks like this:</p> <p>FAU2D775BFD****************FABE0D7CU6C0FDE16D22FF2D95273E3741AF4E187</p> <p>…it’s gonna fail. You absolutely must maintain consistency from the creation of the ZMK cryptogram through its subsequent usage. So, the command would change to look like this:</p> <p>FAX2D775BFD****************FABE0D7CU6C0FDE16D22FF2D95273E3741AF4E187</p> <p>[NOTE: I’m not advocating ‘X’ over ‘U’ here…just showing you an example. In a recent concluded project, we assumed the incoming ZPK was of the RACAL native variety, but it arrived from the remote partner as created under the X9.17 scheme. Thing is, the gateway team had no idea they had done that and could not articulate the difference. So, be prepared to experiment with every permutation of what I’ve described herein before ‘unlocking’ the solution.]</p> </div> <footer class="entry-footer default-max-width"> <span class="byline"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M15 7.5C15 9.15685 13.6569 10.5 12 10.5C10.3431 10.5 9 9.15685 9 7.5C9 5.84315 10.3431 4.5 12 4.5C13.6569 4.5 15 5.84315 15 7.5ZM16.5 7.5C16.5 9.98528 14.4853 12 12 12C9.51472 12 7.5 9.98528 7.5 7.5C7.5 5.01472 9.51472 3 12 3C14.4853 3 16.5 5.01472 16.5 7.5ZM19.5 19.5V16.245C19.5 14.729 18.271 13.5 16.755 13.5L7.245 13.5C5.72898 13.5 4.5 14.729 4.5 16.245L4.5 19.5H6L6 16.245C6 15.5574 6.5574 15 7.245 15L16.755 15C17.4426 15 18 15.5574 18 16.245V19.5H19.5Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted by</span><span class="author vcard"><a class="url fn n" href="https://arthurvandermerwe.com/author/arthurvdmerwe/">arthurvdmerwe</a></span></span><span class="posted-on"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M19.5 7.5H4.5V19.0005C4.5 19.2764 4.72363 19.5 4.9995 19.5H19.0005C19.2764 19.5 19.5 19.2764 19.5 19.0005V7.5ZM3 7.5V4.9995V4.995C3 3.89319 3.89319 3 4.995 3H4.9995H19.0005H19.005C20.1068 3 21 3.89319 21 4.995V4.9995V7.5V19.0005C21 20.1048 20.1048 21 19.0005 21H4.9995C3.89521 21 3 20.1048 3 19.0005V7.5ZM7.5 10.5H9V12H7.5V10.5ZM9 15H7.5V16.5H9V15ZM11.25 10.5H12.75V12H11.25V10.5ZM12.75 15H11.25V16.5H12.75V15ZM15 10.5H16.5V12H15V10.5ZM16.5 15H15V16.5H16.5V15Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2014/08/06/thales-key-exchange-examples-and-troubleshooting/" rel="bookmark"><time class="entry-date published" datetime="2014-08-06T10:20:07+10:00">August 6, 2014</time><time class="updated" datetime="2015-03-10T22:28:56+11:00">March 10, 2015</time></a></span><span class="cat-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M12.1979 8.25L11.2098 6.27363C11.1259 6.10593 10.9545 6 10.767 6H4.995C4.72162 6 4.5 6.22162 4.5 6.495V17.505C4.5 17.7784 4.72162 18 4.995 18H19.0005C19.2764 18 19.5 17.7764 19.5 17.5005V8.7495C19.5 8.47363 19.2764 8.25 19.0005 8.25H12.1979ZM13.125 6.75H19.0005C20.1048 6.75 21 7.64521 21 8.7495V17.5005C21 18.6048 20.1048 19.5 19.0005 19.5H4.995C3.89319 19.5 3 18.6068 3 17.505V6.495C3 5.39319 3.89319 4.5 4.995 4.5H10.767C11.5227 4.5 12.2135 4.92693 12.5514 5.60281L13.125 6.75Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted in</span><a href="https://arthurvandermerwe.com/category/financial-switching/" rel="category tag">Financial Switching</a>, <a href="https://arthurvandermerwe.com/category/hsm/" rel="category tag">HSM</a></span><span class="tags-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M3 12.2045C3 12.5941 3.15158 12.9684 3.42267 13.2482L9.71878 19.747C11.0769 21.1489 13.3201 21.1667 14.7003 19.7865L19.7873 14.6995C21.1677 13.319 21.1497 11.0753 19.7471 9.71731L13.2459 3.42238C12.9661 3.15147 12.5919 3 12.2025 3H4.5C3.67157 3 3 3.67157 3 4.5V12.2045ZM12.2025 4.5H4.5V12.2045L10.7961 18.7033C11.5714 19.5035 12.8518 19.5137 13.6396 18.7258L18.7266 13.6388C19.5146 12.8509 19.5043 11.5701 18.7037 10.7949L12.2025 4.5ZM8.4975 9.495C9.0484 9.495 9.495 9.0484 9.495 8.4975C9.495 7.9466 9.0484 7.5 8.4975 7.5C7.9466 7.5 7.5 7.9466 7.5 8.4975C7.5 9.0484 7.9466 9.495 8.4975 9.495Z" fill="currentColor"/></svg><span class="screen-reader-text">Tags:</span><a href="https://arthurvandermerwe.com/tag/thales/" rel="tag">Thales</a></span><span class="comments-link"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.0458 15.0001L5.99998 17.697L5.99999 6.49478C5.99999 6.22141 6.2216 5.99979 6.49498 5.99978L17.505 5.99951C17.7784 5.9995 18 6.22113 18 6.49451L18 14.5046C18 14.778 17.7784 14.9996 17.505 14.9996L10.0458 15.0001ZM10.5 16.5L17.5051 16.4996C18.6069 16.4995 19.5 15.6063 19.5 14.5046L19.5 6.49451C19.5 5.39268 18.6068 4.49948 17.5049 4.49951L6.49494 4.49978C5.39315 4.49981 4.49999 5.39299 4.49999 6.49478L4.49998 18.3483C4.49998 18.9842 5.01549 19.4997 5.6514 19.4997C5.8787 19.4997 6.10091 19.4324 6.29004 19.3063L10.5 16.5Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2014/08/06/thales-key-exchange-examples-and-troubleshooting/#respond">Leave a comment<span class="screen-reader-text"> on Thales Key Exchange Examples and Troubleshooting</span></a></span> </footer> </article> <article id="post-71" class="post-71 post type-post status-publish format-standard hentry category-financial-switching category-hsm tag-dukpt entry"> <header class="entry-header default-max-width"> <h2 class="entry-title"><a href="https://arthurvandermerwe.com/2014/08/06/testing-dukpt/" rel="bookmark">Testing DUKPT</a></h2> </header> <div class="entry-content"> <p>As an acquirer, you can validate that your PIN translation command is working correctly even if you haven’t yet established connectivity to your Debit/EBT endpoint (or if you’ve established connectivity but don’t yet have your test key parts). </p> <p>Typically when we’re pressed into this situation, this is what we do if we’re working with the Key-Up II HSM from Ian Donnelly Systems (‘IDS’):</p> <p>For simplicity’s sake, we use a weak double-length key part.</p> <p>We enter it as a single part (again, at this point, we want to keep things simple).<br /> Typically, we use 0123456789ABCDEFFEDCBA9876543210.</p> <p>We take the Cryptogram obtained out of that exercise and we use that as our Key Exchange Key (“KEK”) input.</p> <p>Now, in my reading of the Thales manuals, performing this exercise with the Thales device is quite a bit more complicated.</p> <p>[I’ll use Thales language here so we’re all on the same page…]</p> <p>GOAL: What you need to test PIN translation is a ZPK encrypted under your LMK. [Refer to my previous post for details on the CI/CJ PIN transalation request/response.]</p> <p>Note specifically where I describe “PIN Length” on the CJ command output I say:</p> <p>“Although this field is not used to build the 0200 message formatted for the processor gateway, a value like ‘04’ or ‘05’ here is a pretty good indication that the translation occurred successfully.”</p> <p>So, we can validate the workability of this command without a working endpoint or ‘real’ key parts from them, but – in order to do so – we need to construct a valid ZPK under LMK cryptogram. This value will allow you to create a completely valid CI command, assuming that:</p> <p>You’ve got one or more valid BDK cryptograms loaded in your encryption database.</p> <p>You can generate PIN-enabled Debit purchases from a test point-of-sale location.</p> <p>You have addressibility from your test server to the Thales.</p> <p>STEPS: My reading of the Thales manual is that you’ll need to execute the following steps (this is sort of ugly – numbers refer to specific sections in the Operations and Installation manual):</p> <p>6.1 to create at least two 32-positions ZMK components (or, alternatively, 6.3 if you want to use components of your own chosing).</p> <p>6.4 to get a 32-position ZMK under LMK.</p> <p>7.1 to generate random ZPK (uses 6.4 ZMK under LMK output as input here) and encrypt under ZMK and LMK. The goal is that second cryptogram that comes back, the one oddly named “ZPK encrypted for bank” in the Thales document. That’s the ZPK under the LMK that you need for your tests.</p> <p>Obtaining this information should allow you to validate the critical part of your encryption infrastructure prior to getting connectivity to your Debit/EBT gateway partner. Of course, once formal inter-system testing is established you still need to transport the encrypted PIN block in an 0200 request to your endpoint. But doing the exercise I describe above here first will allow you to eliminate any self-doubt you may have about your internal PIN translation activities prior to getting an external party involved in the testing</p> </div> <footer class="entry-footer default-max-width"> <span class="byline"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M15 7.5C15 9.15685 13.6569 10.5 12 10.5C10.3431 10.5 9 9.15685 9 7.5C9 5.84315 10.3431 4.5 12 4.5C13.6569 4.5 15 5.84315 15 7.5ZM16.5 7.5C16.5 9.98528 14.4853 12 12 12C9.51472 12 7.5 9.98528 7.5 7.5C7.5 5.01472 9.51472 3 12 3C14.4853 3 16.5 5.01472 16.5 7.5ZM19.5 19.5V16.245C19.5 14.729 18.271 13.5 16.755 13.5L7.245 13.5C5.72898 13.5 4.5 14.729 4.5 16.245L4.5 19.5H6L6 16.245C6 15.5574 6.5574 15 7.245 15L16.755 15C17.4426 15 18 15.5574 18 16.245V19.5H19.5Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted by</span><span class="author vcard"><a class="url fn n" href="https://arthurvandermerwe.com/author/arthurvdmerwe/">arthurvdmerwe</a></span></span><span class="posted-on"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M19.5 7.5H4.5V19.0005C4.5 19.2764 4.72363 19.5 4.9995 19.5H19.0005C19.2764 19.5 19.5 19.2764 19.5 19.0005V7.5ZM3 7.5V4.9995V4.995C3 3.89319 3.89319 3 4.995 3H4.9995H19.0005H19.005C20.1068 3 21 3.89319 21 4.995V4.9995V7.5V19.0005C21 20.1048 20.1048 21 19.0005 21H4.9995C3.89521 21 3 20.1048 3 19.0005V7.5ZM7.5 10.5H9V12H7.5V10.5ZM9 15H7.5V16.5H9V15ZM11.25 10.5H12.75V12H11.25V10.5ZM12.75 15H11.25V16.5H12.75V15ZM15 10.5H16.5V12H15V10.5ZM16.5 15H15V16.5H16.5V15Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2014/08/06/testing-dukpt/" rel="bookmark"><time class="entry-date published" datetime="2014-08-06T10:18:40+10:00">August 6, 2014</time><time class="updated" datetime="2015-03-10T22:29:09+11:00">March 10, 2015</time></a></span><span class="cat-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M12.1979 8.25L11.2098 6.27363C11.1259 6.10593 10.9545 6 10.767 6H4.995C4.72162 6 4.5 6.22162 4.5 6.495V17.505C4.5 17.7784 4.72162 18 4.995 18H19.0005C19.2764 18 19.5 17.7764 19.5 17.5005V8.7495C19.5 8.47363 19.2764 8.25 19.0005 8.25H12.1979ZM13.125 6.75H19.0005C20.1048 6.75 21 7.64521 21 8.7495V17.5005C21 18.6048 20.1048 19.5 19.0005 19.5H4.995C3.89319 19.5 3 18.6068 3 17.505V6.495C3 5.39319 3.89319 4.5 4.995 4.5H10.767C11.5227 4.5 12.2135 4.92693 12.5514 5.60281L13.125 6.75Z" fill="currentColor"/></svg><span class="screen-reader-text">Posted in</span><a href="https://arthurvandermerwe.com/category/financial-switching/" rel="category tag">Financial Switching</a>, <a href="https://arthurvandermerwe.com/category/hsm/" rel="category tag">HSM</a></span><span class="tags-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M3 12.2045C3 12.5941 3.15158 12.9684 3.42267 13.2482L9.71878 19.747C11.0769 21.1489 13.3201 21.1667 14.7003 19.7865L19.7873 14.6995C21.1677 13.319 21.1497 11.0753 19.7471 9.71731L13.2459 3.42238C12.9661 3.15147 12.5919 3 12.2025 3H4.5C3.67157 3 3 3.67157 3 4.5V12.2045ZM12.2025 4.5H4.5V12.2045L10.7961 18.7033C11.5714 19.5035 12.8518 19.5137 13.6396 18.7258L18.7266 13.6388C19.5146 12.8509 19.5043 11.5701 18.7037 10.7949L12.2025 4.5ZM8.4975 9.495C9.0484 9.495 9.495 9.0484 9.495 8.4975C9.495 7.9466 9.0484 7.5 8.4975 7.5C7.9466 7.5 7.5 7.9466 7.5 8.4975C7.5 9.0484 7.9466 9.495 8.4975 9.495Z" fill="currentColor"/></svg><span class="screen-reader-text">Tags:</span><a href="https://arthurvandermerwe.com/tag/dukpt/" rel="tag">dukpt</a></span><span class="comments-link"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.0458 15.0001L5.99998 17.697L5.99999 6.49478C5.99999 6.22141 6.2216 5.99979 6.49498 5.99978L17.505 5.99951C17.7784 5.9995 18 6.22113 18 6.49451L18 14.5046C18 14.778 17.7784 14.9996 17.505 14.9996L10.0458 15.0001ZM10.5 16.5L17.5051 16.4996C18.6069 16.4995 19.5 15.6063 19.5 14.5046L19.5 6.49451C19.5 5.39268 18.6068 4.49948 17.5049 4.49951L6.49494 4.49978C5.39315 4.49981 4.49999 5.39299 4.49999 6.49478L4.49998 18.3483C4.49998 18.9842 5.01549 19.4997 5.6514 19.4997C5.8787 19.4997 6.10091 19.4324 6.29004 19.3063L10.5 16.5Z" fill="currentColor"/></svg><a href="https://arthurvandermerwe.com/2014/08/06/testing-dukpt/#respond">Leave a comment<span class="screen-reader-text"> on Testing DUKPT</span></a></span> </footer> </article> </main> </section> </div> <footer id="colophon" class="site-footer default-max-width" role="contentinfo" aria-label="Footer"> <div class="widget-area"> <div class="widget-column footer-widget-1"> <section id="recent-posts-4" class="widget widget_recent_entries"> <h2 class="widget-title">Recent Posts</h2><nav aria-label="Recent Posts"> <ul> <li> <a href="https://arthurvandermerwe.com/2020/02/16/a-brief-comparison-of-as2805-and-key-blocks/">A brief comparison of AS2805 and (TR-31) Key Blocks</a> </li> <li> <a href="https://arthurvandermerwe.com/2020/01/19/what-is-the-random-oracle-model-and-why-should-you-care-part-5-a-few-thoughts-on-cryptographic-engineering/">What is the random oracle model and why should you care? (Part 5) — A Few Thoughts on Cryptographic Engineering</a> </li> <li> <a href="https://arthurvandermerwe.com/2019/02/21/attack-of-the-week-searchable-encryption-and-the-ever-expanding-leakage-function-a-few-thoughts-on-cryptographic-engineering/">Attack of the week: searchable encryption and the ever-expanding leakage function — A Few Thoughts on Cryptographic Engineering</a> </li> <li> <a href="https://arthurvandermerwe.com/2017/12/29/from-bi-linear-maps-to-searchable-encryption/">From Bi-Linear Maps to Searchable Encryption</a> </li> <li> <a href="https://arthurvandermerwe.com/2017/02/10/mutual-authentication-using-certificates/">Mutual Authentication using Certificates</a> </li> <li> <a href="https://arthurvandermerwe.com/2016/09/04/importing-zpk-and-zmk-into-thales-payshield-9000-hsm/">Importing ZPK and ZMK into Thales Payshield 9000 HSM</a> </li> <li> <a href="https://arthurvandermerwe.com/2016/07/23/signature-and-certificate-based-key-injection-for-atm/">Signature and Certificate based key injection for ATM</a> </li> <li> <a href="https://arthurvandermerwe.com/2015/07/31/the-refund-vulnerability-of-as2805-and-eftpos/">The Refund vulnerability of AS2805 and EFTPOS</a> </li> <li> <a href="https://arthurvandermerwe.com/2015/05/30/dukpt-explained-with-examples/">DUKPT Explained with examples</a> </li> <li> <a href="https://arthurvandermerwe.com/2015/05/28/eftpos-initialisation-using-rsa-cryptography/">EFTPOS Initialisation using RSA Cryptography</a> </li> <li> <a href="https://arthurvandermerwe.com/2015/05/20/atm-pin-encryption-using-3des/">ATM Pin encryption using 3DES</a> </li> <li> <a href="https://arthurvandermerwe.com/2015/03/03/implementing-as2805-part-3-using-a-thales-9000-and-python/">Implementing AS2805 Part 6 Host to Host Encryption using a Thales 9000 and Python</a> </li> <li> <a href="https://arthurvandermerwe.com/2015/01/04/typical-cryptography-in-as2805-explained/">Typical Cryptography in AS2805 Explained</a> </li> <li> <a href="https://arthurvandermerwe.com/2014/12/02/thales-9000-and-as2805-interchange-commands/">Thales 9000 with AS2805 Interchange & RSA EFTPOS Commands.</a> </li> <li> <a href="https://arthurvandermerwe.com/2014/08/06/thales-key-exchange-examples-and-troubleshooting/">Thales Key Exchange Examples and Troubleshooting</a> </li> <li> <a href="https://arthurvandermerwe.com/2014/08/06/testing-dukpt/">Testing DUKPT</a> </li> <li> <a href="https://arthurvandermerwe.com/2014/07/06/parsing-as25058583-messages/">Parsing AS2505/8583 Messages</a> </li> <li> <a href="https://arthurvandermerwe.com/2014/06/25/dynamic-key-exchange-models/">Dynamic Key Exchange Models</a> </li> <li> <a href="https://arthurvandermerwe.com/2014/06/25/doing-pin-translation/">Doing PIN Translation with DUKPT</a> </li> <li> <a href="https://arthurvandermerwe.com/2014/06/25/credit-vs-debit/">Credit vs Debit</a> </li> <li> <a href="https://arthurvandermerwe.com/2014/06/22/as2805-standards-for-eft/">AS2805 Standards for EFT</a> </li> <li> <a href="https://arthurvandermerwe.com/2014/06/22/trace-your-atm-transactions/">Trace your ATM Transactions</a> </li> </ul> </nav></section><section id="archives-6" class="widget widget_archive"><h2 class="widget-title">Archives</h2><nav aria-label="Archives"> <ul> <li><a href='https://arthurvandermerwe.com/2020/02/'>February 2020</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2020/01/'>January 2020</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2019/02/'>February 2019</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2017/12/'>December 2017</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2017/02/'>February 2017</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2016/09/'>September 2016</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2016/07/'>July 2016</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2015/07/'>July 2015</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2015/05/'>May 2015</a> (3)</li> <li><a href='https://arthurvandermerwe.com/2015/03/'>March 2015</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2015/01/'>January 2015</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2014/12/'>December 2014</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2014/08/'>August 2014</a> (2)</li> <li><a href='https://arthurvandermerwe.com/2014/07/'>July 2014</a> (1)</li> <li><a href='https://arthurvandermerwe.com/2014/06/'>June 2014</a> (5)</li> </ul> </nav></section><section id="wpcom_social_media_icons_widget-4" class="widget widget_wpcom_social_media_icons_widget"><h2 class="widget-title">Social</h2><ul><li><a href="https://www.linkedin.com/in/arthur-van-der-merwe-a7a96a27" class="genericon genericon-linkedin" target="_blank"><span class="screen-reader-text">LinkedIn</span></a></li><li><a href="https://github.com/Arthurvdmerwe" class="genericon genericon-github" target="_blank"><span class="screen-reader-text">GitHub</span></a></li></ul></section> </div> </div> <div class="site-info"> <a class="site-name" href="https://arthurvandermerwe.com/" rel="home">Cryptography & Payments</a><span class="comma">,</span> <a href="https://wordpress.com/?ref=footer_website" rel="nofollow">Create a free website or blog at WordPress.com.</a> </div> </footer> </div>  <script src="//0.gravatar.com/js/hovercards/hovercards.min.js?ver=2024474048849247f5660a2d05b85c6fc286379897f30a1061ad46e7f037e059ed7fe7" id="grofiles-cards-js"></script> <script id="wpgroho-js-extra"> var WPGroHo = {"my_hash":""}; </script> <script crossorigin='anonymous' type='text/javascript' src='https://s2.wp.com/wp-content/mu-plugins/gravatar-hovercards/wpgroho.js?m=1610363240i'></script> <script> // Initialize and attach hovercards to all gravatars ( function() { function init() { if ( typeof Gravatar === 'undefined' ) { return; } if ( typeof Gravatar.init !== 'function' ) { return; } Gravatar.profile_cb = function ( hash, id ) { WPGroHo.syncProfileData( hash, id ); }; Gravatar.my_hash = WPGroHo.my_hash; Gravatar.init( 'body', '#wp-admin-bar-my-account', { i18n: { 'Edit your profile': 'Edit your profile', 'View profile': 'View profile', 'Sorry, we are unable to load this Gravatar profile.': 'Sorry, we are unable to load this Gravatar profile.', 'Profile not found.': 'Profile not found.', 'Too Many Requests.': 'Too Many Requests.', 'Internal Server Error.': 'Internal Server Error.', }, } ); } if ( document.readyState !== 'loading' ) { init(); } else { document.addEventListener( 'DOMContentLoaded', init ); } } )(); </script> <div style="display:none"> </div> <div id="actionbar" style="display: none;" class="actnbr-pub-seedlet actnbr-has-follow"> <ul> <li class="actnbr-btn actnbr-hidden"> <a class="actnbr-action actnbr-actn-follow " href=""> <svg class="gridicon" height="20" width="20" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20"><path clip-rule="evenodd" d="m4 4.5h12v6.5h1.5v-6.5-1.5h-1.5-12-1.5v1.5 10.5c0 1.1046.89543 2 2 2h7v-1.5h-7c-.27614 0-.5-.2239-.5-.5zm10.5 2h-9v1.5h9zm-5 3h-4v1.5h4zm3.5 1.5h-1v1h1zm-1-1.5h-1.5v1.5 1 1.5h1.5 1 1.5v-1.5-1-1.5h-1.5zm-2.5 2.5h-4v1.5h4zm6.5 1.25h1.5v2.25h2.25v1.5h-2.25v2.25h-1.5v-2.25h-2.25v-1.5h2.25z" fill-rule="evenodd"></path></svg> <span>Subscribe</span> </a> <a class="actnbr-action actnbr-actn-following no-display" href=""> <svg class="gridicon" height="20" width="20" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20"><path fill-rule="evenodd" clip-rule="evenodd" d="M16 4.5H4V15C4 15.2761 4.22386 15.5 4.5 15.5H11.5V17H4.5C3.39543 17 2.5 16.1046 2.5 15V4.5V3H4H16H17.5V4.5V12.5H16V4.5ZM5.5 6.5H14.5V8H5.5V6.5ZM5.5 9.5H9.5V11H5.5V9.5ZM12 11H13V12H12V11ZM10.5 9.5H12H13H14.5V11V12V13.5H13H12H10.5V12V11V9.5ZM5.5 12H9.5V13.5H5.5V12Z" fill="#008A20"></path><path class="following-icon-tick" d="M13.5 16L15.5 18L19 14.5" stroke="#008A20" stroke-width="1.5"></path></svg> <span>Subscribed</span> </a> <div class="actnbr-popover tip tip-top-left actnbr-notice" id="follow-bubble"> <div class="tip-arrow"></div> <div class="tip-inner actnbr-follow-bubble"> <ul> <li class="actnbr-sitename"> <a href="https://arthurvandermerwe.com"> <img loading='lazy' alt='' src='https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=50' srcset='https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=50 1x, https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=75 1.5x, https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=100 2x, https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=150 3x, https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=200 4x' class='avatar avatar-50' height='50' width='50' /> Cryptography & Payments </a> </li> <div class="actnbr-message no-display"></div> <form method="post" action="https://subscribe.wordpress.com" accept-charset="utf-8" style="display: none;"> <div class="actnbr-follow-count">Join 30 other subscribers</div> <div> <input type="email" name="email" placeholder="Enter your email address" class="actnbr-email-field" aria-label="Enter your email address" /> </div> <input type="hidden" name="action" value="subscribe" /> <input type="hidden" name="blog_id" value="70204527" /> <input type="hidden" name="source" value="https://arthurvandermerwe.com/category/hsm/" /> <input type="hidden" name="sub-type" value="actionbar-follow" /> <input type="hidden" id="_wpnonce" name="_wpnonce" value="e65172ef6c" /> <div class="actnbr-button-wrap"> <button type="submit" value="Sign me up"> Sign me up </button> </div> </form> <li class="actnbr-login-nudge"> <div> Already have a WordPress.com account? <a href="https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fr-login.wordpress.com%2Fremote-login.php%3Faction%3Dlink%26back%3Dhttps%253A%252F%252Farthurvandermerwe.com%252F2016%252F09%252F04%252Fimporting-zpk-and-zmk-into-thales-payshield-9000-hsm%252F">Log in now.</a> </div> </li> </ul> </div> </div> </li> <li class="actnbr-ellipsis actnbr-hidden"> <svg class="gridicon gridicons-ellipsis" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M7 12c0 1.104-.896 2-2 2s-2-.896-2-2 .896-2 2-2 2 .896 2 2zm12-2c-1.104 0-2 .896-2 2s.896 2 2 2 2-.896 2-2-.896-2-2-2zm-7 0c-1.104 0-2 .896-2 2s.896 2 2 2 2-.896 2-2-.896-2-2-2z"/></g></svg> <div class="actnbr-popover tip tip-top-left actnbr-more"> <div class="tip-arrow"></div> <div class="tip-inner"> <ul> <li class="actnbr-sitename"> <a href="https://arthurvandermerwe.com"> <img loading='lazy' alt='' src='https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=50' srcset='https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=50 1x, https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=75 1.5x, https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=100 2x, https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=150 3x, https://arthurvandermerwe.com/wp-content/uploads/2018/09/cropped-arthur4.png?w=200 4x' class='avatar avatar-50' height='50' width='50' /> Cryptography & Payments </a> </li> <li class="actnbr-folded-customize"> <a href="https://arthurvandermerwe.wordpress.com/wp-admin/customize.php?url=https%3A%2F%2Farthurvandermerwe.wordpress.com%2Fcategory%2Fhsm%2F"> <svg class="gridicon gridicons-customize" height="20" width="20" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M2 6c0-1.505.78-3.08 2-4 0 .845.69 2 2 2 1.657 0 3 1.343 3 3 0 .386-.08.752-.212 1.09.74.594 1.476 1.19 2.19 1.81L8.9 11.98c-.62-.716-1.214-1.454-1.807-2.192C6.753 9.92 6.387 10 6 10c-2.21 0-4-1.79-4-4zm12.152 6.848l1.34-1.34c.607.304 1.283.492 2.008.492 2.485 0 4.5-2.015 4.5-4.5 0-.725-.188-1.4-.493-2.007L18 9l-2-2 3.507-3.507C18.9 3.188 18.225 3 17.5 3 15.015 3 13 5.015 13 7.5c0 .725.188 1.4.493 2.007L3 20l2 2 6.848-6.848c1.885 1.928 3.874 3.753 5.977 5.45l1.425 1.148 1.5-1.5-1.15-1.425c-1.695-2.103-3.52-4.092-5.448-5.977z"/></g></svg> <span>Customize</span> </a> </li> <li class="actnbr-folded-follow"> <a class="actnbr-action actnbr-actn-follow " href=""> <svg class="gridicon" height="20" width="20" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20"><path clip-rule="evenodd" d="m4 4.5h12v6.5h1.5v-6.5-1.5h-1.5-12-1.5v1.5 10.5c0 1.1046.89543 2 2 2h7v-1.5h-7c-.27614 0-.5-.2239-.5-.5zm10.5 2h-9v1.5h9zm-5 3h-4v1.5h4zm3.5 1.5h-1v1h1zm-1-1.5h-1.5v1.5 1 1.5h1.5 1 1.5v-1.5-1-1.5h-1.5zm-2.5 2.5h-4v1.5h4zm6.5 1.25h1.5v2.25h2.25v1.5h-2.25v2.25h-1.5v-2.25h-2.25v-1.5h2.25z" fill-rule="evenodd"></path></svg> <span>Subscribe</span> </a> <a class="actnbr-action actnbr-actn-following no-display" href=""> <svg class="gridicon" height="20" width="20" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20"><path fill-rule="evenodd" clip-rule="evenodd" d="M16 4.5H4V15C4 15.2761 4.22386 15.5 4.5 15.5H11.5V17H4.5C3.39543 17 2.5 16.1046 2.5 15V4.5V3H4H16H17.5V4.5V12.5H16V4.5ZM5.5 6.5H14.5V8H5.5V6.5ZM5.5 9.5H9.5V11H5.5V9.5ZM12 11H13V12H12V11ZM10.5 9.5H12H13H14.5V11V12V13.5H13H12H10.5V12V11V9.5ZM5.5 12H9.5V13.5H5.5V12Z" fill="#008A20"></path><path class="following-icon-tick" d="M13.5 16L15.5 18L19 14.5" stroke="#008A20" stroke-width="1.5"></path></svg> <span>Subscribed</span> </a> </li> <li class="actnbr-signup"><a href="https://wordpress.com/start/">Sign up</a></li> <li class="actnbr-login"><a href="https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fr-login.wordpress.com%2Fremote-login.php%3Faction%3Dlink%26back%3Dhttps%253A%252F%252Farthurvandermerwe.com%252F2016%252F09%252F04%252Fimporting-zpk-and-zmk-into-thales-payshield-9000-hsm%252F">Log in</a></li> <li class="flb-report"> <a href="https://wordpress.com/abuse/?report_url=https://arthurvandermerwe.com" target="_blank" rel="noopener noreferrer"> Report this content </a> </li> <li class="actnbr-reader"> <a href="https://wordpress.com/read/feeds/22152776"> View site in Reader </a> </li> <li class="actnbr-subs"> <a href="https://subscribe.wordpress.com/">Manage subscriptions</a> </li> <li class="actnbr-fold"><a href="">Collapse this bar</a></li> </ul> </div> </div> </li> </ul> </div> <script> window.addEventListener( "load", function( event ) { var link = document.createElement( "link" ); link.href = "https://s0.wp.com/wp-content/mu-plugins/actionbar/actionbar.css?v=20241015"; link.type = "text/css"; link.rel = "stylesheet"; document.head.appendChild( link ); var script = document.createElement( "script" ); script.src = "https://s0.wp.com/wp-content/mu-plugins/actionbar/actionbar.js?v=20231122"; script.defer = true; document.body.appendChild( script ); } ); </script> <div id="jp-carousel-loading-overlay"> <div id="jp-carousel-loading-wrapper"> <span id="jp-carousel-library-loading"> </span> </div> </div> <div class="jp-carousel-overlay" style="display: none;"> <div class="jp-carousel-container">  <div class="jp-carousel-wrap swiper-container jp-carousel-swiper-container jp-carousel-transitions" itemscope itemtype="https://schema.org/ImageGallery"> <div class="jp-carousel swiper-wrapper"></div> <div class="jp-swiper-button-prev swiper-button-prev"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="maskPrev" mask-type="alpha" maskUnits="userSpaceOnUse" x="8" y="6" width="9" height="12"> <path d="M16.2072 16.59L11.6496 12L16.2072 7.41L14.8041 6L8.8335 12L14.8041 18L16.2072 16.59Z" fill="white"/> </mask> <g mask="url(#maskPrev)"> <rect x="0.579102" width="23.8823" height="24" fill="#FFFFFF"/> </g> </svg> </div> <div class="jp-swiper-button-next swiper-button-next"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="maskNext" mask-type="alpha" maskUnits="userSpaceOnUse" x="8" y="6" width="8" height="12"> <path d="M8.59814 16.59L13.1557 12L8.59814 7.41L10.0012 6L15.9718 12L10.0012 18L8.59814 16.59Z" fill="white"/> </mask> <g mask="url(#maskNext)"> <rect x="0.34375" width="23.8822" height="24" fill="#FFFFFF"/> </g> </svg> </div> </div>  <div class="jp-carousel-close-hint"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="maskClose" mask-type="alpha" maskUnits="userSpaceOnUse" x="5" y="5" width="15" height="14"> <path d="M19.3166 6.41L17.9135 5L12.3509 10.59L6.78834 5L5.38525 6.41L10.9478 12L5.38525 17.59L6.78834 19L12.3509 13.41L17.9135 19L19.3166 17.59L13.754 12L19.3166 6.41Z" fill="white"/> </mask> <g mask="url(#maskClose)"> <rect x="0.409668" width="23.8823" height="24" fill="#FFFFFF"/> </g> </svg> </div>  <div class="jp-carousel-info"> <div class="jp-carousel-info-footer"> <div class="jp-carousel-pagination-container"> <div class="jp-swiper-pagination swiper-pagination"></div> <div class="jp-carousel-pagination"></div> </div> <div class="jp-carousel-photo-title-container"> <h2 class="jp-carousel-photo-caption"></h2> </div> <div class="jp-carousel-photo-icons-container"> <a href="#" class="jp-carousel-icon-btn jp-carousel-icon-info" aria-label="Toggle photo metadata visibility"> <span class="jp-carousel-icon"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="maskInfo" mask-type="alpha" maskUnits="userSpaceOnUse" x="2" y="2" width="21" height="20"> <path fill-rule="evenodd" clip-rule="evenodd" d="M12.7537 2C7.26076 2 2.80273 6.48 2.80273 12C2.80273 17.52 7.26076 22 12.7537 22C18.2466 22 22.7046 17.52 22.7046 12C22.7046 6.48 18.2466 2 12.7537 2ZM11.7586 7V9H13.7488V7H11.7586ZM11.7586 11V17H13.7488V11H11.7586ZM4.79292 12C4.79292 16.41 8.36531 20 12.7537 20C17.142 20 20.7144 16.41 20.7144 12C20.7144 7.59 17.142 4 12.7537 4C8.36531 4 4.79292 7.59 4.79292 12Z" fill="white"/> </mask> <g mask="url(#maskInfo)"> <rect x="0.8125" width="23.8823" height="24" fill="#FFFFFF"/> </g> </svg> </span> </a> <a href="#" class="jp-carousel-icon-btn jp-carousel-icon-comments" aria-label="Toggle photo comments visibility"> <span class="jp-carousel-icon"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="maskComments" mask-type="alpha" maskUnits="userSpaceOnUse" x="2" y="2" width="21" height="20"> <path fill-rule="evenodd" clip-rule="evenodd" d="M4.3271 2H20.2486C21.3432 2 22.2388 2.9 22.2388 4V16C22.2388 17.1 21.3432 18 20.2486 18H6.31729L2.33691 22V4C2.33691 2.9 3.2325 2 4.3271 2ZM6.31729 16H20.2486V4H4.3271V18L6.31729 16Z" fill="white"/> </mask> <g mask="url(#maskComments)"> <rect x="0.34668" width="23.8823" height="24" fill="#FFFFFF"/> </g> </svg> <span class="jp-carousel-has-comments-indicator" aria-label="This image has comments."></span> </span> </a> </div> </div> <div class="jp-carousel-info-extra"> <div class="jp-carousel-info-content-wrapper"> <div class="jp-carousel-photo-title-container"> <h2 class="jp-carousel-photo-title"></h2> </div> <div class="jp-carousel-comments-wrapper"> <div id="jp-carousel-comments-loading"> <span>Loading Comments...</span> </div> <div class="jp-carousel-comments"></div> <div id="jp-carousel-comment-form-container"> <span id="jp-carousel-comment-form-spinner"> </span> <div id="jp-carousel-comment-post-results"></div> <form id="jp-carousel-comment-form"> <label for="jp-carousel-comment-form-comment-field" class="screen-reader-text">Write a Comment...</label> <textarea name="comment" class="jp-carousel-comment-form-field jp-carousel-comment-form-textarea" id="jp-carousel-comment-form-comment-field" placeholder="Write a Comment..." ></textarea> <div id="jp-carousel-comment-form-submit-and-info-wrapper"> <div id="jp-carousel-comment-form-commenting-as"> <fieldset> <label for="jp-carousel-comment-form-email-field">Email</label> <input type="text" name="email" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-email-field" /> </fieldset> <fieldset> <label for="jp-carousel-comment-form-author-field">Name</label> <input type="text" name="author" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-author-field" /> </fieldset> <fieldset> <label for="jp-carousel-comment-form-url-field">Website</label> <input type="text" name="url" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-url-field" /> </fieldset> </div> <input type="submit" name="submit" class="jp-carousel-comment-form-button" id="jp-carousel-comment-form-button-submit" value="Post Comment" /> </div> </form> </div> </div> <div class="jp-carousel-image-meta"> <div class="jp-carousel-title-and-caption"> <div class="jp-carousel-photo-info"> <h3 class="jp-carousel-caption" itemprop="caption description"></h3> </div> <div class="jp-carousel-photo-description"></div> </div> <ul class="jp-carousel-image-exif" style="display: none;"></ul> <a class="jp-carousel-image-download" href="#" target="_blank" style="display: none;"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="mask0" mask-type="alpha" maskUnits="userSpaceOnUse" x="3" y="3" width="19" height="18"> <path fill-rule="evenodd" clip-rule="evenodd" d="M5.84615 5V19H19.7775V12H21.7677V19C21.7677 20.1 20.8721 21 19.7775 21H5.84615C4.74159 21 3.85596 20.1 3.85596 19V5C3.85596 3.9 4.74159 3 5.84615 3H12.8118V5H5.84615ZM14.802 5V3H21.7677V10H19.7775V6.41L9.99569 16.24L8.59261 14.83L18.3744 5H14.802Z" fill="white"/> </mask> <g mask="url(#mask0)"> <rect x="0.870605" width="23.8823" height="24" fill="#FFFFFF"/> </g> </svg> <span class="jp-carousel-download-text"></span> </a> <div class="jp-carousel-image-map" style="display: none;"></div> </div> </div> </div> </div> </div> </div> <link crossorigin='anonymous' rel='stylesheet' id='all-css-0-2' href='https://s0.wp.com/_static/??-eJydj8EOAiEMRH9I7HLYjRfjpxiEhnSFQigN8e81Wffmxb3NNDMvHRjV+MIduUNWU5NGYoEVe3X++fUgypBL0IQC3rWigglkUMVmHsoh4dmLnOA4bM/shz95d2IPERkbfQryWx78cVCI2AWkeHLJZAzkzMaW/tqm3/LVLpfZ2nlapvUNgJiBFQ==&cssminify=yes' type='text/css' media='all' /> <script id="jetpack-carousel-js-extra"> var jetpackSwiperLibraryPath = {"url":"https:\/\/s2.wp.com\/wp-content\/mu-plugins\/jetpack-plugin\/sun\/_inc\/build\/carousel\/swiper-bundle.min.js"}; var jetpackCarouselStrings = {"widths":[370,700,1000,1200,1400,2000],"is_logged_in":"","lang":"en","ajaxurl":"https:\/\/arthurvandermerwe.com\/wp-admin\/admin-ajax.php","nonce":"c2c9eee1cd","display_exif":"1","display_comments":"1","single_image_gallery":"1","single_image_gallery_media_file":"","background_color":"black","comment":"Comment","post_comment":"Post Comment","write_comment":"Write a Comment...","loading_comments":"Loading Comments...","image_label":"Open image in full-screen.","download_original":"View full size <span class=\"photo-size\">{0}<span class=\"photo-size-times\">\u00d7<\/span>{1}<\/span>","no_comment_text":"Please be sure to submit some text with your comment.","no_comment_email":"Please provide an email address to comment.","no_comment_author":"Please provide your name to comment.","comment_post_error":"Sorry, but there was an error posting your comment. Please try again later.","comment_approved":"Your comment was approved.","comment_unapproved":"Your comment is in moderation.","camera":"Camera","aperture":"Aperture","shutter_speed":"Shutter Speed","focal_length":"Focal Length","copyright":"Copyright","comment_registration":"0","require_name_email":"0","login_url":"https:\/\/arthurvandermerwe.wordpress.com\/wp-login.php?redirect_to=https%3A%2F%2Farthurvandermerwe.com%2F2015%2F03%2F03%2Fimplementing-as2805-part-3-using-a-thales-9000-and-python%2F","blog_id":"70204527","meta_data":["camera","aperture","shutter_speed","focal_length","copyright"],"stats_query_args":"blog=70204527&v=wpcom&tz=11&user_id=0&subd=arthurvandermerwe","is_public":"1"}; </script> <script crossorigin='anonymous' type='text/javascript' src='https://s1.wp.com/_static/??-eJx9jksOwjAMBS9EMFVBiAXiKMhNTXHIT3FCxO1pEa1QFyz9PPNsqFHp4DP5DEbAhY4tqSKUcBgzxf4WtkY28MN1Ngwq2jKwF6gh9diL0hZFSKaSitmunXwnN25j6UCIeksZJj5/hJjYYXopj08eMHPwa92V5aChHFE/vjNI8XBlr6ErbHvQmML4vV2wOdg6/tc6Y6pGHdxqHL2LOzfHttm3u/ZwMm9W7HQB'></script> <script> /(trident|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener("hashchange",function(){var t,e=location.hash.substring(1);/^[A-z0-9_-]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a|select|input|button|textarea)$/i.test(t.tagName)||(t.tabIndex=-1),t.focus())},!1); </script> <script type="text/javascript"> (function () { var wpcom_reblog = { source: 'toolbar', toggle_reblog_box_flair: function (obj_id, post_id) { // Go to site selector. This will redirect to their blog if they only have one. const postEndpoint = `https://wordpress.com/post`; // Ideally we would use the permalink here, but fortunately this will be replaced with the // post permalink in the editor. const originalURL = `${ document.location.href }?page_id=${ post_id }`; const url = postEndpoint + '?url=' + encodeURIComponent( originalURL ) + '&is_post_share=true' + '&v=5'; const redirect = function () { if ( ! window.open( url, '_blank' ) ) { location.href = url; } }; if ( /Firefox/.test( navigator.userAgent ) ) { setTimeout( redirect, 0 ); } else { redirect(); } }, }; window.wpcom_reblog = wpcom_reblog; })(); </script> <script type="text/javascript"> // <![CDATA[ (function() { try{ if ( window.external &&'msIsSiteMode' in window.external) { if (window.external.msIsSiteMode()) { var jl = document.createElement('script'); jl.type='text/javascript'; jl.async=true; jl.src='/wp-content/plugins/ie-sitemode/custom-jumplist.php'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(jl, s); } } }catch(e){} })(); // ]]> </script><script src="//stats.wp.com/w.js?67" defer></script> <script type="text/javascript"> _tkq = window._tkq || []; _stq = window._stq || []; _tkq.push(['storeContext', {'blog_id':'70204527','blog_tz':'11','user_lang':'en','blog_lang':'en','user_id':'0'}]); _stq.push(['view', {'blog':'70204527','v':'wpcom','tz':'11','user_id':'0','subd':'arthurvandermerwe'}]); _stq.push(['extra', {'crypt':'UE5VTUIlVktzQVNtcFdrRlVoJUNZcTJRQnxOUXcyQXBGVjdTZVlnSlY3P0dzcjlxYzIrNExdSDFwWT1HLEN1ZUpvZWZWfnIxLnNwSG1MMjB6UkUwTDVFP3hObT1NX25LJjJQeDVSZkpFTS1ET2V5RHVCTFBbWW1Kbi9mMU1+VSZ5UW96L2FjQU89fGFFLiY/c2Y9PyVqXzZuXVVxTSZqLkp1TFliNWsmMytmfl9KXzI9S1U/alk2NGNYMDRfYlF8akhFSmRdWFoscl1fYytzSk5iUXE9N2tqbGJ0eHVtb2lNNzhGPStyOUE='}]); _stq.push([ 'clickTrackerInit', '70204527', '0' ]); </script> <noscript><img src="https://pixel.wp.com/b.gif?v=noscript" style="height:1px;width:1px;overflow:hidden;position:absolute;bottom:1px;" alt="" /></noscript> <script> ( function() { function getMobileUserAgentInfo() { if ( typeof wpcom_mobile_user_agent_info === 'object' ) { wpcom_mobile_user_agent_info.init(); var mobileStatsQueryString = ''; if ( wpcom_mobile_user_agent_info.matchedPlatformName !== false ) { mobileStatsQueryString += '&x_' + 'mobile_platforms' + '=' + wpcom_mobile_user_agent_info.matchedPlatformName; } if ( wpcom_mobile_user_agent_info.matchedUserAgentName !== false ) { mobileStatsQueryString += '&x_' + 'mobile_devices' + '=' + wpcom_mobile_user_agent_info.matchedUserAgentName; } if ( wpcom_mobile_user_agent_info.isIPad() ) { mobileStatsQueryString += '&x_' + 'ipad_views' + '=' + 'views'; } if ( mobileStatsQueryString != '' ) { new Image().src = document.location.protocol + '//pixel.wp.com/g.gif?v=wpcom-no-pv' + mobileStatsQueryString + '&baba=' + Math.random(); } } } document.addEventListener( 'DOMContentLoaded', getMobileUserAgentInfo ); } )(); </script> </body> </html>