[jpos-users] ARQC Generation for Test purposes

classic Classic list List threaded Threaded
28 messages Options
12
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[jpos-users] ARQC Generation for Test purposes

Billie
Hello!

Does anyone know the algorithm VISA and MasterCard uses to generate the ARQC? I know they have different algorithms, and I didn't find anything detailed enough the verify a generated ARQC. For example, http://www.emvlab.org/cryptogram/ provides an online form - but the result dosen't match. It may be that I had the wrong values for transaction data, but there is also no option for the algorithm. I've also tried the Thales Simulator, but the Implementation seems broken. The JCESecurityModule in jPOS doesn't implement the verifyARQCImpl-Method, but that's exactly what I'm looking for.

Best regards
Billie

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/c1481546-8157-4a2b-98a6-cd9002fcb85e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[jpos-users] Re: ARQC Generation for Test purposes

Mark Salter-5
On Monday, January 12, 2015 at 8:19:51 AM UTC, Billie wrote:
Hello!
Hi

Does anyone know the algorithm VISA and MasterCard uses to generate the ARQC? I know they have different algorithms, and I didn't find anything detailed enough the verify a generated ARQC.
You really need to dig around the scheme documentation for your answer.
 
For example, <a href="http://www.emvlab.org/cryptogram/" target="_blank" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Fwww.emvlab.org%2Fcryptogram%2F\46sa\75D\46sntz\0751\46usg\75AFQjCNGQZu9ZkQvjfNXFqn71BpH0M2s_pQ';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Fwww.emvlab.org%2Fcryptogram%2F\46sa\75D\46sntz\0751\46usg\75AFQjCNGQZu9ZkQvjfNXFqn71BpH0M2s_pQ';return true;">http://www.emvlab.org/cryptogram/ provides an online form - but the result dosen't match. It may be that I had the wrong values for transaction data, but there is also no option for the algorithm. I've also tried the Thales Simulator, but the Implementation seems broken.

Your failure on the online test/check is as likely keys as input data.

If your check with both the emvlab and Thales sim don't match your transaction - are you certain of your data and your key?

I do have the means personally, but not anything I can give away - hence my suggestion of reading the current manuals .

:-(

Perhaps someone else can be more helpful,

The JCESecurityModule in jPOS doesn't implement the verifyARQCImpl-Method, but that's exactly what I'm looking for.
Of course that is the work people often can't share and everyone needs to do for themselves in reality.

--
Mark

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/28ad6779-0d5e-416b-8007-52c0de3e93bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[jpos-users] Re: ARQC Generation for Test purposes

Billie
The JCESecurityModule seems to have the code needed for generating/verifying a ARQC. There are the Methods for ICC Master Key Derivation (deriveICCMasterKey), Session Key Derivation (deriveSK_VISA, deriveCommonSK_SM) and finally Padding/MAC generation (paddingISO9797Method2, calculateMACISO9797Alg3).

The Thales sim generates the same ICC Master Key as jPOS, but I could not find where session key derivation takes place in the Thales sim sources. The emvlab.org provides no sources at all.

My major problem seems to build valid input data. Does anyone know the exact data elements (format, values, ...) used by MasterCard and or VISA for Application Cryptogram generation?

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/4627bc49-394f-4339-b43e-3fe9f9ed7ca1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[jpos-users] Re: ARQC Generation for Test purposes

Mark Salter-5


On Tuesday, January 13, 2015 at 2:34:10 PM UTC, Billie wrote:
The Thales sim generates the same ICC Master Key as jPOS, but I could not find where session key derivation takes place in the Thales sim sources.
They are there to find I'm sure.
 
The <a href="http://emvlab.org" target="_blank" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Femvlab.org\46sa\75D\46sntz\0751\46usg\75AFQjCNFv5Ur-rMEugmAXELHsj6B3ejQOkQ';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Femvlab.org\46sa\75D\46sntz\0751\46usg\75AFQjCNFv5Ur-rMEugmAXELHsj6B3ejQOkQ';return true;">emvlab.org provides no sources at all.
I guess they choose not to do so.
 

My major problem seems to build valid input data. Does anyone know the exact data elements (format, values, ...) used by MasterCard and or VISA for Application Cryptogram generation?
What data have you got, can you share all your test data and results you are getting, this might help us see what you are doing wrong?

The data into the ARQC is :-

Transaction Amount
Other Amount
Terminal Country Code
Terminal Verification Results
Transaction Currency Code
Transaction Date
Transaction Type
Unpredictable Number
Application Interchange Profile
Application Transaction Counter
Card Verification Results

suffixed with an added x'80' for MasterCard (the code you are using might take care of this), but is that what you mean by "exact data elements"?

I'm struggling to work out what position you are in - if you need guidance or code?

What HSMs are you using or planning to use outside of test?

--
Mark
 

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/fea91b05-16f6-49e4-b9e0-d4b7cc5720cd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[jpos-users] Re: ARQC Generation for Test purposes

Billie
I prefer code over specifications ;) This is my basic example, I have removed the Issuer Master Key:

    public static void main(String[] args) throws Exception {
       
byte[] amountAuhtorised = ISOUtil.hex2byte("000000001000");
       
byte[] amountOther = ISOUtil.hex2byte("000000000000");
       
byte[] terminalCountryCode = ISOUtil.hex2byte("0040");
       
byte[] terminalVerificationResults = ISOUtil.hex2byte("8000048000");
       
byte[] transactionCurrencyCode = ISOUtil.hex2byte("0978");
       
byte[] transactionDate = ISOUtil.hex2byte("100514");
       
byte[] transactionType = ISOUtil.hex2byte("01");
       
byte[] unpredictableNumber = ISOUtil.hex2byte("2E13374C");
       
byte[] applicationInterchangeProfile = ISOUtil.hex2byte("1800");
       
byte[] applicationTransactionCounter = ISOUtil.hex2byte("0014");
       
byte[] cvmResults = ISOUtil.hex2byte("020300");

       
JCESecurityModule module = new JCESecurityModule("secret.lmk", BouncyCastleProvider.class.getCanonicalName());
       
byte[] iMk = ISOUtil.hex2byte("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
       
byte[] panpsn = JCESecurityModule.formatPANPSN("1234567890123456", null, MKDMethod.OPTION_A);

       
System.out.println("PAN: " + ISOUtil.byte2hex(panpsn));

       
Key key = new SecretKeySpec(iMk, "DESede");
       
Key iccMk = module.deriveICCMasterKey(key, panpsn);
       
System.out.println("iccMk: " + ISOUtil.byte2hex(iccMk.getEncoded()));

       
Key sKey = module.deriveCommonSK_SM(iccMk, applicationTransactionCounter);
       
System.out.println("sKey: " + ISOUtil.byte2hex(sKey.getEncoded()));

       
ByteArrayOutputStream outStream = new ByteArrayOutputStream();
        outStream
.write(amountAuhtorised);
        outStream
.write(amountOther);
        outStream
.write(terminalCountryCode);
        outStream
.write(terminalVerificationResults);
        outStream
.write(transactionCurrencyCode);
        outStream
.write(transactionDate);
        outStream
.write(transactionType);
        outStream
.write(unpredictableNumber);
        outStream
.write(applicationInterchangeProfile);
        outStream
.write(applicationTransactionCounter);
        outStream
.write(cvmResults);
        outStream
.write(ISOUtil.hex2byte("80"));

       
byte[] data = module.paddingISO9797Method2(outStream.toByteArray());
       
byte[] result = module.calculateMACISO9797Alg3(sKey, data);
       
System.out.println(ISOUtil.byte2hex(result));
   
}

I've also modified the JCESecurityModule a bit to get direct method access. The transaction data is valid (from a successful TIP-Test). I also have the application cryptogram (Tag 0x9F26), but the outcome from the code dosen't match the application cryptogram.

I'm working on a Java based EMV Level 2 Kernel, available at GitHub: https://github.com/AndreasFagschlunger/O2Xfs

The goal is know a card simulator which behaves like a real card for testing, and therefor I need my card to generate a valid cryptogram. The greater idea is to simulate all the TIP/ADV Testing cards and get the kernel tested automatically.

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/b830c9d7-3a18-4f8e-9c84-efaf738327b9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Mark Salter-5
On 14/01/2015 08:27, Billie wrote:
> I prefer code over specifications ;) This is my basic example, I have
> removed the Issuer Master Key:
Why remove the key, given that it is 'key' to the process and the test
result?

>
> |
>     publicstaticvoidmain(String[]args)throwsException{
>         byte[]amountAuhtorised =ISOUtil.hex2byte("000000001000");
>         byte[]amountOther =ISOUtil.hex2byte("000000000000");
>         byte[]terminalCountryCode =ISOUtil.hex2byte("0040");
>         byte[]terminalVerificationResults =ISOUtil.hex2byte("8000048000");
>         byte[]transactionCurrencyCode =ISOUtil.hex2byte("0978");
>         byte[]transactionDate =ISOUtil.hex2byte("100514");
>         byte[]transactionType =ISOUtil.hex2byte("01");
>         byte[]unpredictableNumber =ISOUtil.hex2byte("2E13374C");
>         byte[]applicationInterchangeProfile =ISOUtil.hex2byte("1800");
>         byte[]applicationTransactionCounter =ISOUtil.hex2byte("0014");
>         byte[]cvmResults =ISOUtil.hex2byte("020300");
>
>        
> JCESecurityModulemodule=newJCESecurityModule("secret.lmk",BouncyCastleProvider.class.getCanonicalName());
>         byte[]iMk =ISOUtil.hex2byte("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
>         byte[]panpsn
> =JCESecurityModule.formatPANPSN("1234567890123456",null,MKDMethod.OPTION_A);
>
>         System.out.println("PAN: "+ISOUtil.byte2hex(panpsn));
>
>         Keykey =newSecretKeySpec(iMk,"DESede");
>         KeyiccMk =module.deriveICCMasterKey(key,panpsn);
>         System.out.println("iccMk: "+ISOUtil.byte2hex(iccMk.getEncoded()));
>
>         KeysKey
> =module.deriveCommonSK_SM(iccMk,applicationTransactionCounter);
>         System.out.println("sKey: "+ISOUtil.byte2hex(sKey.getEncoded()));
>
>         ByteArrayOutputStreamoutStream =newByteArrayOutputStream();
>         outStream.write(amountAuhtorised);
>         outStream.write(amountOther);
>         outStream.write(terminalCountryCode);
>         outStream.write(terminalVerificationResults);
>         outStream.write(transactionCurrencyCode);
>         outStream.write(transactionDate);
>         outStream.write(transactionType);
>         outStream.write(unpredictableNumber);
>         outStream.write(applicationInterchangeProfile);
>         outStream.write(applicationTransactionCounter);
>         outStream.write(cvmResults);
>         outStream.write(ISOUtil.hex2byte("80"));
>
>         byte[]data =module.paddingISO9797Method2(outStream.toByteArray());
>         byte[]result =module.calculateMACISO9797Alg3(sKey,data);
>         System.out.println(ISOUtil.byte2hex(result));
>     }
> |
>
> I've also modified the JCESecurityModule a bit to get direct method
> access. The transaction data is valid (from a successful TIP-Test). I
> also have the application cryptogram (Tag 0x9F26), but the outcome from
> the code dosen't match the application cryptogram.

I was planning to see and match your result/output step for step to
highlight the issue/differences, without either the key, your result (I
could and would run the complete code) and the 'real' ARQC I can't
easily and would need to use a test example of my own which is more work.

Can you not share the full picture so helping you find your problem is
'easy'?


--
Mark

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage.  Please support jPOS, contact: [hidden email]

Join us in IRC at http://webchat.freenode.net/?channels=jpos

You received this message because you are subscribed to the  "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/54B6463C.1030009%40talktalk.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Billie
Hi Mark!

I found the key in an publicly available document:

https://www.paypass.com/TIP/PayPass_MTIP_UserGuide_USmarket_July2014.pdf

It's found on page 365, 7.2 DES Keys, first Key (IMK for ARQC). So here's the key and PAN:

byte[] iMk = ISOUtil.hex2byte("9E15204313F7318ACB79B90BD986AD29");
byte[] panpsn = JCESecurityModule.formatPANPSN("5413330089010012", null, MKDMethod.OPTION_A);

And the expected result, Tag 0x9F26 Application Cryptogram is: 4B68C1D3849032C7

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/e788ec58-df1b-4e9d-b4bf-62daadb1012c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Mark Salter-5
On 14/01/2015 10:59, Billie wrote:

> I found the key in an publicly available document:
>
> https://www.paypass.com/TIP/PayPass_MTIP_UserGuide_USmarket_July2014.pdf
>
> It's found on page 365, 7.2 DES Keys, first Key (IMK for ARQC). So
> here's the key and PAN:
>
> |
> byte[]iMk =ISOUtil.hex2byte("9E15204313F7318ACB79B90BD986AD29");
> byte[]panpsn
> =JCESecurityModule.formatPANPSN("5413330089010012",null,MKDMethod.OPTION_A);
> |
>
And this is the MDK that was embossed and used by a plastic - or a
simulator for the exchange you are trying to match?

> And the expected result, Tag 0x9F26 Application Cryptogram is:
> 4B68C1D3849032C7

Thanks for sharing the needed detail.  I will work this example and
compare my results to the 'real' and yours, but I can't do this right
now, but I will try to do it shortly.


--
Mark

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage.  Please support jPOS, contact: [hidden email]

Join us in IRC at http://webchat.freenode.net/?channels=jpos

You received this message because you are subscribed to the  "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/54B64E86.7090302%40talktalk.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Mark Salter-5
On 14/01/2015 11:09, Mark Salter wrote:
> Thanks for sharing the needed detail.  I will work this example and
> compare my results to the 'real' and yours, but I can't do this right
> now, but I will try to do it shortly.
Can you share your output - this will save me changing my local version
of the supporting classes to provide the method calls you are making.

Ta

--
Mark

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage.  Please support jPOS, contact: [hidden email]

Join us in IRC at http://webchat.freenode.net/?channels=jpos

You received this message because you are subscribed to the  "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/54B78EF0.5040601%40talktalk.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Billie
I get 4abeb01ea40719dc as Result?

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/76ee217a-3fe0-41f0-ada4-2ba5928814fc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Mark Salter-5
On 15/01/2015 10:07, Billie wrote:
> I get 4abeb01ea40719dc as Result?
I was after all of the output from your run of the code, so I can check
each step?


--
Mark

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage.  Please support jPOS, contact: [hidden email]

Join us in IRC at http://webchat.freenode.net/?channels=jpos

You received this message because you are subscribed to the  "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/54B7A715.3070908%40talktalk.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Billie
Here it goes:

PAN: 1333008901001200
iccMk
: 4ac445704620c12ab954492f6e5e5efd4ac445704620c12a
sKey
: a8fb5816453b8392f13885c72604ecc4a8fb5816453b8392
4abeb01ea40719dc

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/e3608c17-d9ee-4bb2-a234-a36fe878b308%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Mark Salter-5
On 15/01/2015 12:05, Billie wrote:
> Here it goes:
>
> |
> PAN:1333008901001200
> iccMk:4ac445704620c12a b954492f6e5e5efd 4ac445704620c12a

I match this UDK-A/B component, but why is the UDK-A repeated here - it
is not needed?

> sKey:a8fb5816453b8392 f13885c72604ecc4 a8fb5816453b8392
Here we differ again your result is too long and I can't match on VSDC,
MCHIP or EMV2000.

I get:-

        VSDC 4ac445704620c12ab954492f6e5e5efd
        MCHIP 57cdae73d0257caea14c167594495b0e
        EMV2000 dbb3b2b715bee2b6e68d9ac6518975a4

Can you share which algorithm you are trying to replicate? From the code
it seems to be MChip, but is that wanted?

I suspect here is where your difference starts.

> 4abeb01ea40719dc
What is this value ?


I think your CVR data should include the length too, making it 03020300
instead of just 020300.

I can't discern if you have shared the ARQC that was presented by the
card (or sim) yet, but I get :-

        VSDC 35b8cf9289519754
        MCHIP 39769b06ba3d2b04
        EMV2000 6085fb6be36a9af8

In case you do get that far to be able to compare.

If none of the above ARQCs match your card's (or the simulator - as I
don't yet know what produced the ARQC you are tying to recreate) result,
then it is time for you to check the keys in use in the original, and
the PAN sequence number.  Perhaps share the original test transaction in
full - broken down into the data components too; and of course all data
relevant to the test (I'm just not sure I have pulled each part out and
back together as it is spread across multiple messages;  a single post
with all of the relevant test data might help.

Can you also share the hex dump of data[] as produced here :-

byte[] data = module.paddingISO9797Method2(outStream.toByteArray());

too please in case that is already padding (and you are getting extra
data as you are adding the x'80' manually.

--
Mark

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage.  Please support jPOS, contact: [hidden email]

Join us in IRC at http://webchat.freenode.net/?channels=jpos

You received this message because you are subscribed to the  "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/54BBB48E.2080103%40talktalk.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Billie
Hy Mark!

The UDK-A repeats because jPos creates a 16 Bit 3DES Key-Object. The default JCE Provider from Java doesn't support 16 Byte 3DES Keys, you need at least 24 Bytes. So you append the first 8 bytes of the key to generate a valid 3 DES Key. But I'm using the Bouncy Castle Provider, which can handle 16 Bytes 3 DES Keys and does this automatically. If you remove the BouncyCastleProvider reference, a java.security.InvalidKeyException will be thrown.

The data I provides comes from an M/Chip. Is it supposed that on VSDC the iccMk and sKey are the same? As I tried to reproduce your sKey's, if matched your VSDC-Key by changing my code to the following:

        // Key sKey = module.deriveCommonSK_SM(iccMk, applicationTransactionCounter);
       
Key sKey = module.deriveSK_VISA(iccMk, applicationTransactionCounter);
       
System.out.println("sKey: " + ISOUtil.byte2hex(sKey.getEncoded()));

The output ist now

sKey: 4ac445704620c13eb954492f6e5ea1164ac445704620c13e

Which matches your sKey but is identical to the iccMk.

I suggest we focus first on generating the sMk for M/Chip. As you can see I use the org.jpos.security.jceadapter.JCESecurityModule#deriveCommonSK_SM-Method from jPos to generate the sKey. The first parameter is the iccMk-Key-Object, the second the ATC (0x0014).

Key sKey = module.deriveCommonSK_SM(iccMk, applicationTransactionCounter);

Is anything wrong here, does M/Chip use another random-Value than ATC since the rest comes from jPos.

A note to the output values, the expected Application Cryptogram is 0x4B68C1D3849032C7 (generated by M/Chip TIP Test card), 0x4abeb01ea40719dc is the (wrong) result my program generates. Here's the Hex-Dump of the transaction data as requested:

Data (before paddingISO9797Method2): 000000001000000000000000004080000480000978100514012e13374c1800001402030080
Data (after paddingISO9797Method2):  000000001000000000000000004080000480000978100514012e13374c1800001402030080800000

Hope you find some useful information.

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/d77d15cf-d9ec-464f-8a5d-2c0604737f1d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Mark Salter-5


On Monday, January 19, 2015 at 10:15:02 AM UTC, Billie wrote:
A note to the output values, the expected Application Cryptogram is 0x4B68C1D3849032C7 (generated by M/Chip TIP Test card), 0x4abeb01ea40719dc is the (wrong) result my program generates. Here's the Hex-Dump of the transaction data as requested:

Data (before paddingISO9797Method2): 000000001000000000000000004080000480000978100514012e13374c1800001402030080
Data (after paddingISO9797Method2):  000000001000000000000000004080000480000978100514012e13374c1800001402030080800000


I think here might be the problem (or part of it).  You can see that after padding an additional '80' has been added as well as rounding to a multiple of 8 bytes;  this means that you do not need to add your own x'80' padding as the function takes care of that for you, so remove the line of code that adds the 80 and try again?

Have you confirmed that you have the correct MDK the test plastic (or simulator) used to produce the ARQC you are trying to match;  this must be the next step after removing the 'manual padding'.

--
Mark

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/0e636dc5-b492-48ab-8ad0-ccc01c92ab5b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Billie
The only thing I can confirm is that the mentioned IMK is the one described in the TIP User Guide, "It should be programmed in the network simulator for online cryptograms". The transaction was approved, the particular test case was successful. So it should be the right IMK, but I don't know it for sure because I only have the card data.

Removing the manual padding just resolved into another cryptogram, which doesn't match the expected one.

e29db34f0be7d44e != 4B68C1D3849032C7


--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/1a4e4a5b-6273-469f-87e6-32104b407757%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[jpos-users] Re: ARQC Generation for Test purposes

Robert Demski
In reply to this post by Billie

W dniu poniedziałek, 12 stycznia 2015 09:19:51 UTC+1 użytkownik Billie napisał:
Hello!

Does anyone know the algorithm VISA and MasterCard uses to generate the ARQC? I know they have different algorithms, and I didn't find anything detailed enough the verify a generated ARQC. For example, <a href="http://www.emvlab.org/cryptogram/" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2Fwww.emvlab.org%2Fcryptogram%2F\46sa\75D\46sntz\0751\46usg\75AFQjCNGQZu9ZkQvjfNXFqn71BpH0M2s_pQ';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2Fwww.emvlab.org%2Fcryptogram%2F\46sa\75D\46sntz\0751\46usg\75AFQjCNGQZu9ZkQvjfNXFqn71BpH0M2s_pQ';return true;">http://www.emvlab.org/cryptogram/ provides an online form - but the result dosen't match. It may be that I had the wrong values for transaction data, but there is also no option for the algorithm. I've also tried the Thales Simulator, but the Implementation seems broken. The JCESecurityModule in jPOS doesn't implement the verifyARQCImpl-Method, but that's exactly what I'm looking for.
Now you may look at https://github.com/jpos/jPOS/pull/82

Best regards
Billie

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/541c98e8-e634-4d71-b426-fcb9c6effc51%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Mark Salter-5
In reply to this post by Billie
On 23/01/2015 15:28, Billie wrote:
> The only thing I can confirm is that the mentioned IMK is the one
> described in the TIP User Guide, "It should be programmed in the network
> simulator for online cryptograms". The transaction was approved, the
> particular test case was successful. So it should be the right IMK, but
> I don't know it for sure because I only have the card data.
Card data - that which is in the authorisation message - can you share
that in full?

>
> Removing the manual padding just resolved into another cryptogram, which
> doesn't match the expected one.
Did you also adjust the CVR data component as I suggested?

Perhaps start over, share each input and output so that you have the
full story presented here?

--
Mark

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage.  Please support jPOS, contact: [hidden email]

Join us in IRC at http://webchat.freenode.net/?channels=jpos

You received this message because you are subscribed to the  "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/54C3EFFA.7070107%40talktalk.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Billie
I checked out the code from Robert Demski, I made a demo with the data from the JUnit-Tests and it matches. However, my MChip TIP-Test data doesn't work, also with VISA ADVT data I didn't get a match.

Here is the P55-Data from MChip:
iMK: 9E 15 20 43 13 F7 31 8A CB 79 B9 0B D9 86 AD 29
PAN
: 5413330089010012
820218008407A0000000041010950580000480009A031005149C01015F2A0209789F02060000000010009F090200029F10120212A0000F240000000000000000000000FF9F1A0200409F1E0833533459524D56469F26084B68C1D3849032C79F2701809F33036040209F34030203009F3501149F360200149F37042E13374C9F41030015209F53015A



Here P55-Data for VISA:
PAN: 4761739001010176
MDK A
: 2315 208C 9110 AD40
MDK B
: 2315 208C 9110 AD40
820208008407A0000000031010950580800080009A031002239C01015F2A0209789F02060000000010009F090201409F100706000C03A010009F1A0200409F1E0833533459524D56469F26086E32F3724A2EDE179F2701809F33036040209F34033F00009F3501149F360200069F37043F2C0E4F9F4103000188



One thing I noticed, the CVR I originally provided (020300) is wrong - 020300 are the CVM results. The CVR should be encoded in the Issuer Application Data (9F10), but I don't know how exactly. I tried some variants, but still no match. Maybe we are missing some information to reproduce the ARQC.

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/2cd43829-5ec0-4d19-acad-0fce2ab209ed%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [OT] Re: [jpos-users] Re: ARQC Generation for Test purposes

Mark Salter-5
The CVR/CVM certainly won't have helped :-) .

Can you confirm:-

- that the PAN sequence number is 00 (P-23)
- the clear MDK for the 541333 again please?

As you have P-55 below, given the confirmation above, I should be able to match the ARQC.

I am just checking 476173 now.

-- 
Mark

On Tuesday, January 27, 2015 at 9:52:15 AM UTC, Billie wrote:
I checked out the code from Robert Demski, I made a demo with the data from the JUnit-Tests and it matches. However, my MChip TIP-Test data doesn't work, also with VISA ADVT data I didn't get a match.

Here is the P55-Data from MChip:
iMK: 9E 15 20 43 13 F7 31 8A CB 79 B9 0B D9 86 AD 29
PAN
: 5413330089010012
820218008407A0000000041010950580000480009A031005149C01015F2A0209789F02060000000010009F090200029F10120212A0000F240000000000000000000000FF9F1A0200409F1E0833533459524D56469F26084B68C1D3849032C79F2701809F33036040209F34030203009F3501149F360200149F37042E13374C9F41030015209F53015A



Here P55-Data for VISA:
PAN: 4761739001010176
MDK A
: 2315 208C 9110 AD40
MDK B
: 2315 208C 9110 AD40
820208008407A0000000031010950580800080009A031002239C01015F2A0209789F02060000000010009F090201409F100706000C03A010009F1A0200409F1E0833533459524D56469F26086E32F3724A2EDE179F2701809F33036040209F34033F00009F3501149F360200069F37043F2C0E4F9F4103000188



One thing I noticed, the CVR I originally provided (020300) is wrong - 020300 are the CVM results. The CVR should be encoded in the Issuer Application Data (9F10), but I don't know how exactly. I tried some variants, but still no match. Maybe we are missing some information to reproduce the ARQC.

--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: [hidden email]
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to [hidden email]
To unsubscribe, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/cedde4f2-047a-4843-a9ed-890d868182d1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
12
Loading...