The BP-Tools set consists of applications supporting payment transaction service development, testing and benchmarking. It currently consists of two components: Cryptographic Calculator and HSM Commander.
EFTlab distributes BP-Tools free of charge under the Creative Commons Attribution-NoDerivs 3.0 Unported licence. The package comes with full support and monthly releases that bring new features.
This tutorial focuses on Cryptographic Calculator functionality and is provided in six separate parts, one per topic covered by its main menu: Generic, Cipher, Keys, Payments, EMV and Development tools. It also aims to provide a little basic history of the algorithms in use.
Keys Cryptography
This set of tools focuses on key generation and validation as they are used in practice.
Keys DEA
Have you ever looked for a DEA key generator? A way to combine a key from multiple components? Or needed to check a key's parity and generate its key check value (KCV)? This tool does all of that: it generates cryptographic keys, combines key components by XOR and validates keys. The key generator uses the libgcrypt library and its random number generator at quality level GCRY_STRONG_RANDOM. Note that libgcrypt documents this level as intended for session keys and similar purposes and reserves GCRY_VERY_STRONG_RANDOM for long-term key material, so treat the generator's output accordingly when choosing it for production master keys.
Key Generator
The key generator makes use of the entropy-gathering modules built into your operating system, and all operations are carried out in secure memory allocated specifically for this feature (libgcrypt's SECMEM). The generator is intended to be reliable and well secured for key generation from test through to production systems. Every key is generated together with its key check value (KCV), so its lodgement in a payment system can be validated immediately.
The options available are the number of keys to generate, the final key length and whether to force parity. Keys to generate allows up to 1000 random keys per run, which is handy for generating large batches of terminal keys. Key length sets the generator's output length: 64-bit (16 hex digits), 128-bit (32), 192-bit (48) and 256-bit (64), corresponding to the standard key lengths labelled Single, Dual, Triple and 256-bit. The last option, Key parity, tells the application whether a particular parity should be forced on the generated key. Dual key length and Odd parity are the defaults.
The second tab, Key combination, lets users combine (XOR) up to 9 keys. This is handy for forming a key from several components held by separate custodians. Although the screen accepts up to 9 components, only the first two are mandatory. The application also checks that every component consists of hexadecimal digits only (0-9 | A-F) and that component lengths are 16, 32, 48 or 64 characters.
Sometimes a key needs to be of a particular parity before it can be used in another calculation, so a simple screen is provided that modifies a key to meet the requested parity. Parity is adjusted per byte: any byte whose bit count has the wrong parity has its least significant bit flipped, which is why each byte of the new key in the output below differs from the input by at most one.
Output from this screen should read like this:
DEA Keys: Key validation finished
****************************************
Key:             B02310D37A8A9D7952C1C1D5F8F73D61
Key length:      32
Parity enforced: Even
New key:         B12211D27B8B9C7853C0C0D4F9F63C60
KCV:             FAE09C
Validation
The last tab, Validation, performs a basic check on the key provided: the application reports whether it detects odd, even or no parity and generates the key's KCV. Input is again limited to hexadecimal digits (0-9 | A-F) and key lengths of 16, 32, 48 or 64 characters.
Key splitting offers an insecure and a secure option. All 'secure' operations take place in a PA-DSS compliant memory container, so the operation leaves no trace on the system when finished.
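The three operations above (XOR key combination, parity enforcement and validation) are simple enough to reproduce outside the tool, which is useful for checking its output or for scripting batches. The following is an added example written for this tutorial, not BP-Tools source code: it applies the input rules the page states (hex digits only; 16, 32, 48 or 64 characters), detects and enforces parity exactly as the output above shows (least significant bit flipped per byte), and computes the KCV as the first three bytes of the key encrypting an all-zero block. The KCV helper assumes the third-party pycryptodome package, since the Python standard library has no DES; os.urandom stands in for libgcrypt's GCRY_STRONG_RANDOM generator.

```python
"""Added example: the Keys > DEA operations in plain Python (not BP-Tools code).

Parity detection/enforcement and XOR key combination are pure Python. The
KCV helper needs the third-party pycryptodome package (assumed installed)
because the standard library has no DES.
"""
import os
import re

ALLOWED_HEX_LENGTHS = (16, 32, 48, 64)   # single, double, triple DES and 256-bit
_HEX_RE = re.compile(r"^[0-9A-F]+$")


def parse_key(hex_key: str) -> bytes:
    """Apply the page's input rules: hex digits 0-9 | A-F only, allowed lengths only."""
    hex_key = hex_key.strip().upper()
    if not _HEX_RE.match(hex_key):
        raise ValueError("key must contain only hexadecimal digits 0-9 | A-F")
    if len(hex_key) not in ALLOWED_HEX_LENGTHS:
        raise ValueError(f"key length must be one of {ALLOWED_HEX_LENGTHS}, got {len(hex_key)}")
    return bytes.fromhex(hex_key)


def detect_parity(key: bytes) -> str:
    """Return 'Odd', 'Even' or 'No parity' (the wording the tool's output uses)."""
    odd = [bin(b).count("1") % 2 == 1 for b in key]
    if all(odd):
        return "Odd"
    if not any(odd):
        return "Even"
    return "No parity"


def enforce_parity(key: bytes, parity: str) -> bytes:
    """Force per-byte parity by flipping the least significant bit where needed."""
    want_odd = {"Odd": True, "Even": False}[parity]
    out = bytearray(key)
    for i, b in enumerate(out):
        if (bin(b).count("1") % 2 == 1) != want_odd:
            out[i] = b ^ 0x01
    return bytes(out)


def combine_components(*components: str) -> bytes:
    """XOR 2..9 equal-length key components, as the Key combination tab does."""
    if not 2 <= len(components) <= 9:
        raise ValueError("between 2 and 9 components are required")
    parts = [parse_key(c) for c in components]
    if len({len(p) for p in parts}) != 1:
        raise ValueError("all components must have the same length")
    result = bytearray(parts[0])
    for part in parts[1:]:
        for i, b in enumerate(part):
            result[i] ^= b
    return bytes(result)


def generate_key(hex_length: int = 32, parity: str = "Odd") -> bytes:
    """Random key of the requested length with parity applied (the tool's defaults)."""
    if hex_length not in ALLOWED_HEX_LENGTHS:
        raise ValueError(f"hex length must be one of {ALLOWED_HEX_LENGTHS}")
    key = os.urandom(hex_length // 2)   # stands in for libgcrypt's GCRY_STRONG_RANDOM here
    return enforce_parity(key, parity) if parity in ("Odd", "Even") else key


def kcv(key: bytes) -> str:
    """Key check value: first 3 bytes of the key encrypting an all-zero 8-byte block.

    DES for 8-byte keys, TDES for 16/24-byte keys. 32-byte keys are not DES keys,
    so no DEA KCV is defined for them here. Requires pycryptodome (assumed).
    """
    from Crypto.Cipher import DES, DES3   # imported lazily so the rest runs without it
    if len(key) == 8:
        cipher = DES.new(key, DES.MODE_ECB)
    elif len(key) in (16, 24):
        cipher = DES3.new(key, DES3.MODE_ECB)
    else:
        raise ValueError("KCV is only defined here for single/double/triple-length DES keys")
    return cipher.encrypt(bytes(8))[:3].hex().upper()


def validate(hex_key: str) -> dict:
    """What the Validation tab reports for a key: detected parity and KCV."""
    key = parse_key(hex_key)
    return {"key": key.hex().upper(), "length": len(key) * 2,
            "parity": detect_parity(key), "kcv": kcv(key)}


if __name__ == "__main__":
    new_key = enforce_parity(parse_key("B02310D37A8A9D7952C1C1D5F8F73D61"), "Even")
    print("New key:", new_key.hex().upper())          # B12211D27B8B9C7853C0C0D4F9F63C60
    print("Combined:", combine_components("0123456789ABCDEF", "FEDCBA9876543210").hex().upper())
    print(validate("0123456789ABCDEFFEDCBA9876543210"))   # the key decoded in the Thales key block output on this page
```

Running the script reproduces the even-parity key from the output above. With pycryptodome installed, validate("0123456789ABCDEFFEDCBA9876543210") should return the KCV 08D7B4 that the Thales key block output later on this page shows for the same clear key; a mismatch there is the quickest sign that a tool is computing its KCV differently (for example over a different block or cipher).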
Keys HSM
Developing a payment system that employs Hardware Security Modules (HSMs) can prove challenging. In production an HSM provides a priceless service, but in testing and development environments a black box that silently performs cryptography makes issues hard to diagnose, because confirming that the correct keys are loaded is itself a problem. With BP-Cryptographic Calculator you can easily check the loaded keys.
Keys Futurex
Key Encryption/Decryption
Encrypts or decrypts the provided key under a Futurex test MFK (Master File Key) and its modifier.
The lookup function tries to decrypt the provided key under all test MFKs and their modifiers and reports the candidates whose clear value matches the given KCV or parity:
Futurex Keys: Lookup finished – 217 records found matching filter criteria
****************************************
Input Key:    4090670C3EE229C3E9BAA71EC0BCB974
Input KCV:    Not checked
Input Parity: Any
----------------------------------------
MFK [Modifier]:   Plain key                        KCV    Parity
MFK single [00]:  FB44403370B3E3822C79AEBEB9436E40 4C0CD2 No parity
KEK single [00]:  47A647689869C42969E37519AD5D5756 87B95D No parity
MFK double [00]:  70CF6478F6F55F6E98A7365262F933CE C5D708 No parity
KEK double [00]:  6DDA764A3F26B5AC8E4DD813A06362BD A66979 No parity
MFK triple [00]:  E2F60DBA0B85234BB8294778A9270623 7E9311 No parity
KEK triple [00]:  9EF86E6CDE9AB64FE7BCF4075FF4F43D 7A83FA No parity
MFK single [00]:  BAF3360C5ED84B1F420AF5B6652B7A07 12ADD9 No parity
MFK single [01]:  4FC633DD0783F8C16D874C02E691B0E7 9E793B No parity
KEK single [01]:  8C871084DB62A79DA6B5D18331741227 BED558 No parity
MFK double [01]:  4E0D9628642BB073A949F1E1B17B29B6 7CE8EE No parity
KEK double [01]:  0A28F9F148CCDE7CA93C50FD7F6A996C B7B140 No parity
MFK triple [01]:  D6E65EC0E3F72F19D7DA668A0F87BFA7 BA0C6D No parity
KEK triple [01]:  ACE46163908ED8D620E4B4A788B2D51B 5C3230 No parity
MFK single [01]:  3B040B6FCCB2B9B64FD5DE748E6EEE5F 0E7C89 No parity
MFK single [02]:  F082B204850536F3D49095892AC4CEB3 CD3188 No parity
KEK single [02]:  941F5BFB13ABA84C1E5CCBB225F8ADE5 3F09DA No parity
MFK double [02]:  8BD7DCD035E989D1866218FD98707964 60062E No parity
…
BP-Cryptographic Calculator can also log every operation performed, which is useful when you are looking for a key and do not know its KCV, know only its parity, or know nothing about it at all. In EFTlab's testing experience, test keys are frequently not randomly generated but are a sequence of hexadecimal digits, which makes them easy to spot in such a log. This functionality is demonstrated in the figure below:
Keys Microfocus (HPE Atalla)
Key Encryption
Encrypts the provided working key under an HP Atalla test MFK.
Keys SafeNet

The lookup function tries to decrypt the provided SafeNet host-stored key under the test KM and reports the variants whose clear value matches the given KCV or parity:
SafeNet Keys: Lookup finished – 34 records found matching filter criteria
****************************************
Input Key:    1113AFD9FD6D4C1B83B98FAE02D1900E2955
Input KCV:    Not checked
Input Parity: Any
----------------------------------------
Variant [Type]: Plain key                        KCV    Parity     Desc.
00 [1113]:      722737E2FCC3238690143EA428B370DF 0B91E9 No parity  DPK
01 [1113]:      B153759D6D0DF4D824E0C06A798E74EB 23D7BB No parity  PPK
02 [1113]:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF CAAAAF Even       MPK
03 [1113]:      738B993D7164F52EF244EDF3BC0F9350 1A599F No parity  KIS
04 [1113]:      9EB697AF5B918318336C6E6E093DECB8 D4843C No parity  KIR
05 [1113]:      70875FA3D55B4CA2FECC591E9CBBFE38 155C1C No parity  KTM
06 [1113]:      F7C78CC32756A6FF796F59AEA2B13AEA AFC2DA No parity  CSCK
07 [1113]:      56F3CA5819B6DF9BF5E9FEC42CA9B0C5 F7284F No parity  KPV, DT
08 [1113]:      B7760EC907C975F293C143B82FBFD506 729607 No parity  KPVV
09 [1113]:      F14D8AFA5F879FF5FC4B0EC87A60565C E4069C No parity  KCVV
10 [1113]:      893F353058C1C5B1B2B535F3452FBD27 3C5A62 No parity  KI
12 [1113]:      B7667AEC047C14AB35BFDAD99CFC6F01 85A395 No parity  MAC Residue
…
The operation log described above for Futurex keys works the same way here, and is demonstrated in the figure below:
Keys Thales
Key Encryption/Decryption
The difficulty of verifying keys inside a black-box HSM, described above under Keys HSM, applies in particular to Thales HSMs. With BP-Cryptographic Calculator you can easily check the keys loaded in a Thales HSM.
Firstly, a Thales HSM allows configuration of up to 20 Local Master Key (LMK) pairs. To reduce the risk of a key being compromised, Thales employs five schemes and seven variants, each represented by a binary mask XORed onto the LMK before it is used in a cryptographic operation. Using a key therefore involves selecting the LMK pair, XORing it with the scheme mask and finally XORing it with the variant mask. Put simply, the original 20 keys yield 700 (20 × 5 × 7) distinct working keys for cryptographic purposes.
However, placing a key under an LMK, scheme and variant, or retrieving it again, is intentionally complex. This is why EFTlab developed Thales key encoding and decoding functionality for the default Thales key set.
When working with Thales HSMs in development, developers and testers often need to verify keys to ensure a system is processing correctly. Payment systems are full of keys, and it can be difficult to find which parameters were used to encrypt a given key so that its clear value can be revealed. Usually all that is left is the encrypted key preceded by a scheme letter, plus the checksum (KCV) of the hidden key. How can developers and testers recover the original key?
In short, there are two ways. The first (and quickest) is to search through documentation and hope for a lucky draw. The second is to brute force: try all available HSM keys, schemes and variants to produce candidate clear keys, then compute the KCV of each candidate and keep those that match. Although a brute-force search sounds as if it should take too long, the search space for the default Thales key set is small (the 700 LMK, scheme and variant combinations noted above), so the tool can run it against an environment where the default key sets are loaded. As the figure below demonstrates, BP-Cryptographic Calculator reveals the clear key in a few milliseconds. This works only because the default test LMKs are known; against a properly generated production LMK there is nothing to enumerate.
The operation log described above for Futurex keys works the same way for Thales keys, and is demonstrated in the figure below:
Key Blocks
Cryptographic key blocks: a key block is a means of securely exchanging a key by binding the key (or its parts) to information about the resulting key, for example an identifier, a purpose/function code or an origin authenticator. The use of key blocks as it applies to Triple Data Encryption Algorithm (TDEA) keys is known as key bundling; more generally, the technique is key wrapping.
Thales Key Block
The Thales key block mechanism is based on, but refines and extends, the TR-31 key block that has been standardised for key exchange between communicating parties. The key types that may be carried in a Thales key block are DES and 3DES keys, HMAC keys and RSA public and private keys. Note that an RSA public key is not encrypted, but the key block is still authenticated.
Thales Key Block: Key block decode operation finished
****************************************
KBPK:             9B71333A13F9FAE72F9D0E2DAB4AD6784718012F9244033F3F26A2DE0C8AA11A
Thales Key block: S10096B0TN00E0002D87DC769C95B18C8017242E4B561E9774FB2039ED4F621776752866E1640FE1D39EE161BB3732437
----------------------------------------
Thales Header:    10096B0TN00E0002
----------------------------------------
Version Id:           1
Block Length:         0096
Key Usage:            B0
Algorithm:            T
Mode of Use:          N
Key Version No.:      00
Exportability:        E
Num. of Opt. blocks:  00
LMK ID:               02
Optional Blocks:
Thales Encrypted key: D87DC769C95B18C8017242E4B561E9774FB2039ED4F621776752866E1640FE1D
Thales MAC:           39EE161BB3732437
----------------------------------------
Plain Key: 0123456789ABCDEFFEDCBA9876543210
KCV:       08D7B4
TR-31 Key Block
A TR-31 key block is a format defined by the American National Standards Institute (ANSI) in ASC X9 TR-31, Interoperable Secure Key Exchange Key Block Specification.

The TR-31 key block supports the interchange of keys in a secure manner, with the key's attributes included in the exchanged data. The format defines a set of key attributes (usage, algorithm, mode of use, exportability and so on) that are cryptographically bound to the key by the block's MAC, so that key and attributes can be transported together between any two systems that understand the TR-31 format and the attributes cannot be changed without detection.
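The header fields in the Thales decode output above are clear text, so they can be read and sanity-checked without the KBPK. The following added example, written for this tutorial and not EFTlab's or Thales' code, splits a Thales or TR-31 key block into its header fields, optional blocks, encrypted key and MAC, and verifies the declared length against the actual one. It treats a leading character that is not a version id as the Thales key scheme tag (the 'S' in the page's block), reads the MAC length from the version id (16 hex characters for the Thales version 1 block on this page and for TR-31 versions B and D, 8 for TR-31 A and C; the entry for Thales version 0 is an assumption), and parses optional blocks in the TR-31 form of a two-character id followed by a two-character hex length. It does not unwrap the key; that needs the KBPK and the vendor's derivation and MAC scheme. The TR-31 sample block with an optional block is constructed for this example; its key and MAC bytes are dummy values.

```python
"""Added example: decode a Thales / TR-31 style key block (not EFTlab or Thales code).

Splits the block into its clear header, optional blocks, encrypted key field
and MAC, and checks the declared length. Key unwrapping is out of scope.
"""
from dataclasses import dataclass

# MAC field length in hex characters, by version id. 'A'..'D' are TR-31 versions;
# '0' and '1' are Thales key block versions. The page's example is Thales '1'
# (16-hex-char MAC); the '0' entry is an assumption made for this example.
MAC_HEX_LEN = {"A": 8, "C": 8, "B": 16, "D": 16, "0": 8, "1": 16}

# Small subset of the TR-31 attribute codes, for readable output only.
KEY_USAGE = {"B0": "BDK base derivation key", "D0": "Data encryption",
             "K0": "Key encryption / wrapping", "P0": "PIN encryption",
             "M1": "ISO 9797-1 MAC algorithm 1", "M3": "ISO 9797-1 MAC algorithm 3"}
ALGORITHM = {"T": "TDES", "D": "DES", "A": "AES", "H": "HMAC", "R": "RSA", "E": "Elliptic curve"}
MODE_OF_USE = {"B": "Encrypt and decrypt", "E": "Encrypt only", "D": "Decrypt only",
               "G": "Generate MAC", "V": "Verify MAC", "C": "Generate and verify MAC",
               "N": "No special restrictions", "X": "Key derivation", "S": "Signature"}
EXPORTABILITY = {"E": "Exportable under a trusted key", "N": "Non-exportable",
                 "S": "Sensitive, exportable under a non-trusted key"}

# The page's decoded example (Thales key block, scheme tag 'S').
PAGE_EXAMPLE = ("S10096B0TN00E0002D87DC769C95B18C8017242E4B561E9774FB2039ED4F6217"
                "76752866E1640FE1D39EE161BB3732437")
# Constructed TR-31 version B block with one optional block ('KS', 0x0A = 10 hex
# chars long including its own id and length); key and MAC are dummy values.
TR31_EXAMPLE = "B0074P0TE00N0100" + "KS0A012345" + "11" * 16 + "2222222222222222"


@dataclass
class KeyBlock:
    scheme_tag: str        # Thales key scheme letter (e.g. 'S'); '' for a plain TR-31 block
    version: str
    declared_length: int   # decimal, excludes the scheme tag
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: dict  # id -> data
    lmk_id: str            # header bytes 14-15: reserved in TR-31, LMK identifier in Thales blocks
    encrypted_key: str
    mac: str


def parse_key_block(block: str) -> KeyBlock:
    block = block.strip()
    scheme_tag = ""
    if block and block[0] not in MAC_HEX_LEN:     # first char is not a version id: Thales tag
        scheme_tag, block = block[0], block[1:]
    if len(block) < 16:
        raise ValueError("key block shorter than the 16-character header")
    header = block[:16]
    version = header[0]
    if version not in MAC_HEX_LEN:
        raise ValueError(f"unknown key block version {version!r}")
    declared = int(header[1:5])
    if declared != len(block):
        raise ValueError(f"declared length {declared} != actual length {len(block)}")
    pos, optional = 16, {}
    for _ in range(int(header[12:14])):
        opt_id, opt_len = block[pos:pos + 2], int(block[pos + 2:pos + 4], 16)
        if opt_len < 4 or pos + opt_len > len(block):   # '00' (extended length form) not handled
            raise ValueError(f"bad optional block {opt_id!r} at offset {pos}")
        optional[opt_id] = block[pos + 4:pos + opt_len]
        pos += opt_len
    mac_len = MAC_HEX_LEN[version]
    encrypted, mac = block[pos:len(block) - mac_len], block[len(block) - mac_len:]
    if not encrypted or len(encrypted) % 16:
        raise ValueError("encrypted key field must be a whole number of cipher blocks")
    for field in (encrypted, mac):
        bytes.fromhex(field)                         # raises ValueError if not hex
    return KeyBlock(scheme_tag, version, declared, header[5:7], header[7], header[8],
                    header[9:11], header[11], optional, header[14:16], encrypted, mac)


def describe(kb: KeyBlock) -> str:
    """Render the decoded fields in the same order as the tool's output."""
    rows = [("Version Id", kb.version), ("Block Length", f"{kb.declared_length:04d}"),
            ("Key Usage", f"{kb.key_usage} ({KEY_USAGE.get(kb.key_usage, 'unknown')})"),
            ("Algorithm", f"{kb.algorithm} ({ALGORITHM.get(kb.algorithm, 'unknown')})"),
            ("Mode of Use", f"{kb.mode_of_use} ({MODE_OF_USE.get(kb.mode_of_use, 'unknown')})"),
            ("Key Version No.", kb.key_version),
            ("Exportability", f"{kb.exportability} ({EXPORTABILITY.get(kb.exportability, 'unknown')})"),
            ("Num. of Opt. blocks", f"{len(kb.optional_blocks):02d}"), ("LMK ID", kb.lmk_id),
            ("Optional Blocks", ", ".join(f"{k}={v}" for k, v in kb.optional_blocks.items())),
            ("Encrypted key", kb.encrypted_key), ("MAC", kb.mac)]
    return "\n".join(f"{name + ':':22}{value}" for name, value in rows)


if __name__ == "__main__":
    print(describe(parse_key_block(PAGE_EXAMPLE)))
```

The length check is the one worth keeping in any tooling of your own: a key block whose declared length disagrees with its actual length has been truncated or concatenated with something else, and feeding it to an HSM only yields an opaque error. Note that the header bytes 14-15 are reserved in TR-31 but carry the LMK identifier (02 in the page's example) in a Thales block, which is one of the refinements the text above refers to.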
In this article we went through the functionality of Cryptographic Calculator covered by the Keys menu.
Cryptographic Calculator and the other tools in the BP-Tools suite were designed to help payment industry people with their day-to-day tasks and make their work as effective as possible. Our team would be grateful for any suggested improvements to our applications or reports of new functionality that is needed. Feedback like this from our users is exactly what drives development and helps us share our experience with the wider public.