Variant Command Ref Manual V2 0 (Ax160) C8Z37 9000A

User Manual: Pdf

Open the PDF directly: View PDF .
Page Count: 1

What’s New in This Manual
- New and changed information
About This Manual
- Who Should Read This Manual
- Your comments invited
- Related documents
- Type conventions
1 Introduction
- Cryptographic functions
- Operating overview
- Command and response
- Programming guidelines
  - Sample program
2 Using DES keys
- Master File Key
- Key Exchange Key
- Working keys
- Key variants
  - Supported key types.
- Key generation and translation
- Non-volatile key table
- Volatile table
- Procedure to replace the current MFK with the pending MFK
- Security precautions
3 DES key management
- Quick reference
4 Processing Personal Identification Numbers
- About PIN Processing
- PIN Processing Tasks
- PIN Sanity Error
- PIN Block Types
- PIN Processing Commands
5 Processing Transaction Data
- Data Processing Tasks
- Encrypting and Decrypting Data
  - Supported Encryption/Decryption Methods
  - Using Initialization Vectors
- Data Processing Commands
6 Authenticating Transaction Data
- About Data Authentication
- Data Authentication Commands
7 Authorizing VISA, MasterCard, American Express, and Discover Cards
- About CVVs, CVCs, and CSCs
- CVV, dCVV, CVC, CVC3, and CSC Commands
8 Processing EMV and Visa Stored Value Cards
- EMV Master Key Derivation
- VSVC Signatures
- DES Key Management for VSVC
9 Storing Values in the Volatile Table
- About the Volatile Table
  - Referencing a location
- Volatile Table Tasks
- Volatile Table Commands
10 Printing Commands
- Letter template file
- Printing an encrypted PIN
- Printing a key component
- Printing a test page
- HP Printers
- Combine Key Components (Command 15E)
- Generate PIN Printing Key (Command 160)
- Print PIN Letter (Command 161)
- PIN Issuance: IBM 3624 Method (Command 162)
- PIN Issuance: Visa Method (Command 163)
- Divide a Key into Components (Command 16E)
- Print Component Letter (Command 16F)
11 Utility Commands
- Quick Reference
12 Error Messages
- Application Error Messages
  - Detailed Errors
A Introduction to Cryptography
- Data Encryption Standard (DES)
- Message Authentication
- Triple DES (3DES)
- Key Attributes
- Sample Clear-text Key Component Form
B Understanding Financial Interchange Networks
- Overview
- Initializing the Financial Interchange Network
  - Purpose
  - Initialization Checklist
C Summary of Commands and Options
- Network Security Processor Options
  - Recommended settings for security options
D Contacting Atalla
- 24-hour Support
- On-site Support
Glossary
Index

NSP Command Reference Manual

Abstract

The NSP Command Reference Manual defines the command and response syntax for

standard cryptographic functions in the A10160-V, A9160-V and A8160-V Network

Security Processors that support the Atalla Variant key management method. The

command syntax for Network Security Processors that support the Atalla Key Block

(AKB) key management method is documented in the NSP Atalla Key Block Command

Reference Manual.

Network Security Processors are designed for use in Automated Teller Machine (ATM),

Electronic Funds Transfer (EFT), and Point Of Sale (POS) networks. They can also be

used for other types of applications that require Data Encryption Standard (DES) or

triple DES (3DES) support.

Commands that support Public key cryptography are not supported in this product.

Customer specific commands are not documented in this manual.

Network Security Processor version 2.0 requires the use of a Secure Configuration

Assistant-3 and version 2.0 Security Administrator Smart cards.

Product Version

Ax160 NSP Variant Version 2.00

Part Number Published

C8Z37-9000A May 2013

Document History

Part Number Product Version Published

587397-002 version 1.00 November 2009

AJ556-9004A version 1.10 April 2010

AJ556-9004B version 1.11 June 2010

AJ556-9004C version 1.13 October 2010

AJ556-9004D version 1.17 May 2011

AJ556-9004E version 1.30 July 2011

Hewlett-Packard Company—C8Z37-9000A

NSP Command Reference

Manual

Glossary Index Figures Tables

What’s New in This Manual xix

New and changed information xix

About This Manual xxiii

Who Should Read This Manual xxiii

Your comments invited xxiv

Related documents

Installation and Operations Guide for the Ax160 NSP

If you purchase a Secure Configuration Assistant-3, you will receive the following

document:

Atalla Secure Configuration Assistant-3 Users Guide

Type conventions

Hypertext links

Blue underline is used to indicate a hypertext link within text. By clicking a passage of

text with a blue underline, you are taken to the location described.

For example:

See Data formats on page 1-4 for information on how to include these special

characters in your command data.

Key presses

Keys you press are shown in boldface Helvetica type.

About This Manual

NSP Command Reference Manual—C8Z37-9000A

xxv

Type conventions

Example: Press the clear key to return to the Main Menu.

Emphasis

Words that are emphasized are shown in italic or bold.

Example: You must create a Master File Key (MFK).

Key cryptogram notation

Key values are sent to the Network Security Processor in an encrypted form. The

notation:

EMFK.V(Working Key)

The first character (either E or D) indicates the DES operation (encryption or

decryption). The subscripted value is the encrypting/decrypting key and any variant.

The value in parenthesis is being operated on. The example above indicates that the

Working Key has been encrypted under a specific variant of the Master File Key.

To aid readability, long strings of characters, such as key cryptograms, will be split into

groups of four characters. Do not include these spaces when sending commands. For

example:

The clear-text key value: 0123456789ABCDEF will be shown as:

0123 4567 89AB CDEF

Examples

Examples and explanations are shown in Courier type.

Example:

COMMAND=<101#023E#>

RESPONSE=<201#Y#>

Optional fields

Fields in the command and response syntax descriptions that are surrounded by

square brackets are optional. The location of the closing square bracket is significant. If

the field delimiter (#), precedes the closing square bracket the entire field is optional. If

the field delimiter (#) follows the closing square bracket the field is required but can be

empty. For example:

The key length field is optional:

<10#Variant#EMFK.0(KEK)#[Key Length#]>

The key length field is required but can be empty:

<10#Variant#EMFK.0(KEK)#[Key Length]#>

About This Manual

NSP Command Reference Manual—C8Z37-9000A

xxvi

Type conventions

Even page numbering

Each section in this manual ends on an even page, even if the page is blank. This

practice enables each section to start on an odd-numbered page, which helps give the

manual a consistent appearance.

NSP Command Reference Manual—C8Z37-9000A

1-1

1Introduction

This section describes the cryptographic functions supported by the Network Security

Processor, the command and response message format, error reporting, and data

formats.

Cryptographic functions

Network Security Processor support the following cryptographic functions:

DES key management - key generation and key translation.

Processing Personal Identification Numbers - encrypting, translating, and verifying

PINs.

Processing Transaction Data - encrypting and decrypting data.

Authenticating Transaction Data - generating and verifying Message Authentication

codes.

Authorizing VISA, MasterCard, American Express, and Discover Cards -

generating and verifying credit and debit authorization codes

Processing EMV and Visa Stored Value Cards - generating and verifying

Authorization Request Cryptograms, generating message authentication codes,

and generating and verifying VCSC signatures.

Operating overview

The Network Security Processor must be initialized with a Master File Key before it can

process a cryptographic command. Utility Commands do not require the Network

Security Processor to be initialized with a Master File Key.

Network Security Processor operation occurs in three phases:

Command. The host application writes the command to the Network Security

Processor.

Processing. The Network Security Processor performs the requested actions

based on the specific commands received.

Response. The Network Security Processor returns the response. The host reads

the response.

Command and response

The application programming interface consists of a set of specific commands to which

a response or error message is returned. The host application must send the

command as a contiguous strings of characters. The TCP/IP message that contains

Introduction

NSP Command Reference Manual—C8Z37-9000A

1-2

Command and response

the command to be processed by the Network Security Processor must end with the

“#>” end-of-command characters.

To fit the page layout of this manual, command and response syntax descriptions, and

examples, are when necessary, split into multiple lines usually at a field boundary. The

response to the second example below is typical of a multi-line response.

Commands are identified by an ID and have the following format:

where:

Characters preceding the “<“ start of command character are ignored. Characters

following the “>” end of command character are also ignored. These four characters

(“<“, “#”, “^”, and “>”) have special meaning to the Network Security Processor, and

therefore cannot be included in the command data fields. In Ethernet TCP/IP

communications, the carriage return (CR) character is also a special character that is

interpreted as an end-of-command, it also cannot be included in the command data.

See Data formats on page 1-4 for information on how to include these special

characters in your command data.

Any cryptographic command can include an additional field after all required fields.

This field is optional, and can be used to supply “context” information which is returned

with the response message. The first character of this field must be ASCII hexadecimal

5E (^). The remaining data can be variable in length but it may not contain the #, >, <,

or CR characters, or exceed the maximum command length of 5,000 characters.

The response format is identical to the command format with the exception that a

carriage return CR (hexadecimal 0D) and a line feed LF (hexadecimal 0A) may follow

the “>”. The carriage return and line feed are denoted as CRLF. This capability is

configurable, the default is CRLF is appended to the response; see option 023 to

remove the CRLF from the response.

Input commands have odd-numbered first digits; the corresponding response

commands are ten digits higher. For example, if 10 is the command ID, then 20 is the

response ID; if 31 is the command ID, then 41 is the response ID. See Appendix C,

Summary of Commands and Options for a listing of commands.

Note. The host application must not send any additional characters after the “#>”

end-of-command characters.

<CMDID#FIELD 1#FIELD 2#FIELD N#[^Context Tag#]>

< Starts the command

CMDID Is the two, three, or four character Command ID

# Is a delimiter after each command field (including the last field)

Field Is the command data (fields vary in length and number)

^ Context Tag

> Ends the command

Introduction

NSP Command Reference Manual—C8Z37-9000A

1-3

Error responses

The following example shows the command and response for Command 10, notice

that the CRLF is appended to the response:

Command

Response

The following example shows the command and response for Command 10 using a

context tag:

Command

Response

Error responses

If the Network Security Processor encounters an error, an error response message is

returned. Use the information below to decode the error response. If you are contacting

Atalla Technical support for assistance please be sure to provide the exact command

and error response.

The format of the error response is:

<00#XXYYZZ#>

The response ID of 00 indicates an error is being returned.

XX-indicates the error number, Table 12-1, Error Types, on page 12-1 lists the error

number and its description.

YY – the first field found to be in error. The command ID field is field zero. If this field

returns the value 00, then any of the following may be true:

The command specified an invalid command number.

A necessary MFK or KEK is missing.

In response to an echo (Command (ID = 00) command.

<10#1#F6F4D93F55860571#>

<20#4110AD1F7EE6239A#F65C09AA7CD28F8A#82E1#>CRLF

<10#1#F6F4D93F55860571#^Generate KPE for ATM 325#>

<20#4110AD1F7EE6239A#F65C09AA7CD28F8A#82E1#

^Generate KPE for ATM 325#>CRLF

Introduction

NSP Command Reference Manual—C8Z37-9000A

1-4

Detailed errors

ZZ – the software version of the cryptographic command processor. This field returns a

two digit software version number, use command <1101#> for more complete

information on the software version.

Here is an example of an invalid command 10, (field 2 contains 15 characters instead

of 16).

Command

Response

The error indicates length out of range in field 2, software version is 1.00.

Detailed errors

The detailed error is appended as a separate field after the error field (XXYYZZ).

Detailed errors are included if option 021 is enabled. Table 12-2, Detailed Application

Errors, on page 12-2 describes the detailed application error messages.

Here is an example of an invalid command that returns an error and a detailed error.

Command

Response

The error indicates value out of range in field 0, software version is 1.00. The detailed

error (201) indicates Invalid Command.

Data formats

Commands and responses usually contain only hexadecimal characters. Each

character is one byte. The Network Security Processor requires ASCII characters.

There are a limited number of commands that do not have fields that specify data type

and length, the command Generate MAC and Encrypt or Translate Data

(Command 59) is an example. In some instances the data to be processed may be

Note. If a binary zero is present in an field that does not allow binary data the context tag will

not be present in the error response.

<10#1#F6F4D93F5586057#>

<00#010210#>CRLF

<20#1#F6F4D93F55860571#>

<00#030010#0201##>CRLF

Introduction

NSP Command Reference Manual—C8Z37-9000A

1-5

Programming guidelines

unprintable, or contain control characters for some protocols, or include the special

characters (“<“, “#”, “^”, “>”, carriage return and line feed). For example, to encrypt or

authenticate this message:

Sell stock when price is > $50.

The “>” character causes the Network Security Processor to incorrectly terminate the

message. There are two ways to resolve this issue:

The host application converts each data character to ASCII hexadecimal. This

allows all possible characters to be processed. The example data “Sell stock when

price is > $50.” would be converted to:

53656C6C2073746F636B207768656E207072696365206973203E20

2435302E

Use a command that supports binary data and includes data type and data length

fields such as Generate MAC (Command 98).

Programming guidelines

If your host application is running on a NonStop Himalaya system, you can use Boxcar

or the Atalla Resource Manager (ARM) to manage the host to Network Security

Processor TCP/IP Ethernet interface. See the Boxcar Reference Guide for information

on configuring Boxcar. See the Atalla Resource Manager (ARM) Installation,

Operations, and Reference Manual for more information on ARM.

The remainder of this section applies to a Unix host environment. Communicating with

the Network Security Processor using Ethernet TCP/IP involves the following basic

steps:

Setting up the application

Opening the socket interface

Connecting the socket to the Network Security Processor

Sending the command

Receiving the response

Closing the socket

The following subsections explain each of the above programming steps.

Setting Up the application

The host application should interact with the Network Security Processor in a single-

threaded manner. This means you must send a command and wait for a response.

Also, if you are using the C programming language in a UNIX environment, be sure to

include the following files:

sys\types.h

Introduction

NSP Command Reference Manual—C8Z37-9000A

1-6

Sample program

sys\socket.h

netinet\in.h

stdio.h

Opening the socket interface

The socket system call requires the domain, socket type, and protocol. The Network

Security Processor socket should be coded to use Internet domain (AF_INET), a

stream socket (SOCK_STREAM), and the default protocol (0) for SOCK_STREAM.

Connecting a socket to the NSP

The connect system call is used to establish the connection. When connecting the

socket to the Network Security Processor, you need to specify the IP address of the

Network Security Processor and the TCP port number. The Network Security

Processor supports a maximum of 64 sockets. Requests to open additional sockets will

immediately receive a close socket from the Network Security Processor.

Sending commands to the NSP

Use the send system call to send the command to the Network Security Processor.

Receiving responses

Use the recv system call to received the Network Security Processor response. Since

a response from the Network Security Processor can exceed the length of a single

Ethernet frame, it is important to code your application in a way that ensures that you

have received the entire response from the Network Security Processor. All commands

end with these two characters “#>”. If option 23 is disabled, a carriage return and line

feed 0x0D and 0x0A are appended after the “#>” characters. A response to a

command that contains binary data may have the” #>” characters as part of the

response data, therefore if you use Network Security Processor commands with binary

data you will need to code your application to check the response data length field to

be sure you have read all the data from the Network Security Processor response

message.

Closing a socket

The close system call is used to terminate the session with the Network Security

Processor. The application should close the sockets before the application terminates.

Sockets that are not closed remain open, thereby reducing the number of sockets

available. Opening and closing a socket for each command is not recommended.

Sample program

Here is a sample program that can be used to communicate with an Ax160 NSP over

TCP/IP.

Introduction

NSP Command Reference Manual—C8Z37-9000A

1-7

Sample program

/ * Example code for Ax160 TCP/IP communication */

#include <stdio.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#define MAX_MSG 8192

* Assume the Ax160 NSP response will be returned in 10 byte chucks. This will

* demonstrate how to look for the end of a command across multiple packets.

#define PKT_READ_SIZE 10

int

main(void)

{

char ipaddr[40]; /* IP address */

int portnumber = 0; /* IP Port number */

char message[MAX_MSG]; /* Buffer of message being sent */

char msgrsp[PKT_READ_SIZE]; /* Buffer of message being read back */

char retmsg[MAX_MSG]; /* Buffer that contains response */

int msglen = 0;

int rcvlen = 0;

int msg_done = 0;

int rsp_start = 0;

int socketnum = 0;

struct sockaddr_in aname;

int status = 0;

int rsp_ptr = 0;

* Load IP address, port number, and message

sprintf(ipaddr, "%s", "192.168.1.100");

portnumber = 7000;

sprintf(message, "%s", "<1101#>");

msglen = strlen(message);

* Create a socket

socketnum = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

if (socketnum < 0)

{

printf("Unable to obtain socket number\n");

exit(2);

}

* Set socket infomation in the socket structure

aname.sin_family = AF_INET;

aname.sin_port = htons(portnumber);

aname.sin_addr.s_addr = inet_addr(ipaddr);

* Connect to the target Ax160

if (connect(socketnum, &aname, sizeof(aname)) < 0 )

{

Introduction

NSP Command Reference Manual—C8Z37-9000A

1-8

Sample program

printf("Connection error");

close(socketnum);

exit(2);

}

* Send the message

status = send(socketnum, message, msglen, 0);

if (status < 0)

{

printf("Unable to send to socket\n");

close(socketnum);

exit(2);

}

* Fetch the response

rsp_start = 0;

{

int i = 0;

rcvlen = recv(socketnum, msgrsp, (size_t)(PKT_READ_SIZE), 0);

if (rcvlen < 0)

{

printf("Unable to receive from socket\n");

close(socketnum);

exit(2);

}

if (rcvlen == 0)

{

printf("Received 0 length message\n");

close(socketnum);

exit(2);

}

i = 0;

if (rsp_start == 0)

{

* Search for the start of the response

for (; i<rcvlen; i++)

{

if (msgrsp[i] == '<')

{

* Found the start of the response

rsp_start = 1;

break;

}

if (rsp_start != 0)

{

Introduction

NSP Command Reference Manual—C8Z37-9000A

1-9

Sample program

* We are processing a response, copy characters into the output buffer

for (; i<rcvlen; i++)

{

* Error if response get too big for the buffer we allocated

if (rsp_ptr >= MAX_MSG - 1)

{

printf("Error: response would overflow buffer\n");

exit(2);

}

retmsg[rsp_ptr++] = msgrsp[i];

if (msgrsp[i] == '>')

{

msg_done = 1;

break;

}

* Continue to perform socket reads until we get the whole response

} while (msg_done == 0);

* Null terminate the response string for printf

retmsg[rsp_ptr] = 0;

* Output the response

printf("Message: %s\n", message);

printf("Response: %s\n", retmsg);

close(socketnum);

}

Introduction

NSP Command Reference Manual—C8Z37-9000A

1-10

Sample program

NSP Command Reference Manual—C8Z37-9000A

2-1

2Using DES keys

A secure financial system network has several types of DES keys, each of which are

used for a specific purpose. The majority of these keys are generated by the Network

Security Processor, and returned to the host application in two forms. One form is for

use by the Network Security Processor. In this form the DES key is encrypted under

the Master File Key and stored in the host application’s key database. The second

form is for use by the remote system. In this form the DES key is encrypted under the

Key Exchange Key. The most common uses of these DES keys are to encrypt,

translate, and verify PINs, encrypt and decrypt data, generate and verify message

authentication codes, and generate and verify card verification values.

The Network Security Processor will not accept or return clear-text DES key values. All

DES keys must be supplied encrypted under the Master File Key which resides within

the secure boundary of the Network Security Processor. When importing a DES key

that was generated on a remote system, the DES must be encrypted under a Key

Exchange Key.

DES keys contain 64 bits; they are called single-length keys. Triple DES keys contain

128 bits; they are called double-length or 2key-3DES keys. In the variant personality

only the Master File key can triple-length (192 bits), all other keys must be either single

or double length. For more information on DES keys, see Key Attributes on page A-4.

Master File Key

The Master File Key (MFK) encrypts Key Exchange Keys and working keys. The MFK

is never used to encrypt PINs or data and is never shared with another node. The

length of the MFK must be equal to or greater than the length of the Key Exchange

Keys and working keys it protects. Security Officers use the Secure Configuration

Assistant-3 (SCA-3) to create components of the Master File Key, and then send them

to the Network Security Processor. These components are combined to form a secret

key which is stored in the Network Security Processor’s Non-volatile key table. To

minimize downtime, a Pending MFK (PMFK) can be loaded into the Network Security

Processor using the same procedure. For more information, see Procedure to replace

the current MFK with the pending MFK on page 2-5.

Key Exchange Key

To maintain secrecy, working keys are encrypted under a key called a Key Exchange

Key (KEK) before they are sent from one node to another. Key Exchange Keys are

unique for each network node. The length of the Key Exchange Key must be equal to

or greater than the length of the working keys it protects.

Working keys

Working keys are types of keys used to perform specific cryptographic operations, PIN

Encryption Keys and Message Authentication Keys are two examples of working keys

Using DES keys

NSP Command Reference Manual—C8Z37-9000A

2-2

Key variants

used for a specific purpose. Working keys are not stored in the non-volatile key table,

they are stored on a host database encrypted using a specific variant of the MFK.

This encrypted form of the key is called a key cryptogram. When a particular working

key is needed to process a transaction, the host sends the cryptogram of the working

key to the Network Security Processor where it is decrypted by the MFK and then used

to process the transaction data. Most commands accept either 1key-3DES (single-

length) or 2key-3DES (double-length) keys, however several commands support only

1key-3DES (single-length) working keys. See the specific command documentation to

confirm the key lengths supported. Working keys can also be stored in the Volatile

table.

Key variants

Secure cryptography requires that keys be separated according to their intended use.

For example, a key may be used as a PIN Encryption Key (KPE) or a Data Key (KD),

but not both. This strict categorization is intended to prevent system compromise by

substitution or misuse. Each type of key is encrypted by a specific variant of either the

MFK or a KEK. Variants are produced by performing an exclusive-OR with a fixed

value and the first – that is, most significant – byte of each half of the MFK or KEK.

Each type of working key is encrypted by a unique version of the MFK or a KEK. The

command syntax sections of this manual contain notations similar to this:

EMFK.V(Working Key)

This represents the working key encrypted under a specific variant of the MFK. For

example, a PIN Encryption Key (KPE) is encrypted under variant 1 of the MFK. The

notation would be:

EMFK.1(KPE)

Some commands require the variant to be specified. See Table 2-1 on page 2-3 for a

complete list of supported key types.

Variants are unique to Atalla Network Security Processors. When importing or

exporting working keys from a node that does not use the Atalla variant method,

ensure that the appropriate working key cryptograms are created without variants.

See commands:

Generate VISA Working Key (Command 18) on page 3-44

Translate Communications Key for Local Storage (Command 19) on page 3-46

Translate Working Key for Distribution to Non-Atalla Node (Command 1A) on

page 3-49

Translate Communications Key for Local Storage Using a Specific Variant

(Command 1D) on page 3-52.

Using DES keys

NSP Command Reference Manual—C8Z37-9000A

2-3

Supported key types.

Table 2-1. Supported key types (page1of2)

Variant Working Key Abbrev.

0 Key Exchange Key KEK, KEK-IN

1 PIN Encryption Key KPE

2 Data or Communication Key KC

3 Message Authentication Code key KMAC

3 VISA Card Verification Value

Mastercard Card Validation Code

KCVV

KCVC

4 PIN Verification Key KPV

5ATM A key AATM

5ATM B key BATM

5 ATM master key KMATM

5 Object Key KOP

6 Initialization Vector IV

6 Decimalization/Conversion Table DECTAB

7 Challenge Response Authentication Key KMACR

8 Derivation Key DK

9 Visa VSVC Master Key / EMV Master Key VSVCMK / MK

10 PIN Encryption Key - Encrypt Only KPE-EO

11 Custom MK-DL

12 Custom PMK

13 Master Message Authentication Key KMAC-MK

14 Custom none

15 none none

16 Data Encrypt Only ENC

17 Data Decrypt Only DEC

18 Generate Message Authentication Code only GMAC

19 Verify Message Authentication Code only VMAC

20 PIN Encryption Key - Decrypt Only KPE - DO

21 Custom none

22 Custom none

23 Custom none

24 Custom none

25 Custom none

Using DES keys

NSP Command Reference Manual—C8Z37-9000A

2-4

Key generation and translation

A common use of the Network Security Processor is to protect sensitive information as

it travels through an insecure network. DES encryption is typically used for this

purpose. A random DES key is used to encrypt the sensitive information at the origin,

and the same DES key must be used at the receiving node to successfully decrypt the

information. This means that both the origin and destination must share the same DES

key. When establishing working keys, a special purpose key called a Key Exchange

Key (KEK) is created, and exchanged out-of-band; that is, it is not transmitted over the

network. Once both nodes have the same KEK, they can use it to encrypt working keys

for transmission between the two nodes.

Ideally, working keys such as PIN Encryption Keys (KPEs), Data Encryption and

Decryption (KDs) and Message Authentication Keys (KMACs) are system generated,

this insures no one individual knows the key. The Network Security Processor supports

a generic key generation command Generate Working Key, Any Type (Command 10)

on page 3-4 that can be used to generate any type of key. The generated key is

encrypted in two forms one for local storage and use (encrypted under the MFK) and

one for export to the remote node (encrypted under the KEK).

To receive an encrypted working key from a remote node it must be translated from

encryption under the KEK to encryption under the MFK. See Section 3, DES key

management for more information on key generation and key translation commands.

Non-volatile key table

The Network Security Processor has a non-volatile key table that stores the Master

File Key and Pending Master File Key. Keys stored in the non-volatile key table are

maintained without external power for up to five years. Once loaded into the non-

volatile key table, they cannot be extracted, transmitted, or downloaded in clear-text

form. Securing the Network Security Processor involves using the Secure

Configuration Assistant-3 (SCA-3) to either add an Network Security Processor to an

existing security association or create a new security association for the Network

Security Processor, and defining and sending a Master File Key to the Network

Security Processor. See Security Processor Status Key (Command 9A) on page 11-25

for the command syntax to determine what keys are stored in the non-volatile key

26 Custom none

27 Custom none

28 Custom none

29 Custom none

30 Challenge Data none

31 Key Exchange Key - Outgoing KEK-OUT

Table 2-1. Supported key types (page2of2)

Variant Working Key Abbrev.

Using DES keys

NSP Command Reference Manual—C8Z37-9000A

2-5

Volatile table

table. See the SCA-3 Users Guide for the procedures to load keys into the non-volatile

key table.

Volatile table

Early model Network Security Processors supported only asynchronous or

bisynchronous communications at a maximum baud rate of 19,200 bits per second.

Performance was limited by the communications interface. To minimize the number of

characters sent in a command, a volatile table was created. The host application was

able to preload keys into the table. When a specific key was needed, the index into the

table was provided in the command, instead of the 16 character key cryptogram,

reducing the length of the command. The benefit was better performance, however the

host application became more complex as it now had to manage the table. The

Ethernet TCP/IP interface is fast enough such that there is no performance benefit in

using the table. The Verify PIN – Diebold (Command 32) on page 4-56, is the only

command that requires the use of the volatile table.

See Section 9, Storing Values in the Volatile Table if you decide to use the volatile

table. The volatile table can store up to 9,999 1key-3DES (single-length) keys and

Diebold Number Tables or 4,998 2key-3DES (double-length) keys.

Procedure to replace the current MFK with the

pending MFK

All working key cryptograms encrypted under the current MFK must be translated to

encryption to the new MFK. This task can be accomplished manually with the SCA-3,

or a more efficient process is to follow the procedure below. The new MFK must be

loaded as a pending MFK. This procedure assumes working keys exist encrypted

under the current MFK which resides in the Network Security Processor.

1. Using the SCA-3 define and load the pending MFK into the Network Security

Processor.

2. Translate all working keys from encryption under the current MFK to the Pending

MFK. See Translate Working Key for Local Storage Under the Current MFK to the

Pending MFK (Command 9E) on page 3-63 for the command syntax required to

perform this task.

3. Replace the current MFK with the pending MFK. See Replace the Current MFK

with the Pending MFK (Command 9F) on page 3-66 for the command syntax

required to perform this task.

4. Configure the host application to use the new key cryptograms generated in step 2

above.

Using DES keys

NSP Command Reference Manual—C8Z37-9000A

2-6

Security precautions

The Network Security Processor is only as secure as you and your procedures make it.

Many attempts to obtain confidential information are performed by employees or other

individuals with access to, or knowledge of, security related equipment. Here are some

recommendations on keeping your Network Security Processor secure:

Always keep production cryptographic keys secret. Key components should

recorded and stored in a secure location.

Always define production keys with multiple key components. Never let one

individual have access to an entire production key.

Make sure that key component holders are restricted to their one key component.

They should never be allowed to assume the role of another key component holder

which would give them access to the entire secret key value.

Never allow a test key to be used in the same system that has production keys.

Before migrating a test unit into production, always insure that all test keys have

been deleted.

Whenever possible choose 2key-3DES (double-length) keys.

When not in use, keep the SCA-3 locked in a secure location.

The passwords for the SCA-3 Security Administrator and Shareholder smart cards

must be kept secret. Each Security Administrator should possess only one smart

card.

Keep the front bezel and access door locked. Store the keys in a secure location.

Do not keep the keys in the locks.

Never use the SCA-3 calculate cryptogram feature to encrypt a key that is known

by a single individual. Always validate the source of the key and the business

requirement, before you allow it to be entered into your system.

Configure and secure your system such that only authorized individuals and host

applications have access to the Network Security Processor.

Only enable commands that you have confirmed are required by your host

application, all other commands should be disabled by the Network Security

Processor’s security policy. Do not enable commands and options listed as a high

security exposure until you have confirmed that there is a legitimate business

requirement to do so.

NSP Command Reference Manual—C8Z37-9000A

3-1

3DES key management

This section contains the information on commands used to support the initialization

and management of cryptographic keys in a financial interchange network, see

Initializing the Financial Interchange Network on page B-2 for an overview.

Quick reference

Table 3-1 identifies each command by number, name, and purpose. While the table

organizes the initialization commands by category, the commands themselves are

presented in numerical order.

Table 3-1. Initialization commands (page 1 of 3)

Command

Number Name Purpose

Key generating commands

10 Generate Working Key,

Any Type

Generates a variety of working keys. The

command returns the generated key in two

forms: one for storing locally, encrypted under

the specified variant of the MFK, and one for

transmitting to another Atalla node, encrypted

under the specified variant of the KEK.

18 Generate VISA Working

Key

Generates a PIN Encryption Key for use with

VISA security processors. The command returns

PIN Encryption Key key in two forms: one for

storing locally, encrypted under variant 1 of the

MFK, and one for transmitting to a non-Atalla

node, encrypted under a KEK without a variant.

1E Generate New Initial Key

for PIN Pad Using VISA

DUKPT

Reinitializes PIN pads that perform VISA

Derived Unique Key Per Transaction (DUKPT)

key management.

11D Generate ATM MAC or

Data Encryption Key

Generates either a MAC or Data Encryption Key.

Key translating commands

11 Translate Working Key for

Distribution

Exports a working key. This command translates

a working key from encryption using the

specified variant of the MFK, to encryption using

the specified variant of any KEK.

13 Translate Working Key for

Local Storage, Switch-to-

Switch

Imports a working key. This command translates

a working key from encryption using the

specified variant of any KEK, to encryption using

the specified variant of the MFK.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-2

Quick reference

19 Translate Working Key

from a Non-Atalla Node for

Local Storage

Imports a working key from a non-Atalla node.

This command translates a working key from

encryption using a base key without a variant, to

encryption using a specified variant of the MFK.

1A Translate Working Key for

Distribution to Non-Atalla

Node

Exports a working key to a non-Atalla Node.

This command translates a working key from

encryption using the specified variant of the

MFK, to encryption using any KEK without a

variant.

1D Translate Communications

Key for Local Storage

Using a Specific Variant

Imports a working key from a non-Atalla node.

This command translates a communications key

from encryption using a base key without a

variant, to encryption using the specified variant

of the MFK.

9E Translate Key using

Pending MFK

Translates a working key from encryption under

the MFK to encryption under the PMFK.

113 Translate Key between

modes of DES

Translates a KEK encrypted working key from

ECB to CBC, or CBC to ECB mode of DES.

ATM-key loading commands

14 Load ATM Master Key –

Diebold

Encrypts the ATM Master Key for downloading

to Diebold ATMS.

14 Load ATM Master Key –

IBM 3624

Encrypts the ATM Master Key for downloading

to IBM 3624 ATMs.

14 Load ATM Master Key –

IBM 4731

Encrypts the ATM Master Key for downloading

to IBM 4731 ATMs.

ATM-key changing commands

15 Change ATM

Communications Key –

Diebold

Encrypts a Communications Key for

downloading to Diebold ATMs.

15 Change ATM

Communications Key –

Docutel

Encrypts a Communications Key for

downloading to Docutel ATMs.

15 Change ATM

Communications Key –

IBM 3624

Encrypts a Communications Key for

downloading to an IBM 3624 ATM.

15 Change ATM

Communications Key –

IBM 4731

Encrypts a Communications key for

downloading to an IBM 4731 ATM.

Financial institution table enrypting commands

16 Encrypt Financial Institution

Table – Diebold

Encrypts keys for downloading to Diebold ATMs

financial institution tables.

Table 3-1. Initialization commands (page 2 of 3)

Command

Number Name Purpose

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-3

Quick reference

16 Encrypt Financial Institution

Table – Docutel

Encrypts keys for downloading to Docutel ATMs

financial institution’s tables.

16 Encrypt Financial Institution

Table – IBM 3624

Encrypts keys for downloading to IBM 3624

ATMs financial institution tables.

Generate Check Digit Command

7E Generate Check Digits Generates check digits for a key encrypted

under the MFK.

Promote Pending MFK Command

9F Make Pending MFK

Current

Replaces the current MFK with the Pending

MFK.

Table 3-1. Initialization commands (page 3 of 3)

Command

Number Name Purpose

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-4

Generate Working Key, Any Type (Command 10)

Command 10 generates a variety of working keys that are either 1key-3DES (single-

length) or 2key-3DES (double-length). The odd-parity key is generated in two forms:

one for storing locally, encrypted under the appropriate variant of the MFK, and one for

transmitting to another network node encrypted under the appropriate variant of the

KEK.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Variant

Field 1, the MFK and KEK variant (v) used to encrypt the generated working key,

thus establishing its function. This field can be one or two bytes long and can

contain the numbers 0 - 31. See Key variants on page 2-2 for a list of supported

variants.

[EMFK.0(KEK)]

Field 2, the KEK encrypted under variant zero of the MFK. This key is used to

encrypt the randomly generated working key. This field can contain a 16 or 32 byte

hexadecimal value, a volatile table location, or can be empty. If this field is empty

field 2 of the response will also be empty.

[Key Length#]

Field 3, an optional field used to specify the length of the generated working key. A

value of “S” indicates a 1key-3DES (single-length) working key. A value of “D”

indicates a 2key-3DES (double-length) working key. If this field contains a “D”, then

field 2 must be 32 bytes, or reference a volatile table location that contains a 2key-

3DES (double-length) key. If this field is not included, a 1key-3DES (single-length)

working key will be generated.

<10#Variant#[EMFK.0(KEK)]#[Key Length#]>

<20#EMFK.V(Working Key)#EKEK.V(Working Key)#

Working Key Check Digits#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-5

Generate Working Key, Any Type (Command 10)

Responding Parameters

Field 0, the response identifier.

EMFK.V(Working Key)

Field 1, the working key encrypted using the variant of the MFK specified when you

issued the command. The host application stores this cryptogram on its local

database for subsequent use. This field contains a 16 or 32 byte hexadecimal

value.

EKEK.V(Working Key)

Field 2, the working key encrypted using the variant of the KEK specified in field

one of the command. The host application transmits this cryptogram to the network

node that uses this KEK. This field contains either 16 or 32 byte hexadecimal

value, or if field 2 of the command is empty this field will be empty.

Working Key Check Digits

Field 3, check digits; the first four digits that result from encrypting zeros using the

working key. If option 88 is enabled, this field will contain the first six digits of the

result.

Usage Notes

Generate the KEK and obtain the cryptogram of it encrypted under variant zero of

the MFK. Store this cryptogram in your host application database.

Table 3-2. Command 10: Generate Working Key, Any Type

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 10

1 Variant (V) 1, 2 0 - 31

MFK.0(KEK)* 0, 16, 32 0 - 9, A - F

3 Key Length 0,1 S,D

*Can be a volatile table location.

Table 3-3. Response 20: Generate Working Key, Any Type

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 20

MFK.V(Working Key) 16, 32 0 - 9, A - F

KEK.V(Working Key) 0, 16, 32 0 - 9, A - F

3 Working Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-6

Generate Working Key, Any Type (Command 10)

Examples

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

This command generates a random working key therefore your test results will not

match these examples.

Generate a 1key-3DES (single-length) PIN Encryption Key.

Variant: 1.

Clear-text KEK: 0123 4567 89AB CDEF.

The KEK encrypted under variant 0 of the MFK: 9007 B875 1BB7 AB4E.

The command looks like this:

<10#1#9007B8751BB7AB4E#>

The Network Security Processor returns the following response:

<20#35F25A7EBD9F789A#80AD2AE8BCA3D9B6#255E#>

Generate a 2key-3DES (double-length) PIN Encryption Key.

Variant: 1.

Clear-text KEK: 0123 4567 89AB CDEF FEDC BA98 7654 3210.

The KEK encrypted under variant 0 of the MFK: 9007 B875 1BB7 AB4E 0B17

6C3E BEED 18AF.

The command looks like this:

<10#1#9007B8751BB7AB4E0B176C3EBEED18AF#D#>

The Network Security Processor returns the following response:

<20#10A0EA9CFCA1A165BF18BB2A3528DFD9#

335A6BA90E2D4B400C61C650F4699ED6#6F93#>

Generate a 2key-3DES (double-length) PIN Verification Key that is not encrypted

under the KEK.

Variant: 4.

The command looks like this:

<10#4##D#>

The Network Security Processor returns the following response:

<20#2A5133BC5DC0297BBEA70E1E2CF8DDEE##6F93#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-7

Translate Working Key For Distribution

(Command 11)

Translate Working Key For Distribution (Command 11)

Command 11 translates a working key of any type, from encryption using the specified

variant of the MFK to encryption using the specified variant of the KEK. Use this

command to export a working key to another node that uses Atalla Variant Network

Security Processors. Your node and the remote node must have the same KEK. This

command translates both 1key-3DES (single-length) and 2key-3DES (double-length)

working keys.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Variant

Field 1, the variant (V) of the MFK under which the working key has been

encrypted, and the variant to be applied when generating the output cryptogram

(Field 1 of the response). This field can be one or two bytes long and can contain

the numbers 0-31. See Key variants on page 2-2 for a list of supported variants.

EMFK.0(KEK)

Field 2, the cryptogram of the KEK on the network node to which this working key

will be transmitted. This field contains a 16 or 32 byte hexadecimal value, or a

volatile table location.

EMFK.V(Working Key)

Field 3, the cryptogram of the working key encrypted using the variant of the MFK

specified in Field 1. If this field contains a 2key-3DES (double-length) key, then

Field 2 must also contain a 2key-3DES (double-length) key, or a reference to a

volatile table location that contains a 2key-3DES (double-length) key. This field

contains a 16 or 32 byte hexadecimal value, or a volatile table location.

<11#Variant#EMFK.0(KEK)#EMFK.V(Working Key)#>

<21#EKEK.V(Working Key)#Working Key Check Digits#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-8

Translate Working Key For Distribution

(Command 11)

Responding Parameters

Response identifier.

EKEK.V(Working Key)

Field 1, the working key encrypted using the variant of the KEK specified in field

one of the command. This field contains a 16 or 32 byte hexadecimal value.

Working Key Check Digits

Field 2, check digits; the first four digits that result from encrypting zeros using the

working key. If option 88 is enabled, this field will contain the first six digits of the

result.

Usage Notes

This command is used for transmitting a working key from one network node to

another. Both nodes must use Atalla Variant Network Security Processors and

have the same KEK.

Generate the working key to be transmitted.

Table 3-4. Command 11: Translate Working Key for Distribution

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 11

1 Variant (V) 1, 2 0 - 31

MFK.0(KEK)* 16, 32 0 - 9, A - F

MFK.V(Working Key)* 16, 32 0 - 9, A - F

*Can be a volatile table location.

Table 3-5. Response 21: Translate Working Key for Distribution

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 21

KEK.V(Working Key) 16, 32 0 - 9, A - F

2 Working Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-9

Translate Working Key For Distribution

(Command 11)

Examples

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Translating a 1key-3DES (single-length) PIN Encryption Key (KPE).

Variant (V): 1.

Clear-text KEK: 1111 1111 1111 1111.

The KEK encrypted under variant 0 of the MFK: 4791 B313 B61D AC09.

Clear-text KPE: 0123 4567 89AB CDEF.

The KPE encrypted under variant 1 of the MFK: AE86 D417 E64E 07E0.

The command looks like this:

<11#1#4791B313B61DAC09#AE86D417E64E07E0#>

The Network Security Processor returns the following response:

<21#C1691433AA138864#D5D4#>

Translating a 2key-3DES (double-length) PIN Encryption Key (KPE).

Variant (V): 1.

Clear-text KEK: 1111 1111 1111 1111 2222 2222 2222 2222.

The KEK encrypted under variant 0 of the MFK: 4791 B313 B61D AC09 370B

E7D9 20BF 774C.

Clear-text KPE: 0123 4567 89AB CDEF FEDC BA98 7654 3210.

The KPE encrypted under variant 1 of the MFK: AE86 D417 E64E 07E0 BC62

A2AD 7251 6EA1.

The command looks like this:

<11#1#4791B313B61DAC09370BE7D920BF774C#

AE86D417E64E07E0BC62A2AD72516EA1#>

The Network Security Processor returns the following response:

<21#A7CD84EEB2AA0737EFD23931DC36DEFF#08D7#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-10

Translate Working Key For Local Storage

(Command 13)

Translate Working Key For Local Storage (Command 13)

Command 13 translates a working key from encryption using any KEK to encryption

using the MFK. Use this command to import a working key from another node that

uses Atalla Variant Network Security Processors. Your node and the remote node must

have the same KEK. This command translates both1key-3DES (single-length) and

2key-3DES (double-length) working keys.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Variant

Field 1, the variant (V) of the KEK under which the working key has been

encrypted, and also the variant to be applied to the MFK when generating the

output cryptogram (Field 1 of the response). This field can by one or two bytes long

and can contain the numbers 0 to 31. See Key variants on page 2-2 for a list of

supported variants.

Variant 0 is supported if option 65 is enabled.

EMFK.0(KEK)

Field 2, the KEK encrypted under variant 0 of the MFK. This key is used to protect

the working key during a key exchange with the transmitting node. This field

contains a 16 or 32 byte hexadecimal value, or a volatile table location. If field 3,

contains a 2key-3DES (double-length) key, this field must also be a 2key-3DES

(double-length) key, or a reference to a volatile table location that contains a 2key-

3DES (double-length) key.

EKEK.V(Working Key)

Field 3, the cryptogram of the working key sent from the remote node. It is

encrypted using the variant of the KEK specified in Field 1. This field contains a 16

or 32 byte hexadecimal value, or a volatile table location.

<13#Variant#EMFK.0(KEK)#EKEK.V(Working Key)#>

<23#EMFK.V(Working Key)#Working Key Check Digits#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-11

Translate Working Key For Local Storage

(Command 13)

Responding Parameters

Field 0, the response identifier.

EMFK.V(Working Key)

Field 1, the working key, decrypted using the variant specified when you issued the

command and re-encrypted using the same variant of the MFK. This field contains

a 16 or 32 byte hexadecimal value

Working Key Check Digits

Field 2, check digits; the first four digits that result from encrypting zeros using the

working key. If option 88 is enabled, this field will contain the first six digits of the

result.

Usage Notes

This command is used to receive a working key that has been transmitted from

another node that uses Atalla Variant Network Security Processors.

Generate the Key Exchange Key.

Table 3-6. Command 13: Translate Working Key for Local Storage Switch-to-

Switch

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 13

1 Variant (V) 1, 2 0 - 31

MFK.0(KEK)* 16, 32 0 - 9, A - F

KEK.V(Working Key)* 16, 32 0 - 9, A - F

*Can be a volatile table location.

Table 3-7. Response 23: Translate Working Key for Local Storage Switch-to-

Switch

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 23

MFK.V(Working Key) 16, 32 0 - 9, A - F

2 Working Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-12

Translate Working Key For Local Storage

(Command 13)

Examples

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Translating a 1key-3DES (single-length) PIN Encryption Key.

Variant (V): 1.

Clear-text KEK: 1111 1111 1111 1111.

The KEK encrypted under variant 0 of the MFK: 4791 B313 B61D AC09.

Clear-text KPE: 0123456789ABCDEF.

The KPE encrypted under variant 1 of the KEK: C169 1433 AA13 8864.

The command looks like this:

<13#1#4791B313B61DAC09#C1691433AA138864#>

The Network Security Processor returns the following response:

<23#AE86D417E64E07E0#D5D4#>

Translating a 2key-3DES (double-length) PIN Encryption Key.

Variant (V): 1.

Clear-text KEK: 1111 1111 1111 1111 2222 2222 2222 2222.

The KEK encrypted under variant 0 of the MFK: 4791 B313 B61D AC09 370B

E7D9 20BF 774C.

Clear-text KPE: 0123 4567 89AB CDEF FEDC BA98 7654 3210.

The KPE encrypted under variant 1 of the KEK: A7CD 84EE B2AA 0737 EFD2

3931 DC36 DEFF.

The command looks like this:

<13#1#4791B313B61DAC09370BE7D920BF774C#

A7CD84EEB2AA0737EFD23931DC36DEFF#>

The Network Security Processor returns the following response:

<23#AE86D417E64E07E0BC62A2AD72516EA1#08D7#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-13

Load ATM Master Key – Diebold (Command 14)

Command 14 – Diebold, encrypts the ATM master key using an Encryption Key for

downloading to Diebold ATMs. This command supports 1key-3DES (single-length) or

2key-3DES (double-length) working keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ATM identifier; in this command, Diebold.

Variants

Field 2, the MFK variants, I and V, appropriate for the input keys. The I value

pertains to the master key to be downloaded; the V value pertains to the encryption

key already established in the ATM.

The following types of keys and their corresponding variants can be downloaded.

Types of ATM Master Key to be Downloaded:

<14#1#Variants#EMFK.I(Master Key)#EMFK.V(Encryption Key)#>

<24#1#EEncryption Key(Master Key)#Master Key Check Digits#>

[CRLF]

Key Type Variant

MAC Master Key 1

PIN Master Key 5

VISA Master Key 5

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-14

Load ATM Master Key – Diebold (Command 14)

The following keys and their corresponding variants can exist in the ATMs:

EMFK.I(Master Key)

Field 3, the ATM master key encrypted using the proper variant of the MFK. This

field contains a 16 or 32 byte hexadecimal value, or a volatile table location. This

key can not be a replicated 1key-3DES (single-length) key.

EMFK.V(Encryption Key)

Field 4, the cryptogram of the key under which the ATM master key is to be

encrypted. This key is encrypted using the proper variant of the MFK. This field

contains a 16 or 32 byte hexadecimal value, or a volatile table location. The length

of this key has to be equal or greater than the length of the Master Key and can not

be a replicated 1key-3DES (single-length) key.

Responding Parameters

Field 0, the response identifier.

Field 1, the ATM identifier; in this command, Diebold.

EEncryption Key(Master Key)

Field 2, the master key value encrypted using the encryption key. No variant is

associated with this encryption because the ATM does not support key variants.

This field contains a 16 byte hexadecimal value.

Key Type Variant

Communications Key, KC 1

ATM A Key 5

PIN Master Key-1 5

VISA Master Key-1 5

Table 3-8. Command 14: Load ATM Master Key – Diebold

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 14

1 ATM identifier (Diebold) 1 1

2 Variants (I, V) 2 1, 5

MFK.I(Master Key)* 16, 32 0 - 9, A - F

MFK.V(Encryption Key)* 16, 32 0 - 9, A - F

*Can be a volatile table location.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-15

Load ATM Master Key – Diebold (Command 14)

Master Key Check Digits

Field 3, check digits; the first four digits that result from encrypting zeros using the

master key. If option 88 is enabled, this field will contain the first six digits of the

result.

Usage Notes

Perform the following tasks before using Command 14:

Manually load the ATM with its initial keys.

Generate the appropriate key for encrypting the ATM master key and encrypt it

using the proper variant of the MFK.

Generate the ATM master key.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Loading an ATM master key.

Variant (I): 1.

Variant (V): 5.

Clear-text Master Key: 3333 3333 3333 3333 5555 6666 7777 8888.

The Master Key encrypted under variant 1 of the MFK:3219 92E9 44B0 F423

1DE1 CF68 9E96 99D6.

Clear-text Encryption Key: 1111 1111 1111 1111 0123 4567 89AB CDEF.

The Encryption Key encrypted under variant 5 of the MFK:118A 17BA 953B D16C

608FC3DD BDDA 3E56.

The command looks like this:

<14#1#15#321992E944B0F4231DE1CF689E9699D6#118A17BA953BD16C608

FC3DDBDDA3E56#>

The Network Security Processor returns the following response:

<24#1#CA652727D7ECC3FF29D072B935BEC86E#B15B#>

Table 3-9. Response 24: Load ATM Master Key – Diebold

Field # Contents

Length

(bytes) Legal Characters

0 Response identifier 2 24

1 ATM identifier (Diebold) 1 1

Encryption Key(Master Key) 16, 32 0 - 9, A - F

3 Master Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-16

Load ATM Master Key – IBM 3624 (Command 14)

Command 14 – IBM 3624, encrypts the ATM master key for downloading to an

IBM 3624 ATM. This command supports only 1key-3DES (single-length) working keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ATM identifier; in this command, IBM 3624.

EMFK.5(KM)

Field 2, the ATM master key encrypted under variant 5 of the MFK. This field

contains a 16 byte hexadecimal value, or a volatile table location.

EMFK.1(K1)

Field 3, the ATM A key (K1) encrypted under variant 1 of the MFK. This field

contains a 16 byte hexadecimal value, or a volatile table location.

EMFK.2(K2)

Field 4, the ATM communications key (K2) encrypted under variant 2 of the MFK.

This field contains a 16-byte hexadecimal value, or a volatile table location.

Message

Field 5, bytes five to eight in the IBM 3624 request message, represented as eight

hexadecimal characters.

<14#3#EMFK.5(KM)#EMFK.1(K1)#EMFK.2(K2)#Message#>

<24#3#IBM 3624 Message#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-17

Load ATM Master Key – IBM 3624 (Command 14)

Responding Parameters

Field 0, the response identifier.

Field 1, the ATM identifier; in this command, IBM 3624.

IBM 3624 Message

Field 2, the result of the partial double-encryption process defined in IBM key

management. This result is formed using the following steps.

1. First, the ATM master key is encrypted using the ATM A key. This is denoted

as EK1(KM), where K1 is the ATM A key and KM is the ATM master key to be

downloaded.

2. Let L4 represent the leftmost 4 bytes of EK1(KM) and let R4 represent the

rightmost 4 bytes of EK1(KM). Each value – L4 and R4 – is 8 hexadecimal

characters long.

The four variable bytes in Field 5 of the command are concatenated to the left

of L4, forming an eight byte (that is, 16 hexadecimal character) field, denoted

as follows.

[(4 Var Bytes) || L4]

This field is then encrypted using the ATM communication key, K2. The result

of this encryption is denoted as follows.

EK2[(4 Var Bytes) || L4]

Table 3-10. Command 14: Load ATM Master Key – IBM 3624

Field # Contents Length (bytes) Legal Characters

0 Command Identifier 2 14

1 ATM identifier (IBM 3624) 1 3

MFK.5(KM)* 16 0-9, A-F

MFK.1(K1)* 16 0 - 9, A - F

MFK.2(K2)* 16 0 - 9, A - F

5 Message 8 0 - 9, A - F

*Can be a volatile table location.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-18

Load ATM Master Key – IBM 3624 (Command 14)

3. R4 is concatenated to the right of the encrypted result of step two, denoted as

follows.

EK2[(4 Var Bytes) || L4] || R4

This result is the 12 byte (that is, 24 hexadecimal character) field that is sent to

the IBM 3624 ATM.

Usage Notes

Before using Command 14, generate the ATM Master Key (MK), ATM A key (K1) and

the ATM communications key (K2).

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Loading an ATM master key.

Clear-text Master Key: 1111 1111 1111 1111.

The Master Key encrypted under variant 5 of the MFK: 118A 17BA 953B D16C.

Clear-text ATM A Key (K1): 2222 2222 2222 2222.

The ATM A Key (K1) encrypted under variant 1 of the MFK: C880 88CB 8FE8

46FE.

Clear-text ATM Communications Key (K2): 3333 3333 3333 3333.

The ATM Communications Key (K2) encrypted under variant 2 of the MFK: C22F

5A1F 22D1 ABF1.

Message: 56789ABC.

The command looks like this:

<14#3#118A17BA953BD16C#C88088CB8FE846FE#C22F5A1F22D1ABF1#

56789ABC#>

The Network Security Processor returns the following response:

<24#3#2B41AE49E5C8E28F811DA672#>

Table 3-11. Response 24: Load ATM Master Key – IBM 3624

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 24

1 ATM identifier (IBM 3624) 1 3

2 IBM 3624 Message 24 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-19

Load ATM Master Key – IBM 4731 (Command 14)

Command 14 – IBM 4731, generates an IBM 4731 ATM master key (KM). This

command supports 1key-3DES (single-length) or 2key-3DES (double-length) working

keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ATM identifier; in this command, IBM 4731.

EMFK.0(Exchange Key)

Field 2, the Exchange Key encrypted under variant 0 of the MFK. This key is used

to encrypt the cryptogram of the generated ATM master key encrypted under the

Initial Master Key. This field contains a 16 or 32 byte hexadecimal value, or a

volatile table location. The length of this key has to be equal or greater than the

length of the Initial Master Key. If the Key Length field contains a value of 2

(generate 2key-3DES working key), the KEK has to be 2key-3DES (double-length)

and can not be a replicated 1key-3DES (single-length) key.

<14#4#EMFK.0(Exchange Key)#EMFK.0(Initial Master Key)#

Message#[Key Length#]>

<24#4#EMFK.1(ATM Master Key)#

EMFK.2(EInitial Master Key(ATM Master Key))#

EExchange Key(EInitial Master Key(ATM Master Key))#

E(EInitial Master Key(ATM Master Key))(message type/date)#

Exchange Key Check Digits#Initial Master Key Check Digits#

ATM Master Key Check Digits#

ATM Master Key encrypted under Initial Master Key Check

Digits#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-20

Load ATM Master Key – IBM 4731 (Command 14)

EMFK.0(Initial Master Key)

Field 3, the Initial Master Key encrypted under variant 0 of the MFK. This key is

used to encrypt the generated ATM Master Key. This field contains a 16 or 32 byte

hexadecimal value, or a volatile table location. The length of this key has to be

equal or greater than the length of the ATM Master Key. If the Key Length field

contains a value of 2 (generate 2key-3DES working key), the Master Key has to be

2key-3DES (double-length) and can not be a replicated 1key-3DES (single-length)

key.

Message

Field 4, the message type/date in binary form. This field contains an 8 byte binary

value, where each character represents one byte.

[Key Length#]

Field 5, length of the generated IBM 4731 ATM master key. This is an optional

field. If used, it can be one byte long and can be empty, or contain the numbers 1

(to generate 1key-3DES key) or 2 (to generate 2key-3DES key). If this field is not

present in the command, the default 1key-3DES key will be generated.

Responding Parameters

Field 0, the response identifier.

Field 1, the ATM identifier; in this command, IBM 4731.

EMFK.1(ATM Master Key)

Field 2, the generated ATM Master Key encrypted under variant 1 of the MFK. This

field contains a 16 or 32 byte hexadecimal value.

Table 3-12. Command 14: Load ATM Master Key – IBM 4731

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 14

1 ATM identifier (IBM 4731) 1 4

MFK.0(Exchange Key)* 16, 32 0 - 9, A - F

MFK.0(Initial Master Key)* 16, 32 0 - 9, A - F

4 Message 8 Binary

5 [Key Length] 0,1 empty, 1-2

*Can be a volatile table location.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-21

Load ATM Master Key – IBM 4731 (Command 14)

EMFK.2(EInitial Master Key(ATM Master Key))

Field 3, the generated ATM Master Key encrypted under the Initial Master Key.

This cryptogram is then encrypted under variant 2 of the MFK. This field contains a

16 or 32 byte hexadecimal value.

EExchange Key(EInitial Master Key(ATM Master Key))

Field 4, the generated ATM Master Key encrypted under the Initial Master Key.This

cryptogram is then encrypted under the Exchange Key. This field contains a 16 or

32 byte hexadecimal value.

E(EInitial Master Key(ATM Master Key))(message type/date)

Field 5, the generated ATM Master Key encrypted under the Initial Master Key.

This cryptogram is then used to encrypt the message type/date. This field contains

a 16 byte hexadecimal value.

Exchange Key Check Digits

Field 6, check digits; the first four digits that result from encrypting zeros using the

Exchange Key. If option 88 is enabled, this field will contain the first six digits of the

result.

Initial Master Key Check Digits

Field 7, check digits; the first four digits that result from encrypting zeros using the

Initial Master Key. If option 88 is enabled, this field will contain the first six digits of

the result.

Master Key Check Digits

Field 8, check digits; the first four digits that result from encrypting zeros using ATM

Master Key. If option 88 is enabled, this field will contain the first six digits of the

result.

Cryptogram Check Digits

Field 9, check digits; the first four digits that result from encrypting zeros using the

cryptogram of the ATM Master Key encrypted under the Initial Master Key. If option

88 is enabled, this field will contain the first six digits of the result.

Table 3-13. Response 24: Load ATM Master Key – IBM 4731 (page 1 of 2)

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 24

1 ATM identifier (IBM 4731) 1 4

MFK.1(Master Key) 16, 32 0 - 9, A - F

MFK.2(EInitial Master Key(Master Key)) 16, 32 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-22

Load ATM Master Key – IBM 4731 (Command 14)

Usage Notes

Before using Command 14, generate the Initial Master Key (KI) and the KEK (KX).

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

This example generates a random ATM Master Key your result will be different.

Generating an IBM 4731 ATM Master Key.

Clear-text Exchange Key (KX): 0123 4567 89AB CDEF FEDC BA98 7654 3210.

The Exchange Key encrypted under variant 0 of the MFK: 9007 B875 1BB7 AB4E

0B176C3EBEED18AF.

Clear-text Initial Master key (KI): 1111 2222 3333 4444 0123 4567 89AB CDEF.

The Initial Master Key encrypted under variant 0 of the MFK: 45ED 2536 2B16

0750 9007 B875 1BB7 AB4E.

Message: 01234567

The command looks like this:

<14#4#9007B8751BB7AB4E0B176C3EBEED18AF#45ED25362B1607509007B8

751BB7AB4E#01234567#1#>

The Network Security Processor returns the following response:

<24#4#C74B7C95BACD75BC#E2DE3E4599DE60F3#0466F2C849DDA497#

06E639A3F8267CBD#08D7#0389#9024#D8F0#>

Exchange Key(EInitial Master Key(ATM

Master Key))

16, 32 0 - 9, A - F

5E(E

Initial Master Key(ATM Master Key))

(message type/date)

16 0 - 9, A - F

6 Exchange Key Check Digits 4 or 6 0 - 9, A - F

7 Initial Master Key Check Digits 4 or 6 0 - 9, A - F

8 ATM Master Key Check Digits 4 or 6 0 - 9, A - F

9 Cryptogram Check Digits 4 or 6 0 - 9, A - F

Table 3-13. Response 24: Load ATM Master Key – IBM 4731 (page 2 of 2)

Field # Contents Length (bytes) Legal Characters

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-23

Change ATM Communications Key – Diebold

(Command 15)

Change ATM Communications Key – Diebold (Command 15)

Command 15 – Diebold, encrypts a communications key for downloading to a Diebold

ATM. This command supports 1key-3DES (single-length) or 2key-3DES (double-

length) working keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ATM identifier; in this command, Diebold.

Variant

Field 2, the MFK variant, V, (1 or 5) under which the encrypting key was encrypted.

This field contains a 1 byte decimal value which can be either 1 or 5.

EMFK.1(KC)

Field 3, the new Communications Key encrypted under variant 1 of the MFK. This

field contains a 16 or 32 byte hexadecimal value, or a volatile table location and

can not be a replicated 1key-3DES (single-length) key.

EMFK.V(P)

Field 4, the encryption key encrypted under variant 1 or 5 of the MFK. This key is

used to encrypt the new communications key. If the variant specified in Field 2 is 1,

then P represents the old communications key. If the variant specified in Field 2 is

5, then P represents the PIN master key. The length of this key has to be equal or

greater than the length of the Communication Key, and can not be a replicated

1key-3DES (single-length) key.

<15#1#Variant#EMFK.1(Communications Key)#EMFK.V(P)#>

<25#1#EP(KC)#Communications Key Check Digits#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-24

Change ATM Communications Key – Diebold

(Command 15)

Responding Parameters

Field 0, the response identifier.

Field 1, the ATM identifier; in this command, Diebold.

EP(KC)

Field 2, the new Communications Key encrypted using the encryption key for

downloading.

Communications Key Check Digits

Field 3, check digits; the first four digits that result from encrypting zeros using the

communications key. If option 88 is enabled, this field will contain the first six digits

of the result.

Table 3-14. Command 15: Change ATM Communications Key – Diebold

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 15

1 ATM identifier 1 1

2 Variant (V) 1 1, 5

MFK.V(KC)* 16, 32 0 - 9, A - F

MFK.V(P)* 16, 32 0 - 9, A - F

*Can be a volatile table location.

Table 3-15. Response 25: Change ATM Communications Key – Diebold

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 25

1 ATM identifier (Diebold) 1 1

P(KC) 16, 32 0 - 9, A - F

3 Communications Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-25

Change ATM Communications Key – Diebold

(Command 15)

Usage Notes

The communications key in a Diebold ATM is used to encrypt PINs; therefore,

although the term communications key is used for this key, it is supported in the

Atalla key management scheme as a PIN encryption key.

Generate the encryption key which will be used to encrypt the new

Communications Key. That is, either the previous communications key or the PIN

master key.

Generate the new Communications Key (KC). The communications key can be

randomly generated using Command 10.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Changing an ATM Communications Key.

Variant: 1.

Clear-text new Communications Key: 0123456789ABCDEF 1111222233334444.

The new Communications Key encrypted under variant 1 of the MFK:

AE86D417E64E07E0 D538A881DE91EAF1.

Clear-text Encryption Key (P):3333 3333 3333 3333 5555 6666 7777 8888.

The Encryption Key encrypted under variant 1 of the MFK: 321992E944B0F423

1DE1CF689E9699D6.

The command looks like this:

<15#1#1#AE86D417E64E07E0D538A881DE91EAF1#321992E944B0F4231DE1

CF689E9699D6#>

The Network Security Processor returns the following response:

<25#1#4DEB22EE1652AA8A216FF8BA794E8AFD#4E15#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-26

Change ATM Communications Key – Docutel

(Command 15)

Change ATM Communications Key – Docutel (Command 15)

Command 15 – Docutel, encrypts a Communications Key for downloading to a Docutel

ATM. This command supports 1key-3DES (single-length) or 2key-3DES (double-

length) working keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ATM identifier; in this command, Docutel.

EMFK.1(KC)

Field 2, the Communications Key encrypted under variant 1 of the MFK. This is the

key to be downloaded to the ATM. This field contains a 16 or 32 byte hexadecimal

value, or a volatile table location and can not be a replicated 1key-3DES (single-

length) key.

EMFK.5(KM)

Field 3, the ATM Master Key encrypted under variant 5 of the MFK. This key is

used to encrypt the new Communications Key. This field contains a 16 or 32 byte

hexadecimal value, or a volatile table location and can not be a replicated 1key-

3DES (single-length) key. If field 2 contains a 2key-3DES (double-length) key this

field must also contain a 2key-3DES key.

<15#2#EMFK.1(Communications Key)#EMFK.5(ATM Master Key)#>

<25#2#EMaster Key(Communications Key)#

Communications Key Check Digits#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-27

Change ATM Communications Key – Docutel

(Command 15)

Responding Parameters

Field 0, the response identifier.

Field 1, the ATM identifier; in this command, Docutel.

EMaster Key(Communications Key)

Field 2, the Communications Key encrypted under the ATM master key. This field

contains a 16 byte hexadecimal value.

Communications Key Check Digits

Field 3, the result of encrypting 0123 4567 89AB CDEF using the Communications

Key. This field contains a 16 byte hexadecimal value.

Usage Notes

The communications key on a Docutel ATM is used to encrypt PINs; therefore,

although the term communications key is used for this key, it is supported in the

Atalla key management scheme as a PIN encryption key (KPE).

Generate the ATM master key.

Generate the new communications key (KC). The communications key can be

randomly generated using Command 10.

Table 3-16. Command 15: Change ATM Communications Key – Docutel

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 15

1 ATM identifier (Docutel) 1 2

MFK.1(Communications Key)* 16 or 32 0 - 9, A - F

MFK.5(ATM Master Key)* 16 or 32 0 - 9, A - F

*Can be a volatile table location.

Table 3-17. Response 25: Change ATM Communications Key – Docutel

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 25

1 ATM identifier (Docutel) 1 2

KM(KC) 16 or 32 0 - 9, A - F

KC(01234...EF) 16 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-28

Change ATM Communications Key – Docutel

(Command 15)

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Changing the primary node's ATM communications key.

Clear-text Communications Key: 1111 1111 1111 1111.

The Communications Key encrypted under variant 1 of the MFK: C628 3830

AE9E 875A.

Clear-text ATM Master Key: 2222 2222 2222 2222.

The ATM Master Key encrypted under variant 5 of the MFK: EA45 F59C 6242

F687.

The command looks like this:

<15#2#C6283830AE9E875A#EA45F59C6242F687#>

The Network Security Processor returns the following response:

<25#2#08024FCF811DA672#8A5AE1F81AB8F2DD#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-29

Change ATM Communications Key – IBM 3624

(Command 15)

Change ATM Communications Key – IBM 3624 (Command 15)

Command 15 – IBM 3624, encrypts a communications key for downloading to an IBM

3624 ATM. This command supports only 1key-3DES (single-length) working keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ATM identifier; in this command, IBM 3624.

EMFK.2(Communications Key)

Field 2, the Communications Key encrypted under variant 2 of the MFK. This field

contains a 16 byte hexadecimal value, or a volatile table location.

EMFK.V(P)

Field 3, either the ATM Master Key (KM) encrypted under variant 1 of the MFK, or

the old communications key (KC-1) encrypted under variant 2 of the MFK. This

field contains a 16 byte hexadecimal value, or a volatile table location. The

contents of this field depend on the value of Field 6.

EMFK.2(Communications Key-1)

Field 4, the old Communications Key (KC-1) encrypted under variant 2 of the MFK.

This field contains a 16-byte hexadecimal value, or a volatile table location.

Message

Field 5, bytes five to eight of the IBM 3624 request message, represented as eight

hexadecimal characters.

<15#3#EMFK.2(Communications Key)#EMFK.I(P)#

EMFK.2(Communications Key-1)#Message#Variant#>

<25#3#IBM 3624 Message#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-30

Change ATM Communications Key – IBM 3624

(Command 15)

Variant

Field 6, the variant that applies to Field 3. This field contains a 1 byte decimal

value which can be either 1 or 2.

Responding Parameters

Field 0, the response identifier.

Field 1, the ATM identifier; in this command, IBM 3624.

IBM 3624 Message

Field 2, the result of the partial double encryption process defined in IBM key

management. This is formed using the following steps.

1. First, the communications key, KC, is encrypted using the appropriate key, P.

The result, EP(KC), is divided into two parts, L4 and R4.

2. The four variable bytes of Field 5 in the command are concatenated to the left

of L4, denoted as follows.

(4 Var Bytes) || L4

The result is then encrypted using the old communications key, KC-1, denoted

as follows.

EKC-1[(4 Var Bytes) || L4]

3. R4 is then concatenated to the right of this encrypted result to obtain KC-1,

denoted as follows.

Table 3-18. Command 15: Change ATM Communications Key – IBM 3624

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 15

1 ATM identifier (IBM 3624) 1 3

MFK.2(Communications Key)* 16 0 - 9, A - F

MFK.V(P)* 16 0 - 9, A - F

MFK.2(old Communications Key)* 16 0 - 9, A - F

5 Message 8 0 - 9, A - F

6 Variant (V) 1 1, 2

*Can be a volatile table location.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-31

Change ATM Communications Key – IBM 3624

(Command 15)

EKC-1[(4 Var Bytes) || L4] || R4

This result is the 12 byte (that is, 24 hexadecimal character) field that is sent to

the 3624 ATM.

Usage Notes

The communications key on an IBM 3624 ATM is used to encrypt data; therefore it

is encrypted under variant 2 of the MFK.

Generate the encryption key to be downloaded.

Generate both the old and new communications keys.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Changing the primary node's ATM communications key.

Clear-text Communications Key (KC): 0123 4567 89AB CDEF.

The Communications Key encrypted under variant 2 of the MFK: 80BC DEAC

5703 BC84.

Clear-text ATM Master Key: 3333 3333 3333 3333.

The ATM Master Key encrypted under variant 1 of the MFK:3219 92E9 44B0 F423.

Clear-text old Communications Key (KC-1): 0123456789ABCDEF.

The old Communications Key (KC-1) encrypted under variant 2 of the MFK: 80BC

DEAC 5703 BC84.

IBM 3624 request message: 12345678.

Variant: 1.

The command looks like this:

<15#3#80BCDEAC5703BC84#321992E944B0F423#80BCDEAC5703BC84#

12345678#1#>

The Network Security Processor returns the following response:

<25#3#11581BCF707F368E06463E6C#>

Table 3-19. Response 15: Change ATM Communications Key – IBM 3624

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 25

1 ATM identifier (IBM 3624) 1 3

2 IBM 3624 message 24 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-32

Change ATM Communications Key – IBM 4731

(Command 15)

Change ATM Communications Key – IBM 4731 (Command 15)

Command 15 – IBM 4731, generates a random communication key (KC) for

downloading to an IBM 4731 ATM. This command supports 1key-3DES (single-length)

or 2key-3DES (double-length) working keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ATM identifier; in this command, IBM 4731.

EMFK.0(Exchange Key)

Field 2, the Exchange Key encrypted under variant 0 of the MFK. This key is used

to encrypt the generated Communications Key. This field contains a 16 or 32 byte

hexadecimal value. The length of this Exchange Key has to be equal or greater

than the length of the Communications Key. If the Key Length field contains a value

of 2 (generate 2key-3DES working key), the Exchange Key has to be 2key-3DES

(double-length) and can not be a replicated 1key-3DES (single-length) key.

Message

Field 3, the message type/date in binary form. This field contains an 8 byte binary

value.

[Key Length]

Field 4, length of the generated IBM 4731 ATM master key. This is an optional

field. If used, it can be one byte long and can be empty, or contain the number 1 (to

<15#4#EMFK.0(Exchange Key)#Message#[Key Length]#>

<25#4#EMFK.3(Communications Key)#

EExchange Key(Communications Key)#ECommunications Key(message)#

Communications Key Check Digits#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-33

Change ATM Communications Key – IBM 4731

(Command 15)

generate 1key-3DES key) or 2 (to generate 2key-3DES key). If this field is not

present in the command, the default 1key-3DES key will be generated.

Responding Parameters

Field 0, the response identifier.

Field 1, the ATM identifier; in this command, IBM 4731.

EMFK.3(KC)

Field 2, the generated Communications Key (KC) encrypted under variant 3 of the

MFK. This field contains a 16 or 32 byte hexadecimal value.

EKX(KC)

Field 3, the generated Communications Key (KC) encrypted under the Exchange

Key. This field contains a 16 or 32 byte hexadecimal value.

EKC(message)

Field 4, the message type/date encrypted under the generated Communications

Key (KC). This field contains a 16 byte hexadecimal value.

Communications Key Check Digits

Field 5, check digits; the first four digits that result from encrypting zeros using the

Communications Key. If option 88 is enabled, this field will contain the first six digits

of the result.

Table 3-20. Command 15: Change ATM Communications Key – IBM 4731

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 15

1 ATM identifier (IBM 4731) 1 4

MFK.0(Exchange Key)* 16, 32 0 - 9, A - F

3 Message 8 any (binary)

4 [Key Length] 0, 1 empty, 1-2

*Can be a volatile table location.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-34

Change ATM Communications Key – IBM 4731

(Command 15)

Usage Notes

Before using the command, generate the Exchange Key.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

This command generates a random communications key, your test results will be

different.

Changing the primary node's ATM communications key.

Clear-text Exchange Key (KX): 0123 4567 89AB CDEF 1111 2222 3333 4444.

The Exchange Key (KX) encrypted under variant 0 of the MFK: 9007 B875 1BB7

AB4E 45ED 2536 2B16 0750.

Message: 01234567

The command looks like this:

<15#4#9007B8751BB7AB4E45ED25362B160750#01234567#1#>

The Network Security Processor returns the following response:

<25#4#9986C1DB8ABE561D#CE7A35D9A2787D86#60EF4DE29208C532#

E6C0#>

Table 3-21. Response 25: Change ATM Communications Key – IBM 4731

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 25

1 ATM identifier (IBM 4731) 1 4

MFK.3(KC) 16, 32 0 - 9, A - F

Exchange Key(Communications Key) 16, 32 0 - 9, A - F

Communications Key(Message) 16 0 - 9, A - F

5 Communications Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-35

Encrypt Financial Institution Table – Diebold

(Command 16)

Encrypt Financial Institution Table – Diebold (Command 16)

Command 16 – Diebold, encrypts keys to be downloaded to Diebold ATMs’ financial

institution tables (FITs). This command supports only 1key-3DES (single-length)

working keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ATM identifier; in this command, Diebold.

Variant

Field 2, the variant (V) to be applied to the MFK when encrypting the key to be

downloaded. This field contains a 1 byte decimal value which can be either 2 or 5.

EMFK.V(P)

Field 3, the key to be downloaded to the ATM, encrypted using the variant of the

MFK specified in Field 2. This field contains a 16 byte hexadecimal value, or a

volatile table location.

EMFK.5(Q)

Field 4, the key used to encrypt the Financial Institution Table entry. This key is

encrypted under variant 5 of the MFK. This field contains a 16 byte hexadecimal

value, or a volatile table location.

<16#1#Variant#EMFK.V(P)#EMFK.5(Q)#>

<26#1#EQ(P)#Check Digits of P#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-36

Encrypt Financial Institution Table – Diebold

(Command 16)

Responding Parameters

Field 0, the response identifier.

Field 1, the ATM identifier; in this case, Diebold.

EQ(P)

Field 2, the FIT key to be downloaded, encrypted using either the PIN master key

(PMK) or the VISA master key (VMK). This field contains a 16 byte hexadecimal

value.

Check Digits of P

Field 3, check digits; the first four digits that result from encrypting zeros using the

encrypting key. If option 88 is enabled, this field will contain the first six digits of the

result.

Usage Notes

Each execution of this command encrypts a single key for a FIT entry.

Generate the encrypting key.

Table 3-22. Command 16: Encrypt Financial Institution Table – Diebold:

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 16

1 ATM identifier (Diebold) 1 1

2 Variant (V) 1 2, 5

MFK.V(P)* 16 0 - 9, A - F

MFK.5(Q)* 16 0 - 9, A - F

*Can be a volatile table location.

Table 3-23. Response 26: Encrypt Financial Institution Table – Diebold

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 26

1 ATM identifier (Diebold) 1 1

Q(P) 16 0 - 9, A - F

3 Check Digits of P 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-37

Encrypt Financial Institution Table – Diebold

(Command 16)

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Changing the primary node's ATM communications key.

Clear-text FIT Key (P): 3333 3333 3333 3333.

The FIT Key encrypted under variant 2 of the MFK: C22F 5A1F 22D1 ABF1.

Clear-text Encrypting Key (Q): 1111 1111 1111 1111.

The Encrypting Key encrypted under variant 5 of the MFK:118A 17BA 953B D16C.

The command looks like this:

<16#1#2#C22F5A1F22D1ABF1#118A17BA953BD16C#>

The Network Security Processor returns the following response:

<26#1#F679786E2411E3DE#ADC6#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-38

Encrypt Financial Institution Table – Docutel

(Command 16)

Encrypt Financial Institution Table – Docutel (Command 16)

Command 16 – Docutel, encrypts keys to be downloaded to Docutel ATM’s financial

institution tables (FITs). This command supports only 1key-3DES (single-length)

working keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ATM identifier; in this command, Docutel.

EMFK.5(PIN Verification Key)

Field 2, the PIN Verification Key (KPV) encrypted under variant 5 of the MFK. This

field contains a 16 byte hexadecimal value, or a volatile table location.

EMFK.5(ATM Master Key)

Field 3, the ATM Master Key encrypted under variant 5 of the MFK. This key is

used to encrypt the PIN Verification Key. This field contains a 16 byte hexadecimal

value, or a volatile table location.

<16#2#EMFK.5(PIN Verification Key)#EMFK.5(ATM Master Key)#>

<26#2#EATM Master Key(PIN Verification Key)#

PIN Verification Key Check Digits#>[CRLF]

Table 3-24. Command 16: Encrypt Financial Institution Table – Docutel

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 16

1 ATM identifier (Docutel) 1 2

MFK.5(PIN Verification Key)* 16 0 - 9, A - F

MFK.5(ATM Master Key)* 16 0 - 9, A - F

*Can be a volatile table location.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-39

Encrypt Financial Institution Table – Docutel

(Command 16)

Responding Parameters

Field 0, the response identifier.

Field 1, the ATM identifier; in this command, Docutel.

EKM(KP)

Field 2, the PIN Verification Key encrypted under the ATM Master Key. This field

contains a 16 byte hexadecimal value.

PIN Verification Key Check Digits

Field 3, check digits; the first four digits that result from encrypting zeros using the

PIN Verification Key. If option 88 is enabled, this field will contain the first six digits

of the result.

Usage Notes

Before using Command 16, generate the PIN Verification Key (KPV) and the ATM

Master Key (KM).

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Changing the primary node's ATM communications key.

Clear-text PIN Verification Key: 2222 2222 2222 2222.

The PIN Verification Key encrypted under variant 5 of the MFK: EA45 F59C 6242

F687.

Clear-text ATM Master Key: 1111 1111 1111 1111.

The ATM Master Key encrypted under variant 5 of the MFK: 118A 17BA 953B

D16C.

Table 3-25. Response 26: Encrypt Financial Institution Table – Docutel

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 26

1 ATM identifier (Docutel) 1 2

ATM Master Key(PIN Verification Key) 16 0 - 9, A - F

3 PIN Verification Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-40

Encrypt Financial Institution Table – Docutel

(Command 16)

The command looks like this:

<16#2#EA45F59C6242F687#118A17BA953BD16C#>

The Network Security Processor returns the following response:

<26#2#950973182317F80B#0096#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-41

Encrypt Financial Institution Table – IBM 3624

(Command 16)

Encrypt Financial Institution Table – IBM 3624 (Command 16)

Command 16 – IBM 3624 encrypts keys to be downloaded to IBM 3624 ATMs'

financial institution tables (FITs). This command supports only 1key-3DES (single-

length) working keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ATM identifier; in this command, IBM 3624.

EMFK.5(KPV)

Field 2, the PIN Verification Key encrypted under variant 5 of the MFK. This field

contains a 16 byte hexadecimal value, or a volatile table location.

EMFK.1(ATM Master Key)

Field 3, the ATM Master Key encrypted under variant 1 of the MFK. This field

contains a 16 byte hexadecimal value, or a volatile table location.

<16#3#EMFK.5(PIN Verification Key)#EMFK.1(ATM Master Key)#>

<26#3#EATM Master Key(PIN Verificatin Key)#

PIN Verification Key Check Digits#>[CRLF]

Table 3-26. Command 16: Encrypt Financial Institution Table – IBM 3624

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 16

1 ATM identifier (IBM 3624) 1 3

MFK.5(PIN Verification Key)* 16 0 - 9, A - F

MFK.1(ATM Master Key)* 16 0 - 9, A - F

*Can be a volatile table location.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-42

Encrypt Financial Institution Table – IBM 3624

(Command 16)

Responding Parameters

Field 0, the response identifier.

Field 1, the ATM identifier; in this command, IBM 3624.

EKM(KP)

Field 2, the PIN Verification Key encrypted under the ATM Master Key. This field

contains a 16 byte hexadecimal value.

PIN Verification Key Check Digits

Field 3, check digits; the first four digits that result from encrypting zeros using the

PIN Verification Key. If option 88 is enabled, this field will contain the first six digits

of the result.

Usage Notes

Before using Command 16, generate the PIN Verification Key (KPV) and the ATM

Master Key (KM).

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Changing the primary node's ATM communications key.

Clear-text PIN Verification Key: 2222 2222 2222 2222.

The PIN Verification Key encrypted under variant 5 of the MFK: EA45 F59C 6242

F687.

Clear-text ATM Master Key: 1111 1111 1111 1111.

The ATM Master Key encrypted under variant 1 of the MFK: C628 3830 AE9E

875A.

Table 3-27. Response 26: Encrypt Financial Institution Table – IBM 3624

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 26

1 ATM identifier (IBM 3624) 1 3

ATM Master Key(PIN Verification Key) 16 0 - 9, A - F

3 PIN Verification Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-43

Encrypt Financial Institution Table – IBM 3624

(Command 16)

The command looks like this:

<16#3#EA45F59C6242F687#C6283830AE9E875A#>

The Network Security Processor returns the following response:

<26#3#950973182317F80B#0096#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-44

Generate VISA Working Key (Command 18)

Command 18 generates an odd parity 1key-3DES (single-length) acquirer or issuer

PIN Encryption Key – for use with VISA security processors. The Network Security

Processor generates two cryptograms: one for local storage and one to transmit to

another network node.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

EMFK.0(Key Exchange Key)

Field 1, the Key Exchange Key encrypted under variant 0 of the MFK. Visa refers

to this key as a Zone Control Master Key (ZCMK). This field contains a 16 or 32

byte hexadecimal value, or a volatile table location.

Responding Parameters

Field 0, the response identifier.

<18#EMFK.0(Key Exchange Key)#>

<28#EKEK.0(VISA Working Key)#EMFK.1(VISA Working Key)#

VISA Working Key Check Digits#>[CRLF]

Table 3-28. Command 18: Generate VISA Working Key

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 18

MFK.0(Key Exchange Key)* 16, 32 0 - 9, A - F

*Can be a volatile table location.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-45

Generate VISA Working Key (Command 18)

EKEK(VISA Working Key)

Field 1, the VISA working key encrypted under the KEK. The host application

transmits this value to the VISA network switch. This field contains a 16 byte

hexadecimal value.

EMFK.1(VISA Working Key)

Field 2, the VISA working key encrypted using variant 1 of the MFK. The host

application stores this cryptogram on its local data base for subsequent use. This

field contains a 16 byte hexadecimal value.

VISA Working Key Check Digits

Field 3, check digits; that is, the first six digits that result from encrypting zeros

using the VISA working key. This field contains a six byte hexadecimal value.

Usage Notes

Generate a KEK (VISA refers to this as a Zone Control Master Key or ZCMK).

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

This command generates a random value therefore your results will be different.

Generating a VISA working key.

Clear-text Key Exchange Key: 0123 4567 89AB CDEF.

The Key Exchange Key encrypted under variant 0 of the MFK: 9007 B875 1BB7

AB4E.

The command looks like this:

<18#9007B8751BB7AB4E#>

The Network Security Processor returns the following response:

<28#EA3310FF19DB4F4C#6CE476EF7B6E4776#7DE170#>

Table 3-29. Response 28: Generate VISA Working Key

Field # Contents

Length

(bytes) Legal Characters

0 Response identifier 2 28

KEK.0(VISA Working Key) 16 0 - 9, A - F

MFK.1(VISA Working Key) 16 0 - 9, A - F

3 VISA Working Key Check Digits 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-46

Translate Communications Key for Local Storage

(Command 19)

Translate Communications Key for Local Storage (Command 19)

Command 19 translates a working key from base key encryption (without a variant) to

MFK encryption for local storage and subsequent use. This command is used to import

a working key from a network that does not use Atalla variants. This command

supports both 1key-3DES (single-length) and 2key-3DES (double-length) working

keys.

This command is not enabled in the Network Security Processor’s default factory

security policy.

This command has a high security exposure if support for variant zero is enabled. The

Network Security Processor’s security policy must enable option 65 to allow variant

zero to be used in this command. Option 65 must be purchased and enabled with a

command 105, then added to the Network Security Processor’s security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Variant

Field 1, the MFK variant under which the working key will be encrypted. This field

contains a 1 or 2 byte decimal value in the range of 0 to 31. See Key variants on

page 2-2 for a list of supported variants.

EMFK.V(Base Key)

Field 2, the base key encrypted under the variant of the MFK specified in field 1.

The base key is used to encrypt the working key. This field contains a 16 or 32 byte

hexadecimal value, or a volatile table location.

EBase Key(Working Key)

Field 3, the working key encrypted under the base key. This field contains a 16 or

32 byte hexadecimal value, or a volatile table location.

<19#Variant#EMFK.V(Base Key)#EBase Key(Working Key)#>

<29#EMFK.V(Working Key)#Working Key Check Digits#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-47

Translate Communications Key for Local Storage

(Command 19)

Responding Parameters

Field 0, the response identifier.

EMFK.V(Working Key)

Field 1, the cryptogram of the translated key.

Working Key Check Digits

Field 2, check digits; the first four digits that result from encrypting zeros using the

working key. If option 88 is enabled, this field will contain the first six digits of the

result.

Usage Notes

Option 65 must be enabled in the Network Security Processor’s security policy to

use variant 0.

This command is typically used to receive a working key transmitted from a non-

Atalla node.

Encrypt the Base Key under the appropriate variant of the MFK.

Table 3-30. Command 19: Translate Communications Key for Local Storage

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 19

1 Variant (V) 1, 2 0 - 31

MFK.V(Base Key)* 16, 32 0 - 9, A - F

Base Key(Working Key)* 16, 32 0 - 9, A - F

*Can be a volatile table location.

Table 3-31. Response 29: Translate Communications Key for Local Storage

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 29

MFK.V(Working Key) 16, 32 0 - 9, A - F

2 Working Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-48

Translate Communications Key for Local Storage

(Command 19)

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Translating a PIN Encryption Key for local storage.

Variant: 1.

Clear-text Base Key: 0123 4567 89AB CDEF.

The Base Key encrypted under variant 1 of the MFK: AE86 D417 E64E 07E0.

Clear-text PIN Encryption Key: FEDC BA98 7654 3210.

The PIN encryption key encrypted under the Base Key: 12C6 26AF 058B 433B.

The command looks like this:

<19#1#AE86D417E64E07E0#12C626AF058B433B#>

The Network Security Processor returns the following response:

<29#BC62A2AD72516EA1#A68C#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-49

Translate Working Key for Distribution to Non-Atalla

Node (Command 1A)

Translate Working Key for Distribution to Non-Atalla Node

(Command 1A)

Command 1A translates a working key from encryption under a specified variant of the

MFK, to KEK encryption without a variant for distributing to a non-Atalla network. This

command supports both 1key-3DES (single-length) and 2key-3DES (double-length)

keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Variant

Field 1, the MFK variant under which the working key has been encrypted. This

field contains a 1 or 2 byte decimal value which can be in the range of 0 to 31. See

Key variants on page 2-2 for a list of supported variants.

EMFK.0(KEK)

Field 2, the Key Exchange Key (KEK) encrypted under variant 0 of the MFK. This

key will be used to encrypt the working key for transmission to the non-Atalla

network. This field contains a 16 or 32 byte hexadecimal value, or a volatile table

location.

EMFK.V(Working Key)

Field 3, the working key encrypted using the variant of the MFK specified in Field

1. This field contains a 16 or 32 byte hexadecimal value, or a volatile table location.

<1A#Variant#EMFK.0(Key Exchange Key)#EMFK.V(Working Key)#>

<2A#EKey Exchange Key.0(Working Key)#Working Key Check Digits#>

[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-50

Translate Working Key for Distribution to Non-Atalla

Node (Command 1A)

Responding Parameters

Field 0, the response identifier.

EKey Exchange Key(Working Key)

Field 1, the working key encrypted under the KEK. No variant is applied to the

KEK. This field contains a 16 or 32 byte hexadecimal value.

Working Key Check Digits

Field 2, check digits; that is, the first six digits that result from encrypting zeros

using the working key. This field contains a six byte hexadecimal value.

Usage Notes

This command is used for distributing a working key to a non-Atalla network.

Generate the working key cryptograms.

Table 3-32. Command 1A: Translate Working Key for Distribution to Non-Atalla

Node

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 1A

1 Variant (V) 1, 2 0 - 31

MFK.0(Key Exchange Key)* 16, 32 0 - 9, A - F

MFK.V(Working Key)* 16, 32 0 - 9, A - F

*Can be a volatile table location.

Table 3-33. Response 2A: Translate Working Key for Distribution to Non-Atalla

Node

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 2A

KEK.0(Working Key) 16, 32 0 - 9, A - F

2 Working Key Check Digits 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-51

Translate Working Key for Distribution to Non-Atalla

Node (Command 1A)

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Translating a PIN Encryption Key for distributing to a non-Atalla node.

Variant: 1.

Clear-text Key Exchange Key (KEK): 0123 4567 89AB CDEF.

The Key Exchange Key encrypted under variant 0 of the MFK: 9007 B875 1BB7

AB4E.

Clear-text PIN Encryption Key (KPE): 0123 4567 89AB CDEF.

The PIN Encryption Key (KPE) encrypted under variant 1 of the MFK: AE86 D417

E64E 07E0.

The command looks like this:

<1A#1#9007B8751BB7AB4E#AE86D417E64E07E0#>

The Network Security Processor returns the following response:

<2A#56CC09E7CFDC4CEF#D5D44F#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-52

Translate Communications Key for Local Storage

Using a Specific Variant (Command 1D)

Translate Communications Key for Local Storage Using a

Specific Variant (Command 1D)

Command 1D translates a working key from encryption using a base key without a

variant to encryption using the MFK. This command is restricted to importing working

keys that use variants 1, 2 or 3. This command supports only 1key-3DES (single-

length) working keys.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Variant

Field 1, the variant (V) of the MFK under which the working key will be encrypted.

This field contains a 1 byte decimal value with a range of 1 - 3. See Key variants

on page 2-2 for a list of supported variants.

EMFK.2(Base Key)

Field 2, the Base Key encrypted under variant 2 of the MFK. This key is used by

the transmitting node to encrypt the working key. This field contains a 16 byte

hexadecimal value, or a volatile table location.

EBase Key(Working Key)

Field 3, the Working Key encrypted under the Base Key. This field contains a 16

byte hexadecimal value, or a volatile table location.

<1D#Variant#EMFK.2(Base Key)#EBase Key(Working Key)#>

<2D#EMFK.V(Working Key)#Working Key Check Digits#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-53

Translate Communications Key for Local Storage

Using a Specific Variant (Command 1D)

Responding Parameters

Field 0, the response identifier.

EMFK.V(Working Key)

Field 1, the Working Key encrypted under the MFK using the variant specified in

field 1 of the command. This field contains a 16 byte hexadecimal value.

Working Key Check Digits

Field 2, the check digits; the first four digits that result from encrypting zeros using

the working key. If option 88 is enabled, this field will contain the first six digits of

the result.

Table 3-34. Command 1D: Translate Communications Key for Local Storage

Using Specific Variant

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 1D

1 Variant (V) 1 1, 2 or 3

MFK.2(Base Key)* 16 0 - 9, A - F

Base Key(Working Key)* 16 0 - 9, A - F

*Can be a volatile table location.

Table 3-35. Response 2D: Translate Communications Key for Local Storage

Using Specific Variant

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 2D

MFK.V(Working Key) 16 0 - 9, A - F

2 Working Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-54

Translate Communications Key for Local Storage

Using a Specific Variant (Command 1D)

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Translating a PIN Encryption Key

Variant: 1.

Clear-text Base Key: 1010 2020 4040 8080.

The Base Key encrypted under variant 2 of the MFK: 1693 C76D 5493 D733.

Clear-text PIN Encryption Key: E0E0 D0D0 B0B0 7070.

The PIN Encryption Key encrypted under the Base Key: 3758 EB8D B208 C875.

The command looks like this:

<1D#1#1693C76D5493D733#3758EB8DB208C875#>

The Network Security Processor returns the following response:

<2D#F0224DB34CB2E9B9#19D7#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-55

Generate New Initial Key for PIN Pad Using VISA

DUKPT (Command 1E)

Generate New Initial Key for PIN Pad Using VISA DUKPT

(Command 1E)

Command 1E re-initializes PIN pads that perform VISA Derived Unique Key Per

Transaction (DUKPT) key management.

This command by default will generate a 1key-3DES (single-length) session key. Use

option A2 to control the length of the generated session key. A new optional field,

session key length, has been added as the last field of the command. When option A2

is set to “B”, the host application must include the New Base Derivation key field and

the session key length field. If there is no new Base Derivation Key, include the field,

but leave it empty.

You must purchase this command in the form of a command 105, and then enable it in

the Network Security Processor’s security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

EMFK.8(Derivation Key)

Field 1, the Derivation Key encrypted under variant 8 of the MFK. This field

contains a 16 or 32 byte hexadecimal value, or a volatile table location. This key

should be a 2key-3DES (double-length) key. It can be a 1key-3DES (single-length)

key only if option A2 is set to “S”.

Current Key Serial Number

Field 2, this value is used with the Derivation Key specified in Field 1 to derive the

current PIN pad key. This field contains a 10 to 20 byte hexadecimal value.

Leading Fs will be suppressed.

<1E#EMFK.8(Derivation Key)#Current Key Serial Number#

New Key Serial Number#[EMFK.8(New Derivation Key)#]>

[Session Key Length#]>

<2E#ECurrent Key(New Initial PIN Encryption Key)#

Check Value#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-56

Generate New Initial Key for PIN Pad Using VISA

DUKPT (Command 1E)

New Key Serial Number

Field 3, the new key serial number for the PIN pad, left-padded with Fs. If a new

Derivation Key is defined in Field 4, then this field generates the new initial key

serial number; otherwise, the Derivation Key in Field 1 is used. This field contains

a 16 byte hexadecimal value.

[EMFK.8(New Derivation Key)#]

Field 4, the new Derivation Key encrypted under variant 8 of the MFK. This field is

required only if option A2 is set to “B”, for all other cases this field is optional. If it

exists, this field contains a 16 or 32 byte hexadecimal value, or a volatile table

location. This key should be a 2key-3DES (double-length) key. It can be a 1key-

3DES (single-length) key only if option A2 is set to “S”. This field is required, but

can be empty, if option A2 is set to “B”35 TD0 Tc0 Tw( i Tm Tc.00[SessDerivatiLinglen Key)#])Tj/TT4 1 Tf1.75 -1.665 TD-.0005 4c.0007 Tw5(s)-.7(, this“S”. ThisTj9.055 0 TD-.002 Tc-.0029 Tw(requirey only if option )Tj0 9E)Tj17.83 0 TD-.002 Tc0 Tw(A2324ET487.12 535.78 14.7 .47998 refBT12 339 12 490.76 538.02 Tm0 D-.0001 TTc.0011 Tw( is s)129(B()4.1(”)129(,)74.9(.o “B12 Tw(al)129(l other casea 1key-ey )Tj-28.01 -1.17 TD-.0004 Tc.0007 Tw(field is option. Thi17.695 0 TD-.0005TD-.0[(al.6 Tw[(ex3st)emptynal.is key field c3nt)1 seFK.)6(8.36j8.885 0 TD-.0003 Tc”ey ocan be 28 Tw(3DES (single0 d, but0.36j-22.11 -1.165 Tc.00sessDerikation is [(15 Tw(gdl val“D”ey okey-3DE665 )Tj10 0 TD-.0006 Tc.00uld be a 25 Tw[(S (dtherwist)Tj8.055 0 TD-.0004 Tc.00ingle0 sessDerikati If it )Tf26.495 -1.165 TD-.00051D-.00on is [(15 Tw(gdptionnly if option )Tj0 (8.39g10.26 0 TD-.002 Tc0 Tw(A2)54.88 448.12 535.74 184 Tc.47998 refBT12 060 12 442.76 538.02 0-.0004 Tc.0015 Tw( is sD”,4, then this fie9E)9j9.055 0 TD-.0001 Tc-.0002 Tnot field c7nt)1 t 8 ecima set,18(ains 3.Tj-28.01 -1.17 TD-.0006 TD.00mm)ey only if option )Tj0 5)Tf3.775 0 TD.003 Tc0 Tw(A213.8.74431 12 535.78 14.7 .47998 refBT12 180 12 436.78 538.02 Tm0 9-.002 Tc-.00011()4.7st)129(lw( is sei)6.7(”,4, t()4.7st)129(ln th()4.7s.8(adde9E)Tj17.83 0 TD-.0007 Tc.0012 Tnot field c1nt)1 t 8 ecima sDt t.6(00A)]TJ/TT25[E)Tj9.25[E)T0 0198.3 625.6212m0 g0 Tc-.00Respond(s)1Parametersto “B”35 TD01 1 Tf12 0 0163.76TD-m.335 TD0 Tc2EKey)#])Tj/TT4 1 Tf1.7 -1.665 TD-.0005 4c.0[007 Tw0Field response identin tr)57mpt..1(1E))]TJ/F1 1 Tf-1.75 -2.335 TD0 Tc0 Tw([E)Tj9.96 0 01.]TJKe)]8 625.62 Tm.002Curre[(TwKSNFK.)6(8)]TJ12 057m 4c114ETTD-m.3 0 TD-.0003 3-.0025 TwIe new ivatioKey)#]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-57

Generate New Initial Key for PIN Pad Using VISA

DUKPT (Command 1E)

Check Value

Field 2, the new initial key's check value. The length of this field depends on the

length of the session key. It will contain 8 hexadecimal digits if the session key is a

1key-3DES (single-length) key. It will contain 16 hexadecimal digits if the session

key is a 2key-3DES (double-length) key.

Usage Notes

This command is typically used to load a new initial key serial number and a new

initial key into a PIN pad without taking the PIN pad out of service. You will use this

command in a number of circumstances, including when the PIN pad exceeds its

million-transaction limit, when the PIN pad's initial key serial number has been

changed, or when the acquirer's Derivation Key has been changed. This command

can be used only with PIN pads that support it.

Before using Command 1E, generate the Derivation Key and set option A2

appropriately.

Examples

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Generating a new initial key.

Option A2 is set to “S”.

Clear-text Derivation Key: 1334 1334 1334 1334.

The Derivation Key encrypted under variant 8 of the MFK: 4A79 F2A0 E61F EECF.

The current Key Serial Number: FFFF 9876 5432 10E0 0001.

The new Initial Key Serial Number: 0123 4567 89.

The command looks like this:

<1E#4A79F2A0E61FEECF#9876543210E00001#FFFFFF0123456789#>

The Network Security Processor returns the following response:

<2E#F90FB12DC2CD138D#1567922B#>

Table 3-37. Response 2E: Generate New Initial Key for PIN Pad Using VISA

DUKPT

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 2E

Current KSN(New Initial

Key)*

16 0 - 9, A - F

2 Check Value 8,16 0 - 9, A - F

*E refers to special encryption defined by VISA.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-58

Generate New Initial Key for PIN Pad Using VISA

DUKPT (Command 1E)

This example shows the syntax when the option A2 is set to “B” or “S”, and a new

Base Derivation Key is included in field 4. The clear text value of the new Base

Derivation Key is 0123456789ABCDEF.

<1E#4A79F2A0E61FEECF#9876543210E00001#FFFFFF0123456789#AAA57E

4E99AE9B03#S#>

The Network Security Processor returns the following response:

<2E#1C96A87EDC8672CF#3AE4C948#>

Generating a new initial key using a 2key-3DES (double-length) session key.

Option A2 is set to “D”.

Clear-text Base Derivation Key: 1334 1334 1334 1334 5678 5678 5678 5678

The Base Derivation Key encrypted under variant 8 of the MFK:

4A79F2A0E61FEECF24103C06FD668967

The current Key Serial Number: FFFF 9876 5432 10E0 0001.

The new Initial Key Serial Number: 0123 4567 89.

The command looks like this:

<1E#4A79F2A0E61FEECF24103C06FD668967#9876543210E00001#FFFFFF0

123456789#>

The Network Security Processor returns the following response:

<2E#0C92829F9CDE4DA3#1FBB8F5B87EF5FA0#>

This example shows the syntax when the option A2 is set to “B” or “D”.

<1E#4A79F2A0E61FEECF24103C06FD668967#9876543210E00001#FFFFFF0

123456789##D#>

The Network Security Processor returns the following response:

<2E#0C92829F9CDE4DA3#1FBB8F5B87EF5FA0#>

This example shows the syntax when the option A2 is set to “B” or “D”, and a new

Base Derivation Key is included in field 4.

The clear text value of the new Base Derivation Key is 0123456789ABCDEF

FEDCBA9876543210.

The New Base Derivation Key encrypted under variant 8 of the MFK:

AAA57E4E99AE9B0328F6BA950E1664FA

<1E#4A79F2A0E61FEECF24103C06FD668967#9876543210E00001#FFFFFF0

123456789#AAA57E4E99AE9B0328F6BA950E1664FA#D#>

The Network Security Processor returns the following response:

<2E#1B80BEC57C9C0286#FF3C341951FEE2CF#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-59

Generate Check Digits (Command 7E)

This command generates check digits in order to confirm that two parties hold the

same key value. Each party calculates the check digits from the key using the same

algorithm and then compares results. This command supports both 1key-3DES (single-

length) and 2key-3DES (double-length) working keys.

In version 1.30 and above option 4F controls methods I and R.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Check Digit Method

Field 1, the check digit method. This field contains 1 byte. The possible values are

listed in the following table:

* Method R is allowed only when option 4F is enabled. When option 4F is enabled, method I is not

allowed.

Variant

Field 2, the variant used to encrypt the working key. This field can be one or two

bytes long and can contain the numbers 0 to 31. See Key variants on page 2-2 for

a list of supported variants.

<7E#Check Digit Method#Variant#EMFK.V(Working Key)#

[Adjusted Variant#]>

<8E#Check Digit Method#Generated Check Digits#>

Method Description Value

adjustedkey(0000000000000000) leftmost 6

key(0123456789ABCDEF) leftmost 4

I* Ekey(key) rightmost 4

R* (EKEY(KEY)) XOR KEY rightmost 4

key(000000000000000) leftmost 4

key(000000000000000) leftmost 6

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-60

Generate Check Digits (Command 7E)

EMFK.V(Working Key)

Field 3, the working key encrypted under the specified variant of the MFK. This

field contains a 16 or 32 byte hexadecimal value, or a volatile table location.

[Adjusted Variant#]

Field 4, this field is only present if field 1 contains the letter A. The Adjusted Variant

is exclusive-OR with the decrypted working key. This field can contain either a 1 or

2 byte decimal value in the range of 0 to 31 inclusive.

Responding Parameters

Field 0, the response identifier.

Check Digit Method

Field 1, the check digit method supplied in field 1 of the command.

Generated Check Digits

Field 2, the calculated check digits. This field contains a four or six byte

hexadecimal value.

Table 3-38. Command 7E: Generate Check Digits

Field # Contents Length (bytes) Legal Characters

0 Command Identifier 2 7E

1 Check Digit method 1 A, F, I, R, S, V

2 Variant V 1, 2 0 - 31

MFK.V(Working Key)* 16, 32 0 - 9, A - F

4 Adjusted Variant** 1, 2 0 - 31

*Can be a volatile table location

**This field is present only if field 1 contains the letter A.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-61

Generate Check Digits (Command 7E)

Examples

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Variant 4

Clear-text PIN Verification Key: 0000 0000 5555 6666.

The PIN Verification Key encrypted under variant 4 of the MFK: BEFB 77D6 B00C

DC17.

Check digit method: A.

The key is exclusive-OR’d with the adjusted variant then encrypts zeros. The leftmost 6

digits of the result are the check digits.

The command looks like this:

<7E#A#4#BEFB77D6B00CDC17#4#>

The Network Security Processor returns the following response:

<8E#A#E7B8A6#>

Check digit method: F.

The key encrypts 0123456789ABCDEFF. The leftmost 4 digits of the result are the

check digits.

The command looks like this:

<7E#F#4#BEFB77D6B00CDC17#>

The Network Security Processor returns the following response:

<8E#F#E1E3#>

Check digit method: IBM method (I).

The key encrypts itself. The rightmost 4 digits of the result are the check digits.

The command looks like this:

<7E#I#4#BEFB77D6B00CDC17#>

The Network Security Processor returns the following response:

<8E#I#46A5#>

Check digit method: R.

The key encrypts itself, this cryptogram is XOR’d with the key. The rightmost 4 digits of

the result are the check digits.

The command looks like this:

<7E#R#4#BEFB77D6B00CDC17#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-62

Generate Check Digits (Command 7E)

The Network Security Processor returns the following response:

<8E#R#20C3#>

Check digit method: Standard Atalla method (S).

The key encrypts zeros. The leftmost 4 digits of the result are the check digits.

The command looks like this:

<7E#S#4#BEFB77D6B00CDC17#>

The Network Security Processor returns the following response:

<8E#S#3BAF#>

Check digit method: VISA method (V).

The key encrypts zeros. The leftmost 6 digits of the result are the check digits.

The command looks like this:

<7E#V#4#BEFB77D6B00CDC17#>

The Network Security Processor returns the following response:

<8E#V#3BAFC4#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-63

Translate Working Key for Local Storage Under the

Current MFK to the Pending MFK (Command 9E)

Translate Working Key for Local Storage Under the Current MFK

to the Pending MFK (Command 9E)

Command 9E translates a working key from encryption under the current MFK to

encryption under the pending MFK. This command supports both 1key-3DES (single-

length) and 2key-3DES (double-length) keys.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Variant

Field 1, the variant of the current MFK under which the working key has been

encrypted. This field can be one or two bytes long and can contain the numbers 0

to 31.

EMFK.V(Working Key)

Field 2, the working key encrypted using the variant of the MFK specified in field

one. This field contains a 16 or 32 byte hexadecimal value, or a volatile table

location.

<9E#Variant#EMFK.V(Working Key)#>

<AE#EPending MFK.V(Working Key)#Working Key Check Digits#>

[CRLF]

Table 3-39. Command 9E: Translate Working Key for Local Storage Under

Current MFK to Pending MFK

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 9E

1 Variant (V) 1, 2 0 - 31

MFK.V(Working Key)* 16, 32 0 - 9, A - F

*Can be a volatile table location.

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-64

Translate Working Key for Local Storage Under the

Current MFK to the Pending MFK (Command 9E)

Responding Parameters

Field 0, the response identifier.

EPending MFK.V(Working Key)

Field 1, the working key decrypted using the variant of the current MFK specified in

field one of the command and re-encrypted using the same variant of the pending

MFK. This field contains a 16 or 32 byte hexadecimal value.

Working Key Check Digits

Field 2, check digits; that is the first four digits that result from encrypting zeros

using the working key. If option 88 is enabled, this field will contain the first six

digits of the result.

Usage Notes

Load the pending MFK (PMFK1) into the Network Security Processor non-volatile

key table.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values. The pending

MFK is 98107645FED3BCA2 2ABC3DEF45670189.

Translating a data encryption key (KD).

 Variant: 2

Clear-text Data Encryption Key (KD): 0123 4567 89AB CEDF.

The Data Encryption Key encrypted under variant 2 of the MFK: 80BC DEAC 5703

BC84.

The command looks like this:

<9E#2#80BCDEAC5703BC84#>

Table 3-40. Response AE: Translate Working Key for Local Storage Under

Current MFK to Pending MFK

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 AE

Pending MFK.V(Working Key) 16, 32 0 - 9, A - F

2 Working Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-65

Translate Working Key for Local Storage Under the

Current MFK to the Pending MFK (Command 9E)

The Network Security Processor returns the following response:

<AE#7B8CA7B9B6E17408#D5D4#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-66

Replace the Current MFK with the Pending MFK

(Command 9F)

Replace the Current MFK with the Pending MFK (Command 9F)

Command 9F replaces the current MFK with the pending MFK. When the pending

MFK is promoted to the MFK, the name of the new MFK increments.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

MFK Name

Field 1, the current MFK’s name.

MFK Check Digits

Field 2, the current MFK’s check digits; that is the result of encrypting zeros using

the MFK. This field contains a four byte hexadecimal number.

Pending MFK Name

Field 3, the pending MFK’s name, PMFK1.

Pending MFK Check Digits

Field 4, the pending MFK’s check digits; that is the result of encrypting zeros using

the pending MFK. This field contains a four byte hexadecimal value.

Note. Upon successful execution of this command, all keys in the volatile table are erased.

<9F#MFK Name#MFK Check Digits#Pending MFK Name#

Pending MFK Check Digits#>

<AF#OK#>[CRLF]

Table 3-41. Command 9F: Replace Current MFK with Pending MFK (page 1 of 2)

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 9F

1 MFK name 0, 4 0 -9, A- Z

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-67

Replace the Current MFK with the Pending MFK

(Command 9F)

Responding Parameters

Field zero, the response identifier.

Field one, an indicator that the current MFK has been replaced and the volatile

table has been erased.

Usage Notes

Load the pending MFK and translate all working keys using the pending MFK, see

Translate Working Key for Local Storage Under the Current MFK to the Pending MFK

(Command 9E) on page 3-63.

Command 9F increments the MFK name to the next value in this list: “MFK2”, “MKF3”,

“MFK4”, “MFK5”, “MFK6”, “MFK7”, “MFK8”, “MFK9”, “MFKA”, “MFKB”, “MFKC”….

“MFKZ”, “MFK2”, “MFK3” …

For Example:

If the current MFK name is “MFK1” after command 9F it will be “MFK2”.

If the current MFK name is “MFK2” after command 9F it will be “MFK3”.

If the current MFK name is “MFKZ” after command 9F it will be “MFK2”.

NOTE: The MFK name will not increment to “MFK1”. It will not be used by command

9F. This name is reserved for use with the SCA-3.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values. The pending

MFK clear-text value is 98107645FED3BCA2 2ABC3DEF45670189.

Replacing the current MFK with a pending MFK.

2 MFK Check Digits 4 0 - 9, A - F

3 Pending MFK name 5 PMFK1

4 Pending MFK Check Digits 4 0 - 9, A - F

Table 3-42. Response AF: Replace Current MFK with Pending MFK

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 AF

1 Verification indicator 2 OK

Table 3-41. Command 9F: Replace Current MFK with Pending MFK (page 2 of 2)

Field # Contents Length (bytes) Legal Characters

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-68

Replace the Current MFK with the Pending MFK

(Command 9F)

Current MFK’s name: MFK1.

Current MFK’s check digits: 057A.

Pending MFK’s name: PMFK1.

Pending MFK’s check digits: 6270.

The command looks like this:

<9F#MFK1#057A#PMFK1#6270#>

The Network Security Processor returns the following response:

<AF#OK#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-69

Translate an encrypted key between ECB and CBC

modes (command 113)

Translate an encrypted key between ECB and CBC modes

(command 113)

Command 113 changes the encryption mode used to encrypt a working key. This

command supports Electronic Code Book (ECB) and Cipher Block Chaining (CBC)

modes. The CBC initialization vector is binary zeros. It is not supplied in the command.

The working key should be a 2key-3DES (double-length) key. The working key can be

a 1key-3DES (single-length) key if option 6A is enabled in the Network Security

Processor’s security policy.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

113

Field 0, the command identifier.

Variant V

Field 1, the variant applied to the KEK prior to encrypting the working key. This

field contains a 1 or 2 digit value in the range of 0 through 31.

EMFK.0(KEK)

Field 2, the Key Exchange Key encrypted using ECB under variant zero of the

MFK. This field should contain a 32 character hexadecimal value or a volatile table

location that contains a 2key-3DES key (double-length). It can contain a 16

character hexadecimal value or a volatile table location of a 1key-3DES (single-

length) key, only if option 6A is enabled in the Network Security Processor’s

security policy and if field 3 contains a 1key-3DES key. If field 3 contains a 2key-

3DES key, this field must contain a 2key-3DES key, or a volatile table location that

contains a 2key-3DES key.

EKEK.V(Working Key)

Field 3, the working key encrypted, using the mode specified in field 4, under the

variant specified in field 1, of the Key Exchange Key. This field should contain a 32

<113#Variant V#EMFK.0(KEK)#EKEK.V(Working Key)#[Mode#]>

<213#EKEK.V(Working Key)#Working Key Check Digits#>[CRLF]

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-70

Translate an encrypted key between ECB and CBC

modes (command 113)

character hexadecimal value. It can contain a 16 character hexadecimal value only

if option 6A is enabled in the Network Security Processor’s security policy.

[Mode#]

Field 4, the mode of DES used in the translation of the working key. This field is

optional. If not present the working key will be translated from ECB to CBC mode

of DES. If present this field consists of two characters:

1# - indicates translate the working from ECB to CBC mode of DES.

2# - indicates translate the working key from CBC to ECB mode of DES.

Responding Parameters

213

Field zero, the response identifier.

EKEK.V(Working Key)

Field 1, the working key encrypted, using the mode specified in command field 4,

under the variant specified in command field 1, of the Key Exchange Key. The

length of this field is the same length as field 3 in the command.

Working Key Check Digits

Field 2, the first four digits that result from encrypting zeros using the working key.

This field contains a four byte hexadecimal value. If Option 88 is enabled then a 6-

digit check digit will be returned.

Table 3-43. Translate an encrypted key between ECB and CBC modes

Field # Contents Length (bytes) Legal Characters

0 Command identifier 3 113

1 Variant V 1, 2 0 - 31

MFK.0(KEK)* 16, 32 0 - 9, A - F

KEK.V(Working Key) 5 0 - 9, A - F

4 [Mode#] empty, 2 1# or 2#

* Can be a volatile table location

Table 3-44. Response 213: Translate an encrypted key between ECB and CBC

modes

Field # Contents Length (bytes) Legal Characters

0 Response identifier 3 213

KEK.V(Working Key) 16, 32 0 - 9, A - F

2 Working Key Check Digits 4,6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-71

Translate an encrypted key between ECB and CBC

modes (command 113)

Usage Notes

Encrypt the KEK under variant 0 of the MFK.

Examples

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

The KEK clear-text value: 0123 4567 89AB CDEF FEDC BA98 7654 3210, check

digits 08D7.

The KEK encrypted under variant 0 of the MFK:

9007B8751BB7AB4E0B176C3EBEED18AF

The working key clear-text value: 1234123412341234 5678567856785678, check

digits DB82

ECB to CBC Translation

The working key, ECB encrypted, under variant 1 of the KEK:

65F36EFD9E5518DDEEAB6E607C3E6EA7

The command looks like this:

<113#1#9007B8751BB7AB4E0B176C3EBEED18AF#65F36EFD9E5518DDEEAB6

E607C3E6EA7#>

The Network Security Processor’s response is:

<213#65F36EFD9E5518DDF479C816D90734E8#DB82#>

CBC to EBC Translation

The working key, CBC encrypted, under variant 1 of the KEK:

65F36EFD9E5518DDF479C816D90734E8

The command looks like this:

<113#1#9007B8751BB7AB4E0B176C3EBEED18AF#65F36EFD9E5518DDF479C

816D90734E8#2#>

The Network Security Processor’s response is:

<213#65F36EFD9E5518DDEEAB6E607C3E6EA7#DB82#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-72

Generate ATM MAC or Data Encryption Key

(Command 11D)

Generate ATM MAC or Data Encryption Key (Command 11D)

Command 11D allows a PIN Encryption Key, Data Encryption Key, or MAC key to be

generated, and in addition to being encrypted under a specified MFK variant (1, 2 or 3),

it will be encrypted under variant 0 of a Key Exchange Key (KEK). The KEK is provided

encrypted under a specified variant (0 or 5) of the MFK. This command generates a

1key-3DES (single-length) or 2key-3DES (double-length) working key.

This command is not enabled in the Network Security Processor’s default factory

security policy. You must purchase this command in the form of a command 105, and

enable it in the Network Security Processor’s security policy.

Command

Response

Calling Parameters

11D

Field 0, the command identifier.

Variant V

Field 1, the variant (V) of the MFK under which the generated working key will be

encrypted. This field contains a 1 byte decimal value which can be either 1, 2, or 3.

Variant K

Field 2, the variant (K) of the MFK under which the KEK has been stored. This field

contains a 1 byte decimal value which can be either 0 or 5.

EMFK.K(KEK)

Field 3, the Key Exchange Key encrypted using the variant of the MFK specified in

Field 2. This field contains a 16 byte or 32 byte hexadecimal value, or a volatile

table location. If the Key Length field contains a value of 2 (generate 2key-3DES

working key), the KEK has to be 2key-3DES (double-length). This KEK can not be

a replicated 1key-3DES (single-length) key.

<11D#Variant V#Variant K#EMFK.K(Key Exchange Key)#

[Key Length]#>

<21D#EMFK.V(Working Key)#EKey Exchange Key(Working Key)#

Working Key Check Digits#>

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-73

Generate ATM MAC or Data Encryption Key

(Command 11D)

[Key Length]

Field 4, length of the generated Working Key. This is an optional field. If used, it is

one byte long and can be empty, or contain the number 1 (to generate 1key-3DES

key) or 2 (to generate 2key-3DES key). If this field is not present in the command,

a 1key-3DES key will be generated.

Responding Parameters

21D

Field 0, the response identifier.

EMFK.V(Working Key)

Field 1, the working key encrypted using the variant of the MFK specified in Field 1

of the command. This field contains a 16 or 32 byte hexadecimal value.

EKey Exchange Key(Working Key)

Field 2, the working key encrypted under the KEK. This field contains a 16 or 32

byte hexadecimal value.

Working Key Check Digits

Field 3, check digits; the first four digits that result from encrypting zeros using the

Working Key. If option 88 is enabled, this field will contain the first six digits of the

result.

Table 3-45. Command 11D: Generate ATM MAC or Data Encryption Key

Field # Contents Length (bytes) Legal Characters

0 Command identifier 3 11D

1 Variant V 1 1,2,3

2 Variant K 1 0,5

MFK.K(Key Exchange Key)* 16, 32 0 - 9, A - F

*Can be a volatile table location.

Table 3-46. Response 21D: Generate ATM MAC or Data Encryption Key

Field # Contents Length (bytes) Legal Characters

0 Response identifier 3 21D

MFK.V (Working Key)* 16, 32 0 - 9, A - F

Key Exchange Key(Working Key) 16, 32 0 - 9, A - F

3 Working Key Check Digits 4 or 6 0 - 9, A - F

DES key management

NSP Command Reference Manual—C8Z37-9000A

3-74

Generate ATM MAC or Data Encryption Key

(Command 11D)

Usage Notes

Encrypt the Key Exchange Key under variant zero of the MFK.

Examples

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

This command generates a random key therefore your results will be different.

Generating an ATM MAC Key.

Variant V: 3

Variant K: 5

Key Length: 1

Clear-text Key Encryption Key (KEK): 0000 1111 2222 3333.

The Key Exchange Key encrypted under variant 5 of the MFK: 784D DF5F 89FB

9EBF.

The command looks like this:

<11D#3#5#784DDF5F89FB9EBF#>

The Network Security Processor returns the following response:

<21D#8FC5F6000E039870#94F5064C96FE9841#2D3D#>

Example 2

Generating an ATM MAC Key.

Variant V: 3

Variant K: 5

Key Length: 2

Clear-text Key Encryption Key (KEK): 0000 1111 2222 3333 4444 5555 6666 7777.

The Key Exchange Key encrypted under variant 5 of the MFK: 784D DF5F 89FB

9EBF CDCB 224A E777 56B2.

The command looks like this:

<11D#3#5#784DDF5F89FB9EBFCDCB224AE77756B2#2#>

The Network Security Processor returns the following response:

<21D#25166617EC743AB125166617EC743AB1#F8C6AB5B46CFD570F8C6AB5

B46CFD570#D5D4#>

NSP Command Reference Manual—C8Z37-9000A

4-1

4Processing Personal

Identification Numbers

This section outlines the tasks involved in processing PINs and describes the PIN

processing commands supported in the Network Security Processor.

To skip this introduction go to Table 4-10 for a list of commands.

About PIN Processing

The personal identification number – or PIN – is the secret, unique number that

identifies a consumer who is transacting business on an automated teller machine

(ATM) or point of sale (POS) network.

The following list outlines the processes that a PIN typically undergoes, starting with its

entry into an ATM or PIN pad and ending with its verification by the issuing host.

1. The PIN is entered into an ATM or PIN pad.

2. The ATM or PIN pad formats the PIN into a PIN block.

3. The ATM or PIN pad encrypts the PIN block and sends it to the host.

4. The host determines whether the PIN corresponds to an account that belongs to its

own financial institution or to another institution.

a. If the PIN corresponds to an account at this financial institution (making it an

“on-us” transaction), then the host verifies the PIN and confirms whether

sufficient funds are available for the requested transaction.

b. If the PIN does not correspond to an account at this financial institution

(making it a “not-on-us” transaction), then the host translates the PIN and

sends it to the switch encrypted under the acquirer’s working key. The switch

determines the issuing financial institution, then translates the PIN block and

sends it to another switch or to the issuing financial institution encrypted under

the issuer working key. When the PIN block arrives at the issuer, the host

verifies it and confirms whether sufficient funds are available for the requested

transaction.

The following section explains the programming tasks that you must accomplish to

facilitate PIN processing.

PIN Processing Tasks

Processing PINs typically involves the following tasks.

Encrypting PINs or PIN blocks

Translating PIN blocks

Verifying incoming PIN blocks and authorizing or denying transaction requests.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-2

Encrypting PINs

This subsection explains how PINs are encrypted in ATM networks and VISA DUKPT

POS networks.

PIN Encryption in ATM Networks

In ATM networks, PINs can be encrypted at two different places:

The point of capture (an ATM) or

At the host using a Network Security Processor.

Encrypting PINs at an ATM involves two steps:

1. The ATM formats the PIN into a PIN block. PIN blocks are packages of data that

contain the PIN, pad characters, and sometimes other information like the length of

the PIN. The Network Security Processor supports a variety of PIN Block Types.

2. Once the PIN has been formatted into a PIN block, the ATM encrypts it using a PIN

Encryption Key that is common to both the ATM and its host. To encrypt PINs at

the host's Network Security Processor, the clear-text PIN must travel from the ATM

to the host. If the host is unable to verify the PIN, then the PIN is formatted into a

PIN block and encrypted using a PIN Encryption Key. Formatting and encrypting

the PIN enables it to be transmitted to a node that can verify it.

The point to remember is that PINs never pass to the switch in clear-text format when

they have passed first through an intercepting processor.

PIN Encryption In VISA DUKPT Networks

In networks that use VISA DUKPT key management, PIN pads are always responsible

for encrypting PINs. The difference between PIN encryption on VISA DUKPT networks

and PIN encryption at the ATM in ATM networks is that on VISA DUKPT networks, the

PIN Encryption Key used is unique for every transaction.

Translating PIN Blocks

Once an ATM or PIN pad receives a PIN, the objective is to verify that it corresponds to

a valid account. If this verification is not done at the ATM or PIN pad, then the PIN

block must travel to the host or switch to be verified. If the PIN is verified at the switch

or issuer host, then the PIN block must be translated each time it stops at an

intermediary, or intercept, processor. Translation refers simply to the process of

changing the PIN block's type or the PIN Encryption Key in use so that the PIN block

can travel from one processor to the next. Typically, the first intercept processor

receives the PIN block encrypted in the type supported by the sending ATM or PIN

pad, then translates it into an ANSI PIN block. Most networks require ANSI PIN blocks.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-3

Verifying Incoming PIN Blocks

PINs are not verified directly. The PIN is known only to the card holder; no one else –

not even the issuing financial institution – knows the PIN's clear-text value. PIN

verification is facilitated by means of the PIN verification number (PVN). The PIN

verification number is derived from an algorithm that takes as its input the PIN and the

Primary Account Number (PAN). The result is in turn operated on by the PIN

Verification Key; the result is a calculated PIN verification number. The PIN verification

number calculated at the verifying node is compared to the PVN that is encoded on

consumer's credit or debit card, or stored on a host database. If the two values match,

then the PIN has been verified.

The Network Security Processor supports the following methods of PIN verification:

Identikey

IBM 3624

Visa

Atalla DES Bilevel

Diebold

NCR

Atalla 2x2

Burroughs

PIN Sanity Error

When an encrypted PIN is translated or verified, it is decrypted with the incoming PIN

Encryption Key. The Network Security Processor examines the format of the decrypted

PIN block. Option 4B specifies the type of PIN sanity test to be performed. If the

Network Security Processor determines that the decrypted PIN block is not valid it

returns a PIN Sanity error in the response. The usual causes of PIN sanity errors are:

The wrong key was specified as the incoming PIN Encryption Key. Or the correct

key was specified, however this key was not encrypted under variant 1 of the MFK.

The PIN length is incorrect. Option A0 can be used to configure the Network

Security Processor for a specific minimum PIN length, the default is 4 digits. The

maximum PIN length is fixed at 12 digits. If the decrypted PIN does not fall within

minimum and maximum range a sanity error will be returned. Option A1 configures

the Network Security Processor to return an “L” if the decrypted PIN is less than

the minimum PIN length. The Network Security Processor does not allow a PIN

greater than 12 digits. When the Network Security Processor decrypts a PIN that is

greater than 12 digits, it will always return a sanity error even if option A1 is set to

“L”.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-4

PIN Block Types

Wrong data in the PIN data block. For example, the ANSI PIN block requires the

rightmost 12 digits of the account number excluding the check digit. If the origin

and destination do not use the exact same 12 digits in the PIN data block, a sanity

error will be returned.

PIN Block Types

The Network Security Processor supports a variety of PIN block types; not all PIN

block types are supported in all commands. Each PIN block type requires a specific set

of data. This data is provided as separate fields at the end of the command. Each of

these extra fields is delimited with a “#”, just like any other field in the command.

The following sections define the contents of the PIN Block Data for each supported

PIN block type.

PIN Block Type Value PIN block data fields added to

the end of the command.

ANSI PIN Block 1 1, labeled Field A

IBM 3624 PIN Block 2 3, labeled Fields A, B, and C

PIN/Pad PIN Block 3 2, labeled Fields A and B

Docutel PIN Block 3 2, labeled Fields A and B

IBM Encrypting PIN Pad PIN Block 4 1, labeled Field A

Burroughs PIN Block 5 2, labeled Fields A and B

VISA Derived Unique Key Per

Transaction PIN Block

7 3, labeled Fields, A, B, and C

ISO-3 PIN Block 8 1, labeled Field A

IBM 4731 PIN Block 9 4, labeled Fields A, B, C, and D

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-5

ANSI PIN Block

The ANSI PIN block is also referred to as an ISO-0 PIN block. The ANSI PIN block

format 1 is not supported in the Network Security Processor.

PIN Block Data

The ANSI PIN Block requires one PIN Block Data field; the last field of the command.

Constructing an ANSI PIN Block

The ANSI PIN block is the result of performing an exclusive-OR on two data blocks,

the PIN block and the account number block.

The control field. A four bit value; hexadecimal 0.

The length of the PIN. A four bit hexadecimal value 4 to 9, A, B, or C. A ten digit

PIN is represented as A, an 11 digit PIN is represented as B, and a 12 digit PIN is

represented as C.

PIN digit. A four bit hexadecimal value in the range of 0 through 9.

Pad character. A four bit value; hexadecimal F.

P/F

A PIN digit or a pad character, depending on the length of the PIN.

Table 4-1. ANSI - PIN Block Data

Field # Contents Length (bytes) Legal Characters

A Twelve rightmost PAN digits

(excluding check digits)

12 0 - 9

Figure 4-1. PIN Block

C N P P P P P/F P/F P/F P/F P/F P/F P/F P/F F F

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-6

ANSI PIN Block

Pad character. A four bit value; hexadecimal 0.

A1 to A12

The 12 rightmost digits of the Primary Account Number (PAN), excluding the

check digit. A1 is the most significant digit; A12 is the digit that immediately

precedes the Primary Account Number's check digit.

Example

PIN = 1234

Primary Account Number = 5999997890123457

PIN Block = 041234FFFFFFFFFF

Account Number Block = 0000999789012345

exclusive-OR

the PIN and

Account Number Blocks

ANSI PIN Block = 0412AD6876FEDCBA

Figure 4-2. Account Number Block

0 0 0 0 A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 A11 A12

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-7

IBM 3624 PIN Block

This encrypted PIN block is 18 hexadecimal characters. When a command contains an

encrypted IBM 3624 PIN block, the last field of the Network Security Processor’s

response will be the two digit sequence number.

PIN Block Data

The IBM 3624 PIN block requires three PIN Block Data fields; the last three fields of

the command.

PIN Block

The IBM 3624 PIN block is produced in two steps:

1. Encrypt the eight rightmost bytes (16 hexadecimal characters) using the PIN

Encryption Key (KPE).

2. Encrypt the eight leftmost bytes (16 hexadecimal characters) using the

Communications Key.

The resulting cryptogram is written as EKC(EKPE(PIN Block)).

V1 V2

Sequence number; two hexadecimal characters.

Table 4-2. IBM 3624 - PIN Block Data

Field # Contents Length (bytes) Legal Characters

A Pad character* 1 0 - 9, A - F, X, W

B Twelve digit; required but

only used in command 39.

12 0 - 9

MFK.2(KC)** 16 0 - 9, A - F

* Legal pad characters are a hexadecimal value, X and W. The value X indicates that the pad

character is unspecified but can be any hexadecimal character. The value W indicates that the sanity

check, which tests for the existence of pad digits and valid PIN digits, will not be performed.

** Can be a volatile table location.

Figure 4-3. IBM 3624 PIN Block

V1 V2 P P P P P/D P/D P/D P/D P/D P/D P/D P/D D D D D

Encrypted Using KC

Encrypted Using KPE

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-8

IBM 3624 PIN Block

PIN digit. A four bit hexadecimal value in the range of 0 through 9.

Pad character. A four bit hexadecimal value.

P/D

A PIN digit or a pad character, depending on the PIN's length.

Example

KPE = 1111 1111 1111 1111

KC = 2222 2222 2222 2222

PIN = 1234

Pad = B

Sequence Number = FF

Figure 4-4. Encrypted IBM 3624 PIN Block

Clear PIN Block: 1234BBBBBBBBBBBB

KPE: 1111111111111111

FED6DCFA1A3F6547

FFFED6DCFA1A3F65

Encrypt

EncryptKC: 2222222222222222

5F087319FADF613A

Resulting IBM 3624

PIN Block: 5F087319FADF613A47

Add Sequence Number

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-9

PIN/Pad PIN Block

This PIN block is used by Diebold and some other ATM and PIN pad vendors.

PIN Block Data

The PIN/pad character PIN block requires two PIN Block Data fields; the last two fields

of the command.

PIN Block

PIN digit. A four bit hexadecimal value in the range of 0 through 9.

Pad character. A four bit hexadecimal value. All pad characters must be the same

value.

P/D

A PIN digit or a pad character, depending on the PIN's length.

Example

PIN = 1234

Pad = F

PIN Pad PIN block = 1234FFFFFFFFFFFF

Table 4-3. PIN/Pad - PIN Block Data

Field # Contents Length (bytes) Legal Characters

A Pad character* 1 0 - 9, A - F, X, W

B Twelve digit; required but

only used in command 39.

12 0 - 9

* Legal pad characters are a hexadecimal value, X and W. The value X indicates that the pad

character is unspecified but can be any hexadecimal character. The value W indicates that the sanity

check, which tests for the existence of pad digits and valid PIN digits, will not be performed.

Figure 4-5. PIN/Pad Character PIN Block

P P P P P/D P/D P/D P/D P/D P/D P/D P/D D D D D

Encrypted Using KPE

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-10

Docutel PIN Block

The PIN digits are followed by a single character F and numeric pad characters.

PIN Block Data

The Docutel PIN block requires two PIN Block Data fields; the last two fields of the

command.

PIN Block

PIN digit. A four bit hexadecimal value in the range of 0 through 9.

The four bit hexadecimal character F. This PIN block can contain only one F; it

delimits the PIN.

Pad character. A four bit hexadecimal value in the range of 0 through 9.

Example

PIN = 1234

Pad = 10897645231

Docutel PIN block = 1234F10897645231

Table 4-4. Docutel - PIN Block Data

Field # Contents Length (bytes) Legal Characters

A Pad character* 1 0 - 9, X, W

B Twelve digit; required but only

used in command 39.

12 0 - 9

* Legal pad characters are a 0 through 9, X and W. The value X indicates that the pad character is

unspecified but can be any hexadecimal character. The value W indicates that the sanity check,

which tests for the existence of pad digits and valid PIN digits, will not be performed.

Figure 4-6. Docutel PIN Block

P P P P P/F P/F/D P/F/D P/F/D P/F/D P/F/D P/F/D P/F/D F/D D D D

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-11

IBM Encrypting PIN Pad PIN Block

PIN Block Data

The IBM encrypting PIN pad PIN block requires one PIN Block Data data field; the last

field of the command.

PIN Block

The length of the PIN. A four bit hexadecimal value 4 to 9, A, B, or C. A ten digit

PIN is represented as A, an 11 digit PIN is represented as B, and a 12 digit PIN is

represented as C.

PIN digit. A four bit hexadecimal value in the range of 0 through 9.

Pad character. A four bit value; hexadecimal F.

P/F

A PIN digit or a pad character, depending on the PIN’s length.

The sequence number. Two 4 bit hexadecimal characters.

Example

PIN = 1234

Sequence Number = 07

Pin Block = 41234FFFFFFFFF07

Table 4-5. IBM Encrypting PIN Pad - PIN Block Data

Field # Contents Length (bytes) Legal Characters

A Twelve digit; required but only

used in command 39.

12 0 - 9

Figure 4-7. IBM Encrypting PIN Pad

C P P P P P/F P/F P/F P/F P/F P/F P/F P/F F S S

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-12

Burroughs PIN Block

This PIN block is similar to the PIN/pad character PIN block, except that the PIN digits

are ASCII hexadecimal characters instead of four bit hexadecimal values. A Burroughs

PIN Block supports a maximum of eight PIN digits.

PIN Block Data

The Burroughs PIN block requires two PIN Block Data fields; the last two fields of the

command.

PIN Block

PIN digit. Each PIN digit is converted to an ASCII hexadecimal value, 30 through

39 represents the values 0 through 9.

Pad character. A four bit hexadecimal value.

P/D

A PIN digit or a pad character, depending on the PIN's length.

Example

PIN = 1234

Pad = F

Burroughs PIN block = 31323334FFFFFFFF

Table 4-6. Burroughs - PIN Block Data

Field # Contents Length (bytes) Legal Characters

A Pad character* 1 0 - 9, A - F, X, W

B Twelve digit; required but

only used in command 39.

12 0 - 9

* Legal pad characters are a hexadecimal value, X and W. The value X indicates that the pad

character is unspecified but can be any hexadecimal character. The value W indicates that the sanity

check, which tests for the existence of pad digits and valid PIN digits, will not be performed.

Figure 4-8. Burroughs PIN Block Type

P P P P P/D P/D P/D P/D P/D P/D P/D P/D

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-13

ISO-3 PIN Block

The ISO-3 PIN block is the result of performing an exclusive-OR on two data blocks,

the PIN block and the account number block.

PIN Block Data

The ISO-3 PIN block requires one PIN Block Data field; the last field of the command.

PIN Block

The control field. A four bit value; hexadecimal 3.

PIN length. A four bit hexadecimal value in the range of 4 through 9, A, B, or C.

PIN digit. A four bit hexadecimal value in the range of 0 through 9.

Random pad character. A four bit hexadecimal value in the range of A through F.

Pad character. A four bit hexadecimal value 0.

A1 to A12

The 12 rightmost digits of the Primary Account Number (PAN), excluding the

check digit. A1 is the most significant digit; A12 is the digit that immediately

precedes the Primary Account Number's check digit.

Table 4-7. ISO-3 - PIN Block Data

Field # Contents Length (bytes) Legal Characters

A Twelve rightmost PAN digits

(excluding check digits)

12 0 - 9

Figure 4-9. ISO-3 PIN Block

C N P P P P P/R P/R P/R P/R P/R P/R P/R P/R R R

Figure 4-10. ISO-3 Account Number Block

0 0 0 0 A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 A11 A12

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-14

ISO-3 PIN Block

Example

PIN = 1234

Primary Account Number = 5999997890123457

Random Pad = DBFFAEBACE

PIN Block = 341234DBFFAEBACE

Account Number Block = 0000999789012345

exclusive-OR

the PIN and

Account Number Blocks

ISO-3 PIN Block = 3412AD4C76AF998B

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-15

IBM 4731 PIN Block

The ATM Master Key encrypts the PIN, it is not provided in the command.

PIN Block Data

The IBM 4731 PIN block requires four PIN Block Data fields; the last four fields of the

command.

PIN Block

PIN digit. A four bit hexadecimal value in the range of 0 through 9.

Pad character. A four bit hexadecimal value.

S1 to S16

A 16 hexadecimal character value.

Table 4-8. IBM 4731 - PIN Block Data

Field # Contents Length (bytes) Legal Characters

A Pad Character* 1 0 - 9, A - F, X, W

B PAN 12 0 - 9

MFK.3(KC)*** 16 0 - 9, A - F

D ICV 16 0 - 9, A - F

* Legal pad characters are a hexadecimal value, X and W. The value X indicates that the pad

character is unspecified but can be any hexadecimal character. The value W indicates that the sanity

check, which tests for the existence of pad digits and valid PIN digits, will not be performed.

*** Can be a volatile table location.

Figure 4-11. IBM 4731 PIN Block

Figure 4-12. IBM 4731 ICV

P P P P P/D P/D P/D P/D P/D P/D P/D P/D D D D D

Encrypted Using Communications Key

S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14 S15 S16

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-16

IBM 4731 PIN Block

Example

Master Key = C8B3 047C F7A4 2A70

Communication Key = 68D5 9437 1067 794F

ICV = 0000 1560 0065 0039

PIN = 6731

Pad = F

Figure 4-13. Encrypted IBM 4731 PIN Block

Resulting IBM 4731 PIN Block:

D E 4 5 A 1 6 1 F 3 7 1 9 3 4 6

6 7 3 1 F F F F F F F F F F F F

Clear PIN Block:

Encrypt

ICV:

6 8 D 5 9 4 3 7 1 0 6 7 7 9 4 F

Exclusive Or

A B 0 2 4 8 6 6 2 6 8 0 4 0 7 A

0 0 0 0 1 5 6 0 0 0 6 5 0 0 3 9

Communications Key (KC):

Master Key: C 8 B 3 0 4 7 C F 7 A 4 2 A 7 0

A B 0 2 5 D 0 6 2 6 E 5 4 0 4 3

Encrypt

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-17

VISA Derived Unique Key Per Transaction PIN

Block

VISA Derived Unique Key Per Transaction PIN Block

PIN Block Data

The VISA DUKPT PIN block requires three PIN Block Data fields; the last three fields

of the command.

PIN Block

To better understand the example below, it is important to understand specific terms

that are unique to the VISA DUKPT methodology.

Derivation Key (DK)

A 2key-3DES (double-length) key used to encrypt the Initial Key Serial Number

(IKSN) to obtain the Initial PIN Encryption Key (IPEK).

Key Serial Number (KSN)

A 20 character value that is transmitted from the EFT/POS terminal to the host. It

allows the host to determine the key used to encrypt the PIN. The KSN consists of

the Initial Key Serial Number (59 bits) + the Encryption Counter (21 bits).

Initial Key Serial Number (IKSN)

The leftmost 64 bits of the Key Serial Number.

Initial PIN Encryption Key (IPEK)

Table 4-9. VISA DUKPT - PIN Block Data

Field # Contents Length (bytes) Legal Characters

A PAN digits for ANSI PIN block 12 0 - 9

B Key serial number required to generate

current PIN Encryption Key.

10 - 20 0 - 9, A - F

C PIN encryption key derivation algorithm.

When option A2 set to “B”, the Network

Security Processor generates a 1key-3DES

(single-length) session key when this field

contains either a “1” or “S”, it generates a

2key-3DES (double-length) session key

when this field contains the letter “D”.

When option A2 is set to “S”, this field must

contain the number “1” or the letter “S”.

When option A2 is set to “D”, this field must

contain the number “1” or the letter “D”.

The length of the Base Derivation Key must

be greater than or equal to the length of the

session key.

1 1, S, D

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-18

VISA Derived Unique Key Per Transaction PIN

Block

The result of encrypting the IKSN with the DK. (This value is not used to encrypt

PIN); see Current PIN Encryption Key.

Current Key

The result of encryption of the KSN with the IPEK.

Current PIN Encryption Key

Exclusive-OR the last byte of current key with FF.

Current MAC Key (VISA)

Exclusive-OR the last two bytes of current key with FFFF.

Example

The purpose of this example is to show how the current single-DES PIN Encryption

Key is used to encrypt an ANSI PIN block and also how the Message Authentication

Codes are generated. For information on 3DES-DUKPT see ANSI x9-24-2004 Annex

The POS terminal does not use this algorithm to generate keys, see the Visa

document for a complete description of the terminal and host security module

algorithms.

Generate the current single-DES PIN Encryption Key and encrypt an ANSI PIN

Block

Input data

KSN: FFFF 9876 5432 10E0 0001

Derivation Key (DK): 1334 1334 1334 1334

PIN = 1234 5678 901

PAN = 0002 3456 7890

ANSI PIN Block = 0B12 3454 4CC6 676F

To generate the Initial Key Serial Number (IKSN) take the leftmost 16 characters of

the KSN. IKSN = FFFF 9876 5432 10E0.

To generate the Initial PIN Encryption Key (IPEK) encrypt IKSN with the DK.

IPEK = 3466 11AE D3F1 23B4.

To generate the current key encrypt (using the special VISA technique) the

rightmost 16 characters of the KSN with the IPEK.

1. Exclusive-OR IPEK with KSN = AC10 459C C311 23B5

2. Encrypt the step 1 result with IPEK = 3D95 A124 8CC9 B178

3. Exclusive-OR step 2 result with IPEK = 09F3 B08A 5F38 92CC. This is the

Current Key.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-19

VISA Derived Unique Key Per Transaction PIN

Block

To generate the current PIN Encryption Key exclusive-OR the rightmost byte of the

current key with FF = 09F3 B08A 5F38 9233.

This is the Current PIN Encryption Key.

To generate VISA DUKPT encrypted ANSI PIN Block:

1. Exclusive-Or the ANSI PIN Block with the current PIN Encryption Key.

0B12 3454 4CC6 676F exclusive-OR 09F3 B08A 5F38 9233 = 02E1 84DE

13FE F55C.

2. Encrypt the step 1 result with the current PIN Encryption Key.

Encrypt 02E1 84DE 13FE F55C with 09F3 B08A 5F38 9233 = CFD0 BB26

8F94 D378.

3. Exclusive-Or the step 2 result with the Current PIN Encryption Key.

CFD0 BB26 8F94 D378 exclusive-OR 09F3 B08A 5F38 9233 = C623 0BAC

D0AC 414B. This is the VISA DUKPT PIN Block.

Generate the current MAC Key and MAC1, MAC2 and MAC3

PAN: 1234 1234

Debit/Credit Indicator: 567

Amount: $85,678

To generate the current MAC Key exclusive-OR the rightmost two bytes of the

current key with FFFF.

09F3 B08A 5F38 6D33, this is the Current MAC Key.

To generate VISA DUKPT MAC1, MAC2, MAC3:.

1. Concatenate PAN, Debit/Credit Indicator/Amount 1234 1234 5678 5678

Note: Pad with F to provide a multiple of 16 digits.

2. Exclusive-OR step 1 result with the Current MAC Key.

1234 1234 5678 5678 exclusive-OR 09F3 B08A 5F38 6D33 = 1BC7 A2BE

0940 3B4B.

3. Encrypt step 2 with the Current MAC Key.

Encrypt 1BC7 A2BE 0940 3B4B with 09F3 B08A 5F38 6D33 = 6B9B A42D

1303 A43D.

4. Exclusive-Or step 3 with the Current MAC Key.

6B9B A42D 1303 A43D exclusive-OR 09F3 B08A 5F38 6D33 = 6268 14A7

4C3B C90E.

If the result in step 1 above is 16 digits, then the VISA UKPT MAC1 is the first

8 digits (6268 14A7). To compute MAC2 and MAC3, skip to step 8. If the result

in step 1 above is 32 digits then perform steps 5, 6, and 7.

5. Exclusive-Or the rightmost 16 digits of the step 1 result with the step 4 result.

Take this result and exclusive-OR with the current MAC Key.

6. Encrypt the step 5 result with the Current MAC Key.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-20

VISA Derived Unique Key Per Transaction PIN

Block

7. Exclusive-OR Or the step 6 result with the Current MAC Key. This is the VISA

UKPT MAC1.

8. Exclusive-Or the result from step 4 or step 8 with the Current MAC Key. In

this example the step 4 result is used since step 1 result is 16 digits.

6268 14A7 4C3B C90E exclusive-OR 09F3 B08A 5F38 6D33 = 6B9B A42D

1303 A43D.

9. Encrypt the step 8 result with the Current MAC Key.

Encrypt 6B9B A42D 1303 A43D with 09F3 B08A 5F38 6D33 = 05D5 DCBD

42D2 D2B6.

10. Exclusive-Or the step 9 result with the Current MAC Key.

05D5 DCBD 42D2 D2B6 exclusive-OR 09F3 B08A 5F38 6D33 = 0C26 6C37

1DEA BF85. The leftmost 8 digits (0C26 6C37) is MAC2. The rightmost 8 digits

(1DEA BF85) is MAC3.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-21

PIN Processing Commands

The remainder of this section contains the command and response syntax for the

Network Security Processor PIN processing commands.

Quick Reference

Table 4-10 identifies each command by number, name, and purpose. While Tab l e 4 -1 0

organizes the PIN processing commands by category, the commands themselves are

presented in numerical order.

Table 4-10. PIN Processing Commands (page1of2)

Command Name Purpose

PIN encrypting and decrypting commands

30 Encrypt PIN Formats a clear-text PIN in the ANSI PIN

Block, and encrypts it under a KPE.

90 Decrypt PIN Decrypts an incoming PIN block and returns

the clear-text PIN.

PIN translating commands

31 Translate PIN This command supports a variety of PIN block

types. It outputs the PIN in an ANSI PIN

block. It also translates the PIN from one key

to encryption under another key. Support for

Visa DUKPT PIN block requires option 62 to

be enabled.

33 Translate PIN Same as command 31 above, except the

outgoing PIN Block is not limited to an ANSI

PIN Block.

35 Translate PIN Same as command 31 above, except the

incoming and outgoing PIN block may be

double encrypted.

39 Translate PIN and

Generate MAC

Translates the PIN using 1key-3DES (single-

length) DES keys and Generates a MAC

using 1key-3DES (single-length) KMAC key.

The outgoing PIN Block type is ANSI.

BA PIN Translate ANSI to

PLUS and Generate MAC

Translates the PIN using 1key-3DES (single-

length) DES keys and Generates a MAC

using 1key-3DES (single-length) KMAC key.

The outgoing PIN Block type is PLUS.

BB PIN Translate ANSI to

PLUS and VerifyMAC

Translates the PIN using 1key-3DES (single-

length) DES keys and Verifies a MAC using

1key-3DES (single-length) KMAC key. The

outgoing PIN Block type is PLUS.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-22

Quick Reference

BD Translate PIN and

Generate MAC

Translates the PIN and Generates a MAC.

The outgoing PIN Block type is ANSI it can be

included in the MAC generation process.

335 PIN Translate Supports multiple incoming and outgoing PIN

block types.

PIN Verify and PIN Change commands

32 Verify PIN Decrypts an incoming PIN and verifies it using

a variety of PIN algorithms. Support for the

Visa DUKPT requires option 63 to be

enabled.

32C Verify ePIN Verifies the entered ePIN using the ePIN

Object.

36 Verify Double-Encrypted

Decrypts an incoming double-encrypted PIN

and verifies it according to the specified PIN

algorithm.

37 PIN Change Decrypts an incoming PIN and verifies the old

PIN using a variety of PIN algorithms, and

calculates new PVN using the new PIN.

D0 Verify Clear PIN Verifies a clear PIN using either the Identikey,

IBM 3624, or Visa PIN algorithms.

Offset/PVN Generation commands

3D Generate PVN and Offset Generates an Identikey PVN and IBM 3624

Offset for a PIN and account number.

11E Generate Atalla 2x2 PVN Generates an Atalla 2x2 PVN based on clear-

text input.

30A Calculate PIN Offset Generates a new PIN Offset based on the

PIN.

37B Generate ePIN Offset Generates an ePIN offset based on the ePIN

and PAN.

Table 4-10. PIN Processing Commands (page2of2)

Command Name Purpose

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-23

Encrypt PIN - ANSI Format 0 (Command 30)

Command 30 encrypts a clear-text PIN. This command supports 1key-3DES (single-

length) or 2key-3DES (double-length) PIN Encryption Keys (KPE)s.

This command has a high security exposure, it is not enabled in the Network Security

Processor’s default security policy. You must purchase this command in the form of a

command 105, and then enable it in the Network Security Processor’s security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

EMFK.1(KPE)

Field 1, the PIN Encryption Key (KPE). This field contains a 16 or 32 byte

hexadecimal value, or a volatile table location. If option 6A is enabled, this field can

contain a replicated 1key-3DES (single-length) key.

Field 2, the clear-text PIN. This field contains a numeric value. Option A0 defines

the minimum PIN length. The maximum PIN length is 12 digits.

PAN

Field 3, the Primary Account Number (PAN) digits used to form the ANSI PIN

block; the 12 rightmost digits, excluding the check digit. This field contains a 12

digit numeric value.

<30#EMFK.1(KPE)#PIN#PAN#>

<40#EKPE(ANSI PIN Block)#>[CRLF]

Table 4-11. Command 30: Encrypt PIN (page 1 of 2)

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 30

MFK.1(KPE)* 16, 32 0 - 9, A - F

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-24

Encrypt PIN - ANSI Format 0 (Command 30)

Responding Parameters

Field 0, the response identifier.

EKPE(ANSI PIN Block)

Field 1, the encrypted ANSI PIN block. This field contains 16 hexadecimal

characters.

Usage Notes

Generate the PIN Encryption Key.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Encrypt PIN

Clear-text PIN Encryption Key (KPE): 0000 1111 2222 3333 5555 6666 7777 8888.

The PIN Encryption Key (KPE) encrypted under variant 1 of the MFK:

47F102C2D4DE29C41DE1CF689E9699D6

PIN: 12345678901

Twelve rightmost digits of the Primary Account Number excluding the check digit:

000234567890

The command looks like this:

<30#47F102C2D4DE29C41DE1CF689E9699D6#12345678901#000234567890

2 PIN 4 - 12 0 - 9

3 PAN 12 0 - 9

*Can be a volatile table location.

Table 4-12. Response 40: Encrypt PIN

Field # Contents Length (bytes) Legal Characters

0 Response identifier. 2 40

KPE(ANSI PIN Block). 16 0- 9, A - F

Table 4-11. Command 30: Encrypt PIN (page 2 of 2)

Field # Contents Length (bytes) Legal Characters

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-25

Encrypt PIN - ANSI Format 0 (Command 30)

The Network Security Processor returns the following response:

<40#054935D6E2DA00E2#>

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-26

Translate PIN (Command 31)

Command 31 translates an encrypted PIN block from encryption under an incoming

PIN Encryption Key to an outgoing PIN Encryption Key. The translated PIN block will

be in ANSI PIN Block format. The incoming PIN Encryption key is designated as KPEI,

and the outgoing PIN Encryption Key is designated as KPE0. This command supports

1key-3DES (single-length) or 2key-3DES (double-length) PIN Encryption Keys (KPE)s.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

PIN Block Type

Field 1, the incoming PIN block type. This field is 1 byte, it can contain the

numbers 1, 2, 3, 4, 5 or 9. When option 46 is enabled, this field can only contain

the value 1 (ANSI).

<31#PIN Block Type#EMFK.1(KPEI)#EMFK.1(KPEO)#

EKPEI(PIN Block)#PIN Block Data#>

<41#EKPEO(ANSI PIN Block)#Sanity Check Indicator#

[IBM 3624 Sequence Number#]>[CRLF]

PIN Block Type Numerical Code

ANSI 1

IBM 3624 2

PIN/pad character / Docutel 3

IBM encrypting PIN pad 4

Burroughs 5

IBM 4731 9

VISA DUKPT See Translate PIN – VISA DUKPT (Command 31)

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-27

Translate PIN (Command 31)

EMFK.1(KPEI)

Field 2, the Incoming PIN Encryption Key encrypted under variant 1 of the MFK.

This field can be either a 16 or 32 byte hexadecimal value, or a volatile table

location.

EMFK.1(KPEO)

Field 3, the Outgoing PIN Encryption Key encrypted under variant 1 of the MFK.

This field can be either a 16 or 32 byte hexadecimal value, or a volatile table

location. When option 49 is enabled, an error response is returned if the length of

the (KPEo) is not equal to or greater than the length of the (KPEi).

EKPEI(PIN Block)

Field 4, the incoming PIN block encrypted under the Incoming PIN Encryption Key.

This field contains a 16 or 18 byte hexadecimal value.

PIN Block Data

Field 5, PIN Block data. The content and number of fields depend on the PIN block

type. See PIN Block Types on page 4-4 for information on PIN block data.

Responding Parameters

Field 0, the response identifier.

EKPEO(ANSI PIN Block)

Field 1, the PIN in ANSI PIN block format, encrypted under the Outgoing PIN

Encryption Key. This field contains 16 hexadecimal characters. When a PIN sanity

error is detected, the value in this field may not be correct. When a PIN sanity error

is detected, and option 4B is enabled, this field will contain 16 zeros.

Table 4-13. Command 31: Translate PIN

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 31

1 PIN block type 1 1 - 5, 9

MFK.1(KPEI)* 16,32 0 - 9, A - F

MFK.1(KPEO)* 16,32 0 - 9, A - F

KPEI(PIN Block) 16, 18 0 - 9, A - F

5 PIN block data**

*Can be a volatile table location.

**See PIN Block Types on page 4-4 for information on PIN block data.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-28

Translate PIN (Command 31)

Sanity Check Indicator

Field 2, the sanity check indicator. Option 4B specifies the type of PIN sanity test to

be performed on the incoming PIN block. This field can contain one of the following

values:

Y – PIN block passes the sanity check.

N – PIN block failed the sanity test. Or the length of the PIN is out of range and

PIN-length error reporting has not been enabled. See PIN Sanity Error and

option A1.

L – the length of the PIN is out of range.

[IBM 3624 Sequence Number#]

Field 3, the IBM 3624 sequence number. This field is returned only if the PIN block

type is IBM 3624. When present, this field contains 2 hexadecimal characters.

Usage Notes

Generate the incoming and outgoing PIN Encryption Keys.

Generate the ATM Communications Key if the incoming PIN block is IBM 3624.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Translating a PIN in an ANSI PIN Block.

Clear-text Incoming PIN Encryption Key: 2233 2233 2233 2233.

The Incoming PIN Encryption Key encrypted under variant 1 of the MFK: 8C2A

7691 A708 A88D.

Clear-text Outgoing PIN Encryption Key: 4455 4455 4455 4455.

The Outgoing PIN Encryption Key encrypted under variant 1 of the MFK: 72E7

AEF6 9147 1872.

Clear-text ANSI PIN block: 0512 AC29 ABCD EFED. The PIN is 12345.

The encrypted incoming PIN block: 7B58 719B 354B 147A.

Table 4-14. Response 41: Translate PIN

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 41

KPEO(ANSI PIN Block) 16 0 - 9, A - F

2 Sanity check indicator 1 Y, N, L

3 IBM 3624 sequence number* 2 0 - 9, A - F

*Optional field; returned only if the PIN block type is IBM 3624.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-29

Translate PIN (Command 31)

PIN block data; in this case, the 12 rightmost digits of the Primary Account Number

excluding the check digit: 9876 5432 1012.

The command looks like this:

<31#1#8C2A7691A708A88D#72E7AEF691471872#7B58719B354B147A#

987654321012#>

The Network Security Processor returns the following response:

<41#06087B12E397F5B6#Y#>

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-30

Translate PIN – VISA DUKPT (Command 31)

Command 31 – VISA DUKPT translates an ANSI PIN block that is encrypted using a

VISA DUKPT session key to an ANSI PIN block encrypted under a single or 2key-

3DES (double-length) outgoing PIN Encryption Key.

This command, by default, will generate a 1key-3DES (single-length) session key. Use

option A2 and field 7-Algorithm, to control the length of the generated session key.

This command is a standard command and is enabled in the Network Security

Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the ANSI PIN block encrypted under a DUKPT key. This field contains a 1

byte decimal value of 7.

EMFK.8(Derivation Key)

Field 2, the single or 2key-3DES (double-length) Derivation Key encrypted under

variant 8 of the MFK. This key should be a 2key-3DES (double-length) key. It can

be a 1key-3DES (single-length) key only if option A2 is set to “S”.

EMFK.1(KPEO)

Field 3, the Outgoing PIN Encryption Key encrypted under variant 1 of the MFK.

This field contains a 16 or 32 byte hexadecimal value, or a volatile table location.

When option 49 is enabled, an error response is returned if the length of the

outgoing PIN encryption key is not equal to or greater than the length of the

session key used to encrypt the incoming PIN.

<31#7#EMFK.8(Derivation Key)#EMFK.1(KPEO)#EKPEn(PIN Block)#

PAN Digits#Key Serial Number#Algorithm#>

<41#EKPEO(ANSI PIN Block)#Sanity Check Indicator#>[CRLF]

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-31

Translate PIN – VISA DUKPT (Command 31)

EKPEn(PIN Block)

Field 4, the incoming PIN, encrypted using the VISA DUKPT session key

management technique. This field contains 16 hexadecimal characters.

PAN Digits

Field 5, the 12 PAN digits used to form the ANSI PIN block. This field contains a 12

byte decimal value.

Key Serial Number

Field 6, the 10 to 20 digit Key Serial Number (KSN) from the PIN pad. This field

contains a 10 to 20 byte hexadecimal value.

Algorithm

Field 7, this field is used to determine the length of the session key only when

option A2 is set to “B”. With option A2 set to “B” the Network Security Processor

will generate a 1key-3DES (single-length) session key when this field contains

either a “1” or “S”, and will generate a 2key-3DES (double-length) session key

when this field contains the letter “D”.

The Network Security Processor will always generate a 1key-3DES (single-length)

session key when option A2 is set to “S”, therefore this field must contain the

number “1” or the letter “S”.

The Network Security Processor will always generate a 2key-3DES (double-length)

session key when option A2 is set to “D”, therefore this field must contain the

number “1” or the letter “D”.

Table 4-15. Command 31: Translate PIN – VISA DUKPT

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 31

1 PIN block type 1 7

MFK.8(Derivation key)* 16, 32 0 - 9, A - F

MFK.1(KPEo)* 16, 32 0 - 9, A - F

KPEn(PIN block) 16 0 - 9, A - F

5 PAN digits for ANSI PIN

block

12 0 - 9

6 Key serial number to

generate current PIN

Encryption Key

10 - 20 0 - 9, A - F

7 Algorithm 1 1, S, D

* Can be a volatile table location.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-32

Translate PIN – VISA DUKPT (Command 31)

Responding Parameters

Field 0, the response identifier.

EKPEO(ANSI PIN Block)

Field 1, the PIN formatted in an ANSI PIN block, encrypted under the outgoing PIN

Encryption Key. This field contains 16 hexadecimal characters. When a PIN sanity

error is detected, the value in this field may not be correct. When a PIN sanity error

is detected, and option 4B is enabled, this field will contain 16 zeros.

Sanity Check Indicator

Field 2, the sanity check indicator. Option 4B specifies the type of PIN sanity test to

be performed on the incoming PIN block. This field can contain one of the following

values:

Y – PIN block passes the sanity check.

N – PIN block failed the sanity test. Or the length of the PIN is out of range and

PIN-length error reporting has not been enabled. See PIN Sanity Error and

option A1.

L – the length of the PIN is out of range.

Usage Notes

Generate the outgoing PIN Encryption Key and the Derivation key.

To use this command option 62 must be enabled in the NSP’s security policy.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Translating a PIN in a VISA DUKPT PIN block.

Option A2 is set to “S” or “B” in the Network Security Processor’s security policy.

Clear-text Derivation Key: 1334 1334 1334 1334.

The Derivation Key encrypted under variant 8 of the MFK: 4A79 F2A0 E61F EECF.

Table 4-16. Response 41: Translate PIN – VISA DUKPT

Field # Contents Length (bytes) Legal Characters

0 Response indicator 2 41

KPEO(ANSI PIN Block) 16 0 - 9, A - F

2 Sanity check indicator 1 Y, N, L

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-33

Translate PIN – VISA DUKPT (Command 31)

Clear-text Outgoing PIN Encryption Key: 4455 4455 4455 4455.

The Outgoing PIN Encryption Key encrypted under variant 1 of the MFK: 72E7

AEF6 9147 1872.

Clear-text ANSI PIN Block: 0512 AC29 ABCD EFED.

The DUKPT encrypted PIN block: 8AED F7F9 5963 F4D8.

PIN block data:

Twelve rightmost Primary Account Number digits: 9876 5432 1012.

Key serial number: 9876 5432 10E0 0008.

PIN encryption key derivation algorithm number: 1.

The command looks like this:

<31#7#4A79F2A0E61FEECF#72E7AEF691471872#8AEDF7F95963F4D8#

987654321012#9876543210E00008#1#>

The Network Security Processor returns the following response:

<41#06087B12E397F5B6#Y#>

This example shows the syntax when the option A2 is set to “B” or “S” and field 7 is set

to “S”.

<31#7#AAA57E4E99AE9B0328F6BA950E1664FA#BC62A2AD72516EA1AE86D4

17E64E07E0#BC14A8602228A412#000234567890#9876543210E00008#S#>

The Network Security Processor returns the following response:

<41#50DD506F53C3828A#Y#>

Translating a PIN in a VISA DUKPT PIN block using a 2key-3DES (double-length)

session key.

Option A2 is set to “B”.

Clear-text Base Derivation Key: 0123456789ABCDEF FEDCBA9876543210

The Base Derivation Key encrypted under variant 8 of the MFK:

AAA57E4E99AE9B0328F6BA950E1664FA

Clear-text Outgoing PIN Encryption Key: 4455 4455 4455 4455

The Outgoing PIN Encryption Key encrypted under variant 1 of the MFK:

72E7AEF691471872

Clear-text ANSI PIN block: 041274EDCBA9876F. The PIN is 1270.

Twelve rightmost digits of the Primary Account Number excluding the check digit:

0412 3456 7890. The encrypted incoming PIN block: 7A21BD10F36DC41D.

PIN block data:

Twelve rightmost Primary Account Number digits: 0412 3456 7890.

Key serial number: 9876 5432 10E0 0012.

PIN encryption key derivation algorithm number: D

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-34

Translate PIN – VISA DUKPT (Command 31)

The command looks like this:

<31#7#AAA57E4E99AE9B0328F6BA950E1664FA#72E7AEF691471872#7A21B

D10F36DC41D#041234567890#9876543210E00012#D#>

The Network Security Processor returns the following response:

<41#8E3D883AB4FD13A7#Y#>

This example shows the syntax when the option A2 is set to “D” and field 7 is set to “1”.

<31#7#AAA57E4E99AE9B0328F6BA950E1664FA#72E7AEF691471872#7A21B

D10F36DC41D#041234567890#9876543210E00012#1#>

The Network Security Processor returns the following response:

<41#8E3D883AB4FD13A7#Y#>

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-35

Verify PIN – Identikey (Command 32)

Command 32 – Identikey decrypts an incoming encrypted PIN block and verifies it

using the Atalla Identikey PIN verification method. This command supports 1key-3DES

(single-length) or 2key-3DES (double-length) PIN Encryption Keys (KPE)s.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the PIN verification method; Identikey.

PIN Block Type

Field 2, incoming PIN block type. This field is 1byte, it can contain the numbers 1,

2, 3, 4, 5, 7 or 9.

EKPE(PIN Block)

Field 3, the encrypted PIN. This field contains a 16 or 18 byte hexadecimal value.

<32#1#PIN Block Type#EKPE(PIN Block)#EMFK.1(KPE)#

Bank ID#PVN#Comparison Indicator#Partial PAN#PIN Block Data#>

<42#Sanity Check Indicator/Verification Flag#

[IBM 3624 Sequence Number#]>[CRLF]

PIN Block Type Numerical Code

ANSI 1

IBM 3624 2

PIN/pad character / Docutel 3

IBM encrypting PIN pad 4

Burroughs 5

VISA DUKPT 7

IBM 4731 9

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-36

Verify PIN – Identikey (Command 32)

EMFK.1(KPE)

Field 4, the Incoming PIN Encryption Key encrypted under variant 1 of the MFK.

This field can be either a 16 or 32 byte hexadecimal value, or a volatile table

location.

When the PIN block type is VISA DUKPT (field 2 =7), this field will contain the

Derivation Key encrypted under variant 8 of the MFK. This key should be a 2key-

3DES (double-length) key. It can be a 1key-3DES (single-length) key only if option

A2 is set to “S”.

Bank ID

Field 5, the Bank ID; clear-text or encrypted. The clear-text Bank ID is specified by

the issuer, it can be a 2, 6, or 8 digit number.

The encrypted Bank ID is a 16 hexadecimal character value comprised of the

following four data fields ll, bbbbbbbb, p, and cc. It is encrypted under variant 4 of

the MFK.

ll - a two-digit number; the length of the Bank ID:

02 – The Bank ID in backward index format; the algorithm number must be

less than 65.

06 – The Bank ID is a six digit ISO number.

08 – The Bank ID is an eight digit route-and-transfer number.

bbbbbbbb - The bank ID number (digits 0 - 9); must be the same length as ll.

p - The pad character F, right pads the combined length of the bank ID length (ll)

and the bank ID value (bb - bbbbbbbb) resulting in 14 hexadecimal characters.

Four pad characters are required when the bank ID is an eight digit value. Six pad

characters are required when the bank ID is an six digit value. Ten pad characters

are required when the bank ID is a two digit value.

cc - The two hexadecimal character comparison indicator. This field specifies the

group (left, middle, or right) of four digits of the six-digit Identikey PIN Verification

Number that will be used for the comparison.

4C – Compare the leftmost four digits.

4D – Compare the middle four digits.

52 – Compare the rightmost four digits.

Bank ID Allowable Size (bytes)

Backward index (algorithm number less than 65) 2

ISO number 6

Route and transfer number 8

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-37

Verify PIN – Identikey (Command 32)

PVN

Field 6, the PIN Verification Number. The PVN can be four, six, or eight digits in

length, containing the numbers 0 to 7.

Comparison Indicator

Field 7, a comparison indicator that specifies which four digits (left, middle, or right)

of the six-digit PVN will be compared. This field is 1 byte, and can contain the

character L, M, or R. When the PVN is six or eight digits in length or field 5

contains an encrypted bank ID, the value of this field is not evaluated by the

Network Security Processor.

Partial PAN

Field 8, the portion of the Primary Account Number to be used for verification. This

field contains a 4 to 19 byte decimal value.

PIN Block Data

Field 9, PIN block data. The content and number of fields depend on the PIN block

type. See PIN Block Types on page 4-4 for information on PIN block data.

Responding Parameters

Field 0, the response identifier.

Table 4-17. Command 32: Verify PIN – Identikey

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 32

1 Identikey 1 1

2 PIN block type 1 1 - 5, 7, 9

KPE(PIN block) 16, 18 0 - 9, A - F

MFK.1(KPE)* or

EMFK.8(DK)*

16, 32 0 - 9, A - F

5 Bank ID 2, 6, 8, or 16 0 - 9 or 0 - 9, A - F

6 PIN verification number 4, 6, 8 0 - 7

7 Comparison indicator 1 L, M, R

8 Partial PAN 4 - 19 0 - 9

9 PIN block data**

*Can be a volatile table location.

**See PIN Block Types on page 4-4 for information on PIN block data.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-38

Verify PIN – Identikey (Command 32)

Sanity Check Indicator/Verification Flag

Field 1, the sanity check indicator and verification flag. Option 4B specifies the type

of PIN sanity test to be performed on the incoming PIN block. If the PIN block

passes the sanity check the verification check is conducted. This field can contain

one of the following values:

Y – PIN verification was successful.

N – PIN verification failed.

S – PIN block failed the sanity test. Or the PIN length is out of range and PIN-

length error reporting has not been enabled. See PIN Sanity Error and option

A1.

L – the length of the PIN is out of range.

[IBM 3624 Sequence Number#]

Field 2, the IBM 3624 sequence number. This field is returned only if the PIN block

type is IBM 3624. When present, this field contains 2 hexadecimal characters.

Usage Notes

Generate the PIN Encryption Key.

Generate the ATM Communications Key if the incoming PIN block is IBM 3624.

Generate the Derivation Key when the incoming PIN block is VISA DUKPT.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Identikey PIN Verification - clear-text Bank ID

Verification method: Identikey (1).

PIN block type: ANSI (1).

Clear-text PIN block: 0B12 3454 4CC6 676F.

The Encrypted PIN block: 48E8 8008 12B0 C9EF.

Table 4-18. Response 42: Verify PIN – Identikey

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 42

1 Sanity check indicator/verification flag 1 Y, N, S, L

2 IBM 3624 sequence number* 2 0 - 9, A - F

*Optional field; returned only if the PIN block type is IBM 3624.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-39

Verify PIN – Identikey (Command 32)

Clear-text PIN Encryption Key: 0000 1111 2222 3333.

The PIN Encryption Key encrypted under variant 1 of the MFK: 47F1 02C2 D4DE

29C4.

Bank ID: 9876 5432.

PIN verification number: 7532 75.

Comparison indicator: L (not used).

Partial PAN: 2345 6789 0.

PIN block data; in this case, the 12 rightmost digits of the Primary Account Number

excluding the check digit: 0002 3456 7890.

The command looks like this:

<32#1#1#48E8800812B0C9EF#47F102C2D4DE29C4#98765432#753275#L#

234567890#000234567890#>

The Network Security Processor returns the following response:

<42#Y#>

Identikey PIN Verification - encrypted Bank ID

This example uses the same data values as shown above.

Encrypted Bank ID: A1D9408A417D925D

The command looks like this:

<32#1#1#48E8800812B0C9EF#47F102C2D4DE29C4#A1D9408A417D925D#

753275#L#234567890#000234567890#>

The Network Security Processor returns the following response:

<42#Y#>

Identikey PIN Verification - DUKPT encrypted PIN block

Option A2 is set to “B”.

Verification method: Identikey (1).

PIN block type: VISA DUKPT (7).

Clear-text PIN block: 0B12 3454 4CC6 676F.

The encrypted PIN Block: C623 0BAC D0AC 414B.

Clear-text Derivation Key: 1334 1334 1334 1334 1334 1334 1334 1334.

The Derivation Key encrypted under variant 8 of the MFK: 4A79 F2A0 E61F EECF

4A79 F2A0 E61F EECF.

Identikey data:

Bank ID: 9876 5432.

PIN verification number: 7532 75.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-40

Verify PIN – Identikey (Command 32)

Comparison indicator: L.

Partial PAN: 2345 6789 0.

Twelve rightmost digits of the Primary Account Number: 0002 3456 7890.

Key serial number: 9876 5432 10E0 0001.

Algorithm: 1.

The command looks like this:

<32#1#7#C6230BACD0AC414B#4A79F2A0E61FEECF4A79F2A0E61FEECF#

98765432#753275#L#234567890#000234567890#9876543210E00001#1#>

The Network Security Processor returns the following response:

<42#Y#>

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-41

Verify PIN – IBM 3624 (Command 32)

Command 32 – IBM 3624 decrypts an incoming encrypted PIN block and verifies it

using the IBM 3624 PIN Verification method. This command supports single or 2key-

3DES (double-length) PIN Encryption Keys (KPE)s.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the PIN verification method; IBM 3624.

PIN Block Type

Field 2, the incoming PIN block type. This field is 1byte, it can contain the numbers

1, 2, 3, 4, 5, 7 or 9.

<32#2#PIN Block Type#EKPE(PIN Block)#EMFK.1(KPE)#

Conversion Table#Offset#Validation Data#Pad#

Check-Length#EMFK.4(KPV)#PIN Block Data#>

<42#Sanity Check Indicator/Verification Flag#

[IBM 3624 Sequence Number#]>[CRLF]

PIN Block Type Numerical Code

ANSI 1

IBM 3624 2

PIN/pad character / Docutel 3

IBM encrypting PIN pad 4

Burroughs 5

VISA DUKPT 7

IBM 4731 9

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-42

Verify PIN – IBM 3624 (Command 32)

EKPE(PIN Block)

Field 3, the encrypted PIN. This field contains a 16 or 18 byte hexadecimal value.

EMFK.1(KPE)

Field 4, the Incoming PIN Encryption Key encrypted under variant 1 of the MFK.

This field can be either a 16 or 32 byte hexadecimal value, or a volatile table

location.

When the PIN block type is VISA DUKPT (field 2 = 7), this field will contain the

Derivation Key encrypted under variant 8 of the MFK. This key should be a 2key-

3DES (double-length) key. It can be a 1key-3DES (single-length) key only if option

A2 is set to “S”.

Conversion Table

Field 5, a table that maps hexadecimal digits (0 through 9, A through F) to decimal

digits (0 through 9). This field contains a 16 byte decimal value containing the

clear-text Conversion Table or a volatile table location. When option 48 is enabled,

this field contains a 16 hexadecimal character value (the conversion table

encrypted under variant 6 of the MFK) or a volatile table location. Conversion

Tables stored in the volatile table must be encrypted under variant 6 of the MFK.

When option 4E is enabled, all three forms of the conversion table (clear-text,

decrypted, or value stored in volatile table location) to be processed by the

Network Security Processor must adhere to these rules:

The conversion table must have at least eight unique digits.

No single digit can occur more than four times.

Offset

Field 6, an offset value applied to the algorithm-generated PIN before comparing it

with the customer-entered PIN. This field contains a 4 to 16 byte decimal value.

Validation Data

Field 7, validation data. This value is unique for each card holder and is typically

the account number. This field contains a 4 to 16 byte hexadecimal value. When

the PIN block type is ANSI (field 1 = 1) and option 4C is enabled, the value

supplied in this field must be 12 digits in length and equal to the PIN Block Data

value supplied in field 11.

Pad

Field 8, the pad character used to right-pad the validation data. This field contains

a one byte hexadecimal value. The pad character is only used if the validation data

is less than 16 digits.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-43

Verify PIN – IBM 3624 (Command 32)

Check-Length

Field 9, the check-length. This value is typically the PIN length and determines the

number of PIN digits to be compared. This field contains one hexadecimal

character in the range of 4 through C.

EMFK.4(KPV)

Field 10, the PIN Verification Key (KPV) encrypted under variant 4 of the MFK.

This field contains either a 16 or 32 byte hexadecimal value, or a volatile table

location.

PIN Block Data

Field 11, PIN block data. The content and number of fields depend on the PIN

block type. See PIN Block Types for information on PIN block data.

Responding Parameters

Field 0, the response identifier.

Table 4-19. Command 32: Verify PIN – IBM 3624

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 32

1 PIN verification method (IBM

3624)

2 PIN block type 1 1 - 5, 7, 9

KPE(PIN Block) 16, 18 0 - 9, A - F

MFK.1(KPE)* or

EMFK.8(DK)*

16, 32 0 - 9, A - F

5 Conversion table* 16 0 - 9

6 Offset 4 - 16 0 - 9

7 Validation data 4 - 16 0 - 9, A - F

8 Pad 1 0 - 9, A - F

9 Check-length 1 4 - 9, A - C

10 EMFK.4(KPV)* 16, 32 0 - 9, A - F

11 PIN block data**

*Can be a volatile table location.

**See PIN Block Types on page 4-4 for information on PIN block data.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-44

Verify PIN – IBM 3624 (Command 32)

Sanity Check Indicator/Verification Flag

Field 1, the sanity check indicator and verification flag. Option 4B specifies the type

of PIN sanity test to be performed on the incoming PIN block. If the PIN block

passes the sanity check the verification check is conducted. This field can contain

one of the following values:

Y – PIN verification was successful.

N – PIN verification failed.

S – PIN block failed the sanity test. Or the length of the PIN is out of range and

PIN-length error reporting has not been enabled. See PIN Sanity Error and

option A1.

L – the length of the PIN is out of range.

[IBM 3624 Sequence Number#]

Field 2, the IBM 3624 sequence number. This field is returned only if the PIN block

type is IBM 3624. When present, this field contains 2 hexadecimal characters.

Usage Notes

Generate the incoming PIN Encryption Key.

Generate the ATM Communications Key if the incoming PIN block is IBM 3624.

Generate the Derivation Key when the incoming PIN block is VISA DUKPT.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Verifying an encrypted ANSI PIN block using the IBM 3624 verification method.

PIN block type: ANSI (1).

Clear-text ANSI PIN block: 0936 1436 270E EEEE.

The encrypted ANSI PIN block: 0558 007D 2156 C394.

Table 4-20. Response 42: Verify PIN – IBM 3624

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 42

1 Sanity check indicator/verification flag 1 Y, N, S, L

2 IBM 3624 sequence number* 2 0 - 9, A - F

*Optional field; returned only if the PIN block type is IBM 3624.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-45

Verify PIN – IBM 3624 (Command 32)

Clear-text PIN Encryption Key (KPE): 0000 1111 2222 3333.

The PIN Encryption Key (KPE) encrypted under variant 1 of the MFK: 47F1 02C2

D4DE 29C4.

Conversion table: 8351 2964 7746 1538.

Offset: 6694 537.

Validation data: 3333 3333.

Pad character: D.

Check-length: 7.

Clear-text PIN Verification Key (KPV): 89B0 7B35 A1B3 F47E.

The PIN Verification Key encrypted under variant 4 of the MFK: BB79 3110 FD6D

9BB4.

PIN block data; in this case, the 12 rightmost digits of the Primary Account

Number: 0000 3331 1111.

The command looks like this:

<32#2#1#0558007D2156C394#47F102C2D4DE29C4#8351296477461538#

6694537#33333333#D#7#BB793110FD6D9BB4#000033311111#>

The Network Security Processor returns the following response:

<42#Y#>

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-46

Verify PIN – VISA (Command 32)

Command 32 decrypts an incoming encrypted PIN block and verifies it using the VISA

Verification Method. This command supports single or 2key-3DES (double-length) PIN

Encryption Keys (KPE)s.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the verification method; VISA.

PIN Block Type

Field 2, the incoming PIN type. This field is 1byte, it can contain the numbers 1, 2,

3, 4, 5, 7 or 9.

<32#3#PIN Block Type#EKPE(PIN Block)#EMFK.1(KPE)#

EMFK.4(Key Left)#EMFK.4(Key Right)#PVV#PVKI#PAN#

PIN Block Data#>

<42#Sanity Check Indicator/Verification Flag#

[IBM 3624 Sequence Number#]>[CRLF]

PIN Block Type Numerical Code

ANSI 1

IBM 3624 2

PIN/pad character / Docutel 3

IBM encrypting PIN pad 4

Burroughs 5

VISA DUKPT 7

IBM 4731 9

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-47

Verify PIN – VISA (Command 32)

EKPE(PIN Block)

Field 3, the incoming PIN. This field contains a 16 or 18 byte hexadecimal value.

EMFK.1(KPE)

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-48

Verify PIN – VISA (Command 32)

Responding Parameters

Field 0, the response identifier.

Sanity Check Indicator/Verification Flag

Field 1, the sanity check indicator and verification flag. Option 4B specifies the type

of PIN sanity test to be performed on the incoming PIN block. If the PIN block

passes the sanity check the verification check is conducted. This field can contain

one of the following values:

Y – PIN verification was successful.

N – PIN verification failed.

S – PIN block failed the sanity test. Or the PIN length is out of range and PIN-

length error reporting has not been enabled. See PIN Sanity Error and option

A1.

L – the length of the PIN is out of range.

[IBM 3624 Sequence Number#]

Field 2, the IBM 3624 sequence number. This field is returned only if the PIN block

type is IBM 3624. When present, this field contains 2 hexadecimal characters.

Table 4-21. Command 32: Verify PIN – VISA

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 32

1 Verification method (VISA) 1 3

2 PIN block type 1 1 - 5, 7, 9

KPE(PIN Block) 16, 18 0 - 9, A - F

MFK.1(KPE)* or

EMFK.8(DK)*

16, 32 0 - 9, A - F

MFK.4(Key Left)* 16 0 - 9, A - F

MFK.4(Key Right)* 16 0 - 9, A - F

7 PVV 4 0 - 9

8 PVKI 1 0 - 9

9PAN 11 0 - 9

10 PIN block data**

*Can be a volatile table location.

**See PIN Block Types on page 4-4 for information on PIN block data.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-49

Verify PIN – VISA (Command 32)

Usage Notes

Generate the incoming PIN Encryption Key.

Generate the ATM Communications Key if the incoming PIN block is IBM 3624.

Generate the PIN Verification Key pair, KL and KR.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Verifying an encrypted ANSI PIN block using the VISA verification method.

PIN block type: ANSI (1).

Clear-text ANSI PIN block: 0638 7283 FFFF FFFF.

The ANSI PIN block encrypted under the PIN Encryption Key: 0129 001C E625

BA43.

Clear-text PIN Encryption Key (KPE): 0000 1111 2222 3333.

The PIN Encryption Key (KPE) encrypted under variant 1 of the MFK: 47F1 02C2

D4DE 29C4.

Clear-text Key Left: 4CA2 1616 37D0 133E.

The Key Left encrypted under variant 4 of the MFK: 026C A1B5 23BE 5DC4.

Clear-text Key Right: 5E15 1AEA 45DA 2A16.

The Key Right (KR) encrypted under variant 4 of the MFK: 96D9 3C11 D370 53E2.

PIN verification value: 3691.

PIN Verification Key indicator: 3.

The 11 rightmost digits of the Primary Account Number excluding the check digit:

1234 5678 901.

PIN block data; in this case, the 12 rightmost digits of the Primary Account

Number: 1234 5678 9019.

Table 4-22. Response 42: Verify PIN – VISA

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 42

1 Sanity check indicator/verification flag 1 Y, N, S, L

2 IBM 3624 sequence number* 2 0 - 9, A - F

*Optional field; returned only if the PIN block type is IBM 3624.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-50

Verify PIN – VISA (Command 32)

The command looks like this:

<32#3#1#0129001CE625BA43#47F102C2D4DE29C4#026CA1B523BE5DC4#

96D93C11D37053E2#3691#3#12345678901#123456789019#>

The Network Security Processor returns the following response:

<42#Y#>

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-51

Verify PIN – Atalla DES BiLevel (Command 32)

Command 32 – Atalla DES Bilevel decrypts an incoming PIN and verifies it using the

Atalla DES Bilevel method. This command supports single or 2key-3DES (double-

length) PIN Encryption Keys (KPE)s.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the PIN verification method; Atalla DES Bilevel.

PIN Block Type

Field 2, incoming PIN block type. This field is 1 byte, it can contain the numbers 1,

2, 3, 4, 5, 7 or 9.

<32#4#PIN Block Type#EKPE(PIN Block)#EMFK.1(KPE)#Bank ID#

Partial PAN#EMFK.4(KPV)#PVN-2#PVN-2 Type#PVN-1 Flag#

PVN-2 Start-Compare Flag#PIN Block Data#>

<42#Sanity Check Indicator/Verification Flag#

[IBM Sequence Number#]>[CRLF]

PIN Block Type Numerical Code

ANSI 1

IBM 3624 2

PIN/pad character / Docutel 3

IBM encrypting PIN pad 4

Burroughs 5

VISA DUKPT 7

IBM 4731 9

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-52

Verify PIN – Atalla DES BiLevel (Command 32)

EKPE(PIN Block)

Field 3, the encrypted PIN. This field contains a 16 or 18 byte hexadecimal value.

EMFK.1(KPE)

Field 4, the Incoming PIN Encryption Key encrypted under variant 1 of the MFK.

This field can be either a 16 or 32 byte hexadecimal value, or a volatile table

location.

When the PIN block type is VISA DUKPT (field 2 =7), this field will contain the

Derivation Key encrypted under variant 8 of the MFK. This key should be a 2key-

3DES (double-length) key. It can be a 1key-3DES (single-length) key only if option

A2 is set to “S”.

Bank ID

Field 5, the bank ID field for the Identikey card issuer. The ID is specified by the

issuer, it can be a two-, six-, or eight byte decimal value.

Partial PAN

Field 6, validation data. This value is unique for each card holder, and in the case

of this command, is the partial Primary Account Number (PAN). This field contains

a 4 to 19 byte decimal value.

EMFK.4(KPV)

Field 7, the PIN Verification Key encrypted under variant 4 of the MFK. This field

contains a 16 byte hexadecimal value, or a volatile table location.

PVN-2

Field 8, the PIN Verification Number to be verified. This field contains a 4 to 16

byte hexadecimal value.

PVN-2 Type

Field 9, the PVN-2 type. This field indicates whether the PVN-2 should be

converted to a decimal value. This field is 1 byte, and contains the numbers 0 or 1.

The following table identifies the numerical code for each type of PVN-2.

Data Type Allowable Size (bytes)

Backward index (algorithm number less than 65) 2

ISO number 6

Route and transfer number 8

Action Code

Convert PVN-2 to a decimal value 0

Don't convert PVN-2; leave it as a hexadecimal value 1

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-53

Verify PIN – Atalla DES BiLevel (Command 32)

PVN-1 Flag

Field 10, a flag that indicates that 8 digits of the PVN-1 value should be used to

compute the PVN-2. This field is 1 byte, and contains the number 8.

PVN-2 Start-Compare Flag

Field 11, a flag that specifies the starting position within the generated PVN-2 for

the comparison. This field is 1 byte, and contains the number 1.

PIN Block Data

Field 12, PIN block data. The content and number of fields depend on the PIN

block type. See PIN Block Types on page 4-4 for information on PIN block data.

Responding Parameters

Field 0, the response identifier.

Sanity Check Indicator/Verification Flag

Field 1, the sanity check indicator and verification flag. Option 4B specifies the type

of PIN sanity test to be performed on the incoming PIN block. If the PIN block

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-54

Verify PIN – Atalla DES BiLevel (Command 32)

passes the sanity check the verification check is conducted. This field can contain

one of the following values:

Y – PIN verification was successful.

N – PIN verification failed.

S – PIN block failed the sanity test. Or the PIN length is out of range and PIN-

length error reporting has not been enabled. See PIN Sanity Error and option

A1.

L – the length of the PIN is out of range.

[IBM 3624 Sequence Number#]

Field 2, the IBM 3624 sequence number. This field is returned only if the PIN block

type is IBM 3624. When present, this field contains 2 hexadecimal characters.

Usage Notes

Generate the incoming PIN Verification Key.

Generate the ATM Communications Key if the incoming PIN block is IBM 3624.

Generate the PIN Verification Key.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

Verifying an encrypted ANSI PIN block using Atalla DES Bilevel.

PIN block type: ANSI (1).

Clear-text ANSI PIN block: 0512 345F FFFF FFFF.

The ANSI PIN block encrypted under the PIN Encryption Key (KPE): D492 0F0B

1BF0 39F2.

Clear-text PIN Encryption Key (KPE): 0000 1111 2222 3333.

The PIN Encryption Key (KPE) encrypted under variant 1 of the MFK: 47F1 02C2

D4DE 29C4.

Bank ID: 591210.

Table 4-24. Response 42: Verify PIN – Atalla DES Bilevel

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 42

1 Sanity check indicator/verification flag 1 Y, N, S, L

2 IBM 3624 sequence number* 2 0 - 9, A - F

*Optional field; returned only if the PIN block type is IBM 3624.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-55

Verify PIN – Atalla DES BiLevel (Command 32)

Validation data: 5678901.

Clear-text PIN Verification Key (KPV): ABCD EF01 2345 6789.

The PIN Verification Key (KPV) encrypted under variant 4 of the MFK: 2BDA 26A1

D559 FF71.

PVN-2: 6341 6081 3974 3500.

PVN-2 type: 0.

PVN-1 flag: 8.

PVN-2 start-compare flag: 1.

PIN block data; in this case, the 12 rightmost digits of the Primary Account

Number: 0000 0000 0000.

The command looks like this:

<32#4#1#D4920F0B1BF039F2#47F102C2D4DE29C4#591210#5678901#

2BDA26A1D559FF71#6341608139743500#0#8#1#000000000000#>

The Network Security Processor returns the following response:

<42#Y#>

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-56

Verify PIN – Diebold (Command 32)

Command 32 – Diebold decrypts an incoming encrypted PIN block and verifies it using

the Diebold PIN Verification method. This command supports single or 2key-3DES

(double-length) PIN Encryption Keys (KPE)s.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the PIN verification method; Diebold.

PIN Block Type

Field 2, incoming PIN block type. This field is 1 byte, it can contain the numbers 1,

2, 3, 4, 5, 7 or 9. When option 46 is enabled, this field can only contain the value 1

(ANSI).

<32#5#PIN Block Type#EKPE(PIN Block)#EMFK.1(KPE)#

Validation Data#Offset#Algorithm Number#

Diebold Key Table Location#PIN Block Data#>

<42#Sanity Check Indicator/Verification Flag#

[IBM 3624 Sequence Number#]>[CRLF]

PIN Block Type Numerical Code

ANSI 1

IBM 3624 2

PIN/pad character / Docutel 3

IBM encrypting PIN pad 4

Burroughs 5

VISA DUKPT 7

IBM 4731 9

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-57

Verify PIN – Diebold (Command 32)

EKPE(PIN Block)

Field 3, the encrypted PIN. This field contains a 16 or 18 byte hexadecimal value.

EMFK.1(KPE)

Field 4, the Incoming PIN Encryption Key encrypted under variant 1 of the MFK.

This field can be either a 16 or 32 byte hexadecimal value, or a volatile table

location.

When the PIN block type is VISA DUKPT (field 2 =7), this field will contain the

Derivation Key encrypted under variant 8 of the MFK. This key should be a 2key-

3DES (double-length) key. It can be a 1key-3DES (single-length) key only if option

A2 is set to “S”.

Validation Data

Field 5, validation data. This value is unique for each card holder, and in the case

of this command, is the Primary Account Number (PAN). This field contains a 4 to

19 byte decimal value.

Offset

Field 6, an offset value applied to the algorithm-generated PIN before comparing it

with the customer-entered PIN. This field contains a 4 byte decimal value.

Algorithm Number

Field 7, the Diebold algorithm number. This field is 2 byte decimal value.

Diebold Key Table Location

Field 8, the index to the first volatile table location where the Diebold number table

is stored. Thirty-two contiguous table locations hold the Diebold number table. This

field contains a 1 to 4 byte decimal value.

PIN Block Data

Field 9, PIN block data. The content and number of fields depend on the PIN block

type. See PIN Block Types on page 4-4 for information on PIN block data.

Table 4-25. Command 32: Verify PIN – Diebold (page1of2)

Field # Contents Length (bytes) Legal Characters

0 Command identifier 2 32

1 PIN verification method

(Diebold)

2 PIN block type 1 1 - 5, 7, 9

KPE(PIN block) 16, 18 0 - 9, A - F

MFK.1(KPE)* or

EMFK.8(DK)*

16, 32 0 - 9, A - F

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-58

Verify PIN – Diebold (Command 32)

Responding Parameters

Field 0, the response identifier.

Sanity Check Indicator/Verification Flag

Field 1, the sanity check indicator and verification flag. Option 4B specifies the type

of PIN sanity test to be performed on the incoming PIN block. If the PIN block

passes the sanity check the verification check is conducted. This field can contain

one of the following values:

Y – PIN verification was successful.

N – PIN verification failed.

S – PIN block failed the sanity test. Or the PIN length is out of range and PIN-

length error reporting has not been enabled. See PIN Sanity Error and option

A1.

L – the length of the PIN is out of range.

INVALID NUMBER TABLE – Diebold number table is invalid (it is empty or

contains data other than the Diebold number table). This error usually indicates

that the Diebold Number Table was not properly loaded into the volatile table.

[IBM 3624 Sequence Number#]

Field 2, the IBM 3624 sequence number. This field is returned only if the PIN block

type is IBM 3624. When present, this field contains 2 hexadecimal characters.

5 Validation data 4 - 19 0 - 9

6Offset 4 0 - 9

7 Algorithm number 2 0 - 9

8 Diebold key table location 1 - 4 0 - 9

9 PIN block data.**

*Can be a volatile table location.

**See PIN Block Types on page 4-4 for information on PIN block data.

Table 4-25. Command 32: Verify PIN – Diebold (page2of2)

Field # Contents Length (bytes) Legal Characters

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-59

Verify PIN – Diebold (Command 32)

Usage Notes

Preload the Diebold number table using thirty-two command 74s.

Generate the ATM Communications Key if the incoming PIN block is IBM 3624.

By default, this command processes the leftmost four PIN digits. Enable option 027

to process the rightmost four PIN digits.

Example

Master File Key = 2ABC3DEF45670189 98107645FEDCBA2, check digits = 057A.

See 2key-3DES Key (Double-Length) on page A-5 for component values.

This example uses a specific Diebold Number Table your test results will be different.

Verifying an encrypted ANSI PIN block using the Diebold verification method.

PIN block type: ANSI (1).

Clear-text ANSI PIN block: 0464 56ED CB4 876F.

The ANSI PIN block encrypted under the PIN Encryption Key: AFC5 C290 4C92

2280.

Clear-text PIN Encryption Key (KPE): 0123 4567 89AB CDEF.

The PIN Encryption Key encrypted under variant 1 of the MFK: AE86 D417 E64E

07E0.

Validation data: 1234 5678 90.

Offset: 0000.

Algorithm number: 82.

Diebold key table location: 250.

PIN block data; in this case, the 12 rightmost digits of the Primary Account

Number: 0012 3456 7890.

The command looks like this:

<32#5#1#AFC5C2904C922280#AE86D417E64E07E0#1234567890#0000#82#

250#001234567890#>

Table 4-26. Response 42: Verify PIN – Diebold

Field # Contents Length (bytes) Legal Characters

0 Response identifier 2 42

1 Sanity check indicator/verification flag 1, 15 Y, N, S, L, INVALID

NUMBER TABLE

2 IBM 3624 sequence number* 2 0 - 9, A - F

*Optional field; returned only if the PIN block type is IBM 3624.

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-60

Verify PIN – Diebold (Command 32)

The Network Security Processor returns the following response:

<42#Y#>

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-61

Verify PIN – NCR (Command 32)

Command 32 – NCR decrypts an incoming encrypted PIN block and verifies it using

the NCR method of verification. This command supports single or 2key-3DES (double-

length) PIN Encryption Keys (KPE)s.

This command is enabled in the Network Security Processor’s default security policy.

Command

Response

Calling Parameters

Field 0, the command identifier.

Field 1, the PIN verification method; NCR.

PIN Block Type

Field 2, incoming PIN block type. This field is 1byte, it can contain the numbers 1,

2, 3, 4, 5, 7 or 9.

<32#6#PIN Block Type#EKPE(PIN Block)#EMFK.1(KPE)#

Conversion Table#Offset#Validation Data#Pad#PLEN#EMFK.4(KPV)#

Padding Flag#Counting Flag#Start-Count Position#

Select-PLEN Position#PIN Block Data#>

<42#Sanity Check Indicator/Verification Flag#

[IBM 3624 Sequence Number#]>[CRLF]

PIN Block Type Numerical Code

ANSI 1

IBM 3624 2

PIN p

IBM encrypming PIN p

ISA DUKtPTl

Processing Personal Identification Numbers

NSP Command Reference Manual—C8Z37-9000A

4-62