EFT

Detailed description

Electronic funds transfer operations.

See the HSM technical documentation.

Functions
String	generateDUKPT (byte[] baKSI, byte[] baDID_CTR, int dwParam) throws TacException
	It generates a DUKPT key within the HSM using a KSI (Key Serial Identification), a DID (Device ID) and a CTR (Transaction Counter) from the same KSN (Key Serial Number).
String	generateDUKPTName (byte[] baKSI, byte[] baDID_CTR) throws TacException
	Generates the name of the DUKPT from an entered KSI and CTR.
String	generateBDKName (byte[] baKSI) throws TacException
	Generates the BDK name from a KSI (Key Serial Identification).
byte[]	translatePINBlock (String srcPEK, String dstPEK, int transBlockType, String PAN, byte[] inPINBlock) throws TacException
	It translates a PIN block, decrypting it with one key and encrypting it with another.
byte[]	exportTR31 (String kbpk, String key, int usage, byte mode, byte export) throws TacException
	Exports a key in TR-31 format according to the ASC X9 TR 31-2018 standard.
void	importTR31 (String kbpk, String key, int keyAttributes, byte[] keyBlock) throws TacException
	Import a key in TR-31 format according to the ASC X9 TR 31-2018 standard.

Functions

generateDUKPT()

String generateDUKPT	(	byte[]	baKSI,
		byte[]	baDID_CTR,
		int	dwParam ) throws TacException

It generates a DUKPT key within the HSM using a KSI (Key Serial Identification), a DID (Device ID) and a CTR (Transaction Counter) from the same KSN (Key Serial Number).

Parameters

baKSI	Buffer of size TacNDJavaLib.MIN_KSI_LEN containing the KSI (first 05 bytes of the KSN).
baDID_CTR	Buffer of size TacNDJavaLib.MIN_CTR_LEN containing the DID and CTR (last 05 bytes of the KSN).
dwParam	Operating flags according to the table below. Value Meaning TacNDJavaLib.NEW_DUKPT_MODE_DUK Generates a standard DUK (Derived Unique Key) according to the ISO X9.24-1-2004 manual. TacNDJavaLib.NEW_DUKPT_MODE_PEK Generates a PEK key (PIN Encryption Key) according to the ISO X9.24-1-2004 A-1,A-6 manual by applying the XOR of the 0000 0000 0000 FF00 mask to the parts of the key. TacNDJavaLib.NEW_DUKPT_MODE_MEK Generates a MEK key (MAC Encryption Key) according to the ISO X9.24-1-2004 A-1,A-6 manual by applying the XOR of the 0000 0000 0000 00FF mask to the parts of the key. TacNDJavaLib.NEW_DUKPT_MODE_DE Diversifies the generated key in Data Encryption format. It applies an XOR of the 0000 0000 00FF 0000 0000 00FF 0000 mask to the generated DUKPT key, encrypts the left key of the DUKPT using the generated DUKPT and repeats the encryption with the right key. After this operation, it joins the encrypted left and right parts to form the Data Encryption Key. As described in IDTECH USER MANUAL SecureMag Encrypted MagStripe Reader (80096504-001 RevL 06/19/14). It must be used in combination (via OR operation) with one of the flags: TacNDJavaLib.NEW_DUKPT_MODE_DUK, TacNDJavaLib.NEW_DUKPT_MODE_PEK or TacNDJavaLib.NEW_DUKPT_MODE_MEK. TacNDJavaLib.NEW_DUKPT_MODE_EXP Generates an exportable DUKPT key. This is an attribute flag and should be used in combination with other flags. Only use if specifically required. TacNDJavaLib.NEW_DUKPT_MODE_TMP Generates a temporary DUKPT key. This is an attribute flag and should be used in combination with other flags.

Return

Returns the name of the generated DUKPT key.

Exceptions

TacException

generateDUKPTName()

String generateDUKPTName	(	byte[]	baKSI,
		byte[]	baDID_CTR ) throws TacException

Generates the name of the DUKPT from an entered KSI and CTR.

Parameters

baKSI	Buffer of size TacNDJavaLib.MIN_KSI_LEN containing the KSI (first 05 bytes of the KSN).
baDID_CTR	Buffer of size TacNDJavaLib.MIN_CTR_LEN containing the DID and CTR (last 05 bytes of the KSN).

Return

Returns the name of the DUKPT key.

Exceptions

TacException

generateBDKName()

String generateBDKName

(

byte[]

baKSI

)

throws TacException

Generates the BDK name from a KSI (Key Serial Identification).

Parameters

baKSI

Buffer of size TacNDJavaLib.MIN_KSI_LEN containing the KSI (first 05 bytes of the KSN).

Return

Returns the name of the BDK key.

Exceptions

TacException

translatePINBlock()

byte[] translatePINBlock	(	String	srcPEK,
		String	dstPEK,
		int	transBlockType,
		String	PAN,
		byte[]	inPINBlock ) throws TacException

It translates a PIN block, decrypting it with one key and encrypting it with another.

The incoming block format is identified automatically, and the outgoing block format can be defined by the caller, as long as the format change is not from a PAN Unbound to a PAN Bound. PAN Bound formats are those that use PAN information in their composition. It is therefore possible to perform both key translation and format translation. The caller can perform a forced validation of the format by indicating for the outgoing format, the same one they are using in the incoming PIN Block.

Parameters

srcPEK	Identifier of the decryption key within the HSM.
dstPEK	Identifier of the encryption key within the HSM.
transBlockType	Output block format identifier. According to the table below. Value Meaning TacNDJavaLib.TP_TRANSLATE_TYPE_AUTO It performs an opaque conversion, translating from the block with the source key to the block with the target key, without analyzing the format or content of the block. PAN Bound: does not apply. TacNDJavaLib.TP_TRANSLATE_TYPE_ISO_0 Uses ISO PIN Block Format 0 (equivalent to ANSI PIN Block Format 0 and VISA PIN Block Format 1). PAN Bound: yes. TacNDJavaLib.TP_TRANSLATE_TYPE_ISO_1 Uses ISO PIN Block Format 1. PAN Bound: no. TacNDJavaLib.TP_TRANSLATE_TYPE_ISO_3 Uses ISO PIN Block Format 3. PAN Bound: yes. TacNDJavaLib.TP_TRANSLATE_TYPE_IBM_3624 IBM 3624 block type used. Not implemented.
PAN	PAN (Primary Account Number).
inPINBlock	PIN Block input. The buffer must have the size of a PIN Block, TacNDJavaLib.DES_BLOCK (8 bytes)

Return

PIN block output.

Exceptions

TacException

Notes

In the case of a non-opaque conversion, i.e. a format translation, if the input PIN Block format cannot be recognized, a D_ERR_OPERATION_FAILED error will be returned.
The ISO PIN Block Format 2 method is not implemented in the HSM, as this format is intended to be used to protect the PIN when it is submitted from the chip card reader.

exportTR31()

byte[] exportTR31	(	String	kbpk,
		String	key,
		int	usage,
		byte	mode,
		byte	export ) throws TacException

Exports a key in TR-31 format according to the ASC X9 TR 31-2018 standard.

Parameters

kbpk	Name of the KBPK key (Key Block Protection Key) used to derive the encryption and authentication keys.
key	Name of the key to be exported from the HSM.
usage	Key usage identifier, as described in ASC X9 TR 31-2018 Section A.5.1 table 6. The following options are accepted. Value Meaning TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_AUTO Sets the identifier automatically. The following values are used: TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_D0 for symmetric key and TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_D1 for asymmetric key. TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_B0 BDK Base Derivation Key TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_B1 Initial DUKPT Key TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_B2 Base Key Variant Key TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_C0 CVK Card Verification Key TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_D0 Symmetric Key for Data Encryption TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_D1 Asymmetric Key for Data Encryption TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_D2 Data Encryption Key for Decimalization Table TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_E0 EMV/chip Issuer Master Key: Application cryptograms TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_E1 EMV/chip Issuer Master Key: Secure Messaging for Confidentiality TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_E2 EMV/chip Issuer Master Key: Secure Messaging for Integrity TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_E3 EMV/chip Issuer Master Key: Data Authentication Code TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_E4 EMV/chip Issuer Master Key: Dynamic Numbers TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_E5 EMV/chip Issuer Master Key: Card Personalization TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_E6 EMV/chip Issuer Master Key: Other TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_I0 Initialization Vector (IV) TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_K0 Key Encryption or wrapping TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_K1 TR-31 Key Block Protection Key TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_K2 TR-34 Asymmetric key TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_K3 Asymmetric key for key agreement/key wrapping TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_M0 ISO 16609 MAC algorithm 1 (using TDEA) TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_M1 ISO 9797-1 MAC Algorithm 1 TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_M2 ISO 9797-1 MAC Algorithm 2 TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_M3 ISO 9797-1 MAC Algorithm 3 TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_M4 ISO 9797-1 MAC Algorithm 4 TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_M5 ISO 9797-1:1999 MAC Algorithm 5 TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_M6 ISO 9797-1:2011 MAC Algorithm 5/CMAC TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_M7 HMAC TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_M8 ISO 9797-1:2011 MAC Algorithm 6 TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_P0 PIN Encryption TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_S0 Asymmetric key pair for digital signature TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_S1 Asymmetric key pair, CA key TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_S2 Asymmetric key pair, non-X9.24 key TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_V0 PIN verification, KPV, other algorithm TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_V1 PIN verification, IBM 3624 TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_V2 PIN Verification, VISA PVV TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_V3 PIN Verification, X9.132 algorithm 1 TacNDJavaLib.EFT_ME_TR31_EXP_USAGE_V4 PIN Verification, X9.132 algorithm 2
mode	Key usage mode identifier, as described in ASC X9 TR 31-2018 Section A.5.3 table 8. The following options are accepted. Value Meaning TacNDJavaLib.EFT_ME_TR31_EXP_MODE_AUTO Sets the usage mode identifier automatically. The following value is used TacNDJavaLib.EFT_ME_TR31_EXP_MODE_N. TacNDJavaLib.EFT_ME_TR31_EXP_MODE_B Both Encryption & Decryption / Wrap & Unwrap TacNDJavaLib.EFT_ME_TR31_EXP_MODE_C Both Generation & Verification TacNDJavaLib.EFT_ME_TR31_EXP_MODE_D Decryption / Unwrap Only TacNDJavaLib.EFT_ME_TR31_EXP_MODE_E Encryption / Wrap Only TacNDJavaLib.EFT_ME_TR31_EXP_MODE_G Generation Only TacNDJavaLib.EFT_ME_TR31_EXP_MODE_N No special restrictions (except those defined by the key usage identifier) TacNDJavaLib.EFT_ME_TR31_EXP_MODE_S Signature Only TacNDJavaLib.EFT_ME_TR31_EXP_MODE_T Both Signature & Decryption TacNDJavaLib.EFT_ME_TR31_EXP_MODE_V Verification only TacNDJavaLib.EFT_ME_TR31_EXP_MODE_X Key used to derive other key(s) TacNDJavaLib.EFT_ME_TR31_EXP_MODE_Y Key used to create key variants
export	Key exportability identifier, as described in ASC X9 TR 31-2018 Section A.5.5 table 10. The following options are accepted. Value Meaning TacNDJavaLib.EFT_ME_TR31_EXP_AUTO Defines the exportability identifier automatically. The following value is used TacNDJavaLib.EFT_ME_TR31_EXP_X9_24. TacNDJavaLib.EFT_ME_TR31_EXP_X9_24 Exportable under a KEK (Key Encryption Key) in a format meeting that defined in the requirements of X9.24 Parts 1 or 2. TacNDJavaLib.EFT_ME_TR31_EXP_NON_EXPORTABLE Not exportable by the recipient of the Key Block, or storage location. Does not prevent the export of keys derived from a non-exportable key. TacNDJavaLib.EFT_ME_TR31_EXP_KEK_EXPORTABLE Sensitive, Exportable under a KEK (Key Encryption Key) in a format not necessarily in accordance with the requirements of X9.24 Parts 1 or 2.

Return

key block

Exceptions

TacException

Notes

This API exports a key using the methods for generating key_block below.

KBPK algorithm	Export method
3DES	5.3.2.1 Key Derivation Binding Method - TDEA
AES	5.3.2.3 Key Block Binding Method - AES

importTR31()

void importTR31	(	String	kbpk,
		String	key,
		int	keyAttributes,
		byte[]	keyBlock ) throws TacException

Import a key in TR-31 format according to the ASC X9 TR 31-2018 standard.

Parameters

kbpk	Name of the KBPK key (Key Block Protection Key) used to derive the encryption and authentication keys.
key	Name of the key to be imported into the HSM.
keyAttributes	Additional key parameters. See the options in the createKey() method.
keyBlock	key block

Exceptions

TacException

Notes

This API imports keys protected by the generation methods of the key_block.

KBPK algorithm	Method
3DES	5.3.2.1 Key Derivation Binding Method - TDEA
AES	5.3.2.3 Key Block Binding Method - AES