Product Documentation

The ReencryptPINBlock (RPB) operation decrypts a hex-encoded PIN block ciphertext string using a PIN encryption key derived from the BDK and KSN. The algorithm to use with the PIN encryption key is specified as a parameter and determines the type of decryption performed. The decrypted PIN block is then encrypted again using a second derived PIN encryption key. This second key is derived from the specified Terminal PIN Key (TPK) using the same KSN that was specified for PIN decryption, and the PIN block is re-encrypted using the same algorithm as before. Note that the TPK is used in exactly the same manner as the BDK for the re-encryption step. The RPB web service operation requires eight parameters:

DID

The unique encryption domain identifier.

username

The username (service credential) within the encryption domain with the authorization to call this web service. The user requires the Decryption privilege to execute this operation.

password

The password of the username to authenticate the credential of the requester.

bdktoken

The token that references the BDK. The BDK is used to decrypt the supplied ciphertext.

tpktoken

The token that references the TPK. The TPK is used to re-encrypt the decrypted PIN block. Note that the escrow of the TPK is handled as a separate web service operation in the Key Management Service module of the SAKA; the TPK token must exist in SAKA for the RPB web service to be executed successfully.

ksn

The KSN to use to generate a derived key. The KSN must be exactly 10 bytes (20 hexadecimal characters) and must be sent to the web service as a hex-encoded string.

ciphertext

The PIN Block ciphertext to be decrypted. The ciphertext must be sent to the web service as a hex-encoded string.

algorithm

The algorithm to use for this decryption. Valid choices are “TDES” and “AES”, with the default value being “TDES”. Alternatively, a full transform can be specified in the form “AES/CBC/ZeroBytePadding” if the default mode and padding of each derived key type need to be overridden. Continue reading the description of the web service mechanics for more details.


When SAKA receives the request, it verifies the credentials presented against its internal database—or an optional LDAP directory server—and determines their authorization to request the ReencryptPINBlock service by verifying that they are a member of the DecryptionAuthorized group. Note that if using LDAP, this group and its members must be created in the LDAP directory as a distinct task of the SAKA installation process; when using the internal database on SAKA, this group is created automatically.

If the requester is authorized, SAKA proceeds to recover the BDK for this operation based on the BDK Token parameter. Using the BDK and portions of the provided KSN, an IPEK (Initial PIN Encryption Key) is derived. Using the IPEK, the derived key (of the type requested for this transaction) is generated based on the remaining portions of the KSN, including the transaction counter.

With the TDES algorithm, the default cryptographic mode and padding for the RPB web service are Electronic Code Book (ECB) and NoPadding, respectively. While you can override this by specifying the full cryptographic algorithm, mode and padding in the web service parameter, most banking infrastructure uses the “DESede/ECB/NoPadding” cryptographic transform for PIN block transaction processing. In this situation, specifying “TDES” or omitting the algorithm parameter altogether produces the same result.
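The derivation chain above (BDK and KSN to IPEK, IPEK and counter to a per-transaction PIN key, then decrypt under the BDK-derived key and re-encrypt under the TPK-derived key with DESede/ECB/NoPadding) is shown below as an added, self-contained example. It is not SAKA's code: it assumes the standard ANSI X9.24-1 TDES DUKPT procedure (key mask C0C0C0C0…, PIN-key variant …FF…FF), which the page does not name explicitly. The BDK, KSN and plaintext PIN block are the well-known X9.24 sample values; the TPK value, the function names and the length checks are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constants from the X9.24 DUKPT procedure (assumed here to be what the appliance implements).
var (
	keyMask    = mustHex("C0C0C0C000000000C0C0C0C000000000") // used when computing the left half of a new key
	pinVariant = mustHex("00000000000000FF00000000000000FF") // turns the derived key into the PIN encryption key
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// tdesBlock runs one 8-byte block through 2-key TDES (K1||K2||K1), the
// "DESede/ECB/NoPadding" primitive the documentation names as the default.
func tdesBlock(key16, in []byte, decrypt bool) []byte {
	key24 := append(append([]byte{}, key16...), key16[:8]...)
	c, err := des.NewTripleDESCipher(key24)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// tdesECB applies tdesBlock to every block; NoPadding means the caller must already supply whole blocks.
func tdesECB(key16, data []byte, decrypt bool) ([]byte, error) {
	if len(data) == 0 || len(data)%8 != 0 {
		return nil, errors.New("ECB/NoPadding input must be a non-zero multiple of 8 bytes")
	}
	out := make([]byte, 0, len(data))
	for i := 0; i < len(data); i += 8 {
		out = append(out, tdesBlock(key16, data[i:i+8], decrypt)...)
	}
	return out, nil
}

// DeriveIPEK builds the initial PIN encryption key from the BDK and the leftmost
// 8 bytes of the KSN with the 21-bit transaction counter cleared.
func DeriveIPEK(bdk, ksn []byte) []byte {
	reg := append([]byte{}, ksn[:8]...)
	reg[7] &= 0xE0
	return append(tdesBlock(bdk, reg, false), tdesBlock(xorBytes(bdk, keyMask), reg, false)...)
}

// encryptRegister is the single-DES step of the non-reversible key generation process.
func encryptRegister(key, reg []byte) []byte {
	keyL, keyR := key[:8], key[8:]
	c, _ := des.NewCipher(keyL)
	out := make([]byte, 8)
	c.Encrypt(out, xorBytes(reg, keyR))
	return xorBytes(out, keyR)
}

// DerivePINKey walks the set counter bits of the KSN starting from the IPEK, giving a
// unique key for this transaction, then applies the PIN-encryption-key variant.
func DerivePINKey(ipek, ksn []byte) []byte {
	reg := append([]byte{}, ksn[2:10]...) // rightmost 8 bytes of the KSN
	reg[5] &= 0xE0
	reg[6], reg[7] = 0, 0 // counter bits cleared
	counter := uint32(ksn[7]&0x1F)<<16 | uint32(ksn[8])<<8 | uint32(ksn[9])
	key := append([]byte{}, ipek...)
	for shift := uint32(1 << 20); shift > 0; shift >>= 1 {
		if counter&shift != 0 {
			reg[5] |= byte(shift >> 16)
			reg[6] |= byte(shift >> 8)
			reg[7] |= byte(shift)
			key = append(encryptRegister(xorBytes(key, keyMask), reg), encryptRegister(key, reg)...)
		}
	}
	return xorBytes(key, pinVariant)
}

// ReencryptPINBlock follows the RPB flow: decrypt under the key derived from the BDK,
// then encrypt under the key derived in the same way from the TPK and the same KSN.
func ReencryptPINBlock(bdk, tpk, ksn, ciphertext []byte) ([]byte, error) {
	if len(ksn) != 10 {
		return nil, fmt.Errorf("ksn must be 10 bytes (20 hex characters), got %d", len(ksn))
	}
	if len(bdk) != 16 || len(tpk) != 16 {
		return nil, errors.New("BDK and TPK must be 16-byte double-length TDES keys")
	}
	clear, err := tdesECB(DerivePINKey(DeriveIPEK(bdk, ksn), ksn), ciphertext, true)
	if err != nil {
		return nil, err
	}
	return tdesECB(DerivePINKey(DeriveIPEK(tpk, ksn), ksn), clear, false)
}

func main() {
	bdk := mustHex("0123456789ABCDEFFEDCBA9876543210") // X9.24 sample BDK
	ksn := mustHex("FFFF9876543210E00001")             // X9.24 sample KSN, counter = 1
	tpk := mustHex("FEDCBA98765432100123456789ABCDEF") // constructed TPK for this example
	pinBlock := mustHex("041274EDCBA9876F")            // constructed ISO format-0 block (PIN 1234, PAN 4012345678909)
	// Terminal side: the request ciphertext is the block encrypted under the BDK-derived key.
	ct, _ := tdesECB(DerivePINKey(DeriveIPEK(bdk, ksn), ksn), pinBlock, false)
	out, err := ReencryptPINBlock(bdk, tpk, ksn, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ENCPIN under TPK: %X\n", out)
	// The party holding the TPK recovers the original block with the same derivation.
	back, _ := tdesECB(DerivePINKey(DeriveIPEK(tpk, ksn), ksn), out, true)
	fmt.Println("round trip ok:", bytes.Equal(back, pinBlock))
}
```

The length checks in ReencryptPINBlock are where a service would reject a malformed ksn (anything other than 10 bytes) or a ciphertext that is not a whole number of 8-byte blocks, which is what NoPadding implies; the plaintext PIN block is held only between the two tdesECB calls and never leaves the function.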

On success, the response contains the following elements:

DID

The unique encryption domain identifier for the domain that serviced this request.

SRID

A unique request identifier for this transaction.

KSN

The KSN used to service this request.

ENCPIN

The hex-encoded PIN block ciphertext as encrypted by the TPK using this KSN.