ZPK Session Key Handling

Use your Encrypted ZMK and the Encrypted ZPK Session Key gotten from successful key exchange response, to get your own Clear ZPK Session Key, that you'd use in encrypting PIN Blocks of tranactions before forwarding to respective issuers. Note that this Encrypted ZPK Session Key is a more secure Double Variant, hence a normal 3DES Decryption won't suffice, this shows a step by step process how to go about it with an example

  1. Assuming 98EEA376A14DF58578E7D77585512DF3230BEF0000000000 is the Field 53 of a successful KE Response. The first 32 characters 98EEA376A14DF58578E7D77585512DF3 will be the Encrypted ZPK Session Key, the next 6 characters 230BEF will be the KCV of your final Clear ZPK Session you'd arrive at, the next 10 characters 0000000000 are just padding.

  2. The Encrypted ZPK Session Key from key exchange response 98EEA376A14DF58578E7D77585512DF3. Divide it into two parts i.e 16 characters each (A & B) Part A == 98EEA376A14DF585 and Part B == 78E7D77585512DF3

  3. Assuming the Encrypted ZMK gotten from the 2 clear ZMK components shared with you is 63E4880A2D502DD8E835C68DD8061BBB. Divide it also into two parts i.e 16 characters each (A & B). Part A == 63E4880A2D502DD8 and Part B == E835C68DD8061BBB

  4. Apply Variant on ZMK Part B (XOR A6 with first two characters of ZMK Part B i.e E8 ===> A6 ^ E8 = 4E). We can now get a varianted ZMK that looks like this when divided into 2 parts 63E4880A2D502DD8 4E35C68DD8061BBB, note the E8 was replaced with 4E gotten from the XOR operation. THEN do a 3DES DECRYPT of ZPK PART A WITH VARIANTED ZMK WE JUST GOT. THIS GIVES US 1A6B0B08DFC7AB4A 93359B61A7A122E7 ==> RESULT 1

  5. Apply Variant on ZMK Part B (XOR 5A with first two characters of ZMK Part B i.e E8 ===> 5A ^ E8 = B2). We can now get a varianted ZMK that looks like this when divided into 2 parts 63E4880A2D502DD8 B235C68DD8061BBB, note the E8 was replaced with B2 gotten from the XOR operation. THEN do a 3DES DECRYPT of ZPK PART B WITH VARIANTED ZMK WE JUST GOT. THIS GIVES US C7153E524C07643D 6650483FBDDFE212 ==> RESULT 2

  6. FINAL RESULT IS A CONCATENATION OF PART A OF BOTH RESULT 1 from STEP 3 AND RESULT 2 from STEP 4 ====> 1A6B0B08DFC7AB4AC7153E524C07643D = FINAL RESULT CLEAR ZPK SESSION KEY

  7. IF YOU GENERATE A KCV OF OFF FINAL RESULT GOTTEN IN STEP 5, IT SHOULD MATCH KCV OF ZPK IN STEP 1