dukpt 0.0.1

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Shopify
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,36 @@
+# DUKPT
+
+This library implements a decrypter for ciphertext originating from a device using a Derived Unique Key Per Transaction (DUKPT) scheme.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'dukpt'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install dukpt
+
+## Usage
+
+    # Instantiate a decrypter with your base derivation key (BDK)
+    decrypter = DUKPT::Decrypter.new("0123456789ABCDEFFEDCBA9876543210")
+  
+    # Pass the ciphertext and the current Key Serial Number (KSN), as hex encoded strings, to the decryptor to get back the plaintext
+    ksn = "FFFF9876543210E00008"
+    ciphertext = "C25C1D1197D31CAA87285D59A892047426D9182EC11353C051ADD6D0F072A6CB3436560B3071FC1FD11D9F7E74886742D9BEE0CFD1EA1064C213BB55278B2F12"
+  
+    plaintext = decrypter.decrypt(ciphertext, ksn) # => "%B5452300551227189^HOGAN/PAUL      ^08043210000000725000000?\x00\x00\x00\x00"
+  
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,12 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+task :default => :test
+
+Rake::TestTask.new(:test) do |t|
+  t.pattern = 'test/**/*_test.rb'
+  t.ruby_opts << '-rubygems'
+  t.libs << 'test'
+  t.verbose = true
+end

data/dupkt.gemspec

@@ -0,0 +1,17 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/dukpt/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["David Seal", "Cody Fauser"]
+  gem.email         = ["david.seal@shopify.com", "cody@shopify.com"]
+  gem.description   = %q{Implements a Derived Unique Key Per Transaction (DUKPT) decrypter}
+  gem.summary       = %q{Implements a Derived Unique Key Per Transaction (DUKPT) decrypter}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "dukpt"
+  gem.require_paths = ["lib"]
+  gem.version       = DUKPT::VERSION
+end

data/lib/dukpt.rb

@@ -0,0 +1,3 @@
+require 'dukpt/encryption'
+require 'dukpt/decrypter'
+require "dukpt/version"

data/lib/dukpt/decrypter.rb

@@ -0,0 +1,17 @@
+module DUKPT
+  class Decrypter
+    include Encryption
+    
+    attr_reader :bdk
+    def initialize(bdk)
+      @bdk = bdk
+    end
+
+    def decrypt(cryptogram, ksn)
+      ipek = derive_IPEK(bdk, ksn)
+      pek = derive_PEK(ipek, ksn)
+      decrypted_cryptogram = triple_des_decrypt(pek, cryptogram)
+      [decrypted_cryptogram].pack('H*')
+    end
+  end
+end

data/lib/dukpt/encryption.rb

@@ -0,0 +1,106 @@
+require 'openssl'
+
+module DUKPT
+  module Encryption
+    REG3_MASK       = 0x1FFFFF
+    SHIFT_REG_MASK  = 0x100000
+    REG8_MASK       = 0xFFFFFFFFFFE00000
+    LS16_MASK       = 0x0000000000000000FFFFFFFFFFFFFFFF
+    MS16_MASK       = 0xFFFFFFFFFFFFFFFF0000000000000000
+    KEY_MASK        = 0xC0C0C0C000000000C0C0C0C000000000
+    PEK_MASK        = 0x00000000000000FF00000000000000FF
+    KSN_MASK        = 0xFFFFFFFFFFFFFFE00000
+    
+    def derive_key(ipek, ksn)
+      ksn_current = ksn.to_i(16)
+      
+      # Get 8 least significant bytes
+      ksn_reg = ksn_current & LS16_MASK
+
+      # Clear the 21 counter bits
+      ksn_reg = ksn_reg & REG8_MASK
+      
+      # Grab the 21 counter bits
+      reg_3 = ksn_current & REG3_MASK
+      shift_reg = SHIFT_REG_MASK
+      
+      #Initialize "curkey" to be the derived "ipek"
+      curkey = ipek.to_i(16)
+      while (shift_reg > 0)
+      	if shift_reg & reg_3 > 0
+      	  ksn_reg = shift_reg | ksn_reg          
+          curkey = keygen(curkey, ksn_reg)
+      	end
+      	shift_reg = shift_reg >> 1
+      end
+      hex_string_from_val(curkey, 16)
+    end
+
+    def keygen(key, ksn)
+      cr1 = ksn
+      cr2 = encrypt_register(key, cr1)      
+      
+      key2 = key ^ KEY_MASK
+      
+      cr1 = encrypt_register(key2, cr1)
+
+      [hex_string_from_val(cr1, 8), hex_string_from_val(cr2, 8)].join.to_i(16)      
+    end
+
+    def pek_from_key(key)
+      hex_string_from_val((key.to_i(16) ^ PEK_MASK), 16)
+    end
+
+    def derive_PEK(ipek, ksn)
+      pek_from_key(derive_key(ipek, ksn))      
+    end
+
+    def derive_IPEK(bdk, ksn)
+    	ksn_cleared_count = (ksn.to_i(16) & KSN_MASK) >> 16
+    	left_half_of_ipek = triple_des_encrypt(bdk, hex_string_from_val(ksn_cleared_count, 8)) 
+    	xor_base_derivation_key = bdk.to_i(16) ^ KEY_MASK
+    	right_half_of_ipek = triple_des_encrypt(hex_string_from_val(xor_base_derivation_key, 8), hex_string_from_val(ksn_cleared_count, 8))
+    	ipek_derived = left_half_of_ipek + right_half_of_ipek
+    end
+    
+    def triple_des_decrypt(key, message)
+    	openssl_encrypt("des-ede-cbc", key, message, false)
+    end
+    
+    def triple_des_encrypt(key, message)
+    	openssl_encrypt("des-ede-cbc", key, message, true)
+    end
+    
+    def des_encrypt(key, message)
+    	openssl_encrypt("des-cbc", key, message, true)
+    end
+    
+    private
+    
+    def hex_string_from_val val, bytes
+      val.to_s(16).rjust(bytes * 2, "0")
+    end
+    def encrypt_register(curkey, reg_8)
+      left_key_half = (curkey & MS16_MASK) >> 64
+  	  right_key_half = curkey & LS16_MASK
+
+  		message = right_key_half ^ reg_8
+  		ciphertext = des_encrypt(hex_string_from_val(left_key_half, 8), hex_string_from_val(message, 8)).to_i(16)
+  		result = right_key_half ^ ciphertext
+
+      result
+    end
+    
+    def openssl_encrypt(cipher_type, key, message, is_encrypt)
+    	cipher = OpenSSL::Cipher::Cipher::new(cipher_type)
+    	is_encrypt ? cipher.encrypt : cipher.decrypt
+    	cipher.padding = 0
+    	cipher.key = [key].pack('H*')
+    	# No Initial Vector is used in the process.
+    	cipher_result = ""
+    	cipher_result << cipher.update([message].pack('H*'))
+    	cipher_result << cipher.final
+    	cipher_result.unpack('H*')[0]
+    end
+  end
+end

data/lib/dukpt/version.rb

@@ -0,0 +1,3 @@
+module DUKPT
+  VERSION = "0.0.1"
+end

data/test/decrypter_test.rb

@@ -0,0 +1,17 @@
+require 'bundler/setup'
+require 'test/unit'
+require 'dukpt'
+
+class DUKPT::DecrypterTest < Test::Unit::TestCase  
+  
+  def test_decrypt_track_data
+    bdk = "0123456789ABCDEFFEDCBA9876543210"
+    ksn = "FFFF9876543210E00008"
+    ciphertext = "C25C1D1197D31CAA87285D59A892047426D9182EC11353C051ADD6D0F072A6CB3436560B3071FC1FD11D9F7E74886742D9BEE0CFD1EA1064C213BB55278B2F12"
+    plaintext = "%B5452300551227189^HOGAN/PAUL      ^08043210000000725000000?\x00\x00\x00\x00"
+    
+    decrypter = DUKPT::Decrypter.new(bdk)
+    assert_equal plaintext, decrypter.decrypt(ciphertext, ksn)
+  end
+  
+end

data/test/encryption_test.rb

@@ -0,0 +1,93 @@
+require 'test/unit'
+require 'bundler/setup'
+require 'dukpt'
+
+class DUKPT::EncryptionTest < Test::Unit::TestCase
+  include DUKPT::Encryption
+  
+  def test_least_signinficant_16_nibbles_mask
+    expected = 0x00009876543210E00008
+    actual   = 0xFFFF9876543210E00008 & LS16_MASK
+    assert_equal expected, actual
+  end
+  
+  def test_register_8_mask
+    expected = 0x00009876543210e00000
+    actual   = 0xFFFF9876543210E00008 & REG8_MASK
+    assert_equal expected, actual
+  end
+  
+  def test_register_3_mask
+    expected = 0x1FFFFF
+    actual   = 0xFFFFFFFFFFFFFFFFFFFF & REG3_MASK
+    assert_equal expected, actual
+  end
+  
+  def test_derive_ipek
+    ksn = "FFFF9876543210E00008"
+    bdk = "0123456789ABCDEFFEDCBA9876543210"
+    ipek = derive_IPEK(bdk, ksn)
+    assert_equal '6ac292faa1315b4d858ab3a3d7d5933a', ipek
+  end
+  
+  def test_derive_pek
+    ksn = "FFFF9876543210E00008"
+    pek = derive_PEK('6ac292faa1315b4d858ab3a3d7d5933a', ksn)
+    assert_equal '27f66d5244ff621eaa6f6120edeb427f', pek
+  end
+  
+  def test_derive_key_3
+    ksn = "FFFF9876543210E00003"
+    key = derive_key('6ac292faa1315b4d858ab3a3d7d5933a', ksn)
+    assert_equal '0DF3D9422ACA56E547676D07AD6BADFA', key.upcase
+  end
+
+  def test_derive_pek_counter_3
+    ksn = "FFFF9876543210E00003"
+    pek = derive_PEK('6ac292faa1315b4d858ab3a3d7d5933a', ksn)
+    assert_equal '0DF3D9422ACA561A47676D07AD6BAD05', pek.upcase
+  end
+
+  def test_derive_pek_counter_7
+    ksn = "FFFF9876543210E00007"
+    pek = derive_PEK('6ac292faa1315b4d858ab3a3d7d5933a', ksn)
+    assert_equal '0C8F780B7C8B492FAE84A9EB2A6CE69F', pek.upcase
+  end
+
+  def test_derive_pek_counter_F
+    ksn = "FFFF9876543210E0000F"
+    pek = derive_PEK('6ac292faa1315b4d858ab3a3d7d5933a', ksn)
+    assert_equal '93DD5B956C4878B82E453AAEFD32A555', pek.upcase
+  end
+
+  def test_derive_pek_counter_10
+    ksn = "FFFF9876543210E00010"
+    pek = derive_PEK('6ac292faa1315b4d858ab3a3d7d5933a', ksn)
+    assert_equal '59598DCBD9BD943F94165CE453585FA8', pek.upcase
+  end
+
+  def test_derive_pek_counter_13
+    ksn = "FFFF9876543210E00013"
+    pek = derive_PEK('6ac292faa1315b4d858ab3a3d7d5933a', ksn)
+    assert_equal 'C3DF489FDF11534BF03DE97C27DC4CD0', pek.upcase
+  end
+
+def test_derive_pek_counter_EFF800
+    ksn = "FFFF9876543210EFF800"
+    pek = derive_PEK('6ac292faa1315b4d858ab3a3d7d5933a', ksn)
+    assert_equal 'F9CDFEBF4F5B1D61B3EC12454527E189', pek.upcase
+  end
+
+  def test_triple_des_decrypt
+    ciphertext = "C25C1D1197D31CAA87285D59A892047426D9182EC11353C051ADD6D0F072A6CB3436560B3071FC1FD11D9F7E74886742D9BEE0CFD1EA1064C213BB55278B2F12"
+    data_decrypted = triple_des_decrypt('27f66d5244ff621eaa6f6120edeb427f', ciphertext)
+    assert_equal '2542353435323330303535313232373138395e484f47414e2f5041554c2020202020205e30383034333231303030303030303732353030303030303f00000000', data_decrypted
+  end
+  
+  def test_unpacking_decrypted_data
+    data_decrypted = '2542353435323330303535313232373138395e484f47414e2f5041554c2020202020205e30383034333231303030303030303732353030303030303f00000000'
+    expected = "%B5452300551227189^HOGAN/PAUL      ^08043210000000725000000?\x00\x00\x00\x00"
+    assert_equal expected, [data_decrypted].pack('H*')
+  end
+    
+end

metadata

@@ -0,0 +1,61 @@
+--- !ruby/object:Gem::Specification
+name: dukpt
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- David Seal
+- Cody Fauser
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-03-18 00:00:00.000000000 Z
+dependencies: []
+description: Implements a Derived Unique Key Per Transaction (DUKPT) decrypter
+email:
+- david.seal@shopify.com
+- cody@shopify.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- dupkt.gemspec
+- lib/dukpt.rb
+- lib/dukpt/decrypter.rb
+- lib/dukpt/encryption.rb
+- lib/dukpt/version.rb
+- test/decrypter_test.rb
+- test/encryption_test.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.25
+signing_key: 
+specification_version: 3
+summary: Implements a Derived Unique Key Per Transaction (DUKPT) decrypter
+test_files:
+- test/decrypter_test.rb
+- test/encryption_test.rb