Capturing and decoding encrypted serial data 2

[robd2002]

Hi,

I've been asked to decode serial data passing between a point of sale system (fancy name for fancy cash register) and a gasoline fuel controller. Data typically consists of commands from the POS to the controller such as "what is your status", "you are auhorized to dispense fuel", "how much fuel did you dispense", etc. and things are easy when the baud, data bits, parity, etc. are fixed. I've got a micro-based board that measures pulse widths, sets the baud rate, then runs through combinations of data bits, parity, etc. until no parity or framing errors happen. Crude perhaps but it works on a "well-behaved" data stream. However, the new challenge is to decode the data from a "PCI compliant" data stream that contains encrypted credit card information. The encryption confounds my device. What is the proper way to decode this data?

Thank you,

Rob

 

[MikeHalloran]

I'm guessing your answer lies here:

https://www.pcisecuritystandards.org/security_standards/documents.php

I couldn't figure out from the sample that I read if they dynamically mess with the baud rate and such, or not. I'm guessing, not, so fixing the parameters in your box may work.

Beyond that, I don't think discussion is appropriate in a global public forum like this one.


Mike Halloran
Pembroke Pines, FL, USA

 

[MacGyverS2000]

Rob,

I've read your other posts and the one thing I can glean from them is you're pretty fresh as an engineer. What you're getting into with this project will challenge you, to say the least.

I'll add that what you are attempting to do may very well be illegal (on a federal level), it is likely against the TOS (Terms of Service) for most (all?) processing companies, and it certainly opens up a door for hacking. Playing "man in the middle" to an encrypted PCI data stream and decoding it is a very dangerous position to be in.

As Mike said, this is not exactly a discussion for an open forum. Hackers get enough help as it is (I particularly like the new breed of card skimmers that transmit their data over BlueTooth so the hacker doesn't need to re-acquire the skimmer to grab his data). If this is a legitimate product, I highly recommend you check with your company's lawyers first, and then bring in a consultant EE to help (if not do it for you outright).

Dan - Owner

http://www.Hi-TecDesigns.com

 

[robd2002]

Mike,

Thank you for the link and I agree the content is not suitable. I should not have included the acronym. I don't see any way to delete or edit the post as I surely would. The general question was how to go about decoding "dynamic" RS-232 serial communication.

Regards,

Rob

 

[robd2002]

Mac,

Thank you for the reply and assessment of my abilities. The reality is that I'm about the only engineer at my company and have had to resort to professing my ignorance to the world out of sheer desperation - nobody here with whom to truly collaborate. That said, I have found an uncanny outcome of asking dumb questions - sometimes once I ask them the answer comes to me. I chalk that up to what I'll call the magic of synergy.

I think I'm more capable than you give me credit for, but agree that I have much to learn. Believe it or not I knew almost nothing after 10 years working with dozens of engineers at a large defense contractor. Luckily I landed a job at this small company and under the tutelage of a now deceased mentor I began to learn how to be an engineer, and to realize how little I actually knew after earning a BSEE and an MSEE. My problem is that I'm not an "engineer's engineer", do not make circuits at home for the fun of it. I can do that at work but not at home. Problem was the defense contractor job had no work of that kind, and the education was all about theory and passing tests.

That said it is time for me to move on and find some new mentors and engineers with whom to collaborate.

Best regards,

Rob

 

[MikeHalloran]

Let me see if I understand what you are trying to do.
Your employer sells magic boxes that monitor a data stream, and record or report gasoline sales data, without altering the data stream, and without modification to or cooperation from the transmitter or the receiver.

But now the boxes are getting confused by encrypted credit card data passing through the data link.

If the gasoline sales data, pump commands, etc., are still unencrypted, then your box just has to get smart enough to identify and completely ignore encrypted data that is of no interest to it. That sounds like a soluble problem.

If the entire data stream is encrypted, you are screwed, for now.



Mike Halloran
Pembroke Pines, FL, USA

 

[robd2002]

Mike,

You are spot on about the magic box that extracts what it needs from a data stream without effect on the data. Sender and receiver are unaware of its presence. And yes, the box will not work in this new data path. My guess is that all of the data is encrypted, as the output is total garbage. Otherwise I'd expect to see data packets missing the first few bytes.

Thanks again and given the subject matter let's close this one, as I'm convinced there's not some "off the shelf" solution, which is what I was looking for.

Best,

Rob

 

[VEBill]

See similar thread:

Communication with Point of sale terminal (POS)