HSM – Atalla simulator/emulator (Hardware Security Module)

My very first experience with an Atalla was with an old PCI card version of the ATALLA 10000 that was used in an issuer system for CVV and CVV2 verification. Having access to an HSM for development and testing is really a good thing, and is also a requirement if you are building a PIN based debit system, and since not everyone has access to HSMs in their labs 🙂

A friend has recently shared the following link: # that includes “BogoAtalla”

This is an Atalla emulator (or simulator). This software emulation (simulation) of the well-known Atalla Hardware Security Module (HSM) that is used by banks and processors for cryptographic operations, such as verifying/translating PIN blocks, authorizing transactions by verifying CVV/CSC numbers, and performing key exchange procedures, was produced for testing purposes. This implementation is not of the complete HP Atalla command set, but rather just the portions that I myself needed. That being said, it is complete enough if you are performing acquiring and/or issuing processing functions, and are using more modern schemes such as Visa PVV and DUKPT, and need to do generation, verification, and translation.

This runs as a listening socket server and handles the native Atalla command set. I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native hardware), but definitely should get identical positive responses. Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available. Examples are generating PVV values and encrypting/decrypting plaintext PIN values.

I gave it a very quick shot in a test virtual machine:

<00#020035#0101##>

Let’s see — my first error message, invalid character/message 🙂

And if you are a real geek – you can use the WRTG version: BogoAtalla for Linksys — makes a great portable HSM.

I’ll probably play a little more with this in the future.

[edit] 8/19/2008: Previously I could not seem to get more than the error message sent back, so it looks like it has very limited functionality. I’ve revisited the # website and notice it lists what commands are implemented, and a few examples. I downloaded a new zip file and ran the examples from the website and get what is expected. Ziggurat29 lists the following implemented commands: 00, 10, 11, 13, 1A, 30, 31, 32, 37, 5D, 5E, 7E, 90, 93, 97, 98, 99, 9E, 11B, 1111, 1226 – At some point I’ll need to try these other commands, but as per the example 31 and 32 appear to work.

Here is a short test of cut and pasting a command via telnet to 127.0.0.1 7000

12 Comments

  1. Very good topic.

    I’m quite interested in that technology, to add more security to the payments I receive. I tried this emulator, but unfortunately, I didn’t manage to use it properly. Can you please drop me an e-mail with some practical examples? You would be an angel, kiss :*

  2. idem!!!!

    I tried this emulator, but unfortunately, I didn’t manage to use it properly. Can you please drop me an e-mail with some practical examples?

    Greetings

  3. Does anyone have any practical examples for this? I’ve searched everywhere and can’t find anything.
    Thanks.
    Andy

  4. Hello David, We started using the Bogo Atalla simulator for our development unit testing of our Payment Switch…Since we are supporting EMV transactions as well, do you know if Bogo Atalla will have support for commands 350 and 352 as well? Lots of great work and useful information on the paymentsystemsblog….Best Regards/Shanmuga

  5. Does anyone know how to calculate MFK from key components? Or if the source code of this simulator is available

  6. You can compute an MFK (or any other key) from components by XORing the components. In a pinch, you can use Windows Calculator, when you view in Scientific mode, and put it in Hex. You have to do this one block at a time.

    On the site there is also a tool, ‘des’ which supports components. You can enter components, and use the –showkey or –showcheck option to display the resultant key and check digits.
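The XOR combination described in comment 6, as an added example that is not part of the original thread or of the BogoAtalla tools. It combines whole hex components at once rather than one block at a time, and additionally checks the DES odd-parity convention, which the comment does not mention; the function names and component values are constructed for illustration.

```python
"""Combine DES/3DES key components by XOR (added example, constructed values)."""
from functools import reduce

VALID_HEX_LENGTHS = {16, 32, 48}  # single-, double-, triple-length DES keys


def parse_component(text: str) -> bytes:
    """Parse one hex component, tolerating spaces and dashes between blocks."""
    cleaned = text.replace(" ", "").replace("-", "")
    if len(cleaned) not in VALID_HEX_LENGTHS:
        raise ValueError(f"expected 16, 32 or 48 hex digits, got {len(cleaned)}")
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex characters


def combine_components(components: list[str]) -> bytes:
    """XOR all components together; every component must have the same length."""
    parts = [parse_component(c) for c in components]
    if len(parts) < 2:
        raise ValueError("need at least two components")
    if len({len(p) for p in parts}) != 1:
        raise ValueError("components differ in length")
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), parts)


def has_odd_parity(key: bytes) -> bool:
    """True when every byte has an odd number of 1 bits (the DES key convention)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def fix_odd_parity(key: bytes) -> bytes:
    """Flip the low bit of any even-parity byte so each byte has odd parity."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)


if __name__ == "__main__":
    # Constructed sample components, not real key material.
    sample = [
        "0123456789ABCDEF FEDCBA9876543210",
        "1111111111111111 2222222222222222",
        "A5A5A5A5A5A5A5A5 5A5A5A5A5A5A5A5A",
    ]
    key = combine_components(sample)
    print("combined key:", key.hex().upper())
    print("odd parity  :", has_odd_parity(key))
    print("parity-fixed:", fix_odd_parity(key).hex().upper())
```

Whether a given device or tool expects the combined key to be parity-adjusted is not stated in the thread, so treat `fix_odd_parity` as optional.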

  7. Hi David,
    I started using Bogo for development testing but the commands seem to be very different from the ones I used to have (A9000 series). Do you know (or you may have) the manual for the HSM that covers the commands on this simulator? Much appreciated … Damian

  8. I tried this emulator, but unfortunately, I didn’t manage to use it properly. Can you please drop me an e-mail with some practical examples?

    Greetings

  9. Same here, I’m not able to find a working link to download it. Can someone put it somewhere to download?

    Thanks. Great blog.

  10. Looking for BogoAtalla or equivalent, or the Third Party to whom it was assigned. Alternatively, contact info for Ziggurat29 — anybody know anything on this? Really looking for an Atalla NSP simulator for limited commands. Thanks - contact by direct eMail please.