hsm-guide's People

Contributors

dorootdo, gunvantk, lacisjur, lispyariaro, olibye, prvnkumark, snowch

hsm-guide's Issues

PIN Block Generation

Hi,

After going through key generation, can you guide me on PIN block generation on a remote site?
I have read the Thales documentation but am unable to understand the following operation.

Things required for PIN block generation:
Plain ZPK/TPK
Encrypted ZPK/TPK

How to generate plain and encrypted ZPK/TPK under ZMK/TMK?

Key import error using ZMK

I have a problem importing a key using a ZMK.
I generated the ZMK successfully from the Thales console and the KCV matched.
But I can't import the PEK using the IK command.

Generated ZMK : U09C26D8449DFB036466CBE693CA244A0
PEK : 56C8DACE4447FFC02D9F385D67072A88
KCV : 142623

Sending command: HeadA6002U09C26D8449DFB036466CBE693CA244A0X56C8DACE4447FFC02D9F385D67072A88U00
Response: HeadA726. Error code 26 means Invalid Key Scheme.

I also tried the commands below, with the same result. The commands sent are:

HeadA6002U09C26D8449DFB036466CBE693CA244A0U56C8DACE4447FFC02D9F385D67072A88U00
HeadA6002U09C26D8449DFB036466CBE693CA244A0T56C8DACE4447FFC02D9F385D67072A88U00
HeadA6002U09C26D8449DFB036466CBE693CA244A0Z56C8DACE4447FFC02D9F385D67072A88U00
HeadA6002U09C26D8449DFB036466CBE693CA244A0E56C8DACE4447FFC02D9F385D67072A88U00
HeadA6002U09C26D8449DFB036466CBE693CA244A0S56C8DACE4447FFC02D9F385D67072A88U00

The response is the same for all commands: HeadA726

ZMK key generation failed

Thank you for your hsm-guide book; it is very helpful for understanding how an HSM works and for working with the Thales Simulator. I followed your guide and tried to generate a ZMK with the simulator console, but when I send the FK command to the console and enter the pre-generated ZMK components, the console gives the error "INVALID KEY".

Thales simulator version 0.9.6
OS Windows 8.1

See console logs

Connected - Type in commands followed by ENTER.
GC
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Clear Component: 0275 76E5 07A7 CB3B FB32 0D07 40BA DC51
Encrypted Component: U FE61 44E1 4EB2 BC48 4888 7E19 A592 D7B3
Key check value: E341 91
GC
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Clear Component: 616E 32A8 F7CB 0461 20A7 B583 1007 A273
Encrypted Component: U 0E40 2740 82B5 0098 5051 B8B8 1070 E5A0
Key check value: 2605 25
GC
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Clear Component: 191A 547C 0B3B 045E AB8C 3E51 92D0 15DC
Encrypted Component: U E4EF C72D 2EB6 FC0C 5C8B 9FFC 760E 80F2
Key check value: 39E9 9C

FK
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Component type [X,H,E,S]: E
Enter number of components (2-9): 3
Enter component #1: U FE61 44E1 4EB2 BC48 4888 7E19 A592 D7B3
INVALID KEY

IPK certificate export using Thales HSM

Dear,
We have generated an issuer public key using the HSM and requested an IPK certificate from Mastercard. Mastercard provided us the IPK certificate, which we imported through perso software.
Now we want to export the RSA certificate through the Thales 9000 HSM.
Could you please suggest how to export it?

Encrypt MDK under ZMK

Dear,
VISA has provided three clear components of the ZCMK.
VISA also sent us the MDK. VISA provided us the MDK clear component. We need to encrypt this MDK under the ZMK.
We took the steps below:

  1. Using the "FK" command we generated the ZMK from the ZCMK.
  2. Using the "FK" command we encrypted the MDK from the clear component MDK.
  3. Using the "KE" command we encrypted the MDK under the ZMK. But the KCV isn't the same as the one VISA provided.

Could you please help us?

Generate ZMK using Clear components

I need to "Generate ZMK using Clear components". Could you please let me know how to generate a ZMK from clear components using software? Is an HSM (hardware) mandatory for this, or is it possible using software as well? If yes, how?

Generate the ZMK from the components example

In the example you indicate usage of X (XOR components). I believe if X is used you need to use the clear keys output from the GC commands. In the example you are using the encrypted components to form the key, so instead of the X I think it should be an E (encrypted components and XOR).

As an example:
Encrypt a clear key of 09's to get the encrypted component and check digits.

EC
Key Type: 000
Key Scheme: U
Enter component: 09090909090909090909090909090909
Encrypted Component: U 0A26 760B D078 7102 6B67 02C5 F9BA 25B3 
Key check value: D6A8 75

Now do a form key from encrypted components (3 components of the same type are used to fool it into using one component, as XOR'ing something an odd number of times will result in the original value).

FK
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Component type [X,H,E,S]: E
Enter number of components (2-9): 3
Enter component #1: U0A26760BD07871026B6702C5F9BA25B3
Enter component #2: U0A26760BD07871026B6702C5F9BA25B3
Enter component #3: U0A26760BD07871026B6702C5F9BA25B3
Encrypted key: U 0A26 760B D078 7102 6B67 02C5 F9BA 25B3 
Key check value: D6A8 75

As expected the encrypted value is the same as the output of the EC command.

Now try a form key from components using clear keys and XOR.

FK
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Component type [X,H,E,S]: X
Enter number of components (2-9): 3
Enter component #1: 09090909090909090909090909090909
Enter component #2: 09090909090909090909090909090909
Enter component #3: 09090909090909090909090909090909
Encrypted key: U 0A26 760B D078 7102 6B67 02C5 F9BA 25B3 
Key check value: D6A8 75

Again the output is as expected and matches the output of the EC command.

Now if we try FK with X (XOR clear components) but use the encrypted values from the EC command, the key generated is incorrect.

FK
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Component type [X,H,E,S]: X
Enter number of components (2-9): 3
Enter component #1: 0A26760BD07871026B6702C5F9BA25B3
Enter component #2: 0A26760BD07871026B6702C5F9BA25B3
Enter component #3: 0A26760BD07871026B6702C5F9BA25B3
Encrypted key: U B0CC 7DDD EA0A 8867 A640 CE3E E7AC 1301 
Key check value: 80DD 96

Incorrect value due to mismatch of X and encrypted value.
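
An added example, not part of the issue above or of the hsm-guide project: the XOR arithmetic behind combining clear components (the X component type discussed above), in Python, run over the three clear components from the GC log earlier on this page and over the 0909... component entered three times. It models only the XOR and the DES odd-parity convention; LMK encryption and the key check value are not computed, and all function names are hypothetical.

```python
from functools import reduce

# Test components copied from the simulator GC log earlier on this page.
GC_COMPONENTS = [
    "0275 76E5 07A7 CB3B FB32 0D07 40BA DC51",
    "616E 32A8 F7CB 0461 20A7 B583 1007 A273",
    "191A 547C 0B3B 045E AB8C 3E51 92D0 15DC",
]

def parse_component(text):
    """Parse a clear component as the console prints it (spaces allowed)."""
    raw = bytes.fromhex(text.replace(" ", ""))
    if len(raw) not in (8, 16, 24):  # single, double or triple length DES key
        raise ValueError("component must be 16, 32 or 48 hex digits")
    return raw

def has_odd_parity(key):
    """True when every byte has an odd number of 1 bits (DES key convention)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)

def fix_odd_parity(key):
    """Flip the low bit of each even-parity byte; DES ignores that bit."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)

def combine_clear_components(components):
    """XOR 2-9 equal-length clear components into one clear key."""
    if not 2 <= len(components) <= 9:  # range offered by the FK prompt
        raise ValueError("expected 2 to 9 components")
    parts = [parse_component(c) for c in components]
    if len({len(p) for p in parts}) != 1:
        raise ValueError("components differ in length")
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*parts))

if __name__ == "__main__":
    key = combine_clear_components(GC_COMPONENTS)
    print("combined:", key.hex().upper(), "odd parity:", has_odd_parity(key))
    # The same component three times XORs back to itself, as the issue notes.
    nines = combine_clear_components(["09" * 16] * 3)
    print("09 x3   :", nines.hex().upper(), "odd parity:", has_odd_parity(nines))
    # Two odd-parity components give an even-parity result that needs adjusting.
    pair = combine_clear_components(GC_COMPONENTS[:2])
    print("pair    :", has_odd_parity(pair), "->", has_odd_parity(fix_odd_parity(pair)))
```

An odd number of odd-parity components always yields an odd-parity key, while an even number yields even parity in every byte, which is why the parity adjustment is shown separately.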
