New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

August 4, 2014, 12:06 am

≫ Next: New Post: Get Response from HSM using Java

≪ Previous: New Post: Get Response from HSM using Java

I have two clear components, generated by command 000A30303030413230303255 (it's a 000A0000A2002U in HEX mode. This is GC command from 1270A513 Issue 3 manual) using Java code
Now I need to generate an Encrypted key from those components. The console command for it: FK command (1270A513 Issue 3, page 5-14). I couldn't find any host commands for doing it. I used Host Command Reference manual (1270A351 Issue 6) and found only A4 - command, but this command for generating key from Encrypted components.

Is there way to generate encrypted key using clear components?

↧

New Post: Get Response from HSM using Java

August 5, 2014, 4:07 am

≫ Next: New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

≪ Previous: New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

Hi!

If you are using java.io.DataOuputStream, it adds software header itself and uses String. Try to send command as follows:

command = "0000A00002U";
out.writeUTF(command);
out.flush();
String response = in.readUTF();

You should receive the answer like:

A100UXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXKKKKKK

Where:

UXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is a key
KKKKKK is a key check value

Regards,
Juris

↧

New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

August 5, 2014, 4:11 am

≫ Next: New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

≪ Previous: New Post: Get Response from HSM using Java

Hi!

Host can not accept plain components to form them into key. The only you can do is to use encrypted components under LMK. Plain components can be used only with HSM console interface.

Regards,
Juris

↧

New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

August 5, 2014, 4:57 am

≫ Next: New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

≪ Previous: New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

Is it possible to generate encrypted components and then decrypt them using host commands for receiving their clear values? Encrypted components I will use to generate a encrypted key using A4 command.

↧

New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

August 6, 2014, 3:19 am

≫ Next: New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

≪ Previous: New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

Hi!

If you want to generate a plaintext component and after form a key using HOST interface, you can use A2 command, but, plain component is possible only to print. Printer must be attached to HSM and configured. In response from HSM you will receive encrypted components which can be used to form a key.

Regards,
Juris

↧

New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

August 6, 2014, 6:34 am

≫ Next: New Post: PIN TRANSLATION FROM TPK TO ZPK

≪ Previous: New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

Juris, thank you for your answer.

↧

New Post: PIN TRANSLATION FROM TPK TO ZPK

August 11, 2014, 4:57 pm

≫ Next: New Post: PIN TRANSLATION FROM TPK TO ZPK

≪ Previous: New Post: Thales HSM Generate key “Form key from clear components” (“FK” console command) by Host command

Hi,

I able to generate TMK & TPK using TMK and on the POS terminal I am to form the pinblock & now we need to translate pin block encrypted under TPK to ZPK but I am getting error code 24 from HSM. Below is the complete procedure I had followed to generate TMK, TPK & ZPK , and I unable to figure out the issue so Kindly help me

My Plain TMK

Online-AUTH>gc

Enter LMK id [0-1]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u

Clear component: C14C CD94 0B46 43FE 94D3 F701 E0F2 D064

Key check value: 97E7AD

TMK under LMK

Online-AUTH>fk

Enter LMK id [0-1]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Enter component type [X,H,T,E,S]: x
Enter number of components [1-9]: 1

Enter component 1: ***************************************
Component 1 check value: 97E7AD
Continue? [Y/N]: y

Encrypted key: UA742 C4D5 2457 66BB CF3D D22E 2A65 9FDE
Key check value: 97E7AD

Session keys under TMK

Input to HSM : 0000HCUA742C4D5245766BBCF3DD22E2A659FDE;UU0
Output from HSM : 0000HD00UED69C077A97195F3D5741855A861B086UF7F89DAD24CE89C2A8FD4097217E8EFF

Pin Block calculated on terminal in ISO - 0 Standard

Card no - 4180879999999957(12 - digit card no 087999999995)
Pin - 1234
Encrypted Pin block block - E0A87BEC03235198

Bank ZPK

Online-AUTH>fk

Enter LMK id [0-1]: 0
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: U
Enter component type [X,H,T,E,S]: X
Enter number of components [1-9]: 3

Enter component 1: ***************************************
Component 1 check value: 3C7961
Continue? [Y/N]: Y

Enter component 2: ***************************************
Component 2 check value: 88559B
Continue? [Y/N]: Y

Enter component 3: ***************************************
Component 3 check value: 0FFC48
Continue? [Y/N]: Y

Encrypted key: UFA7B BF8B 5847 0D9E 1CC8 09BC AF30 A3B3
Key check value: A7D48E

Pin Translation from TPK to TMK

Input to HSM : 0000CAUF7F89DAD24CE89C2A8FD4097217E8EFFUFA7BBF8B58470D9E1CC809BCAF30A3B312E0A87BEC032351980101087999999995
Output from HSM : 0000CB24

↧

New Post: PIN TRANSLATION FROM TPK TO ZPK

August 12, 2014, 3:39 am

≫ Next: New Post: M2 command failed

≪ Previous: New Post: PIN TRANSLATION FROM TPK TO ZPK

Hi!

When you are generating PIN key using HC command for POS terminal you should use ANSI scheme 'X' for exported key as in example below:

0000HCUA742C4D5245766BBCF3DD22E2A659FDE;XU0

If you are using Variant scheme 'U' for key under TMK the resulting key decrypted by terminal will be different than you are expecting. Thales Variant scheme a bit transforms LMK to encrypt different types and lengths of keys. 'X' scheme is the correct one to get the same key on terminal and host sides. On host side (application) you should keep the key under LMK in 'U' scheme.

Regards,
Juris

↧

New Post: M2 command failed

August 19, 2014, 9:35 am

≫ Next: New Post: M2 command failed

≪ Previous: New Post: PIN TRANSLATION FROM TPK TO ZPK

Hi All,
I am facing problem with DUKPT Decryption. I am sending the command as per THales HSM manual, but I am getting error response as: 0000M315

Please find command below, Request you to help me whats wrong with my command.

I am not sure about KSN descriptor. I am passing it as 609
MY KSN: FFFFFF85000006000162

Could you please confirm me what could be the value for KSN descriptor for my KSN

COMMAND: 0000M20011009U1BEE5C2C1820D691299B843984177A9A609FFFFFF8500000600016200E0beb0297d81e42bf9e07b1948dfaba7f8f032622173f61d2bacf6f485fa0a9babaf58637184b5e459cbae55f2b53ff9c356e4817f2efa9d70e740b27e2e089ccf42fefa56ee38c58d49f89206f9709c31e7ec616767f7638e3f853dde45af94e7cdb06502017a16c44ab472c3ce03260e

Command Details:
User Header: 0000
Command Code: M2
Mode Flag: 00
input/output format flag: 11
BDK Type: 009
BDK Encryption key: U1BEE5C2C1820D691299B843984177A9A
KSN Descriptor: 609
KSN: FFFFFF85000006000162
Data Length: 00E0
Data: beb0297d81e42bf9e07b1948dfaba7f8f032622173f61d2bacf6f485fa0a9babaf58637184b5e459cbae55f2b53ff9c356e4817f2efa9d70e740b27e2e089ccf42fefa56ee38c58d49f89206f9709c31e7ec616767f7638e3f853dde45af94e7cdb06502017a16c44ab472c3ce03260e

Thanks,
Nazir

↧

New Post: M2 command failed

August 20, 2014, 1:20 am

≫ Next: New Post: M2 command failed

≪ Previous: New Post: M2 command failed

Hi!

Use the 'Data' field in uppercase:

BEB0297D81E42BF9E07B1948DFABA7F8F032622173F61D2BACF6F485FA0A9BABAF58637184B5E459CBAE55F2B53FF9C356E4817F2EFA9D70E740B27E2E089CCF42FEFA56EE38C58D49F89206F9709C31E7EC616767F7638E3F853DDE45AF94E7CDB06502017A16C44AB472C3CE03260E

That should work.

Regards,
Juris

↧

New Post: M2 command failed

August 20, 2014, 7:11 am

≫ Next: Created Unassigned: Verify a Dynamic CVV Command (PM) [13230]

≪ Previous: New Post: M2 command failed

Thanks Juris, It's working fine now.

Thanks,
Nazir

↧

Created Unassigned: Verify a Dynamic CVV Command (PM) [13230]

August 29, 2014, 1:19 am

≫ Next: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

≪ Previous: New Post: M2 command failed

I've tried to compute the CVC3 but the HSM result is wrong.

Follow the command sent to the HSM:

PM
1
2
U0FBBCA5494E5E707AA8433B95249A3B6
A
5399411100094140;
00
0385399411100094140D16072210005663032602F
00000030 -----> UN generated by Mastercard simulator
00566 -----> ATC generated by Mastercard simulator
XX326 -----> CVC3 generated by Mastercard simulator

The response obtained by the HSM is: PN0136102

I will appreciate your Help.

Regards,

↧

Commented Unassigned: Import Key - Invalid Key Scheme [11869]

September 11, 2014, 5:55 am

≫ Next: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

≪ Previous: Created Unassigned: Verify a Dynamic CVV Command (PM) [13230]

Hi All,

I'm having troubles with importing key in Thales 8000, everything works correctly in Thales Simulator but on the HSM is not working.

1) First, I create my Key (ZMK ) with 3 randoms clear components

Enter LMK id [0-9]: 0
Enter key length [1,2,3]: 2
Enter key type: 000
Enter key scheme: U
Enter component type [X,H,T,E,S]: X
Enter number of components [1-9]: 3

Enter component 1: ***************************************
Enter component 2: ***************************************
Enter component 3: ****************************************

Encrypted key: U1129 9294 E211 949D FDAA 4078 EB99 6D31

2) I need to import a key from a partner.

Partner key: 9204 BC57 C145 4A9E 3E04 F137 1C20 62DA

Online-AUTH>IK

Enter LMK id [0-9]: 0
Enter key type: 001
Enter key scheme: U
Enter ZMK: U1129 9294 E211 949D FDAA 4078 EB99 6D31
Enter key: U9204 BC57 C145 4A9E 3E04 F137 1C20 62DA

Invalid key scheme

I`m getting error "Invalid Key Scheme" , when I import it on the SIMULATOR, I don`t have problems

Thanks for any help!
Comments: ** Comment from web user: agavrilenko **

I have the same issue with Thales payShield 9000. We generated ZMK and provided to a 3rd party and received ZPK. I try to import ZPK to HSM exactly the same as you and receive "Invalid key scheme" error.
How you resolved your problem?
Please advice.

↧

Commented Unassigned: Import Key - Invalid Key Scheme [11869]

September 12, 2014, 1:16 am

≫ Next: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

≪ Previous: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

Hi!

Show please the output of "QS" console command. I assume, you have enabled parameter "Import and Export keys in trusted format only". You must disable it. If this parameter is enabled (by default it is) the HSM awaits keys encrypted under ZMK in Thales KeyBlock scheme.

Regards,
Juris

↧

Commented Unassigned: Import Key - Invalid Key Scheme [11869]

September 12, 2014, 1:18 am

≫ Next: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

≪ Previous: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

Btw, next time such issues open pls in "Discussions". "Issues" tab for simualtor bug reporting.

Thank you!

Regards,
Juris

↧

Commented Unassigned: Import Key - Invalid Key Scheme [11869]

September 15, 2014, 6:14 am

≫ Next: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

≪ Previous: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

Hi Juris,

I checked HSM configuration - parameter "Import and Export keys in trusted format only" is enabled.
We will update it next week (I need support from IT team) and try to import the key.

Kind regards,
Andrei

↧

Commented Unassigned: Import Key - Invalid Key Scheme [11869]

September 15, 2014, 7:15 am

≫ Next: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

≪ Previous: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

hi agavrilenko ,

Basically i just change de key Scheme to 'X' when i tried to import,

Online-AUTH>IK
Enter LMK id [0-9]: 0
Enter key type: 001
Enter key scheme: U
Enter ZMK: U1129 9294 E211 949D FDAA 4078 EB99 6D31
Enter key: X9204 BC57 C145 4A9E 3E04 F137 1C20 62DA

because the partner key was created to be imported and exported

Hope this help you

Regards

↧

Commented Unassigned: Import Key - Invalid Key Scheme [11869]

October 6, 2014, 7:09 am

≫ Next: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

≪ Previous: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

Hi amendez85,

Thank you for update.

Unfortunately, our status is not so good.

1. We disabled parameter ""Import and Export keys in trusted format only" on our HSM.
2. We imported ZPK key under scheme "U", but KCV is different than provided by 3rd party. See a log below:
Online-AUTH>IK

Enter LMK id [0-1]: 0
Enter key type: 001
Enter key scheme: U
Enter ZMK: U 12b5 …
Enter key: U 4f93 …

Warning: key parity corrected

Encrypted key: UA1CA …
Key check value: 48B0B1

3rd party KCV: CAC43D.

We performed a test decrypt operation, but it was unsuccessful as well. We received error: "PIN block does not contain valid values".

So, we should fix the problem with KCV mismatch.

We also tried to import key under "X" scheme. For this case we received error: Invalid key scheme.

Any ideas are welcome! We are really blocked with this issue. I reported it to Thales support - no valuable feedback yet.

Thanks, Andrei

↧

Commented Unassigned: Import Key - Invalid Key Scheme [11869]

October 7, 2014, 2:21 am

≫ Next: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

≪ Previous: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

Hi!

I assume, you have wrong ZMK or ZPK you are importing (some mistakes in key or ZMK components may be,,,). The HSM showed warning:

```
Warning: key parity corrected
```
Basicly, that means, that the plaintext key do not have ODD parity, but it MUST have it.

Regards,
Juris

↧

Commented Unassigned: Import Key - Invalid Key Scheme [11869]

October 8, 2014, 2:42 am

≫ Next: New Post: How to interact with HSM using JAVA

≪ Previous: Commented Unassigned: Import Key - Invalid Key Scheme [11869]

Hi,

One more think you can check, use ```X``` scheme in IK command to import key as in example below. In the most cases to exchange keys between different parties is used ANSI scheme:

```
X9204 BC57 C145 4A9E 3E04 F137 1C20 62DA
```

And make sure, the following parameter is enabled in security configuration (CS). You will need to reinstall LMK after parameter update if it is disabled:

```
Enable X9.17 for import: YES
```

Regards,
Juris

↧