Hi!
I have to support a 3 custodian part key exchange ceremony
with the custodian parts generated on a Thales 8000 on a Safenet Luna SA HSM.
I know how this key would be imported on another Thales but...
our Safenet HSM is only accessed programmatically.
So I need to translate the Thales scheme into the actual algorithm used.
Can anyone point me in the correct direction or a description like mine below?
I have tried to re-create the key in lots of other different ways but always failed to recreate the
final check value "BADB AD".
The keys are generated with the GC command like:
>gc
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
resulting in something like:
*********************************************************************
Clear component 1: xxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
Key check value: ABCD EF
Clear component 2: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
Key check value: 1234 56
Clear component 3: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
Key check value: CAFF CA
Final Key check value for the above three components is: BADB AD
COMS_KEY(TRANSPORT KEY): X 1234 5678 9101 1121 3141 5161 7181 9201
Key check value: 0102 03
***********************************************************************
Our custodian export and import:
Three components will be supplied.
All components and the resultant KEK are odd parity.
The key (and key components) check digits are obtained by EDE enciphering 64 zero bits of
data under the key and then displaying the leftmost 3 or 4 bytes.
Transfer keys split into 3 components: (all executed internally on the HSM)
o Choose two random 16 byte numbers
o Perform xor = key ^ random_1 ^ random_2
o Distribute random_1, random_2 and xor to 3 people.
o The key value is regenerated by key = random_1 ^ random_2 ^ xor at the key loading.
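The reconstruction described in the post, as an added example (not code from the original post, from Thales or from Safenet): it recombines three components typed in the console format by XOR, rejects any component that fails odd parity, and computes the check value by 3DES-EDE encrypting a zero block with Go's standard library. The three sample components are constructed and XOR to the widely published test key 0123456789ABCDEF FEDCBA9876543210.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// HasOddParity: every byte has an odd number of set bits (DES key parity),
// which the post says holds for all components and the resulting KEK.
func HasOddParity(b []byte) bool {
	for _, x := range b {
		if bits.OnesCount8(x)%2 == 0 {
			return false
		}
	}
	return true
}

// CombineComponents rebuilds the double-length key as c1 ^ c2 ^ c3 from the
// console form "0220 4664 ..."; a component failing parity was mistyped.
func CombineComponents(c1, c2, c3 string) ([]byte, error) {
	key := make([]byte, 16)
	for i, s := range []string{c1, c2, c3} {
		comp, err := hex.DecodeString(strings.ReplaceAll(s, " ", ""))
		if err != nil || len(comp) != 16 || !HasOddParity(comp) {
			return nil, fmt.Errorf("component %d: need 32 hex digits with odd parity", i+1)
		}
		for j := range key {
			key[j] ^= comp[j]
		}
	}
	return key, nil
}

// KCV: 3DES-EDE encrypt one all-zero block and keep the leftmost 3 bytes.
// Go's TripleDES takes 24 bytes, so a 2-key (16-byte) key becomes K1||K2||K1.
func KCV(key []byte) (string, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	c.Encrypt(out, make([]byte, 8))
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}
```

When the KCV of the recombined key equals the "Final Key check value" printed by the GC command, the clear key has been reconstructed correctly and is what needs to be loaded into the Luna.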
Comments: ** Comment from web user: lilleman **
Sorry, should have been added under discussions. OK to close.