Master key in Thales HSM 8000


queo1987

Jan 8, 2010, 8:55:54 PM
to jpos-...@googlegroups.com

Dear all,
I am reading the user guide of the Thales HSM 8000 about generating keys.
Example: generating a Terminal Master Key.
This is the form:

Enter Key Length[1,2,3]: 2 <Return>

Enter Key type: 002 <Return>

Enter Key Scheme: U <Return>

Component type [X,H,E,S]: E <Return>

Enter number of components (1-9): 2 < Return >

Enter component 1: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>

Enter component 2: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>

Encrypted key: YYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY

Key check value: ZZZZZZ

I am writing a simulator. How do I do it?

Question:
1) How does HSM 8000 create master key?
2) How does HSM 8000 get key check value?

Thanks and regards

-----
----Cheer :drunk: ---
mail: queo...@gmail.com
Yahoo: queo1987
--
View this message in context: http://old.nabble.com/Master-key-in-Thales-HSM-8000-tp27084919p27084919.html
Sent from the jPOS - Users mailing list archive at Nabble.com.

Mark Salter

Jan 9, 2010, 3:36:08 AM
to jpos-...@googlegroups.com
:drunk: / queo1987, can you please mark the subjects of these questions
about ATM key handling and cryptography as Off Topic [OT], as I have
done? They really have nothing directly to do with jPOS.

queo1987 wrote:

> I am reading the user guide of the Thales HSM 8000 about generating keys.
> Example: generating a Terminal Master Key.
> This is the form:
>
> Enter Key Length[1,2,3]: 2 <Return>
>
> Enter Key type: 002 <Return>
>
> Enter Key Scheme: U <Return>
>
> Component type [X,H,E,S]: E <Return>
>
> Enter number of components (1-9): 2 < Return >
>
> Enter component 1: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>
>
> Enter component 2: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>
>
> Encrypted key: YYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY
>
> Key check value: ZZZZZZ
>
> I am writing a simulator. How do I do it?

Why do you need to simulate the key loading process of an HSM?

>
> Question:
> 1) How does HSM 8000 create master key?

Don't know, as you are simulating things, why do you care?

The master key (I'm assuming you mean the Local Master Key(s) under which
keys are encrypted outside of the HSM) doesn't matter in simulation; here's
why:

An LMK protects keys: when an (encrypted) key is given to the HSM to be
used in a transaction, it decrypts the incoming key (using the LMK and
variant) to obtain the 'real' or clear key to use. This way the key
outside the HSM can be handled carefully rather than securely, in the
knowledge that as long as the LMK is safe your security is assured.

So in your 'simulator' you can do what you like with the keys given -
don't encrypt them at all - it doesn't matter.

> 2) How does HSM 8000 get key check value?

This is where google can help you...
...The key check value (KCV) is the first few digits (up to 6, normally)
of the result of DES-encrypting x'0000000000000000' under the key.

--
Mark
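
An added example, not code from this thread, from jPOS or from Thales, of the two steps the console form in the first post performs for a double-length key, as a simulator might implement them: combining the entered components into one clear key and computing the key check value Mark describes. It assumes the components are XORed together and the result forced to odd parity (the thread does not say how the HSM combines them), and that the KCV of a double-length key is the first six hex digits of a two-key triple-DES encryption of an all-zero block (plain DES for a single-length key). The sample components are constructed values, not real key material.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
	"strings"
)

// oddParity returns b with its least-significant bit adjusted so that the
// byte has an odd number of one bits, the conventional DES key parity.
func oddParity(b byte) byte {
	if bits.OnesCount8(b&0xFE)%2 == 0 {
		return b | 0x01
	}
	return b & 0xFE
}

// combineComponents XORs hex-encoded key components (spaces allowed, as in
// the console form) into one key of 8, 16 or 24 bytes and forces odd parity
// on every byte. XOR plus parity adjustment is an assumption of this example.
// The adjustment is not optional: two odd-parity components always XOR to
// even-parity bytes.
func combineComponents(components ...string) ([]byte, error) {
	if len(components) == 0 {
		return nil, errors.New("at least one component is required")
	}
	var key []byte
	for i, c := range components {
		raw, err := hex.DecodeString(strings.ReplaceAll(c, " ", ""))
		if err != nil {
			return nil, fmt.Errorf("component %d: %w", i+1, err)
		}
		if i == 0 {
			if n := len(raw); n != 8 && n != 16 && n != 24 {
				return nil, fmt.Errorf("component length %d is not single, double or triple length", n)
			}
			key = make([]byte, len(raw))
		} else if len(raw) != len(key) {
			return nil, fmt.Errorf("component %d has length %d, expected %d", i+1, len(raw), len(key))
		}
		for j := range raw {
			key[j] ^= raw[j]
		}
	}
	for j := range key {
		key[j] = oddParity(key[j])
	}
	return key, nil
}

// tdesKey expands a DES key to the 24 bytes crypto/des expects: K1 K1 K1 for
// single length (plain DES), K1 K2 K1 for double length (two-key triple DES).
// Any other length yields nil, which NewTripleDESCipher rejects.
func tdesKey(key []byte) []byte {
	switch len(key) {
	case 8:
		return bytes.Repeat(key, 3)
	case 16:
		return append(append([]byte{}, key...), key[:8]...)
	case 24:
		return key
	}
	return nil
}

// keyCheckValue encrypts an all-zero 8-byte block under the key and returns
// the first six hex digits of the ciphertext, the usual 6-digit KCV.
func keyCheckValue(key []byte) (string, error) {
	block, err := des.NewTripleDESCipher(tdesKey(key))
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, make([]byte, des.BlockSize))
	return strings.ToUpper(hex.EncodeToString(out))[:6], nil
}

func main() {
	// Constructed sample components for a double-length key; not real key material.
	c1 := "0123 4567 89AB CDEF FEDC BA98 7654 3210"
	c2 := "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF"
	key, err := combineComponents(c1, c2)
	if err != nil {
		panic(err)
	}
	kcv, err := keyCheckValue(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Clear key (odd parity): %X\nKey check value: %s\n", key, kcv)
}
```

Run it with `go run`. A useful self-check for any implementation is the all-zero key: DES of an all-zero block under an all-zero (or 0101...01, parity-adjusted) key is the published test vector 8CA64DE9C1B123A7, so the KCV must come out as 8CA64D.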

Mark Salter

Jan 9, 2010, 4:35:36 AM
to jpos-...@googlegroups.com
Mark Salter wrote:
> So in your 'simulator' you can do what you like with the key given -
> don't encrypt them at all - it doesn't matter.
Poor form, self-responding, but anyway...

... I've been thinking about this and it is probably not going to be
clear to you.


When interacting with a real HSM or a simulator, you send it
transactions so it can do work. Part of the input data are keys you
want the 'HSM' to use. This input data will have been retrieved from a
persistent store, so whether the file contains encrypted keys or (in
testing) clear keys it is just data.

If your simulated HSM just uses the key data passed in directly, then
you are good to go.

There is no difference in the HSM client code - that would move into
production - it just gets the 'key' and passes it to the HSM which gives
a result.

--
Mark

queo1987

Jan 11, 2010, 4:54:48 AM
to jpos-...@googlegroups.com

Dear all,
Which variant is used for key pair 14-15 in the HSM table?
Example: pair 28-29 uses variant 2.
Thanks and regards



-----
----Cheer :drunk: ---
mail: queo...@gmail.com
Yahoo: queo1987
--

View this message in context: http://old.nabble.com/Master-key-in-Thales-HSM-8000-tp27084919p27108056.html

Mark Salter

Jan 11, 2010, 5:14:08 AM
to jpos-...@googlegroups.com
queo1987 wrote:

> Which variant is used for key pair 14-15 in the HSM table?

If no variant is stated, then I would think no variant will be used.

> Example: pair 28-29 uses variant 2.

This describes the key (and variant) under which the HSM expects the key
you are passing into the command to have been encrypted.

--
Mark
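
An added example, not from this thread, jPOS or Thales, of the LMK-and-variant handling Mark describes in his first two replies and in the exchange just above: a small simulator that, in HSM mode, encrypts a generated key under an LMK pair plus variant and decrypts it again when a later command names that pair and variant (pair 28-29 with variant 2, pair 14-15 with none), and that, in clear-key mode, uses the key field exactly as it was given, so the calling code does not change between the two. The variant byte table is what I recall from Thales documentation and the rule of XORing the variant into the first byte of the pair is a simplification; both are assumptions of the example, and the LMK pairs and clear key are constructed values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// variantBytes are the XOR masks for LMK variants 0-8 as I recall them from
// Thales documentation (an assumption); variant 0 means "no variant".
var variantBytes = [...]byte{0x00, 0xA6, 0x5A, 0x6A, 0xDE, 0x2B, 0x50, 0x74, 0x9C}

// lmkVariant XORs the variant byte into the first byte of the 16-byte LMK
// pair. Simplified model assumed for the simulator, not the HSM's full scheme.
func lmkVariant(lmk []byte, variant int) ([]byte, error) {
	if variant < 0 || variant >= len(variantBytes) || len(lmk) != 16 {
		return nil, fmt.Errorf("variant %d out of range or LMK pair not 16 bytes", variant)
	}
	out := append([]byte{}, lmk...)
	out[0] ^= variantBytes[variant]
	return out, nil
}

// tdesECB runs two-key triple DES (K1 K2 K1) in ECB mode block by block;
// no IV, so the encrypted key is exactly as long as the clear key.
func tdesECB(key, data []byte, encrypt bool) ([]byte, error) {
	if len(key) != 16 || len(data) == 0 || len(data)%des.BlockSize != 0 {
		return nil, fmt.Errorf("need a 16-byte key and whole 8-byte blocks")
	}
	block, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += des.BlockSize {
		if encrypt {
			block.Encrypt(out[i:i+des.BlockSize], data[i:i+des.BlockSize])
		} else {
			block.Decrypt(out[i:i+des.BlockSize], data[i:i+des.BlockSize])
		}
	}
	return out, nil
}

// Simulator stands in for the HSM. With lmks set it keeps keys encrypted
// outside itself like the real device; with lmks nil it is the clear-key
// simulator Mark describes and uses incoming key data as is.
type Simulator struct {
	lmks map[string][]byte // pair name ("14-15", "28-29") -> 16-byte LMK pair
}

func (s *Simulator) workingLMK(pairName string, variant int) ([]byte, error) {
	lmk, ok := s.lmks[pairName]
	if !ok {
		return nil, fmt.Errorf("unknown LMK pair %s", pairName)
	}
	return lmkVariant(lmk, variant)
}

// wrapKey is the key-generation command's output step: the clear key leaves
// the HSM encrypted under the pair and variant later commands will name.
func (s *Simulator) wrapKey(pairName string, variant int, clear []byte) ([]byte, error) {
	wk, err := s.workingLMK(pairName, variant)
	if err != nil {
		return nil, err
	}
	return tdesECB(wk, clear, true)
}

// clearKey recovers the working key from a command's key field; the caller's
// code is identical whether the field holds an LMK-encrypted or a clear key.
func (s *Simulator) clearKey(pairName string, variant int, keyField []byte) ([]byte, error) {
	if s.lmks == nil {
		return keyField, nil
	}
	wk, err := s.workingLMK(pairName, variant)
	if err != nil {
		return nil, err
	}
	return tdesECB(wk, keyField, false)
}

func mustHex(s string) []byte {
	b, _ := hex.DecodeString(s) // only used on constructed literals below
	return b
}

func main() {
	// Constructed LMK pairs and clear key, not real key material.
	hsm := &Simulator{lmks: map[string][]byte{
		"14-15": mustHex("0123456789ABCDEFFEDCBA9876543210"),
		"28-29": mustHex("112233445566778899AABBCCDDEEFF00"),
	}}
	clear := mustHex("FEDCBA98765432100123456789ABCDEF")
	enc, _ := hsm.wrapKey("28-29", 2, clear) // what leaves the HSM and is stored
	back, _ := hsm.clearKey("28-29", 2, enc) // what the HSM uses in a transaction
	fmt.Printf("encrypted %X\nrecovered %X\n", enc, back)
	sim := &Simulator{}
	got, _ := sim.clearKey("28-29", 2, clear) // clear-key simulator: key as given
	fmt.Printf("clear-key simulator uses %X\n", got)
}
```

One caveat worth carrying into a real simulator: decrypting under the wrong pair or variant does not fail, it silently yields a different key, so a KCV check on the recovered key is the only way the caller notices the mismatch.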
