Trouble migrating to new LMK


Anton

Jan 17, 2011, 4:49:23 AM
to jPOS Users
Hi guys,

I have a Thales Racal 8000 HSM with a 2-component LMK loaded and
some working keys encrypted under this key. Now I need to change it to
a 3-component LMK, but I don't have the old working keys, so I'm
looking for a way to migrate the working keys without changing them.

I found the BW command in the manual, which sounds like what I need. So I tried
it like this:

BWFF1Uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;002
but somehow I always get response 10 from the HSM (key parity error).
Could someone tell me what I could be doing wrong with the keys? (I tried
generating new keys using the old LMK and then trying this, but it still doesn't work.)

kapilashantha rajapaksha

Jan 17, 2011, 5:22:34 AM
to jpos-...@googlegroups.com

I think that you are trying to translate from one LMK to another LMK.

You can export working keys using unknown ZMK (KE) and after you can impor

--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage.
Please support jPOS, contact: sa...@jpos.org

You received this message because you are subscribed to the  "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users

Chung vu

Jan 17, 2011, 5:24:00 AM
to jpos-...@googlegroups.com
In my opinion,

the new HSM 8000 has 3 LMK storage slots, so why don't you try this?

HTH

Anton

Jan 17, 2011, 6:07:07 AM
to jPOS Users
You're right, Kapila.
I also tried your method, but I always get an "invalid key scheme" problem.
According to the key scheme table there are only 2 possible choices:
either U or X, since my key is double length.

Online-AUTH>f

Clear ZMK component: AB08 F4BA 97E3 6E4F 5170 A402 EFE6 2602
Encrypted ZMK component: E02C 6BED A1DE 2480 03DB 6A44 EDA9 3E4A
Key check value: 49AB DC00 0000 0000

Online-AUTH>fk

Enter LMK id [0-4]: 0
Enter key length [1,2,3]: 2
Enter key type: 000
Enter key scheme: u
Enter component type [X,H,T,E,S]: x
Enter number of components [1-9]: 1

Enter component 1: ***************************************

Encrypted key: UFB44 55A0 6A33 6B12 C973 4543 899E 9FCC
Key check value: 49AB DC

Online-AUTH>ke

Enter LMK id [0-4]: 0
Enter key type: 002
Enter key scheme: x
Enter ZMK: UFB44 55A0 6A33 6B12 C973 4543 899E 9FCC
Enter key under LMK: uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Invalid key scheme


Online-AUTH>ke

Enter LMK id [0-4]: 0
Enter key type: 001
Enter key scheme: u
Enter ZMK: UFB44 55A0 6A33 6B12 C973 4543 899E 9FCC
Enter key under LMK: uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Invalid key scheme


Chung vu

Jan 17, 2011, 6:11:21 AM
to jpos-...@googlegroups.com
You tried to export key type 000,
but when you export I see 001, 002 ...

Maybe that is the problem.




Anton

Jan 17, 2011, 6:09:35 AM
to jPOS Users
@Chung: actually mine has 3 LMK storage slots in total, but the fact is that I
can only use 1 of them at a time, so eventually I need to translate my
working keys under the old LMK to the current LMK anyhow.

kapilashantha rajapaksha

Jan 17, 2011, 6:20:55 AM
to jpos-...@googlegroups.com


Try on this,

=================================================================
 
    Creating ZMK in RG8000 for exporting its keys
 
=================================================================
 
Online-AUTH[216]>z
 
Enter ZMK component: 10101010101010101010101010101010
Encrypted ZMK component: 4BE5 1C33 9E04 F56A 4BE5 1C33 9E04 F56A
Key check value: 82E1 3600 0000 0000
 
Online-AUTH[216]>z
 
Enter ZMK component: 20202020202020202020202020202020
Encrypted ZMK component: C143 8C55 4779 72C3 C143 8C55 4779 72C3
Key check value: 9772 2000 0000 0000
 
Online-AUTH[216]>z
 
Enter ZMK component: 23232323232323232323232323232323
Encrypted ZMK component: C6AE C15B BAD0 64CE C6AE C15B BAD0 64CE
Key check value: 0096 2B00 0000 0000
 
Online-AUTH[216]>
=================================================================
 
Online-AUTH[216]>d
 
Input components from smartcards? [Y/N]: n
Enter number of components [2-9]: 3
 
Enter encrypted component 1: 4BE5 1C33 9E04 F56A 4BE5 1C33 9E04 F56A
Enter encrypted component 2: C143 8C55 4779 72C3 C143 8C55 4779 72C3
Enter encrypted component 3: C6AE C15B BAD0 64CE C6AE C15B BAD0 64CE
 
Encrypted ZMK: 7F6E C17B 1769 05E7 7F6E C17B 1769 05E7
Key check value: A8B7 B500 0000 0000
 
=================================================================


Can you tell me what keys you are going to export?

Regards

Mark Salter

Jan 17, 2011, 6:22:40 AM
to jpos-...@googlegroups.com
Please can you prefix the subjects of further exchanges on this thread
with the characters [OT].

This will allow people to readily ignore it as it is really "Off Topic".

--
Mark

Chung vu

Jan 17, 2011, 6:25:43 AM
to jpos-...@googlegroups.com
@Anton: I read the HSM manual before; it seems that it can support using them at the same time ... please check first.

It is an advantage of the new firmware.



Anton

Jan 17, 2011, 6:33:12 AM
to jPOS Users
@Kapila:

I'm trying to export a ZPK (001) and a PVK (002).

Anyway, I find my HSM works in a funny way. See my test below (it can't
verify the check value for its own generated key):

Online-AUTH>gc

Enter LMK id [0-4]: 0
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: u

Clear component: 5294 CB2A FDD9 2326 B0D3 F7F4 A720 ABB0
Encrypted component: UAAB2 E91B D13A BE17 1C6E 8600 8F12 A45F
Key check value: 96E3 ED


Online-AUTH>

Online-AUTH>ck

Enter LMK id [0-4]: 0
Enter key type: 001
Enter key length flag [S/D/T]: d
Enter encrypted key: AAB2 E91B D13A BE17 1C6E 8600 8F12 A45F
Key parity error; re-enter key: UAAB2 E91B D13A BE17 1C6E 8600 8F12 A45F
Key parity error; re-enter key: UAAB2 E91B D13A BE17 1C6E 8600 8F12 A400
Key parity error; re-enter key: AAB2E91BD13ABE171C6E86008F12A45F
Key parity error; re-enter key: 5294 CB2A FDD9 2326 B0D3 F7F4 A720 ABB0



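An added example (editor's code, not from this thread, from Thales or from jPOS) covering the two things the console dumps above turn on: how a key is formed from its clear components, as in Kapila's "z"/"d" session, and what "Key parity error" and the key check value actually test, as in Anton's "gc"/"ck" session. It assumes, as I understand the RG8000 console behaviour, that clear components are combined by XOR and that the KCV is the first six hex digits of an all-zero block encrypted with DES (single length) or 3DES (double/triple length) under the clear key; it also splits a leading U/T/X/Y/Z key-scheme tag off the hex the way the console prints encrypted keys. The key values are copied from the thread as sample input only; the 1010.../2020.../2323... components are obviously test values, not anything to load into a production HSM. The point the "ck" exchange illustrates is made explicit at the end of main: the parity bits are not key material, so flipping them breaks the parity check yet leaves the KCV unchanged.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
	"strings"
)

// ParseKey decodes a key as the console prints it: hex in groups of four
// digits, optionally prefixed by a key-scheme tag (U, T, X, Y or Z).
// The tag is returned separately (0 if absent); clear values carry none.
func ParseKey(s string) (scheme byte, key []byte, err error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	if len(s) > 0 && strings.ContainsRune("UTXYZ", rune(s[0])) {
		scheme, s = s[0], s[1:]
	}
	key, err = hex.DecodeString(s)
	if err != nil {
		return 0, nil, err
	}
	switch len(key) {
	case 8, 16, 24: // single, double, triple length DES key
		return scheme, key, nil
	}
	return 0, nil, fmt.Errorf("unsupported key length %d bytes", len(key))
}

// HasOddParity reports whether every byte has an odd number of set bits,
// the DES convention the HSM enforces when it answers "Key parity error".
func HasOddParity(key []byte) bool {
	for _, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			return false
		}
	}
	return true
}

// FixParity returns a copy of key with the low bit of each byte adjusted so
// the byte has odd parity. The other seven bits, the ones DES uses, are kept.
func FixParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			b ^= 1
		}
		out[i] = b
	}
	return out
}

// CombineComponents XORs equal-length clear components into one key
// (assumption: this is how the console's "d" command forms the key).
func CombineComponents(comps ...[]byte) ([]byte, error) {
	if len(comps) == 0 {
		return nil, errors.New("no components")
	}
	key := make([]byte, len(comps[0]))
	for _, c := range comps {
		if len(c) != len(key) {
			return nil, errors.New("component lengths differ")
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return key, nil
}

// KCV returns the key check value: first six hex digits of the all-zero
// block encrypted under the clear key (assumed Thales convention).
func KCV(key []byte) (string, error) {
	var block cipher.Block
	var err error
	switch len(key) {
	case 8:
		block, err = des.NewCipher(key)
	case 16: // double length: K1 K2 K1
		block, err = des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	case 24:
		block, err = des.NewTripleDESCipher(key)
	default:
		return "", fmt.Errorf("unsupported key length %d bytes", len(key))
	}
	if err != nil {
		return "", err
	}
	var zero, out [8]byte
	block.Encrypt(out[:], zero[:])
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

func main() {
	// Clear ZMK component as printed by the "f" command in the thread.
	_, comp, _ := ParseKey("AB08 F4BA 97E3 6E4F 5170 A402 EFE6 2602")
	kcv, _ := KCV(comp)
	fmt.Println("odd parity:", HasOddParity(comp), "KCV:", kcv)

	// Flip every parity bit: the HSM would reject this, but the KCV is unchanged
	// because DES never uses those bits.
	flipped := make([]byte, len(comp))
	for i, b := range comp {
		flipped[i] = b ^ 1
	}
	kcv2, _ := KCV(flipped)
	fmt.Println("parity bits flipped -> odd parity:", HasOddParity(flipped), "KCV:", kcv2)
}
```

Run it with go run; the KCV printed for the clear component can be compared with the value the console showed for the same component. A parity failure therefore tells you a key was mistyped or truncated (or a scheme tag was included or omitted), not that the key material itself is wrong, which is why the KCV and the parity check are two different tests.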