3

Scheme has following requirements

  • Client application should perform encryption/decryption using component 1, component 2 and ZPK (zone PIN key. Client should get this key from host in encrypted form).
  • Host application should perform encryption/decryption using key MK (master key formed from component 1 and component 2) and ZPK.

Here is how I'm generating components

Online-AUTH>GC
Enter LMK id [0-2]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Clear component: **** **** **** **** **** **** **** **** 
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX 
Key check value: xxxxxx

Online-AUTH>GC
Enter LMK id [0-2]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Clear component: **** **** **** **** **** **** **** ****
Encrypted component: UYYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY 
Key check value: yyyyyy

Online-AUTH>FK
Enter LMK id [0-2]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Enter component type [X,H,T,E,S]: e
Enter number of components [1-9]: 2
Enter component 1: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX 
Component 1 check value: xxxxxx
Continue? [Y/N]: y
Enter component 2: UYYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY
Component 2 check value: yyyyyy
Continue? [Y/N]: y
Encrypted key: UZZZZ ZZZZ ZZZZ ZZZZ ZZZZ ZZZZ ZZZZ ZZZZ 
Key check value: zzzzzz

What I don’t understand is

  • What are the benefits of creating MK using enciphered components How to decrypt enciphered ZPK with component 1 and component 2.
  • What is the relation between component 1, component 2 and output of FK command
  • Is encrypting PIN block under ZPK is enough/ubiquitous

Any help appreciated. PS I want to stick to ubiquitous implementations.

Saahon
  • 404
  • 1
  • 6
  • 27

1 Answers1

3

You are not first :)

I will try to explain (but my English not so good to be clear enough :( ).

HSM never works with plain keys, all the keys it processing, are encrypted under other, called Key Encryption Key (KEK), keys. The LMK is KEK which is securely stored in the secure environment, HSM. The main idea of HSM is, that you can not get real LMK key value, respectively, you can not get the real working key plain value. All the keys you are using with HSM are cryptograms. LMK is your personal KEK which is not accessible to other parties (what means it is secure KEK). These keys you should keep in database to use with your own HSM.

Sometimes, you need to transmit keys to other parties, eg, Visa or MasterCard to exchange some encrypted data like PIN-blocks. In that case you should use another KEK called ZMK. It is transport key which is used ONLY for other key exchange. You are unable to use ZMK encrypted keys with your HSM. First, you MUST import the key under your LMK to make it managanbe.

CONCLUSION:

1) You should keep in DB keys under LMK

2) Keys under ZMK are only used to be transmitted to other parties.

If I was not clear enough pls do not hesitate to ask, will try to find another explanation.

hitman47
  • 237
  • 2
  • 14