Reputation: 419
The scheme has the following requirements:
Here is how I'm generating the components:
Online-AUTH>GC
Enter LMK id [0-2]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Clear component: **** **** **** **** **** **** **** ****
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: xxxxxx
Online-AUTH>GC
Enter LMK id [0-2]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Clear component: **** **** **** **** **** **** **** ****
Encrypted component: UYYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY
Key check value: yyyyyy
Online-AUTH>FK
Enter LMK id [0-2]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Enter component type [X,H,T,E,S]: e
Enter number of components [1-9]: 2
Enter component 1: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Component 1 check value: xxxxxx
Continue? [Y/N]: y
Enter component 2: UYYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY
Component 2 check value: yyyyyy
Continue? [Y/N]: y
Encrypted key: UZZZZ ZZZZ ZZZZ ZZZZ ZZZZ ZZZZ ZZZZ ZZZZ
Key check value: zzzzzz
What I don’t understand is
Any help is appreciated. PS: I want to stick to ubiquitous implementations.
Upvotes: 3
Views: 2736
Reputation: 237
You are not the first :)
I will try to explain (but my English is not good enough to be clear :( ).
An HSM never works with plain keys; all the keys it processes are encrypted under other keys, called Key Encryption Keys (KEKs). The LMK is a KEK which is securely stored in the secure environment, the HSM. The main idea of an HSM is that you cannot get the real LMK key value and, respectively, you cannot get the real working key plain value. All the keys you are using with the HSM are cryptograms. The LMK is your personal KEK which is not accessible to other parties (which means it is a secure KEK). These keys you should keep in a database to use with your own HSM.
Sometimes you need to transmit keys to other parties, e.g. Visa or MasterCard, to exchange some encrypted data like PIN blocks. In that case you should use another KEK called the ZMK. It is a transport key which is used ONLY for exchanging other keys. You are unable to use ZMK-encrypted keys with your HSM. First, you MUST import the key under your LMK to make it manageable.
CONCLUSION:
1) You should keep the keys in the DB under the LMK.
2) Keys under the ZMK are only used to be transmitted to other parties.
If I was not clear enough, please do not hesitate to ask; I will try to find another explanation.
Upvotes: 3
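A small model of the answer's conclusion, added here as an example; it is not code from the question, the answer, or any vendor's HSM. It shows that a working key is stored and used only as an LMK cryptogram, that a ZMK cryptogram exists only for transport and cannot be used directly, and that import re-encrypts it under the LMK. Wrapping is simplified to 3DES-ECB under the KEK (the real variant/key-block schemes are more involved), and every key value is a constructed sample.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// tdes runs 3DES-ECB over in with a double-length (16-byte) key expanded to K1|K2|K1.
func tdes(key16, in []byte, decrypt bool) []byte {
	blk, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...)) // errors only on bad length
	op := blk.Encrypt
	if decrypt {
		op = blk.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 8 {
		op(out[i:], in[i:])
	}
	return out
}

// KCV is the first 3 bytes of the clear key encrypting an all-zero block, as hex.
func KCV(clear []byte) string { return hex.EncodeToString(tdes(clear, make([]byte, 8), false)[:3]) }

// A key "under" a KEK is modelled as the KEK's 3DES-ECB encryption of it (simpler than real variant/key-block schemes).
func Wrap(kek, clear []byte) []byte     { return tdes(kek, clear, false) }
func Unwrap(kek, wrapped []byte) []byte { return tdes(kek, wrapped, true) }

// HSM holds the only copy of the LMK; callers only ever see cryptograms.
type HSM struct{ lmk []byte }

// CheckValue unwraps an LMK cryptogram inside the HSM and reports its KCV; a ZMK cryptogram gives a wrong one.
func (h HSM) CheckValue(keyUnderLMK []byte) string { return KCV(Unwrap(h.lmk, keyUnderLMK)) }

// Export moves a key from under the LMK to under a ZMK (itself an LMK cryptogram) for transmission.
func (h HSM) Export(zmkUnderLMK, keyUnderLMK []byte) []byte {
	return Wrap(Unwrap(h.lmk, zmkUnderLMK), Unwrap(h.lmk, keyUnderLMK))
}

// Import brings a received ZMK cryptogram back under the LMK so the HSM can use it.
func (h HSM) Import(zmkUnderLMK, keyUnderZMK []byte) []byte {
	return Wrap(h.lmk, Unwrap(Unwrap(h.lmk, zmkUnderLMK), keyUnderZMK))
}

func main() {
	h := HSM{lmk: []byte("LMK-constructed!")} // constructed 16-byte sample keys, not real ones
	zmk := Wrap(h.lmk, []byte("ZMK-constructed!"))
	key := Wrap(h.lmk, []byte("working-key-demo")) // what FK hands back: the key under the LMK
	exported := h.Export(zmk, key)
	fmt.Println(h.CheckValue(key), h.CheckValue(exported), h.CheckValue(h.Import(zmk, exported)))
}
```

The first and third KCVs printed match; the middle one, computed from the ZMK cryptogram as if it were under the LMK, does not, which is the answer's point about having to import before use.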