Encrypted key on host and console is different?

Feb 25, 2010 at 2:23 AM
Edited Feb 25, 2010 at 2:25 AM
Hi all,
I am trying to create a TMK for my ATM that includes 2 components.

On the console, I create 2 components and form them to make a TMK:

Key length [1,2,3]: 2
Key Type: 002
Key Scheme: X
Clear Component: 6B7F A245 A898 6E31 5886 29A8 2C5E 08E6
Encrypted Component: X A3FB 3C1A 570B B2E7 4CFD 7753 D79D F9E4
Key check value: CEAC 3B

Key length [1,2,3]: 2
Key Type: 002
Key Scheme: X
Clear Component: 8C4F 9819 1A83 6D32 2697 760E 0DCD C451
Encrypted Component: X 761D DBF7 0DFA FDA7 FE63 307A 3181 7852
Key check value: 738D 39

Key length [1,2,3]: 2
Key Type: 002
Key Scheme: X
Component type [X,H,E,S]: X
Enter number of components (2-9): 2
Enter component #1: 6B7FA245A8986E31588629A82C5E08E6
Enter component #2: 8C4F98191A836D322697760E0DCDC451
Encrypted key: X 271B 34F7 507F C27D FCE0 DB52 7A61 9FDE
Key check value: DC24 19

I receive an encrypted TMK key of X 271B 34F7 507F C27D FCE0 DB52 7A61 9FDE and a check value of DC24 19.

Then I try to create the TMK with the 2 components above using a host command.
I send a command like this to the host: 1234A42002XXA3FB3C1A570BB2E74CFD7753D79DF9E4X761DDBF70DFAFDA7FE63307A31817852
XA3FB3C1A570BB2E74CFD7753D79DF9E4 is the encrypted form of component #1 from the GC command on the console,
and likewise X761DDBF70DFAFDA7FE63307A31817852 is the encrypted form of component #2,
and I receive this message from the HSM simulator: 1234A500X0D5EF082C860066C5E719138F2FC8DE3DC2419

The encrypted TMK key is X0D5EF082C860066C5E719138F2FC8DE3 and the check value is DC2419.

Here is the result from HSM simulator command events:

Field HEADER, value 1234
Field COMMAND_CODE, value A4
Field NBR_COMPONENTS, value 2
Field KEY_TYPE_CODE, value 002
Field KEY_SCHEME_LMK, value X

Component 1 (clear): 6B7FA245A8986E31588629A82C5E08E6
Component 2 (clear): 8C4F98191A836D322697760E0DCDC451
Key (clear): E7303A5CB21B03037E115FA62193CCB7
Check value: DC2419

The check value of the encrypted TMK key from both the host and the console is the same, but why is the encrypted key different? I think it must be encrypted under the same LMK pair, so it must be the same too?

Does someone understand this problem and can explain it to me?

Thank you all!
Feb 25, 2010 at 5:03 PM
Edited Feb 25, 2010 at 5:04 PM

In essence, both keys you're using are the same. If you XOR the clear components you used with the FK command, you'll get the value E7303A5CB21B03037E115FA62193CCB7, which is also the value printed out by the A4 event output. This key, however, doesn't have odd parity. If you force odd parity on this key, you'll get the value E6313B5DB31A02027F105EA72092CDB6. If you use any DES calculator to encrypt zeroes with these keys, you'll see that they produce the same results.

So, the difference you observed is because the FK console command forces odd parity on the key before encrypting it under the LMKs but the A4 host command does not. To verify this, you can edit the FormKeyFromEncryptedComponents_A4.vb file and change the line:

Dim cryptKey As String = Utility.EncryptUnderLMK(clearKey, ks, LMKKeyPair, var.ToString)

to the following:

Dim cryptKey As String = Utility.EncryptUnderLMK(Utility.MakeParity(clearKey, Utility.ParityCheck.OddParity), ks, LMKKeyPair, var.ToString)

Then you'll get the same encrypted key back. As far as I know, the A4 command does not force odd parity on the formed key before encrypting it but I could be wrong.
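The reasoning in the reply, reproduced with the thread's own component values, as an added Python example that is not part of the thread or of the simulator's source. It XORs the components, forces odd parity the way FK does, and shows that the two keys differ only in the parity bits DES discards; the KCV step assumes pycryptodome is installed and is skipped otherwise.

```python
# Added example (not from this thread or the simulator): reproduces the FK-vs-A4
# discrepancy. Only kcv() needs pycryptodome (optional); the rest is plain Python.
from functools import reduce

COMPONENT_1 = "6B7FA245A8986E31588629A82C5E08E6"  # clear component #1 from the thread
COMPONENT_2 = "8C4F98191A836D322697760E0DCDC451"  # clear component #2 from the thread


def form_key(components):
    """XOR hex-encoded components of equal length into one clear key (FK/A4 step 1)."""
    raw = [bytes.fromhex(c) for c in components]
    if len({len(r) for r in raw}) != 1:
        raise ValueError("components must all have the same length")
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), raw).hex().upper()


def force_odd_parity(key_hex):
    """Adjust bit 0 of each byte so every byte has an odd number of 1 bits (what FK does)."""
    out = bytearray()
    for b in bytes.fromhex(key_hex):
        out.append(b if bin(b).count("1") % 2 == 1 else b ^ 0x01)
    return out.hex().upper()


def has_odd_parity(key_hex):
    return all(bin(b).count("1") % 2 == 1 for b in bytes.fromhex(key_hex))


def same_effective_key(key_a_hex, key_b_hex):
    """True when the keys differ only in bit 0 of each byte, which DES drops in PC-1."""
    a, b = bytes.fromhex(key_a_hex), bytes.fromhex(key_b_hex)
    return len(a) == len(b) and all((x & 0xFE) == (y & 0xFE) for x, y in zip(a, b))


def kcv(key_hex):
    """Key check value: first 3 bytes of 3DES-ECB of a zero block (the thread reports DC2419).
    Returns None when pycryptodome is not installed."""
    try:
        from Crypto.Cipher import DES3
    except ImportError:
        return None
    return DES3.new(bytes.fromhex(key_hex), DES3.MODE_ECB).encrypt(bytes(8))[:3].hex().upper()


if __name__ == "__main__":
    raw = form_key([COMPONENT_1, COMPONENT_2])  # A4 encrypts this one as-is
    odd = force_odd_parity(raw)                 # FK encrypts this one
    print("XOR:", raw, "odd parity:", has_odd_parity(raw), "| FK:", odd)
    print("same DES bits:", same_effective_key(raw, odd), "KCVs:", kcv(raw), kcv(odd))
```

Both keys encrypt differently under the LMK pair because the LMK sees every bit, while the KCV is identical because DES ignores each byte's low bit.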