Load ZMK

Oct 26, 2010 at 2:07 PM

Hi again,

 

I have two HSM:

1. RG 7000.

2. PayShield 9000.

 

What I'm trying to do is create a ZMK from the 7000 and load it to the 9000.

Is it possible to do that, and how?

Many thanks

Coordinator
Oct 26, 2010 at 4:40 PM

I'm not exactly familiar with the 9000 but I know that it's also compatible with the 8000 so it's possible.

Method 1: In the traditional scheme of things, Zone Master Keys are made of 2 or more components, with each component being known to a custodian. You can simply gather the custodians, go to the 9000 console and follow the appropriate import procedure. IMHO this is the most secure way to do it since your organization can be certain that no single person gains knowledge of the clear ZMK.

Method 2: Create a new ZMK at the 7000, call it ZMK-2. Encrypt/Export your ZMK under ZMK-2. Import ZMK-2 at the 9000. Import ZMK encrypted under ZMK-2 at the 9000. If this is done properly, it can be as secure as method 1 but in order to do that you would need to generate 2 or more ZMK components in order to form ZMK-2.

Hope this helps.

Oct 26, 2010 at 5:35 PM

 

Hi, what I did on the 7000 was the following:

  • using the F command I generated a ZMK
  • and the result was (Clear, Encrypted and Check value) for the ZMK

Then on the 9000 I used the IK command to import the ZMK I generated from the 7000. I filled in the following:

  • LMK field ID: 0
  • Key Type: 000
  • Key Schema: U
  • Encrypted ZMK: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX

Then it gave me the following error:

Key parity error: re-enter key:

Can you please guide me?

Coordinator
Oct 26, 2010 at 6:12 PM

In order to understand what happened, IK asks for a key type and a key scheme, then requests the encrypted ZMK. What value did you put there?

Oct 27, 2010 at 7:37 AM

Hi,

As I put in the example before:

Key type: 000 (ZMK)

Key Schema: U (Variant)

Encrypted ZMK: the value I got from the RG 7000

Coordinator
Oct 27, 2010 at 7:46 AM

The encrypted value you got from the RG7000? If so, think about what's happening. The key generated at the 7000 is encrypted under the LMKs of the 7000 and not the LMKs of the 9000. Therefore, the 9000 has no way of decrypting that key. You need to follow one of the two methods I posted previously.
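
Added example, not part of the thread and not any poster's code: a Python sketch of the component scheme in Method 1 and of the parity check behind the "Key parity error" message. It assumes the usual convention that components are combined by XOR and that DES-family keys carry odd parity in every byte; all function names and sample values are constructed for illustration.

```python
import secrets
from functools import reduce

def has_odd_parity(key: bytes) -> bool:
    """True if every byte has an odd number of 1 bits (the DES key convention)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)

def fix_odd_parity(key: bytes) -> bytes:
    """Rewrite the low bit of each byte so that the byte has odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE  # the 7 bits that carry key material
        out.append(high7 | (1 - bin(high7).count("1") % 2))
    return bytes(out)

def combine_components(components: list[bytes]) -> bytes:
    """XOR the custodians' components into one key, then set odd parity."""
    if len(components) < 2:
        raise ValueError("split knowledge needs at least two components")
    if len({len(c) for c in components}) != 1:
        raise ValueError("components must all be the same length")
    xored = bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*components))
    # An even number of odd-parity components XORs to even parity,
    # so parity is set again on the combined value.
    return fix_odd_parity(xored)

def parity_pass_chance(key_len: int) -> float:
    """Chance that key_len random bytes pass the parity check by accident."""
    return 0.5 ** key_len

if __name__ == "__main__":
    # Constructed sample: three custodians, one random 16-byte component each.
    # Holding fewer than all components reveals nothing about the key,
    # because each missing component acts as a one-time pad.
    parts = [fix_odd_parity(secrets.token_bytes(16)) for _ in range(3)]
    zmk = combine_components(parts)
    print("combined key passes parity:", has_odd_parity(zmk))

    # Stand-in (assumption): a cryptogram decrypted under a different LMK
    # comes out as effectively random bytes, modelled here with random data.
    garbage = secrets.token_bytes(16)
    print("wrong-LMK stand-in passes parity:", has_odd_parity(garbage))
    print("accidental pass chance: %.6f" % parity_pass_chance(16))
```

A parity check only catches a wrong or mistyped value; comparing the check value reported by both HSMs is what confirms that the same key was loaded.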