Decrypt PIN Block using ZPK

Jan 9, 2011 at 8:24 PM

Hi all,

can you please help - advice on the below scenario ?

I want to calculate a PIN Verification Value, in order to write it to a chip card. PVV calculation is not standarized like e.g command 'FW' (Generate a VISA PVV)

The algorithm provided to me includes various steps, the most important of which is to decrypt PIN Block using ZPK. (PIN Block is provided, not calculated)

Which combination of commands can accomplish this ?

Currently, i am thinking of encrypting ZPK under ZEK and use M0 command, but had no success so far.

Even encrypting ZPK under ZEK is not "standarized"

Any idea is appriciated...

Thanks in advance.

Jan 9, 2011 at 8:32 PM

I'm not clear as to what exactly you're trying to accomplish, so perhaps it would be best to describe in more detail.

One thing I can indicate right now is that there is no Thales host command to decrypt a PIN block, but there are several commands that can translate it to encryption under another key.

Jan 9, 2011 at 9:22 PM
Edited Jan 9, 2011 at 9:34 PM

Hi, thanks for replying.

I am currently trying to personalize a chip card which is pre - personalized.

There are 3 parties involved in the process

Party A : Pre - personalizer

Pre - personalizer has manufactured cards and has written into the cards keys for encryption -  macing (e.g PKenc, PKmac) derived from his Master Key (KMC)

KMC is securely injected into terminals so that they can authenticate to cards and update counters on them.

Party B : Acquirer

Holds all card security related data : PVV, PVK, PVKI. Performs online PIN authorization using DUKPT.

Party C : Personalizer (Me)

Have received KMC from Party A in order to be able to authenticate to card and write personalization data.

Have received ZPK  and personalization data from Party B . Data include PINBlock and VISAPINPVV.


One of the data elements that will be written to the card is the PIN offset used for offline PIN verification.

According to algorithm provided i have to decrypt PINBlock under ZPK.

In case this scenario seems familiar to you, and something seems to be wrong  in my description

please point it out.



Jan 9, 2011 at 9:33 PM

This sounds similar to one of the other discussions I was having recently.

I'm no expert in personalization but I may be able to follow the subject. I guess the main question here is how do you want to have the PIN block? Do you need to have it in clear unencrypted form or do you need to have it encrypted under another key?

Jan 9, 2011 at 9:37 PM
Edited Jan 9, 2011 at 9:56 PM

It would be the second one (encrypted)

Jan 9, 2011 at 9:56 PM

Do you have the ZPK and the other key both encrypted as well?

Jan 9, 2011 at 10:01 PM

Yes, both keys are in HSM under their LMK's

Jan 9, 2011 at 10:04 PM

The ZPK is encrypted under LMK 06-07. What is the type of the other key?

Jan 9, 2011 at 10:08 PM
Edited Jan 9, 2011 at 10:17 PM

This is a piece of info i am missing.

I know that i will have this key in HSM but i do not know it's type.

This what i am trying to understand through this Thread and Thales 8000 manual.

 From our discussion, i realize now that, i want a translation and not decryption.

I am starting to think that this key will probably be PVK, but i am not sure

Jan 9, 2011 at 10:21 PM
Edited Jan 9, 2011 at 10:23 PM

I'm sorry to say that I can't help you with that. All I can say is that if the target key is is another ZPK, you can use the CC command which translates a PIN block from one ZPK to another.

That being said, if the target key is not a ZPK but another type, there is a small little trick you can pull.

  1. Create a new ZMK of your own.
  2. Export the target key from its format under your own ZMK.
  3. Import the key exported in (2) but during the import change the key type to ZPK.

That will leave you with an encrypted ZPK that has a different encrypted value but in essence will be the same as the target key. Using this, you can call the CC command to translate the PIN block.

(EDIT: I think it's very unlikely that the target key will be a PVK).

Jan 11, 2011 at 7:15 PM

I am a bit surprised you are using a Thales 8000 to personalize a card. Ususally other models are used for personalisation and the 8000 is used for the authorization host system

Jun 4, 2014 at 7:50 AM
Dear All,

I need to generate a PIN Block (Pin under ZPK) with thales HSM 800 using mod line :
  • I have Clear PIN.
  • I have a ZPK under LMK.
I need only the command to use , because we are working on terminal simulator.

Best regards.
Jun 5, 2014 at 10:24 AM

You can do that using 2 host commands:

1) Encrypt PIN under LMK using 'BA' command;
2) translate PIN under LMK to ZPK encryption using 'JG' command.