Generation of TMK

May 18, 2011 at 7:50 AM

I recently tried to generate a 3DES TMK key using FK.

However, I found that when I use 3 different sets of clear keys to generate the TMK, the 3 sets of keys come out with the same encrypted key and check value. May I know whether that is correct, and why?

Coordinator
May 18, 2011 at 7:57 AM

Can you please post the series of commands you sent along with the responses you got in order for us to better understand your question?

May 18, 2011 at 8:05 AM
Edited May 18, 2011 at 8:06 AM

Below is the TMK key generated using different sets of clear components.

Online-AUTH>fk

Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Enter component type [X,H,T,E,S]: x
Enter number of components [1-9]: 1

Enter component 1: 20110504100202021002020205042011

Encrypted key: U5347 ED1E C3E3 5587 22A5 3AB7 A3F5 DD68
Key check value: FF3F57

Online-AUTH>fk

Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Enter component type [X,H,T,E,S]: x
Enter number of components [1-9]: 1

Enter component 1: 20110504100203031002030305042011

Encrypted key: U5347 ED1E C3E3 5587 22A5 3AB7 A3F5 DD68
Key check value: FF3F57

Online-AUTH>fk

Enter LMK id [0-9]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Enter component type [X,H,T,E,S]: x
Enter number of components [1-9]: 1

Enter component 1: 20110504100302021003020205042011

Encrypted key: U5347 ED1E C3E3 5587 22A5 3AB7 A3F5 DD68
Key check value: FF3F57

I found that the 3 sets of components give me back the same encrypted key output and key check value output. Is this the correct output?

Coordinator
May 18, 2011 at 8:15 AM

Of course it is. You're executing the same command three times and you get the same output which, if you think about it, is what you'd expect. Normally, though, you wouldn't form a key from a single component (not in a production environment anyway - it's considered very insecure to have a single person know the clear key value).

I'm guessing that there's some confusion involved. What is it you're trying to accomplish?

May 18, 2011 at 8:24 AM
nickntg wrote:

Of course it is. You're executing the same command three times and you get the same output which, if you think about it, is what you'd expect. Normally, though, you wouldn't form a key from a single component (not in a production environment anyway - it's considered very insecure to have a single person know the clear key value).

I'm guessing that there's some confusion involved. What is it you're trying to accomplish?


I'm trying to create it for testing. You see, my input component for the TMK key is different. By right, it should come out with a different key check value and encrypted key, am I right?

2011050410020 202100 2020205042011

2011050410020 303100 2030305042011

2011050410030 202100 3020205042011

Coordinator
May 18, 2011 at 8:49 AM

Oops, sorry. I only observed the first few characters of keys and I thought they were the same.

This happens because odd-parity is enforced in keys (have a look about it here). The keys you're using essentially represent the same key when odd parity is used (that is 2010040410020202 1002020204042010). Try putting more bits in the keys (use more hex characters) and also try to vary key digits by more than one bit (key 89CDF7EC52498FA4A76861388CC72ACD and key 89CDF7EC52498FA5A76861388CC72ACD are essentially the same).
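
The parity adjustment described in the reply above, as an added example that is not part of the original thread or of the tool's own code: the least significant bit of each DES key byte is a parity bit, so the sketch forces odd parity per byte and compares the results. The function names are hypothetical; the key values are the ones posted in the thread, plus one constructed value marked as such.

```python
"""Odd-parity adjustment of DES/3DES key bytes (added illustration)."""


def enforce_odd_parity(key_hex: str) -> str:
    """Set the low bit of every byte so each byte has an odd number of 1 bits."""
    adjusted = bytearray()
    for byte in bytes.fromhex(key_hex.replace(" ", "")):
        ones_in_key_bits = bin(byte >> 1).count("1")  # upper 7 bits carry key material
        parity_bit = 0 if ones_in_key_bits % 2 else 1
        adjusted.append((byte & 0xFE) | parity_bit)
    return adjusted.hex().upper()


def same_effective_key(a_hex: str, b_hex: str) -> bool:
    """True when two inputs differ only in their parity bits."""
    return enforce_odd_parity(a_hex) == enforce_odd_parity(b_hex)


# Components entered in the three fk sessions posted in the thread.
THREAD_COMPONENTS = [
    "20110504100202021002020205042011",
    "20110504100203031002030305042011",
    "20110504100302021003020205042011",
]

# Pair of keys quoted in the coordinator's reply.
REPLY_PAIR = (
    "89CDF7EC52498FA4A76861388CC72ACD",
    "89CDF7EC52498FA5A76861388CC72ACD",
)

# Constructed value (not from the thread): the first component with one byte
# changed from 02 to 04, which alters a key bit rather than a parity bit.
CONSTRUCTED_DIFFERENT = "20110504100204021002020205042011"

if __name__ == "__main__":
    for component in THREAD_COMPONENTS:
        print(component, "->", enforce_odd_parity(component))
    print("reply pair equivalent:", same_effective_key(*REPLY_PAIR))
    print("constructed value equivalent to component 1:",
          same_effective_key(THREAD_COMPONENTS[0], CONSTRUCTED_DIFFERENT))
```
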

May 18, 2011 at 9:04 AM

Nick, thank you for the information.

Coordinator
May 18, 2011 at 9:08 AM

You're welcome.