Import CVK pair

Jun 30, 2011 at 6:31 AM


I've been struggling with this for a bit and don't know what more I can do so I'm hoping somebody here can help me. I am totally new to the HSM 8000 world, and what I'm trying to achieve is to import a CVK pair int the HSM. I would know the plaintext A and B components but don't know how I can import them into the HSM 8000.

Can somebody please help me?

Jun 30, 2011 at 10:33 AM

Is this a production environment? You should not have the clear values of the CVKs. How where the CVKs generated?

Jul 4, 2011 at 11:12 AM

Well that is the point I have the plaintext values that should be used as component A and B for tha CVK pair and I want to import that key into HSM 8000 and use it for generation and validation of CVV values. I have done this on nCipher HSM's but thigs are different on HSM 8000. Those CVV values will be used in 3D Secure environment and will not be generated with the keys used to generate CVV values that are found on the card.

Jul 4, 2011 at 2:42 PM

Can you try the "Encrypt Clear Component" console command (EC)? The key type for CVKs is 402. Use that and verify with the key check value generated by the console command.

Jul 7, 2011 at 8:37 AM

Nick thanks for the tip, I thought that the same command set is used through the console, my oversight. Well I tried to use the EC command and it seems to successfuly encrypt the key components. But when I try to check if the generated check value is correct using CK command I keep getting an 'Key parity error' message. I have checked the components I'm importing and they have odd parity but this message persists. What could be causing this error?

Jul 7, 2011 at 8:50 AM

That's a bit weird. The check values produced by the EC command should obviously be the same as those produced by CK. The only thing I can think of is a data-entry mistake in the encrypted values entered in the CK command or the key type code used in both commands (which should be the same). Can you post the inputs/outputs of both EC and CK?

Jul 7, 2011 at 1:09 PM

Here is one example of creation of ove CVK key from clear component. The clear componet has odd parity and there is no error reported. But when I try to generate the key check value from encrypted component i get the Key parity error.


Enter LMK id [0-9]: 0
Enter key type: 402
Enter key scheme: 0
Enter component: 0110233245546776

Encrypted component: 250A FC98 D472 CA00
Key check value: 2462DB


Enter LMK id [0-9]: 0
Enter key type: 402
Enter key length flag [S/D/T]: s
Enter encrypted key: 250afc98d472ca00
Key parity error; re-enter key:

I'm doing this through a console on a Thales 8000 in our test environment.

Jul 7, 2011 at 9:31 PM

That really doesn't compute. I don't see an error with either command you're sending.

I know it's a particularly dumb thing to say but are you sure that entering the encrypted key with lower-case characters isn't the cause of the error?

One final though: can you try both commands with a double-length key, just to eliminate the possibility of CK expecting both CVK-A and CVK-B together?

Jul 8, 2011 at 6:16 AM

I have tried all sorts of combinations, generating double length CVK key, single length keys, with lower-case, upper-case characters and the end result is the same. That's what makes on sense, but the best thing is that there is no problems with CVK keys that have been generated by the HSM itself.

Jul 8, 2011 at 1:32 PM

Well, I'll chalk this up on my personal "Does not compute" list for the 8000. I can't see anything wrong there. I even checked your 0110233245546776 clear component for parity errors but it's already odd parity. When you say there are no problems with CVK keys, do you mean that CVV verification runs successfully even if the CVK check values cannot be verified by the CK console command?

Jul 12, 2011 at 7:12 AM

What I ment by 'there is no problems with CVK keys that have been generated by the HSM itself' is that I didn't have problems with the keys that were generated by using the Generate a CVK pair command.

But the good thing is I've found a solution. The CVK keys obviously cannot be imported with the EC command, but everything works as expected with BK or FK commands. I won't go into the reasons why it doesn't work with the EC command.

Nick thanks for all your effort!

Jul 12, 2011 at 1:16 PM

No problem.

Jul 27, 2011 at 6:20 AM

Hi nick,

I hope this discussion is still open. I want to ask a question also, regarding CVKs. Our situation is different from what Kreso11 encountered though. 

We were provided with a CVK pair (CVKA/B) encrypted under ZMK and are trying to import/translate the CVK to be encrypted under our LMK.

What command (console/host) should we use to perform our goal? We already tried using console commands IV, IK and Host Commands A6, AW, AU for HSM8000. Unfortunately, we encounter Invalid Key scheme and Key Parity error using the said commands.

The given ZMK was provided with three clear components, encrypted under our LMK using FK console command, KCV was OK. Then we imported the IWK encrypted under ZMK using A6 host command, which was also successful with correct KCV. 

This is why we are puzzled about CVK import generating errors.

Aug 6, 2011 at 4:17 PM

Sorry for the late response, vacations :-)

That seems puzzling. Can you show an example of the console command you're trying to import the CVK?