Obtain a TPK encrypted PIN block

Nov 4, 2011 at 4:39 PM
Edited Nov 4, 2011 at 4:47 PM


I am trying to use the HSM 'DC' command to validate a pin block and I am running into a few problems.

To test that this command is working properly, I need to provide a TPK encrypted under an LMK, a pin block encrypted under that TPK and a PVV.

The problem is that to obtain a pin block encrypted under a TPK, I need the clear TPK, since apparently the HSM does not provide a command to do this.

To obtain the PVV I also need a PIN encrypted under the LMK. This is doable, since the HSM generates such pins, but how can I then translate the pin block from encryption under a LMK to encryption under a TPK, so I can use that pin block with the 'DC' command?

Thank you for your help, and thanks for developing this simulator, it's a really helpful tool.

Nov 6, 2011 at 6:10 PM

A typical cycle for PIN generation is the following:

1. Generate a random PIN. The JA command is used and it delivers a PIN encrypted under an LMK.

2. Generate a PVV using the PIN encrypted under LMK (DG command). This yields the PVV which is stored to the card and/or the authorization host.

Now, during this cycle you obviously do not need a TPK or ZPK. However, the JG command can be used to translate the PIN from LMK to ZPK encryption. This is used to communicate a generated PIN to an outside entity as a PIN block.

The aforementioned PIN generation cycle is used for random PIN generation when the customer doesn't have control over the initial PIN. It is not uncommon to see banks offer their customers the chance to select the initial PIN at a POS or PIN pad. When this happens, step (1) is skipped altogether and step (2) is carried out with the equivalent of the FW command which generates a PVV from a PIN block encrypted under a TPK or ZPK.

This background info may have already helped to clear up matters regarding PIN generation. Now as far as the first part of your question is concerned, an HSM can provide a clear TPK as part of key generation management. This happens at the HSM console and typically a clear key is split to two or more clear-text components which go out to separate custodians to ensure that no single person knows the complete clear-text key.

I hope this answers your question but please post back if something's not clear.

Nov 7, 2011 at 9:26 AM

Hello Nick,

Thank you for your help, I think this whole process is a lot clearer now.

I am trying to write a functional test to validate a Pin Block, encrypted under a TPK. Ideally, this functional test would work with all HSMs, interdependently of the LMKs in use, so I need to find a way to obtain a valid Pin Block encrypted under a TPK.

Is this even possible? Maybe with a translate command to translate a PIN Block from ZPK or LMK encryption to TPK encryption?

Nov 7, 2011 at 10:24 AM

The catch is always the same here. Regardless of whether you translate the PIN block from TPK to ZPK or not, you need to create a PIN block. This can be done with either a ZPK or TPK but in either case you'll need to have a clear-text key to create the PIN block. There's no way around it.