JA command

Apr 4, 2013 at 3:33 AM
Hi Nick,

When issuing a JA command to a real HSM (Thales 9000) such as following:
JA12345678912304 - request a 4 digit PIN

I am getting something like:

Is this '87348' / '87454' the correct encrypted PIN to use? why 5 digits rather than 4?

Can you please advice.

Apr 4, 2013 at 5:16 PM
That's the PIN encrypted under the LMK. For more info (which isn't much) have a look in the Thales Command Reference Manual.
Apr 5, 2013 at 12:39 AM
Hi Nick,

Thanks for the reply, would you mind to describe me, in general, how the pin mailers are generated ?

At the moment we are utilising an ESM to generate the PINs, put them in file and send it to our card manufacture for them to print the pin mailers. The ESM is very different from how HSM works, take this for example,

Our program first sends command to the ESM request a "session key", it returns a session key and an encrypt key.
All the pin blocks will then generated and encrypted under the encrypt key.
The session key at the end will be attached in the PIN file and send to them.

For me it looks like the ZPK(under LMK) on HSM is similar to the encrypt key on ESM so I need to encrypt all pins under a ZPK
and attache the ZPK in the PIN file so they can undo the PINs.

What I am not understand are :
  1. How will their decryption device able to get the clear PIN to print on the mailers if they don't have our LMK?
  2. What would the "session key" for the HSM here
If you believe there's anything that is wrong please correct me.

Apr 6, 2013 at 6:22 PM
Like you said, all the PIN blocks are encrypted under the ZPK. Since the do have the ZPK, they can decrypt the PIN block and derive the PIN. Since you've exchanged ZMKs and created a ZPK, they don't need access to your LMKs.

Using Thales only, the batch process is like this:
  • A random PIN is generated using JA.
  • The PIN block is generated and saved for encoding to the card.
  • The PIN is printed to a printer attached to the HSM using the PE command.