Nov 17, 2014 at 7:13 AM

I am new to HSM. CAn any one point out how i encrypt a pin block using HSM.
I am trying to achieve this using JAVA.

I have tried to use command BA to do this. BA has been mentioned in the list of HSM commands.
say i have a pin block 4492. I want to encrypt it using HSM.
Can anyone provide some pointers to help me?

Nov 17, 2014 at 10:09 AM
Edited Nov 17, 2014 at 10:12 AM

First, the HSM do not use plain keys. The keys (ZPK) always are encrypted under LMK which must be installed on HSM. So, the first thing you should do in your Java code, you need to decrypt the ZPK key from under LMK (DESede/ECB/NoPadding).

ZPK is encrypted with the 06-07 LMK pair. If you use Thales Variant Test LMK the value of that pair will be:
To not use the "Variants" of LMK you can use single length ZPK. You will not require to do any chemistry with LMK key for each key part. Single length keys with Variant 0 are encrypted like ANSI x9.17 (common 3DES).

The HSM applies only PINs encrypted under LMK. Unfortunately, the algorithm is unknown and Thales keeps it in secret :( But you can just pad clear PIN with zeroes in your Java code like it is implemented in "Thales Simulator Library". To verify the result of PIN encryption on HSM you can encrypt your PIN under LMK using "BA" host command.

After that you can combine PIN-block, for example EMV'96 (34). The descrition of that PIN block you can find in the following topic:

It will look like
This PIN block can be encrypted using your decrypted ZPK with "DESede/ECB/NoPadding" method.

The result can be verified using "JG" host command.