Jan 13, 2015 at 10:10 AM

Can anyone explain to me the concepts of ZPK under LMK and ZPK under ZMK?

Which of these needs to be stored in database?

I am really confused between these two encrypted keys?


Jan 19, 2015 at 2:54 AM
Edited Jan 19, 2015 at 3:10 AM

You are not the first :)

I will try to explain (but my English is not so good to be clear enough :( ).

An HSM never works with plain keys; all the keys it processes are encrypted under other keys, called Key Encryption Keys (KEK). The LMK is a KEK which is securely stored in the secure environment, the HSM. The main idea of the HSM is that you cannot get the real LMK key value and, accordingly, you cannot get the plain value of the real working key. All the keys you use with the HSM are cryptograms. The LMK is your personal KEK, which is not accessible to other parties (which means it is a secure KEK). These keys you should keep in the database to use with your own HSM.

Sometimes you need to transmit keys to other parties, e.g. Visa or MasterCard, to exchange some encrypted data like PIN blocks. In that case you should use another KEK called the ZMK. It is a transport key which is used ONLY for exchanging other keys. You are unable to use ZMK-encrypted keys with your HSM. First, you MUST import the key under your LMK to make it manageable.

1) You should keep in DB keys under LMK
2) Keys under ZMK are only used to be transmitted to other parties.

If I was not clear enough pls do not hesitate to ask, will try to find another explanation.

Jan 22, 2015 at 4:23 PM
In simple words:

LMK: MAIN OR MOTHER KEYS. UNDER THESE KEYS ALL THE FUTURE GENERATED KEYS WILL BE SAVED. You need to save these LMKs in either chip card format or paper. Mostly chip cards are used; Thales provides you with these cards.

ZPK: Zone PIN Key. Used for PIN block generation.

ZMK: Zone Master Key; Visa calls it ZCMK. It is a transport key. Whenever you want to communicate with another system and you don't want to EXPOSE the CLEAR COMPONENTS, you can use a ZMK to transport them. What you will do: you will invoke 3 custodians, and each of them will generate a clear ZMK component. Then you will form a ZMK cryptogram with those 3 clear components. After that you can export any key under that ZMK. For the other party to get the key, you will need to send them the key (e.g. ZPK) as ZPK under ZMK by email, and then each custodian has to send their clear component to a specific person. In the other company they will form the ZMK from the clear components and just import the key.
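
The flow described across this thread, as an added example that is not part of any of the posts and is not vendor code: each party stores the ZPK under its own LMK, and the ZPK under ZMK exists only in transit. `ToyHSM`, its method names and `wrap` are hypothetical; `wrap` is a toy stand-in for the HSM's real key encryption, and combining the three components by XOR is an assumed convention the posts do not spell out.

```python
import hashlib, hmac, secrets
from functools import reduce

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(kek, key):
    # Toy stand-in for the HSM's real key encryption (NOT secure, illustration only):
    # XOR with a pad derived from the KEK. Applying it twice unwraps.
    return xor(key, hmac.new(kek, b"wrap", hashlib.sha256).digest()[:len(key)])

class ToyHSM:
    """Hypothetical model: clear keys exist only inside these methods."""
    def __init__(self):
        self._lmk = secrets.token_bytes(16)   # never leaves the HSM

    def form_zmk(self, components):
        # Custodians' clear components are combined by XOR (assumed convention).
        return wrap(self._lmk, reduce(xor, components))

    def generate_zpk(self):
        return wrap(self._lmk, secrets.token_bytes(16))

    def export_key(self, zmk_lmk, key_lmk):
        # LMK cryptogram -> ZMK cryptogram, for sending to the other party.
        zmk = wrap(self._lmk, zmk_lmk)
        return wrap(zmk, wrap(self._lmk, key_lmk))

    def import_key(self, zmk_lmk, key_zmk):
        # ZMK cryptogram -> LMK cryptogram, for storing in the local database.
        zmk = wrap(self._lmk, zmk_lmk)
        return wrap(self._lmk, wrap(zmk, key_zmk))

    def check_value(self, key_lmk):
        # Stand-in for a key check value: compare keys without revealing them.
        clear = wrap(self._lmk, key_lmk)
        return hmac.new(clear, bytes(8), hashlib.sha256).hexdigest()[:6].upper()

def exchange():
    components = [secrets.token_bytes(16) for _ in range(3)]  # constructed samples
    sender, receiver = ToyHSM(), ToyHSM()
    s_zmk, r_zmk = sender.form_zmk(components), receiver.form_zmk(components)
    s_zpk = sender.generate_zpk()                   # sender's DB: ZPK under its LMK
    in_transit = sender.export_key(s_zmk, s_zpk)    # ZPK under ZMK: sent, not used
    r_zpk = receiver.import_key(r_zmk, in_transit)  # receiver's DB: ZPK under its LMK
    return {"sender_db": s_zpk, "wire": in_transit, "receiver_db": r_zpk,
            "kcv_match": sender.check_value(s_zpk) == receiver.check_value(r_zpk)}
```

The three cryptograms differ even though they protect the same ZPK, which is why a value stored under one party's LMK is useless to the other party's HSM.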