FA (translate ZPK from ZMK to LMK) command with single length keys

Jan 21, 2015 at 3:48 PM
Has anyone got the FA command to work using single length keys?
I get FB10 returned which suggests there is an issue with the ZMK.

See example below where I also include the keys and how they were generated at the console:

ZMK (plain full key) 9DDC9BAE925D31E6
KCV: 0EB795

Plain ZPK: ABDC5476102301FE
KCV: 6C5A CF

ZPK encrypted under ZMK is 76E565ADB1062E6E

------console to create ZMK from encrypted components-------------
EC
Key Type: 000
Key Scheme: 0
Enter component: 43455E25297CD946
Encrypted Component: 42D51505B7CFC461
Key check value: 428C 48
EC
Key Type: 000
Key Scheme: 0
Enter component: 834CDF1052761FBA
Encrypted Component: 9FB1185F9741502A
Key check value: D6FC F1
EC
Key Type: 000
Key Scheme: 0
Enter component: 5DD51A9BE957F71A
Encrypted Component: 619E36FE513CEA21
Key check value: EEC6 6C

FK
Key length [1,2,3]: 1
Key Type: 000
Key Scheme: 0
Component type [X,H,E,S]: E
Enter number of components (2-9): 3
Enter component #1: 42D51505B7CFC461
Enter component #2: 9FB1185F9741502A
Enter component #3: 619E36FE513CEA21
Encrypted key: 2B77 B300 B254 94A2

Key check value: 0EB7 95

So the ZMK under LMK 04-05 is 2B77 B300 B254 94A2

So for the FA command:
send:
ABCDFA2B77B300B25494A276E565ADB1062E6E

Response:
ABCDFB10

If anyone can shed any light on this it will be much appreciated.

thanks.
Editor
Feb 22, 2015 at 2:10 AM
Edited Feb 22, 2015 at 2:11 AM
Hi!

Check the parameter in ThalesParameters.xml "DoubleLengthZMKs", it should be set to "False" if you want to use single length ZMKs. It is the real HSM "Double ZMK" security parameter analog to differentiate single length ZMK key from double length legacy ZMK without scheme qualifier (which has each part encrypted under LMK like a separate single length key, like key pair).

Regards,
Juris
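
The following is an added example, not part of the thread and not the simulator's own code. It shows how the FA message from the question splits into fields depending on the DoubleLengthZMKs setting, and checks that the three clear components XOR to the ZMK the poster lists. Assumptions: a 4-character message header, no optional trailing fields, and that a ZMK without a scheme qualifier is read as 32 hex characters when the setting is true; the function names are hypothetical.

```python
# Added illustration of the field ambiguity described in the answer.
# Assumed: 4-char header, no optional trailing fields, ZMK sent without
# a scheme qualifier (as in the question). Names here are hypothetical.

HEADER_LEN = 4
KEY_HEX = 16  # one single-length DES key is 16 hex characters

# Test values copied from the question.
COMPONENTS = ("43455E25297CD946", "834CDF1052761FBA", "5DD51A9BE957F71A")
FA_MESSAGE = "ABCDFA2B77B300B25494A276E565ADB1062E6E"


def xor_components(*components):
    """XOR clear key components together into one key (hex string)."""
    acc = 0
    for component in components:
        if len(component) != KEY_HEX:
            raise ValueError("expected a single-length component")
        acc ^= int(component, 16)
    return f"{acc:0{KEY_HEX}X}"


def split_fa(message, double_length_zmks):
    """Split an FA command into header, ZMK and ZPK fields.

    With double_length_zmks=True an unqualified ZMK is taken as 32 hex
    characters, so a single-length ZMK swallows the ZPK that follows it.
    """
    header = message[:HEADER_LEN]
    command = message[HEADER_LEN:HEADER_LEN + 2]
    if command != "FA":
        raise ValueError(f"not an FA command: {command!r}")
    body = message[HEADER_LEN + 2:]
    zmk_len = 2 * KEY_HEX if double_length_zmks else KEY_HEX
    return {"header": header, "zmk": body[:zmk_len], "zpk": body[zmk_len:]}


if __name__ == "__main__":
    print("ZMK from components:", xor_components(*COMPONENTS))
    for setting in (True, False):
        print(f"DoubleLengthZMKs={setting}:", split_fa(FA_MESSAGE, setting))
```

With the setting true, the ZMK field covers both keys and the ZPK field is empty; with it false, the fields match the values in the question.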