Thales 9000 Encryption Method

Apr 28, 2015 at 8:58 AM
Hi all,

I used HSM host command JA to generate a random pin. The result is pin under LMK. Then I used JG command to translate the pin from LMK to ZPK.

The problem is when I get the pin block under ZPK result from JG command, I need to send to another party. But how is the other party to decrypt the pin block under ZPK? How can I know which encryption algorithm the HSM box is using?

Thanks in advance.
Apr 29, 2015 at 3:50 PM

The encryption is 3DES/ECB.

You need to share this ZPK with another part. You can do it by exporting ZPK under ZMK using KE command and send ZMK clear components to 3rd party and ZPK under ZMK. 3rd party will import that ZPK under their LMK or decrypt it by some software.

Let us know if you need assistance in key export under ZMK.

Apr 30, 2015 at 3:04 AM
Hi Juris,

Thanks for your reply.

Is there any documents I can refer to for the HSM box encryption method? I tried to search in the Thales manual but couldn't find any info on it. What I can only get from the manual is the pin encryption method is either Visa method or Racal method during security setup using console command CS.

For the key export, I already have an image on it and I can find the steps you shared out in some other threads.

Thank you.
Jun 26, 2015 at 12:22 PM
As long as you export PIN under 3DES key the encryption algorithm has to be 3DES. Encryption mode of resulting PIN block is defined by PIN block format. Description of PIN block formats can be found in General Information HSM manual.
Visa/Racal method you are referring to is a method of encrypting PIN and PAN under LMK only.