ZPK's KCV not matching

Oct 27, 2015 at 1:13 PM
Edited Oct 27, 2015 at 1:15 PM
I'm new to the HSM interface. I tried to create my own CK, ZMK and ZPK components, but in the end I was still unable to get the correct KCV for the ZPK data.

The following steps were followed:
GENERATE CLEAR KEY1---->

GC
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Clear Component: ECBA647525619DB9A89B26B520975238
Encrypted Component: U 62AB 6D5A 627A 58B0 3A0B BA5D B7AA E694
Key check value: 252D B3

GENERATE CLEAR KEY2---->
GC
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Clear Component: 4F02D983A2ABB0BCB3C2E5F71685BFEF
Encrypted Component: U 388F C54E 8D8E 17C7 2676 482E 3025 3AD4
Key check value: C9FA B0

GENERATE CLEAR KEY3---->
GC
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Clear Component: 2FCBC8B0041FC1916DC2619EF807028A
Encrypted Component: U B217 52E1 C51C F9DF 4D4B 32D6 B267 D315
Key check value: 98EE F3

GENERATE ZMK ---->

FK
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Component type [X,H,E,S]: X
Enter number of components (2-9): 3
Enter component #1: ECBA647525619DB9A89B26B520975238
Enter component #2: 4F02D983A2ABB0BCB3C2E5F71685BFEF
Enter component #3: 2FCBC8B0041FC1916DC2619EF807028A
Encrypted key: U5951F794E619BF50089C987F7D627447
Key check value: DB5F B6

GENERATE PK--->
GC
Key length [1,2,3]: 2
Key Type: 001
Key Scheme: U
Clear Component: 4A9D40018A294FB0E6EF3D924CA2940D
Encrypted Component: UE9BEB6B92388412B2306538E5E881B8B
Key check value: B65F 19

GENERATE ENCRYPTED ZPK ------->

KE
Key Type: 001
Key Scheme: U
Enter encrypted ZMK: U5951F794E619BF50089C987F7D627447
Enter encrypted key: UE9BEB6B92388412B2306538E5E881B8B
Key encrypted under ZMK: UE7BE9848A4C1C6FF601767ACC926A5B0
Key Check Value: B65F 19

RECHECK THE ENCRYPTED ZPK ----->
IK
Key Type: 001
Key Scheme: U
Enter encrypted ZMK: U5951F794E619BF50089C987F7D627447
Enter key: XE7BE9848A4C1C6FF601767ACC926A5B0
Key under LMK: U D3BB DB5D F361 C20B DDEB 24E5 8F2F 9CFB
Key Check Value: E539 77

Actually, I should be getting the correct KCV in the "RECHECK THE ENCRYPTED ZPK" sequence, but I'm unable to get the correct KCV for the ZPK. Please guide.
Editor
Mar 9, 2016 at 2:37 PM
Edited Mar 9, 2016 at 2:39 PM
Hi,

Sorry for the very late answer, but this question may be answered, because it is frequently asked.

You are exporting the key under the ZMK in scheme U, which is the Thales proprietary scheme, but importing it using the X scheme, which is the usual ANSI ECB without variants. Decrypting the key with the wrong scheme results in a completely different plaintext key and also a different key check value.

In such cases, normally, the Thales HSM will adjust parity, but the key will be wrong.

Do it as in the example below:

KE
Key Type: 001
Key Scheme: U
Enter encrypted ZMK: U5951F794E619BF50089C987F7D627447
Enter encrypted key: UE9BEB6B92388412B2306538E5E881B8B
Key encrypted under ZMK: UE7BE9848A4C1C6FF601767ACC926A5B0
Key Check Value: B65F 19

RECHECK THE ENCRYPTED ZPK ----->
IK
Key Type: 001
Key Scheme: U
Enter encrypted ZMK: U5951F794E619BF50089C987F7D627447
Enter key: UE7BE9848A4C1C6FF601767ACC926A5B0
...

Regards,
Juris
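The check values in this thread can be recomputed offline from the clear test components printed in the first post. The following Go program is an added example, not code from any poster or from Thales: it XORs the components as FK does for component type X, takes a KCV as the first three bytes of an all-zero block encrypted under two-key triple DES, and decrypts the KE output as plain ECB, which is the scheme X reading described in the answer above. The helper names are made up for this example, and the variant transformation of scheme U is not reproduced.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Test values copied from the first post (scheme tag "U" dropped).
var components = []string{"ECBA647525619DB9A89B26B520975238",
	"4F02D983A2ABB0BCB3C2E5F71685BFEF", "2FCBC8B0041FC1916DC2619EF807028A"}
const zpkUnderZMK = "E7BE9848A4C1C6FF601767ACC926A5B0" // KE output

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CombineXOR forms a double-length key from clear components (FK, type X).
func CombineXOR(parts []string) []byte {
	key := make([]byte, 16)
	for _, p := range parts {
		for i, b := range must(hex.DecodeString(p)) {
			key[i] ^= b
		}
	}
	return key
}

// ecb runs two-key triple DES (K1,K2,K1) in ECB mode with no variants applied.
func ecb(key, in []byte, encrypt bool) []byte {
	c := must(des.NewTripleDESCipher(append(key[:16:16], key[:8]...)))
	op := map[bool]func(dst, src []byte){true: c.Encrypt, false: c.Decrypt}[encrypt]
	out := make([]byte, len(in))
	for i := 0; i+8 <= len(in); i += 8 {
		op(out[i:i+8], in[i:i+8])
	}
	return out
}

// KCV encrypts one all-zero block and keeps the first three bytes.
func KCV(key []byte) string { return fmt.Sprintf("%X", ecb(key, make([]byte, 8), true)[:3]) }

func main() {
	zmk := CombineXOR(components)
	fmt.Println("ZMK KCV:", KCV(zmk), "| KCV of KE output read as scheme X:", KCV(ecb(zmk, must(hex.DecodeString(zpkUnderZMK)), false)))
}
```

Compare the two printed values with the FK output and with the IK output of the mismatched import in the first post.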
Mar 14, 2016 at 1:51 PM
Hi,

Thank you, I tried with the "U" option, but it is still not matching. Thanks for the reply, I tried again but in vain.

GENERATE CLEAR KEY1---->
GC
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Clear Component: 835D 4AD3 4092 EF7C 700E 32CE 983D F85D
Encrypted Component: U 82A5 BAC7 607A 3626 A45F F868 F3B4 3207
Key check value: 4C8A 46
GENERATE CLEAR KEY2---->
GC
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Clear Component: C7E5 FDFD 929B A849 CB7A 6285 672A 7F3B
Encrypted Component: U C284 C0D4 0D4B 632E AA1D A76D 0752 3BE6
Key check value: E8DE 21

GENERATE CLEAR KEY3---->
GC
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Clear Component: BC57 13CB 1361 9140 4913 1A5B F8F8 9268
Encrypted Component: U C139 8E42 C022 6EF1 CA67 4FB9 2694 5F79
Key check value: 0F39 77
Clear Key1, 2 & 3

835D4AD34092EF7C700E32CE983DF85D
C7E5FDFD929BA849CB7A6285672A7F3B
BC5713CB1361914049131A5BF8F89268

GENERATE ZMK ---->
FK
Key length [1,2,3]: 2
Key Type: 000
Key Scheme: U
Component type [X,H,E,S]: X
Enter number of components (2-9): 3
Enter component #1: 835D4AD34092EF7C700E32CE983DF85D
Enter component #2: C7E5FDFD929BA849CB7A6285672A7F3B
Enter component #3: BC5713CB1361914049131A5BF8F89268
Encrypted key: U CB42 400E 1F99 657E 7113 AB17 2A9B 67BB
Key check value: 6209 63

GENERATE PK--->
GC
Key length [1,2,3]: 2
Key Type: 001
Key Scheme: U
Clear Component: FEFD 3D7A EC92 C7C4 237C EFA1 7A79 341C
Encrypted Component: U 7A8F 821E 9F6A BAAF 0881 7FEC 7081 F6DE
Key check value: 5269 9F

Encrypted ZMK & PK--->
UCB42400E1F99657E7113AB172A9B67BB
U7A8F821E9F6ABAAF08817FEC7081F6DE

Key Export--->
KE
Key Type: 001
Key Scheme: U
Enter encrypted ZMK: UCB42400E1F99657E7113AB172A9B67BB
Enter encrypted key: U7A8F821E9F6ABAAF08817FEC7081F6DE
Key encrypted under ZMK: U 07EC 7AE9 17C0 A4FF 1998 F434 B404 B882
Key Check Value: 5269 9F

Encrypted ZPK --->
U07EC7AE917C0A4FF1998F434B404B882

Import Key ZPK--->
IK
Key Type: 001
Key Scheme: U
Enter encrypted ZMK: UCB42400E1F99657E7113AB172A9B67BB
Enter key: U07EC7AE917C0A4FF1998F434B404B882
INVALID KEY SCHEME FOR ENCRYPTED KEY - MUST BE ANSI

Sorry, I am getting this error if I change X to U.