CA command issue Pin Translation from TPK to ZPK

Nov 30, 2016 at 1:49 PM

My requirement is to generate TMK & TPK using Thales and on the POS terminal I need to load TMK, TPK and form pinblock under TPK than i need to translate pinblock under TPK to ZPK. I am able to generate TMK & TPK and on the POS terminal I am able to form the pinblock & now I need to translate pin block encrypted under TPK to ZPK but I am getting error code 24 from HSM. Below is the complete procedure I had followed to generate TMK, TPK & ZPK , and I unable to figure out the issue so Kindly help me.

My Plain TMK


Enter LMK id [0-4]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u

Clear component: 4A61 A2F2 FD6B AEAD 64E0 EFFB 0238 BF92
Encrypted component: U57ED CDB3 2A71 E86E CD1E 36D8 10F7 C4A3
Key check value: C4C0 A0

TMK under LMK


Enter LMK id [0-4]: 0
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u
Enter component type [X,H,T,E,S]: x
Enter number of components [1-9]: 1

Enter component 1: ***************************************

Encrypted key: U4C9F 09F3 5793 2D72 2D21 B8FB D17C 44AC
Key check value: C4C0 A0

Session keys under TMK

HSM Req 00000000HCU4C9F09F357932D722D21B8FBD17C44AC;XU0
HSM Res 00000000HD00X92F9F09C81A15CD3D356219B0C877130U4C3842A2AD9320BB7A0D746AF2FC58DF

Pin Block calculated on terminal in ISO - 0 Standard

Card no - 5399232099999952(12 - digit card no 923209999995)
Pin - 1111
clear TPK - B31F3DA722760101A27F86FC04FFB619
TPK under TMK - 92F9F09C81A15CD3D356219B0C877130(clear TMK- BAFE1FBA3491C1B007BF1398C7D026FD)
Encrypted Pin block block formed on terminal - 9BD69620014FA8B0

Bank ZPK


Enter LMK id [0-4]: 0
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: u
Enter component type [X,H,T,E,S]: x
Enter number of components [1-9]: 2

Enter component 1: ****************************************
Enter component 2: ***************************************

Encrypted key: U400B ACC4 6F0F 611B 893A 6CBA 7E86 6D6D
Key check value: 15A9 31

Pin Translation from TPK to TMK

HSM Req 00000000CAU4C3842A2AD9320BB7A0D746AF2FC58DFU400BACC46F0F611B893A6CBA7E866D6D049BD69620014FA8B00101923209999995
HSM Res 00000000CB24

Thanks in advance for your valuable feedback.
Jan 16 at 1:58 AM
Hi Rakesh,

When I checked the error code "24" in the HSM manual it refers to "PIN IS FEWER THAN 4 OR MORE THAN 12 DIGITS IN LENGTH".

Can you send/show me the HSM settings?
Jan 18 at 4:29 AM
Hi, I have the same error, error Code 24 when doing the "CA" and "G0" Command..
Jan 27 at 4:43 AM
Hi Christ,

thank you for the response. please find the settings of the HSM below and let me know if any changes need to be made.


Base release: 3.1a
Revision: 1110-0831
Build Number: 0008

Bootstrap Version: 2.5.7
Kernel Version: 3.8.3
ESS FPGA Version: 2.44.3
HSM Core API Version: 3.4.14
HSM Application Version: 3.4.14
HSM COMMs Version: 1.9.2
Application Checksum: FB90

Host Configuration: Async, Ethernet, SNA-SDLC 3274

Serial Number: A3453266271V Licence Issue No: 2
Performance: 220 TPS Build location: 01
Base Software: Version 3 Ship Counter: 1
Crypto: 3DES, RSA

Press "Enter" to view additional information...

HSM8-LIC001 V3 Base


PIN length: 04
Encrypted PIN length: 05
Echo: OFF
Atalla ZMK variant support: ON
Transaction key support: RACAL
User storage key length: TRIPLE

Select clear PINs: YES
Enable ZMK translate command: YES
Enable X9.17 for import: YES
Enable X9.17 for export: YES
Solicitation batch size: 1024
Prevent Single-DES keys masquerading as double or triple-length keys: NO
ZMK length: DOUBLE
Decimalization tables: PLAINTEXT
Decimalization table checks: ENABLED
PIN encryption algorithm: A
Card/password authorisation (local): C

Press "Enter" to view additional security settings...

Authorised State required when Importing DES key under RSA key: NO
Minimum HMAC key length in bytes: 64
Enable PKCS#11 import and export for HMAC keys: YES
Enable ANSI X9.17 import and export for HMAC keys: YES
Enable ZEK encryption of all printable ASCII chars: YES
Enable ZEK encryption of "Base94" ASCII chars: YES
Enable ZEK encryption of "Base64" ASCII chars: YES
Enable ZEK encryption of "Hex-only" ASCII chars: YES

Restrict Key Check Values to 6 hex chars: NO
Enable multiple authorised activities: NO
Enable variable length PIN offset: YES
Enable weak PIN checking: NO
Enable Pin Block Format 34 as output format for PIN Translations to ZPK: YES

Default LMK identifier: 00
Management LMK identifier: 00
Use HSM clock for date/time validation: NO
Additional padding to disguise key length: NO
Key export and import in trusted format only: NO


Enter LMK id [0-4]: 0
Feb 8 at 8:34 AM
hi Rakesh,

I tried to parse the message which you send to the HSM using host command CA
and I came up with this. Please see below. Also, are the keys encrypted under Test LMK?
                                                00000000  - HEADER LENGTH
                                                            CA - COMMAND CODE
U4C3842A2AD9320BB7A0D746AF2FC58DF - TPK
U400BACC46F0F611B893A6CBA7E866D6D - ZPK
                                                             04 - MAXIMUM PIN LENGTH  --> could you set this to "12" 
                                 9BD69620014FA8B0 - PINBLOCK 
                                                             01 - SOURCE PIN BLOCK
                                                             01 - DESTINATION PINBLOCK
                                         923209999995 - ACCOUNT NUMBER


Feb 27 at 2:03 AM
Hi Rakesh,

Any update on this? were you able to transact successfully?