
Import Key - Invalid Key Scheme

description

Hi All,

I'm having trouble importing a key into the Thales 8000; everything works correctly in the Thales Simulator, but on the HSM it is not working.


1) First, I create my key (ZMK) with 3 random clear components


Enter LMK id [0-9]: 0
Enter key length [1,2,3]: 2
Enter key type: 000
Enter key scheme: U
Enter component type [X,H,T,E,S]: X
Enter number of components [1-9]: 3

Enter component 1: ***************************************
Enter component 2: ***************************************
Enter component 3: ****************************************

Encrypted key: U1129 9294 E211 949D FDAA 4078 EB99 6D31



2) I need to import a key from a partner.
   Partner key: 9204 BC57 C145 4A9E  3E04 F137 1C20 62DA


Online-AUTH>IK
Enter LMK id [0-9]: 0
Enter key type: 001
Enter key scheme: U
Enter ZMK: U1129 9294 E211 949D FDAA 4078 EB99 6D31
Enter key: U9204 BC57 C145 4A9E 3E04 F137 1C20 62DA

Invalid key scheme




I'm getting the error "Invalid Key Scheme"; when I import it on the SIMULATOR, I don't have problems.


Thanks for any help!


comments

agavrilenko wrote Sep 11, 2014 at 1:55 PM

I have the same issue with the Thales payShield 9000. We generated a ZMK, provided it to a 3rd party and received a ZPK. I try to import the ZPK into the HSM exactly the same as you and receive the "Invalid key scheme" error.
How did you resolve your problem?
Please advise.

Manshtein wrote Sep 12, 2014 at 9:16 AM

Hi!

Please show the output of the "QS" console command. I assume you have the parameter "Import and Export keys in trusted format only" enabled. You must disable it. If this parameter is enabled (by default it is), the HSM expects keys encrypted under the ZMK in the Thales KeyBlock scheme.

Regards,
Juris

Manshtein wrote Sep 12, 2014 at 9:18 AM

Btw, next time please open such issues in "Discussions". The "Issues" tab is for simulator bug reporting.

Thank you!

Regards,
Juris

agavrilenko wrote Sep 15, 2014 at 2:14 PM

Hi Juris,

I checked the HSM configuration: the parameter "Import and Export keys in trusted format only" is enabled.
We will update it next week (I need support from the IT team) and try to import the key.

Kind regards,
Andrei

amendez85 wrote Sep 15, 2014 at 3:15 PM

Hi agavrilenko,

Basically I just changed the key scheme to 'X' when I tried to import:

Online-AUTH>IK
Enter LMK id [0-9]: 0
Enter key type: 001
Enter key scheme: U
Enter ZMK: U1129 9294 E211 949D FDAA 4078 EB99 6D31
Enter key: X9204 BC57 C145 4A9E 3E04 F137 1C20 62DA

because the partner key was created to be imported and exported.

Hope this helps you.

Regards

agavrilenko wrote Oct 6, 2014 at 3:09 PM

Hi amendez85,

Thank you for the update.

Unfortunately, our status is not so good.
  1. We disabled the parameter "Import and Export keys in trusted format only" on our HSM.
  2. We imported the ZPK key under scheme "U", but the KCV is different from the one provided by the 3rd party. See the log below:

Online-AUTH>IK
Enter LMK id [0-1]: 0
Enter key type: 001
Enter key scheme: U
Enter ZMK: U 12b5 …
Enter key: U 4f93 …

Warning: key parity corrected

Encrypted key: UA1CA …
Key check value: 48B0B1

3rd party KCV: CAC43D.

We performed a test decrypt operation, but it was unsuccessful as well. We received the error: "PIN block does not contain valid values".

So, we should fix the problem with KCV mismatch.

We also tried to import the key under the "X" scheme. In this case we received the error: Invalid key scheme.

Any ideas are welcome! We are really blocked by this issue. I reported it to Thales support; no valuable feedback yet.

Thanks, Andrei

Manshtein wrote Oct 7, 2014 at 10:21 AM

Hi!

I assume you have the wrong ZMK or ZPK that you are importing (maybe some mistakes in the key or ZMK components). The HSM showed the warning:
Warning: key parity corrected
Basically, that means that the plaintext key does not have ODD parity, but it MUST have it.

Regards,
Juris

Manshtein wrote Oct 8, 2014 at 10:42 AM

Hi,

One more thing you can check: use the X scheme in the IK command to import the key as in the example below. In most cases the ANSI scheme is used to exchange keys between different parties:
X9204 BC57 C145 4A9E 3E04 F137 1C20 62DA
And make sure the following parameter is enabled in the security configuration (CS). You will need to reinstall the LMK after the parameter update if it is disabled:
Enable X9.17 for import: YES
Regards,
Juris
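Both of Juris's points above (the scheme tag tells the HSM how the ciphertext was formed, and a parity warning means the decrypted plaintext was not a valid odd-parity DES key) can be checked offline with this added Go example, which is not code from the simulator project or from anyone in the thread. It strips the U/X tag and spacing from a console-style key, corrects parity the way the HSM does, and computes the conventional KCV (first three bytes of a zero block encrypted under 2-key TDES); the 01..01 key in main is a constructed test value, not a key from the thread.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// parseKey drops an optional Thales scheme tag (U, X, ...) and spaces from a console-style key.
func parseKey(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	if s != "" && !strings.ContainsRune("0123456789ABCDEF", rune(s[0])) {
		s = s[1:] // the tag is a label for the HSM, not part of the key bytes
	}
	return hex.DecodeString(s)
}

// fixParity sets the low bit of each byte so every byte has odd parity; this is
// what the HSM does when it prints "Warning: key parity corrected".
func fixParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		out[i] = b ^ byte(1-bits.OnesCount8(b)%2) // flip the low bit only when parity is even
	}
	return out
}

// kcv returns the 6-hex-digit key check value of a double-length key: the first
// three bytes of an all-zero block encrypted under 2-key TDES (K1, K2, K1).
func kcv(key []byte) (string, error) {
	if len(key) != 16 {
		return "", des.KeySizeError(len(key))
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		return "", err
	}
	ct := make([]byte, 8)
	c.Encrypt(ct, make([]byte, 8))
	return strings.ToUpper(hex.EncodeToString(ct[:3])), nil
}

func main() {
	k, _ := parseKey("U0101 0101 0101 0101 0101 0101 0101 0101") // constructed test key
	v, _ := kcv(fixParity(k))
	fmt.Println(v) // prints 8CA64D
}
```

Because DES discards the parity bit of every key byte, fixParity never changes a key's KCV; a parity warning followed by a KCV mismatch therefore points at a wrong ZMK or wrong ciphertext, as Juris suggests, rather than at the correction itself.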