
ZMK from Thales 8000 to Safenet Luna SA HSM



I have to support a 3-custodian-part key exchange ceremony
with the custodian parts generated on a Thales 8000 on a Safenet Luna SA HSM.

I know how this key would be imported on another Thales but...
our Safenet HSM is only accessed programmatically.

So I need to translate the Thales scheme into the actual algorithm used.
Can anyone point me in the correct direction or a description like mine below?

I have tried to re-create the key in lots of other different ways but always failed to recreate the
final check value "BADB AD".

The keys are generated with the GC command like:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: u

resulting in something like:

Clear component 1: xxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
Key check value: ABCD EF

Clear component 2: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
Key check value: 1234 56

Clear component 3: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
Key check value: CAFF CA

Final Key check value for the above three components is: BADB AD

COMS_KEY(TRANSPORT KEY): X 1234 5678 9101 1121 3141 5161 7181 9201
Key check value: 0102 03

Our custodian export and import:
Three components will be supplied.
All components and the resultant KEK are odd parity.
The key (and key components) check digits are obtained by EDE enciphering 64 0 bits of
data under the key and then displaying the leftmost 3 or 4 bytes.

Transfer keys split into 3 components: (all executed internally on the HSM)
o Choose two random 16 byte numbers
o Perform xor = key ^ random_1 ^ random_2
o Distribute random_1, random_2 and xor to 3 people.
o The key value is regenerated by key = random_1 ^ random_2 ^ xor at the key loading.


lilleman wrote Feb 4, 2014 at 12:25 PM

Sorry, should have been added under discussions... OK to close
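
The component and check-value rules quoted in the post above (XOR of three odd-parity components, check value = leftmost bytes of the EDE encipherment of 64 zero bits), as an added example that is not part of the original post or of any Thales or SafeNet tooling. It assumes the double-length key is used as two-key triple DES (K1, K2, K1); the names `des`, `kcv`, `combine` and `odd_parity` are hypothetical and the key shown is a constructed test value.

```python
# Added example, constructed values only; pure-Python DES (FIPS 46-3 tables) to run offline.
T = lambda s: [int(x) for x in s.split()]
IP = [s - 8 * j for s in (58, 60, 62, 64, 57, 59, 61, 63) for j in range(8)]
FP = [IP.index(k) + 1 for k in range(1, 65)]  # inverse of IP
E = [(4 * i + j - 1) % 32 + 1 for i in range(8) for j in range(6)]
P = T("16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25")
PC1 = T("57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 "
        "63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4")
PC2 = T("14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 "
        "41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32")
SBOX = ["E4D12FB83A6C59070F74E2D1A6CB953841E8D62BFC973A50FC8249175B3EA06D",  # S1..S8,
        "F18E6B34972DC05A3D47F28EC01A69B50E7BA4D158C6932FD8A13F42B67C05E9",  # four rows of
        "A09E63F51DC7B428D709346A285ECBF1D6498F30B12C5AE71AD069874FE3B52C",  # 16 hex digits
        "7DE3069A1285BC4FD8B56F03472C1AE9A690CB7DF13E52843F06A1D8945BC72E",
        "2C417AB6853FD0E9EB2C47D150FA3986421BAD78F9C5630EB8C71E2D6F09A453",
        "C1AF92680D34E75BAF427C9561DE0B389EF528C3704A1DB6432C95FABE17608D",
        "4B2EF08D3C975A61D0B7491AE35C2F8614BDC37EAF6805926BD814A7950FE23C",
        "D2846FB1A93E50C71FD8A374C56B0E927B419CE206ADF35821E74A8DFC90356B"]
perm = lambda bits, table: [bits[i - 1] for i in table]

def des(key8, block8, decrypt=False):
    bits = lambda b: [(x >> (7 - i)) & 1 for x in b for i in range(8)]
    k, subkeys = perm(bits(key8), PC1), []
    c, d = k[:28], k[28:]
    for s in T("1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1"):  # per-round left rotations
        c, d = c[s:] + c[:s], d[s:] + d[:s]
        subkeys.append(perm(c + d, PC2))
    m = perm(bits(block8), IP)
    l, r = m[:32], m[32:]
    for sk in (reversed(subkeys) if decrypt else subkeys):
        x, f = [a ^ b for a, b in zip(perm(r, E), sk)], []
        for i in range(8):  # 6 bits in, 4 bits out per S-box
            b = x[6 * i:6 * i + 6]
            v = int(SBOX[i][(b[0] * 2 + b[5]) * 16 + b[1] * 8 + b[2] * 4 + b[3] * 2 + b[4]], 16)
            f += [(v >> n) & 1 for n in (3, 2, 1, 0)]
        l, r = r, [a ^ b for a, b in zip(l, perm(f, P))]
    return int("".join(map(str, perm(r + l, FP))), 2).to_bytes(8, "big")

def kcv(key16, n=3):  # EDE-encipher 64 zero bits, keep the leftmost n bytes
    k1, k2 = key16[:8], key16[8:16]
    return des(k1, des(k2, des(k1, bytes(8)), decrypt=True))[:n].hex().upper()

def combine(c1, c2, c3):  # key = component_1 ^ component_2 ^ component_3
    return bytes(a ^ b ^ c for a, b, c in zip(c1, c2, c3))

def odd_parity(key):  # True when every byte has an odd number of 1 bits
    return all(bin(b).count("1") % 2 == 1 for b in key)

if __name__ == "__main__":  # constructed test key, not a real ZMK
    print(kcv(bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")))
```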