An issue in FG or DG commands

Editor
Feb 19, 2011 at 11:33 AM

Hello Dears!!

Thank you very much for Thales Simulator! It is very useful for me and also for my test environment.

The thing I have found is related to the FG or DG commands, I am not really sure.

When I am generating a pair of single PVKs using the FG command, in response I have to get back (by the latest HSM8000 [3.1d] documentation):

FH00<1st PVK[LMK]><2nd PVK[LMK]><1st PVK[ZMK]><2nd PVK[ZMK]><KCV PVK[LMK]><KCV PVK[ZMK]>

After that I am generating a VISA PVV on the PIN under LMK using the DG command.

The issue is that really for the PVV here 2xPVK[LMK] must be used, and when I am doing so, I am getting back a source key parity error. The PVV can be generated when you are using 2xPVK[ZMK]; this is not correct, maybe I am not correct =) ?

Once again --> thank you for SIMULATOR.

 

Coordinator
Feb 19, 2011 at 8:45 PM

By having a look at the command source code I can see that the implementation is probably incorrect, just as you suspected.

I think that this can be fixed easily. Keep in mind though that FH is a really old command and is now considered a legacy command. To create PVKs and export them under a ZMK, I would suggest using A0 with mode 1 (generate key and encrypt under ZMK).

This would create a double-length PVK, not two PVK components. I've seen the practice of creating PVKs as two separate keys in other systems as well and I really cannot understand why that is happening. All commands using PVKs require the PVK pair as a whole. I can't see why a host application would care about a PVK component or the check value of a PVK component instead of having the PVK pair and its check value as a whole.

Like I said, I'll fix FH according to my interpretation of the spec. Unless you let me know that you're in a hurry to have it, I'll give this change a low priority for now.

Editor
Feb 19, 2011 at 11:45 PM

Hi!

Thanks for the reply!

This issue is not urgent. I have created my test cards generating PVKs on a real HSM8000 (using the Test LMK like in the Simulator).

About the A0 command, I think you are right, but I just wanted to make a card using real scenarios. The VISA test key set for certification contains two single DES PVKs and also two single DES CVKs.