Pin encryption with ZPK

Mar 23, 2012 at 11:48 AM

Dear all,

Good day. Currently I am having a task for the Pin Verification in my Internet Banking project. Below is the scenario :

  1. Customers to register a PIN number from ATM machine with his ATM Card No. And this information will be stored in Bank Host side and later will be using for PIN Verification.
  2. Customers go to the Internet Banking Web Site for 1st time lo-gin by entering the i.ATM created PIN and ii. ATM Card No. Then Internet Banking application will pass the information to Bank Host for verification.

I am handling the 2. items which we will have to prepare the pin block with the PIN and the ATM Card No then encrypt it with clear ZPK, then send to Bank Host for verification. Currently what I have from the Thales HSM vendor is just the encrypted ZPK(under ZMK). I have checked with the HSM Vendor and we have 2 options for the encryption.

Option1 Encryption at HSM
HSM to do the encryption by using the HE command which we have to pass in the Encrypted TAK + Pin Block.
Problem : How to get the encrypted TAK as I only have the Encrypted ZPK

Option2 Encryption at Application Level
Application to encrypt the PIN block with the clear ZPK.
Problem : How to get the clear ZPK? As I could not find the command in the Thales manual

As I am still new to HSM, I would really appreciate if someone could advise me. Thanks for reading :).

Mar 24, 2012 at 9:41 PM

What is the HE command?

Mar 26, 2012 at 2:15 AM

Hi Nick,

Good day. HE command is to Encrypt a 64bit data block with a TAK. According to my HSM vendor, it is an optional command and required additional license to using it.



Mar 28, 2012 at 8:55 PM

I figured. Well, the problem at hand is tricky as it always is when you try to use Thales in such a manner. You can use either an one of your solutions. The problem is that either one is not really a good idea.

With #1, you need to send clear data to the HSM in order to create an encrypted PIN block. Regardless if your server and the HSM are in a secure zone, this kind of defeats the whole purpose of using an HSM (implement a secure environment where nothing is in the clear).

With #2, there are various ways to get a clear ZPK. The problem is that you'll need to store that in code somewhere (by "code" I mean in software - could be the Windows crypto store, an XML file or whatever). This makes it kinda hackable under the right circumstances, which again defeats the purpose of having an HSM.

Generally speaking, I would say that trying to use this financial-oriented method of validating data that comes from the internet is not elegant. In essence you're implementing a huge POS device, where the PIN pad is physically separated from the PIN key. There's lots of room for errors and security holes.

Mar 30, 2012 at 12:07 PM

Thanks Nick.

By the way would really appreciate you could guide me on the problems I have which are

  1. How to get the encrypted TAK?
  2. How to get the clear ZPK? As I could not find the command in the Thales manual

The information I have in my application is

  1. 3 Clear Components (Which use to form ZMK) and
  2. Encrypted ZPK (under ZMK)

Really really thanks if anyone could help me on this.....


Mar 30, 2012 at 12:16 PM

By the way Nick, based on your experience, could you share some ideas with me about how to implement it in a better way? Thanks and have a nice day. :)

Mar 30, 2012 at 3:50 PM

From your previous, I understood that you have 3 ZMK clear components in an application. This is a very serious problem in key management. To give you an idea, these three clear components are transmitted separately in a secure manner to three different custodians, which are typically senior members of an organization. Steps are also taken to ensure that no one custodian knows more than their own component. I do suggest that you take the time to read the security operations manual of Thales, as it gives valuable insights.

Having said that, here's what you should do:

1. Ensure that the three custodians enter the ZMK clear components to form the encrypted ZMK component.

2. Use the encrypted ZMK to translate the ZPK from ZMK to LMK encryption. This will allow you to use the ZPK in your local system.

3a - You can create a new TAK or TMK/TPK in your own system and have it encrypted under LMK (for your own use) or under ZMK (for transmission).

3b - You can ask your remote party to create a TAK/TMK/TPK and send it you you encrypted under the ZMK. You, then, will translate it to encryption under the LMK for use in your own system.

Apr 2, 2012 at 11:43 AM

Hi Nick,

Thanks. Will go thru again.


Mar 25, 2013 at 8:04 PM
Hi There

I need some help to generate ZPK under ZMK on THALES 9000 HSM and will appreciate some hints on how I can do that. I tried KG command but I always get invalid key scheme.

Key Length: 2
Key Type: 001
key Scheme LMK: U
key Scheme ZMK: X or U
ZMK: <ZMK encrypted Values entered>

invalid key scheme.
Oct 26, 2013 at 4:14 PM
lsyeong wrote:
Hi Nick, Thanks. Will go thru again. Regards,Sean
Hi Isyeong,

I knew it has been more than one year since your last reply.
But could you share with me the solution for your problem ?

I'm facing the same problem right now.
Someone told me that I should use "clear" key to encrypt pin on Internet Banking, so the encrypted pin can be decrypted by HSM.
He told me that I can use "encrypted" key, only if I have another HSM on Internet Banking side.

Thank you