HC and A0 commands...

Dec 8, 2012 at 2:13 PM

Hi Nick,

I really hope you are still looking at this forum as I am on a project changing some processes to use HSM, however things didn't go well, I have a few questions below hope you are able to advise for me.

1. KG command

KG
Key length [1,2,3]: 2
Key Type: 000
Key Scheme (LMK): U
Key Scheme (ZMK) [ENTER FOR NONE]:
Enter encrypted ZMK [ENTER FOR NONE]:
Enter ZMK check value [ENTER TO SKIP CV TEST]:
Key under LMK: U D6D1 B96C 395E 9B94 BAF1 624D 0488 844A
Key check value: 95C7 6E


KG
Key length [1,2,3]: 2
Key Type: 002
Key Scheme (LMK): U
Key Scheme (ZMK) [ENTER FOR NONE]: U
Enter encrypted ZMK [ENTER FOR NONE]: D6D1B96C395E9B94BAF1624D0488844A
Enter ZMK check value [ENTER TO SKIP CV TEST]: 95C76E
KEY CHECK FAILED

When I try to generate a TPK (2nd KG) using encrypted ZMK (from first KG), why is it telling me key check failed?

 

2. even though, I can still use the ZMK in a A0 command without an error to generate a TPK encrypted under ZMK:

=== [A0], starts 23:18:08.813 =======
[Key,Value]=[Key Scheme LMK,U]
[Key,Value]=[Key Scheme ZMK,U]
[Key,Value]=[Key Type,002]
[Key,Value]=[Mode,1]
[Key,Value]=[ZMK,D6D1B96C395E9B94BAF1624D0488844A]
[Key,Value]=[ZMK Scheme,U]

Key generated (clear): 1F80FE38BF62A1B5F7E9F7EF8FE52997
Key generated (LMK): U98C855AE6823ECA765AE41FADCA24247
Check value: 3ECFD7
ZMK (clear): 5246547C7A89FE8A315EA1E610705D20
Key under ZMK: U9FFCF5D55629F18017A18CF57C76820E
=== [A0],   ends 23:18:08.953 =======

 

3. Generated a TMK using A0 command, then try to generate a TPK encrypted under the TMK always get a "Source Key parity Error"

My program:

A00002U
Input to HSM : 0000A00002U
Output from HSM : 0000A100U8EA4E66E5D9916AD2994068820DBAD9CBFB0D9

A01002UU8EA4E66E5D9916AD2994068820DBAD9CU
Input to HSM : 0000A01002UU8EA4E66E5D9916AD2994068820DBAD9CU
Output from HSM : 0000A110

 

Application Events:

Client from 127.0.0.1:56984 is connected
Client: 127.0.0.1:56984
Request: 0000A00002U
Parsing header and code of message 0000A00002U...
Searching for implementor of A0...
Found implementor ThalesSim.Core.HostCommands.BuildIn.GenerateKey_A0, instantiating...
Calling AcceptMessage()...
Calling ConstructResponse()...
Calling ConstructResponseAfterOperationComplete()...
Attaching header/response code to response...
Sending: 0000A100U8EA4E66E5D9916AD2994068820DBAD9CBFB0D9
Calling Terminate()...
Implementor to Nothing
Client: 127.0.0.1:56984
Request: 0000A01002UU8EA4E66E5D9916AD2994068820DBAD9CU
Parsing header and code of message 0000A01002UU8EA4E66E5D9916AD2994068820DBAD9CU...
Searching for implementor of A0...
Found implementor ThalesSim.Core.HostCommands.BuildIn.GenerateKey_A0, instantiating...
Calling AcceptMessage()...
Calling ConstructResponse()...
Calling ConstructResponseAfterOperationComplete()...
Attaching header/response code to response...
Sending: 0000A110
Calling Terminate()...
Implementor to Nothing

 

Command Events:

=== [A0], starts 00:04:33.654 =======
[Key,Value]=[Key Scheme LMK,U]
[Key,Value]=[Key Type,002]
[Key,Value]=[Mode,0]

Key generated (clear): 08BAF410FECD62F8E92F15A8E32A1ACD
Key generated (LMK): U8EA4E66E5D9916AD2994068820DBAD9C
Check value: BFB0D9
=== [A0],   ends 00:04:33.779 =======

=== [A0], starts 00:05:01.329 =======
[Key,Value]=[Key Scheme LMK,U]
[Key,Value]=[Key Scheme ZMK,U]
[Key,Value]=[Key Type,002]
[Key,Value]=[Mode,1]
[Key,Value]=[ZMK,8EA4E66E5D9916AD2994068820DBAD9C]
[Key,Value]=[ZMK Scheme,U]

Key generated (clear): 4332CBF264199485AE4AD97AF1CD2604
Key generated (LMK): U25E23D55354154AEB1038FE2D70F44C4
Check value: EFE7F8
=== [A0],   ends 00:05:01.454 =======

If I then try A01002U;1U8EA4E66E5D9916AD2994068820DBAD9CU, my program gets an exception and ends.

Application Events:

Client: 127.0.0.1:56984
Request: 0000A01002U;1U8EA4E66E5D9916AD2994068820DBAD9CU
Parsing header and code of message 0000A01002U;1U8EA4E66E5D9916AD2994068820DBAD9CU...
Searching for implementor of A0...
Found implementor ThalesSim.Core.HostCommands.BuildIn.GenerateKey_A0, instantiating...
Calling AcceptMessage()...
Exception while processing message
System.Exception: Invalid value [;1U8EA4E66E5D9916AD2994068820DBA] for field [ZMK].
   at ThalesSim.Core.Message.XML.MessageParser.Parse(Message msg, MessageFields fields, MessageKeyValuePairs& KVPairs, String& result)
   at ThalesSim.Core.HostCommands.BuildIn.GenerateKey_A0.AcceptMessage(Message msg)
   at ThalesSim.Core.ThalesMain.WCMessageArrived(WorkerClient sender, Byte[]& b, Int32 len)
Disconnecting client.
Calling Terminate()...
Implementor to Nothing
Client disconnected.

Command Events:

=== [A0], starts 00:09:59.384 =======
Invalid value detected for field [ZMK].
Received [;1U8EA4E66E5D9916AD2994068820DBA] but expected a hexadecimal value.

is this because the simulator didn't have the ;0/;1 field implemented?

 

Thanks for your time answering all my questions.

David

Coordinator
Dec 9, 2012 at 7:04 AM
liaod wrote:

Key length [1,2,3]: 2
Key Type: 002
Key Scheme (LMK): U
Key Scheme (ZMK) [ENTER FOR NONE]: U
Enter encrypted ZMK [ENTER FOR NONE]: D6D1B96C395E9B94BAF1624D0488844A
Enter ZMK check value [ENTER TO SKIP CV TEST]: 95C76E
KEY CHECK FAILED

When I try to generate a TPK (2nd KG) using encrypted ZMK (from first KG), why is it telling me key check failed?

Enter the ZMK with its scheme (UD6D1... instead of D6D1...).

liaod wrote:
Generated a TMK using A0 command, then try to generate a TPK encrypted under the TMK always get a "Source Key parity Error"

My program:

A00002U
Input to HSM : 0000A00002U
Output from HSM : 0000A100U8EA4E66E5D9916AD2994068820DBAD9CBFB0D9

A01002UU8EA4E66E5D9916AD2994068820DBAD9CU
Input to HSM : 0000A01002UU8EA4E66E5D9916AD2994068820DBAD9CU
Output from HSM : 0000A110

You're generating a TMK and then try to use it as a ZMK. The key type code should be 000 in the first A0 command.

Dec 9, 2012 at 12:08 PM

Thanks Nick,

So what should I do if I want to generate a TPK which encrypted under the TMK?

I tried A01002U;1U8EA4E66E5D9916AD2994068820DBAD9CU but it didn't work, the simulator throws exception (please see the last part of my previous post)

Cheers,

David

Coordinator
Dec 9, 2012 at 6:34 PM

A0 can be used to generate and optionally encrypt under a ZMK. Use A0 to get a random TPK and then use AE to encrypt the TPK under a TMK.