Encryption format DES (Data Encryption Standard) HSM (Host Security Module) from FK Form Key Components

Oct 25, 2009 at 1:58 AM
Staff

Could someone help me: how can I run the procedure below using the Thales control (or another one), and how and where could I find the control?

Encryption format DES (Data Encryption Standard); the intention is to work with VB.NET, but if it is in another language I will try to do the conversion.

-> HSM (Host Security Module) from FK Form Key Components

With the following formats after
 
Key Length = 1 - Single length
Key Type = 001
Key Scheme = Z - Single Length key encrypted using Ansi x9.17 methods
Key Component Type = X - Clear XOR
Key Number of Components 3 

Component 1: QQQQQQQQQQQQQQQQ - just confirming 16 characters
Component 2: RRRRRRRRRRRRRRRR - just confirming 16 characters
Component 3: SSSSSSSSSSSSSSSS - just confirming 16 characters


Encrypted Key: TTTT TTTT TTTT TTTT
Key check value: UU UU UU

Key Scheme Table - From 1270A513-5 HSM & Op Inst Man, page 140
Key Type Table - From 1270A513-5 HSM & Op Inst Man, page 139

G = Generate. E = Export. I = Import.
blank = not allowed.
A = Authorized allowed in state
U = Unconditionally allowed, ie without Authorized state.

Regarding the table below, I have a doubt in relation to the Thales control, because I noticed more items than would really be necessary?
Key Type

LMK Pair   Code   Variant: 0 1 2 3 4 5 6 7 8 9
04-05      00
06-07      01
14-15      02
16-17      03
18-19      04
20-21      05
22-23      06
24-25      07
26-27      08
28-29      09
30-31      0A
32-33      0B
34-35      0C
36-37      0D
38-39      0E

Based on the data above, how do I get the expected result below?


See example
password: 5537 is encrypted as 57DB18B4AFDE4855 (16 characters)
where the key used was C44CEF2502C475E5 (with check value 90B34B).


Coordinator
Oct 25, 2009 at 5:11 PM

I'm a bit confused regarding the question...if you want to simulate an FK command, you can use the Thales simulator - but the simulation is only good to contain in its own environment. The actual data would be meaningless outside the simulator. If you want to run the FK command against a real Thales box, all you have to do is connect to it using TCP and send the command. Please elaborate further if this does not answer your question.

Oct 26, 2009 at 12:35 AM

nickntg

The password 5537 is right, because the client uses the FK - Form Key from Components - command, and the encrypted password 57DB18B4AFDE4855 is what he got using the cryptographic key C44C EF25 02C4 75E5, which also gave the key check value 90 B3 4B.
And to perform the above process he used
  
Key Length = 1 - Single length
Key Type = 001
Key Scheme = Z - Single Length key encrypted using Ansi x9.17 methods
Key Component Type = X - Clear XOR
Key Number of Components 3
               
If there is any error in this process, please let me know what the encrypted password is for the information below:

Key Length = 1 - Single length
Key Type = 001
Key Scheme = Z - Single Length key encrypted using Ansi x9.17 methods
Key Component Type = X - Clear XOR
Key Number of Components 3

Original password 5537 (not encrypted), encrypted password 57DB18B4AFDE4855, cryptographic key C44C EF25 02C4 75E5; see what the correct encrypted password would be.
If you could send me an example that I can test, that would be ideal, because on that basis I could see where I am going wrong, or how to do it correctly.

Coordinator
Oct 26, 2009 at 10:57 PM

I'm totally lost here.

Can we take it from the beginning? How are you trying to use the FK command? I hope we're not discussing someone trying the FK command at a Thales console???

Oct 28, 2009 at 1:00 AM

Yes we can start from the beginning.

1) I will be receiving customer data stored in a database, where the user password is encrypted, and to test it I send the following example.
1.1) In one place I need to decrypt the information.
1.2) And elsewhere, encrypt the information.
The client uses the FK - Form Key from Components, based on DES (Data Encryption Standard), HSM (Host Security Module) format
   -> 56-bit - ECB mode

and in my case I intend to use Visual Studio 2008 VB.net

Example
1) The encrypted password would be 57DB18B4AFDE4855, the cryptographic key would be C44CEF2502C475E5 and the decrypted password
would be 5537; so how would you run the above process successfully?

Simulation
Decrypt: 57DB18B4AFDE4855 key: C44C EF25 02C4 75E5 Result: 5537

 
2) Afterwards, the password 5537 needs to be encrypted using the cryptographic key C44C EF25 02C4 75E5, where the encrypted password
would be 57DB18B4AFDE4855; so how would you run the above process successfully?

Simulation
Encryption: 5537 key: C44C EF25 02C4 75E5 Result: 57DB18B4AFDE4855


     Overview

  - DES (Data Encryption Standard) - 56bit Mode ECB

  + Encryption
  - Key = C44CEF2502C475E5
  - Data = 5537
  - Result = 57DB18B4AFDE4855

  + Decryption
  - Key = C44CEF2502C475E5
  - Data = 57DB18B4AFDE4855
  - Result = 5537

Coordinator
Oct 29, 2009 at 11:34 PM
Claudinei wrote:

The encrypted password would be 57DB18B4AFDE4855, the cryptographic key would be C44CEF2502C475E5 and the decrypted password
would be 5537; so how would you run the above process successfully?

Simulation
Decrypt: 57DB18B4AFDE4855 key: C44C EF25 02C4 75E5 Result: 5537

This is the part that I don't understand at all. If you DESEncrypt a 16-hex data string with a 16-hex key, you get a 16-hex result. How do you come up with the number 5537?

Nov 2, 2009 at 1:19 AM
Nickntg
Once again I thank you for your attention, and I apologize for my English and my difficulty in making my doubt clear; see the example below, which you can follow to better understand my question and problem.
 
And I would like to confirm, for the X9.17 standard - 56-bit, which would be the correct one to use?

1) - DES (Data Encryption Standard)
2) - AES (Advanced Encryption Standard)
3) - 3DES (Triple Data Encryption Standard)

  My client uses the following software:
  HSM (Host Security Module) with FK Form Key from Components, where he uses the following standard:

Key Length = 1 - Single length
Key Type = 001
Key Scheme = Z - Single Length key encrypted using Ansi x9.17 methods
Key Component Type = X - Clear XOR
Key Number of Components 3
Key C44CEF2502C475E5, check value 90B34B

Key Scheme Table - From 1270A513-5 HSM & Op Inst Man, page 140
Key Type Table - From 1270A513-5 HSM & Op Inst Man, page 139


  So where can I find the DLL or other control so that I can use the same standard as my client?

Example
1) encryption

key = C44CEF2502C475E5
text = 5537 (normal)
result = 57DB18B4AFDE4855 (I cannot reach this value)

2) decryption

key = C44CEF2502C475E5
text = 57DB18B4AFDE4855 (crypto)
result = 5537 (I cannot reach this value)
 
 
Coordinator
Nov 2, 2009 at 9:31 AM

Key C44CEF2502C475E5 and check value 90B34B appear to be correct (that is, DESEncrypt of zeroes with key C44CEF2502C475E5 produces 90B34B57E1E25ED9). The ThalesSim can emulate the FK command. You could use ThalesSim to import that key or a series of components and create a new key encrypted under the simulator keys. In order to do that, you'd need to write a custom program that talks to ThalesSim and sends the appropriate commands.

Regarding this example: 

key = C44CEF2502C475E5
text = 5537 (normal)
result = 57DB18B4AFDE4855 (I cannot reach this value)

You cannot use ThalesSim to do that. The main function of DESEncrypt and DESDecrypt, as that is used by ThalesSim, is to receive hexadecimal keys and data and produce hexadecimal results. As far as your decrypt operation is concerned (key C44CEF2502C475E5 and data 57DB18B4AFDE4855), the result is 4871FFFFFFFFFFFF. I can't immediately tell how, from this result, you reach the result of 5537. If you know how 5537 is transformed to 4871FFFFFFFFFFFF then you can use the DESEncrypt and DESDecrypt functions of ThalesSim.

Nov 2, 2009 at 1:56 PM

And now I want to thank you for your great help.

See if you could help me in the 2 questions below:

1)

Using the Thales control, see whether you can reach the expected result based on the information below:
              
Key Length = 1 - Single length
Key Type = 001
Key Scheme = Z - Single Length key encrypted using Ansi x9.17 methods
Key Component Type = X - Clear XOR
Key Number of Components 3

Component 1: QQQQQQQQQQQQQQQQ - 16 characters
Component 2: RRRRRRRRRRRRRRRR - 16 characters
Component 3: SSSSSSSSSSSSSSSS - 16 characters


Expected result => Encrypted Key: TTTT TTTT TTTT TTTT
Expected result => Key check value: UU UU UU

2) About the simulation, would you pass me the steps, so I can see where I might be going wrong using your ThalesSim control?

2a. How did you get the value 90B34B57E1E25ED9 for the check value (90B34B)?
2b. And how did you get the value 4871FFFFFFFFFFFF?

 

Coordinator
Nov 2, 2009 at 5:44 PM
Edited Nov 2, 2009 at 5:50 PM

2a. When someone sends you a clear key, they also send you a check value. This is produced by encrypting zeroes with the key. So with the key C44CEF2502C475E5, the following code:

ThalesSim.Core.Cryptography.DES.DESEncrypt("C44CEF2502C475E5", "0000000000000000")

returns a value of 90B34B57E1E25ED9. The first six digits are the check value.

2b. You mentioned about decrypting the value 57DB18B4AFDE4855 with the key C44CEF2502C475E5. This can be done with the following code:

ThalesSim.Core.Cryptography.DES.DESDecrypt("C44CEF2502C475E5", "57DB18B4AFDE4855")

This returns a value of 4871FFFFFFFFFFFF. I don't know how you can go to 5537 from there.

1. If you are given three clear key components Ansi X9.17, I presume you want to form a Zone Master Key. For example, if someone gives you the following components:

A235EDF4C58A2CB0C84641D07319CF21

FF43378ED5D85B1BC465BF000335FBF1

2EC8A0412B5D0E86E3C1E5ABFA19B3F5

...you'll want to form the clear key 73BE7A3B3B0F792DEFE21B7B8A358725 with check value B669BF. Unfortunately, ThalesSim does not simulate the import of clear keys to form another key, only the input of encrypted keys to form another encrypted key (like function GG).

I just finally understood what you need to do. You want to use the Thales console FK command. Unfortunately, ThalesSim does not implement console commands (although that's not a bad idea for the future) - you will need physical access to a Thales HSM to do this.

Nov 3, 2009 at 2:43 PM

Once again I thank you for your great help and attention. Now that you understand my need to simulate the console FK command better, which
Visual Studio 2008 component would be the most suitable to perform the task?

1) - DES (Data Encryption Standard)
2) - AES (Advanced Encryption Standard)
3) - 3DES (Triple Data Encryption Standard)

Coordinator
Nov 3, 2009 at 6:58 PM

FK simply XORs the key components for the clear key and encrypts the result under the appropriate LMK, so you'd use DES and 3DES.

Nov 3, 2009 at 9:41 PM
Edited Nov 4, 2009 at 12:27 AM

See if you could help me with the questions below:

1) I was able to use your software to reach the correctly decrypted password in the following cases:

Key Value C44CEF2502C475E5 check value 90B34B

Encrypted password B0DF587FD57AC87E, password returned by the system 2134FFFFFFFFFFFF
Encrypted password F0D6173C673F26F4, password returned by the system 3576FFFFFFFFFFFF
Encrypted password AD284396CCF7691B, password returned by the system 6719FFFFFFFFFFFF

Doubt
1.1) Since in all cases the result always ends with twelve F's, is this normal?
1.2) I used DES; would I also get the same result using TripleDES?


2) Now for encryption, which should I use?

  2.1) DES or TripleDES?
  2.1) Which method should I use to get the result below:

Key Value C44CEF2502C475E5 check value 03BAF3

Decrypted password 2134, where I need to get the result B0DF587FD57AC87E
Decrypted password 3576, where I need to get the result F0D6173C673F26F4
Decrypted password 6719, where I need to get the result AD284396CCF7691B

     If you can, would you send me an example?


3) And I got another key, 72136927FA1C6E42, to do another test later, where the check value is 03BAF3, but using your check value example
I did not get the same result for this case; is the check value actually correct in this case?

 

Coordinator
Nov 4, 2009 at 8:37 AM

1a. That is the result of the decryption. The DES algorithm cannot interpret the nature of the data passed to it - in other words, only you can know if that is normal or not.

1b. DES and TripleDES are virtually identical. The only thing that changes is the length of the key. In your case, the TripleDES algorithm would return the same result.

2. Check out TripleDES in wikipedia --> http://en.wikipedia.org/wiki/Triple_des.

3. The check value appears to be incorrect. I would expect it to be 345CE4.

Nov 4, 2009 at 11:06 AM
In question 1.1, the F's that appear in the result could be considered as white space, because the result would be just the numbers without the F's.

On question 2.1, what could I be doing wrong to not get the expected result, as in the examples below:

Key Value C44CEF2502C475E5 check value 03BAF3

Decrypted password 2134, where I need to get the result B0DF587FD57AC87E
Decrypted password 3576, where I need to get the result F0D6173C673F26F4
Decrypted password 6719, where I need to get the result AD284396CCF7691B

  If you can, would you send me an example?

Nov 4, 2009 at 11:32 AM
For a better understanding of the problem I'm having in question 2.1, see the simulations below:

1) Encryption

                                example 1           example 2           example 3
  Normal                        2134                3576                6719
  Key                           C44CEF2502C475E5    C44CEF2502C475E5    C44CEF2502C475E5
  Result obtained (incorrect)   6364C3ACE18872EF    F94176922882489B    CF00ACF8A168B951
  Expected result (correct)     B0DF587FD57AC87E    F0D6173C673F26F4    AD284396CCF7691B

2) Decryption (the reverse)

  Value to decrypt              B0DF587FD57AC87E    F0D6173C673F26F4    AD284396CCF7691B
  Key                           C44CEF2502C475E5    C44CEF2502C475E5    C44CEF2502C475E5
  Result obtained               2134FFFFFFFFFFFF    3576FFFFFFFFFFFF    6719FFFFFFFFFFFF
  Expected result (correct)     2134                3576                6719

Nov 5, 2009 at 11:30 AM

 

Good morning. Based on the data submitted, would you do a simulation with the Thales Simulator Library and see if it actually gives the same values as I got, to see if I'm going wrong somewhere?
     And on that issue of the key value 72136927FA1C6E42, which for me gives the value 345CE46C56537C0C (345CE4): is (03BAF3) correct? That was what the person who uses the FK provided to me. Could I, at some place (a site, home page or some other program), do a check value to verify whether the value given is indeed correct or not?

Nov 6, 2009 at 2:00 AM

Nicktng

I found out what was going wrong with the check value: it was the wrong key value, because the value I had received had already passed through the FK component.
    Now on to examples 1, 2 and 3: so far I have not found what I may be doing wrong. I can decrypt the data but I cannot encrypt it, as in the 3 examples. Would you know what to do to get the desired and correct value?

Coordinator
Nov 6, 2009 at 7:29 AM

If you're using FFFFs to pad values, you should do it both for encrypt and decrypt operations.

DESEncrypt of 2134FFFFFFFFFFFF with key C44CEF2502C475E5 gives B0DF587FD57AC87E. DESEncrypt of 2134000000000000 with key C44CEF2502C475E5 gives 6364C3ACE18872EF. Likewise for the other examples.
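An added example, not code from ThalesSim or from anyone in this thread, showing the two mechanics discussed above: the component XOR that the FK command performs (checked against the coordinator's three sample components), a DES odd-parity check that flags a key which is not a clear key, and the F-padding that must be applied symmetrically on encrypt and decrypt. The check value itself (DES of eight zero bytes under the key) needs a DES implementation and is deliberately left to a crypto library here.

```python
# Added example; not ThalesSim code. Pure Python, no DES dependency.

def form_key_from_components(components):
    """XOR clear key components (hex strings of equal length) as FK does."""
    lengths = {len(c) for c in components}
    if len(lengths) != 1 or lengths.pop() not in (16, 32, 48):
        raise ValueError("all components must be 16, 32 or 48 hex digits")
    width = len(components[0])
    acc = 0
    for c in components:
        acc ^= int(c, 16)
    return format(acc, "0%dX" % width)   # keep leading zeros

def has_odd_parity(key_hex):
    """DES keys carry one odd-parity bit per byte. A key failing this is
    likely not a clear DES key at all (mistyped, or already encrypted
    under an LMK, as happened with the second key in this thread)."""
    return all(bin(b).count("1") % 2 == 1 for b in bytes.fromhex(key_hex))

def pad_pin(pin):
    """Right-pad a decimal PIN with F to one 8-byte DES block before
    encrypting (2134 -> 2134FFFFFFFFFFFF). The host in the thread pads
    this way, which is why unpadded input gave the 'incorrect' results."""
    if not (pin.isascii() and pin.isdigit() and 1 <= len(pin) <= 16):
        raise ValueError("PIN must be 1 to 16 decimal digits")
    return pin.ljust(16, "F")

def unpad_pin(block_hex):
    """Strip the F filler after decryption. Unambiguous only because the
    payload is decimal, so F can never be part of the PIN itself."""
    pin = block_hex.upper().rstrip("F")
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("decrypted block is not an F-padded decimal PIN")
    return pin

if __name__ == "__main__":
    # Component values quoted from the coordinator's reply above.
    comps = ["A235EDF4C58A2CB0C84641D07319CF21",
             "FF43378ED5D85B1BC465BF000335FBF1",
             "2EC8A0412B5D0E86E3C1E5ABFA19B3F5"]
    print("formed key :", form_key_from_components(comps))
    print("odd parity :", has_odd_parity("C44CEF2502C475E5"))
    print("padded PIN :", pad_pin("2134"), "->", unpad_pin("2134FFFFFFFFFFFF"))
```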

Nov 9, 2009 at 6:19 PM

Nicktng

There really is a parameter within the software to pad the information to be encrypted with F. Now one question: is there any parameter in your software or in Visual Studio .NET where I can also set this up so that it adds the F when needed and removes the F when required, other than the (.Replace) function?

Coordinator
Nov 9, 2009 at 9:21 PM

No such parameter in the simulator but you can pad using the .Net string methods.