Form Key from Components

Command: FK (Form Key). Can be used in online, offline or secure state.

Function:     To build a key from components. If clear components are used, they will not be checked for parity, but odd parity will be forced on the final key before encryption under the LMK.
The HSM must be in the Authorised state.
Refer to Key Type Table for Key types and restrictions on Generate, Export and Import.

Inputs:        Key length:   (1 - Single length, 2 - Double Length, 3 - Triple Length).
Key Type:    See Key Type Table
Key Scheme: Key scheme for encrypting key under LMK; see Key Scheme Table
(Defaults:     Key Length 1 - Key Scheme 0; Key Length 2 - Key Scheme U; Key Length 3 - Key Scheme T)
Component Type:
(X = Clear XOR, H = Clear Half or Third Key, E = Encrypted, S = Smartcard)
The number of key components to be entered: 1 to 9 for X or E; 2 to 3 for S.
The key component:

·         For clear XOR components each key component must contain 16 or 32 or 48 hexadecimal characters.

·         For clear Half or Third Key components each key component must contain 8 or 16 hexadecimal characters.

·         For encrypted components each component must contain 16 hex, or 1 alpha + 32 hex, or 1 alpha + 48 hex.

·         For Smartcard components the components will be extracted from Smartcards.

Outputs:     The key formed by exclusive-ORing or concatenating the components, forcing odd parity and encrypting under the appropriate LMK pair.
The key check value, formed by encrypting a block of zeros with the key, and returning the first 24 bits: 6 hexadecimal characters.
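As an added illustration, not the HSM's own code, the following Python combines clear components the way described above (XOR for type X, concatenation for type H), rejects the inputs FK reports as errors, and forces odd parity on the result. It assumes a half key is 2 components and a third key is 3; LMK encryption and the DES-based key check value are not computed.

```python
from typing import List

# Added example, not the HSM's own code: forms a clear key from FK-style
# components and forces odd parity as FK does before LMK encryption.

def force_odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has an odd number of 1 bits."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 | (0 if bin(high7).count("1") % 2 else 1))
    return bytes(out)

def form_key(component_type: str, components: List[str]) -> bytes:
    """Return the clear key formed from hex components, with odd parity forced.

    Raises ValueError carrying the FK error text for the conditions it checks.
    """
    comps = [c.replace(" ", "").upper() for c in components]
    if component_type == "X":            # clear XOR: 1 to 9 components
        if not 1 <= len(comps) <= 9:
            raise ValueError("Invalid entry")
        allowed = (16, 32, 48)
    elif component_type == "H":          # clear half/third key: assumption, 2 or 3 parts
        if not 2 <= len(comps) <= 3:
            raise ValueError("Invalid entry")
        allowed = (8, 16)
    else:
        raise ValueError("unsupported component type")
    if len({len(c) for c in comps}) != 1 or len(comps[0]) not in allowed:
        raise ValueError("Data invalid; please re-enter")
    parts = [bytes.fromhex(c) for c in comps]   # ValueError on non-hex input
    if component_type == "X":
        raw = parts[0]
        for p in parts[1:]:
            raw = bytes(a ^ b for a, b in zip(raw, p))
    else:
        raw = b"".join(parts)
    # Clear components are not parity checked, but a key whose effective
    # (non-parity) bits are all zero is rejected. Check before forcing
    # parity, which would otherwise turn 00 bytes into 01.
    if all((b & 0xFE) == 0 for b in raw):
        raise ValueError("Key all zero")
    return force_odd_parity(raw)

if __name__ == "__main__":
    # Constructed components: XOR gives even-parity bytes, which are then forced odd.
    key = form_key("X", ["0123 4567 89AB CDEF FEDC BA98 7654 3210",
                         "0101 0101 0101 0101 0101 0101 0101 0101"])
    print(key.hex().upper())  # 0123456789ABCDEFFEDCBA9876543210
```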

Errors:        Command only allowed from authorised – the HSM is not in authorised state.

Invalid key scheme - an invalid key scheme is entered.  See Key Scheme Table.

Invalid key type; re-enter: - the key type is invalid.  See Key Type Table.

Key all zero – the key is invalid.

Invalid entry - an invalid number of components has been entered.

Data invalid; please re-enter: - the amount of input data is incorrect. Re-enter the correct number of hexadecimal characters.

Invalid PIN; re-enter: - a PIN of less than 4 or greater than 8 is entered.

Smartcard error; command/return: 0003 – an invalid PIN is entered.

No component exists – no key component on the provided smart card.

Not a LMK card – the card is formatted for HSM storage or is a licence card.

Card not formatted – card is not formatted.

Internal failure 12: function aborted - the contents of LMK storage have been corrupted or erased. Do not continue. Inform the Security Department.

Example 1:

Online-AUTH> FK <Return>

Enter Key Length[1,2,3]: 2 <Return>

Enter Key type: 002 <Return>

Enter Key Scheme: U <Return>

Component type [X,H,E,S]: X <Return>

Enter number of components [1-9]: 2 <Return>

Enter component 1: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>

Enter component 2: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>

Encrypted key: U YYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY

Key check value: ZZZZZZ


Example 2: Input from Smartcard

Online-AUTH> FK <Return>

Enter Key Length[1,2,3]: 2 <Return>

Enter Key type: 002 <Return>

Enter Key Scheme: U <Return>

Component type [X,H,E,S]: S <Return>

Enter number of components (1-9): 2 <Return>

Insert card 1 and enter PIN: XXXX <Return>

Insert card 2 and enter PIN: XXXX <Return>

Encrypted key: U YYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY

Key check value: ZZZZZZ


Example 3: Form from encrypted components

Online-AUTH> FK <Return>

Enter Key Length[1,2,3]: 2 <Return>

Enter Key type: 002 <Return>

Enter Key Scheme: U <Return>

Component type [X,H,E,S]: E <Return>

Enter number of components (1-9): 2 <Return>

Enter component 1: U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>

Enter component 2: U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>

Encrypted key: U YYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY

Key check value: ZZZZZZ


Note:    To produce a valid ZMK, key type 000 must be used for the key type input in the GC command when generating the key components.