The following table indicates, for each sensitive host or console command, which activity needs to be authorised. For example, in order to successfully invoke host command A0 to generate a ZMK, the activity generate.zmk.host must be authorised.
Note: The key type table (KTT) still determines whether the HSM needs to be authorised in order to generate, import or export a certain key. Where the key type table entry indicates ‘U’ (unconditional), it is not necessary to authorise the HSM for that activity, even if such an activity is defined (specifically, the L0 & LU host commands). Moreover, the authorised activities genprint.* and component.* do not examine the KTT and are always required.
| Command (H=Host, C=Console) | Description | Category | Sub-Category | Interface |
|---|---|---|---|---|
| SYMMETRIC KEY GENERATION | | | | |
| H – A0 | Generate Key (Auth required as per key table) | generate | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | host |
| H – FG | Generate a Pair of PVKs | generate | pvk | host |
| H – L0 | Generate an HMAC Key | generate | hmac | host |
| C – KG | Generate Key (Auth required as per key table) | generate | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | console |
| C – K | Encrypt a Key under LMK Pair 14-15 (from components) | generate | tmk tpk pvk | console |
| H – A2 | Generate and Print a Component | genprint | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | host |
| H – NE | Generate and Print a Key as Split Components | genprint | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | host |
| H – OE | Generate and Print a TMK, TPK or PVK | genprint | tmk | host |
| H – A4 | Form a Key from Encrypted Components | component | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | host |
| C – BK | Form a Key from Components | component | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | console |
| C – EC | Encrypt Clear Component | component | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | console |
| C – FK | Form Key from Component | component | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | console |
| C – GS | Generate Key Components and Write to a Smartcard | component | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | console |
| C – GC | Generate Key Component | component | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | console |
| SYMMETRIC KEY IMPORT | | | | |
| H – A6 | Import a Key (Auth required as per key table) | import | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | host |
| H – FC | Translate a TMK, TPK or PVK from ZMK to LMK Encryption | import | tmk tpk pvk | host |
| H – LU | Import an HMAC Key | import | hmac | host |
| C – IK | Import Key (Auth required as per key table) | import | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | console |
| C – IV | Import a CVK or PVK from ZMK to LMK | import | cvk pvk | console |
| SYMMETRIC KEY EXPORT | | | | |
| H – A0 | Generate Key (Auth required as per key table) (when requested to export generated key) | export | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | host |
| H – A8 | Export a Key (Auth required as per key table) | export | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | host |
| H – FE | Translate a TMK, TPK or PVK from LMK to ZMK Encryption | export | tmk tpk pvk | host |
| H – LW | Export an HMAC Key | export | hmac | host |
| C – KG | Generate Key (Auth required as per key table) (when requested to export generated key) | export | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | console |
| C – KE | Export Key (Auth required as per key table) | export | zmk kml zpk pvk tpk tmk tak csck cvk wwk zak bdk mk-ac | console |
| C – WK | Translate a Zone PIN Key | export | zpk | console |
| ZMK MANAGEMENT | | | | |
| H – OC | Generate and Print a ZMK Component | genprint | zmk | host |
| H – GG | Form a ZMK from Three ZMK Components | generate | zmk | host |
| H – GY | Form a ZMK from 2 to 9 ZMK Components | generate | zmk | host |
| H – BY | Translate ZMK from ZMK to LMK Encryption | import | zmk | host |
| C – GZ | Generate a Zone Master Key and Write to Smartcards | generate | zmk | console |
| C – DE | Form a ZMK from Clear Components | generate | zmk | console |
| C – D | Form a Zone Master Key From Encrypted Components | generate | zmk | console |
| C – Z | Encrypt a Clear Zone Master Key Component | generate | zmk | console |
| ASYMMETRIC KEY MANAGEMENT | | | | |
| H – EI | Generate an RSA Key Set | generate | rsa | host |
| H – J0 | Generate an Issuer RSA Key Set | generate | rsa | host |
| H – EO | Generate a MAC on a Public Key | import | rsa-pk | host |
| H – JO | Validate a CA Self-Signed Certificate | import | rsa-pk | host |
| CLEAR PIN | | | | |
| H – BA | Encrypt a Clear PIN | pin | clear | host |
| H – NG | Decrypt an Encrypted PIN | pin | clear | host |
| PIN MAILER | | | | |
| H – PE | Print PIN/PIN Solicitation Data | pin | mailer | host |
| H – OA | Print a PIN Solicitation Mailer | pin | mailer | host |
| AUDIT | | | | |
| H – Q6 | Delete Audit Record | audit | | host |
| C – CLEARAUDIT | Clear the Audit Log | audit | | console |
| C – AUDITOPTIONS | Audit Options | audit | | console |
| C – A5 | Configure Fraud Detection | audit | | console |
| C – A7 | Re-enable PIN Verification | audit | | console |
| ADMINISTRATION | | | | |
| C – SS | Save HSM Settings to a Smartcard | admin | | console |
| C – RS | Retrieve HSM Settings from a Smartcard | admin | | console |
| C – LO | Move ‘Old’ LMKs Into Key Change Storage | admin | | console |
| C – SETTIME | Set the Time and Date | admin | | console |
| DIAGNOSTICS | | | | |
| H – KQ | ARQC (or TC/AAC) Verification and/or ARPC Generation | diag | | host |
| H – K0 | Verify Encrypted Counters (M/Chip 4) | diag | | host |
| H – KW | ARQC (or TC/AAC) Verification and/or ARPC Generation (EMV4.1 including CCD) | diag | | host |
| H – KS | Data Authentication Code and Dynamic Number Verification | diag | | host |
| H – PM | Verify a Dynamic CVV | diag | | host |
| MISCELLANEOUS | | | | |
| H – B0 | Translate Key Scheme | misc | | host |
| C – R | Load the Diebold Table | misc | | console |
| C – CV | Generate a VISA Card Verification Value | misc | | console |
| C – PV | Generate a VISA PIN Verification Value | misc | | console |
| C – A6 | Set KMC Sequence Number | misc | | console |
| C – ED | Encrypt Decimalization Table | misc | | console |
| C – MI | Generate a MAC on an IPB | misc | | console |
| COMMAND | | | | |
| H – GI | Import DES Key (Auth required if backward compatibility mode is enabled by CS) | command | gi | host |
| CUSTOM | | | | |
| | | custom | specific custom command code(s) | host console |
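As an added example (not code from the HSM manual or its vendor), the following Python checker builds the activity name in the form category.sub-category.interface from a subset of the table above and applies the two rules in the note: a ‘U’ entry in the key type table waives authorisation, while genprint and component activities are always required regardless of the KTT. The KTT fragment, the glob notation for enabled activities, and the function names are assumptions made for this example.

```python
from fnmatch import fnmatch

# Sub-category list shared by the A0/A2/A4/KG rows of the table above.
KEY_TYPES = {"zmk", "kml", "zpk", "pvk", "tpk", "tmk", "tak", "csck",
             "cvk", "wwk", "zak", "bdk", "mk-ac"}

# A subset of the table: (interface, command, category, sub-categories).
ENTRIES = [
    ("host", "A0", "generate", KEY_TYPES),
    ("host", "A0", "export", KEY_TYPES),
    ("host", "A2", "genprint", KEY_TYPES),
    ("host", "A4", "component", KEY_TYPES),
    ("host", "L0", "generate", {"hmac"}),
    ("host", "LU", "import", {"hmac"}),
    ("console", "KG", "generate", KEY_TYPES),
]

# Constructed key type table (KTT) fragment: 'A' = authorisation required,
# 'U' = unconditional. A real review would read the HSM's own KTT.
KTT = {
    "zmk": {"generate": "A", "export": "A", "genprint": "U"},
    "hmac": {"generate": "U", "import": "U"},
}

# Categories that ignore the KTT and always need authorisation (see the note).
ALWAYS_REQUIRED = ("genprint", "component")


def required_activity(interface, command, category, key_type):
    """Return the activity that must be authorised (category.subcat.interface),
    or None when the KTT marks this key type 'U' for the operation."""
    for iface, cmd, cat, subcats in ENTRIES:
        if (iface, cmd, cat) != (interface, command, category):
            continue
        if key_type not in subcats:
            raise ValueError(f"{key_type} is not a sub-category of {command}/{category}")
        activity = f"{category}.{key_type}.{interface}"
        if category in ALWAYS_REQUIRED:
            return activity
        if KTT.get(key_type, {}).get(category) == "U":
            return None
        return activity
    raise KeyError(f"no authorised activity defined for {interface} {command} {category}")


def is_authorised(enabled, interface, command, category, key_type):
    """True if the enabled activity set (exact names or assumed glob patterns
    such as 'generate.*.host') covers the command for this key type."""
    needed = required_activity(interface, command, category, key_type)
    return needed is None or any(fnmatch(needed, p) for p in enabled)
```

Running it over the HSM's actual enabled-activity list and the commands an application is expected to issue gives a quick least-privilege review of which activities are needed and which are surplus.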