Command: WK (Translate ZPK). Can be used in online, offline or secure state.
Function: To translate a ZPK from
encryption under the LMK to encryption under a ZMK.
The HSM must be in the Authorised state.
Inputs: ZMK encrypted
under LMK pair 04-05: 16 or 32 hexadecimal characters.
The ZPK encrypted under LMK pair 06-07: 16 hexadecimal characters.
The ZMK variant: 1 or 2 digit, value 0-99 (or <Enter> to ignore).
Used only when interworking with Atalla systems. Refer to the CS command.
Note that this input is not requested when the ZMK variant support is
set to Off.
Outputs: The ZPK encrypted under
the ZMK: 16 hexadecimal characters.
The key check value for the ZPK; generated by encrypting 64 binary zeros
with the key: 16 hexadecimal characters, if restrict KCV is enabled in
the CS command the output will be restricted to the 6 most significant
digits with padding zeros for the remainder.
Errors: Command only allowed from authorised – the HSM is not in authorised state.
Data invalid; please re-enter: - the encrypted ZMK does not contain 16 or 32 hexadecimal characters. Re-enter the correct number of hexadecimal characters.
Key parity error; re-enter key: - the ZMK does not have odd parity on each byte. Re-enter the key and check for typographic errors.
Key parity error - the ZPK does not have odd parity on each byte. Re-enter the key and check for typographic errors.
Internal failure 12: function aborted - the contents of LMK storage have been corrupted or erased. Do not continue. Inform the Security Department.
Example:
Online-AUTH> WK <Return>
Enter encrypted ZMK: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>
(Enter ZMK variant: X <Return>, if enabled by CS command)
Enter encrypted ZPK: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>
ZPK encrypted under ZMK: XXXX XXXX XXXX XXXX
Key check value: XXXX XXXX XXXX XXXX