The HSM host commands support single, double and triple length DES keys. The command set is backward compatible with earlier versions of the HSM, and the commands support extensions that specify the key length and the key encryption scheme to use.
If the first character of the key is a hexadecimal character (0 to 9 or A to F) or “K” or “S”, the commands operate as previously specified. In most circumstances the key is single length, except for ZMKs when the ZMK length is configured for double length, or for specific keys that are double length by definition. These are the 16H and 32H length and types.
To support double and triple length keys throughout the command set, key scheme tags have been defined; these enable the HSM to determine the key length and the encryption mechanism used for a key. The key scheme tag prefixes the key. These are the 1A+32H and 1A+48H length and types.
There are currently two key encryption schemes supported by the HSM:
In the first scheme, each component of a double or triple length key is encrypted separately using the ECB mode of encryption. This scheme is only available for the import and export of keys, and must be enabled using the CS (Configure Security) console command.
The tags for this scheme are:
X – Double length DES keys.
Y – Triple length DES keys.
In the second scheme, each component of a double or triple length key is again encrypted separately using the ECB mode of encryption, but for the second or third component, depending on whether the key is double or triple length, a variant is applied to the encrypting key. Five variants are defined so that each component is encrypted distinctly. Applying variants in this way enforces the use of the key as a double or triple length key and the order of its components. This scheme is available for the encryption of keys under the Local Master Key and for the import and export of keys.
Local Master Keys are by definition double length keys consisting of a left and a right half, each of 16 hexadecimal characters. Other keys, such as ZMKs, may be double or triple length. Triple length keys comprise three parts: left, middle and right; each part, like the halves of a double length key, consists of 16 hexadecimal characters. The variant is applied to the right half of a double length encrypting key and to the middle part of a triple length encrypting key.
The tags for this scheme are as follows:
U – Double length DES keys.
T – Triple length DES keys.
Double length key variants:
Key 1 of 2 – A6
Key 2 of 2 – 5A
Triple length key variants:
Key 1 of 3 – 6A
Key 2 of 3 – DE
Key 3 of 3 – 2B
Example 1:
Given a double length encrypting key of: XXXX XXXX XXXX XXXX YYYY YYYY YYYY YYYY
And a double length key of: AAAA AAAA AAAA AAAA BBBB BBBB BBBB BBBB
- The variant A6 is applied to the first two hex characters of Y to encrypt A.
- The variant 5A is applied to the first two hex characters of Y to encrypt B.
Example 2:
Given a double length encrypting key of: XXXX XXXX XXXX XXXX YYYY YYYY YYYY YYYY
And a triple length key of: AAAA AAAA AAAA AAAA BBBB BBBB BBBB BBBB CCCC CCCC CCCC CCCC
- The variant 6A is applied to the first two hex characters of Y to encrypt A.
- The variant DE is applied to the first two hex characters of Y to encrypt B.
- The variant 2B is applied to the first two hex characters of Y to encrypt C.
Variants are applied by exclusive-ORing (XOR) the first two hexadecimal characters of Y, that is, the first byte of the right half, with the variant value.
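The following Go program is an added worked example of the two schemes and of the variant examples above; it is not code from the HSM vendor's documentation. It uses Go's standard crypto/des package for the ECB block encryption of each 8-byte component, takes the variant values A6/5A and 6A/DE/2B and the tags X/Y/U/T from this page, and XORs the variant into the byte at offset 8 of the encrypting key (the first two hex characters of Y for a double length key). It goes one step beyond the page's two examples by also accepting a triple length encrypting key, where, as the page states, the variant lands on the middle part; since that part also starts at offset 8 the same code path serves both. The function names (ApplyVariant, EncryptKey, DecryptKey, componentCipher) and the tagged string format ("U" followed by 32 upper-case hex characters, matching the 1A+32H / 1A+48H layout) are choices made here, and the key values used in the test are constructed placeholders, not real keys.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Scheme selects how the components of a double or triple length key are
// encrypted under the encrypting key (LMK or ZMK).
type Scheme int

const (
	SchemeECB     Scheme = iota // tags X / Y: plain ECB, same encrypting key for every component
	SchemeVariant               // tags U / T: a per-component variant XORed into the encrypting key
)

// keyTags holds the tags in (scheme, length) order: X/Y for ECB, U/T for variant.
const keyTags = "XYUT"

// Variants from the page: A6/5A for double length keys, 6A/DE/2B for triple length keys.
var variants = map[int][]byte{2: {0xA6, 0x5A}, 3: {0x6A, 0xDE, 0x2B}}

// ApplyVariant returns a copy of encKey with variant XORed into the first byte of its
// right half (double length) or middle part (triple length), i.e. the byte at offset 8.
func ApplyVariant(encKey []byte, variant byte) ([]byte, error) {
	if len(encKey) != 16 && len(encKey) != 24 {
		return nil, fmt.Errorf("encrypting key must be 16 or 24 bytes, got %d", len(encKey))
	}
	k := append([]byte{}, encKey...)
	k[8] ^= variant // a variant of 0 (ECB scheme) leaves the key unchanged
	return k, nil
}

// componentCipher builds the 3DES cipher for component i of an n-part key: the
// encrypting key with that component's variant applied (none for the ECB scheme);
// a double length encrypting key is used as K1||K2||K1.
func componentCipher(scheme Scheme, encKey []byte, n, i int) (cipher.Block, error) {
	var variant byte
	if scheme == SchemeVariant {
		variant = variants[n][i]
	}
	k, err := ApplyVariant(encKey, variant)
	if err != nil {
		return nil, err
	}
	if len(k) == 16 {
		k = append(k, k[:8]...)
	}
	return des.NewTripleDESCipher(k)
}

// transformComponents runs each 8-byte component of in through its own cipher (ECB, one block each).
func transformComponents(scheme Scheme, encKey, in []byte, n int, decrypt bool) ([]byte, error) {
	out := make([]byte, len(in))
	for i := 0; i < n; i++ {
		blk, err := componentCipher(scheme, encKey, n, i)
		if err != nil {
			return nil, err
		}
		src, dst := in[i*8:(i+1)*8], out[i*8:(i+1)*8]
		if decrypt {
			blk.Decrypt(dst, src)
		} else {
			blk.Encrypt(dst, src)
		}
	}
	return out, nil
}

// EncryptKey returns key in tagged form, e.g. "U" + 32 upper-case hex characters.
func EncryptKey(scheme Scheme, encKey, key []byte) (string, error) {
	n := len(key) / 8
	if len(key)%8 != 0 || (n != 2 && n != 3) {
		return "", errors.New("key must be double (16 bytes) or triple (24 bytes) length")
	}
	out, err := transformComponents(scheme, encKey, key, n, false)
	if err != nil {
		return "", err
	}
	return string(keyTags[int(scheme)*2+n-2]) + strings.ToUpper(hex.EncodeToString(out)), nil
}

// DecryptKey reverses EncryptKey, taking the scheme and component count from the tag.
func DecryptKey(encKey []byte, tagged string) ([]byte, error) {
	if tagged == "" {
		return nil, errors.New("empty key")
	}
	idx := strings.IndexByte(keyTags, tagged[0])
	ct, err := hex.DecodeString(tagged[1:])
	if idx < 0 || err != nil || len(ct) != (idx%2+2)*8 {
		return nil, fmt.Errorf("malformed tagged key %q", tagged)
	}
	return transformComponents(Scheme(idx/2), encKey, ct, idx%2+2, true)
}
```

Two points worth noticing when running this. Under the ECB scheme (X/Y) two identical halves produce two identical cryptograms, and the halves of a U key can be swapped without the receiving side being able to tell from the cryptogram alone; under the variant scheme each half is bound to its position, so a swapped or truncated key decrypts to an unrelated value, which a key check value comparison then catches. Go's crypto/des does not check DES key parity, so this example accepts component values that a real HSM would reject as parity errors.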