Translate a Base Derivation Key from LMK to *ZMK Encryption

Command:

Translate a *BDK from encryption under LMK pair 28-29 to encryption under a *ZMK.

Notes:

The command ignores the S/D (single/double length) parameter set by the CS (Configure Security) console command.

A key check value (KCV) is produced for the *BDK.

The command is fully backward compatible with the DY command in existing firmware.

In HSM 8000 software version 2.0 this command has been extended to support Triple Length *BDK using Key Scheme T.

COMMAND MESSAGE

| Field | Length & Type | Details |
| --- | --- | --- |
| Message header | m A | (Subsequently returned to the Host unchanged). |
| Command code | 2 A | Value DY. |
| *ZMK | 32H or 1A+32H or 1A+48H | The *ZMK encrypted under LMK pair 04-05. |
| *BDK | 32H or 1A+32H or 1A+48H | The *BDK encrypted under LMK pair 28-29. |
| Atalla variant | 1 N or 2 N | Optional. For use in networks that use a *ZMK variant. |
| Delimiter | 1 A | Optional. If present the following three fields must be present. Value ";". |
| Key scheme ZMK | 1 A | Optional. Key scheme for encrypting key under ZMK. |
| Reserved | 1 A | Optional. If present must be 0. |
| Key check value type | 1 A | Optional. Key check value calculation method: 0 = KCV backwards compatible (8H for this command); 1 = KCV 6H; 2 = KCV 8H. |
| End message delimiter | 1 C | Present only if a message trailer is present. Value X'19. |
| Message trailer | n A | Optional. Maximum length 32 characters. |

RESPONSE MESSAGE

| Field | Length & Type | Details |
| --- | --- | --- |
| Message header | m A | Returned to the Host unchanged. |
| Response code | 2 A | Value DZ. |
| Error code | 2 N | 00 : No errors; 10 : *ZMK parity error; 11 : *BDK parity error; 12 : No keys loaded in user storage; 15 : Error in input data; 21 : Invalid user storage index; 27 : *BDK not double length or triple length |
| *BDK | 32H or 1A+32H or 1A+48H | The *BDK encrypted under the *ZMK. |
| Key check value | 6H or 8H | Result of encrypting 64 binary zeros with the key. |
| End message delimiter | 1 C | Present only if present in the command message. Value X'19. |
| Message trailer | n A | Present only if present in the command message. Maximum length 32 characters. |
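The field layouts above, applied in host-side code that assembles a DY command and splits a DZ response. This is an added example, not vendor code. The function names, the sample header and the key values are constructed. It assumes the message is already decoded text with transport framing removed, and that nothing after a non-zero error code needs interpreting.

```python
import re

# Error codes copied from the DZ response table above.
DZ_ERRORS = {"00": "No errors", "10": "*ZMK parity error", "11": "*BDK parity error",
             "12": "No keys loaded in user storage", "15": "Error in input data",
             "21": "Invalid user storage index",
             "27": "*BDK not double length or triple length"}
# Accepted key encodings: 32H, 1A+32H or 1A+48H.
KEY_RE = re.compile(r"(?:[0-9A-F]{32}|[A-Z][0-9A-F]{32}|[A-Z][0-9A-F]{48})\Z")
EM = "\x19"  # end message delimiter X'19

def build_dy(header, zmk, bdk, atalla="", zmk_scheme=None, kcv_type=None, trailer=""):
    """Assemble a DY command string, enforcing the field rules in the table."""
    for name, key in (("*ZMK", zmk), ("*BDK", bdk)):
        if not KEY_RE.match(key):
            raise ValueError(f"{name} must be 32H, 1A+32H or 1A+48H")
    if atalla and not re.fullmatch(r"[0-9]{1,2}", atalla):
        raise ValueError("Atalla variant must be 1 N or 2 N")
    if (zmk_scheme is None) != (kcv_type is None):
        raise ValueError("';' must be followed by scheme, reserved and KCV type")
    if len(trailer) > 32:
        raise ValueError("message trailer is at most 32 characters")
    msg = f"{header}DY{zmk}{bdk}{atalla}"
    if kcv_type is not None:
        if kcv_type not in ("0", "1", "2") or not re.fullmatch(r"[A-Z]", zmk_scheme):
            raise ValueError("scheme is 1 A and KCV type is 0, 1 or 2")
        msg += f";{zmk_scheme}0{kcv_type}"  # reserved field is always 0
    return msg + (EM + trailer if trailer else "")

def parse_dz(message, header_len):
    """Split a DZ response into fields; header_len is the configured length m."""
    body, _, trailer = message.partition(EM)
    code, error = body[header_len:header_len + 2], body[header_len + 2:header_len + 4]
    if code != "DZ":
        raise ValueError(f"unexpected response code {code!r}")
    out = {"header": body[:header_len], "error": error, "trailer": trailer,
           "meaning": DZ_ERRORS.get(error, "not listed on this page")}
    if error != "00":
        return out  # assumption: fields after a non-zero error are not interpreted
    rest = body[header_len + 4:]
    # Key (32, 33 or 49 chars) plus KCV (6 or 8 chars) gives six distinct totals.
    for key_len in (32, 33, 49):
        for kcv_len in (6, 8):
            if len(rest) == key_len + kcv_len and KEY_RE.match(rest[:key_len]):
                return {**out, "bdk": rest[:key_len], "kcv": rest[key_len:]}
    raise ValueError("field lengths do not match the DZ layout")

# Constructed sample (not real key material): triple-length key under scheme T.
SAMPLE_DZ = "HDR1DZ00T" + "0123456789ABCDEF" * 3 + "A1B2C3"
```

Because the three key encodings and two KCV lengths never produce the same total, the parser can recover the field boundaries without being told which KCV type the command requested.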