Translate ZMK from ZMK to LMK encryption

Command:

To translate a ZMK from encryption under a ZMK to encryption under the LMK

Notes:

This command is enabled and disabled using the CS (Configure Security) console command.

The command does not require the imported ZMK to have odd parity, but odd parity is forced on the encrypted output. If the imported ZMK does not have odd parity, error 01 is returned as advice only and the subsequent response fields are still returned.

If a 32-character ZMK is required, the HSM must be configured for double-length ZMKs using the CS (Configure Security) console command.

The HSM must be in Authorised State.

See Key Scheme Table for schemes available to encrypt keys.

 

COMMAND MESSAGE

| Field | Length & Type | Details |
|---|---|---|
| Message header | m A | (Subsequently returned to the Host unchanged). |
| Command code | 2 A | Value BY. |
| ZMKi | 16H or 32H or 1A+32H or 1A+48H | The ZMKi encrypted under LMK pair 04-05. |
| ZMK | 16H or 32H or 1A+32H or 1A+48H | The ZMK encrypted under ZMKi. |
| Atalla Variant | 1 N or 2 N | Optional. Atalla variant; for use in systems with Atalla equipment. |
| Delimiter | 1 A | Optional. If present the following three fields must be present. Value “;”. If an option is not required by the command fill with a valid value or 0. |
| Reserved | 1 A | Optional. If present must be 0. |
| Key scheme LMK | 1 A | Optional. Key scheme for encrypting key under LMK. |
| Key check value type | 1 A | Optional. Key check value calculation method: 0 - KCV backwards compatible; 1 - KCV 6H. |
| End message delimiter | 1 C | Optional. Must be present if a message trailer is present. Value X'19'. |
| Message trailer | n A | Optional. Maximum length 32 characters. |


 

RESPONSE MESSAGE

| Field | Length & Type | Details |
|---|---|---|
| Message header | m A | Returned to the Host unchanged. |
| Response code | 2 A | Value BZ. |
| Error code | 2 N | 00 : No errors; 01 : ZMK parity error, advice only; 10 : ZMKi Parity error; 12 : No keys loaded in user storage; 13 : LMK error : report to supervisor; 15 : Error in input data; 17 : Not in authorised state; 21 : Invalid user storage index |
| ZMK | 16H or 32H or 1A+32H or 1A+48H | ZMK encrypted under LMK pair 04-05. |
| Key check value | 6 H | The key check value. |
| End message delimiter | 1 C | Present only if present in the command message. Value X'19'. |
| Message trailer | n A | Present only if present in the command message. Maximum length 32 characters. |
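The field layouts above can be exercised with a small host-side helper. This is an added example, not vendor code: the function names `build_by` and `parse_bz` are hypothetical, the header length is whatever the HSM is configured for, and the Atalla variant field is not covered. It assumes the 6H key check value shown in the response table and that key fields are absent for error codes other than 00 and 01.

```python
import re

# Error codes exactly as listed in the response table on this page.
BZ_ERRORS = {
    "00": "No errors", "01": "ZMK parity error, advice only",
    "10": "ZMKi parity error", "12": "No keys loaded in user storage",
    "13": "LMK error: report to supervisor", "15": "Error in input data",
    "17": "Not in authorised state", "21": "Invalid user storage index",
}
# Accepted key encodings: 16H, 32H, 1A+32H, 1A+48H.
KEY_RE = re.compile(r"(?:[0-9A-F]{16}|[0-9A-F]{32}|[A-Z][0-9A-F]{32}|[A-Z][0-9A-F]{48})")
END_DELIM = "\x19"


def build_by(header, zmki, zmk, lmk_scheme=None, kcv_type="1", trailer=None):
    """Assemble a BY command; optional fields follow the ';' delimiter."""
    for name, key in (("ZMKi", zmki), ("ZMK", zmk)):
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"{name} is not 16H, 32H, 1A+32H or 1A+48H")
    msg = header + "BY" + zmki + zmk
    if lmk_scheme is not None:
        msg += ";" + "0" + lmk_scheme + kcv_type  # delimiter, reserved, scheme, KCV type
    if trailer is not None:
        if len(trailer) > 32:
            raise ValueError("trailer exceeds 32 characters")
        msg += END_DELIM + trailer
    return msg


def parse_bz(message, header_len):
    """Split a BZ response into its fields and classify the error code."""
    header, rest = message[:header_len], message[header_len:]
    if rest[:2] != "BZ" or rest[2:4] not in BZ_ERRORS:
        raise ValueError("not a well-formed BZ response")
    code = rest[2:4]
    body, delim, trailer = rest[4:].partition(END_DELIM)
    out = {"header": header, "error": code, "meaning": BZ_ERRORS[code],
           "advisory": code == "01", "zmk": None, "kcv": None,
           "trailer": trailer if delim else None}
    if code in ("00", "01"):  # 01 is advice only: key fields are still returned
        out["zmk"], out["kcv"] = body[:-6], body[-6:]
        if not KEY_RE.fullmatch(out["zmk"]) or not re.fullmatch(r"[0-9A-F]{6}", out["kcv"]):
            raise ValueError("ZMK or key check value field is malformed")
    return out
```

A caller should log the `advisory` flag rather than discard the response: with error 01 the translated ZMK is usable, but the key received from the other party did not have odd parity.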