Translate a ZPK from ZMK to LMK Encryption

Command:

Translate a ZPK from encryption under a ZMK to encryption under the LMK.

Used to receive a ZPK from another party.

Notes:

The command does not require the ZPK to have odd parity, but odd parity is forced on the encrypted output. Unlike other commands, if error 01 is returned, it does not inhibit the return of subsequent fields.

The command tests the ZPK, after decrypting it from under the ZMK, to ensure the key (including the parity bits) is not zero (i.e., X’0000 0000 0000 0000). If the key is zero, the HSM returns error code 11 (all zero ZPK with even parity) and terminates processing.

If a 32-character ZMK is required, the HSM must be configured for double-length ZMKs using the CS (Configure Security) console command.

COMMAND MESSAGE

| Field | Length & Type | Details |
| --- | --- | --- |
| Message header | m A | Subsequently returned to the Host unchanged. |
| Command code | 2 A | Value FA. |
| ZMK | 16H or 32H or 1A+32H or 1A+48H | The ZMK encrypted under LMK pair 04-05. |
| ZPK | 16H or 1A+32H or 1A+48H | ZPK encrypted under the ZMK. |
| Atalla variant | 1 N or 2 N | Optional. Atalla variant; for use in systems with Atalla equipment. |
| Delimiter | 1 A | Optional. If present, the following three fields must be present. Value ";". If an option is not required by the command, fill with a valid value or 0. |
| Reserved | 1 A | Optional. If present, must be 0. |
| Key scheme LMK | 1 A | Optional. Key scheme for encrypting the key under the LMK. |
| Key check value type | 1 A | Optional. Key check value calculation method: 0 = KCV backwards compatible; 1 = KCV 6H. |
| End message delimiter | 1 C | Optional. Must be present if a message trailer is present. Value X'19. |
| Message trailer | n A | Optional. Maximum length 32 characters. |


RESPONSE MESSAGE

| Field | Length & Type | Details |
| --- | --- | --- |
| Message header | m A | Returned to the Host unchanged. |
| Response code | 2 A | Value FB. |
| Error code | 2 N | 00: No errors. 01: ZPK parity error; advice only. 10: ZMK parity error. 11: All zero ZPK with even parity; processing is terminated. 12: No keys loaded in user storage. 13: LMK error; report to supervisor. 15: Error in input data. 21: Invalid user storage index. |
| ZPK | 16H or 1A+32H or 1A+48H | Translated ZPK, encrypted under LMK pair 06-07. |
| Check value | 16 H or 6 H | Result of encrypting 64 binary zeroes with the ZPK. 16H or 6H depending on the KCV type option. |
| End message delimiter | 1 C | Present only if present in the command message. Value X'19. |
| Message trailer | n A | Present only if present in the command message. Maximum length 32 characters. |
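Worked example (added here; it is not part of the Thales reference and not Thales code): host-side helpers that assemble the FA command from the fields in the command table, parse the FB response according to the response table (including the advisory nature of error 01 versus the terminating error 11), and show what "odd parity is forced" and "all zero ZPK with even parity" mean on a clear DES key. The key-scheme tags U (double-length, 32H) and T (triple-length, 48H) are an assumption taken from common payShield usage and should be checked against the HSM's own key-scheme table; every header, key and check value used below is constructed test data.

```python
# Added example, not from the page or from Thales. Scheme tags U/T are assumed;
# all keys and headers here are constructed test values, not real key material.
from dataclasses import dataclass
from typing import Optional

HEX_DIGITS = set("0123456789ABCDEF")
SCHEME_LEN = {"U": 32, "T": 48}   # assumed scheme tag -> number of hex digits that follow it
END_DELIMITER = "\x19"            # X'19; precedes the optional message trailer

# Error codes exactly as listed in the response table.
FA_ERRORS = {
    "00": "No errors",
    "01": "ZPK parity error; advice only",
    "10": "ZMK parity error",
    "11": "All zero ZPK with even parity. Processing is terminated.",
    "12": "No keys loaded in user storage",
    "13": "LMK error; report to supervisor",
    "15": "Error in input data",
    "21": "Invalid user storage index",
}


def check_key_field(value: str, allow_untagged_32: bool) -> str:
    """Validate one key field: 16H, 32H (ZMK only), or scheme tag + 32H/48H."""
    if value[:1] in SCHEME_LEN:
        body, want = value[1:], SCHEME_LEN[value[0]]
    else:
        body, want = value, len(value)
        if want != 16 and not (want == 32 and allow_untagged_32):
            raise ValueError(f"untagged key of {want} hex digits is not allowed here")
    if len(body) != want or not set(body) <= HEX_DIGITS:
        raise ValueError("key field is not well-formed hex")
    return value


def build_fa_command(header: str, zmk: str, zpk: str, *, atalla_variant: str = "",
                     lmk_scheme: Optional[str] = None, kcv_type: Optional[str] = None,
                     trailer: Optional[str] = None) -> str:
    """Assemble the FA host command. The ';' option block is emitted only when an
    option was requested; unrequested options are filled with '0' as the table says."""
    msg = header + "FA" + check_key_field(zmk, True) + check_key_field(zpk, False)
    if atalla_variant:
        if not (atalla_variant.isdigit() and len(atalla_variant) <= 2):
            raise ValueError("Atalla variant is 1 or 2 numeric characters")
        msg += atalla_variant
    if lmk_scheme is not None or kcv_type is not None:
        if kcv_type not in (None, "0", "1"):
            raise ValueError("KCV type is 0 (backwards compatible) or 1 (6H)")
        msg += ";" + "0" + (lmk_scheme or "0") + (kcv_type or "0")  # reserved field is always 0
    if trailer is not None:
        if len(trailer) > 32:
            raise ValueError("message trailer is at most 32 characters")
        msg += END_DELIMITER + trailer
    return msg


@dataclass
class FbResponse:
    header: str
    error_code: str
    error_text: str
    zpk_under_lmk: Optional[str]   # None when the HSM terminated processing
    check_value: Optional[str]
    trailer: Optional[str]


def parse_fb_response(raw: str, header_len: int) -> FbResponse:
    """Parse the FB response. Error 01 is advisory, so the ZPK and check value still
    follow it; any other non-zero code terminates processing and carries no key."""
    body, sep, trailer = raw.partition(END_DELIMITER)
    header, rest = body[:header_len], body[header_len:]
    if rest[:2] != "FB":
        raise ValueError(f"unexpected response code {rest[:2]!r}")
    err = rest[2:4]
    if err not in FA_ERRORS:
        raise ValueError(f"unknown error code {err!r}")
    if err not in ("00", "01"):
        return FbResponse(header, err, FA_ERRORS[err], None, None, trailer if sep else None)
    rest = rest[4:]
    n = 1 + SCHEME_LEN[rest[0]] if rest[:1] in SCHEME_LEN else 16
    zpk, kcv = check_key_field(rest[:n], False), rest[n:]
    if len(kcv) not in (6, 16) or not set(kcv) <= HEX_DIGITS:   # 6H or 16H per KCV type
        raise ValueError("check value must be 6H or 16H")
    return FbResponse(header, err, FA_ERRORS[err], zpk, kcv, trailer if sep else None)


def has_odd_parity(key_hex: str) -> bool:
    """True when every byte of a clear key has an odd number of 1 bits (DES convention)."""
    return all(bin(b).count("1") % 2 == 1 for b in bytes.fromhex(key_hex))


def force_odd_parity(key_hex: str) -> str:
    """Flip the low bit of each even-parity byte: what 'odd parity is forced' does."""
    fixed = bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in bytes.fromhex(key_hex))
    return fixed.hex().upper()


def expected_error_for_zpk(clear_key_hex: str) -> str:
    """Error code the notes above imply for a clear ZPK: 11 if the whole key (parity
    bits included) is zero, 01 if any byte has even parity, otherwise 00."""
    if int(clear_key_hex, 16) == 0:
        return "11"
    return "00" if has_odd_parity(clear_key_hex) else "01"
```

The response parser deliberately stops after the error code for anything other than 00 or 01, because those are the only codes after which the table's ZPK and check-value fields are present. A host that wants to verify the returned check value still needs a DES implementation (the KCV is the encryption of 64 zero bits under the ZPK), which is left out here to keep the example dependency-free.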