The HSM Local Master Keys (LMKs) are numbered from key 00 to key 99. They are used in pairs and each pair has a function, as shown in the table.
|
LMK Pair |
Function |
|
00 - 01 |
Contains the two Smartcard “keys” (Passwords if the HSM is configured for Password mode) required for setting the HSM into the Authorized state. |
|
02 - 03 |
Encrypts the PINs for Host storage. |
|
04 - 05 |
Encrypts Zone Master Keys and double-length ZMKs. Encrypts Zone Master Key components under a Variant. |
|
06 - 07 |
Encrypts the Zone PIN keys for interchange transactions. |
|
08 - 09 |
Used for random number generation. |
|
10 - 11 |
Used for encrypting keys in HSM buffer areas. |
|
12 - 13 |
The initial set of Secret Values created by the user; used for generating all other Master Key pairs. |
|
14 - 15 |
Encrypts Terminal Master Keys, Terminal PIN Keys, and PIN Verification Keys. Encrypts Card Verification Keys under a Variant. |
|
16 - 17 |
Encrypts Terminal Authentication Keys. |
|
18 - 19 |
Encrypts reference numbers for solicitation mailers. |
|
20 - 21 |
Encrypts ‘not on us’ PIN Verification Keys and Card Verification Keys under a Variant. |
|
22 - 23 |
Encrypts Watchword Keys. |
|
24 - 25 |
Encrypts Zone Transport Keys. |
|
26 - 27 |
Encrypts Zone Authentication Keys. |
|
28 - 29 |
Encrypts Terminal Derivation Keys. |
|
30 - 31 |
Encrypts Zone Encryption Keys. |
|
32 - 33 |
Encrypts Terminal Encryption Keys. |
|
34 - 35 |
Encrypts RSA Keys. |
|
36 - 99 |
Reserved for future use. |
|
There are Variants of some keys to suit particular requirements. |
|
The Local Master Keys are normally generated once, recorded on Smartcards and loaded into the HSM. If the HSM is opened for any reason (e.g. maintenance), the keys are erased and therefore must be reloaded.
To generate and load the LMKs, at least three "Component Holders" (two Authorising Officers and at least one other person) are required.
The first Authorising Officer creates two 16-digit Secret Values (and a Password, if the HSM is configured in Password mode), and enters this data at the Console. The two Secret Values are temporarily stored internally as key pair 12 - 13. The HSM generates new values for the other keys shown in the table. The new values are called a "Component Set". This set of values is then recorded on a Smartcard.
Using the same procedure, the second Authorising Officer creates two Secret Values (and if necessary, a password), generates a Component Set and records it on a second Smartcard.
The third Component Holder creates two Secret Values, generates a Component Set and records it on a third Smartcard.
More than three people can be involved.
The procedure results in a number of Smartcards, each containing one Component Set of keys. The first and second Smartcards also contain Authorising data. Each Component Holder makes copies of its data so that it is stored on a number of Smartcards. At least two copies should be made, one for storage onsite and one offsite. Serious consideration should be given to the creation of extra copies to provide a greater level of resilience against the failure of any one Smartcard.
NOTE: AT NO TIME SHOULD ANY ONE PERSON BE ABLE TO GAIN ACCESS TO ALL COMPONENTS.
The data contained in the Smartcards is loaded to LMK storage. The load function stores Authorising data (Passwords, if this mode is used) as key pair 00 - 01, and mathematically combines each Component Set with the previous contents of the LMK storage to form the remaining LMK pairs. The Smartcards must then be separately and securely stored (e.g., in safe deposit boxes).
When new LMKs are generated (for example, if existing keys are known to be compromised), it is usually necessary to save the old LMKs so that existing encrypted data can be translated from encryption under the old keys to encryption under the new keys. To save the LMKs, transfer them to a special memory area known as "key change storage". After this process, use Host commands to translate the old encrypted data.
The LMKs in the unit can be verified and the LMKs on the Smartcards can be checked. It is recommended that:
· LMKs in the HSM are verified at 6-month intervals.
· LMKs on Smartcards (including all the spare copies) are checked at 12-month intervals.
· LMKs are changed at 2 year intervals. This ensures that the procedures required for the change are regularly exercised and updated where necessary.