I am currently working on a project to migrate keys from a Thales HSM to a Futurex HSM. Given that I have a large number of keys that need to be exported and then imported, using the console would be too time-consuming. It also carries the risk of human error.
So I have a Python script that goes through a file with the cryptograms of the keys to be exported, along with their key types. The script basically sends an A8 command to the Thales HSM and then sends an A6 command to the Futurex HSM with the exported cryptogram taken from the A8 response. The issue that I am seeing is that the Thales HSM returns error code 29 even though the command is allowed.
Please see an example of the command below:
SENT - AAAAA8000T151B73744EA79E851153D7B32BACEB76B79A19CDA9DC85BEUC9DF187DA1FB381DA752CF474D64EE57U
RECV - AAAAA929
Below is the current configuration that I have enabled:
Online-AUTH>GETCMDS
List of enabled Host commands:
A0 A2 A4 A6 A8 AA AC AE AG AS AU AW AY B0 B2
BA BC BE BG BI BK BM BQ BS BU BW BY CA CC CE
CG CI CK CM CO CQ CS CU CW CY DA DC DE DG DI
DK DM DO DQ DS DU DW DY EA EC EE EG EI EK EM
EO EQ ES EU EW EY FA FC FE FG FI FK FM FO FQ
FS FU FW G0 GA GC GE GG GI GK GM GO GQ GS GU
GW GY HA HC IA JA JC JE JG K0 KA KC KQ KS KU
KW KY LA LC LE LG LI LK LM LO M6 M8 MA MC ME
MG MI MK MM MO MQ MS MY NC NE NG NI NK NO OA
OC OE PA PC PE PG PM Q0 Q2 Q4 Q6 Q8 QA QC RA
RC RI RK RM RO RQ RS RU RW RY TA
Online-AUTH>CONFIGPB
List of enabled PIN Block formats:
01 - ISO 9564-1 & ANSI X9.8 format 0
05 - ISO 9564-1 format 1
35 - MasterCard Pay Now and Pay Later format
41 - Visa/Amex new PIN only format
42 - Visa/Amex new & old PIN format
47 - ISO 9564-1 & ANSI X9.8 format 3
Online-AUTH>QS
PIN length: 04
Encrypted PIN length: 05
Echo: OFF
Atalla ZMK variant support: ON
Transaction key support: AUSTRALIAN
User storage key length: TRIPLE
Select clear PINs: NO
Enable ZMK translate command: YES
Enable X9.17 for import: YES
Enable X9.17 for export: YES
Solicitation batch size: 1024
Single-DES: ENABLED
Prevent Single-DES keys masquerading as double or triple-length keys: YES
ZMK length: DOUBLE
Decimalization tables: ENCRYPTED
Decimalization table checks: ENABLED
PIN encryption algorithm: A
Card/password authorisation (local): C
Press "Enter" to view additional security settings...Q
Authorised State required when Importing DES key under RSA key: YES
Minimum HMAC key length in bytes: 10
Enable PKCS#11 import and export for HMAC keys: NO
Enable ANSI X9.17 import and export for HMAC keys: YES
Enable ZEK encryption of all printable ASCII chars: NO
Enable ZEK encryption of "Base94" ASCII chars: YES
Enable ZEK encryption of "Base64" ASCII chars: YES
Enable ZEK encryption of "Hex-only" ASCII chars: YES
Restrict Key Check Values to 6 hex chars: YES
Enable multiple authorised activities: YES
Allow persistent authorised activities: YES
Enable variable length PIN offset: YES
Enable weak PIN checking: YES
Enable Pin Block Format 34 as output format for PIN Translations to ZPK: YES
Default LMK identifier: 00
Management LMK identifier: 00
Use HSM clock for date/time validation: YES
Additional padding to disguise key length: NO
Key export and import in trusted format only: NO
Has anyone encountered this issue? Were you able to resolve it, and how?
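The following is an added example, not code from the original post or the poster's script, showing how a migration loop can build, frame and parse the A8/A9 exchange quoted above, and run a few sanity checks against the console output before a message is sent. The field layout (header, "A8", 3-character key type, ZMK as scheme tag plus hex, key under LMK as scheme tag plus hex, then the scheme for the exported key) is taken from the trace in the post; the scheme tags Z/U/T (single/double/triple-length, variant LMK) and X/Y (double/triple-length under an X9.17 ZMK), the 2-byte big-endian TCP length prefix, and the A9 success layout (key under ZMK followed by a 6-hex KCV, matching the "Restrict Key Check Values to 6 hex chars: YES" setting) are standard payShield conventions. The error-code names in `ERROR_TEXT` are my recollection of the payShield host command reference and must be confirmed against the manual for the firmware in use. The `check_against_console` function is a consistency check I added (it flags, for instance, that the posted command sends the ZMK under scheme T while the console reports "ZMK length: DOUBLE", and that "enabled in GETCMDS" is a separate question from what the response reports); whether any flagged mismatch is what produces 29 on this unit is not something the post establishes.

```python
"""Build, frame and parse Thales payShield A8 (Export Key) / A9 messages.

Added example, not from the original post. Field layout follows the trace
in the post; error-code names are assumptions to verify against the host
command reference for your firmware.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEX = set("0123456789ABCDEFabcdef")
HEADER_LEN = 4  # the posted trace uses a 4-character header ("AAAA")

# Key-scheme tag -> hex digits that follow it, and the DES key length it denotes.
SCHEME_HEX_LEN = {"Z": 16, "U": 32, "T": 48, "X": 32, "Y": 48}
SCHEME_LENGTH = {"Z": "SINGLE", "U": "DOUBLE", "T": "TRIPLE", "X": "DOUBLE", "Y": "TRIPLE"}

# ASSUMED meanings (from memory of the payShield reference); confirm in your manual.
ERROR_TEXT = {"00": "no error", "26": "invalid key scheme",
              "27": "incompatible key length", "29": "command not licensed"}

# First row of the GETCMDS output quoted in the post (constructed subset).
ENABLED_CMDS = set("A0 A2 A4 A6 A8 AA AC AE AG AS AU AW AY B0 B2".split())


@dataclass
class A8Command:
    header: str
    key_type: str        # e.g. "000" (ZMK)
    zmk: str             # scheme tag + hex, e.g. "T151B..."
    key: str             # key under LMK, scheme tag + hex, e.g. "UC9DF..."
    export_scheme: str   # scheme the exported cryptogram should use

    def encode(self) -> str:
        return f"{self.header}A8{self.key_type}{self.zmk}{self.key}{self.export_scheme}"


@dataclass
class A9Response:
    header: str
    error_code: str
    exported_key: Optional[str]  # key under ZMK, only present when error_code == "00"
    kcv: Optional[str]           # 6 hex chars per the console setting in the post


def _take_key(msg: str, pos: int) -> Tuple[str, int]:
    """Read one key field at pos: scheme tag + hex body, or a bare 16-hex single-length key."""
    if pos >= len(msg):
        raise ValueError(f"message truncated at offset {pos}")
    tag = msg[pos]
    if tag in SCHEME_HEX_LEN:
        start, n = pos + 1, SCHEME_HEX_LEN[tag]
    elif tag in HEX:
        start, n = pos, 16   # untagged single-length key
    else:
        raise ValueError(f"unknown key scheme tag {tag!r} at offset {pos}")
    body = msg[start:start + n]
    if len(body) != n or not set(body) <= HEX:
        raise ValueError(f"key field at offset {pos} needs {n} hex digits")
    return msg[pos:start + n], start + n


def parse_a8(msg: str, header_len: int = HEADER_LEN) -> A8Command:
    pos = header_len
    if msg[pos:pos + 2] != "A8":
        raise ValueError(f"expected command code A8, got {msg[pos:pos + 2]!r}")
    pos += 2
    key_type, pos = msg[pos:pos + 3], pos + 3
    zmk, pos = _take_key(msg, pos)
    key, pos = _take_key(msg, pos)
    if pos >= len(msg) or msg[pos] not in SCHEME_HEX_LEN:
        raise ValueError("missing or invalid export key scheme")
    return A8Command(msg[:header_len], key_type, zmk, key, msg[pos])


def parse_a9(msg: str, header_len: int = HEADER_LEN) -> A9Response:
    pos = header_len
    if msg[pos:pos + 2] != "A9":
        raise ValueError(f"expected response code A9, got {msg[pos:pos + 2]!r}")
    code = msg[pos + 2:pos + 4]
    if code != "00":
        return A9Response(msg[:header_len], code, None, None)
    exported, pos = _take_key(msg, pos + 4)
    return A9Response(msg[:header_len], code, exported, msg[pos:pos + 6])


def describe(code: str) -> str:
    return f"{code} ({ERROR_TEXT.get(code, 'unknown, check the manual')})"


def frame(msg: str) -> bytes:
    """payShield TCP framing: 2-byte big-endian length followed by the ASCII message."""
    body = msg.encode("ascii")
    return struct.pack(">H", len(body)) + body


def unframe(data: bytes) -> str:
    (n,) = struct.unpack(">H", data[:2])
    return data[2:2 + n].decode("ascii")


def check_against_console(cmd: A8Command, enabled_cmds: set, zmk_length: str) -> List[str]:
    """Pre-flight checks against what the console (GETCMDS / QS) reports; returns warnings."""
    warnings = []
    if "A8" not in enabled_cmds:
        warnings.append("A8 is not in the enabled host command list")
    zmk_scheme = cmd.zmk[0]
    if zmk_scheme in SCHEME_LENGTH and SCHEME_LENGTH[zmk_scheme] != zmk_length:
        warnings.append(f"ZMK sent under scheme {zmk_scheme} ({SCHEME_LENGTH[zmk_scheme]}) "
                        f"but console 'ZMK length' is {zmk_length}")
    return warnings


if __name__ == "__main__":
    sent = ("AAAAA8000T151B73744EA79E851153D7B32BACEB76B79A19CDA9DC85BE"
            "UC9DF187DA1FB381DA752CF474D64EE57U")
    cmd = parse_a8(sent)
    print(cmd)
    print(check_against_console(cmd, ENABLED_CMDS, "DOUBLE"))
    print(describe(parse_a9("AAAAA929").error_code))
```

In a real migration loop, `frame(cmd.encode())` is what goes on the socket and `parse_a9(unframe(reply))` is what the A6 step should consume; stop the loop on any non-"00" code rather than forwarding an empty cryptogram to the Futurex side.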