6

Using the HSM command A0 (Generate a Key), I am getting the below response.

HEADA100U7D4213E0422F4E08E9455D9837E09FDDRA0072B1TX00S000073C35FF96F7A8C7D35D440CCBDA06FFED3AC7017F27B0A0E8896FFC971F0B9
HEAD (Message Header)
A1   (Response Code)
00   (Error Code)
U7D4213E0422F4E08E9455D9837E09FDD (Key under LMK)
RA0072B1TX00S000073C35FF96F7A8C7D35D440CCBDA06FFED3AC7017F27B0A0E8896FFC9 (Key under TMK - export tr31 key block)
71F0B9 (Key Check Value)

My questions are:

How can I extract the key (under tmk) from tr31 key block?

Does anyone know how to decode the tr31 key block?

Panagiotis Giannakis
  • 400
  • 1
  • 9
  • 19

2 Answers2

8

Take a look at the TR31 standard (which isn't legally available for free, because ANSI wants to make your life miserable).

  • R doesn't seem to be part of the TR31 block and I can only assume is something Thales specific
  • A is the key block version id (the first field of the header) and describes the key binding method being used. A is deprecated and uses a key variant binding method.
  • 0072 is the length of the whole TR31 key block in decimal digits, which happens to fit if, we ignore the leading R
  • B1 is the key usage, which is an Initial DUKPT Key
  • T is the algorithm of the key, which is Triple-DES (or Triple-DEA in TR31 notation)
  • X is the mode of use, which is "Key used to derive other key(s)"
  • 00 is the key version number, which means no key versioning is used for this key
  • S is the exportability of the key, which is "Sensitive"
  • 00 is the number of optional blocks in decimal.
  • 00 is reserved for future use and always has to be two ASCII zeros. As there are no optional blocks, this field is the last field of the header.
  • 73C35FF96F7A8C7D35D440CCBDA06FFED3AC7017F27B0A0E is the hex encoded encrypted key (everything after the header except the last 8 characters). It is 24 bytes long, which fits for a 16 byte long key (2 bytes key length, 16 bytes key, 6 bytes padding to get to full 8 byte block size).
  • 8896FFC9 is the MAC (the last 8 characters which (for key block version id A) are the leftmost 32 bit of the Triple-DES CBC-MAC)

To go any further (decrypt the encrypted key) I would need the Key Block Protection Key (which is probably the TMK?).

Perseids
  • 12,584
  • 5
  • 40
  • 64
  • Excuse me, can you explain better this sentence? "It is 24 bytes long, which fits for a 16 byte long key (2 bytes key length, 16 bytes key, 6 bytes padding to get to full 8 byte block size)." – Lazarus Jan 14 '21 at 16:28
  • (Triple-)DES is a 64bit block cipher, so it can only process blocks of the size of 8bytes. The TR31 padding method to encrypt a key of arbitrary length is as follows: Take the length of the key, encode it in two bytes and prepend it to the key. Then take the result and append random bytes until the overall byte-length is a multiple of the blocksize (8 bytes). – Perseids Feb 11 '21 at 09:00
  • @Perseids this is awesome! quick question - can TR31 be implemented on general purpose HSM ? like AWS KMS ? or does the standard require that this is implemented at the firmware level – Sandeep Jul 06 '22 at 10:38
  • To implement TR-31, you need to be able to perform ISO/IEC 9797-1 MAC algorithm 1 and encryption in ECB mode using your KBPK (or KEK). You do need to know the type of your KBPK (e.g AES-128 vs AES-256). So, if the HSM allows those then you should be able to do this in software. But it will be probably slow and you will be keeping KBPK derived keys (KBAK and KBEK) in memory. That is bad for a secure environment. – K.Novichikhin Oct 01 '22 at 06:14
1

'R' is the scheme flag used by Thales, means the format of the key is TR-31. This would not usually be included in any messaging to a peer device as it isn't part of the TR-31 format.

Jim Sheldon
  • 11
  • 1