-1

I want to integrate and test a terminal device (PED) with HSM Luna. But I'm not able to understand steps clearly, as to what is done when a new device is integrated. Can anyone please help with this.

Things I know:

Firstly, a BDK is generated. For every device to be integrated, we generate a KSN (which is essentially 59 bit value (left padded 16 bits 0xFFFF, keysetID 24 bits and device id 19 bits)), which uniquely identifies the BDK for every transaction.

Now the question is, how it is done. The request/response of HSM device (function codes etc).

If someone can explain it, it'll be appreciated.

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
vish4071
  • 99
  • 1

1 Answers1

0

SafeNet have documentation on how to generate and manage keys using the Luna. I believe the following is roughly the series of steps you're looking for.

  • Generate key component 1
  • Generate key component 2
  • Load each component to the HSM to generate BDK
  • Use an application API with the HSM to derive an Initial Key using the Initial KSN (your 59-bit value including the keyset-ID and the serial number of the terminal) as a vector with the BDK.
  • Load the Initial Key to the PED; this is usually called "injection".
  • As it operates, the PED derives a new key for each transaction using a 21-bit (more-or-less) counter appended to the Initial KSN to form the KSN. The standard algorithm uses "future" keys precomputed from the Initial Key and is optimized for a limited-power hostile-environment device like a PED, but other algorithms are possible.
  • Each transaction will provide the transaction details as well as the KSN (which includes the keyset-ID, the device serial, and the transaction counter) so the HSM using the BDK can derive the appropriate per-transaction key for decryption.
dave_thompson_085
  • 9,759
  • 1
  • 24
  • 28
AndyMac
  • 3,149
  • 12
  • 21
  • Proposed edit with added/clarified details and standard terminology. If approved but you disagree, (I'm pretty sure) you can re-edit or revert. – dave_thompson_085 Sep 02 '15 at 07:45
  • Hi @dave_thompson_085 and andymac, Its been a week and I was stuck in some other work, so I could not get to this forum again. Sorry for the delay – vish4071 Sep 09 '15 at 10:05
  • Actually, your answer is pretty informative and I understood all steps. But it does not essentially solve my problem. How do we use an application API with hsm to derive initial key (called IPEK). How do we use that information to generate future keys and all? – vish4071 Sep 09 '15 at 10:20
  • Also, through a blog, I even understood each step and now, I can write a code for the whole scenario(possibly), but I need to work with HSM. – vish4071 Sep 09 '15 at 10:22
  • @vish4071 I helped with the generic DUKPT process, but I don't know about your specific model HSM. I can say you should only need to inject IPEK (also called IDK); the *device* (PED) should compute the "future" keys starting from IPEK. – dave_thompson_085 Sep 12 '15 at 14:48
  • @dave_thompson_085, the problem is, the documentation I have of HSM device, `Safenet LUNA eft`, does not have the request/response format to generate IPEK. Thats where I'm stuck. – vish4071 Sep 12 '15 at 15:02
  • If you know anyone, any site that can help me with this step, it will be appreciated. – vish4071 Sep 12 '15 at 15:03