Where do i get BDK for DUKPT decryption
Question
I have generated a BDK Type3 key for DUKPT in Thales HSM. I have sent this BDK which is encrypted under the LMK of the HSM to the terminal manufacturer to generate the IPEK key and inject it into the terminal.
When I receive the encrypted data I have the KSN and now I need the BDK again to decrypt it.I am not storing the BDK anywhere in my HOST application.How can I get the BDK again for decryption.Is it stored somewhere in the HSM.If there are multiple BDKs how do I find the right one used for this particular terminal?
2 answers
solution1
2 2017-07-18 08:10:05
The BDK (Base Derivation Key) should be kept in the HSM so it's available when you need to decrypt. During decrypt you would pass the KSN (Key Serial Number) as input to the HSM , and the HSM would then recreate the DUKPT key used by the terminal for encryption from the BDK .
solution2
0 2017-07-26 23:08:21
For data decryption you can use THALES HSM command M2 with parameters
- BDK (under LMK) - This is the key that you sent to the terminal
manufacturer - Encrypted data - received from the terminal
- KSN - received from the terminal
About BDK exchange (between you and the terminal manufacturer)
The straightforward process is:
- exchange ZMK (zone master key) between you and the manufacturer
- encrypt BDK under ZMK
- the manufacturer decrypts the BDK (using the ZMK) in a secure environment (key injection room)
- the manufacturer produces IPEK using the clear BDK
Your BDK is encrypted under LMK. In other words your BDK is protected by LMK, in this way none else can you use your BDK (super secret key). Consistently if you send your BDK (under LMK), your manufacturer can not use the BDK (clear) for IPEK generation. That's why you need a ZMK in your process.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.