Question

I have two clear components, generated by command 000A30303030413230303255 (it's 000A0000A2002U in HEX mode; this is the "GC" - Translate a ZPK from LMK to ZMK Encryption command from the 1270A513 Issue 3 manual) using Java code.

Now I need to generate an encrypted key from those components. The console command for it is the "FK" command (1270A513 Issue 3, page 5-14). I couldn't find any command for doing it from Java code. I used the Host Command Reference manual (1270A351 Issue 6) and found only the A4 - Form a Key from Encrypted Components command, but this command is for generating a key from encrypted components.

Is there a way to generate an encrypted key using clear components?

Solution

There is no way to do this, and for good reason. If you were to send this via your Java code, it would be open to attack, as the clear components would be sent through the network unencrypted. Any person intercepting these components can generate the key themselves. The GC and FK commands are meant to be used with the console and not remotely, which is why it is possible using those commands.

If you already have the components, you can only form them at the HSM console. If you can possibly generate new keys, use the A0 command from your Java code.

OTHER TIPS

I don't recommend using this in production. I would take the following steps if I really needed to do that.

  1. Generate a ZMK (clear and encrypted) on the HSM console using the 'GC' and 'FK' commands (this needs to be done only once; the key is reused).
  2. Use the clear ZMK to encrypt all of your keys using TripleDES-ECB-NOPADDING in your application.
  3. Use command 'A6' to import all ZMK-encrypted keys to LMK.
  4. Use the 'A4' command to form the key using the LMK-encrypted components.
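
What handling clear components in application code amounts to, as an added example that is not code from either answerer: the two components are combined by XOR (an assumption here, the page does not name the combining method), and step 2 of the tip is a DESede/ECB/NoPadding encryption under the clear ZMK. The class and helper names and all hex values are constructed test data, the 3-byte check value is the common convention rather than something the page specifies, and Java 17+ is assumed for `HexFormat`.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;
import java.util.HexFormat;

public class ClearComponentDemo {
    static final HexFormat HEX = HexFormat.of().withUpperCase();

    // Combine two clear components by XOR (assumed combining method).
    static byte[] xor(byte[] a, byte[] b) {
        if (a.length != b.length) throw new IllegalArgumentException("length mismatch");
        byte[] out = new byte[a.length];
        for (int i = 0; i < a.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }

    // Java's DESede wants 24 key bytes: a double-length key K1|K2 becomes K1|K2|K1.
    static byte[] tdesEcbNoPadding(byte[] key16, byte[] data) throws Exception {
        byte[] key24 = Arrays.copyOf(key16, 24);
        System.arraycopy(key16, 0, key24, 16, 8);
        try {
            Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key24, "DESede"));
            return c.doFinal(data); // data length must be a multiple of 8 bytes
        } finally {
            Arrays.fill(key24, (byte) 0);
        }
    }

    // Key check value: first 3 bytes of 8 zero bytes encrypted under the key.
    static String kcv(byte[] key16) throws Exception {
        return HEX.formatHex(tdesEcbNoPadding(key16, new byte[8]), 0, 3);
    }

    public static void main(String[] args) throws Exception {
        // Constructed test values, not real key material.
        byte[] comp1 = HEX.parseHex("0123456789ABCDEFFEDCBA9876543210");
        byte[] comp2 = HEX.parseHex("5A0F3C9612E7B48DC3A5781E9F2406BD");
        byte[] zmk   = HEX.parseHex("A1B2C3D4E5F60718293A4B5C6D7E8F90");

        byte[] key = xor(comp1, comp2); // whoever sees both components can do this
        System.out.println("formed key KCV : " + kcv(key));
        System.out.println("ZMK KCV        : " + kcv(zmk));
        System.out.println("key under ZMK  : " + HEX.formatHex(tdesEcbNoPadding(zmk, key)));

        // Wipe clear key material once it is no longer needed.
        for (byte[] b : new byte[][] {comp1, comp2, zmk, key}) Arrays.fill(b, (byte) 0);
    }
}
```

Comparing the printed check values with the ones shown at the HSM console is the usual way to confirm that both sides hold the same key without exchanging the key itself.
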
Licensed under: CC-BY-SA with attribution