Thales PayShield HSM key management
I'm reading the PayShield docs and have stumbled upon a question regarding key management and the LMK when importing keys:
- PayShield can store up to 20 LMKs. When performing commands (like A6 - Import a Key), how does the HSM know which LMK to use? As a parameter it only asks for a key type, but aren't key types the same for different LMKs (considering they're all variant)?
- The Import a Key command asks you to provide a key already encrypted under a ZMK, for example when transferring a key from one HSM to another. Is there a way to import plaintext, unencrypted keys into an HSM? For example, I think of some random sequence and then try to import it into the HSM. If not, can you somehow encrypt it under a ZMK, or must all such new keys be generated using the appropriate HSM command?
cryptography hsm
asked Nov 13 '18 at 16:13 by karolyzz
Just wondering if this is in a university class that has such an HSM?
– zaph
Nov 13 '18 at 17:27
1 Answer
You can identify an LMK in the command itself or by port. This is in the command or console reference manuals, depending on the type of command.
You cannot import a clear key; you can form a key from a minimum of two clear components.
answered Nov 13 '18 at 17:20 by zaph
Full disclosure: I had help with this answer. 😁
– zaph
Nov 13 '18 at 21:33
Thanks. Adding to the answer: after reading the docs, apparently (2) only applies to the console commands. Host does not have this option, thus my original confusion.
– karolyzz
Nov 23 '18 at 11:32
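As an added illustration of the component scheme the answer refers to (this is example code written for this page, not code from the thread, from Thales or from any PayShield tool), a clear key is formed by XORing at least two clear components and giving the result DES odd parity, so that no single custodian ever holds the whole key. Assumptions: XOR combination and per-byte odd parity as the combining convention; the key check value step is left out because it needs a DES implementation.

```python
import secrets


def _odd_parity(b: int) -> int:
    """Force the DES convention: every key byte has an odd number of 1 bits."""
    return b | 1 if bin(b >> 1).count("1") % 2 == 0 else b & 0xFE


def combine_components(components: list[str]) -> str:
    """XOR two or more hex-encoded clear components into one clear key.

    Mirrors the rule in the answer: a clear key is never entered whole, it is
    formed from at least two components, each held by a different custodian.
    """
    if len(components) < 2:
        raise ValueError("at least two components are required (dual control)")
    raw = [bytes.fromhex(c) for c in components]
    if len({len(r) for r in raw}) != 1 or len(raw[0]) not in (8, 16, 24):
        raise ValueError("components must all be 8, 16 or 24 bytes long")
    combined = raw[0]
    for r in raw[1:]:
        combined = bytes(a ^ b for a, b in zip(combined, r))
    return bytes(_odd_parity(b) for b in combined).hex().upper()


def split_into_components(key_hex: str, n: int = 2) -> list[str]:
    """Split a clear key into n random components whose XOR is the key.

    Any n-1 of the components together reveal nothing about the key, which is
    why component entry is acceptable where importing a single clear key is not.
    """
    key = bytes.fromhex(key_hex)
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for p in parts:
        last = bytes(a ^ b for a, b in zip(last, p))
    return [p.hex().upper() for p in parts + [last]]


def has_odd_parity(key_hex: str) -> bool:
    """True when every byte of the key has odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in bytes.fromhex(key_hex))


# Constructed sample components (not real key material). Note the last byte:
# EF ^ 1F = F0 has even parity, so the combined key byte is adjusted to F1.
COMPONENT_1 = "0123456789ABCDEF"
COMPONENT_2 = "A5B4C3D2E1F00F1F"
```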