HSM and Various Keys Used

The HSM provides an extensive range of functions including support for key management, PIN generation, encryption and verification, and Message Authentication Code (MAC) generation and verification. The use of HSM is a requirement for compliance with American National Standards Institute (ANSI) TG-3 PIN protection and key management guidelines, as well as most card association and network security mandates.

Types of Keys Used by the HSM

An HSM never works with plain keys: every key it processes is encrypted under another key, a Key Encryption Key (KEK). The LMK is a KEK that is stored securely inside the HSM. The main idea of the HSM is that you cannot obtain the real LMK value and, consequently, cannot obtain the plain value of any working key. All the keys you use with the HSM are cryptograms.

Key Management

  1. LMK – Local Master Key

The Local Master Key (LMK) is the master key for the HSM and is used to protect all other keys used by the institution concerned. As transaction volume increases, banks usually deploy multiple HSMs. That does not mean there are multiple LMKs: there is only one LMK per site. It is the mother of all keys for each institution.

Three clear key components are generated by 3 officials of the institution concerned. Each of these clear components is kept by a separate custodian who works for that institution and is entered into the HSM using a smart card, and a Key Check Value is created. During this operation each custodian creates a smart card copy as a fall-back. Each custodian enters their component into the HSM, which combines them to form the ZMK. Most typically, the clear components are simply XORed to form the LMK.

Watch the following 3 videos to see how the LMK is generated.

  1. https://www.youtube.com/watch?v=f_ucKijZ6uY (format 3 smart cards and 3 fall-back cards)

  2. https://www.youtube.com/watch?v=4EP3sB400a4 (each officer separately enters his/her clear key component into his/her smartcard and its copy)

  3. https://www.youtube.com/watch?v=7l8QncIpWlE (using smartcards 3 officers enter their components to generate final LMK pairs, which are stored only in HSM)

The three smart cards are kept separately by each of the officers in a safe place (preferably a bank locker), and taken out for re-entry should the need arise or an additional HSM be purchased.
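The XOR combination of custodian components described above, as an added Python example (not code from the original page or from any HSM vendor). The 16-byte component length, the odd-parity adjustment and all function names are assumptions of this sketch; the Key Check Value is not computed because it needs a DES implementation.

```python
import secrets
from functools import reduce

KEY_LEN = 16  # assumed: double-length DES key


def set_odd_parity(data: bytes) -> bytes:
    """Adjust the low bit of every byte so each byte has odd parity (DES convention)."""
    out = bytearray()
    for b in data:
        high = b & 0xFE
        out.append(high | (0 if bin(high).count("1") % 2 else 1))
    return bytes(out)


def has_odd_parity(data: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in data)


def new_component(length: int = KEY_LEN) -> bytes:
    """One custodian's clear component, drawn from the OS CSPRNG."""
    return set_odd_parity(secrets.token_bytes(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def combine(components: list) -> bytes:
    """XOR the components into the final key, as the HSM does internally.
    Three odd-parity components give an odd-parity key; an even number of
    components would need set_odd_parity() applied to the result."""
    if len(components) < 2:
        raise ValueError("split knowledge needs at least two components")
    return reduce(xor_bytes, components)


def missing_component(key: bytes, known: list) -> bytes:
    """The component that completes `known` to `key`. Because one exists for
    every possible key, two colluding custodians learn nothing about the key."""
    return reduce(xor_bytes, known, key)


if __name__ == "__main__":
    parts = [new_component() for _ in range(3)]  # constructed sample components
    key = combine(parts)
    print("odd parity preserved:", has_odd_parity(key))
    print("third part recoverable only with the key:",
          missing_component(key, parts[:2]) == parts[2])
```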

Security for key management is ensured by the use of an enforced key hierarchy and the use of multiple Local Master Key (LMK) pairs. The HSM can use Smart Cards (compatible with ISO 7816) to provide a convenient means of handling LMKs.

Local Master Keys are a set of 40 DES keys. They are stored securely in the HSM, making it very difficult for an attacker to gain access to them. LMKs are the only keys that are stored in the HSM.

LMKs are not used for encrypting data, but are instead used to encrypt and decrypt other keys as these enter or leave the HSM. LMKs are used to ensure that even if the data traffic between the HSM and an application is recorded, the clear values of any exchanged keys are not compromised.

LMKs come in pairs and the Thales HSM contains several LMK pairs. Different LMK pairs are used to encrypt/decrypt different types of security keys. LMK pairs are identified by two numbers, for example LMK pair 04-05, LMK pair 14-15, etc. See the diagram below.

For more details: https://github.com/snowch/hsm-guide/blob/master/book.md#pin-block-creation-clear-pin-blocks

  2. Zone Master Key

Sometimes banks need to transmit keys to other parties, e.g., Visa or MasterCard, in order to exchange encrypted data such as PIN blocks. In that case banks should use another KEK, called the ZMK.

A Zone Master Key (ZMK) is a key-encrypting key which is distributed manually between two (or more) communicating sites, within a shared network, in order that further keys can be exchanged automatically (without the need for manual intervention). The ZMK is used to encrypt keys of a lower level for transmission. For local storage, a ZMK is encrypted under one of the LMK pairs.

Within the VISA environment this is known as a ZCMK.

  3. Zone PIN Key

A Zone PIN Key (ZPK) is a data encrypting key which is distributed automatically and is used to encrypt PINs for transfer between communicating parties (for example, between acquirers and issuers). For transmission, a ZPK is encrypted under a ZMK; for local storage it is encrypted under one of the LMK pairs.
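The ZMK and ZPK descriptions above, modelled as an added Python example (not part of the original page and not a vendor API): two sites share a ZMK, the ZPK travels under the ZMK, and each site stores it under its own LMK. `ToyHSM`, its methods and the XOR-pad `wrap` function are hypothetical; `wrap` is a stand-in for the HSM's real DES-based key encryption and is not secure.

```python
import hashlib
import secrets


def wrap(kek: bytes, key: bytes) -> bytes:
    """Stand-in for the HSM's key-encrypting cipher (real units use DES/3DES).
    XOR with a KEK-derived pad: NOT secure, it only keeps the sketch stdlib-only."""
    pad = hashlib.sha256(b"toy-kek-pad" + kek).digest()[:len(key)]
    return bytes(k ^ p for k, p in zip(key, pad))


unwrap = wrap  # an XOR pad is its own inverse


class ToyHSM:
    """Hypothetical model of one site's HSM; the host only ever holds cryptograms."""

    def __init__(self, lmk: bytes):
        self._lmk = lmk  # stays inside the HSM

    def load_zmk(self, clear_zmk: bytes) -> bytes:
        # In practice the clear ZMK is formed from components inside the HSM.
        return wrap(self._lmk, clear_zmk)

    def generate_zpk(self, zmk_under_lmk: bytes):
        zmk = unwrap(self._lmk, zmk_under_lmk)
        zpk = secrets.token_bytes(16)
        # One copy for transmission (under the ZMK), one for local storage (under the LMK).
        return wrap(zmk, zpk), wrap(self._lmk, zpk)

    def import_zpk(self, zmk_under_lmk: bytes, zpk_under_zmk: bytes) -> bytes:
        zmk = unwrap(self._lmk, zmk_under_lmk)
        return wrap(self._lmk, unwrap(zmk, zpk_under_zmk))


def exchange_zpk(acquirer: ToyHSM, issuer: ToyHSM, clear_zmk: bytes):
    """Acquirer creates a ZPK and sends it under the shared ZMK; issuer imports it."""
    acq_zmk = acquirer.load_zmk(clear_zmk)
    iss_zmk = issuer.load_zmk(clear_zmk)
    on_the_wire, acq_stored = acquirer.generate_zpk(acq_zmk)
    iss_stored = issuer.import_zpk(iss_zmk, on_the_wire)
    return on_the_wire, acq_stored, iss_stored


if __name__ == "__main__":
    # Constructed sample LMKs and ZMK, for illustration only.
    a, i = ToyHSM(secrets.token_bytes(16)), ToyHSM(secrets.token_bytes(16))
    wire, a_db, i_db = exchange_zpk(a, i, secrets.token_bytes(16))
    print("three different cryptograms of one ZPK:", len({wire, a_db, i_db}) == 3)
```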

  4. Terminal Master Key

A Terminal Master Key (TMK) is a key-encrypting key which is distributed manually, or automatically under a previously installed TMK. It is used to distribute data-encrypting keys, within a local (non-shared) network, to an ATM or POS terminal or similar. The TMK is used to encrypt other TMKs or keys of a lower level for transmission. For local storage, a TMK is encrypted under one of the LMK pairs.

  5. Terminal PIN Key

A Terminal PIN Key (TPK) is a data-encrypting key which is used to encrypt PINs for transmission, within a local network, between a terminal and the terminal data acquirer. For transmission, a TPK is encrypted under a TMK; for local storage it is encrypted under one of the LMK pairs.

  6. Terminal Authentication Key

A Terminal Authentication Key (TAK) is a data-encrypting key which is used to generate and verify a Message Authentication Code (MAC) when data is transmitted, within a local network, between a terminal and the terminal data acquirer. For transmission, a TAK is encrypted under a TMK or ZMK; for local storage it is encrypted under one of the LMK pairs.

  7. PIN Verification Key

A PIN Verification Key (PVK) is a data-encrypting key which is used to generate and verify PIN verification data and thus verify the authenticity of a PIN. For transmission, a PVK is encrypted under a TMK or under a ZMK; for local storage, it is encrypted under one of the LMK pairs.

  8. Card Verification Key

A Card Verification Key (CVK) is similar to a PIN Verification Key, but for Card information instead of a PIN.

The HSM supports Master / Session Key and Transaction Key management techniques.
