Using the HSM command A0 (Generate a Key), I am getting the below response.
HEADA100U7D4213E0422F4E08E9455D9837E09FDDRA0072B1TX00S000073C35FF96F7A8C7D35D440CCBDA06FFED3AC7017F27B0A0E8896FFC971F0B9
HEAD (Message Header)
A1 (Response Code)
00 (Error Code)
U7D4213E0422F4E08E9455D9837E09FDD (Key under LMK)
RA0072B1TX00S000073C35FF96F7A8C7D35D440CCBDA06FFED3AC7017F27B0A0E8896FFC9 (Key under TMK - export tr31 key block)
71F0B9 (Key Check Value)
My questions are:
How can I extract the key (under tmk) from tr31 key block?
Does anyone know how to decode the tr31 key block?
Take a look at the TR31 standard (which isn't legally available for free, because ANSI wants to make your life miserable).
R doesn't seem to be part of the TR31 block and I can only assume is something Thales specificA is the key block version id (the first field of the header) and describes the key binding method being used. A is deprecated and uses a key variant binding method.0072 is the length of the whole TR31 key block in decimal digits, which happens to fit if, we ignore the leading RB1 is the key usage, which is an Initial DUKPT KeyT is the algorithm of the key, which is Triple-DES (or Triple-DEA in TR31 notation)X is the mode of use, which is "Key used to derive other key(s)"00 is the key version number, which means no key versioning is used for this keyS is the exportability of the key, which is "Sensitive"00 is the number of optional blocks in decimal.00 is reserved for future use and always has to be two ASCII zeros. As there are no optional blocks, this field is the last field of the header.73C35FF96F7A8C7D35D440CCBDA06FFED3AC7017F27B0A0E is the hex encoded encrypted key (everything after the header except the last 8 characters). It is 24 bytes long, which fits for a 16 byte long key (2 bytes key length, 16 bytes key, 6 bytes padding to get to full 8 byte block size).8896FFC9 is the MAC (the last 8 characters which (for key block version id A) are the leftmost 32 bit of the Triple-DES CBC-MAC)To go any further (decrypt the encrypted key) I would need the Key Block Protection Key (which is probably the TMK?).