Complete list of Thales HSM commands
2020-12-23
List of Thales HSM commands with their description.
| Host Command (Response) | Function | Supported by BP-HSM | Note |
| A0 (A1) | Generate a Key | X | |
| A2 (A3, AZ) | Generate and Print a Component | Printer handling | |
| A4 (A5) | Form a Key from Encrypted Components | X | |
| A6 (A7) | Import a Key | X | |
| A8 (A9) | Export a Key | X | |
| AA (AB) | Translate a TMK, TPK or PVK | ||
| AC (AD) | Translate a TAK | ||
| AE (AF) | Translate a TMK, TPK or PVK from LMK to Another TMK, TPK or PVK | X | |
| AG (AH) | Translate a TAK from LMK to TMK Encryption | X | |
| AQ (AR) | Translate an RSA-encrypted PIN to a ZPK or TPK-encrypted | X | |
| AS (AT) | Generate a CVK Pair | ||
| AU (AV) | Translate a CVK Pair from LMK to ZMK Encryption | X | |
| AW (AX) | Translate a CVK Pair from ZMK to LMK Encryption | X | |
| AY (AZ) | Translate a CVK Pair from Old LMK to New LMK Encryption | ||
| B0 (B1) | Translate Key Scheme | X | |
| B2 (B3) | Echo Command | X | |
| BA (BB) | Encrypt a Clear PIN | X | |
| BC (BD) | Verify a Terminal PIN Using the Comparison Method | X | |
| BE (BF) | Verify an Interchange PIN Using the Comparison Method | X | |
| BG (BH) | Translate a PIN and PIN Length | Missing KEY CHANGE STORAGE | |
| BI (BJ) | Generate a BDK | X | |
| BK (BL) | Generate an IBM PIN Offset (of a customer selected PIN) | X | |
| BM (BN) | Load the Excluded PIN Table | ||
| BQ (BR) | Translate PIN Algorithm | ||
| BS (BT) | Erase the Key Change Storage | ||
| BU (BV) | Generate a Key Check Value | X | |
| BW (BX) | Translate Keys from Old LMK to New LMK | ||
| BY (BZ) | Translate ZMK from ZMK to LMK encryption | ||
| C0 (C1) | Generate Initial Terminal Master Keys (AS2805) | X | Term |
| C2 (C3) | Generate a MAC (Message Authentication Code, large messages) (AS2805) | X | |
| C4 (C5) | Verify MAC (Message Authentication Code, large messages) (AS2805) | X | |
| C6 (C7) | Generate a Random Number (AS2805) | X | Term |
| C8 (C9) | Generate an Acquirer Master Key Encrypting Key (AS2805) | Term | |
| CA (CB) | Translate a PIN from TPK to ZPK Encryption | X | |
| CC (CD) | Translate a PIN from One ZPK to Another | X | |
| CE (CF) | Generate a Diebold PIN Offset | ||
| CG (CH) | Verify a Terminal PIN Using the Diebold Method | X | Custom Code |
| CI (CJ) | Translate a PIN from BDK to ZPK Encryption (DUKPT) | X | |
| CK (CL) | Verify a PIN Using the IBM Method (DUKPT) | X | |
| CM (CN) | Verify a PIN Using the VISA PVV Method (DUKPT) | X | |
| CO (CP) | Verify a PIN Using the Diebold Method (DUKPT) | ||
| CQ (CR) | Verify a PIN Using the Encrypted PIN Method (DUKPT) | ||
| CU (CV) | Verify & Generate a VISA PVV (of a customer selected PIN) | X | |
| CW (CX) | Generate a Card Verification Code/Value | X | |
| CY (CZ) | Verify a Card Verification Code/Value | X | |
| D0 (D1) | Generate a PIN Pad Authentication Code (AS2805) | X | Term |
| D2 (D3) | Verify a PIN pad Authentication code (AS2805) | X | Term |
| D4 (D5) | Translate a PIN Block to Encryption under a PIN Encryption Key (AS2805) | Term | |
| D6 (D7) | Translate an Acquirer Master Key Encrypting Key (AS2805) | Term | |
| D8 (D9) | Encrypt a CPAT Authentication Value (AS2805) | Term | |
| DA (DB) | Verify a Terminal PIN Using the IBM Method | X | |
| DC (DD) | Verify a Terminal PIN Using the VISA Method | X | |
| DE (DF) | Generate an IBM PIN Offset (of an LMK encrypted PIN) | X | |
| DG (DH) | Generate a VISA PIN Verification Value (of an LMK encrypted PIN) | X | |
| DI (DJ) | Generate and Export a KML | ||
| DK (DL) | Import a KML | ||
| DM (DN) | Verify Load Signature S1 and Generate Load Signature S2 | ||
| DO (DP) | Verify Load Completion Signature S3 | ||
| DQ (DR) | Verify Unload Signature S1 and Generate Unload Signature S2 | ||
| DS (DT) | Verify Unload Completion Signature S3 | ||
| DU (DV) | Verify & Generate an IBM PIN Offset (of customer selected new PIN) | X | |
| DW (DX) | Translate a BDK from ZMK to LMK Encryption | X | |
| DY (DZ) | Translate a BDK from LMK to ZMK Encryption | X | |
| E0 (E1) | Generate a KEKs Validation Request (AS2805) | X | |
| E2 (E3) | Generate a KEKr Validation Response (AS2805) | X | |
| E4 (E5) | Verify a PIN Pad Proof of End Point (POEP) (AS2805) | X | Term |
| E6 (E7) | Generate a PIN Pad Proof of Endpoint (AS2805) | Term | |
| E8 (E9) | Generate a KCA and KMACH (AS2805) | Term | |
| EA (EB) | Verify an Interchange PIN Using the IBM Method | X | |
| EC (ED) | Verify an Interchange PIN Using the VISA Method | X | |
| EE (EF) | Derive a PIN Using the IBM Method | X | |
| EG (EH) | Verify an Interchange PIN Using the Diebold Method | X | Custom Code |
| EI (EJ) | Generate an RSA Key Set | X | |
| EK (EL) | Load an RSA Secret Key | X | |
| EM (EN) | Translate an RSA Secret Key | ||
| EO (EP) | Import a Public Key (Generate a MAC on an RSA Public Key) | X | |
| EQ (ER) | Validate a Public Key (Verify a MAC on an RSA Public Key) | X | |
| ES (ET) | Validate a Certificate and Generate a MAC on its RSA Public Key | X | |
| EU (EV) | Translate a MAC on an RSA Public Key | ||
| EW (EX) | Generate an RSA Signature | X | |
| EY (EZ) | Validate an RSA Signature | X | |
| F0 (F1) | Verify a Terminal PIN using the IBM Method (AS2805) | X | Term |
| F2 (F3) | Verify a Terminal PIN using the VISA Method (AS2805) | X | Term |
| F4 (F5) | Calculate KMACI | Term | |
| F6 (F7) | KEKGEN (AS2805) | ||
| F8 (F9) | KEKREC (AS2805) | ||
| FA (FB) | Translate a ZPK from ZMK to LMK Encryption | X | |
| FC (FD) | Translate a TMK, TPK or PVK from ZMK to LMK Encryption | X | |
| FE (FF) | Translate a TMK, TPK or PVK from LMK to ZMK Encryption | X | |
| FG (FH) | Generate a Pair of PVKs | X | |
| FI (FJ) | Generate ZEK/ZAK | X | |
| FK (FL) | Translate a ZEK/ZAK from ZMK to LMK Encryption | X | |
| FM (FN) | Translate a ZEK/ZAK from LMK to ZMK Encryption | X | |
| FO (FP) | Generate a Watchword Key | ||
| FQ (FR) | Translate a Watchword Key from LMK to ZMK Encryption | X | |
| FS (FT) | Translate a Watchword Key from ZMK to LMK Encryption | X | |
| FU (FV) | Verify a Watchword Response | ||
| FW (FX) | Generate a VISA PIN Verification Value (of a customer selected PIN) | X | |
| G0 (G1) | Translate a PIN from BDK to ZPK Encryption (3DES DUKPT) | X | |
| GA (GB) | Derive a PIN Using the Diebold Method | ||
| GC (GD) | Translate a ZPK from LMK to ZMK Encryption | X | |
| GE (GF) | Translate a ZMK | ||
| GG (GH) | Form a ZMK from Three ZMK Components | ||
| GI (GJ) | Import Key under an RSA Public Key | X | |
| GK (GL) | Export Key under an RSA Public Key | X | |
| GM (GN) | Hash a Block of Data | X | |
| GO (GP) | Verify a PIN Using the IBM Method (3DES DUKPT) | X | |
| GQ (GR) | Verify a PIN Using the VISA PVV Method (3DES DUKPT) | X | |
| GS (GT) | Verify a PIN Using the Diebold Method (3DES DUKPT) | – | |
| GU (GV) | Verify a PIN Using the Encrypted PIN Method (3DES DUKPT) | X | Custom Code |
| GW (GX) | Generate/Verify a MAC (3DES DUKPT) | X | |
| GY (GZ) | Form a ZMK from 2 to 9 ZMK Components | X | |
| H0 (H1) | Decrypt a PIN Pad Public Key (AS2805) | Term | |
| H2 (H3) | Generate a RSA Public Key Verification Code (AS2805) | ||
| H4 (H5) | Generate a KEKs for use in Node to Node interchange using RSA (AS2805) | ||
| H6 (H7) | Receive a KEKr for use in Node to Node interchange using RSA (AS2805) | ||
| H8 (H9) | Encrypt a Cross Acquirer Key Encrypting Key under an Initial Transport Key (AS2805) | Term | |
| HA (HB) | Generate a TAK | X | |
| HC (HD) | Generate a TMK, TPK or PVK | X | |
| I0 (I1) | Encrypt a Terminal Key under the Local Master Key (AS2805) | Term | |
| I2 (I3) | Import MULTOS Transport Key Certifying Key | EMV Issuing | |
| I4 (I5) | Import MULTOS Hash Modulus Key | EMV Issuing | |
| I6 (I7) | Translate MULTOS KTU | EMV Issuing | |
| I8 (I9) | MULTOS ALU Generator | EMV Issuing | |
| IA (IB) | Generate a ZPK | X | |
| IC (ID) | Establish Secure Session with Chip Card | EMV Issuing | |
| IE (IF) | Prepare Secure Message for Chip Card | EMV Issuing | |
| JA (JB) | Generate a Random PIN | X | |
| JC (JD) | Translate a PIN from TPK to LMK Encryption | X | |
| JE (JF) | Translate a PIN from ZPK to LMK Encryption | X | |
| JG (JH) | Translate a PIN from LMK to ZPK Encryption | X | |
| K0 (K1) | Verify Encrypted Counters (EMV | ||
| K2 (K3) | Verify Truncated Application Cryptogram (MasterCard CAP) | ||
| K8 (K9) | Export a Key under a KEK | ||
| KA (KB) | Generate a Key Check Value (Not Double-Length ZMK) | X | |
| KC (KD) | Translate a ZPK | ||
| KE (KF) | Generate Issuer RSA Key Set and Public Key Certificate | EMV Issuing | |
| KG (KH) | Validate an Issuer Public Key Certificate | EMV Issuing | |
| KI (KJ) | Derive Card Unique DES Keys | EMV Issuing | |
| KK (KL) | Import a Certification Authority Self-Signed Certificate | EMV Issuing | |
| KM (KN) | Generate Static Data Authentication Signature | EMV Issuing | |
| KO (KP) | Generate Card RSA Key Set and Public Key Certificate | EMV Issuing | |
| KQ (KR) | ARQC Verification and/or ARPC Generation (EMV 3.1.1) | X | |
| KS (KT) | Data Authentication Code and Dynamic Number Verification (EMV 3.1.1) | X | |
| KU (KV) | Generate Secure Message (EMV 3.1.1) | ||
| KW (KX) | ARQC Verification and/or ARPC Generation (EMV 4.x) | X | |
| KY (KZ) | Generate Secure Message (EMV 4.x) | ||
| L0 (L1) | Generate an HMAC Secret Key | ||
| LA (LB) | Load Data to User Storage | ||
| LC (LD) | Verify the Diebold Table in User Storage | ||
| LE (LF) | Read Data from User Storage | ||
| LG (LH) | Set HSM Response Delay | X | Custom Code, no real functionality yet |
| LI (LJ) | Load a PIN Text String | ||
| LK (LL) | Generate a Decimal MAC | ||
| LM (LN) | Verify a Decimal MAC | ||
| LO (LP) | Translate Decimalisation Table from Old to New LMK | ||
| LQ (LR) | Generate an HMAC on a Block of Data | ||
| LS (LT) | Verify an HMAC on a Block of Data | ||
| LU (LV) | Import an HMAC key under a ZMK | ||
| LW (LX) | Export an HMAC key under a ZMK | ||
| LY (LZ) | Translate a HMAC Key from Old LMK to New LMK | ||
| M0 (M1) | Encrypt Data Block | X | |
| M2 (M3) | Decrypt Data Block | X | |
| M4 (M5) | Translate Data Block | X | |
| M6 (M7) | Generate MAC | X | |
| M8 (M9) | Verify MAC | X | |
| MA (MB) | Generate a MAC | ||
| MC (MD) | Verify a MAC | ||
| ME (MF) | Verify and Translate a MAC | ||
| MG (MH) | Translate a TAK from LMK to ZMK Encryption | X | |
| MI (MJ) | Translate a TAK from ZMK to LMK Encryption | X | |
| MK (ML) | Generate a Binary MAC | ||
| MM (MN) | Verify a Binary MAC | ||
| MO (MP) | Verify and Translate a Binary MAC | ||
| MQ (MR) | Generate MAC (MAB) for Large Message | ||
| MS (MT) | Generate MAC (MAB) using ANSI X9.19 Method for a Large Message | ||
| MY (MZ) | Verify and Translate MAC | X | |
| NC (ND) | Perform Diagnostics | X | |
| NE (NF, NZ) | Generate and Print a Key as Split Components | ||
| NG (NH) | Decrypt an Encrypted PIN | X | |
| NI (NJ) | Return Network Information | ||
| NK (NL) | Command Chaining | X | |
| NO (NP) | HSM Status | X | |
| NY (NZ) | Generate IVCVC3 and Static CVC3 | EMV Issuing | |
| OA (OB, OZ) | Print a PIN Solicitation Mailer | ||
| OC (OD, OZ) | Generate and Print a ZMK Component | ||
| OE (OF, OZ) | Generate and Print a TMK, TPK or PVK | ||
| OI (OJ) | Generate a Set of Zone Keys (AS2805) | X | |
| OK (OL) | Translate a Set of Zone Keys to Encryption under the Local Master Key (AS2805) | X | |
| OU (OV) | Update Terminal Master Key 1 (Roll KEK 1) (AS2805) | X | Term |
| OW (OX) | Update Terminal Master Keys (Roll KEK 1 and KEK 2) (AS2805) | X | Term |
| P2 (P3) | Generate a VISA PVV (AS2805) | Term | |
| P4 (P5) | Generate a Proof of Host value (AS2805) | Term | |
| PA (PB) | Load Formatting Data to HSM | X | |
| PC (PD) | Load Additional Formatting Data to HSM | ||
| PE (PF, PZ) | Print PIN/PIN and Solicitation Data | X | |
| PG (PH) | Verify PIN/PIN and Solicitation Mailer Cryptography | ||
| PI (PJ) | Generate Terminal Key Set (AS2805) | X | Term |
| PK (PL) | Generate a PIN Pad Acquirer Security Number (AS2805) | Term | |
| PM (PN) | Verify a Dynamic CVV (dCVV) | X | |
| PO (PP) | Verify and Generate a VISA PVV, translate a PIN Block to Encryption under a Zone PIN Key (AS2805) | X | Term |
| PQ (PR) | Generate a Message Authentication Code AS2805-1988 (AS2805) | ||
| PS (PT) | Validate a Message Authentication Code AS2805-1988 (AS2805) | ||
| PU (PV) | Encrypt data (AS2805) | X | |
| PW (PX) | Decrypt data (AS2805) | X | |
| PY (PZ) | Verify and Generate an IBM PIN Offset (AS2805) | Term | |
| Q0 (Q1) | Translate Audit Record MAC key | ||
| Q2 (Q3) | Retrieve Audit Record | ||
| Q4 (Q5) | Archive (Print) Audit Record | ||
| Q6 (Q7) | Delete Audit Record | ||
| Q8 (Q9) | Audit Record Verification | ||
| QA (QB) | Load Solicitation Data to User Storage | ||
| QC (QD) | Final Load of Solicitation Data to User Storage | ||
| QI (QJ) | Translate a PPASN from old to new LMK (AS2805) | Term | |
| QM (QN) | Data Encryption Using a Derived Privacy Key (AS2805.6.2) | Term | |
| QO (QP) | Data Decryption Using a Derived Privacy Key (AS2805.6.2) | Term | |
| QQ (QR) | Verify a PIN at Card Issuer using IBM Method (AS2805.6.2) | Term | |
| QS (QT) | Verify a PIN at Card Issuer using the Diebold Method (AS2805.6.2) | Term | |
| QU (QV) | Verify a PIN at Card Issuer using Visa Method (AS2805.6.2) | Term | |
| QW (QX) | Verify a PIN at Card Issuer using the Comparison Method (AS2805.6.2) | Term | |
| RA (RB) | Cancel Authorised Activities | ||
| RC (RD) | Verify Solicitation Mailer Cryptography | ||
| RE (RF) | Verify a Transaction Request, without PIN (AS2805.6.2) | Term | |
| RG (RH) | Verify a Transaction Request, with PIN, when CD Field Available (AS2805.6.2) | Term | |
| RI (RJ) | Verify a Transaction Request, with PIN, when CD Field not Available (AS2805.6.2) | Term | |
| RI (RJ) | Transaction Request With a PIN (T/AQ Key) | ||
| RK (RL) | Generate Transaction Response, with Auth Para Generated by Acquirer (AS2805.6.2) | Term | |
| RK (RL) | Transaction Request Without a PIN | ||
| RM (RN) | Generate Transaction Response with Auth Para Generated by Card Issuer (AS2805.6.2) | Term | |
| RM (RN) | Administration Request Message | ||
| RO (RP) | Translate a PIN from PEK to ZPK Encryption (AS2805.6.2) | Term | |
| RO (RP) | Transaction Response with Auth Para from Card Issuer | ||
| RQ (RR) | Verify a Transaction Completion Confirmation Request (AS2805.6.2) | Term | |
| RQ (RR) | Generate Auth Para and Transaction Response | ||
| RS (RT) | Generate a Transaction Completion Response (AS2805.6.2) | Term | |
| RS (RT) | Confirmation | ||
| RU (RV) | Generate Auth Para at the Card Issuer (AS2805.6.2) | Term | |
| RU (RV) | Transaction Request With a PIN (T/CI Key) | ||
| RW (RX) | Generate an Initial Terminal Key (AS2805.6.2) | Term | |
| RW (RX) | Translate KEYVAL | ||
| RY (RZ) | Calculate Card Security Codes | ||
| RY (RZ) | Verify Card Security Codes | ||
| RY (RZ) | Generate a CSCK | ||
| RY (RZ) | Export a CSCK | ||
| RY (RZ) | Import a CSCK | ||
| SC (SD) | |||
| SE (SF) | |||
| SI (SJ) | |||
| SK (SL) | Generate ZAK, ZPK under BDK and MAC, PAC random numbers (Shell) | ||
| TA (TB, TZ) | Print TMK Mailer |