Complete list of Thales HSM commands
2020-12-23
List of Thales HSM commands with their description.
Host Command (Response) | Function | Supported by BP-HSM | Note |
A0 (A1) | Generate a Key | X | |
A2 (A3, AZ) | Generate and Print a Component | Printer handling | |
A4 (A5) | Form a Key from Encrypted Components | X | |
A6 (A7) | Import a Key | X | |
A8 (A9) | Export a Key | X | |
AA (AB) | Translate a TMK, TPK or PVK | ||
AC (AD) | Translate a TAK | ||
AE (AF) | Translate a TMK, TPK or PVK from LMK to Another TMK, TPK or PVK | X | |
AG (AH) | Translate a TAK from LMK to TMK Encryption | X | |
AQ (AR) | Translate an RSA-encrypted PIN to a ZPK or TPK-encrypted | X | |
AS (AT) | Generate a CVK Pair | ||
AU (AV) | Translate a CVK Pair from LMK to ZMK Encryption | X | |
AW (AX) | Translate a CVK Pair from ZMK to LMK Encryption | X | |
AY (AZ) | Translate a CVK Pair from Old LMK to New LMK Encryption | ||
B0 (B1) | Translate Key Scheme | X | |
B2 (B3) | Echo Command | X | |
BA (BB) | Encrypt a Clear PIN | X | |
BC (BD) | Verify a Terminal PIN Using the Comparison Method | X | |
BE (BF) | Verify an Interchange PIN Using the Comparison Method | X | |
BG (BH) | Translate a PIN and PIN Length | Missing KEY CHANGE STORAGE | |
BI (BJ) | Generate a BDK | X | |
BK (BL) | Generate an IBM PIN Offset (of a customer selected PIN) | X | |
BM (BN) | Load the Excluded PIN Table | ||
BQ (BR) | Translate PIN Algorithm | ||
BS (BT) | Erase the Key Change Storage | ||
BU (BV) | Generate a Key Check Value | X | |
BW (BX) | Translate Keys from Old LMK to New LMK | ||
BY (BZ) | Translate ZMK from ZMK to LMK encryption | ||
C0 (C1) | Generate Initial Terminal Master Keys (AS2805) | X | Term |
C2 (C3) | Generate a MAC (Message Authentication Code, large messages) (AS2805) | X | |
C4 (C5) | Verify MAC (Message Authentication Code, large messages) (AS2805) | X | |
C6 (C7) | Generate a Random Number (AS2805) | X | Term |
C8 (C9) | Generate an Acquirer Master Key Encrypting Key (AS2805) | Term | |
CA (CB) | Translate a PIN from TPK to ZPK Encryption | X | |
CC (CD) | Translate a PIN from One ZPK to Another | X | |
CE (CF) | Generate a Diebold PIN Offset | ||
CG (CH) | Verify a Terminal PIN Using the Diebold Method | X | Custom Code |
CI (CJ) | Translate a PIN from BDK to ZPK Encryption (DUKPT) | X | |
CK (CL) | Verify a PIN Using the IBM Method (DUKPT) | X | |
CM (CN) | Verify a PIN Using the VISA PVV Method (DUKPT) | X | |
CO (CP) | Verify a PIN Using the Diebold Method (DUKPT) | ||
CQ (CR) | Verify a PIN Using the Encrypted PIN Method (DUKPT) | ||
CU (CV) | Verify & Generate a VISA PVV (of a customer selected PIN) | X | |
CW (CX) | Generate a Card Verification Code/Value | X | |
CY (CZ) | Verify a Card Verification Code/Value | X | |
D0 (D1) | Generate a PIN Pad Authentication Code (AS2805) | X | Term |
D2 (D3) | Verify a PIN pad Authentication code (AS2805) | X | Term |
D4 (D5) | Translate a PIN Block to Encryption under a PIN Encryption Key (AS2805) | Term | |
D6 (D7) | Translate an Acquirer Master Key Encrypting Key (AS2805) | Term | |
D8 (D9) | Encrypt a CPAT Authentication Value (AS2805) | Term | |
DA (DB) | Verify a Terminal PIN Using the IBM Method | X | |
DC (DD) | Verify a Terminal PIN Using the VISA Method | X | |
DE (DF) | Generate an IBM PIN Offset (of an LMK encrypted PIN) | X | |
DG (DH) | Generate a VISA PIN Verification Value (of an LMK encrypted PIN) | X | |
DI (DJ) | Generate and Export a KML | ||
DK (DL) | Import a KML | ||
DM (DN) | Verify Load Signature S1 and Generate Load Signature S2 | ||
DO (DP) | Verify Load Completion Signature S3 | ||
DQ (DR) | Verify Unload Signature S1 and Generate Unload Signature S2 | ||
DS (DT) | Verify Unload Completion Signature S3 | ||
DU (DV) | Verify & Generate an IBM PIN Offset (of customer selected new PIN) | X | |
DW (DX) | Translate a BDK from ZMK to LMK Encryption | X | |
DY (DZ) | Translate a BDK from LMK to ZMK Encryption | X | |
E0 (E1) | Generate a KEKs Validation Request (AS2805) | X | |
E2 (E3) | Generate a KEKr Validation Response (AS2805) | X | |
E4 (E5) | Verify a PIN Pad Proof of End Point (POEP) (AS2805) | X | Term |
E6 (E7) | Generate a PIN Pad Proof of Endpoint (AS2805) | Term | |
E8 (E9) | Generate a KCA and KMACH (AS2805) | Term | |
EA (EB) | Verify an Interchange PIN Using the IBM Method | X | |
EC (ED) | Verify an Interchange PIN Using the VISA Method | X | |
EE (EF) | Derive a PIN Using the IBM Method | X | |
EG (EH) | Verify an Interchange PIN Using the Diebold Method | X | Custom Code |
EI (EJ) | Generate an RSA Key Set | X | |
EK (EL) | Load an RSA Secret Key | X | |
EM (EN) | Translate an RSA Secret Key | ||
EO (EP) | Import a Public Key (Generate a MAC on an RSA Public Key) | X | |
EQ (ER) | Validate a Public Key (Verify a MAC on an RSA Public Key) | X | |
ES (ET) | Validate a Certificate and Generate a MAC on its RSA Public Key | X | |
EU (EV) | Translate a MAC on an RSA Public Key | ||
EW (EX) | Generate an RSA Signature | X | |
EY (EZ) | Validate an RSA Signature | X | |
F0 (F1) | Verify a Terminal PIN using the IBM Method (AS2805) | X | Term |
F2 (F3) | Verify a Terminal PIN using the VISA Method (AS2805) | X | Term |
F4 (F5) | Calculate KMACI | Term | |
F6 (F7) | KEKGEN (AS2805) | ||
F8 (F9) | KEKREC (AS2805) | ||
FA (FB) | Translate a ZPK from ZMK to LMK Encryption | X | |
FC (FD) | Translate a TMK, TPK or PVK from ZMK to LMK Encryption | X | |
FE (FF) | Translate a TMK, TPK or PVK from LMK to ZMK Encryption | X | |
FG (FH) | Generate a Pair of PVKs | X | |
FI (FJ) | Generate ZEK/ZAK | X | |
FK (FL) | Translate a ZEK/ZAK from ZMK to LMK Encryption | X | |
FM (FN) | Translate a ZEK/ZAK from LMK to ZMK Encryption | X | |
FO (FP) | Generate a Watchword Key | ||
FQ (FR) | Translate a Watchword Key from LMK to ZMK Encryption | X | |
FS (FT) | Translate a Watchword Key from ZMK to LMK Encryption | X | |
FU (FV) | Verify a Watchword Response | ||
FW (FX) | Generate a VISA PIN Verification Value (of a customer selected PIN) | X | |
G0 (G1) | Translate a PIN from BDK to ZPK Encryption (3DES DUKPT) | X | |
GA (GB) | Derive a PIN Using the Diebold Method | ||
GC (GD) | Translate a ZPK from LMK to ZMK Encryption | X | |
GE (GF) | Translate a ZMK | ||
GG (GH) | Form a ZMK from Three ZMK Components | ||
GI (GJ) | Import Key under an RSA Public Key | X | |
GK (GL) | Export Key under an RSA Public Key | X | |
GM (GN) | Hash a Block of Data | X | |
GO (GP) | Verify a PIN Using the IBM Method (3DES DUKPT) | X | |
GQ (GR) | Verify a PIN Using the VISA PVV Method (3DES DUKPT) | X | |
GS (GT) | Verify a PIN Using the Diebold Method (3DES DUKPT) | – | |
GU (GV) | Verify a PIN Using the Encrypted PIN Method (3DES DUKPT) | X | Custom Code |
GW (GX) | Generate/Verify a MAC (3DES DUKPT) | X | |
GY (GZ) | Form a ZMK from 2 to 9 ZMK Components | X | |
H0 (H1) | Decrypt a PIN Pad Public Key (AS2805) | Term | |
H2 (H3) | Generate a RSA Public Key Verification Code (AS2805) | ||
H4 (H5) | Generate a KEKs for use in Node to Node interchange using RSA (AS2805) | ||
H6 (H7) | Receive a KEKr for use in Node to Node interchange using RSA (AS2805) | ||
H8 (H9) | Encrypt a Cross Acquirer Key Encrypting Key under an Initial Transport Key (AS2805) | Term | |
HA (HB) | Generate a TAK | X | |
HC (HD) | Generate a TMK, TPK or PVK | X | |
I0 (I1) | Encrypt a Terminal Key under the Local Master Key (AS2805) | Term | |
I2 (I3) | Import MULTOS Transport Key Certifying Key | EMV Issuing | |
I4 (I5) | Import MULTOS Hash Modulus Key | EMV Issuing | |
I6 (I7) | Translate MULTOS KTU | EMV Issuing | |
I8 (I9) | MULTOS ALU Generator | EMV Issuing | |
IA (IB) | Generate a ZPK | X | |
IC (ID) | Establish Secure Session with Chip Card | EMV Issuing | |
IE (IF) | Prepare Secure Message for Chip Card | EMV Issuing | |
JA (JB) | Generate a Random PIN | X | |
JC (JD) | Translate a PIN from TPK to LMK Encryption | X | |
JE (JF) | Translate a PIN from ZPK to LMK Encryption | X | |
JG (JH) | Translate a PIN from LMK to ZPK Encryption | X | |
K0 (K1) | Verify Encrypted Counters (EMV | ||
K2 (K3) | Verify Truncated Application Cryptogram (MasterCard CAP) | ||
K8 (K9) | Export a Key under a KEK | ||
KA (KB) | Generate a Key Check Value (Not Double-Length ZMK) | X | |
KC (KD) | Translate a ZPK | ||
KE (KF) | Generate Issuer RSA Key Set and Public Key Certificate | EMV Issuing | |
KG (KH) | Validate an Issuer Public Key Certificate | EMV Issuing | |
KI (KJ) | Derive Card Unique DES Keys | EMV Issuing | |
KK (KL) | Import a Certification Authority Self-Signed Certificate | EMV Issuing | |
KM (KN) | Generate Static Data Authentication Signature | EMV Issuing | |
KO (KP) | Generate Card RSA Key Set and Public Key Certificate | EMV Issuing | |
KQ (KR) | ARQC Verification and/or ARPC Generation (EMV 3.1.1) | X | |
KS (KT) | Data Authentication Code and Dynamic Number Verification (EMV 3.1.1) | X | |
KU (KV) | Generate Secure Message (EMV 3.1.1) | ||
KW (KX) | ARQC Verification and/or ARPC Generation (EMV 4.x) | X | |
KY (KZ) | Generate Secure Message (EMV 4.x) | ||
L0 (L1) | Generate an HMAC Secret Key | ||
LA (LB) | Load Data to User Storage | ||
LC (LD) | Verify the Diebold Table in User Storage | ||
LE (LF) | Read Data from User Storage | ||
LG (LH) | Set HSM Response Delay | X | Custom Code, no real functionality yet |
LI (LJ) | Load a PIN Text String | ||
LK (LL) | Generate a Decimal MAC | ||
LM (LN) | Verify a Decimal MAC | ||
LO (LP) | Translate Decimalisation Table from Old to New LMK | ||
LQ (LR) | Generate an HMAC on a Block of Data | ||
LS (LT) | Verify an HMAC on a Block of Data | ||
LU (LV) | Import an HMAC key under a ZMK | ||
LW (LX) | Export an HMAC key under a ZMK | ||
LY (LZ) | Translate a HMAC Key from Old LMK to New LMK | ||
M0 (M1) | Encrypt Data Block | X | |
M2 (M3) | Decrypt Data Block | X | |
M4 (M5) | Translate Data Block | X | |
M6 (M7) | Generate MAC | X | |
M8 (M9) | Verify MAC | X | |
MA (MB) | Generate a MAC | ||
MC (MD) | Verify a MAC | ||
ME (MF) | Verify and Translate a MAC | ||
MG (MH) | Translate a TAK from LMK to ZMK Encryption | X | |
MI (MJ) | Translate a TAK from ZMK to LMK Encryption | X | |
MK (ML) | Generate a Binary MAC | ||
MM (MN) | Verify a Binary MAC | ||
MO (MP) | Verify and Translate a Binary MAC | ||
MQ (MR) | Generate MAC (MAB) for Large Message | ||
MS (MT) | Generate MAC (MAB) using ANSI X9.19 Method for a Large Message | ||
MY (MZ) | Verify and Translate MAC | X | |
NC (ND) | Perform Diagnostics | X | |
NE (NF, NZ) | Generate and Print a Key as Split Components | ||
NG (NH) | Decrypt an Encrypted PIN | X | |
NI (NJ) | Return Network Information | ||
NK (NL) | Command Chaining | X | |
NO (NP) | HSM Status | X | |
NY (NZ) | Generate IVCVC3 and Static CVC3 | EMV Issuing | |
OA (OB, OZ) | Print a PIN Solicitation Mailer | ||
OC (OD, OZ) | Generate and Print a ZMK Component | ||
OE (OF, OZ) | Generate and Print a TMK, TPK or PVK | ||
OI (OJ) | Generate a Set of Zone Keys (AS2805) | X | |
OK (OL) | Translate a Set of Zone Keys to Encryption under the Local Master Key (AS2805) | X | |
OU (OV) | Update Terminal Master Key 1 (Roll KEK 1) (AS2805) | X | Term |
OW (OX) | Update Terminal Master Keys (Roll KEK 1 and KEK 2) (AS2805) | X | Term |
P2 (P3) | Generate a VISA PVV (AS2805) | Term | |
P4 (P5) | Generate a Proof of Host value (AS2805) | Term | |
PA (PB) | Load Formatting Data to HSM | X | |
PC (PD) | Load Additional Formatting Data to HSM | ||
PE (PF, PZ) | Print PIN/PIN and Solicitation Data | X | |
PG (PH) | Verify PIN/PIN and Solicitation Mailer Cryptography | ||
PI (PJ) | Generate Terminal Key Set (AS2805) | X | Term |
PK (PL) | Generate a PIN Pad Acquirer Security Number (AS2805) | Term | |
PM (PN) | Verify a Dynamic CVV (dCVV) | X | |
PO (PP) | Verify and Generate a VISA PVV, translate a PIN Block to Encryption under a Zone PIN Key (AS2805) | X | Term |
PQ (PR) | Generate a Message Authentication Code AS2805-1988 (AS2805) | ||
PS (PT) | Validate a Message Authentication Code AS2805-1988 (AS2805) | ||
PU (PV) | Encrypt data (AS2805) | X | |
PW (PX) | Decrypt data (AS2805) | X | |
PY (PZ) | Verify and Generate an IBM PIN Offset (AS2805) | Term | |
Q0 (Q1) | Translate Audit Record MAC key | ||
Q2 (Q3) | Retrieve Audit Record | ||
Q4 (Q5) | Archive (Print) Audit Record | ||
Q6 (Q7) | Delete Audit Record | ||
Q8 (Q9) | Audit Record Verification | ||
QA (QB) | Load Solicitation Data to User Storage | ||
QC (QD) | Final Load of Solicitation Data to User Storage | ||
QI (QJ) | Translate a PPASN from old to new LMK (AS2805) | Term | |
QM (QN) | Data Encryption Using a Derived Privacy Key (AS2805.6.2) | Term | |
QO (QP) | Data Decryption Using a Derived Privacy Key (AS2805.6.2) | Term | |
QQ (QR) | Verify a PIN at Card Issuer using IBM Method (AS2805.6.2) | Term | |
QS (QT) | Verify a PIN at Card Issuer using the Diebold Method (AS2805.6.2) | Term | |
QU (QV) | Verify a PIN at Card Issuer using Visa Method (AS2805.6.2) | Term | |
QW (QX) | Verify a PIN at Card Issuer using the Comparison Method (AS2805.6.2) | Term | |
RA (RB) | Cancel Authorised Activities | ||
RC (RD) | Verify Solicitation Mailer Cryptography | ||
RE (RF) | Verify a Transaction Request, without PIN (AS2805.6.2) | Term | |
RG (RH) | Verify a Transaction Request, with PIN, when CD Field Available (AS2805.6.2) | Term | |
RI (RJ) | Verify a Transaction Request, with PIN, when CD Field not Available (AS2805.6.2) | Term | |
RI (RJ) | Transaction Request With a PIN (T/AQ Key) | ||
RK (RL) | Generate Transaction Response, with Auth Para Generated by Acquirer (AS2805.6.2) | Term | |
RK (RL) | Transaction Request Without a PIN | ||
RM (RN) | Generate Transaction Response with Auth Para Generated by Card Issuer (AS2805.6.2) | Term | |
RM (RN) | Administration Request Message | ||
RO (RP) | Translate a PIN from PEK to ZPK Encryption (AS2805.6.2) | Term | |
RO (RP) | Transaction Response with Auth Para from Card Issuer | ||
RQ (RR) | Verify a Transaction Completion Confirmation Request (AS2805.6.2) | Term | |
RQ (RR) | Generate Auth Para and Transaction Response | ||
RS (RT) | Generate a Transaction Completion Response (AS2805.6.2) | Term | |
RS (RT) | Confirmation | ||
RU (RV) | Generate Auth Para at the Card Issuer (AS2805.6.2) | Term | |
RU (RV) | Transaction Request With a PIN (T/CI Key) | ||
RW (RX) | Generate an Initial Terminal Key (AS2805.6.2) | Term | |
RW (RX) | Translate KEYVAL | ||
RY (RZ) | Calculate Card Security Codes | ||
RY (RZ) | Verify Card Security Codes | ||
RY (RZ) | Generate a CSCK | ||
RY (RZ) | Export a CSCK | ||
RY (RZ) | Import a CSCK | ||
SC (SD) | |||
SE (SF) | |||
SI (SJ) | |||
SK (SL) | Generate ZAK, ZPK under BDK and MAC, PAC random numbers (Shell) | ||
TA (TB, TZ) | Print TMK Mailer |