Product Configuration

payShield Certification Course

Q1 2020
CPL Technical Training
Q3 2019 CPL Technical Training
Copyright © and Legal Disclaimer
Technical Training Documentation.
Copyright © 2019 Gemalto, All rights reserved.
The information contained in this document is intended solely for your personal reference and for learning
purposes. Such information is subject to change without notice, its accuracy is not guaranteed, and it may not
contain all material information concerning Gemalto /Thales (the “Company”).
The Company makes no representation regarding, and assumes no responsibility or liability for, the accuracy or
completeness of, or any errors or omissions in, any information contained herein. The information is used fro lab
purposes only. In addition, the information contains projections and forward-looking statements that may reflect
the Company’s current views with respect to future events. These views are based on current assumptions which
are subject to various risks and which may change over time.
Managing payShield
 Three Options
 Connecting a Console (USBC on front panel)
 Local payShield Manager - Ethernet directly into management port
 Remote payShield Manager - Ethernet into network

 Thales-recommended Option: Remote payShield Manager

 Local payShield Manager comes as part of the payShield package and

creates a GUI user interface that is much easier to use than the console. Once
customer trust has been set up between the payShield and the payShield
Manager Smart Cards, customers can easily choose to add the remote
licenses with minimal setup.
Console
 HSM Console Configuration
 PC with dumb terminal emulator (puTTY or TeraTerm)
 Backup method of managing the HSM
 Self configuring, the setting for the terminal emulator is 9600 N 8 1
 If your laptop does not have a driver for USB serial emulation, you will need to
download a USB-C to serial driver for the laptop. USB-C to USB-A and USB-C
to USB-C cables can be ordered from Thales.
Console Connection

USBC

USBA or C

Laptop must support USB A or C

and a terminal emulator.
Managing the HSM – Using Console Commands
 Dumb terminal / terminal emulator connected to HSM via serial to USB
cable
 Examples of brief commands:
 QH=Query host
 VR=view software version
 Control C to quit
 Commands available depend on:
 Operational state set by keys
 Authorization state enabled by cards
 See payShield 10K Installation and User Guide, Chapter 12, for console
commands
 Managing the HSM Locally or Remotely from
payShield Manager
 Requirements
 A standard Ethernet cable connected directly for local or with Network access for remote
management
 A laptop with access to Internet Explorer, Chrome, or Firefox browser
 A Card Reader recognized by the OS
 payShield Manager Warranted Smart Cards
.
Internet Explorer, A standard Ethernet For remote operation, DHCP is supported. The default
Chrome, or Firefox cable with network or network interface name is “<serial number>-mgmt”. For
browser point-to-point access for example, if the unit’s serial number is A4665000014P, then
connectivity. the default name would be A4665000014P-mgmt.

Ethernet
Standard Management
PC or Laptop port
payShield Manager User Types
 Restricted – Auditor View
 Basic view-only of settings and LMK functions
 Can use Virtual Console
 Administrator
 Restricted RACC smart card authenticated at payShield
 Access to very basic and view-only management functions
 Single RACC smart card authenticated at payShield
 Similar to ‘Offline’ management functions
 Two RACC smart cards authenticated at payShield
 Similar to ‘Secure Mode’
 Access to all functions
 Some functions will require Authorization by authorizing officers
payShield Manager – Commissioning Process
 Establishes Trust Between HSMs and the Management Cards
 For all new payShields and management cards
 Warranting at Thales factory establishes initial key material and certificates for
establishing initial trust path between HSMs and management cards

 At domain level (e.g., Bank Production systems)

 Customer Trust Anchor (CTA) provides 2nd trust hierarchy within customer’s domain

 For HSM security group within CTA security domain

 Whitelisting of CTA-certified administrator and restricted ‘auditor’ cards for controlled
group access to HSM
HSM Commissioning #1 – Commission Cards & HSM
 Commission all Cards and HSMs in a Security Domain using a
Common Customer Trust Anchor (CTA)
 Create own Customer Trust Anchor (CTA)
 Create public/private key pair for each HSM & card Certified public key using
the CTA
 Cards/HSMs not certified by the same CTA cannot be used inside domain
 Forms basic boundary around set of HSMs and their operator cards
(e.g., all Cards and HSMs for Bank production environment)
 Commissioning process can be bootstrapped using warranted HSMs and
cards
The Security Group

Group

Domain
HSM Commissioning #2 – Group HSMs, and the Left
and Right Administrator and Restricted Cards
 Group HSM Administrator Cards with HSMs to be Managed by the
Same Personnel
 Whitelist of allowed HSM left and right administrator and restricted ‘auditor’
cards added to each HSM
 Forms secondary grouping within security Domain (e.g., separates out
management of Banks application systems)
How to Recover after a Medium Tamper
 If an HSM is tampered, then the key material is erased.

 Aside from LMK, the key material also includes HSM and smart card
certificates signed by CTA and required to access payShield Manager.

 So how to recover for payShield Manager?

 Use an AES key - HSM Recovery Key (HRK) to protect and restore the HSM
and smart card certificates.
What is the HSM Recovery Key?
 The HRK is generated by a combination of:
 a single commissioned smart card (i.e., CTA share) and
 two passphrases

 HRK encrypts the certificates of the HSM and security group smart cards
in non-volatile memory, so even after a medium tamper, the certificates
remain protected in the HSM, but not accessible for use.
 The two passphrases are then entered to restore the certificates to the
HSM secure memory.
 payShield Manager is now accessible for remote management.
How to Recover HSM with HRK
 Recovery is Only Possible on the Console using SL Command
 Ensures that the data center operators are able to inspect the HSM prior to
recovery
 Suggested approach:
 Data center operators call HSM operators for passphrases
 Once both passphrases are entered, payShield Manager is recovered
 HSM operators change passphrases

 LMK will Still Need to be Reloaded for Operations

Commissioning Steps
 Create Customer Trust Anchor
 All HSMs and cards used within security domain commissioned using
Customer Trust Anchor
 Set passphrases for HSM Recovery Key
 Cards personalized with PIN and identity
 HSM Left & Right Remote Access Control Cards (RACC) grouped with
HSMs they are managing
 HSM States
State Physical Keys payShield Main Functions Available
(with Administrator Login
Console)
Online Both in locked state • Restricted card or • View status information
Left or Right RACC • Host application can use
login HSM
• Select online
Offline One key turned • Either Left or Right • View status information
RACC login • Configure HSM
• Select offline • No host access

Secure Two keys turned • Both Left and Right • View status information
RACC login • Configure HSM
• Select secure • Load and manage LMKs
• Update firmware / licenses
• No host access
Commissioning payShield Manager
 Commissioning Process
 For payShield 9000 3.x and payShield 10K
 Supported by wizard running on payShield Manager
 Builds on “Warrant” (Thales Certified keys) installed at manufacture
 9000 and 10k can share the same CTA and LMKs
 Not applicable to payShield 9000 purchased prior to v3.x
 HSMs without Thales warrant must use local commissioning process using console and Domain
Authority cards
 Migration from Remote HSM Manager to payShield Manager is not supported
on 10k
 Migration must be done on a 9000

 PS Consultant Support Available if Required

Local vs Remote Cards
Local Management via Console
 Older LMK smart cards
 Card loaded via HSM front panel

Remote Management via payShield Manager

 payShield Manager Java cards
 Card read via card reader connected to PC
Local vs Remote Cards – Uses
Used by Use Console payShield
Manager
Auditor View HSM Status
HSM Administrator Remote Left and
Right Access
Control (RACC)
LMK Custodian LMK Component /
Share
Authorizing Officer Authorization
ZMK Custodian ZMK Components
HSM Administrator Saving Settings
payShield Manager Landing Page
 If the Security Configuration Parameter for the payShield landing page
is set to YES: Summary, Health, and Revision Numbers are displayed.
Direct Printer Connection
 Used to Print
 Key Components
 PIN Mailers
 Utilization Statistics

 Can Connect Via:

 USB
 Serial (requires USB to serial converter)
 Parallel (requires USB to parallel converter)
 Ethernet (available from v1.1)
PIN Mailer Printing: Host-attached Printer

Host
Security:
Computer PIN is in-the-clear
within application &
Encrypted PIN blocks on cable
decrypted by
payShield 10K

payShield 10K
PIN Mailer Printing: HSM-attached Printer
Host
Computer

Encrypted PIN blocks

and clear text data Security:
sent to payShield 10K PIN is in-the-clear
only on this
cable
ESC/P Protocol over Serial/Parallel

payShield 10K payShield 10K formats

printout to simple format,
Security: decrypts PIN
payShield 10K requires
Authorized state
Management & Configuration – Objectives
 Initial configuration of the HSM Security settings to match expected usage
 Additional hardening of the configuration of the HSM
 Commands, PIN Block formats
 Configuring the security alarms & fraud detection mechanisms
 Authorizing key management and other sensitive commands
 Saving the HSM configuration
Points to Note on First Install
 Before Installation, Physically Check HSM
 Signs of physical tampering
 Note serial number!

 Configuring HSM will Result in all LMKs Being Removed

(so Install LMKs After Initial Settings)
 Prepare required settings beforehand with application team

 Think About Setting Tamper Protection Before Going Live

 Don’t Forget to Set the Time

Configure Security Settings
 What is it?
 Configuration of security parameters and some processing parameters
 HSM must be in Secure state
 Requires reloading of LMKs for security sensitive changes
(Key custodian involved if major changes occur to settings)

 Security Importance
 Allows selection of options which reduce security
 Generally default to most secure selection (not all PCI compliant) – only
change if necessary
Often default configurations require no change. Following is an example of
configuration that regularly needs to change.
Import/Export Key
 Parameters:
 Enable X9.17 for import? [Y/N]:
 Enable X9.17 for export? [Y/N]:
 Enables support for the ANSI X9.17 mechanism for key import and
export
 Each key of double or triple length is encrypted/decrypted
separately using Electronic Code Book (ECB) encryption
 Default = N (for both)
 Keys exported as component values

Note: This is a lower security option, but is the only widely-supported standard
method for interoperation between systems until TR31 key blocks is implemented
as mandated.
Export in Trusted Format
 The payShield 10K uses default values which have good security
practices.
 The export of keys is configured to disallow un-trusted export.
 This need to be turned off unless you are using key blocks.

 Parameters:
 Enable keys import/export in trusted format only [Y/N]:

Note: This is a lower security option, but is the only widely-supported standard
method for interoperation between systems until TR31 key blocks is
implemented as mandated.
Disabling Unused and Potentially Weaker Options
 HSM should be hardened before use by disabling unused
commands and weaker options
 Disabling of Host Commands
 Disable commands with no valid use
 Host commands are disabled from factory settings and after reset

 Disabling of PIN Block formats

 Disable weak legacy formats
HSM Enable/Disable Commands Solution
 HSM provides over 100 console & 300 host commands.
 Host applications typically use just 10% of these commands.
 Unused commands available = Unnecessary security risk

 Solution: Minimize complexity to improve security.

 Enable only the commands that are required.

 Commands which are not required are disabled, and then no longer
available to the HOST system.
 This allows host and console commands to be enabled / disabled
 Default is all commands disabled
 Requires HSM in “Secure” state
Enable/Disable Commands
 Using payShield Manager:
 Select Configure.
 Click Configure Commands.
 Select Console or Host.
 Click the checkbox to enable.

 Using Console:
 ConfigCmds [+ or -] [C or H] [<Command Code>]
Enable/Disable Commands Error Codes
 If a disabled command is used on the HSM, an error is returned.
 Console: The message “Function Disabled” is shown.
 Host: Error code 68 is returned.
 Example – Weak PIN Block Formats
Thales Format 03 – may b e used in IBM, Diebold, Docutel ATMs (Disabled by default)
Structure: 0, PIN length, PIN, F padding

Example: 0592 389F FFFF FFFF

(PIN = 92389 )

WEAK - encrypted PIN Block same if PINs the

same
Thales Format 01 – ISO 9564-1 Format 0 (Enabled by Default)
PIN Field: 0592 389F FFFFFFFF (PIN = 92389)
A / c No. Field: 0000 4000 0012 3456
PIN Block: 0592 789F FFED CBA9 XORed
STRONG - encrypted PIN Block
different for same PIN
See payShield 10K Host Programmers Manual - Chapter 14, for
all supported PIN block formats.
PIN Block Format Restrictions
 By default, weak PIN Blocks are disabled
 PCI HSM requires compliance with ISO 9564 / X9.8
 Security setting:
 Restrict PIN block usage for PCI HSM compliance
 Must be selected for PCI HSM compliance
 Restrictions on PIN Block Format translations
(e.g., from Thales 01 to weaker formats not allowed)
 Restrictions on PIN Block usage
(e.g., only calculate PIN Verification value for Thales 1 and 47)
 Factory default this restriction not selected, i.e., not PCI compliant
 Provides backward compatibility

See payShield 10K Host Programmers Manual - Chapter 14 for PIN Block definitions.
HSM Clock
 Time used in Audit and Error logs
 Console: SETTIME requires authorization
 Can check current clock setting through
 Console / payShield Manager
 Host health check
 SNMP – Management information
Save HSM Settings
 Current configuration can be saved to smart card
 Saves Alarm, Host Port, Security, Audit, Command, and PIN Block

 payShield Manager: Configuration menu, Load /Save settings

 Save to any commissioned smart card

 Console SS (save) / RS (retrieve)

 Saves settings to Card specifically formatted for saving settings (not formatted for LMK)
 Requires authorization
 Thank you.

www.thalesgroup.com CPL Technical Training