KB_180035: How to unwrap a software level transport key that is wrapped by a KEK
2/27/2017 2:30:46 PM
This article explains how to unwrap/decrypt a software-level transport key that is wrapped by a Key Encryption Key (KEK).
Keywords: DPX, DPX-Key, KEK, HSM
When ordering a new DIGIPASS batch, the “Host Files and Keys Sheet” (filled out with the help of your VASCO Technical Account Manager) allows you to configure protection of the software-level transport key by wrapping it with another (HSM) key (see screenshot below).
Therefore, when receiving the transport key, you will need to decrypt it before you can start importing the DPX file.
This article explains how to do so.
Unwrapping the transport key
The steps below provide a way to unwrap the transport key using OpenSSL (which is commonly available).
1. Create a text file containing the wrapped transport key (as delivered to you by VASCO). Name it e.g. wrapped_tk.txt.
2. Execute the command:
openssl enc -d -des-cbc -k "value_of_kek" -in wrapped_tk.txt -out unwrapped_tk.txt
- value_of_kek = the Key Encryption Key in clear text (typically exported from the HSM as several custodian components, which are then combined with an XOR function).
A file unwrapped_tk.txt will be created containing the un-encrypted Transport Key.
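The article mentions that the KEK is typically reassembled from several custodian components with an XOR function. The following script is an added example, not part of the VASCO article, that performs that reassembly; the component values are constructed for illustration only.

```python
# Added example (not from the VASCO article): rebuild a KEK from the
# hex-encoded components held by separate key custodians by XOR-ing them.
# All component values below are constructed sample data.


def combine_kek_components(components_hex):
    """XOR all hex-encoded custodian components into one KEK.

    Every custodian's component must decode to the same number of bytes;
    the result is returned as uppercase hex, i.e. the clear-text
    value_of_kek that the openssl command in the article expects.
    """
    if not components_hex:
        raise ValueError("at least one custodian component is required")
    parts = [bytes.fromhex(c.replace(" ", "")) for c in components_hex]
    length = len(parts[0])
    if any(len(p) != length for p in parts):
        raise ValueError("all custodian components must have the same length")
    kek = bytearray(length)
    for part in parts:
        for i, b in enumerate(part):
            kek[i] ^= b
    return kek.hex().upper()


# Constructed sample components (16 bytes each, as a double-length key).
CUSTODIAN_1 = "0123456789ABCDEF0123456789ABCDEF"
CUSTODIAN_2 = "FEDCBA9876543210FEDCBA9876543210"
CUSTODIAN_3 = "0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F"

if __name__ == "__main__":
    # Any single component on its own reveals nothing about the KEK;
    # only the XOR of all three produces the value used for unwrapping.
    print(combine_kek_components([CUSTODIAN_1, CUSTODIAN_2, CUSTODIAN_3]))
```

Treat the combined value like any other clear-text key: combine it only on a trusted host and clear the file holding the unwrapped transport key once the DPX import is done.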
Note: In this example, the wrapping algorithm used is DES in CBC mode. The wrapping algorithm actually depends on the type of the KEK you have used, so the cipher name passed to openssl enc must match it. To get a list of the algorithms your OpenSSL build supports, execute the command:
$ openssl help
Applies to: IDENTIKEY Authentication Server, VACMAN Controller, DPX
© 2016 VASCO Data Security. All rights reserved.