Authentication Suite for HSM Version 4.0 (2024)
  • 19 Oct 2024
Article summary

As of version 4.0, OneSpan Authentication Server Framework has been renamed to Authentication Suite for HSM. If not explicitly stated otherwise, any information and references to OneSpan Authentication Server Framework or VACMAN Controller also apply to Authentication Suite for HSM.

Version 4.0 (2024)

New features and enhancements

Support for Entrust nShield Security World version 3

Starting with version 3.22, Authentication Suite supports Entrust nShield Security World version 3 running ciphersuite DLf3072s256mAEScSP800131Ar1.

Deprecated components and features

End-of-life of OneSpan Authentication Server Framework

OneSpan Authentication Suite supersedes all previous versions of OneSpan Authentication Server Framework and VACMAN Controller. All versions of VACMAN Controller up to 3.18 reach end-of-life in June 2024; all versions of OneSpan Authentication Server Framework/VACMAN Controller up to 3.22 will reach end-of-life in March 2025. For more information, refer to the OneSpan product life cycle reference, available at https://www.onespan.com/support/security/product-life-cycle.

We strongly recommend migrating to OneSpan Authentication Suite 4.0 at your earliest convenience to allow future upgrades and to receive further product enhancements.

Known issues

Authentication Suite for Thales ProtectServer HSM

  • Usage restriction with the Thales ProtectServer2 HSMs in case of FIPS security mode enabled:

    If the FIPS Algorithm Only flag is enabled on ProtectServer2 HSMs, the following restrictions will apply with the Authentication Suite for Thales ProtectServer HSM:

    • Usage of HSM transport keys being double-length 3DES keys (DES2) is not possible.

    • Usage of HSM storage keys being double-length 3DES keys (DES2) is not possible.

    • Usage of HSM transport keys and HSM storage keys being triple-length 3DES keys (DES3) is not recommended when the FIPS security mode is enabled. For PSE2, as of release PTK 5.6 / FW 5.03.00 in FIPS mode, DES3 keys can only be used a limited number of times before becoming inactive. It is strongly recommended to use AES HSM transport keys and AES HSM storage keys when the FIPS security mode is enabled.

    • Usage of DIGIPASS using a DES or 3DES algorithm is not possible.

  • Usage restriction with the Thales ProtectServer HSMs in case of FIPS security mode enabled:

    If the FIPS Algorithm Only flag is enabled on ProtectServer HSMs, the following restriction will apply with the Authentication Suite for Thales ProtectServer HSM:

    • Usage of DIGIPASS using a DES or 3DES algorithm is not possible.

Authentication Suite for Entrust nShield HSM

  • Communication issue of the key management tool with a hardserver 11.70 or later (nCipher netHSM and Entrust nShield):

    On Unix platforms (Linux, AIX, Solaris SPARC…), the location of the TCP communication socket used by the hardserver (the hardserver installed with the Entrust nShield support software, Entrust CipherTools, or Entrust CodeSafe toolkit) has changed in hardserver 11.70 and later.

    The Unix versions of the manager tool 3.x provided with Authentication Suite for Entrust nShield HSM use the TCP communication socket location of hardserver versions prior to 11.70.

    On Unix platforms where hardserver 11.70 or later is running, the manager tool 3.x may therefore fail with a communication error: “Open session error : 603 -> Error NFastApp Connect”.

    In this situation, to allow the manager tool 3.x to communicate with hardserver 11.70 or later, the hardserver must be configured to keep backward compatibility with the legacy socket location. To do this:

    1. Create the file /etc/nfast.conf with the entry: NFAST_CREATEDEVNFAST=1

    2. Perform an /opt/nfast/sbin/init.d-ncipher restart so that the socket backward compatibility is applied.

    See the Entrust nShield software package v11.70 release notes (rnotes.pdf) for more information.

    The manager-xc tool 4.x provided with the Linux 64-bit version of the Authentication Suite for Entrust nShield HSM does not require this backward compatibility with the legacy socket location.
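    The two-step workaround above, as an added example (not OneSpan or Entrust code) that applies the setting idempotently and only restarts the hardserver when something actually changed. The config path and restart script are the ones from the release note; the function names and the optional file argument (used here so the logic can be exercised on a scratch file) are this example's own.

```shell
# Added example: idempotently apply NFAST_CREATEDEVNFAST=1 and verify it.
# Function names and the optional config-file argument are assumptions of
# this example; the path /etc/nfast.conf and the restart script are from
# the release note above.

NFAST_KEY="NFAST_CREATEDEVNFAST"

# Return 0 if the legacy-socket flag is already set to 1 in the given file.
legacy_socket_enabled() {
  conf="${1:-/etc/nfast.conf}"
  [ -f "$conf" ] && grep -q "^${NFAST_KEY}=1$" "$conf"
}

# Ensure NFAST_CREATEDEVNFAST=1 is present exactly once, keeping any other
# entries. Prints "unchanged" or "updated" so the caller knows whether a
# hardserver restart is needed.
ensure_legacy_socket() {
  conf="${1:-/etc/nfast.conf}"
  if legacy_socket_enabled "$conf"; then
    echo "unchanged"
    return 0
  fi
  tmp="${conf}.tmp.$$"
  # Keep every line except an existing (differently valued) copy of the key.
  if [ -f "$conf" ]; then
    { grep -v "^${NFAST_KEY}=" "$conf" || true; } > "$tmp"
  else
    : > "$tmp"
  fi
  echo "${NFAST_KEY}=1" >> "$tmp"
  mv "$tmp" "$conf"
  echo "updated"
}

# Step 2: restart the hardserver, but only when the init script exists so
# the function is safe to call on a host without nShield software.
restart_hardserver() {
  script=/opt/nfast/sbin/init.d-ncipher
  if [ -x "$script" ]; then
    "$script" restart
  else
    echo "skip: $script not found" >&2
    return 1
  fi
}

# Typical run against the real file (requires root):
#   if [ "$(ensure_legacy_socket)" = "updated" ]; then restart_hardserver; fi
```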

  • Usage restriction with the Entrust nShield XC HSMs in case of FIPS 140-2 Level 3 Security World:

    In case of FIPS 140-2 Level 3 Security World, the following restrictions will apply when generating keys with the manager-xc tool and with the nShield XC HSMs:

    • Generation of HSM storage keys being double-length 3DES keys (DES2) is not possible.

    • Generation of key encrypting keys being double-length 3DES keys (DES2) is not possible.

    • Generation of HSM transport keys being double-length 3DES keys (DES2) is not possible.

  • Usage restriction with FIPS 140-2 Level 3 Security Worlds created as of nCipher Security World software 12.50:

    Since version 12.50 of the nCipher Security World software and firmware, new security worlds created in strict FIPS 140-2 Level 3 mode no longer allow 3DES operations with the nShield HSM.

    To use 3DES HSM transport keys or 3DES HSM storage keys with the Authentication Suite for Entrust nShield HSM, customers must either:

    • Use a security world (either FIPS 140-2 Level 2 or FIPS 140-2 Level 3) that was created prior to nCipher Security World software 12.50, or

    • Use a FIPS 140-2 Level 2 security world if it is created with nCipher Security World software 12.50 or later.

  • Limited performance with the Entrust nShield XC Base HSM:

    The symmetric cryptography performance of the nShield XC Base when executed from a SEE machine is very low compared to the former nShield HSM devices based on the former PowerPCSXF architecture (nShield Connect/Connect+/Solo/Solo+). As a result, the performance of the Authentication Suite for Entrust nShield HSM when using an nShield XC Base HSM is significantly lower than when using a former nShield HSM.

    Compared to usage with a former nShield HSM (nShield Connect/Connect+/Solo/Solo+), the performance of Authentication Suite for Entrust nShield HSM is:

    • Around 5 to 6 times slower when using an nShield XC Base performance level

    • Almost the same when using an nShield XC Mid performance level

    • Around 2 to 3 times faster when using an nShield XC High performance level
