- 22 Jan 2025
AAL2DeriveTokenBlobsICSF
Function prototype
aat_int32 AAL2DeriveTokenBlobsICSF (
    TDigipassBlob* DPData[8],
    aat_int16      Appl_Count,
    TKernelParms*  CallParms,
    aat_ascii*     aStorageKeyNameIn,
    aat_ascii*     aInitialVectorIn,
    aat_ascii*     Challenge,
    aat_ascii*     Derivationcode,
    aat_word32     DerivationCodeFormat);
Description
This function derives the Digipass data of a software Digipass authenticator based on the Digipass SDK 4.0 or later.
Digipass data derivation is allowed only for applications that support the feature (call the AAL2GetTokenProperty function with the DERIVATION_SUPPORTED property to check whether an authenticator application supports it).
If supported by the software Digipass authenticator, this feature is used to bind a software Digipass authenticator with its hosting device. In this case, during the activation process, the software Digipass authenticator can create a diversifier based on a device’s fingerprint and can provide a derivation code based on the diversifier, an OTP, and an optional challenge.
AAL2DeriveTokenBlobsICSF allows applying the derivation to the authenticator application BLOBs on the server-side.
When reactivating the same Digipass authenticator on another device, the Digipass data must be derived again on the server-side using AAL2DeriveTokenBlobsICSF with the new derivation code. The Digipass instance on the old device will not work anymore.
The derivation code is validated using the first authenticator application BLOB of the authenticator application BLOB table (DPData) input parameter. This first authenticator application BLOB MUST match the authenticator application used for generating the derivation code on the client. This first authenticator application BLOB MUST support either Response-Only or Challenge/Response authentication.
For example, when the application named AUTH_APP1 was used to generate the derivation code on the client side, the first authenticator application BLOB must relate to the AUTH_APP1 application.
Application names are exposed during the import process.
In addition, the derivation fails if one or more authenticator application BLOBs do not support the derivation feature.
Score-based Digipass
For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based authentication to validate the derivation code. This allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the BLOBs, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2DeriveTokenBlobsICSF) for more details.
Parameters
COBOL calling convention
Entry point: AA2DTBIC
02 W-KERNELPARMS.
   03 W-PARMCOUNT        PIC 9(8) USAGE BINARY.
   03 W-PARM01           PIC 9(8) USAGE BINARY.
   . . .
   03 W-PARM19           PIC 9(8) USAGE BINARY.
02 W-BLOB-TABLE.
   03 W-BLOB             PIC X(248) OCCURS 8.
02 W-BLOB-PTR-TABLE.
   03 W-BLOB-PTR         USAGE POINTER OCCURS 8.
02 W-APPL-COUNT          PIC S9(4).
02 W-CHALLENGE           PIC X(17).
02 W-DERIVATION-CODE     PIC X(28).
02 W-STORAGEKEY          PIC X(65).
02 W-INITVECTOR          PIC X(17).
02 W-RETURN              PIC S9(8) USAGE BINARY.
02 W-DERIVATION-FMT      PIC S9(8) USAGE BINARY.
02 W-API-NAME            PIC X(8) VALUE 'AA2DTBIC'.
. . .
SET W-BLOB-PTR(n) TO ADDRESS OF W-BLOB(n).
CALL W-API-NAME USING
     BY REFERENCE W-BLOB-PTR-TABLE
     BY VALUE     W-APPL-COUNT
     BY REFERENCE W-KERNELPARMS
     BY REFERENCE W-STORAGEKEY
     BY REFERENCE W-INITVECTOR
     BY REFERENCE W-CHALLENGE
     BY REFERENCE W-DERIVATION-CODE
     BY VALUE     W-DERIVATION-FMT
     RETURNING    W-RETURN
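The COBOL sample shows only the pointer-table setup for the call. The C example below, added here and not part of the OneSpan SDK or this page, shows the equivalent host-side preparation for the prototype above together with the pre-call checks the description requires: the first BLOB must belong to the application that generated the derivation code on the client, and every application must support derivation. The SDK types (TDigipassBlob, TKernelParms, aat_*) are placeholders sized from the COBOL layout (248-byte BLOBs, a parameter count plus 19 parameters); the real definitions come from the SDK headers when HAVE_AAL2_SDK is defined, which is an assumed build macro. The application names and flags are constructed input; in practice each flag comes from AAL2GetTokenProperty with DERIVATION_SUPPORTED.

```c
/* Added example, not SDK code: preparing and guarding a call to
 * AAL2DeriveTokenBlobsICSF. Placeholder types mirror the COBOL layout
 * on this page; with the real SDK headers they are not compiled. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#ifndef HAVE_AAL2_SDK   /* assumption: defined when building against the real SDK */
typedef int32_t  aat_int32;
typedef int16_t  aat_int16;
typedef uint32_t aat_word32;
typedef char     aat_ascii;
typedef struct { unsigned char data[248]; } TDigipassBlob;              /* from W-BLOB PIC X(248) */
typedef struct { aat_word32 ParmCount; aat_word32 Parm[19]; } TKernelParms; /* from W-PARMCOUNT, W-PARM01..19 */
#endif

#define MAX_APPL 8   /* DPData is declared as TDigipassBlob* DPData[8] */

/* C counterpart of "SET W-BLOB-PTR(n) TO ADDRESS OF W-BLOB(n)": fill the
 * pointer table from contiguous BLOB storage, NULL for unused slots.
 * Returns the number of slots filled, or -1 when the input is unusable. */
int build_blob_table(TDigipassBlob *storage, int appl_count,
                     TDigipassBlob *table[MAX_APPL])
{
    if (storage == NULL || appl_count < 1 || appl_count > MAX_APPL)
        return -1;
    for (int i = 0; i < MAX_APPL; i++)
        table[i] = (i < appl_count) ? &storage[i] : NULL;
    return appl_count;
}

enum {
    PRECHECK_OK = 0,
    PRECHECK_BAD_COUNT = 1,          /* Appl_Count outside 1..8 */
    PRECHECK_FIRST_APP_MISMATCH = 2, /* first BLOB is not the client's app */
    PRECHECK_NO_DERIVATION = 3       /* some application lacks DERIVATION_SUPPORTED */
};

/* Pre-call checks drawn from the description. app_names[i] is the name
 * exposed at import for BLOB i; derivation_supported[i] is the flag the
 * caller obtained with AAL2GetTokenProperty / DERIVATION_SUPPORTED. */
int precheck_derivation(const char *app_names[], const int derivation_supported[],
                        int appl_count, const char *client_app_name)
{
    if (appl_count < 1 || appl_count > MAX_APPL) return PRECHECK_BAD_COUNT;
    if (strcmp(app_names[0], client_app_name) != 0) return PRECHECK_FIRST_APP_MISMATCH;
    for (int i = 0; i < appl_count; i++)
        if (!derivation_supported[i]) return PRECHECK_NO_DERIVATION;
    return PRECHECK_OK;
}

int main(void)
{
    /* Constructed sample: two applications imported for one authenticator,
     * AUTH_APP1 first because the client used it to produce the code. */
    TDigipassBlob storage[2];
    memset(storage, 0, sizeof storage);           /* real BLOBs come from import */
    const char *names[] = { "AUTH_APP1", "AUTH_APP2" };
    int supported[]     = { 1, 1 };
    TDigipassBlob *table[MAX_APPL];
    TKernelParms parms;
    memset(&parms, 0, sizeof parms);

    int n = build_blob_table(storage, 2, table);
    int rc = precheck_derivation(names, supported, n, "AUTH_APP1");
    printf("table slots filled: %d, precheck: %d\n", n, rc);
    if (n < 0 || rc != PRECHECK_OK)
        return 1;

#ifdef HAVE_AAL2_SDK
    /* Only compiled against the real SDK. Key name, IV, challenge, code and
     * format value are assumed placeholders, not values from the page. */
    aat_int32 ret = AAL2DeriveTokenBlobsICSF(table, (aat_int16)n, &parms,
                                             (aat_ascii *)"STORAGE_KEY_NAME",
                                             (aat_ascii *)"INITIAL_VECTOR",
                                             (aat_ascii *)"",
                                             (aat_ascii *)"DERIVATION_CODE",
                                             (aat_word32)0);
    printf("AAL2DeriveTokenBlobsICSF returned %d\n", (int)ret);
#endif
    return 0;
}
```

The checks run before the SDK is touched, so a mismatched first BLOB or an application without derivation support is reported by the caller instead of surfacing as an SDK failure; after a successful derivation the caller must persist the updated BLOBs, since the copies bound to the previous device no longer validate.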
Return codes
* Specific score-based authentication codes; for more information, refer to Score-based Digipass.