AAL2SyncTokenAndHostICSF
  • 22 Jan 2025

Function prototype

aat_int32 AAL2SyncTokenAndHostICSF (
                                TDigipassBlob*   DPBlob,
                                TKernelParms*    RunTimeParms,
                                aat_ascii*       aStorageKeyNameIn,
                                aat_ascii*       aInitialVectorIn,
                                aat_ascii*       Password1,
                                aat_ascii*       Challenge1,
                                aat_ascii*       Password2,
                                aat_ascii*       Challenge2);

Description

Based on two contiguous Digipass responses, this function synchronizes

  • the host time with the Digipass time or
  • the host event counter with the Digipass event counter.

This function can either be used for

  • time-based-only algorithms, or
  • event-based-only algorithms.

Algorithms that are both time- and event-based are not supported.

The AAL2GetTokenInfoEx function can be used to retrieve the algorithm: TIME BASED, EVENT BASED, TIME AND EVENT BASED.

For time-based Challenge/Response Digipass authenticators, the CheckChallenge kernel parameter must be set to 4 for the synchronization (i.e. to allow two consecutive authentication requests in the same time step).

Time-based only algorithm

This function can be called to fix the following scenarios:

  • A valid password (response) generated by a Digipass authenticator is rejected because the Digipass authenticator has not been used for a long period of time.
  • A Digipass clock has drifted too far and is now outside the time synchronization window, so a valid password (response) generated by the Digipass is rejected by the host.

After calling AAL2SyncTokenAndHost, the new time drift is stored in the authenticator application BLOB, and a valid password will be accepted again.

With VACMAN Controller 3.7.10 and later/Authentication Suite Server SDK, this function will use the SyncWindow kernel parameter instead of iTimeWindow as a reference for the synchronization time window limit.

Event-based only algorithm

This function can be called to fix the following scenario:

  1. The Digipass authenticator generates a password (response) based on event 1000.
  2. A validation is performed on the host with this password so that this event is stored in the authenticator application BLOB.
  3. The Digipass user then generates another ten passwords without a validation on the host.
  4. The Digipass authenticator generates a password based on event 1011.
  5. A validation is attempted on the host with this password.
  6. The event window is too small and the host rejects this valid password because it is outside the event synchronization window.

After calling AAL2SyncTokenAndHost, the event used to generate the last of the two contiguous responses is stored in the authenticator application BLOB, and a valid password will be accepted again.

For event-based Digipass authenticators to work properly, AAL2SyncTokenAndHost must be called with an EventWindow kernel parameter larger than the one used for validation with AAL2VerifyPassword. If the same EventWindow is used, the synchronization will fail for the same reason as the authentication (Digipass event outside the event synchronization window).

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based authentication which allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the two consecutive passwords, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2SyncTokenAndHostICSF) for more details.

Parameters

The memory management of the output parameters must be performed by the calling function.

  Table: Parameters (AAL2SyncTokenAndHostICSF)

  Type             Name               Use  Description
  TDigipassBlob *  DPBlob             I/O  Authenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
  TKernelParms *   CallParms          I    Structure of runtime parameters to use during this function call.
  aat_ascii *      aStorageKeyNameIn  I    String of up to 64+1 characters, left-justified, null-terminated, or right-padded with spaces. This is the label of the HSM storage key used to encrypt the sensitive authenticator application BLOB data.
  aat_ascii *      aInitialVectorIn   I    String of 16 hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This is the initial vector used to encrypt the sensitive authenticator application BLOB data.
  aat_ascii *      Password1          I    String of up to 17+24 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This is the dynamic password generated by the Digipass device.
  aat_ascii *      Challenge1         I    Up to 16 numeric characters, left-justified, null-terminated, or right-padded with spaces. This parameter holds the challenge that was proposed to the user to generate CodeToVerify. If no challenge was generated, this parameter should be NULL.
  aat_ascii *      Password2          I    String of up to 17+24 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This is the next password generated by the Digipass device.
  aat_ascii *      Challenge2         I    Up to 16 numeric characters, left-justified, null-terminated, or right-padded with spaces. This parameter holds the challenge that was proposed to the user to generate CodeToVerify. If no challenge was generated, this parameter should be NULL.

COBOL calling convention

Entry point: AA2STAHI
02   W-BLOB             PIC X(248).
02   W-KERNELPARMS.
     03  W-PARMCOUNT   PIC 9(8) USAGE BINARY.
     03  W-PARM01      PIC 9(8) USAGE BINARY.
     . . .
     03  W-PARM19      PIC 9(8) USAGE BINARY.
02   W-RETURN          PIC S9(8) USAGE BINARY.
02   W-PASSWORD1       PIC X(17).
02   W-CHALLENGE1      PIC X(17).
02   W-PASSWORD2       PIC X(17).
02   W-CHALLENGE2      PIC X(17).
02   W-STORAGEKEY      PIC X(65).
02   W-INITVECTOR      PIC X(17).
02   W-API-NAME         PIC X(8) VALUE 'AA2STAHI'.
. . .
     CALL W-API-NAME USING
           BY REFERENCE W-BLOB
           BY REFERENCE W-KERNELPARMS
           BY REFERENCE W-STORAGEKEY
           BY REFERENCE W-INITVECTOR
           BY REFERENCE W-PASSWORD1
           BY REFERENCE W-CHALLENGE1
           BY REFERENCE W-PASSWORD2
           BY REFERENCE W-CHALLENGE2
           RETURNING W-RETURN

Return codes

  Table: Return codes (AAL2SyncTokenAndHostICSF)

  Code    Meaning
  0       Success
  10001   Success with context warning*
  10002   Success with user warning*
  10003   Success with user & context warning*
  10004   Success with platform warning*
  10005   Success with platform & context warning*
  10006   Success with platform & user warning*
  10007   Success with platform & user & context warning*
  1       Code not verified
  2       Static password validation failed
  130     Invalid response pointer
  131     Missing required challenge
  132     Unsupported token type
  140     Challenge corrupted
  201     Code replay attempt
  202     Identification error threshold reached
  205     Inactive days reached
  208     Application disabled
  412     Invalid checksum (software)
  413     Invalid Base64 format
  414     Invalid checksum (HSM)
  510     Invalid Digipass data pointer
  802     Change password mandatory
  803     New password too short
  804     New password too long
  900     Invalid session context handle
  908     HSM key not found
  951     Invalid HSM key type for HSM decryption
  1116    Response check digit not allowed
  1117    Challenge check digit not allowed
  1118    Unsupported BLOB
  -101    Challenge too short
  -102    Challenge too long
  -103    Challenge check digit wrong
  -108    Challenge character invalid
  -201    Response length out of bounds
  -202    Response too short
  -203    Response too long
  -204    Response check digit wrong
  -205    Response character not decimal
  -206    Response character not hexadecimal

* Specific score-based authentication codes; for more information, refer to Score-based Digipass.
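Caller-side handling for the Parameters and Return codes tables above, written as an added example for this page and not taken from the SDK: it pre-checks the argument formats the table documents (so malformed input is caught before the HSM-backed call) and maps the return code to the caller's decision, treating 10001 to 10007 as success. The aat_int32 typedef is a stand-in; the real one comes from the SDK header.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

typedef int aat_int32;   /* stand-in: the real typedef comes from the SDK header */

/* Trailing spaces are allowed (right-padded fields); the remaining characters
   must all satisfy ok() and the length must lie in [minlen, maxlen]. */
static int field_ok(const char *s, size_t minlen, size_t maxlen, int (*ok)(int)) {
    size_t n = strlen(s);
    while (n > 0 && s[n - 1] == ' ') n--;
    if (n < minlen || n > maxlen) return 0;
    for (size_t i = 0; i < n; i++) if (!ok((unsigned char)s[i])) return 0;
    return 1;
}

/* Format checks taken from the Parameters table: key label up to 64 chars, IV
   exactly 16 hex chars, each password up to 17+24 numeric/hex chars, each
   challenge (when present) up to 16 numeric chars; a NULL challenge means none. */
int sync_args_ok(const char *key, const char *iv, const char *p1, const char *c1,
                 const char *p2, const char *c2) {
    if (!key || !iv || !p1 || !p2) return 0;
    if (!field_ok(key, 1, 64, isprint) || !field_ok(iv, 16, 16, isxdigit)) return 0;
    if (!field_ok(p1, 1, 17 + 24, isxdigit) || !field_ok(p2, 1, 17 + 24, isxdigit)) return 0;
    if (c1 && !field_ok(c1, 1, 16, isdigit)) return 0;
    if (c2 && !field_ok(c2, 1, 16, isdigit)) return 0;
    return 1;
}

/* Maps the SDK return code onto the caller's decision: 0 = synchronized,
   1 = synchronized with a warning code (10001..10007 in the table, still a
   success that must be logged), -1 = synchronization failed. In every case
   the BLOB passed to the SDK must still be written back to the database. */
int sync_outcome(aat_int32 rc) {
    if (rc == 0) return 0;
    if (rc >= 10001 && rc <= 10007) return 1;
    return -1;
}
```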
