This function authenticates a Digipass owner by verifying whether an authentication response based on a standard protocol and a given Digipass dynamic password is valid for a specified authenticator application described by its authenticator application BLOB. Optionally, a previously generated challenge is also passed to this function.
AAL2VerifyWIN can be used to validate LANMAN, NTLMv1, NTLMv2, CHAP, and MSCHAPv2 authentication responses, which are part of a LANMAN, NTLM (v1 or v2), CHAP, or MSCHAP (v1 or v2) authentication message.
In input, the TAuthParms structure may contain the response, the challenges, and user fields required to perform the validation. In output, the structure can contain the given dynamic password and its NT or LM hash. For MSCHAPv2 response validation, it can also contain the MSCHAPv2 authenticator response allowing the back-authentication of the server.
Virtual Mobile Authenticator
If Virtual Mobile Authenticator is supported for the given authenticator application BLOB, this function can be used to validate protocol-dependent authentication responses based on Virtual DIGIPASS one-time passwords.
If both backup authenticator and primary authenticator are activated, Authentication Suite Server SDK will automatically detect whether the given dynamic password is from the backup or primary Digipass authenticator.
Parameters

Table: Parameters (AAL2VerifyWin)

Type              Name        Use   Description
TDigipassBlob *   DPData      I/O   Authenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms *    CallParms   I     Structure of runtime parameters to use during this function call.
aat_ascii *       Challenge   I     String of up to 17 numeric characters, left-justified, null-terminated or right-padded with spaces. This parameter holds the challenge that was proposed to the user to generate the Digipass dynamic password. This challenge can be generated by AAL2GenerateChallenge. If no challenge was generated, this parameter should be NULL.
TAuthParms *      WinParms    I/O   Structure of authentication parameters containing protocol-dependent challenges and responses. Upon return from the function call, this parameter may contain authenticator responses allowing the back-authentication of the server.
The TAuthParms structure contains the following information:

Table: Authentication parameters

Name         Description
Challenges   Number of TData structures containing authentication challenges.
Challenge    One or more TData structures containing the type, the value, and the length of the challenge.
Responses    Number of TData structures containing authentication responses (should be one).
Response     TData structure containing the type, the value, and the length of the response.
Hashes       Number of TData structures set for receiving hash return values.
Hash         Optional TData structures containing allocated space and length for receiving hash or authenticator response return values.
Table: Challenge types

Name          Value   Size              Description
LANMAN        1       8 bytes           Challenge used for LANMAN response validation.
NTLM          2       8 bytes           Challenge used for NTLMv1 response validation.
NTLM2         4       8 bytes           Challenge used for NTLMv2 response validation.
NTLM2USER     8       Up to 512 bytes   User name used for NTLMv2 response validation.
NTLM2DOMAIN   16      Up to 512 bytes   Domain name used for NTLMv2 response validation.
CHAP          128     Up to 255 bytes   Challenge used for CHAP response validation.
MSCHAP2       256     Up to 255 bytes   User name used for MSCHAPv2 response validation.
Table: Response types

Name      Value   Size       Description
LANMAN    1       24 bytes   LANMAN response used with the LANMAN, NTLM, or MSCHAPv1 authentication protocol.
NTLM      2       24 bytes   NTLMv1 response used with the NTLM or MSCHAPv1 authentication protocol.
NTLM2     4       24 bytes   NTLMv2 response used with the NTLM authentication protocol.
CHAP      128     17 bytes   CHAP ID + CHAP response used with the CHAP protocol.
MSCHAP2   256     56 bytes   Authentication challenge + peer challenge + MSCHAPv2 response used with the MSCHAPv2 protocol.
Table: Hash types

Name      Value   Allocated size   Description
LANMAN    1       16 bytes         Allocated space for accepting the 16-byte LMHash.
NTLM      2       16 bytes         Allocated space for accepting the 16-byte NTHash.
DPRSP     64      32 bytes         Allocated space for accepting the 32-byte Digipass dynamic password.
MSCHAP2   256     43 bytes         Allocated space for accepting the 43-byte MSCHAPv2 authenticator response string.
For LANMAN, NTLMv1, and NTLMv2, authentication responses may contain a concatenated challenge and response. In this case, the TData challenge structure could be NULL.
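The following is an added example in C, not SDK code: a pre-flight check that validates a TAuthParms against the sizes and type values documented in the tables above before the structure is handed to AAL2VerifyWIN, so that a malformed request is caught in the caller rather than surfacing as a length error from the SDK. The TData and TAuthParms layouts used here are assumptions that mirror only the fields this page names; the real definitions come from the SDK header. Which challenge entries each response type needs (user and domain names for NTLMv2, the CHAP challenge for CHAP, the user name for MSCHAPv2) is inferred from the table descriptions and is likewise an assumption. The sample MSCHAPv2 request in demo_mschap2 is constructed with placeholder bytes.

```c
#include <stddef.h>

/* Assumed layouts standing in for the SDK's own TData/TAuthParms definitions;
 * only the fields named on this page are mirrored. */
typedef struct {
    int type;              /* type value from the challenge/response/hash tables */
    unsigned char *value;  /* data, or allocated space for a hash return value */
    size_t length;         /* data length, or allocated size for a hash */
} TData;
typedef struct {
    int Challenges; TData *Challenge;   /* count and array of challenges */
    int Responses;  TData *Response;    /* count (should be one) and response */
    int Hashes;     TData *Hash;        /* count and array of hash buffers */
} TAuthParms;

enum { T_LANMAN = 1, T_NTLM = 2, T_NTLM2 = 4, T_NTLM2USER = 8,   /* documented type values */
       T_NTLM2DOMAIN = 16, T_DPRSP = 64, T_CHAP = 128, T_MSCHAP2 = 256 };
enum { CHK_OK = 0, CHK_RESPONSE_COUNT = -1, CHK_RESPONSE_TYPE = -2,   /* pre-flight results, */
       CHK_RESPONSE_LEN = -3, CHK_CHALLENGE_LEN = -4,                 /* not SDK return codes */
       CHK_CHALLENGE_MISSING = -5, CHK_HASH_TYPE = -6, CHK_HASH_ALLOC = -7 };

/* Documented response size per response type; 0 for an unknown type */
static size_t response_size(int type)
{
    if (type == T_LANMAN || type == T_NTLM || type == T_NTLM2) return 24;
    if (type == T_CHAP)    return 17;  /* CHAP ID + CHAP response */
    if (type == T_MSCHAP2) return 56;  /* auth challenge + peer challenge + response */
    return 0;
}

/* Documented allocation each hash type needs; 0 for an unknown type */
static size_t hash_alloc(int type)
{
    if (type == T_LANMAN || type == T_NTLM) return 16;
    if (type == T_DPRSP)   return 32;
    if (type == T_MSCHAP2) return 43;
    return 0;
}

/* Exactly 8 bytes for the binary challenges, upper bounds for the string ones */
static int challenge_len_ok(int type, size_t len)
{
    if (type == T_LANMAN || type == T_NTLM || type == T_NTLM2) return len == 8;
    if (type == T_NTLM2USER || type == T_NTLM2DOMAIN) return len > 0 && len <= 512;
    if (type == T_CHAP || type == T_MSCHAP2)          return len > 0 && len <= 255;
    return 0;
}

static int has_challenge(const TAuthParms *p, int type)
{
    for (int i = 0; i < p->Challenges; i++) if (p->Challenge[i].type == type) return 1;
    return 0;
}

/* Check a TAuthParms against the documented sizes before handing it to
 * AAL2VerifyWIN. Returns CHK_OK or the first CHK_* problem found. */
int check_auth_parms(const TAuthParms *p)
{
    if (p->Responses != 1 || p->Response == NULL) return CHK_RESPONSE_COUNT;
    int rtype = p->Response[0].type;
    size_t want = response_size(rtype);
    if (want == 0) return CHK_RESPONSE_TYPE;
    if (p->Response[0].value == NULL || p->Response[0].length != want)
        return CHK_RESPONSE_LEN;
    for (int i = 0; i < p->Challenges; i++)
        if (!challenge_len_ok(p->Challenge[i].type, p->Challenge[i].length))
            return CHK_CHALLENGE_LEN;
    /* Challenge entries each response type needs (inferred from the tables; the
     * LANMAN/NTLM/NTLM2 challenge may travel inside the response, so not required) */
    if (rtype == T_NTLM2 &&
        !(has_challenge(p, T_NTLM2USER) && has_challenge(p, T_NTLM2DOMAIN)))
        return CHK_CHALLENGE_MISSING;
    if ((rtype == T_CHAP || rtype == T_MSCHAP2) && !has_challenge(p, rtype))
        return CHK_CHALLENGE_MISSING;
    for (int i = 0; i < p->Hashes; i++) {
        size_t need = hash_alloc(p->Hash[i].type);
        if (need == 0) return CHK_HASH_TYPE;
        if (p->Hash[i].value == NULL || p->Hash[i].length < need) return CHK_HASH_ALLOC;
    }
    return CHK_OK;
}

/* Constructed sample: MSCHAPv2 validation for user "alice" with placeholder
 * response bytes (not a real response) plus buffers for the dynamic password and
 * the 43-byte authenticator response; response_len shows a truncated response being rejected. */
int demo_mschap2(size_t response_len)
{
    static unsigned char user[] = "alice", response[56], dp[32], authresp[43];
    TData chal = { T_MSCHAP2, user, 5 };
    TData resp = { T_MSCHAP2, response, response_len };
    TData hash[2] = { { T_DPRSP, dp, sizeof dp }, { T_MSCHAP2, authresp, sizeof authresp } };
    TAuthParms p = { 1, &chal, 1, &resp, 2, hash };
    return check_auth_parms(&p);
}
```

demo_mschap2(56) returns CHK_OK, while demo_mschap2(24) returns CHK_RESPONSE_LEN because a 24-byte buffer cannot hold the documented authentication challenge + peer challenge + response. The hash buffers are checked with "at least" rather than "equal" so that a caller who over-allocates is not rejected; the response length is checked exactly because the table gives fixed sizes.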
Return codes

Table: Return codes (AAL2VerifyWin)

Code   Meaning
0      Success
1      Code not verified
130    Invalid response pointer
131    Missing required challenge
132    Unsupported token type
140    Challenge corrupted
201    Code replay attempt
202    Identification error threshold reached
205    Inactive days reached
208    Application disabled
412    Invalid checksum
413    Invalid Base64 format
510    Invalid Digipass data pointer
802    Change password mandatory
1000   Function does not support EMV-CAP
1039   Invalid response length with DP algorithm
1040   Invalid host code length with DP algorithm
1103   Unlock Version 2 not supported
1116   Response check digit not allowed
1117   Challenge check digit not allowed
1118   Unsupported BLOB
-101   Challenge too short
-102   Challenge too long
-103   Challenge check digit wrong
-105   Challenge minimum length not allowed
-106   Challenge maximum length not allowed
-107   Challenge number wrong
-108   Challenge character invalid