- 23 Jan 2025
- 1 minute read
Authenticator application BLOB HSM encryption
The Authentication Suite Server SDK BLOBs, which contain the Digipass profile and keys, remain in the host computer database under the control of the customer application, but are encrypted differently from the standard BLOB.
The most sensitive information inside the BLOB (the Digipass keys) is encrypted by the HSM using a long-term storage key held in the HSM. These keys therefore cannot be reconstructed or changed outside the HSM. To ensure unique encryption per BLOB, an 8-byte initialization vector can be specified; it is used during the HSM 3DES/AES encryption of the HSM-protected data.
Depending on the HSM type, other data of the BLOB will be protected either on a hardware level or on a software level.
A hash is calculated over the full BLOB. This hash allows the BLOB integrity to be checked prior to any operation on it.
Maintenance operations, for example resetting or re-synchronizing the token time drift, are possible without putting extra load on the HSM, as such operations do not require decrypting any of the HSM-encrypted sensitive data.
To increase performance, multiple HSMs with the same storage key can be used in parallel.
In this document, this BLOB is referred to as the HSM BLOB as opposed to the original standard BLOB.
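As an added illustration (not OneSpan's code or BLOB format), the following Python sketch models the layout described above: Digipass keys encrypted under an HSM storage key with a per-BLOB 8-byte IV, a hash over the full BLOB that is checked before any operation, and a time-drift reset that touches only plaintext fields and never calls the HSM. The `SimulatedHsm` class and its HMAC-SHA256 counter-mode keystream are stand-ins for a real HSM's 3DES/AES; field names are assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed model of an "HSM BLOB": the storage key lives only inside SimulatedHsm.
class SimulatedHsm:
    def __init__(self, storage_key: bytes):
        self._storage_key = storage_key  # long-term storage key, never exported

    def _keystream(self, iv: bytes, length: int) -> bytes:
        # HMAC in counter mode stands in for the HSM's 3DES/AES block cipher
        out = b""
        for counter in range((length + 31) // 32):
            out += hmac.new(self._storage_key, iv + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        return out[:length]

    def protect(self, secret: bytes, iv: bytes) -> bytes:
        assert len(iv) == 8  # one 8-byte IV per BLOB gives unique ciphertext per BLOB
        return bytes(a ^ b for a, b in zip(secret, self._keystream(iv, len(secret))))

    unprotect = protect  # XOR keystream cipher: same operation in both directions

def blob_hash(fields: dict) -> str:
    # Hash over the full BLOB content (canonical JSON so field order cannot matter)
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def make_hsm_blob(hsm: SimulatedHsm, digipass_key: bytes, profile: dict) -> dict:
    iv = os.urandom(8)
    fields = {"profile": profile, "time_drift": 0, "iv": iv.hex(),
              "keys_enc": hsm.protect(digipass_key, iv).hex()}  # only the keys go to the HSM
    return {**fields, "hash": blob_hash(fields)}

def verify_blob(blob: dict) -> bool:
    fields = {k: v for k, v in blob.items() if k != "hash"}
    return hmac.compare_digest(blob_hash(fields), blob["hash"])

def reset_time_drift(blob: dict) -> dict:
    # Maintenance path: integrity check, then edit a plaintext field; no HSM call needed
    if not verify_blob(blob):
        raise ValueError("BLOB integrity check failed")
    fields = {k: v for k, v in blob.items() if k != "hash"}
    fields["time_drift"] = 0
    return {**fields, "hash": blob_hash(fields)}

def recover_key(hsm: SimulatedHsm, blob: dict) -> bytes:
    # Sensitive path: integrity check first, then HSM decryption of the key material
    if not verify_blob(blob):
        raise ValueError("BLOB integrity check failed")
    return hsm.unprotect(bytes.fromhex(blob["keys_enc"]), bytes.fromhex(blob["iv"]))
```

Any HSM instance loaded with the same storage key can recover the keys, which is the property that lets several HSMs serve the same BLOBs in parallel. Note that an unkeyed hash like the one modelled here detects corruption; catching deliberate modification of the plaintext fields needs a keyed MAC or a signature over the BLOB.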
Some Digipass authenticators are able to perform operations based on a Secure Channel protocol. Such Digipass authenticators have a Secure Channel payload key, represented on the server side by a payload key BLOB. As with the authenticator application BLOBs, similar protection mechanisms apply to the payload key BLOBs.