Authenticator application BLOB secure storage

The authenticator application BLOBs in the database are protected by a key which is unique per record because it is derived from the Digipass serial number, the authenticator application name, and a static initial vector.

It is possible for customers to derive the default Authentication Suite Server SDK database protection key to obtain their own database protection key. The following sections describe the two possible methods.

Some Digipass are able to perform operations based on a Secure Channel protocol. These authenticators have a Secure Channel payload key represented on the server side by a payload key BLOB. As for the authenticator application BLOBs, similar protection mechanisms apply for the payload key BLOBs.

Derive vector

The database protection key is maintained within Authentication Suite Server SDK and can be uniquely configured for each customer via the derive vector. The derive vector value is stored as a kernel runtime parameter defined on the host, with possible values ranging from 0x00 to 0x7FFFFFFF.

Authentication Suite Server SDK uses the defined derive vector with a static key to derive a unique database key, which is then used to encrypt and decrypt the authenticator application BLOB.

After the first time the derive vector is used to encrypt/decrypt the authenticator application BLOB, the same derive vector must be used for all Authentication Suite Server SDK function calls. Otherwise, the authenticator application BLOB will be unreadable for Authentication Suite Server SDK. The derive vector value needs to be selected prior to the integration and must not be changed.

Storage derive key

The database protection key is maintained within Authentication Suite Server SDK and can be uniquely configured for each customer via a 32-byte derivation key. This derivation key value is set using the StorageDeriveKey1, StorageDeriveKey2, StorageDeriveKey3, StorageDeriveKey4, StorageDeriveKey5, StorageDeriveKey6, StorageDeriveKey7, and StorageDeriveKey8 kernel parameters, with possible values ranging from 0x00 to 0xFFFFFFFF for each of them.

If the derivation key selected by the host is 0x00 0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88 0x99 0xAA 0xBB 0xCC 0xDD 0xEE 0xFF 0xFF 0xEE 0xDD 0xCC 0xBB 0xAA 0x99 0x88 0x77 0x66 0x55 0x44 0x33 0x22 0x11 0x00, then:

• StorageDeriveKey1 = 0x00112233
• StorageDeriveKey2 = 0x44556677
• StorageDeriveKey3 = 0x8899AABB
• StorageDeriveKey4 = 0xCCDDEEFF
• StorageDeriveKey5 = 0xFFEEDDCC
• StorageDeriveKey6 = 0xBBAA9988
• StorageDeriveKey7 = 0x77665544
• StorageDeriveKey8 = 0x33221100

StorageDeriveKey1 to StorageDeriveKey8 form a 32-byte derivation key that Authentication Suite Server SDK uses together with a static key to derive a unique database key, which is then used to encrypt and decrypt the authenticator application BLOB.

After the first time the storage derive keys are used to encrypt/decrypt the authenticator application BLOB, the same storage derive keys must be used for all Authentication Suite Server SDK function calls. Otherwise, the authenticator application BLOB will be unreadable for Authentication Suite Server SDK. The storage derive keys need to be selected prior to the integration and must not be changed.