BLOBs migration from Thales ProtectServer HSM to Authentication Suite Server SDK for Entrust nShield HSM
Updated on 23 Jan 2025
The following steps perform a migration of the hardware-encrypted BLOBs used with a former Authentication Suite Server SDK for Thales ProtectServer HSM. These BLOBs are protected by a former HSM-level BLOB storage key 1 and optionally by an initial vector 1:
1. On the former Thales ProtectServer HSM side, with the Thales ProtectServer key management utility (KMU):
   - Generate a Key Encrypting Key (KEK) as a 3DES key split into 2 or 3 components. Write down the components and the key KCV.
   - Generate an HSM-level BLOB transport key 2 (3DES key). Write down the key KCV.
   - Export this HSM-level BLOB transport key 2 wrapped by the KEK.

   The KEK must be created with the following key attributes set to TRUE:
   - Sensitive
   - Export

   The HSM-level BLOB transport key 2 must be created with the following key attributes set to TRUE:
   - Sensitive
   - Exportable
   - Wrap
   - Unwrap
2. With the former Authentication Suite Server SDK for Thales ProtectServer HSM, migrate the hardware-encrypted BLOBs (authenticator application BLOBs and payload key BLOBs, if any) from HSM-level BLOB storage key 1 and initial vector 1 (if any) to HSM-level BLOB transport key 2, optionally with an initial vector 2. This results in hardware-encrypted BLOBs in a format that is ready for export.
3. On the Entrust nShield HSM side, with the Key Management Tool (see Key management utility):
   - Import the KEK from the components obtained in step 1 (see Import the customer’s KEK with custodians import). Check that the key KCV matches the KCV written down in step 1.
   - Import the HSM-level BLOB transport key 2 from its value wrapped by the KEK (see Import the HSM-level DPX transport key wrapped by the KEK). Check that the key KCV matches the KCV written down in step 1.
   - Generate an HSM-level BLOB storage key 3 (see OneSpan customer procedure).
4. With Authentication Suite Server SDK for Entrust nShield HSM, migrate the hardware-encrypted BLOBs obtained in step 2 from the reconstructed HSM-level BLOB transport key 2 and initial vector 2 (if any) to HSM-level BLOB storage key 3 and optionally initial vector 3. This results in the hardware-encrypted BLOBs being provided in the Entrust nShield format.
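The key-custody part of steps 1 and 3 (KEK split into custodian components, transport key wrapped under the KEK, and the KCV checks on the importing side) as an added Go example. This is not OneSpan, Thales or Entrust code: the function names are hypothetical, the KCV is assumed to be the common convention of the first three bytes of the 3DES encryption of an all-zero block (as both KMU and the nShield Key Management Tool are assumed to report it), and the raw 3DES-ECB wrap stands in for the vendor wrapped-key format, which the tools themselves produce and consume. The point it demonstrates is the control the procedure relies on: a mistyped component or the wrong wrapped value is rejected by the KCV comparison before the key is ever used.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// KCV: first 3 bytes of 3DES-encrypting an all-zero block, upper-case hex (assumed convention of both tools).
func KCV(key []byte) (string, error) {
	block, err := des.NewTripleDESCipher(key) // 24-byte K1|K2|K3; a two-key 3DES key is K1|K2|K1
	if err != nil {
		return "", err
	}
	var zero, out [8]byte
	block.Encrypt(out[:], zero[:])
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

// checkKCV compares a key's KCV with the value the custodians wrote down.
func checkKCV(name string, key []byte, want string) error {
	got, err := KCV(key)
	if err == nil && got != want {
		err = fmt.Errorf("%s KCV mismatch: got %s, want %s", name, got, want)
	}
	return err
}

// SplitComponents splits key into n custodian components whose XOR is the key; any n-1 reveal nothing.
func SplitComponents(key []byte, n int) ([][]byte, error) {
	comps := make([][]byte, n)
	last := append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		comps[i] = make([]byte, len(key))
		if _, err := rand.Read(comps[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= comps[i][j]
		}
	}
	comps[n-1] = last
	return comps, nil
}

// CombineComponents XORs the components back into the key.
func CombineComponents(comps [][]byte) ([]byte, error) {
	if len(comps) < 2 {
		return nil, fmt.Errorf("at least two components are required")
	}
	key := make([]byte, len(comps[0]))
	for _, c := range comps {
		if len(c) != len(key) {
			return nil, fmt.Errorf("component length mismatch")
		}
		for j := range key {
			key[j] ^= c[j]
		}
	}
	return key, nil
}

// WrapKey encrypts (encrypt=true) or decrypts each 8-byte block of key under the KEK.
// Raw 3DES-ECB keeps the demo short; it is not the ProtectServer or nShield wrapped-key format.
func WrapKey(kek, key []byte, encrypt bool) ([]byte, error) {
	block, err := des.NewTripleDESCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(key)%8 != 0 {
		return nil, fmt.Errorf("key length %d is not a multiple of 8", len(key))
	}
	op := block.Encrypt
	if !encrypt {
		op = block.Decrypt
	}
	out := make([]byte, len(key))
	for i := 0; i < len(key); i += 8 {
		op(out[i:], key[i:])
	}
	return out, nil
}

// ReceiveTransportKey performs the step 3 checks on the importing side: rebuild the KEK, verify its
// KCV, unwrap the transport key and verify that KCV too. Any mismatch aborts the import.
func ReceiveTransportKey(comps [][]byte, kekKCV string, wrapped []byte, transportKCV string) ([]byte, error) {
	kek, err := CombineComponents(comps)
	if err != nil {
		return nil, err
	}
	if err := checkKCV("KEK", kek, kekKCV); err != nil {
		return nil, err
	}
	transport, err := WrapKey(kek, wrapped, false)
	if err != nil {
		return nil, err
	}
	if err := checkKCV("transport key", transport, transportKCV); err != nil {
		return nil, err
	}
	return transport, nil
}
```

In a real ceremony the keys are generated inside the HSM and never leave it in clear; the XOR split is why a single custodian's component says nothing about the KEK, and the two KCV comparisons are the only evidence the importing side has that the rebuilt KEK and the unwrapped transport key 2 are the ones created on the ProtectServer side.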
The hardware-encrypted BLOBs obtained in step 4, together with HSM-level BLOB storage key 3 and initial vector 3 (if any), can then be used for operations with Authentication Suite Server SDK for Entrust nShield HSM, for example OTP validation (AS functions AAL2GenVerifyPasswordCmdEx and AAL2ProcVerifyPasswordReply).