BLOBs migration from Thales WebSentry HSM to Authentication Suite Server SDK for Entrust nShield HSM
Updated on 23 Jan 2025
The following steps perform a BLOB migration of the hardware-encrypted BLOBs used with a former VACMAN Controller for Thales WebSentry and protected by the former 3DES HSM-level BLOB storage key 1:
1. On the former Thales WebSentry HSM side, with the Thales WebSentry manager utility:
   - Generate a Key Encrypting Key (KEK): a 3DES ZMK split into 2 or 3 components. Write down the components and the key KCV.
   - Generate an HSM-level BLOB transport key 2: a 3DES ZMK split into 2 components. Write down the components and the key KCV.
   - Calculate the value of HSM-level BLOB transport key 2 encrypted by the KEK, using the 3DES_ECB mechanism:

     Encrypted_TK2 = 3DES_ECB [KEK] (TK2) = 3DES_ECB [KEK_component1 ⊕ KEK_component2 ⊕ …] (TK2_component1 ⊕ TK2_component2)

     Alternatively, export the HSM-level BLOB transport key 2 wrapped by the 3DES KEK using the 3DES_ECB mechanism; this yields the same value of the HSM-level BLOB transport key 2 encrypted by the KEK.
2. With the former VACMAN Controller for Thales WebSentry (v3.8.0.7), migrate the hardware-encrypted BLOBs (authenticator application BLOBs) from HSM-level BLOB storage key 1 to HSM-level BLOB transport key 2. This must be done with the AAL2MigrateBlobExportHSM function. The result is hardware-encrypted BLOBs in a format that is ready for export.
3. On the Entrust nShield HSM side, with the OneSpan manager tool (see Key management utility):
   - Import the KEK from the multiple components obtained in step 1 (see Import the customer’s KEK with custodians import). Check that the key KCV matches the KCV written down in step 1.
   - Import the HSM-level BLOB transport key 2 from its value encrypted by the KEK (see Import the HSM-level DPX transport key wrapped by the KEK). Check that the key KCV matches the KCV written down in step 1.
   - Generate an HSM-level BLOB storage key 3 (see OneSpan customer procedure).
4. With Authentication Suite Server SDK for Entrust nShield HSM, migrate the hardware-encrypted BLOBs obtained in step 2 from the reconstructed HSM-level BLOB transport key 2 to HSM-level BLOB storage key 3 and, optionally, initial vector 3. This produces hardware-encrypted BLOBs in the Entrust nShield format.
The hardware-encrypted BLOBs obtained in step 4 can then be used with HSM-level BLOB storage key 3 and initial vector 3 (if any) for operations with Authentication Suite Server SDK for Entrust nShield HSM, for example OTP validation (AS functions AAL2GenVerifyPasswordCmdEx and AAL2ProcVerifyPasswordReply).
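As an added example (not code from OneSpan, Thales or Entrust tooling), this Go program models the key arithmetic behind steps 1 and 3: the KEK and transport key 2 are rebuilt by XOR of their clear components, Encrypted_TK2 is computed as 3DES_ECB [KEK] (TK2), and the importing side unwraps it and compares the KCV with the value written down in step 1. It assumes triple-length (24-byte) 3DES components, which is what Go's crypto/des takes, and the usual KCV definition (first three bytes of the 3DES encryption of an all-zero block); the HSMs' own ZMK formats and parity handling are not modelled.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// xorComponents rebuilds the clear key from its custodian components (all the same length), as at import.
func xorComponents(comps [][]byte) []byte {
	key := make([]byte, len(comps[0]))
	for _, c := range comps {
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return key
}
// ecb applies one 3DES block operation (Encrypt to wrap, Decrypt to unwrap) to block-aligned data, block by block.
func ecb(op func(dst, src []byte), data []byte) []byte {
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += des.BlockSize {
		op(out[i:], data[i:])
	}
	return out
}
// kcv is the assumed key check value: the first 3 bytes of the 3DES-ECB encryption of an all-zero block.
func kcv(encrypt func(dst, src []byte)) []byte { return ecb(encrypt, make([]byte, des.BlockSize))[:3] }
// ExportTransportKey models step 1: KEK and TK2 are rebuilt from components, then Encrypted_TK2 = 3DES_ECB[KEK](TK2).
func ExportTransportKey(kekComps, tk2Comps [][]byte) ([]byte, []byte, error) {
	tk2 := xorComponents(tk2Comps)
	kek, err1 := des.NewTripleDESCipher(xorComponents(kekComps))
	tk2Cipher, err2 := des.NewTripleDESCipher(tk2)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("bad key components: %v %v", err1, err2)
	}
	return ecb(kek.Encrypt, tk2), kcv(tk2Cipher.Encrypt), nil
}
// ImportTransportKey models step 3: rebuild the KEK, unwrap Encrypted_TK2 and check the KCV written down in step 1.
func ImportTransportKey(kekComps [][]byte, encTK2, expectedKCV []byte) ([]byte, error) {
	kek, err := des.NewTripleDESCipher(xorComponents(kekComps))
	if err != nil || len(encTK2)%des.BlockSize != 0 {
		return nil, fmt.Errorf("bad KEK or unaligned wrapped key (%v)", err)
	}
	tk2 := ecb(kek.Decrypt, encTK2)
	if c, err := des.NewTripleDESCipher(tk2); err != nil || string(kcv(c.Encrypt)) != string(expectedKCV) {
		return nil, fmt.Errorf("KCV check failed for unwrapped key (%v)", err)
	}
	return tk2, nil
}
```

A KCV mismatch on import means the KEK was reconstructed from wrong or mis-ordered components, or the wrapped value was altered in transit; the transport key must not be used until the components are re-checked.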