Conceptual description

Authentication Suite Server SDK facilitates the validation of passwords and signatures from Digipass authenticators. For this purpose, Authentication Suite Server SDK has to handle a copy of the parameters and secrets that are programmed on the Digipass authenticator. Authentication Suite Server SDK retrieves this information from the authenticator application BLOB, which is a flat data structure stored in a database accessible from the computer where Authentication Suite Server SDK is running.

To prevent unauthorized access, the authenticator application BLOB is protected (secrecy and integrity) through an AES-based encryption. The standard version of Authentication Suite Server SDK is a full software product and the AES keys used for this encryption are based upon secret codes stored in the software and passed during runtime.

In case a higher level of security is required, it is possible to migrate to the Authentication Suite Server SDK for HSM solution. A hardware security module (HSM) is a tamper-proof hardware module that is connected to, or inserted into, the host computer. The HSM contains a secure storage for secret keys in combination with cryptographic processing capabilities.

Using an HSM in combination with Authentication Suite Server SDK ensures that the Digipass secrets cannot be viewed on the host computer. The Authentication Suite Server SDK for HSM solution uses 3DES or AES HSM keys to encrypt the authenticator application BLOBs. When a wrong Digipass password or signature is rejected, the HSM guarantees that the correct password or signature is not available on the host computer.

Authentication Suite Server SDK always generates the correct answer to test if the received answer is correct.