- 23 Jan 2025
- 3 minute read
Digipass data model
The Digipass data model is the software abstraction of the Digipass parameter settings. The data model consists of:
- Digipass serial number
- Digipass type
- authenticator application names
- authenticator application authentication modes
- authenticator application BLOBs
Digipass serial number
The Digipass serial number is a string of ten characters. For hardware devices pre-provisioned in the factory (for instance Digipass GO 3 or Digipass 300), this number is a string of ten digits. The serial number is printed on the back of the hardware device.
For hardware or software devices post-provisioned through activation, the string may consist of three uppercase letters or digits followed by seven digits.
Digipass type
The Digipass type indicates the device model. It is a string of five characters, each an uppercase letter or a digit, identifying the Digipass model, for example:
- DPGO3 for the one-button Digipass GO 3
- DP300 for the keypad Digipass 300
- WEB10 for Digipass for Web
Authenticator application name
Each authenticator application has a defined name that distinguishes it from the other authenticator applications (if any) on the same Digipass. The authenticator application name is a string of 12 characters. Each character can be an uppercase letter, a digit, an underscore character (_), or a space, for example (shorter names are padded with spaces to 12 characters):
- "APPL_1 "
- "AUTH "
- "SIGN "
- etc.
Authenticator application authentication mode
The authentication mode of an authenticator application is a two-character string representing the authenticator application behavior:

| Authentication mode string | Description |
|---|---|
| RO | Response-Only: the Digipass generates the OTP directly. |
| CR | Challenge/Response: the Digipass requires a challenge to generate an OTP. |
| SG | Signature: the Digipass generates a signature over the data fields provided as input. |
| MM | Multi-mode: a signature with optional data fields. This mode is mainly used with software Digipass authenticators. The application can be used in Response-Only, Challenge/Response, or Signature mode. Multi-mode applies to applications with a challenge number greater than 0, a minimum length of 0 for the first challenge, and a codeword indicating that the challenge is processed with right-padding of zeros. |
| UL | Unlock V2: this mode is reserved for Unlock V2 applications. Unlock V2 is a new unlock mechanism (for compliant Digipass authenticators only) which is compatible with DES, 3DES, AES, OATH, and SM3 Digipass. In contrast to the Unlock V1 mechanism, Unlock V2 uses a dedicated application BLOB (with authentication mode UL) instead of the Digipass authentication modes RO, CR, SG, or MM. |
| MA | Master Activation application: this mode is reserved for master activation applications. Master activation applications are particular authenticator applications used as licenses in the context of multi-device licensing (see Multi-device licensing) for Digipass devices that support two-step multi-device activation (see Digipass Multi-Device Activation Service). Each master activation application corresponds to a particular Digipass license and is used to activate a Digipass device with an instance of that license. |
Authenticator application BLOB
All services provided by OneSpan Authentication Suite Server SDK use the same data block structure, the authenticator application BLOB, which contains all the parameter settings and secrets of one authenticator application (a Digipass authenticator can have from one to eight Digipass authentication or e-signature applications).
The authenticator application BLOB is an ASCII string of 248 characters with an integrity-checking mechanism based on a SHA-256 hash.
There is one BLOB per authenticator application. The ten-character serial number of the Digipass authenticator and the 12-character authenticator application name appear in clear text; the remaining 226 characters carry the other parameter settings, sensitive or not. The sensitive data is encrypted using AES-256.
The ciphered sensitive data contains:
- DES, 3DES, AES, OATH, or SM3 keys
- Event counter value
- Offset values
- Unlock key
- Server static PIN
- etc.
These BLOBs are initially obtained from an import file with a .dpx extension containing the image of a batch of Digipass authenticators. The DPX Import Service of OneSpan Authentication Suite Server SDK extracts the BLOBs from the DPX file and populates a database with them.
In the context of single-device licensing (see Single-device licensing), the DPX file directly contains the authentication and e-signature applications for a batch of Digipass authenticators.
In the context of multi-device licensing (see Multi-device licensing), the DPX file contains the master activation applications for a batch of Digipass licenses.
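The field formats described above (serial number, Digipass type, application name, authentication mode) and the clear-text layout of the 248-character BLOB are easy to get wrong when BLOBs are handed around between import tooling, databases and logs. The following is an added example, not code from OneSpan or from the Server SDK, of a sanity check that could run before a DPX import: it validates each field against the rules on this page and splits a BLOB into its clear-text serial number, application name and the opaque 226-character remainder. It assumes the serial number occupies the first 10 characters and the application name the next 12 (the page states only that the other settings sit on the last 226 characters), and it deliberately never interprets the remainder, which holds the AES-256-encrypted secrets and the integrity data. The sample BLOB is constructed for the example.

```python
import re
from dataclasses import dataclass

# Format rules as stated in the Digipass data model description.
# Hypothetical helper code for illustration; not the OneSpan SDK API.
SERIAL_FACTORY_RE = re.compile(r"[0-9]{10}")           # pre-provisioned in factory
SERIAL_ACTIVATED_RE = re.compile(r"[A-Z0-9]{3}[0-9]{7}")  # post-provisioned via activation
TYPE_RE = re.compile(r"[A-Z0-9]{5}")                   # e.g. DPGO3, DP300, WEB10
APP_NAME_RE = re.compile(r"[A-Z0-9_ ]{12}")            # uppercase, digit, underscore, space
AUTH_MODES = frozenset({"RO", "CR", "SG", "MM", "UL", "MA"})

BLOB_LENGTH = 248
SERIAL_LENGTH = 10
APP_NAME_LENGTH = 12
OPAQUE_LENGTH = BLOB_LENGTH - SERIAL_LENGTH - APP_NAME_LENGTH  # 226 characters


def is_valid_serial(serial: str) -> bool:
    return bool(SERIAL_FACTORY_RE.fullmatch(serial) or SERIAL_ACTIVATED_RE.fullmatch(serial))


def is_valid_type(digipass_type: str) -> bool:
    return bool(TYPE_RE.fullmatch(digipass_type))


def is_valid_app_name(app_name: str) -> bool:
    return bool(APP_NAME_RE.fullmatch(app_name))


def is_valid_auth_mode(mode: str) -> bool:
    return mode in AUTH_MODES


@dataclass(frozen=True)
class BlobHeader:
    serial: str      # clear-text serial number (10 characters)
    app_name: str    # clear-text application name (12 characters, space padded)
    opaque: str      # remaining 226 characters: encrypted settings + integrity data, never parsed here


def parse_blob_header(blob: str) -> BlobHeader:
    """Split a BLOB into its clear-text fields; raise ValueError on any format violation."""
    if len(blob) != BLOB_LENGTH:
        raise ValueError(f"BLOB length {len(blob)}, expected {BLOB_LENGTH}")
    if not blob.isascii():
        raise ValueError("BLOB must be an ASCII string")
    serial = blob[:SERIAL_LENGTH]
    app_name = blob[SERIAL_LENGTH:SERIAL_LENGTH + APP_NAME_LENGTH]
    if not is_valid_serial(serial):
        raise ValueError(f"invalid serial number {serial!r}")
    if not is_valid_app_name(app_name):
        raise ValueError(f"invalid application name {app_name!r}")
    return BlobHeader(serial, app_name, blob[SERIAL_LENGTH + APP_NAME_LENGTH:])


def check_blobs(blobs: list[str]) -> dict[int, str]:
    """Pre-import check over a batch: map each malformed BLOB's index to its error."""
    problems: dict[int, str] = {}
    for index, blob in enumerate(blobs):
        try:
            parse_blob_header(blob)
        except ValueError as exc:
            problems[index] = str(exc)  # report position only; never log BLOB content
    return problems


# Constructed sample BLOB: factory serial, padded name, filler standing in for the opaque part.
SAMPLE_SERIAL = "0123456789"
SAMPLE_APP_NAME = "APPL_1".ljust(APP_NAME_LENGTH)
SAMPLE_OPAQUE = ("0123456789ABCDEF" * 15)[:OPAQUE_LENGTH]
SAMPLE_BLOB = SAMPLE_SERIAL + SAMPLE_APP_NAME + SAMPLE_OPAQUE

if __name__ == "__main__":
    header = parse_blob_header(SAMPLE_BLOB)
    print("serial:", header.serial, "app:", repr(header.app_name), "opaque chars:", len(header.opaque))
    print("problems:", check_blobs([SAMPLE_BLOB, SAMPLE_BLOB[:-1], "x" + SAMPLE_BLOB[1:]]))
```

Because the serial number and application name are in clear text, a BLOB is directly attributable to a device even without the key material; the check above therefore reports only the index of a rejected BLOB, not its content, so the encrypted tail never reaches log files.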