Digipass Secure Channel Service
- Updated on 23 Jan 2025
- 6 minute read
Description
The Digipass Secure Channel Service groups functionalities for operations based on the Secure Channel protocol for compliant Digipass devices (software or hardware): generation of Secure Channel request messages and deactivation messages; and processing of response messages and information messages. The Secure Channel is applicable only to certain Digipass devices (e.g. Digipass 760, some software authenticators supporting multi-device activation and the Secure Channel, Digipass GO 215, some Digipass 875 smart card readers).
The Secure Channel is optional for Digipass devices compliant with multi-device licensing, and is usable only if the Secure Channel feature has been ordered (configured by OneSpan at the time of order); see Multi-device licensing for more information. If the Secure Channel feature has been ordered, the activation process requires provisioning of a payload key that will be used to generate or process Secure Channel messages, represented on the server side by a payload key BLOB.
For Digipass devices compliant with single-device licensing, the Secure Channel is only applicable to connected Digipass hardware devices able to perform operations based on the Secure Channel protocol (Digipass GO 215, some Digipass 875 smart card readers). In this case, the payload key BLOB used to generate or process Secure Channel messages is obtained from the DPX file at import time; see Single-device licensing for more information.
The Secure Channel protocol allows the protection of the messages exchanged between the server side and the client side using the payload key.
The payload key is a shared key specific to each Digipass serial number. Consequently, Secure Channel messages protected with a given payload key are bound to that Digipass serial number and cannot be processed with the payload key of another serial number.
Secure Channel deactivation global workflow
A Digipass instance previously activated on a Digipass device can optionally be removed through a deactivation process involving a deactivation message (applicable only to Digipass devices compliant with multi-device licensing and using the Secure Channel feature).
The server sends a protected deactivation message to the device containing the identifier of the Digipass serial number license and the sequence number of the instance to destroy.
For fallback reasons, the deactivation message can be stored on the server.
Authentication Suite Server SDK will be involved in the following steps during the Secure Channel deactivation process:
- Step 2: Generation of the deactivation message
In step 4, Authentication Suite Server SDK is not involved in transforming the message into an image or other medium (e.g. a Cronto image generated with the Image Generator SDK).
General Secure Channel request global workflow
To transfer a protected request message to a compliant Digipass device, a request message generation functionality is available.
The server sends a protected request message to a device hosting a Digipass instance with a given Digipass serial number; the message is protected with the payload key specific to that Digipass serial number license.
Authentication Suite Server SDK will be involved in the following steps during the Secure Channel request process:
- Step 2: Generation of the request message from the request data body
Step 1: Authentication Suite Server SDK will not be involved in the generation of the clear request data body (e.g. request data body generated with the Secure Messaging SDK Server). Authentication Suite Server SDK is agnostic to the content of the request.
Step 3: Authentication Suite Server SDK is not involved in transforming the message into an image or other medium (e.g. a Cronto image generated with the Image Generator SDK).
- (OPTIONAL) Step 7: Depending on the nature of the device and of the request, the reply to the request can be:
- Nothing (the request does not imply any reply data from the device)
- A message signature to validate (the Digipass device generated a signature using the request message as the message to sign). In this case, the request message signature must be verified using the dedicated message signature validation functionality and the correct Digipass instance application BLOB. The Digipass instance application BLOB to use must correspond to the crypto application that the request targets (the crypto application to use is indicated in the request data body). See Secure Channel request/response global workflow for more information.
- A response message to be used on the server side to extract some output data in the response. See Secure Channel request/response global workflow for more information.
Secure Channel request/response global workflow
For Digipass client devices supporting the 2-way Secure Channel, the device can send back a Secure Channel response message as a reply to a Secure Channel request message.
To use, on the server side, a response message sent by a Digipass device in reply to a request message, a response message processing functionality is available.
The corresponding flow is a particular case of the General Secure Channel request global workflow, where the device replies with a response message to be used on the server side.
Authentication Suite Server SDK will be involved in the following steps during the Secure Channel request/response process:
- Step 2: Generation of the request message from the request data body
- Step 7: Processing of the response message to obtain the response data body in clear
Step 1: Authentication Suite Server SDK will not be involved in the generation of the clear request data body (e.g. request data body generated with the Secure Messaging SDK Server). Authentication Suite Server SDK is agnostic to the content of the request.
Step 8: Authentication Suite Server SDK will not be involved in the parsing and usage of the clear response data body (e.g. response data body parsed with the Secure Messaging SDK Server). Authentication Suite Server SDK is agnostic to the content of the response.
Steps 7 and 8: In case of response messages to be used on the server side, the following server components must be used to process and parse a Secure Channel response message:
- The Authentication Suite Server SDK library must be used to extract a response body from the Secure Channel response message.
- The Secure Messaging SDK Server must be used to output response data from the response body extracted by Authentication Suite Server SDK.
Secure Channel information global workflow
To let a Digipass device securely transfer raw data to the server side without a preceding request, an information message processing functionality is available.
This information data flow is only applicable with compliant software Digipass devices able to generate Secure Channel information messages. It involves the generation of an information message on the client side, and the parsing of the information message on the server side.
Unlike a response message (see Secure Channel request/response global workflow), the Secure Channel information message is a standalone message transferred from the Digipass client device to the server without a request message first being sent from the server to the Digipass client device.
Authentication Suite Server SDK will be involved in the following steps during the Secure Channel information process:
- Step 3: Processing of the information message to obtain the information data body in clear
Step 4: Authentication Suite Server SDK will not be involved in the usage of the clear information data body (e.g. information data body used by a layer above Authentication Suite Server SDK). Authentication Suite Server SDK is agnostic to the content of the raw information data.
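The server-side handling common to the deactivation, request/response and information workflows above, as an added model that is not OneSpan's SDK API and not the real Secure Channel wire format: the message layout, the HMAC-based protection, the serial numbers, license identifiers and keys are all constructed assumptions standing in for the opaque payload key BLOBs the real SDK uses. The point it exercises is the one the page makes: a message protected for one Digipass serial number is rejected when presented against another.

```python
import hmac
import hashlib
import json

# Constructed server-side key store: one payload key per Digipass serial number.
# In the real SDK this is an opaque payload key BLOB obtained at activation
# (multi-device licensing) or from the DPX file at import (single-device licensing).
PAYLOAD_KEYS = {
    "VDS0000001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "VDS0000002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}

def _tag(key: bytes, msg_type: str, serial: str, body: bytes) -> str:
    # Bind the MAC to message type and serial so a message cannot be replayed
    # as another type or against another Digipass instance (model, not the real format).
    data = msg_type.encode() + b"\x00" + serial.encode() + b"\x00" + body
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def protect(msg_type: str, serial: str, body: bytes) -> dict:
    """Wrap a clear body into a Secure Channel message bound to `serial`."""
    return {"type": msg_type, "serial": serial, "body": body.hex(),
            "tag": _tag(PAYLOAD_KEYS[serial], msg_type, serial, body)}

def unprotect(msg: dict, expected_type: str) -> bytes:
    """Server side (steps 7/3): verify a response or information message, return its clear body."""
    key = PAYLOAD_KEYS.get(msg["serial"])
    if key is None:
        raise ValueError("unknown Digipass serial number")
    if msg["type"] != expected_type:
        raise ValueError("unexpected message type")
    body = bytes.fromhex(msg["body"])
    if not hmac.compare_digest(msg["tag"], _tag(key, msg["type"], msg["serial"], body)):
        raise ValueError("integrity check failed: wrong payload key or tampered message")
    return body  # parsing the clear body belongs to the layer above (e.g. Secure Messaging SDK)

def deactivation_message(serial: str, license_id: str, sequence_number: int) -> dict:
    # Carries the serial number license identifier and the sequence number to destroy.
    body = json.dumps({"license": license_id, "seq": sequence_number}).encode()
    return protect("DEACTIVATE", serial, body)

def request_message(serial: str, request_body: bytes) -> dict:
    # The clear request body comes from a layer above; this layer is agnostic to it.
    return protect("REQUEST", serial, request_body)
```

A 2-way device holding the same payload key would answer with `protect("RESPONSE", serial, body)`, and a software device would send `protect("INFO", serial, body)` unsolicited; both are consumed with `unprotect`.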
Functionalities
The Digipass Secure Channel Service relies on the following functionalities:
- Deactivation message generation
- Request message generation
- Response message processing
- Information message processing
- Message properties retrieval