DPX Import Service
  • 23 Jan 2025

Description

As with the DPX Import Service offered by the standard Authentication Suite Server SDK, this service groups the functionalities responsible for extracting Digipass data from the DPX file. For more information on the standard DPX Import Service, refer to the Authentication Suite Server SDK Product Guide.

In addition to the standard functionalities such as initialization, Digipass data extraction and finalization, the DPX import process with Authentication Suite Server SDK for HSM requires the encryption migration of the imported Digipass data. This consists of migrating the imported BLOBs from their encryption under an HSM-level transport key (in case of a double DPX file encryption) or under a software encryption (in case of standard DPX file encryption) to an encryption under an HSM storage key before storing them in the database.

The import process consists of five mandatory steps:

  1. Initialization
  2. Digipass data extraction
  3. Digipass data migration [1]
  4. Digipass data storage: Digipass data obtained in the previous step is written into the database.
  5. Finalization: The DPX file is closed.

(OPTIONAL 1) In addition to this standard import process common to all Digipass authenticators, a step must be added to extract the static vector from the DPX file for certain categories of Digipass authenticators. The static vector is a string containing parameter settings for the Digipass activation. The presence of the static vector in the DPX file and its usage is applicable only to the following categories of Digipass authenticators:

  • Software Digipass compliant with standard activation (in the context of single-device licensing; for more information, see the Authentication Suite Server SDK Product Guide).
  • Software or hardware Digipass authenticators compliant with multi-device activation (in the context of multi-device licensing; for more information, see the Authentication Suite Server SDK Product Guide).

(OPTIONAL 2) In addition to this standard import process common to all Digipass authenticators, a step must be added to extract the message vector from the DPX file for certain categories of Digipass authenticators. The message vector is a string containing configuration settings for the message generation. The presence of the message vector in the DPX file and its usage is applicable only to the following categories of Digipass authenticators:

  • Software or hardware Digipass authenticators compliant with multi-device activation (in the context of multi-device licensing; for more information, see the Authentication Suite Server SDK Product Guide).
  • Software or hardware Digipass authenticators that support operations based on the Secure Channel protocol (for more information, see the Authentication Suite Server SDK Product Guide).

(OPTIONAL 3) In addition to this standard import process common to all Digipass authenticators, additional data must be retrieved for each Digipass data extraction in case of software or hardware Digipass authenticators compliant with multi-device activation: the sequence number threshold and the activation vector. The sequence number threshold is an integer indicating the number of instances that can be created from a certain Digipass license; the activation vector is a string containing encrypted activation data for a certain Digipass license. The presence of the sequence number threshold and activation vector data in the DPX file and their usage is applicable only to the following category of Digipass authenticators:

  • Software or hardware Digipass authenticators compliant with multi-device activation (in the context of multi-device licensing; for more information, see the Authentication Suite Server SDK Product Guide).

(OPTIONAL 4) In addition to this standard import process common to all Digipass authenticators, additional data must be retrieved for each Digipass data extraction in case of hardware Digipass authenticators based on the single-device licensing model and using the Secure Channel protocol: the payload key BLOB. The payload key BLOB (if any) contains a Secure Channel payload key that is used in operations based on the Secure Channel protocol. The presence of the payload key BLOB in the DPX file and its usage is applicable only to the following category of Digipass authenticators:

  • Hardware Digipass authenticators based on the single-device licensing model (provisioned in factory) which support operations based on the Secure Channel protocol; for more information, see the Authentication Suite Server SDK Product Guide.

Functionalities

To import Digipass data from a DPX file, the following functionalities of Authentication Suite Server SDK for HSM must be used: the Digipass data import functionalities of the DPX Import Service, the Digipass HSM protection key management functionality, and the payload key BLOB HSM protection key management functionality (if a payload key BLOB is obtained during import). See Figure: Import process workflow.

Figure: Import process workflow

[1] Prior to any call to HSM-related functionalities (see Functionalities), you must migrate the BLOB encryption: use the Digipass HSM protection key management functionality to migrate the Digipass BLOB encryption, and the payload key BLOB HSM protection key management functionality to migrate the payload key BLOB encryption. The Authentication Suite Server SDK for HSM services based on HSM-related functionalities will not work with BLOBs that have not been migrated.
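The five mandatory steps and the migration requirement can be modelled as an import loop that refuses to store any BLOB not yet under the HSM storage key and always closes the DPX file. This is an added example, not code from the SDK or its documentation: the adapter methods (`initialize`, `extract`, `migrate_digipass`, `migrate_payload_key`, `finalize`), the `protection` tag, and the sample records are hypothetical and stand in for the real SDK calls and BLOB contents.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Protection states described on the page; the tag strings are constructed here.
SOFTWARE, HSM_TRANSPORT, HSM_STORAGE = "software", "hsm-transport", "hsm-storage"

@dataclass(frozen=True)
class Blob:
    data: bytes
    protection: str  # hypothetical tag; a real BLOB is opaque to the caller

@dataclass(frozen=True)
class Record:
    serial: str
    digipass: Blob
    payload_key: Optional[Blob] = None  # present only for OPTIONAL 4 devices

class UnmigratedBlobError(Exception):
    """A BLOB reached the storage step without HSM storage-key protection."""

def import_dpx(dpx, hsm, db):
    """Five-step import; dpx and hsm are hypothetical adapters, db is a list."""
    dpx.initialize()                                    # 1. initialization
    try:
        for rec in dpx.extract():                       # 2. data extraction
            rec = replace(rec,                          # 3. data migration
                digipass=hsm.migrate_digipass(rec.digipass),
                payload_key=(hsm.migrate_payload_key(rec.payload_key)
                             if rec.payload_key is not None else None))
            for blob in (rec.digipass, rec.payload_key):
                if blob is not None and blob.protection != HSM_STORAGE:
                    raise UnmigratedBlobError(rec.serial)
            db.append(rec)                              # 4. data storage
    finally:
        dpx.finalize()                                  # 5. finalization, even on error
    return db

class FakeDpx:  # stand-in for the DPX Import Service
    def __init__(self, records): self.records, self.is_open = records, False
    def initialize(self): self.is_open = True
    def extract(self): return iter(self.records)
    def finalize(self): self.is_open = False

class FakeHsm:  # stand-in: only retags; the real re-encryption happens in the HSM
    def migrate_digipass(self, blob): return Blob(blob.data, HSM_STORAGE)
    def migrate_payload_key(self, blob): return Blob(blob.data, HSM_STORAGE)

# Constructed sample: one standard-encrypted record, one double-encrypted with a payload key.
SAMPLE = [Record("C-0001", Blob(b"\x01", SOFTWARE)),
          Record("C-0002", Blob(b"\x02", HSM_TRANSPORT), Blob(b"\x03", HSM_TRANSPORT))]
```

Calling `import_dpx(FakeDpx(SAMPLE), FakeHsm(), [])` returns both records with every BLOB tagged as storage-key protected; an adapter that skips the payload key migration makes the loop raise before the affected record is stored.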

