- 23 Jan 2025
HSM-level BLOB storage key
The HSM-level BLOB storage key is used to encrypt the sensitive Digipass information of the authenticator application BLOB for long-term storage.
The HSM-level BLOB storage key is only used for authenticator applications.
This key is generated by the customer within the HSM and has the following properties:
- It is one of the following:
  - a double-length 3DES key (128 bits, including parity bits)
  - a triple-length 3DES key (192 bits, including parity bits; triple-length is highly recommended)
  - an AES-128 key (128 bits)
  - an AES-256 key (256 bits)
- It is generated in the customer's hardware security module.
- It is not exportable in the clear from the production hardware security module.
- It is rotated on a regular basis, expected to be every two years at most.
This key must be loaded into the Authentication Suite Server SDK SEE machine whenever authenticator applications encrypted with this HSM-level BLOB storage key are used with Authentication Suite Server SDK for HSM.
It is highly recommended to no longer use HSM-level BLOB storage keys that are double-length 3DES keys, and to use HSM-level BLOB storage keys that are triple-length 3DES or AES keys instead. See Compatibility of HSM-level BLOB storage key with authenticator application for the compatibility matrix of HSM-level BLOB storage keys with authenticator applications.
Compatibility of HSM-level BLOB storage key with authenticator application
Table: Compatibility of HSM-level BLOB storage key with authenticator application summarizes the compatibility of the 3DES or AES HSM storage keys with the different types of authenticator application embedded in an authenticator application BLOB (HSM encrypted).
When using HSM transport keys of type AES-128 or AES-256, the following authenticator applications are no longer supported:
- authenticator applications using DES or 3DES
- authenticator applications using the UnlockV1 unlocking mechanism (UnlockV1 is based on a DES key)
For Digipass using the DES or 3DES algorithm and/or UnlockV1 unlocking, hardware encryption with HSM transport keys must use 3DES HSM keys.
As of version 12.50 of the Entrust nShield software and firmware, new security worlds created in strict FIPS 140-2 level 3 mode no longer allow 3DES operations with the HSM.
To use 3DES HSM transport keys with OneSpan Authentication Suite Server SDK for Entrust nShield HSM, you must either:
- Use a security world (whether FIPS 140-2 level 2 or FIPS 140-2 level 3) that was created prior to Entrust nShield security world software version 12.50.
- Use a FIPS 140-2 level 2 security world if it was created with Entrust nShield security world software version 12.50 or later.
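The key properties and compatibility rules above can be turned into a configuration check run before a storage key is put into service. The following is an added example, not code from OneSpan's documentation or SDK: the `StorageKey`, `AuthenticatorApp` and `SecurityWorld` descriptors, the ISO date strings and the (major, minor) version tuple are assumptions made for illustration; the key material itself never leaves the HSM, so only its metadata is checked.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_KEY_AGE_DAYS = 2 * 365        # page: rotation expected every two years at most
STRICT_3DES_CUTOFF = (12, 50)     # page: strict FIPS 140-2 L3 worlds from nShield 12.50 drop 3DES
ALLOWED_KEY_TYPES = {("3DES", 128), ("3DES", 192), ("AES", 128), ("AES", 256)}

@dataclass
class StorageKey:                 # hypothetical descriptor; the key itself stays inside the HSM
    algorithm: str                # "3DES" or "AES"
    bits: int                     # length in bits, parity bits included for 3DES
    generated_on: str             # ISO date, e.g. "2024-01-15"
    exportable_in_clear: bool = False

@dataclass
class AuthenticatorApp:           # hypothetical profile of one authenticator application
    cipher: str                   # "DES", "3DES" or "AES"
    unlock: Optional[str] = None  # unlocking mechanism, e.g. "UnlockV1"

@dataclass
class SecurityWorld:              # hypothetical descriptor of the nShield security world
    fips_level: int               # 2 or 3
    created_with: tuple           # (major, minor) nShield software version that created it

def check_storage_key(key, apps, world, today):
    """Return (severity, message) findings; an empty list means the setup is acceptable."""
    findings = []
    if (key.algorithm, key.bits) not in ALLOWED_KEY_TYPES:
        return [("error", f"{key.algorithm}-{key.bits} is not an allowed storage key type")]
    if (key.algorithm, key.bits) == ("3DES", 128):
        findings.append(("warning", "double-length 3DES is deprecated; use triple-length 3DES or AES"))
    if key.exportable_in_clear:
        findings.append(("error", "storage key must not be exportable from the HSM in the clear"))
    age = date.fromisoformat(today) - date.fromisoformat(key.generated_on)
    if age.days > MAX_KEY_AGE_DAYS:
        findings.append(("error", "storage key is older than two years; rotation is overdue"))
    if key.algorithm == "AES":
        # AES storage keys cannot protect DES/3DES authenticators or UnlockV1 (a DES-based unlock)
        for app in apps:
            if app.cipher in ("DES", "3DES") or app.unlock == "UnlockV1":
                findings.append(("error", f"AES key cannot protect a {app.cipher} authenticator "
                                          f"with unlock={app.unlock}; a 3DES storage key is required"))
    elif world.fips_level == 3 and world.created_with >= STRICT_3DES_CUTOFF:
        findings.append(("error", "3DES is not available in a strict FIPS 140-2 level 3 world "
                                  "created with nShield 12.50 or later"))
    return findings
```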