HSM-level DPX transport key
  • 23 Jan 2025


Article summary

The HSM-level DPX transport key is used to encrypt the sensitive Digipass information in a DPX file. The key is typically generated by the customer and distributed to OneSpan encrypted under a key encrypting key (KEK).

The HSM-level DPX transport key is only used for authenticator applications.

The key check value (KCV) and name of the HSM-level DPX transport key are included in clear text in the DPX file.

The HSM-level DPX transport key has the following properties:

  • The key is one of:

    • Double-length 3DES key (128 bits, including parity bits)
    • Triple-length 3DES key (192 bits, including parity bits); triple-length is recommended
    • AES-128 key (128 bits)
    • AES-256 key (256 bits)
  • The key is typically generated in the customer's hardware security module.
  • The key is not exportable in clear from the production hardware security module.
  • The key is rotated on a regular basis; the rotation interval is expected to be at most two years.

It is highly recommended to stop using double-length 3DES keys as HSM-level DPX transport keys and to use triple-length 3DES or AES keys instead. See Compatibility of HSM-level DPX transport key with authenticator application for the compatibility matrix of HSM-level DPX transport key types with authenticator applications.
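As an added illustration (not code from the OneSpan page or product), the following Go program validates a candidate HSM-level DPX transport key against the key sizes listed above and computes the key check value (KCV) that, together with the key name, is carried in clear text in the DPX file. The KCV is computed here as the first three bytes of the encryption of an all-zero block under the key; that is the common convention and is an assumption, since the page does not state how OneSpan derives the KCV. The odd-parity check on 3DES key bytes is standard DES key hygiene, and the "deprecated" flag reflects the recommendation above to retire double-length 3DES keys. The type, function and field names are this example's own, and the sample keys are constructed for the demonstration; real transport keys never leave the HSM in clear.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// TransportKeyInfo collects what a DPX consumer can see about the transport key:
// the key name and KCV travel in clear text in the DPX file.
// The field names are this example's own, not a OneSpan structure.
type TransportKeyInfo struct {
	Name       string
	Algorithm  string // "3DES" or "AES"
	KeyBits    int    // 128/192 for 3DES (parity bits included), 128/256 for AES
	KCV        string // hex of the first 3 bytes of E_K(0...0); assumed convention
	Deprecated bool   // true for double-length 3DES, which the page recommends retiring
}

// desParityOK reports whether every key byte has odd parity, as DES keys require.
func desParityOK(key []byte) bool {
	for _, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			return false
		}
	}
	return true
}

// blockCipherFor builds the block cipher for a key of one of the sizes the page lists.
// AES-192 and single-length DES are rejected because the page does not list them.
func blockCipherFor(alg string, key []byte) (cipher.Block, error) {
	switch alg {
	case "3DES":
		switch len(key) {
		case 16: // double-length: K1 K2 -> EDE key K1 K2 K1
			k := append(append([]byte{}, key...), key[:8]...)
			return des.NewTripleDESCipher(k)
		case 24: // triple-length: K1 K2 K3
			return des.NewTripleDESCipher(key)
		}
		return nil, fmt.Errorf("3DES transport key must be 16 or 24 bytes, got %d", len(key))
	case "AES":
		switch len(key) {
		case 16, 32:
			return aes.NewCipher(key)
		}
		return nil, fmt.Errorf("AES transport key must be 16 or 32 bytes, got %d", len(key))
	}
	return nil, errors.New("unsupported algorithm: " + alg)
}

// DescribeTransportKey validates the key and returns its KCV and clear-text metadata.
func DescribeTransportKey(name, alg string, key []byte) (TransportKeyInfo, error) {
	blk, err := blockCipherFor(alg, key)
	if err != nil {
		return TransportKeyInfo{}, err
	}
	if alg == "3DES" && !desParityOK(key) {
		return TransportKeyInfo{}, errors.New("3DES key bytes must have odd parity")
	}
	zero := make([]byte, blk.BlockSize())
	out := make([]byte, blk.BlockSize())
	blk.Encrypt(out, zero) // KCV = first 3 bytes of E_K(all-zero block)
	return TransportKeyInfo{
		Name:       name,
		Algorithm:  alg,
		KeyBits:    len(key) * 8,
		KCV:        hex.EncodeToString(out[:3]),
		Deprecated: alg == "3DES" && len(key) == 16,
	}, nil
}

func main() {
	// Constructed sample keys for the demonstration only.
	samples := []struct {
		name, alg string
		key       []byte
	}{
		{"DPX-TK-AES128", "AES", make([]byte, 16)},
		{"DPX-TK-3DES-2KEY", "3DES", bytes.Repeat([]byte{0x01}, 16)},
		{"DPX-TK-3DES-BADPARITY", "3DES", make([]byte, 24)},
	}
	for _, s := range samples {
		info, err := DescribeTransportKey(s.name, s.alg, s.key)
		if err != nil {
			fmt.Println(s.name, "rejected:", err)
			continue
		}
		fmt.Printf("%s %s-%d KCV=%s deprecated=%v\n",
			info.Name, info.Algorithm, info.KeyBits, info.KCV, info.Deprecated)
	}
}
```

In practice the KCV printed by the program is compared with the KCV stored in clear text in the DPX file before any import is attempted, so that a wrong or mistyped transport key is caught before a decryption failure.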

Compatibility of HSM-level DPX transport key with authenticator application

The following table summarizes the compatibility of 3DES and AES HSM transport keys with the different types of authenticator application embedded in a double-encrypted (HSM-encrypted) DPX file.

  Table: Compatibility of HSM-level DPX transport key with authenticator application

  Authenticator application key type      HSM transport key type
  in HSM-encrypted DPX                    3DES HSM key        AES HSM key
  --------------------------------------  ------------------  ------------------
  DES Digipass secret key                 X (3)               Not supported (1)
  3DES Digipass secret key                X (3)               Not supported (1)
  DES Digipass UnlockV1 key               X (3)               Not supported (1)
  AES Digipass secret key                 X (3)               X
  SM3 Digipass secret key                 X (3)               X
  OATH HMAC-SHA1 Digipass secret key      Not supported (2)   Not supported (2)

  X = supported. Notes (1) to (3) are explained below.

(1) When the HSM transport key is of type AES-128 or AES-256, the following authenticator applications are no longer supported:

  • authenticator applications using DES or 3DES
  • authenticator applications using the UnlockV1 unlocking mechanism (UnlockV1 is based on a DES key)

Digipass using the DES or 3DES algorithm and/or UnlockV1 unlocking must therefore be hardware encrypted with a 3DES HSM transport key.

(2) Authenticator applications based on OATH (HOTP, TOTP, OCRA) do not support double-encrypted (HSM-encrypted) DPX files.

(3) As of version 12.50 of the Entrust nShield Security World software and firmware, security worlds created in strict FIPS 140-2 Level 3 mode no longer allow 3DES operations on the HSM.

To use 3DES HSM transport keys with the OneSpan Authentication Suite Server SDK for Entrust nShield HSM, you must either:

  • use a security world (whether FIPS 140-2 Level 2 or FIPS 140-2 Level 3) that was created with an Entrust nShield Security World software version prior to 12.50, or
  • use a FIPS 140-2 Level 2 security world if it was created with Entrust nShield Security World software version 12.50 or later.
