HSM-level DPX transport key

The HSM-level DPX transport key is used to encrypt the sensitive Digipass information in a DPX file. This key is typically generated by the customer and distributed to OneSpan, encrypted with a key encrypting key (KEK).

The HSM-level DPX transport key is only used for authenticator applications.

The key check value (KCV) and name of the HSM-level DPX transport key are included in clear text in the DPX file.

The HSM-level DPX transport key has the following properties:

• This key is either:

  • Double-length 3DES key (128 bits, including parity bits)
  • Triple-length 3DES key (192 bits, including parity bits) (A triple-length is recommended)
  • AES-128 key (128 bits) or
  • AES-256 key (256 bits)
• This key is typically generated in the customer’s hardware security module.
• In the hardware security module, this key is identified by a name.
• This key is not exportable from production hardware security module in clear.
• Key rotation takes place on a regular basis, expected to be two years at most.

It is highly recommended to no longer use HSM-level DPX transport keys that are double-length 3DES keys and to use HSM-level DPX transport keys that are triple-length 3DES or AES keys instead. See Compatibility of HSM-level DPX transport key with authenticator application for compatibility matrix of HSM-level DPX transport key with authenticator applications.

In addition, the Thales ProtectServer2 HSMs (firmwares version 5.00.02 and above) apply a restriction on double-length 3DES keys when the HSM is configured with the FIPS Algorithm Only flag enabled. Usage of double-length 3DES keys with Authentication Suite Server SDK for Thales ProtectServer HSM requires the ProtectServer2 HSMs to be configured with the FIPS Algorithm Only flag disabled.

Compatibility of HSM-level DPX transport key with authenticator application

Table: Compatibility of HSM-level HSM transport key with authenticator application summarizes the compatibility of the 3DES or AES HSM transport keys with the different types of authenticator application embedded in a DPX file double encrypted (HSM encrypted).

When using HSM transport keys of type AES-128 or AES-256, the following authenticator applications will not be supported anymore:

• authenticator applications using DES or 3DES
• authenticator applications using the UnlockV1 unlocking mechanism (UnlockV1 is based on a DES key)

For Digipass using DES, 3DES algorithm, and/or UnlockV1 unlocking, the hardware encryption with HSM transport keys will have to mandatorily use 3DES HSM keys.

The authenticator application based on OATH (HOTP, TOTP, OCRA) do not support double encrypted DPX files (HSM encrypted), and are not supported for Authentication Suite Server SDK for Thales ProtectServer HSM.