OneSpan customer procedure
- Updated 23 Jan 2025
- 4 minutes to read
Customers must adhere to the following key management procedures to be able to use the authenticator application:
1. Generate the HSM-level BLOB storage key.
2. Generate the KEK with custodians export.
3. Generate the HSM-level DPX transport key.
4. Export the HSM-level DPX transport key wrapped by the KEK.
5. Distribute the encrypted HSM-level DPX transport key and the KEK to OneSpan.
Procedures 2 to 5 are only required for double-encrypted DPX file import.
Generate the HSM-level BLOB storage key
To generate the HSM-level BLOB storage key:
1. Launch the Key Management Tool provided with the Authentication Suite Server SDK for HSM.
2. On the Key Management Tool main screen, select (2): Generate a storage key.
3. Select one of the following key types: AES128, AES256, DES2 or DES3. The default value is 3. (DES2 is not recommended.)
In a Security World operating in strict FIPS 140-2 Level 3 mode, the newer Entrust nShield HSMs based on the PowerPC ELF architecture (nShield XC) do not allow generating double-length 3DES keys (DES2). In that case, attempting to generate a storage key of type DES2 fails with the following error: “Function exits with an error : 62 -> StrictFIPS140”.
4. Select the ID of the storage key. The default value is 0.
The key name is determined by the key ID as follows:
- ID 0 corresponds to the name vascoStorageKey.
- IDs 1 to 9 correspond to the names vasco1 to vasco9.
- ID 0x7fffff corresponds to the name vascoTransportKey.
Generate the KEK with custodians export
The purpose of this key is to export the HSM-level DPX transport key generated in Generate the HSM-level DPX transport key. As this key is highly sensitive, it should be generated by a security officer.
1. On the Key Management Tool main screen, select (3): Generate a Key Encrypting Key.
2. Select one of the following key types: AES128, AES256, DES2 or DES3. The default value is 3. (DES2 is not recommended.)
In a Security World operating in strict FIPS 140-2 Level 3 mode, the newer Entrust nShield HSMs based on the PowerPC ELF architecture (Entrust nShield XC) do not allow generating double-length 3DES keys (DES2). In that case, attempting to generate a key encrypting key of type DES2 fails with the following error: “Function exits with an error : 62 -> StrictFIPS140”.
3. Select the number of custodians. The default value is 3.
4. Select the ID of the key encrypting key. The KCV of the KEK appears on the screen. Press any key to continue.
5. Press any key to display the first component on the screen. The first component and its KCV are displayed.
6. Repeat the previous step for all further components.
Each component of the KEK must be kept safe by a key custodian. The KEK generation must be supervised by the security officer.
Generate the HSM-level DPX transport key
To generate the HSM-level DPX transport key:
1. On the Key Management Tool main screen, select (4): Generate a Transport Key.
2. Select one of the following key types: AES128, AES256, DES2 or DES3. The default value is 3. (DES2 is not recommended.)
In a Security World operating in strict FIPS 140-2 Level 3 mode, the newer Entrust nShield HSMs based on the PowerPC ELF architecture (Entrust nShield XC) do not allow generating double-length 3DES keys (DES2). In that case, attempting to generate a transport key of type DES2 fails with the following error: “Function exits with an error : 62 -> StrictFIPS140”.
3. Select the ID of the transport key. The default value is 0x7fffff.
4. Select the ID of the KEK authorized to wrap and export this transport key. No other key will be able to perform this operation. The KCV of the HSM-level DPX transport key is displayed.
During this operation, the security officer in charge of the export ceremony must verify which KEK is authorized to export (wrap) the HSM-level DPX transport key. If the authorized KEK is not controlled by the security officer, the secret value of the HSM-level DPX transport key might be compromised.
Export the HSM-level DPX transport key wrapped by the KEK
To export the HSM-level DPX transport key:
1. On the Key Management Tool main screen, select (5): Export a Transport Key.
2. Select the ID of the transport key to export. The default value is 0x7fffff.
3. Select the ID of the KEK authorized to wrap and export this transport key. This must be the same KEK as in Generate the HSM-level DPX transport key.
4. Press any key to display the wrapped value of the HSM-level DPX transport key on the screen. The wrapped value of the HSM-level DPX transport key must be kept safe.
5. Press any key to return to the main screen.
Distribute the encrypted HSM-level DPX transport key and the KEK to OneSpan
The HSM-level DPX transport key can be delivered to OneSpan using the following media:
- Secure physical mail (secure envelope)
- Fax
Sample form for the wrapped transport key:
Date: 07 March 2007
Wrapped Transport Key: 1e7b 3a39 ee0b 793a 8338 19f3 ea0a c057 18ff c6ee 7609 3909
Transport Key KCV: d2e3d3
Key Encryption Key KCV: 26d098
The components of the KEK can be delivered to OneSpan using the following media:
- Secure physical mail (secure envelope) for every key component
Sample form for one KEK component:
Date: 07 March 2007
Key Share (A/B/C): A
Key Share: b9ae 4051 a8f8 625b 01d0 b93b 6131 dadc c779 f494 fd8a 5eea
Key Share KCV: 1ccc74
Key Encryption Key KCV: 26d098
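As an added example that is not part of the OneSpan procedure or its Key Management Tool, the following Go program replays the checks a security officer performs when the KEK components and the wrapped transport key arrive on forms like the two above: each component's KCV, the KCV of the recombined KEK, and the KCV of the transport key unwrapped under that KEK, so that a mistyped share, a missing share, or a value wrapped under a different KEK is rejected before anything is imported. The function names are mine, and three things the page does not state are assumed: the KCV is the first 3 bytes of 3DES-encrypting an all-zero block, components are combined by XOR, and the wrapped value is raw 3DES-ECB.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// kcv encrypts one all-zero block under a DES3 key and returns the first 3 bytes as hex,
// or "" for a wrong key length (assumed definition; the page only shows 6-digit KCVs).
func kcv(key []byte) string {
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return ""
	}
	out := make([]byte, 8)
	blk.Encrypt(out, make([]byte, 8))
	return hex.EncodeToString(out[:3])
}

// VerifyCeremony replays the security officer's checks from the two forms: every component
// KCV, the KCV of the recombined KEK, then the KCV of the transport key unwrapped under it.
// Assumptions the page does not state: components combine by XOR, and the wrapped value is
// raw 3DES-ECB (a 24-byte value with no IV, as on the form). compKCVs[i] belongs to comps[i].
func VerifyCeremony(comps [][]byte, compKCVs []string, kekKCV string, wrapped []byte, tkKCV string) ([]byte, error) {
	kek := make([]byte, 24) // DES3 key length
	for i, c := range comps {
		if got := kcv(c); got == "" || i >= len(compKCVs) || got != compKCVs[i] {
			return nil, fmt.Errorf("component %d: KCV %q does not match its form", i+1, got)
		}
		for j := range kek {
			kek[j] ^= c[j]
		}
	}
	if got := kcv(kek); got != kekKCV {
		return nil, fmt.Errorf("recombined KEK KCV %q != %q: a component is wrong or missing", got, kekKCV)
	}
	blk, err := des.NewTripleDESCipher(kek)
	if err != nil || len(wrapped) == 0 || len(wrapped)%8 != 0 {
		return nil, fmt.Errorf("bad KEK (%v) or wrapped length %d", err, len(wrapped))
	}
	tk := make([]byte, len(wrapped))
	for i := 0; i < len(wrapped); i += 8 {
		blk.Decrypt(tk[i:i+8], wrapped[i:i+8])
	}
	if got := kcv(tk); got != tkKCV {
		return nil, fmt.Errorf("transport key KCV %q != %q: not wrapped under this KEK", got, tkKCV)
	}
	return tk, nil
}
```

Each error message names the form whose value disagrees, which is the information the officer needs to decide which custodian or which envelope to query.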