OneSpan customer procedure
  • 23 Jan 2025

Article summary

Customers must adhere to the following key management procedures to be able to use the authenticator application:

  1. Generate the HSM-level BLOB storage key.
  2. Generate the KEK with Custodians Export.
  3. Generate the HSM-level DPX transport key.
  4. Export the HSM-level DPX transport key wrapped by the KEK.
  5. Distribute the encrypted HSM-level DPX transport key and the KEK to OneSpan.

Steps 2 to 5 are only required for double-encrypted DPX-file import.

Generate the HSM-level BLOB storage key

To generate the HSM-level BLOB storage key

  1. Open the Key Management Utility (KMU) included in the Thales ProtectServer Protect Toolkit C.
  2. Under Select a token, log in on <Slot0> as User (password is required).

    Figure: Generate the HSM-level BLOB storage key (1)

The slot ID may vary depending on the configuration.

  3. From the menu, select Options > Create > Secret Key.
  4. Select the Mechanism: Double DES, Triple DES, AES with key size 128 bits or AES with key size 256 bits.

    Figure: Generate the HSM-level BLOB storage key (2)

With these settings, the storage key (vascoStorageKey) cannot be backed up. To allow backup, set Exportable to TRUE.

Generate the KEK with custodians export

The purpose of this key is to wrap the HSM-level DPX transport key for export (see Generate the HSM-level DPX transport key).

Because this key is highly sensitive, it should be generated by a security officer.

To generate the KEK

  1. In the Key Management Utility window, under Select a token, log in on <Slot0> as Security Officer (password is required).
  2. From the menu, select Options > Create > Generate Key Components.
  3. Select the Mechanism: Double DES, Triple DES, AES with key size 128 bits or AES with key size 256 bits.

    Figure: Generate the KEK with custodians export (1)

  4. Specify the number of KEK components (typically 2 or 3).

    Figure: Generate the KEK with custodians export (2)

  5. Keep the key components and their KCVs safe.

    Figure: Generate the KEK with custodians export (3)

  6. Repeat the previous steps for all further key components.

    Figure: Generate the KEK with custodians export (4)

  7. In the Key Management Utility window, verify that all key components (three in this example) have been created.

Each component of the KEK must be kept safe by a key custodian. The KEK generation must be supervised by the security officer.

Generate the HSM-level DPX transport key

To generate the HSM-level DPX transport key

  1. In the Key Management Utility window, under Select a token, log in on <Slot0> as User (password is required).
  2. From the menu, select Options > Create > Secret Key.
  3. Select the Mechanism: Double DES, Triple DES, AES with key size 128 bits or AES with key size 256 bits.

    Figure: Generate the HSM-level DPX transport key (1)

For security reasons, set Extractable to FALSE and Exportable to TRUE.

With this setup the transport key cannot be wrapped out of the HSM under an arbitrary wrapping key: only a key created by a security officer, such as the KEK generated in the previous section, can export this HSM-level DPX transport key.

  4. When the key is generated, in the Key Management Utility window, right-click on vascoTransportKey.

    Figure: Generate the HSM-level DPX transport key (2)

  5. From the shortcut menu, select View KCV.

    Figure: Generate the HSM-level DPX transport key (3)

During this operation, the security officer in charge of the export ceremony must verify that Extractable is set to FALSE and Exportable is set to TRUE. Otherwise, the HSM-level DPX transport key could be wrapped out of the HSM under any wrapping key, and its secret could be compromised.

Export the HSM-level DPX transport key wrapped by the KEK

To export the HSM-level DPX transport key

  1. To prepare the export, in the Key Management Utility window, select the HSM-level DPX transport key (OneSpanTransportKey; named vascoTransportKey in the previous section).

    Figure: Export the HSM-level DPX transport key wrapped by the KEK (1)

  2. From the menu, select Options > Export.
  3. Select the Write encrypted part to the screen option.

    Figure: Export the HSM-level DPX transport key wrapped by the KEK (2)

  4. Keep the wrapped key and its KCV safe.

    Figure: Export the HSM-level DPX transport key wrapped by the KEK (3)

Distribute the encrypted HSM-level DPX transport key and the KEK to OneSpan

The wrapped HSM-level DPX transport key can be delivered to OneSpan using any of the following media:

  • email
  • secure physical mail (secure envelope)
  • fax

The wrapped transport key is only as protected as the KEK, so it may use these channels only because the KEK components travel separately, by secure mail. Sample transport key delivery form:

Date:                            07 March 2007
Wrapped Transport Key:           1e7b 3a39 ee0b 793a 8338 19f3
                                 ea0a c057 18ff c6ee 7609 3909
Transport Key KCV:               d2e3d3
Key Encryption Key KCV:          26d098

The components of the KEK can be delivered to OneSpan using the following medium only:

  • secure physical mail (secure envelope), one separate envelope for every single key component

Sample key component delivery form (one per component):

Date:                            07 March 2007
Key Share (A/B/C):               A
Key Share:                       b9ae 4051 a8f8 625b 01d0 b93b
                                 6131 dadc c779 f494 fd8a 5eea
Key Share KCV:                   1ccc74
Key Encryption Key KCV:          26d098
