Login
    Contenu x
    Processes
    • 23 Jan 2025
    • 2 Minutes à lire
    • Sombre
      Lumière
    • PDF
    Contenu

    Processes

    • Mis à jour le 23 Jan 2025
    • 2 Minutes à lire
    • Sombre
      Lumière
    • PDF
    The content is currently unavailable in French. You are viewing the default English version.
    Résumé de l’article

    Five processes need to be implemented for offline authentication:

    1. Hash data synchronization between server and client
    2. State data synchronization from server to client
    3. State data synchronization from client to server
    4. Offline authentication
    5. Online authentication

    The data synchronization between the server and the client and vice versa must guarantee:

    • Availability of offline authentication data (OAD) on the client side for offline authentications.
    • Code replay detection between the offline and online verification processes.

    To meet these requirements, two types of data have to be synchronized between the client and the server:

    • State data. The state data contains information about the last successful authentication to detect code replay attempts and to keep track of the error counter. In the further course of this document, the state data is referred to as StateDataBlock.
    • Hash data. The hash data contains an OTP hash list that will be used to validate OTP values for offline authentication. In the further course of this document, this list will be referred to as HashDataBlock.

    The authentication process(es) can be performed online or offline. The credentials for the user authentication process either consists of the user ID and OTP, or the username, a static PIN, and an OTP.

    Hash data synchronization

    This process involves the following steps:

    1. On the server:

      • Retrieving the authenticator application BLOB for a specific user from the server repository.
      • Generating HashDataBlock structures for a specified event window or time period.
      • Transporting the HashDataBlock structures to the client platform.

    2. On the client:

      • Storing/updating the HashDataBlock structures.

    The HashDataBlock structures are generated by the Authentication Suite Server SDK function AAL2GenHashDataBlock(). Transporting, storing, and updating HashDataBlock structures is not described in this document.

    The synchronization of the HashDataBlock structures from the server to the client should take place only after a successful online authentication process.

    In case of static PIN support, the different HashDataBlock structures need to be regenerated whenever the static PIN is changed.

    State data synchronization: Server – client

    This process involves the following steps:

    1. On the server:

      • Retrieving the authenticator application BLOB for a specific user from the server repository.
      • Generating a StateDataBlock structure from the authenticator application BLOB using a new Authentication Suite Server SDK function.
      • Transporting the StateDataBlock structure to the client platform.

    2. On the client:

      • Storing/updating the StateDataBlock structure.

    The StateDataBlock structure is generated by the Authentication Suite Server SDK function AAL2GetStateDataBlock(). Transporting, storing, and updating StateDataBlock structures on the client application is not described in this document.

    To detect code replay, the StateDataBlock synchronization from the server to the client should take place after each online authentication process.

    State data synchronization: Client – server

    This process involves the following steps:

    1. On the client:

      • Retrieving the StateDataBlock structure from the local storage.
      • Transporting the StateDataBlock structure to the server.

    2. On the server:

      • Retrieving the authenticator application BLOB for this specific user from the server repository.
      • Synchronizing the authenticator application BLOB with the StateDataBlock structure using the Authentication Suite Server SDK AAL2SyncStateData() function.
      • Updating the authenticator application BLOB on the server repository.

    To detect code replay, the synchronization of the StateDataBlock structures from the client to the server should precede each online authentication process.

    Offline authentication

    This process is executed on the client platform and involves the following steps:

    • Retrieving the StateDataBlock and HashDataBlock structures from the local storage for this specific user.
    • Calling the offline validation function with an OTP, StateDataBlock and HashDataBlock.
    • Updating the StateDataBlock structure on the local storage.

    The change static PIN functionality is not available for offline authentication.

    Online authentication

    This process involves the following steps:

    1. On the client:

      • Transporting the OTP and user ID to the server.

    2. On the server:

      • Retrieving the authenticator application BLOB for a specific user from the server repository.

      • Validating the OTP using the Authentication Suite Server SDK AAL2VerifyPassword() function.

    Cet article vous a-t-il été utile ?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout
    ESC

    Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle