- Updated 26 Nov 2024
- 1 minute read
Protecting sensitive data
Sensitive data include:
- Passwords for OneSpan Authentication Server user accounts or other accounts
- Shared secrets with back-end servers or other components
- Administrative privileges
- Global configuration settings
A sensitive data key is used to encrypt and decrypt such data when it is stored in the OneSpan Authentication Server data store. By default, sensitive data is encrypted in software using an embedded key. If a higher level of security is required, a hardware security module (HSM) can be used for the encryption instead.
Protecting sensitive data using software encryption
By default, OneSpan Authentication Server encrypts security-sensitive data using an embedded key. This encryption can be strengthened by adding a custom key via the Administration Web Interface. The sensitive data key is then derived from both the embedded key and the custom key, and is used to protect the sensitive data attributes in the data store.
For new installations of OneSpan Authentication Server, AES-128 is used. Upgraded installations that used previously supported algorithms may continue to use those legacy algorithms.
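The following is an added, illustrative example and not OneSpan's code: it models why adding a custom key strengthens software encryption. The embedded key ships with the product, so anyone who can read the installed software must be assumed to have it; once a custom key is mixed in, the embedded key alone no longer decrypts the data store. The derivation (HMAC-SHA256 of the custom key under the embedded key, truncated to an AES-128 key), the cipher mode (AES-GCM with the attribute name bound as associated data) and the key and attribute values are all assumptions made for this example; the product's actual derivation and mode are not documented on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EmbeddedKey stands in for the key compiled into the product. Treat it as
// known to anyone who can read the installed binaries. (Constructed value.)
var EmbeddedKey = []byte("embedded-key-shipped-in-software")

// DeriveSensitiveDataKey combines the embedded key and the operator-supplied
// custom key into one 16-byte AES-128 key. HMAC-SHA256 is an assumed
// derivation for illustration only. With an empty custom key the result
// depends on the embedded key alone, which models the default installation.
func DeriveSensitiveDataKey(embedded, custom []byte) []byte {
	mac := hmac.New(sha256.New, embedded)
	mac.Write([]byte("sensitive-data-key:"))
	mac.Write(custom)
	return mac.Sum(nil)[:16]
}

// EncryptAttribute protects one sensitive attribute value with AES-128-GCM
// (assumed mode). The attribute name is bound as associated data so that a
// ciphertext copied from one attribute to another fails to decrypt.
// Output layout: nonce || ciphertext || tag.
func EncryptAttribute(key []byte, name string, value []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+len(value)+gcm.Overhead())
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, value, []byte(name)), nil
}

// DecryptAttribute reverses EncryptAttribute. Any wrong key, wrong attribute
// name or tampered ciphertext fails the GCM tag check and returns an error.
func DecryptAttribute(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short to be a valid ciphertext")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	customKey := []byte("custom-key-set-by-administrator") // constructed value
	key := DeriveSensitiveDataKey(EmbeddedKey, customKey)

	// A shared secret with a back-end server, as it would be stored.
	blob, err := EncryptAttribute(key, "backendSharedSecret", []byte("s3cr3t-shared-with-backend"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptAttribute(key, "backendSharedSecret", blob)
	fmt.Printf("with custom key: %q, err=%v\n", pt, err)

	// An attacker holding only the embedded key derives the default key
	// (empty custom key) and cannot open the stored value.
	defaultKey := DeriveSensitiveDataKey(EmbeddedKey, nil)
	_, err = DecryptAttribute(defaultKey, "backendSharedSecret", blob)
	fmt.Printf("embedded key only: err=%v\n", err)
}
```

The consequence a practitioner should keep in mind with this design is that the custom key is now part of what is needed to read the data store: it has to be kept somewhere other than that data store, and losing it makes the protected attributes unrecoverable.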
Protecting sensitive data using a hardware security module (HSM)
When an HSM is used to protect sensitive data, the respective data attributes are encrypted by the HSM using AES-128 with a sensitive data key held inside the HSM. That key cannot be reconstructed or modified outside the HSM.