- 23 Jan 2025
Protection of authenticator application BLOBs and payload key BLOBs (storage)
When a DPX file is imported into a database using Authentication Suite Server SDK for Entrust nShield HSM, the resulting authenticator application BLOBs (and payload key BLOBs, if any) are encrypted twice after HSM migration:
- The confidentiality and integrity of the sensitive authenticator application BLOB data, such as Digipass keys and other secrets (and of the sensitive payload key BLOB data, if any), are protected by encrypting and electronically signing them with the HSM-level BLOB storage key. This key resides in the customer's HSM.
- The confidentiality and integrity of the entire authenticator application BLOBs and payload key BLOBs are protected by encrypting and electronically signing each BLOB with the software-level BLOB storage key.
This approach ensures that the sensitive data fields are encrypted with a key that is securely stored in the HSM. Maintenance operations that involve only the less sensitive data fields, such as resynchronizing a Digipass authenticator with Authentication Suite Server SDK, can still be performed very efficiently because the HSM is not involved.
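As an added illustration (not OneSpan's code and not the SDK's real BLOB format), the Go model below shows the two layers described above: the Digipass secret sealed under an HSM-level key, the whole record sealed again under a software-level key, and a resync that rewrites only the outer layer. The key names, the byte layout and AES-GCM as the stand-in for "encrypt and electronically sign" are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Model of the stored BLOB after HSM migration (not the product's real format):
//   inner = seal(hsmKey, digipassSecret)              // sensitive fields only
//   outer = seal(swKey, counter(8 bytes) || inner)    // whole record
// seal/open stand in for "encrypt and electronically sign" (AES-GCM assumed).

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func seal(key, pt []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, pt, nil), nil // nonce || ciphertext || tag
}

func open(key, ct []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil || len(ct) < gcm.NonceSize() { return nil, errors.New("bad key or truncated blob") }
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// Store builds the double-encrypted BLOB with the resync counter at zero.
func Store(hsmKey, swKey, secret []byte) ([]byte, error) {
	inner, err := seal(hsmKey, secret)
	if err != nil { return nil, err }
	return seal(swKey, append(make([]byte, 8), inner...))
}

// Resync bumps the counter with the software-level key only: the HSM-level
// key, and so the HSM, is never touched, which is the efficiency argument above.
func Resync(swKey, stored []byte) ([]byte, error) {
	raw, err := open(swKey, stored)
	if err != nil || len(raw) < 8 { return nil, errors.New("outer layer rejected") }
	binary.BigEndian.PutUint64(raw, binary.BigEndian.Uint64(raw)+1)
	return seal(swKey, raw)
}
```

Reading the secret back requires both keys in turn (open the outer layer with swKey, then the inner layer with hsmKey), while a wrong key at either layer fails authentication instead of yielding garbage.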
The HSM-level BLOB storage key can be of type 3DES or AES. For more information, refer to HSM-level BLOB storage key. If an HSM-level BLOB storage key of type 3DES is used with Authentication Suite Server SDK for Entrust nShield HSM, the resulting authenticator application BLOBs (and payload key BLOBs, if any) are hardware encrypted only.