Protection of authenticator application BLOBs and payload key BLOBs (storage)
- 23 Jan 2025
When a DPX file is imported into a database with the Authentication Suite Server SDK for Thales ProtectServer HSM, the resulting authenticator application BLOBs (and the payload key BLOBs, if any) are protected by two layers of encryption after HSM migration:
- The sensitive fields of the authenticator application BLOB, such as Digipass keys and other secrets (and the sensitive fields of the payload key BLOB, if any), are encrypted and electronically signed with the HSM-level BLOB storage key. This key resides in the customer's HSM.
- The entire authenticator application BLOB / payload key BLOB is then encrypted and electronically signed with the software-level BLOB storage key. This key resides in the software.
This layering keeps the sensitive fields under a key that is stored securely in the HSM, while maintenance operations that touch only the less sensitive fields, such as resynchronizing a Digipass authenticator with Authentication Suite Server SDK, can still be performed efficiently because the HSM is not involved. Note that the integrity of the non-sensitive fields, and of the BLOB as a whole, therefore rests on the software-level key alone.
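The following Python program is an added illustration of the two-layer scheme described above; it is not OneSpan SDK code and does not reproduce the SDK's BLOB format. It assumes hypothetical field names (`digipass_key`, `pin_hash`, `event_counter`), simulates the HSM as an object whose key is never exposed, and uses encrypt-then-MAC over an HMAC-SHA256 keystream as a dependency-free stand-in for the SDK's encryption plus electronic signature (a real deployment would use an AEAD or the HSM's own mechanisms). The point it demonstrates is that a resynchronisation touches only the outer layer and never calls the HSM, while reading the Digipass key requires both keys.

```python
"""Two-layer protection of an authenticator application BLOB (added example).

Inner layer: sensitive fields sealed with a key that never leaves the
simulated HSM. Outer layer: the whole BLOB sealed with a software-level
key. Field names and the HMAC-based cipher are assumptions for this demo.
"""
import hashlib
import hmac
import json
import secrets

# Assumed names of the fields the SDK would treat as sensitive.
SENSITIVE_FIELDS = {"digipass_key", "pin_hash"}


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key so encryption and MAC keys differ."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for a block cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master: bytes, sealed: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any tampering."""
    if len(sealed) < 48:
        raise ValueError("BLOB too short")
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("BLOB integrity check failed")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class SimulatedHsm:
    """Holds the HSM-level BLOB storage key; the key never leaves this object.
    `calls` counts HSM operations so each workflow's HSM involvement is visible."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self.calls = 0

    def seal_fields(self, fields: dict) -> str:
        self.calls += 1
        return seal(self._key, json.dumps(fields, sort_keys=True).encode()).hex()

    def open_fields(self, sealed_hex: str) -> dict:
        self.calls += 1
        return json.loads(unseal(self._key, bytes.fromhex(sealed_hex)))


def import_record(record: dict, hsm: SimulatedHsm, sw_key: bytes) -> bytes:
    """Build the doubly protected BLOB from one DPX-style record (constructed input)."""
    inner = {k: v for k, v in record.items() if k in SENSITIVE_FIELDS}
    outer = {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
    outer["sensitive"] = hsm.seal_fields(inner)  # HSM-level layer
    return seal(sw_key, json.dumps(outer, sort_keys=True).encode())  # software-level layer


def read_fields(blob: bytes, sw_key: bytes) -> dict:
    """Open the outer layer only; the sensitive part stays HSM-sealed."""
    return json.loads(unseal(sw_key, blob))


def resync_counter(blob: bytes, sw_key: bytes, new_counter: int) -> bytes:
    """Maintenance on a non-sensitive field: only the software key is needed."""
    outer = read_fields(blob, sw_key)
    outer["event_counter"] = new_counter
    return seal(sw_key, json.dumps(outer, sort_keys=True).encode())


def read_secret(blob: bytes, sw_key: bytes, hsm: SimulatedHsm) -> dict:
    """Access to the Digipass key needs both layers, hence an HSM call."""
    return hsm.open_fields(read_fields(blob, sw_key)["sensitive"])
```

After `import_record` the HSM has been called once; `resync_counter` leaves that count unchanged because it only reopens and reseals the software-level layer, whereas `read_secret` adds a second HSM call. Flipping any byte of the outer ciphertext makes `unseal` raise before anything is decrypted, which is the integrity property the software-level signature provides for the BLOB as a whole.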