Secure Auditing With a hardware security module (HSM)

To enable secure auditing for a hardware security module (HSM), a master audit key pair must be created on the HSM. This must be done before you configure OneSpan Authentication Server Appliance to use secure auditing.

The public key from the master audit key pair must be exported from the HSM to allow its use in verification.

Figure: Secure auditing with HSM

OneSpan Authentication Server Appliance will request a signature from the HSM for each epoch and use this as the epoch ID. An epoch key pair will be generated, consisting of an epoch public key and an epoch private key. Each secure audit entry will contain the epoch public key, the epoch ID, and an cryptographic signature that relates it to the previous and subsequent entries.

To verify each secure audit entry, the Secure Auditing Verification Tool uses the following:

• The epoch public key
• The epoch ID (supplied on each secure audit line)
• The master audit public key which has been exported to a PEM file.

The entire file will be verified with a Yes (verification successful) or No (verification unsuccessful) result provided after verification.