- 26 Nov 2024
Secure Auditing Without a Hardware Security Module (HSM)
- Updated on 26 Nov 2024
To enable secure auditing for systems that do not use an HSM, the OneSpan Authentication Server Maintenance Wizard creates a master audit key pair in a PKCS#12 file during installation.
OneSpan Authentication Server generates a signature using the private key in the PKCS#12 file; this signature is used as the epoch ID. OneSpan Authentication Server then generates an epoch key pair, consisting of an epoch public key and an epoch private key. Each secure audit entry contains the epoch public key and the epoch ID.
To verify each secure audit entry, the Secure Auditing Verification Tool uses the following:
- The epoch public key
- The epoch ID (supplied on each secure audit line)
- The master audit public key, which has been exported to a PEM file
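The check those three inputs allow, as an added Go example (not OneSpan's code or the Secure Auditing Verification Tool's implementation). It assumes Ed25519 keys, base64-encoded fields, and that the epoch ID is the master key's signature over the epoch public key; the page specifies none of these, and `AuditLine`, `VerifyEpoch` and `NewEpoch` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// AuditLine holds the two per-entry fields the page names (names, base64 assumed).
type AuditLine struct{ EpochPub, EpochID string }
// VerifyEpoch checks that a line's epoch public key is endorsed by the master
// audit key. Assumption: epoch ID = master-key signature over the epoch public key.
func VerifyEpoch(masterPEM []byte, l AuditLine) error {
	blk, _ := pem.Decode(masterPEM)
	if blk == nil {
		return fmt.Errorf("master key: not PEM")
	}
	k, err := x509.ParsePKIXPublicKey(blk.Bytes)
	master, ok := k.(ed25519.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("master key: not an Ed25519 public key")
	}
	pub, e1 := base64.StdEncoding.DecodeString(l.EpochPub)
	id, e2 := base64.StdEncoding.DecodeString(l.EpochID)
	if e1 != nil || e2 != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("audit line: malformed epoch fields")
	}
	if !ed25519.Verify(master, pub, id) {
		return fmt.Errorf("epoch ID does not endorse this epoch public key")
	}
	return nil
}
// NewEpoch returns constructed sample data: a master public key (PEM) and one audit line.
func NewEpoch() ([]byte, AuditLine) {
	mPub, mPriv, _ := ed25519.GenerateKey(rand.Reader)
	ePub, _, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(mPub)
	b64 := base64.StdEncoding.EncodeToString
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}),
		AuditLine{b64(ePub), b64(ed25519.Sign(mPriv, ePub))}
}
func main() {
	key, line := NewEpoch()
	_, other := NewEpoch() // line whose epoch was endorsed by an unrelated master key
	fmt.Println("genuine:", VerifyEpoch(key, line), "| foreign:", VerifyEpoch(key, other))
}
```

A line that fails this check carries an epoch key the master audit key never signed, so nothing else on that line can be trusted.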
During installation, the Maintenance Wizard performs all the required processing to create the PKCS#12 file for the keystore, according to the variables provided on the corresponding page. The Maintenance Wizard will create a self-signed certificate, but secure auditing can be configured to use a commercial SSL certificate.