Digipass activation derivation

This article describes the function(s) on which the Digipass activation derivation functionality is based. It contains information about parameters and possible return codes, as well as a prototype for each function.

AAL2DeriveTokenBlobsICSF

Function prototype

aat_int32 AAL2DeriveTokenBlobsICSF (
                                TDigipassBlob*     DPData[8],
                                aat_int16          Appl_Count,
                                TKernelParms*      CallParms,
                                aat_ascii*         aStorageKeyNameIn,
                                aat_ascii*         aInitialVectorIn,
                                aat_ascii*         Challenge,
                                aat_ascii*         Derivationcode,
                                aat_word32         DerivationCodeFormat);

Description

This function derives the Digipass data of a software Digipass authenticator based on the Digipass SDK 4.0 or later.

Digipass data derivation is allowed only for applications supporting the feature (Call the AAL2GetTokenProperty function with property DERIVATION_SUPPORTED to check if a authenticator application supports the feature).

If supported by the software Digipass authenticator, this feature is used to bind a software Digipass authenticator with its hosting device. In this case, during the activation process, the software Digipass authenticator can create a diversifier based on a device’s fingerprint and can provide a derivation code based on the diversifier, an OTP, and an optional challenge.

AAL2DeriveTokenBlobsICSF allows applying the derivation to the authenticator application BLOBs on the server-side.

When reactivating the same Digipass authenticator on another device, the Digipass data must be derived again on the server-side using AAL2DeriveTokenBlobsICSF with the new derivation code. The Digipass instance on the old device will not work anymore.

The derivation code is validated using the first authenticator application BLOB of the authenticator application BLOB table (DPData) input parameter. This first authenticator application BLOB MUST match the authenticator application used for generating the derivation code on the client. This first authenticator application BLOB MUST support either Response-Only or Challenge/Response authentication.
For example, it means that when the application named AUTH_APP1 is used for generating the derivation code on the client-side, the first authenticator application BLOB must relate to the AUTH_APP1 application.
Application names are exposed during import process.
In addition, the derivation will fail if one or more authenticator application BLOB does not support the derivation feature.

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based authentication to validate the derivation code. This allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the BLOBs, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2DeriveTokenBlobsICSF) for more details.

Parameters

Table: Parameters (AAL2DeriveTokenBlobsICSF)
Type	Name	Use	Description
TDigipassBlob * [8]	DPData	I/O	Array of authenticator application BLOB pointers. Upon return from the function call, these BLOBs must be rewritten to the application database to reflect the changes.
aat_int16	Appl_count	I	Number of applications in the authenticator application BLOB array. (1 to 8)
TKernelParms *	CallParms	I	Structure of runtime parameters to use during this function call.
aat_ascii *	aStorageKeyNameIn	I	String of up to 64+1 characters, left-justified, null-terminated, or right-padded with spaces. This is the label of the ICSF storage key used to encrypt the sensitive Digipass application BLOB data.
aat_ascii *	aInitialVectorIn	I	String of 16 or 32 hexadecimal characters, left-justified, null-terminated. This is the initial vector used to encrypt the sensitive authenticator application BLOB data.
aat_ascii *	Challenge	I	String of up to 17 numeric characters, left justified, null-terminated or right padded with spaces. This parameter holds the challenge that may have been proposed to the user to generate the derivation code (if the first authenticator application BLOB is a Challenge/Response application). If no challenge is used to generate the derivation code, this parameter must be NULL.
aat_ascii *	DerivationCode	I	String of up to 27+1 decimal or hexadecimal characters, null-terminated. This is the derivation code generated by the Digipass device. This derivation code can contain hexadecimal characters if the OTP response output is hexadecimal.
aat_word32	DerivationCodeFormat	I	Reserved. Must be set to 0.

COBOL calling convention

Entry point: AA2DTBIC
02   W-KERNELPARMS.
     03  W-PARMCOUNT           PIC 9(8) USAGE BINARY.
     03  W-PARM01              PIC 9(8) USAGE BINARY.
     . . .
     03  W-PARM19              PIC 9(8) USAGE BINARY.
02   W-BLOB-TABLE.
     03  W-BLOB                PIC X(248) OCCURS 8.
02   W-BLOB-PTR-TABLE.
     03  W-BLOB-PTR            USAGE POINTER OCCURS 8.
02   W-APPL-COUNT              PIC S9(4).
02   W-CHALLENGE               PIC X(17).
02   W-DERIVATION-CODE         PIC X(28).
02   W-STORAGEKEY              PIC X(65).
02   W-INITVECTOR              PIC X(17).
02   W-RETURN                  PIC S9(8) USAGE BINARY.
02   W-DERIVATION-FMT          PIC S9(8) USAGE BINARY.
02   W-API-NAME                 PIC X(8) VALUE 'AA2DTBIC'.
. . .
     SET W-BLOB-PTR(n) TO ADDRESS OF W-BLOB(n).
     CALL W-API-NAME USING
           BY REFERENCE W-BLOB-PTR-TABLE
           BY VALUE W-APPL-COUNT
           BY REFERENCE W-KERNELPARMS
           BY REFERENCE W-STORAGEKEY
           BY REFERENCE W-INITVECTOR
           BY REFERENCE W-CHALLENGE
           BY REFERENCE W-DERIVATION-CODE
           BY VALUE W-DERIVATION-FMT
           RETURNING W-RETURN

Return codes

Table: Return codes (AAL2DeriveTokenBlobsICSF)
Code	Meaning	Code	Meaning
0	Success	908	HSM key not found
10001	Success with context warning[1]	951	Invalid HSM key type for HSM decryption
10002	Success with user warning[1]	1000	Function does not support EMV-CAP
10003	Success with user & context warning[1]	1039	Invalid response length with DP algorithm
10004	Success with platform warning[1]	1040	Invalid host code length with DP algorithm
10005	Success with platform & context warning[1]	1103	Unlock Version 2 not supported
10006	Success with platform & user warning[1]	1109	Invalid derivation code
10007	Success with platform & user & context warning[1]	1110	Invalid derivation code pointer
1	Code not verified	1111	Invalid derivation code length
130	Invalid response pointer	1112	Invalid character in derivation code
131	Missing required challenge	1113	Derivation code check digit is wrong
132	Unsupported token type	1114	Invalid derivation code format parameter
140	Challenge corrupted	1118	Unsupported BLOB
201	Code replay attempt	-101	Challenge too short
202	Identification error threshold reached	-102	Challenge too long
205	Inactive days reached	-103	Challenge check digit wrong
208	Application disabled	-105	Challenge minimum length not allowed
412	Invalid checksum (software)	-106	Challenge maximum length not allowed
413	Invalid Base64 format	-107	Challenge number wrong
414	Invalid checksum (HSM)	-108	Challenge character invalid
510	Invalid Digipass data pointer	-201	Response length out of bounds
600	Invalid Gordian root information	-202	Response too short
601	Invalid Gordian today information	-203	Response too long
602	Invalid Gordian tomorrow information	-205	Response character not decimal
603	Invalid Gordian stimulus information	-206	Response character not hexadecimal
807	Serial number not equal	-207	Response character set not specified
808	Invalid application count value	-1501	Memory allocation failed
900	Invalid session context handle

Specific score-based authentication code (see Score-based DIGIPASS)