HSM Key Management for Thales

Thank you for reading the Authentication Suite Server SDK for HSM Key Management Guide for Thales!

The OneSpan authentication technology relies on the fact that OneSpan customers share certain secrets with their end users. OneSpan provides the customer with these secrets in the form of a DPX file. The customer stores the secrets as a collection of Digipass BLOBs.

A fundamental security requirement is that the secrets shared between customers and end users remain secret. This means that the secrets have to be protected at all times, including the transport of the DPX file and storage of the authenticator application BLOB. The protection of the DPX files and authenticator application BLOBs is based on cryptographic operations with keys, which need to be protected as well.

OneSpan supports different key management options, with different levels of security. This document focuses on key management using a Thales ProtectServer, ProtectServer2, or Thales Luna hardware security module (HSM). More specifically, it describes how to use these HSMs to safely manage the keys that are used to protect DPX files and Digipass application BLOBs.

This guide provides information about:

  • Protection mechanisms for DPX files and Digipass application BLOBs

  • The keys involved in the protection mechanisms

  • Thales key management utility (KMU)

This guide does not provide:

This guide assumes that you have thorough knowledge of the following products:

  • Authentication Suite Server SDK for HSM

  • Thales ProtectServer hardware security module (ProtectServer Orange/Gold/External/Internal, ProtectServer2 External/Internal)

    -OR-

    Thales Luna

  • Thales ProtectServer HSM SDK: ProtectToolkit C (if you are using Thales ProtectServer)

As of version 4.0, OneSpan Authentication Server Framework has been renamed to Authentication Suite Server SDK. If not explicitly stated otherwise, any information and references to OneSpan Authentication Server Framework or VACMAN Controller also apply to Authentication Suite Server SDK.