Customers must complete the following key management tasks to be able to use the authenticator application:
Tasks 2 to 5 are only required if you import double-encrypted DPX files.
Task 1: Generate the HSM-level BLOB storage key
To generate the HSM-level BLOB storage key (Thales ProtectServer)
Open the KMU (HSM) tool included in the Thales ProtectServer Protect Toolkit C.
Under Select a token, log in on <Slot0> as User (password is required).

The slot ID may vary depending on the configuration.
From the menu, select Options > Create > Secret Key.
Select the Mechanism: Double DES, Triple DES, AES with key size 128 bits or AES with key size 256 bits.

With these settings, vascoStorageKey backup is not possible. To allow backup, set Exportable to TRUE.
To generate the HSM-level BLOB storage key (Thales Luna)
Sign in to the relevant HSM slot.
Open a command-line prompt.
Use the following command to generate the storage key:
generatekey -keytype=aes -keysize=16 -label=vascoStorageKey -private=1 -sensitive=1 -extractable=1 -encrypt=1 -decrypt=1 -sign=1 -verify=1 -derive=1 -wrap=1 -unwrap=1 -modifiable=1
Task 2: Generate the KEK with custodians export
The purpose of this key is to export the HSM-level DPX transport key generated in Task 3: Generate the HSM-level DPX transport key.
Because this key is highly sensitive, it should be generated by a security officer.
To generate the KEK (Thales ProtectServer)
In the Key Management Utility window, under Select a token, log in on <Slot0> as Security Officer (password is required).
From the menu, select Options > Create > Generate Key Components.
Select the Mechanism: Double DES, Triple DES, AES with key size 128 bits or AES with key size 256 bits.

Specify the number of KEK components (typically 2 or 3).

Keep the key components and their KCVs safe.

Repeat the previous steps for all further key components.

In the Key Management Utility window, verify the three keys are created.
Each component of the KEK must be kept safe by a key custodian. The KEK generation must be supervised by the security officer.
In the Key Management Utility window, under Select a token, log in on <Slot0> as User (password is required).
To generate the KEK (Thales Luna)
Sign in to the respective HSM slot.
Open a command-line prompt.
Use the following command to generate an AES KEK with custodians:
generatekey -slot=slot_number -keytype=aes -keysize=16 -label=KEK -clearcomponents=custodians_number
Replace the following:
slot_number is the number of the respective HSM slot.
custodians_number is the number of key custodians to use.
Follow the instructions on the screen.
Make sure that you take a note of each key component and the corresponding KCV. Also take a note of the handle number for the newly created KEK; you will need it in subsequent tasks.
Task 3: Generate the HSM-level DPX transport key
To generate the HSM-level DPX transport key (Thales ProtectServer)
In the Key Management Utility window, from the Menu, select Options > Create > Secret Key.
Select the Mechanism: Double DES, Triple DES, AES with key size 128 bits or AES with key size 256 bits.

For security reasons, set Extractable to FALSE and Exportable to TRUE.
With this setup, only a security officer can create a key that can export this HSM-level DPX transport key.
When the key is generated, in the Key Management Utility window, right-click on vascoTransportKey.

From the shortcut menu, select View KCV.

During this operation, the security officer in charge of the export ceremony must verify that Extractable is set to FALSE, and Exportable is set to TRUE. Otherwise, the HSM-level DPX transport key will be easily exportable outside the HSM, and its secret might be compromised.
To generate the HSM-level DPX transport key (Thales Luna)
Sign in to the respective HSM slot.
Open a command-line prompt.
Use the following command to generate the transport key:
generatekey -keytype=aes -keysize=24 -label=vascoTransportKey -private=1 -sensitive=1 -extractable=1 -encrypt=1 -decrypt=1 -sign=1 -verify=1 -derive=1 -wrap=1 -unwrap=1 -modifiable=1
Take a note of the handle number for the newly created transport key, as you will need it in the subsequent tasks.
Use the following command to get the attributes of the key:
getattribute -handle=transportkey_handle
Replace transportkey_handle with the transport key handle number returned by the previous generatekey command.
Take a note of the KCV.
Task 4: Export the HSM-level DPX transport key wrapped by the KEK
To export the HSM-level DPX transport key (Thales ProtectServer)
To prepare the export, in the Key Management Utility window, select OneSpanTransportKey.

Figure: Export the HSM-level DPX transport key wrapped by the KEK (1)
From the menu, select Options > Export.
Select the Write encrypted part to the screen option.

Figure: Export the HSM-level DPX transport key wrapped by the KEK (2)
Keep the wrapped key and its KCV safe.

Figure: Export the HSM-level DPX transport key wrapped by the KEK (3)
To export the HSM-level DPX transport key (Thales Luna)
Sign in to the respective HSM slot.
Open a command-line prompt.
Use the following command to export the transport key, wrapped by the KEK:
export -handle=transportkey_handle -key=kek_handle -algo=aes_kwp -outputfile=path -format=format
Replace the following:
transportkey_handle is the transport key handle generated in Task 3: Generate the HSM-level DPX transport key.
kek_handle is the KEK handle number generated in Task 2: Generate the KEK with custodians export.
path is the output file path, either a full path (c:\file.txt) or a path relative to the current directory (file.txt).
format is the output format. Supported values for a private or secret key are bin, txt, or text.
Task 5: Distribute the encrypted HSM-level DPX transport key and the KEK to OneSpan
The HSM-level DPX transport key can be delivered to OneSpan using the following media:
Email
Secure physical mail (secure envelope)
Fax
Date: 07 March 2007
Wrapped Transport Key: 1e7b 3a39 ee0b 793a 8338 19f3 ea0a c057 18ff c6ee 7609 3909
Transport Key KCV: d2e3d3
Key Encryption Key KCV: 26d098
The components of the KEK can be delivered to OneSpan using the following media:
Secure physical mail (secure envelope) for every single key component
Date: 07 March 2007
Key Share (A/B/C): A
Key Share: b9ae 4051 a8f8 625b 01d0 b93b 6131 dadc c779 f494 fd8a 5eea
Key Share KCV: 1ccc74
Key Encryption Key KCV: 26d098
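The following Go program is an added example, not part of this documentation or of the Thales tools: it shows how the receiving side can check the KCVs that Tasks 2 and 5 ask custodians to record, computing the check value for AES, Double DES and Triple DES keys and rebuilding the KEK only when every share's KCV and the rebuilt key's KCV match the values on the forms. It assumes the usual ECB-of-zeros KCV convention (first three bytes of the cipher applied to an all-zero block) and that clear components combine by XOR; the page states neither, and the names KCV, Share and RebuildKEK are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// KCV returns the hex key check value: the first 3 bytes of the key's block cipher
// applied to an all-zero block (assumed ECB-of-zeros convention; not defined on the page).
func KCV(key []byte, tdes bool) (string, error) {
	if tdes && len(key) == 16 { // Double DES: the 16-byte key is used as K1 K2 K1
		key = append(append([]byte{}, key...), key[:8]...)
	}
	newCipher := aes.NewCipher
	if tdes {
		newCipher = des.NewTripleDESCipher
	}
	c, err := newCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, make([]byte, c.BlockSize()))
	return hex.EncodeToString(out[:3]), nil
}

// Share is one custodian's delivery record: the clear component and the KCV written on the form.
type Share struct{ Component []byte; KCV string }

// RebuildKEK checks each share's KCV, XORs the components (assumed combination rule) into the
// KEK and checks the result against the "Key Encryption Key KCV" on the forms. Needs >= 1 share.
func RebuildKEK(shares []Share, kekKCV string, tdes bool) ([]byte, error) {
	kek := make([]byte, len(shares[0].Component))
	for i, s := range shares {
		got, err := KCV(s.Component, tdes)
		if err != nil || got != s.KCV || len(s.Component) != len(kek) {
			return nil, fmt.Errorf("share %d rejected: computed KCV %q, form says %q (%v)", i+1, got, s.KCV, err)
		}
		for j := range kek {
			kek[j] ^= s.Component[j]
		}
	}
	if got, _ := KCV(kek, tdes); got != kekKCV {
		return nil, fmt.Errorf("rebuilt KEK KCV %s does not match form value %s", got, kekKCV)
	}
	return kek, nil
}
```

The Key Share KCV and Key Encryption Key KCV fields of the Task 5 form map onto Share.KCV and the kekKCV argument; a mismatch stops the KEK from being assembled, so a mistyped or swapped component is caught before anything is unwrapped.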