Conceptual description
Authentication Suite Server SDK facilitates the validation of passwords and signatures from Digipass authenticators. For this purpose, Authentication Suite Server SDK has to handle a copy of the parameters and secrets that are programmed on the Digipass authenticator. Authentication Suite Server SDK retrieves this information from the authenticator application BLOB, which is a flat data structure stored in a database accessible from the computer where Authentication Suite Server SDK is running.
To prevent unauthorized access, the authenticator application BLOB is protected (secrecy and integrity) through an AES-based encryption. The standard version of Authentication Suite Server SDK is a full software product and the AES keys used for this encryption are based upon secret codes stored in the software and passed during runtime.
In case a higher level of security is required, it is possible to migrate to the Authentication Suite Server SDK for HSM solution. A hardware security module (HSM) is a tamper-proof hardware module that is connected to, or inserted into, the host computer. The HSM contains a secure storage for secret keys in combination with cryptographic processing capabilities.
Using an HSM in combination with Authentication Suite Server SDK ensures that the Digipass secrets cannot be viewed on the host computer. The Authentication Suite Server SDK for HSM solution uses 3DES or AES HSM keys to encrypt the authenticator application BLOBs. When a wrong Digipass password or signature is rejected, the HSM guarantees that the correct password or signature is not available on the host computer.
Authentication Suite Server SDK always generates the correct answer to test if the received answer is correct.
Integration concept
Figure: Authentication Suite Server SDK for HSM integration concept
The Authentication Suite Server SDK BLOBs, which contain token profile and keys, remain on the host computer, where the Authentication Suite Server SDK host API can access only the less sensitive parameters. The token keys and secrets can only be accessed within the HSM. As a result of this and to minimize the amount of code inside the HSM, functional partitioning between the two modules is organized as follows:
All Authentication Suite Server SDK functionalities that use the secured values inside the authenticator application BLOB will run inside the HSM (e.g. password validation functionality, signature validation functionality etc.). The input for the routines associated with these functionalities is serialized and sent from the host computer into the HSM. The output, including the updated BLOB, is returned in a serialized format to the host computer. Authentication Suite Server SDK on the host computer will then convert it back into the format as defined in the Authentication Suite Server SDK API.
All Authentication Suite Server SDK functionalities that do not use any secured values inside the BLOB will run on the host computer only, without access to the HSM.
These functionalities are not fully identical to the routines of the standard Authentication Suite Server SDK because of the different BLOB encryption.
Some extra Authentication Suite Server SDK APIs are added to the host computer, which organizes the generation and processing of input and output parameters with the HSM. This code is independent of the HSM model (see HSM independence concept.) These APIs consist of:
The HSM input parameter validation
The serialization of input and output parameters, i.e., the conversion of Authentication Suite Server SDK structures into or from a string of bytes
The HSM output parameter validation
The method for loading Authentication Suite Server SDK for HSM inside the HSM depends on the vendor. Some vendors require a firmware upgrade that has to be performed by their services. For these vendors, OneSpan can provide the routines (ANSI C-code) that need to be added to the HSM. Other vendors allow uploading third-party modules into the HSM, which are then signed (RSA-signature) to ensure that the correct module is uploaded.
HSM independence concept
The Authentication Suite Server SDK for HSM independence component is a collection of Level 2 functions giving integrators simplified hardware security module support which is independent of the HSM type.
On the host, Authentication Suite Server SDK does not perform any HSM management, as for example initialization, communication, or finalization. Integrators need to write this functionality separately to Authentication Suite Server SDK, in line with the particular HSM.
Authentication Suite Server SDK provides the host-side generation and processing of the messages sent to and from the HSM. Thus, Authentication Suite Server SDK and HSM management tasks are separated from each other.
For each Authentication Suite Server SDK function performed on the HSM, the host-side Authentication Suite Server SDK must:
Generate an HSM command message to send from the host to the HSM
Process the HSM reply message sent back from the HSM