Authentication Suite Server SDK for HSM services


Authentication Suite Server SDK for HSM provides the following services:

  • DPX Import Service

  • Digipass Dynamic Authentication Service

  • Digipass e-Signature Validation Service

  • Virtual Mobile Authenticator Service

  • Digipass Management Service

  • Software Digipass Activation Service

  • Software Digipass Derivation Service

  • Digipass Multi-Device Activation Service

  • Digipass Secure Channel Service

  • Payload Key BLOB Management Service

  • Question/Answer Service

  • Version Information Service

  • Error Management Service

DPX import service

Description

As with the DPX Import Service offered by the standard Authentication Suite Server SDK, this service groups the functionalities responsible for extracting Digipass data from a DPX file. For more information on the standard DPX Import Service, refer to the Authentication Suite Server SDK Product Guide.

In addition to the standard functionalities (initialization, Digipass data extraction and finalization), the DPX import process with an Authentication Suite Server SDK for HSM requires an encryption migration of the imported Digipass data. This consists of re-encrypting the imported BLOBs, which arrive either under an HSM-level transport key (double DPX file encryption) or under software encryption (standard DPX file encryption), under an HSM storage key before they are stored in the database. The HSM storage key never leaves the HSM, so after migration the Digipass secrets are only usable through HSM commands.

The import process consists of five mandatory steps:

  1. Initialization: The DPX file is opened.

  2. Digipass data extraction: Digipass BLOBs are read from the DPX file.

  3. Digipass data migration[1]: The extracted BLOBs are re-encrypted under the HSM storage key.

  4. Digipass data storage: The migrated Digipass data obtained in the previous step is written into the database.

  5. Finalization: The DPX file is closed.

(OPTIONAL 1) In addition to this standard import process common to all Digipass authenticators, a step must be added to extract the static vector from the DPX file for certain categories of Digipass authenticators. The static vector is a string containing parameter settings for the Digipass activation. The presence of the static vector in the DPX file and its usage is applicable only to the following categories of Digipass authenticators:

  • Software Digipass compliant with standard activation (in the context of single-device licensing).

  • Software or hardware Digipass authenticators compliant with multi-device activation (in the context of multi-device licensing).

For more information, see the Authentication Suite Server SDK Product Guide.

(OPTIONAL 2) In addition to this standard import process common to all Digipass authenticators, a step must be added to extract the message vector from the DPX file for certain categories of Digipass authenticators. The message vector is a string containing configuration settings for message generation. The presence of the message vector in the DPX file and its usage is applicable only to the following categories of Digipass authenticators:

  • Software or hardware Digipass authenticators compliant with multi-device activation (in the context of multi-device licensing).

  • Software or hardware Digipass authenticators that support operations based on the Secure Channel protocol.

For more information, see the Authentication Suite Server SDK Product Guide.

(OPTIONAL 3) In addition to this standard import process common to all Digipass authenticators, additional data must be retrieved for each Digipass data extraction in the case of software or hardware Digipass authenticators compliant with multi-device activation: the sequence number threshold and the activation vector. The sequence number threshold is an integer indicating the number of instances that can be created from a given Digipass license; the activation vector is a string containing encrypted activation data for that Digipass license. The presence of the sequence number threshold and activation vector in the DPX file and their usage is applicable only to software or hardware Digipass authenticators compliant with multi-device activation (in the context of multi-device licensing).

(OPTIONAL 4) In addition to this standard import process common to all Digipass authenticators, additional data must be retrieved for each Digipass data extraction in the case of hardware Digipass authenticators based on the single-device licensing model and using the Secure Channel protocol: the payload key BLOB. The payload key BLOB (if any) contains a Secure Channel payload key that is used for operations based on the Secure Channel protocol. Like the Digipass BLOBs, it must be migrated to HSM storage key encryption before use. The presence of the payload key BLOB in the DPX file and its usage is applicable only to the following category of Digipass authenticators:

  • Hardware Digipass authenticators based on the single-device licensing model (provisioned in factory) which support operations based on the Secure Channel protocol; for more information, see the Authentication Suite Server SDK Product Guide.

Functionalities

To import Digipass data from a DPX file, the Digipass data import functionalities of the DPX Import Service, the Digipass HSM protection key management functionality, and the payload key BLOB HSM protection key management functionality (if a payload key BLOB was obtained during import) of Authentication Suite Server SDK for HSM must be used (see Figure: Import process workflow).

Figure: Import process workflow

  1. Prior to any call to HSM-related functionalities (see Functionalities), you must migrate the BLOB encryption: use the Digipass HSM protection key management functionality to migrate the Digipass BLOBs, and the payload key BLOB HSM protection key management functionality to migrate the payload key BLOBs. The Authentication Suite Server SDK for HSM services based on HSM-related functionalities will not work with BLOBs that have not been migrated, because the HSM only accepts BLOBs encrypted under its storage key.
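The workflow above, as an added illustration that is not OneSpan's SDK or HSM code: a simulated HSM holds a transport key and a storage key, the host side follows the command/reply split that the footnote under Functionalities describes for HSM-related functionalities, and every BLOB is migrated to the storage key during import before it is stored. The BLOB cipher (an HMAC-SHA256 keystream with an HMAC tag), the RFC 4226 HOTP standing in for the Digipass OTP algorithm, the record layout, the serial numbers, and the assumption that the host supplies the software encryption key for standard DPX encryption are all mine, not the product's.

```python
"""Model of DPX import with BLOB migration to an HSM storage key (added example, not OneSpan code)."""
import hashlib
import hmac
import os


def _derive(key: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys so keystream and tag never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = length // 32 + 1
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in BLOB encryption: nonce || ciphertext || 16-byte tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def open_blob(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a BLOB encrypted under another key is rejected, not mis-decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("BLOB is not encrypted under this key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used here as a stand-in for the Digipass OTP algorithm."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SimulatedHSM:
    """HSM side: keys never leave this object; the host only exchanges commands and replies."""

    def __init__(self) -> None:
        self.transport_key = os.urandom(32)  # HSM-level transport key (double DPX encryption)
        self.storage_key = os.urandom(32)    # HSM storage key: the only key accepted for operations

    def execute(self, command: dict) -> dict:
        try:
            if command["op"] == "migrate":
                if command["source"] == "transport":
                    secret = open_blob(self.transport_key, command["blob"])
                else:  # standard (software) DPX encryption; assumption: host supplies that key
                    secret = open_blob(command["software_key"], command["blob"])
                return {"status": "ok", "blob": seal(self.storage_key, secret)}
            if command["op"] == "otp":
                secret = open_blob(self.storage_key, command["blob"])  # unmigrated BLOBs fail here
                return {"status": "ok", "otp": hotp(secret, command["counter"])}
            return {"status": "error", "reason": "unknown command"}
        except ValueError as exc:
            return {"status": "error", "reason": str(exc)}


# Host side: each HSM-related functionality is one command builder plus one reply processor.
def build_migration_command(record: dict, software_key: bytes = None) -> dict:
    cmd = {"op": "migrate", "source": record["encryption"], "blob": record["blob"]}
    if record["encryption"] == "software":
        cmd["software_key"] = software_key
    return cmd


def process_migration_reply(record: dict, reply: dict) -> dict:
    if reply["status"] != "ok":
        raise RuntimeError("migration failed: " + reply["reason"])
    return {**record, "blob": reply["blob"], "encryption": "storage"}


def build_otp_command(record: dict, counter: int) -> dict:
    if record["encryption"] != "storage":  # the host-side gate the guide insists on
        raise ValueError("BLOB of %s was not migrated to the HSM storage key" % record["serial"])
    return {"op": "otp", "blob": record["blob"], "counter": counter}


def process_otp_reply(reply: dict) -> str:
    if reply["status"] != "ok":
        raise RuntimeError("HSM rejected OTP command: " + reply["reason"])
    return reply["otp"]


def import_dpx(dpx_records: list, hsm: SimulatedHSM, software_key: bytes = None) -> dict:
    """Steps 2 to 4 of the import process: extract, migrate, store (file open/close omitted)."""
    database = {}
    for record in dpx_records:
        migrated = process_migration_reply(record, hsm.execute(build_migration_command(record, software_key)))
        database[migrated["serial"]] = migrated
    return database


def make_sample_dpx(hsm: SimulatedHSM, software_key: bytes) -> list:
    """Constructed DPX content: one double-encrypted and one software-encrypted record,
    both carrying the RFC 4226 test secret so the expected OTP is known in advance."""
    secret = b"12345678901234567890"
    return [{"serial": "VDP0000001", "encryption": "transport", "blob": seal(hsm.transport_key, secret)},
            {"serial": "VDP0000002", "encryption": "software", "blob": seal(software_key, secret)}]


def generate_otp(record: dict, hsm: SimulatedHSM, counter: int) -> str:
    return process_otp_reply(hsm.execute(build_otp_command(record, counter)))


if __name__ == "__main__":
    hsm, software_key = SimulatedHSM(), os.urandom(32)
    db = import_dpx(make_sample_dpx(hsm, software_key), hsm, software_key)
    print(generate_otp(db["VDP0000001"], hsm, 0))  # 755224, the RFC 4226 test vector
```

Two gates are deliberate: the host-side check in build_otp_command fails fast on a record that skipped migration, and the HSM itself refuses any BLOB whose tag does not verify under the storage key, so the transport- or software-encrypted BLOB cannot be used even if the host check is bypassed.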

Other HSM services

Description

All other services available with Authentication Suite Server SDK for HSM are identical to the standard Authentication Suite Server SDK services. For more information about these services, refer to the Authentication Suite Server SDK Product Guide.

Functionalities

Authentication Suite Server SDK for HSM offers the following functionalities:

Functionalities related to HSMs[1]:

  • Password validation

  • Signature validation

  • Message signature validation

  • Password generation

  • Signature generation

  • Digipass unlocking

  • Digipass static PIN management

  • Digipass HSM protection key management

  • Digipass authenticator and host synchronization

  • Software Digipass activation data generation[2]

  • Software Digipass data derivation

  • Payload key BLOB generation

  • Device code validation

  • Activation Message 2 and Digipass instance generation

  • Deactivation message generation

  • Request message generation

  • Response message processing

  • Information message processing

  • Payload key BLOB HSM protection key management

  • Question/answer decryption

  • HSM module version information

Functionalities not related to HSMs:

  • Challenge generation

  • Digipass properties management

  • Digipass information management

  • Digipass authenticator data synchronization

  • Activation Message 1 generation

  • Message properties retrieval

  • Library version information

  • Wrapper version information

  • Error handling

  1. Each HSM-related functionality is based on two functions: the first generates a command for the HSM, the second processes the HSM reply. Prior to using any of these HSM-related functionalities, you must migrate the BLOB encryption to the HSM storage key.

  2. The only software Digipass activation data generation functionality supported by Authentication Suite Server SDK for HSM generates a random key on the fly for the software Digipass to activate (or reactivate).