Protection concepts


This topic describes the various encryption modes and processes that are part of Authentication Suite Server SDK for HSM.

DPX encryption

In the course of the DPX file encryption process, the token keys may first be encrypted by an HSM-level transport key. Then, these encrypted keys are embedded in the DPX file and encrypted in the normal way. Thus, the keys in the DPX file are double-encrypted, and the remaining data is single-encrypted.

When importing the DPX file, the DPX-to-BLOB conversion is performed by the software. The (unmigrated) BLOB contains token keys encrypted with an HSM-level transport key. The migration function is used to decrypt the token keys with the HSM-level transport key and to re-encrypt them with the HSM-level storage key. Depending on the HSM type, other data of the final migrated BLOB will be protected either on a hardware level or on a software level. The token keys are never exposed during this process.

Software DPX file encryption

In case of standard DPX file encryption, the DPX file is generated by OneSpan and encrypted with a software-level DPX transport key only.

Figure: Flow of keys and DPX file with software DPX file encryption illustrates the flow of keys and the DPX file between the customer and OneSpan:

  1. OneSpan generates the software-level DPX transport key, generates and encrypts the DPX file, and sends the DPX file to the customer.

  2. OneSpan sends the software-level DPX transport key to the customer.

Figure: Flow of keys and DPX file with software DPX file encryption

HSM DPX file encryption

In case of double DPX file encryption, the customer needs to generate the HSM-level DPX transport key and distribute it to OneSpan, protected with a key encrypting key. This key allows OneSpan to double-encrypt the DPX file.

Figure: Flow of keys and DPX file with HSM DPX file encryption illustrates the flow of keys and the DPX file between the customer and OneSpan:

  1. The customer generates the HSM-level DPX transport key and sends it to OneSpan, encrypted with a key encrypting key (KEK).

  2. The customer sends the key encrypting key to OneSpan.

  3. OneSpan generates the software-level DPX transport key, generates and double-encrypts the DPX file, and sends the DPX file to the customer.

  4. OneSpan sends the software-level DPX transport key to the customer.

Figure: Flow of keys and DPX file with HSM DPX file encryption

Authenticator application BLOB HSM encryption

The Authentication Suite Server SDK BLOBs, which contain the Digipass profile and keys, remain in the host computer database under control of the customer application, but are encrypted in a different way.

The most sensitive information inside the BLOB (the Digipass keys) is encrypted by the HSM using a long-term storage key of the HSM. Thus, these keys cannot be reconstructed or changed outside the HSM. To ensure unique encryption per BLOB, it is possible to specify an 8-byte initial vector that will be used during the HSM 3DES/AES encryption of the HSM-protected data.

Depending on the HSM type, other data of the BLOB will be protected either on a hardware level or on a software level.

A hash is calculated on the full BLOB. This hash allows checking the BLOB integrity prior to any operation on it.

Maintenance operations, for example resetting or re-synchronizing the token time drift, are possible without putting extra load on the HSM, as such operations do not require using or decrypting any HSM-encrypted sensitive data.
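
The integrity check and the HSM-free maintenance operation described above, as an added example that is not OneSpan code: the field layout, the use of SHA-256, and the names HsmBlob, seal, verify and reset_time_drift are assumptions, since this page gives neither the BLOB format nor the hash algorithm. An unkeyed hash such as this one detects corruption, not modification by someone able to recompute it.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace


# Assumed layout for illustration only; the real BLOB format is not on the page.
@dataclass(frozen=True)
class HsmBlob:
    iv: bytes              # 8-byte per-BLOB initial vector
    hsm_protected: bytes   # Digipass keys: ciphertext only the HSM can open
    time_drift: int        # maintenance field, not HSM-encrypted
    digest: bytes = b""    # hash calculated on the full BLOB


def _body(blob: HsmBlob) -> bytes:
    # Length-prefix the variable field so field boundaries cannot shift unnoticed.
    return (blob.iv + struct.pack(">I", len(blob.hsm_protected))
            + blob.hsm_protected + struct.pack(">i", blob.time_drift))


def seal(blob: HsmBlob) -> HsmBlob:
    """Recompute the hash over the full BLOB (SHA-256 is an assumption)."""
    if len(blob.iv) != 8:
        raise ValueError("initial vector must be 8 bytes")
    return replace(blob, digest=hashlib.sha256(_body(blob)).digest())


def verify(blob: HsmBlob) -> bool:
    """Integrity check to run before any operation on the BLOB."""
    expected = hashlib.sha256(_body(blob)).digest()
    return hmac.compare_digest(blob.digest, expected)


def reset_time_drift(blob: HsmBlob) -> HsmBlob:
    """Maintenance operation: no HSM call, protected keys stay as ciphertext."""
    if not verify(blob):
        raise ValueError("BLOB integrity check failed")
    return seal(replace(blob, time_drift=0))


# Constructed sample: placeholder bytes stand in for the HSM-encrypted keys.
SAMPLE = seal(HsmBlob(iv=bytes(range(8)), hsm_protected=bytes(32), time_drift=-3))
```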

To increase performance, multiple HSMs with the same storage key can be used in parallel.

In this document, this BLOB is referred to as the HSM BLOB as opposed to the original standard BLOB.

Some Digipass authenticators are able to perform operations based on a Secure Channel protocol. Such Digipass authenticators have a Secure Channel payload key represented on the server side by a payload key BLOB. As for the authenticator application BLOBs, similar protection mechanisms apply to the payload key BLOBs.