Transaction data signing
  • 23 Oct 2024
  • 8 Minutes à lire
  • Sombre
    Lumière
  • PDF

Transaction data signing

  • Sombre
    Lumière
  • PDF

The content is currently unavailable in French. You are viewing the default English version.
Résumé de l’article

For more information about the transaction data signing mechanism, refer to the Mobile Authenticator Studio Product Guide.

Listing transactions to sign

With transaction data signing enabled, Mobile Authenticator Studio is able to retrieve a list of transactions on user demand, and sign each transaction locally. The signature is then sent back to a server for validation.

Listing pending transactions (overview)

Integrating transaction data signing involves the following steps:

  1. The app submits an HTTP(S) request to the integrator back-end system. The request contains a one-time password (OTP) to authenticate the issuer.

  2. The integrator validates the OTP.

  3. On successful authentication, the list of pending transactions can be retrieved from the database.

  4. The response that contains the transaction list is sent back to the app.

Transaction list request

The request sent by Mobile Authenticator Studio is configured in the TransactionList section of the configuration file:

  1. <TransactionDataSigningAction authenticationCryptoAppIndex="1"signatureCryptoAppIndex="2"displayPopup="true">

  2. <!-- Transactions list URL -->

  3.  <TransactionList>

  4.    <URL method="GET"value="http://MY_DOMAIN_NAME/MY_WEB_SERVICE?serial=%_SerialNumber_%&amp;otp=%_OTP_%&amp;version=%_Version_%" />

  5.  </TransactionList>

  6.  ...

  7. </TransactionDataSigningAction>

The URL can use the HTTP POST or GET methods. For more information about URL customization, refer to the Mobile Authenticator Studio Customization Guide.

Transaction list request parameters

Parameter name

Description

SerialNumber

The authenticator serial number.

Format: Alphanumeric string, 10 characters

RegistrationIdentifier

The identifier provided by the user via the online activation screen of the Mobile Authenticator Studio app.

Format: Alphanumeric string, limited to 40 characters

UserIdentifier

The extra user identifier that has been set during activation.

Format: Alphanumeric string, limited to 40 characters

Version

The version of the application binary as defined when configuring the app.

DeviceIdentifier

The device-unique identifier.

Format: String of 64 hexadecimal characters

RootingStatus

The status indicating whether the device is rooted, either true or false according to the device state.

Transaction list response

The transaction content can be used for a standard transaction (i.e. with up to 8 data fields) or a Secure Channel transaction.

The response expected by Mobile Authenticator Studio must be formatted as described in the DTD:

  1. <!ELEMENT DP4Mobile (Activation?,PendingTransactions?)>

  2. <!ATTLIST DP4Mobile retCode CDATA #REQUIRED>

  3. <!ATTLIST DP4Mobile message CDATA #REQUIRED>

  4. <!ATTLIST DP4Mobile serverTime CDATA #IMPLIED>

  5. <!ELEMENT PendingTransactions (Transaction*)>

  6. <!ELEMENT Transaction (Item*)>

  7. <!ATTLIST Transaction identifier CDATA #REQUIRED>

  8. <!ATTLIST Transaction name CDATA #REQUIRED>

  9. <!ATTLIST Transaction secureChannelMessage CDATA #IMPLIED>

  10. <!ELEMENT Item EMPTY>

  11. <!ATTLIST Item value CDATA #REQUIRED>

  12. <!ATTLIST Item dtfIndex (1|2|3|4|5|6|7|8) #IMPLIED>

  13. <!ATTLIST Item hidden (true|false) #IMPLIED>

  14. <!ATTLIST Item align (left|right|center) #IMPLIED>

  15. <!ATTLIST Item bold (true|false) #IMPLIED>

  16. <!ATTLIST Item italic (true|false) #IMPLIED>

If the transaction content is used for a standard transaction, the secureChannelMessage attribute must be empty.

Example

  1. <?xml version="1.0"encoding="UTF-8"?>

  2. <DP4Mobile retCode="0"message="Operation Successful" >

  3.  <PendingTransactions>

  4.    <Transaction identifier="795ba1121281608b84a8000"

  5. name="Transaction 1">

  6.      <Item value="Amount"bold="true"align="center" />

  7.      <Item value="123"dtfIndex="1" />

  8.      <Item value="" />

  9.      <Item value="Destination"italic="true" />

  10.      <Item value="456"dtfIndex="2" />

  11.      <Item value="789"hidden="true"dtfIndex="3" />

  12.    </Transaction>

  13.    <Transaction identifier="3456426341316aec21ef0190"name="Transaction 2" >

  14.      <Item value="Amount"bold="true"align="center" />

  15.      <Item value="111"dtfIndex="1" />

  16.      <Item value="Destination"italic="true" />

  17.      <Item value="222"dtfIndex="2" />

  18.      <Item value="333"hidden="true"dtfIndex="3" />

  19.    </Transaction>

  20.  </PendingTransactions>

  21. </DP4Mobile >

If the transaction content is used for a Secure Channel transaction, no item element must be present.

Example

  1. <?xml version="1.0"encoding="UTF-8"?>

  2. <DP4Mobile retCode="0"message="Operation Successful" >

  3.  <PendingTransactions>

  4.    <Transaction identifier="795ba1121281608b84a8000"name="Transaction 1"secureChannelMessage="00C1C...E74AE" />

  5.    <Transaction identifier="3456426341316aec21ef0190"name="Transaction 2"secureChannelMessage="00C1C...E74AE" />

  6.  </PendingTransactions>

  7. </DP4Mobile >

Transaction list response attributes

Attribute name

Description

//DP4Mobile/@retCode

Required. The return code associated with the transaction list request. 0 means success, any other value will cause the message attribute value to be displayed and the list transaction to stop.

//DP4Mobile/@message

Required. The return message associated with the transaction list request. This value will be displayed by the app if not 0.

//DP4Mobile/@serverTime

Optional. This is the current server GMT time. This value will be used by the app to silently set the drift between device and server time to keep the app synchronized.

//Transaction/@identifier

The unique identifier of a transaction. It is not displayed, but only used to uniquely trace a transaction during the signing process.

Format: Alphanumeric string

//Transaction/@name

The name of the transaction as displayed on the device.

Format: Alphanumeric string

//Transaction /@secureChannelMessage

The Secure Channel message. This parameter is mandatory for Secure Channel transactions, but must not be present for standard transaction.

Format: Hexadecimal string

Each transaction contains a list of items that will be displayed in the app. Each item has a number of attributes. For Secure Channel transactions, no item must be present.

Transaction item attributes

Attribute name

Description

//Item/@value

The text as displayed on the device.

Format: Alphanumeric string

//Item/@bold

Indicates whether the text is in bold.

//Item/@align

Indicates whether the text is in left-, center-, or right-aligned.

//Item/@italic

Indicates whether the text is in italics.

//Item/@dtfIndex

Indicates whether the item value is signed as a data field. If omitted, the text is not signed.

//Item/@hidden

Indicates whether the text is visible.

Validating transactions

Depending on the Mobile Authenticator Studio configuration, transactions can be validated either internally or externally.

Internal transaction validation

Internal transaction validation (overview)

Once Mobile Authenticator Studio has signed the content of a transaction, it can manage the validation of the transaction inside the app by connecting to a web service. The web service must be able to validate the signature of a transaction identified by its unique transaction identifier.

The request sent by Mobile Authenticator Studio is configured in the TransactionValidation section of the configuration file:

  1. <TransactionDataSigningAction authenticationCryptoAppIndex="1"signatureCryptoAppIndex="2" displayPopup="true">

  2.  <TransactionValidation>

  3.    <OutputData displayed="false"internalValidation="true">

  4.      <URL method="POST"value="http://MY_DOMAIN_NAME/MY_WEB_SERVICE">

  5.        <PayloadParameter key="serialNumber"value="%_SerialNumber_%" />

  6.        <PayloadParameter key="signature"value="%_OTP_%" />

  7.        <PayloadParameter key="transactionIdentifier"value="%_TransactionIdentifier_%" />

  8.      </URL >

  9.    </OutputData>

  10.  </TransactionValidation>

  11.  ...

  12. </TransactionDataSigningAction>

The URL can use the HTTP POST or GET methods. For more information about URL customization, refer to the Mobile Authenticator Studio Customization Guide.

Internal transaction validation parameters

Parameter name

Description

SerialNumber

The authenticator serial number.

Format: Alphanumeric string, 10 characters

RegistrationIdentifier

The identifier provided by the user via the online activation screen of the Mobile Authenticator Studio app.

Format: Alphanumeric string, limited to 40 characters

UserIdentifier

The extra user identifier that has been set during activation.

Format: Alphanumeric string, limited to 40 characters

OTP

The signature generated by the cryptographic application defined by the signatureCryptoAppIndex attribute of the TransactionDataSigningAction element.

TransactionIdentifier

The unique identifier of a transaction.

Format: Alphanumeric string

Version

The version of the application binary as defined when configuring the app.

DeviceIdentifier

The device-unique identifier.

Format: String of 64 hexadecimal characters

RootingStatus

The status indicating whether the device is rooted, either true or false according to the device state.

If a score-based authentication mechanism is used to generate the OTP, the score evaluated by Mobile Authenticator Studio will be returned by OneSpan Authentication Server Framework. This is done through the return code of the OTP verification API.

Score-based authentication requires OneSpan Authentication Server Framework 3.14 or later.

For more information about retrieving the client score from Authentication Server Framework, refer to the OneSpan Authentication Server Framework Programmer's Guide.

The response expected by Mobile Authenticator Studio must be formatted as described in the DTD:

  1. <!ELEMENT DP4Mobile (Activation?,PendingTransactions?)>

  2. <!ATTLIST DP4Mobile retCode CDATA #REQUIRED>

  3. <!ATTLIST DP4Mobile message CDATA #REQUIRED>

  4. <!ATTLIST DP4Mobile serverTime CDATA #IMPLIED>

  5. <!ATTLIST DP4Mobile confirmationCode CDATA #IMPLIED>

Example

  1. <?xml version="1.0"encoding="UTF-8"?>

  2. <DP4Mobile retCode="0"message="Operation Successful"confirmationCode="123456" >

  3.  <PendingTransactions/>

  4. </DP4Mobile >

A confirmation code attribute can be added to the response. It will be displayed by the app together with the message.

Internal transaction validation response attributes

Attribute name

Description

//DP4Mobile/@retCode

Required. The return code associated with the transaction validation request. 0 means success, any other value will cause the message attribute value to be displayed and the transaction data signing process to stop.

//DP4Mobile/@message

Required. The return message associated with the transaction validation request. This value will be displayed by the app if not empty.

//DP4Mobile/@serverTime

                        Optional. This is the current server GMT time. This value will be used by the app to silently set the drift between device and server time to keep the app synchronized.

//DP4Mobile/@confirmationCode

Optional. The server return host code. If provided, it will be displayed along with the message.

External transaction validation

External transaction validation (overview)

Once Mobile Authenticator Studio has signed the content of a transaction, it can open a URL in the device web browser. This URL contains the information that identifies the authenticator application and the transaction, as well as the transaction signature. The Mobile Authenticator Studio app is closed as soon as the browser is opened.

The URL opened by Mobile Authenticator Studio is configured in the TransactionValidation section of the configuration file:

  1. <TransactionDataSigningAction authenticationCryptoAppIndex="1"signatureCryptoAppIndex="2"displayPopup="true">

  2.  <TransactionValidation>

  3.    <OutputData displayed="false"internalValidation="false">

  4.      <URL method="POST"value="http://MY_DOMAIN_NAME/MY_WEB_SERVICE">

  5.        <PayloadParameter key="serialNumber"value="%_SerialNumber_%" />

  6.        <PayloadParameter key="signature"value="%_OTP_%" />

  7.        <PayloadParameter key="transactionIdentifier"value="%_TransactionIdentifier_%" />

  8.      </URL >

  9.    </OutputData>

  10.  </TransactionValidation>

  11.  ...

  12. </TransactionDataSigningAction>

The URL can use the HTTP POST or GET methods. For more information about URL customization, refer to the Mobile Authenticator Studio Customization Guide.

External transaction validation parameters

Parameter name

Description

SerialNumber

The authenticator serial number.

Format: Alphanumeric string, 10 characters

RegistrationIdentifier

The identifier provided by the user via the online activation screen of the Mobile Authenticator Studio app.

Format: Alphanumeric string, limited to 40 characters

UserIdentifier

The extra user identifier that has been set during activation.

Format: Alphanumeric string, limited to 40 characters

OTP

The signature generated by the cryptographic application defined by the signatureCryptoAppIndex attribute of the TransactionDataSigningAction element.

Format: Hexadecimal string, limited to 16 characters

TransactionIdentifier

The unique identifier of a transaction.

Format: Alphanumeric string

Version

The version of the application binary as defined when configuring the app.

DeviceIdentifier

The device-unique identifier.

Format: String of 64 hexadecimal characters

RootingStatus

The status indicating whether the device is rooted, either true or false according to the device state.

Rejecting transactions

Transaction rejection (overview)

The user can reject a transaction. When a transaction is rejected, no signature will be generated and the transaction will be removed from the list of pending transactions. Transaction rejection is managed by connecting to a web service.

The request sent by Mobile Authenticator Studio is configured for every TransactionDataSigningAction element of the configuration file:

  1. <TransactionDataSigningActionauthenticationCryptoAppIndex="1"signatureCryptoAppIndex="2"displayPopup="true">

  2.  <TransactionRejection>

  3.    <URL method="POST"value="http://MY_DOMAIN_NAME/MY_WEB_SERVICE">

  4.      <PayloadParameter key="serialNumber"value="%_SerialNumber_%" />

  5.      <PayloadParameter key="transactionId"value="%_TransactionIdentifier_%" />

  6.    </URL >

  7.  </TransactionRejection>

  8. </TransactionDataSigningAction>

The URL can use the HTTP POST or GET methods. For more information about URL customization, refer to the Mobile Authenticator Studio Customization Guide.

Transaction rejection parameters

Parameter name

Description

SerialNumber

The authenticator serial number.

Format: Alphanumeric string, 10 characters

RegistrationIdentifier

The identifier provided by the user via the online activation screen of the Mobile Authenticator Studio app.

Format: Alphanumeric string, limited to 40 characters

UserIdentifier

The extra user identifier that has been set during activation.

Format: Alphanumeric string, limited to 40 characters

TransactionIdentifier

The unique identifier of a transaction.

Format: Alphanumeric string

Version

The version of the application binary as defined when configuring the app.

DeviceIdentifier

The device-unique identifier.

Format: String of 64 hexadecimal characters

RootingStatus

The status indicating whether the device is rooted, either true or false according to the device state.

Transaction rejection is only available for Android and iOS.

The response expected by Mobile Authenticator Studio must be formatted as described in the DTD:

  1. <!ELEMENT DP4Mobile (Activation?,PendingTransactions?)>

  2. <!ATTLIST DP4Mobile retCode CDATA #REQUIRED>

  3. <!ATTLIST DP4Mobile message CDATA #REQUIRED>

  4. <!ATTLIST DP4Mobile serverTime CDATA #IMPLIED>

Example

  1. <?xml version="1.0"encoding="UTF-8"?>

  2. <DP4Mobile retCode="0"message="Operation Successful" >

  3.  <PendingTransactions />

  4. </DP4Mobile >

A confirmation code attribute can be added to the response. It will be displayed by the application along with the message.

Transaction rejection response attributes

Attribute name

Description

//DP4Mobile/@retCode

Required. The return code associated with the transaction rejection request. 0 means success, any other value will cause the message attribute value to be displayed and the transaction data signing process to stop.

//DP4Mobile/@message

Required. The return message associated with the transaction rejection request. This value will be displayed by the app if not empty.

//DP4Mobile/@serverTime

                        Optional. This is the current server GMT time. This value will be used by the app to silently set the drift between device and server time to keep the app synchronized.


Cet article vous a-t-il été utile ?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle