Activation data transfer protection: DSAPP SDK

Regardless of the activation method, the Digipass activation code containing the Digipass key must be securely transferred. To secure the Digipass key communication between the client and the server, it is recommended to use shared data, that is, the Digipass activation password.

The Digipass activation password encrypts (server side) and decrypts (client side) the activation code. Decrypting the Digipass key from the activation code ensures that only the owner of the Digipass activation password is able to obtain the Digipass key.

Integrate the activation password based protection

When an activation password is used, this password must be shared between the server and the user prior to the activation process. This means, the activation data is user-dependent. The full activation data (FAD) or the activation code encrypted by the user’s activation password can only be used by the application run by this specific user.

The activation password is the encryption key of the full activation data or the activation code. It must be transferred to the user via a different secure channel than the one used to exchange the activation data (for instance a sealed letter or a text message).

It is advised to use the same activation password only once but if it must be reused for any reason, it is advised to use a nonce (alea) to diversify the XFAD encryption. The nonce is generated by the device and sent in the first request. OneSpan Authentication Server Framework will use the alea in combination with the activation password to encrypt the FAD into the XFAD.

Even if a nonce is used, the strength of the XFAD encryption is the strength of the activation password. Digipass Software Advanced Provisioning Protocol has been designed to improve the strength of the XFAD encryption.

Digipass Software Advanced Provisioning Protocol SDK

The Digipass Software Advanced Provisioning Protocol (DSAPP) is used to securely transfer the server-side generated Digipass software activation data to the Digipass software client.

The Digipass Software Advanced Provisioning Protocol SDK (DSAPP SDK), i.e. the implementation of the protocol, consists of a server component and a client component. The server component encrypts the activation data before transferring it to the client application. The client component decrypts the activation data.

DSAPP relies on the encryption of the activation data with a 256-bit AES session key negotiated between the DSAPP SDK client component and the DSAPP SDK server component. This session key negotiation uses the Secure Remote Password (SRP) protocol. With this protocol, the secret shared between the server and the client – the user password – is not transmitted through the network.

The user password must be generated by using the DSAPP SDK server component and bound to a unique identifier, i.e. the user identity. The user password must be securely transmitted to the user via a separate channel outside the network. The user will then enter their user password in the mobile client application.

By using the shared user password and exchanging the dynamically generated public keys, the client and the server negotiate a session key that is used to encrypt the activation data.

For more detailed information about the SDK and integration instructions, refer to the DIGIPASS Software Advanced Provisioning Protocol SDK Integration Guide included in the OneSpan Mobile Security Suite product package.