Activation data transfer protection
The Digipass Software Advanced Provisioning Protocol (DSAPP) is used to securely transfer the server-side generated Digipass software activation data to the Digipass software client.
Secret transfer security with shared secret
Regardless of the activation method, the Digipass activation code The Digipass secret key in a decimal or hexadecimal character string format, encrypted with the customer master key in the static vector. It is one of the following: 20 decimal digits for a single-length secret key; the second part of the key is derived from the first part. 40 decimal digits for a double-length secret key. 16 hexadecimal characters for a single-length secret key; the second part of the key is derived from the first part. 32 hexadecimal characters for a double-length secret key. To prevent it from alteration the activation code ends with a checksum on one digit. containing the Digipass key 128-bit secret key used by the Digipass algorithm to generate one-time passwords or e-signatures. The key is provided to the Digipass instance through the activation code. See also Activation code, Digipass instance. must be securely transferred. To secure the Digipass key communication between the client and the server, it is recommended to use shared data, that is, the Digipass activation password Secret data string of up to 64 alphanumeric characters shared between the customer (server) and the user prior to registration; used to protect the transfer of sensitive data during the Digipass activation process. Sometimes also referred to as customer historical secret..
Securely communicating the Digipass key between client and server
The Digipass activation password encrypts (server side) and decrypts (client side) the activation code. Decrypting the Digipass key from the activation code ensures that only the owner of the Digipass activation password is able to obtain the Digipass key.
Integrate the activation password based protection
When an activation password is used, this password must be shared between the server and the user prior to the activation process. This means, the activation data is user-dependent. The full activation data Serves to finalize the activation. The full activation data includes the parameter settings for the OneSpan Digipass SDK activation, the Digipass key, and and the Digipass serial number. It is the concatenation of the static vector, the activation code, and the serial number suffix. If the activation code is encrypted by an activation password and/or a nonce, it becomes encrypted full activation data (XFAD). See also activation code, Digipass SDK, encrypted full activation data, nonce, serial number suffix. (FAD) or the activation code The Digipass secret key in a decimal or hexadecimal character string format, encrypted with the customer master key in the static vector. It is one of the following: 20 decimal digits for a single-length secret key; the second part of the key is derived from the first part. 40 decimal digits for a double-length secret key. 16 hexadecimal characters for a single-length secret key; the second part of the key is derived from the first part. 32 hexadecimal characters for a double-length secret key. To prevent it from alteration the activation code ends with a checksum on one digit. encrypted by the user’s activation password can only be used by the application run by this specific user.
Online activation with an activation password (overview)
The activation password is the encryption key of the full activation data or the activation code. It must be transferred to the user via a different secure channel than the one used to exchange the activation data (for instance a sealed letter or a text message).
It is advised to use the same activation password only once but if it must be reused for any reason, it is advised to use a nonce A 64–hexadecimal-character random number generated by the OneSpan Digipass SDK host platform. It is part of the one-time-activation process and ensures that no other SDK-integrated instance can register with the same data. (alea) to diversify the XFAD Full activation data encrypted with the activation password or a session key. See also activation password, full activation data. encryption. The nonce is generated by the device and sent in the first request. OneSpan Authentication Server Framework will use the alea in combination with the activation password to encrypt the FAD into the XFAD.
Even if a nonce is used, the strength of the XFAD encryption is the strength of the activation password. Digipass Software Advanced Provisioning Protocol has been designed to improve the strength of the XFAD encryption.
Digipass Software Advanced Provisioning Protocol SDK
The Digipass Software Advanced Provisioning Protocol (DSAPP) is used to securely transfer the server-side generated Digipass software activation data to the Digipass software client.
The Digipass Software Advanced Provisioning Protocol SDK (DSAPP SDK), i.e. the implementation of the protocol, consists of a server component and a client component. The server component encrypts the activation data before transferring it to the client application. The client component decrypts the activation data.
DSAPP relies on the encryption of the activation data with a 256-bit AES Symmetric key encryption algorithm. A block cipher with a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. session key negotiated between the DSAPP SDK client component and the DSAPP SDK server component. This session key negotiation uses the Secure Remote Password (SRP) protocol Augmented protocol to exchange keys securely and password-authenticated.. With this protocol, the secret shared between the server and the client – the user password – is not transmitted through the network.
The user password must be generated by using the DSAPP SDK server component and bound to a unique identifier, i.e. the user identity. The user password must be securely transmitted to the user via a separate channel outside the network. The user will then enter their user password in the mobile client application.
User password transmission with DSAPP (overview)
By using the shared user password and exchanging the dynamically generated public keys, the client and the server negotiate a session key that is used to encrypt the activation data.
Activation data transfer protection with DSAPP (overview)
For more detailed information about the SDK and integration instructions, refer to the DIGIPASS Software Advanced Provisioning Protocol SDK Integration Guide included in the OneSpan Mobile Security Suite product package.