C/C++ API
HSM Dinamo
Standard OATH authentication.
The OATH (Open Authentication) initiative is a collaboration supported by various members of the security industry to develop an open and interoperable strong authentication architecture. This goal is achieved by defining open standards available to all.
The OATH ecosystem is made up of device manufacturers (tokens, chips, smart cards, computers, cell phones, PDAs, tablets), platform manufacturers (web services, identity managers, application servers, identity federation systems), application manufacturers (VPN, CRM, ERP, DRM, e-commerce, roaming, Wi-Fi) and system integrators (ISPs, government agencies, credit card brands, etc.).
The HSM can be used as an OATH seed generator and as an OTP (One Time Password) authenticator. The HSM implementation complies with the standards listed below.
By providing a secure cryptographic boundary, a controlled environment and approved algorithms, the HSM has advantages when adopted as a strong authentication system.
The HSM's OATH module offers three basic services: issuing, authentication and resynchronization.
In the generation and authentication scenarios described below, what changes is where the seed originates and how the application receives it in order to create the blob and deliver it to the user (as a seed or embedded in a physical token). Once the blob has been created, authentication follows the same format in every scenario. In the scenarios below, it does not matter whether the token is HOTP or TOTP.
Scenario I (Token): the seed is generated by the token manufacturer and delivered in PSKC format
  a. Generation
  b. Authentication
Scenario II (Token): the seed is generated by the token manufacturer and delivered in clear text
  a. Generation
  b. Authentication
Scenario III (Soft Token): the seed is generated by the user and received in clear text
  a. Generation
  b. Authentication
Scenario IV (Soft Token): the HSM generates the seed
  a. Generation
  b. Authentication
User authentication in any scenario:
References
Functions
int AAP_API DOATHIssueBlob(HSESSIONCTX hSession, char *szMasterKeyId, DWORD dwParamBlobType, void *pvParamBlob, DWORD dwParamBlobLen, BYTE *pbOTPBlob, DWORD *pdwOTPBlobLen, DWORD dwFlags)
int AAP_API DOATHCheckOTP(HSESSIONCTX hSession, char *szMasterKeyId, char *szOTP, BYTE *pbOATHBlob, DWORD *pdwOATHBlobLen, DWORD dwFlags)
int AAP_API DOATHGetNextOTP(HSESSIONCTX hSession, char *szMasterKeyId, BYTE bOTPLen, BYTE *pbOATHBlob, DWORD dwOATHBlobLen, char *szOTP, DWORD dwFlags)
int AAP_API DOATHGetBlobInfo(const HSESSIONCTX hSession, char *szMasterKey, BYTE *pbInBlob, DWORD dwInBlobLen, DWORD dwOutBlobType, BYTE *pbOutInfo, DWORD *pdwOutInfoLen, DWORD dwParam)
int AAP_API DOATHBlobResync(HSESSIONCTX hSession, char *szMasterKeyId, char *szOTP1, char *szOTP2, BYTE *pbOATHBlob, DWORD *pdwOATHBlobLen, DWORD dwFlags)
int AAP_API DOATHPskcTranslate(HSESSIONCTX hSession, char *szMasterKey, BYTE *pbPSK, BYTE bPSKLen, BYTE *pbPSKC, DWORD dwPSKCLen, void **pvBlobList, DWORD *pdwBlobListQuantity, DWORD dwParam)
int AAP_API DOATHIssueBlob(HSESSIONCTX hSession, char *szMasterKeyId, DWORD dwParamBlobType, void *pvParamBlob, DWORD dwParamBlobLen, BYTE *pbOTPBlob, DWORD *pdwOTPBlobLen, DWORD dwFlags)
#include <dinamo.h>
Generates or imports an OATH blob for use in the HSM.
Parameters:
[in] hSession: Context acquired through the DOpenSession() function.
[in] szMasterKeyId: Name of the master key used to protect the blobs, of maximum size MAX_OBJ_ID_FQN_LEN.
[in] dwParamBlobType: Type of the data passed in pvParamBlob. The values in the following table are accepted.
[in] pvParamBlob: Pointer to the data or structure specified by dwParamBlobType.
[in] dwParamBlobLen: Size of the data or structure specified by dwParamBlobType.
[out] pbOTPBlob: Buffer of at least ISSUE_OATH_OUTPUT_MAX_BLOB_LEN bytes that will receive the generated blob.
[in,out] pdwOTPBlobLen: Size of the buffer pointed to by pbOTPBlob. On input it must contain the size of the pbOTPBlob buffer; on output it will contain the size of the blob written to that buffer.
[in] dwFlags: Reserved for future use (must be 0).
int AAP_API DOATHCheckOTP(HSESSIONCTX hSession, char *szMasterKeyId, char *szOTP, BYTE *pbOATHBlob, DWORD *pdwOATHBlobLen, DWORD dwFlags)
#include <dinamo.h>
Checks an OTP value against a given OATH blob.
Parameters:
[in] hSession: Context acquired through the DOpenSession() function.
[in] szMasterKeyId: Name of the master key used to protect the blobs, of maximum size MAX_OBJ_ID_FQN_LEN.
[in] szOTP: OTP to be checked, of minimum size ISSUE_OATH_MIN_OTP_LEN and maximum size ISSUE_OATH_MAX_OTP_LEN.
[in,out] pbOATHBlob: Pointer to a buffer containing the blob against which the OTP will be checked. This buffer is rewritten with the updated blob.
[in,out] pdwOATHBlobLen: Size of the pbOATHBlob buffer. On input it contains the size of pbOATHBlob; on output it contains the size of the data written to pbOATHBlob.
[in] dwFlags: As of firmware version 4.0.2, the size of the authentication look-ahead window can be set in this parameter. The default is 10 intervals either way (plus or minus). For HOTP tokens the intervals are counted in events; for TOTP tokens they are counted in time-steps. The flag OATH_UPDATE_BLOB can also be passed to allow the format of the OATH blob to be updated. When OATH_UPDATE_BLOB is used, the current OATH blob must be passed in pbOATHBlob in a buffer large enough to hold the updated blob, and pdwOATHBlobLen must contain the size of the buffer passed in pbOATHBlob. The required size of pbOATHBlob is returned in pdwOATHBlobLen by the call that returns the error D_OATH_BLOB_UPDATE. The update only needs to be done after receiving the error D_OATH_BLOB_UPDATE. See Notes for more details.
Note: pdwOATHBlobLen receives the size of the buffer that should be used to update the OATH blob in a later call. See the details under OATH_UPDATE_BLOB.
int AAP_API DOATHGetNextOTP(HSESSIONCTX hSession, char *szMasterKeyId, BYTE bOTPLen, BYTE *pbOATHBlob, DWORD dwOATHBlobLen, char *szOTP, DWORD dwFlags)
#include <dinamo.h>
Generates the next OTP from an OATH blob. The OATH blob is not changed.
Parameters:
[in] hSession: Context acquired through the DOpenSession() function.
[in] szMasterKeyId: Name of the master key used to protect the blobs, of maximum size MAX_OBJ_ID_FQN_LEN.
[in] bOTPLen: Size of the OTP to be generated, a value between ISSUE_OATH_MIN_OTP_LEN and ISSUE_OATH_MAX_OTP_LEN.
[in] pbOATHBlob: Pointer to a buffer containing the blob that will be used to generate the OTP. This buffer is not changed.
[in] dwOATHBlobLen: Size of the pbOATHBlob buffer.
[out] szOTP: Buffer that will receive the generated OTP. It must have a minimum size of bOTPLen + 1 (null terminator).
[in] dwFlags: Reserved for future use (must be 0).
int AAP_API DOATHGetBlobInfo(const HSESSIONCTX hSession, char *szMasterKey, BYTE *pbInBlob, DWORD dwInBlobLen, DWORD dwOutBlobType, BYTE *pbOutInfo, DWORD *pdwOutInfoLen, DWORD dwParam)
#include <dinamo.h>
Retrieves the internal information of an OATH blob.
Parameters:
[in] hSession: Context acquired through the DOpenSession() function.
[in] szMasterKey: Name of the master key used to protect the blobs, of maximum size MAX_OBJ_ID_FQN_LEN.
[in] pbInBlob: Pointer to a buffer containing the blob from which the information is extracted.
[in] dwInBlobLen: Size of the pbInBlob buffer.
[in] dwOutBlobType: Indicates the type of the output data. The values in the following table are accepted.
[out] pbOutInfo: Pointer to a buffer that will receive the information from the blob, in the layout described by dwOutBlobType.
[in,out] pdwOutInfoLen: Size of the buffer pointed to by pbOutInfo.
[in] dwParam: Reserved for future use (must be 0).
int AAP_API DOATHBlobResync(HSESSIONCTX hSession, char *szMasterKeyId, char *szOTP1, char *szOTP2, BYTE *pbOATHBlob, DWORD *pdwOATHBlobLen, DWORD dwFlags)
#include <dinamo.h>
Resynchronizes an OATH blob from two consecutive OTP values. HOTP (event-based OTP) only.
Parameters:
[in] hSession: Context acquired through the DOpenSession() function.
[in] szMasterKeyId: Name of the master key used to protect the blobs, of maximum size MAX_OBJ_ID_FQN_LEN.
[in] szOTP1: First OTP to be checked, of minimum size ISSUE_OATH_MIN_OTP_LEN and maximum size ISSUE_OATH_MAX_OTP_LEN.
[in] szOTP2: Second OTP to be checked, of minimum size ISSUE_OATH_MIN_OTP_LEN and maximum size ISSUE_OATH_MAX_OTP_LEN.
[in,out] pbOATHBlob: Pointer to a buffer containing the blob to be synchronized. This buffer is rewritten with the synchronized blob.
[in,out] pdwOATHBlobLen: Size of the pbOATHBlob buffer. On input it contains the size of pbOATHBlob; on output it contains the size of the data written to pbOATHBlob.
[in] dwFlags: Accepts the flag OATH_UPDATE_BLOB to allow the format of the OATH blob to be updated. When OATH_UPDATE_BLOB is used, the current OATH blob must be passed in pbOATHBlob in a buffer large enough to hold the updated blob, and pdwOATHBlobLen must contain the size of the buffer passed in pbOATHBlob. The required size of pbOATHBlob is returned in pdwOATHBlobLen by the call that returns the error D_OATH_BLOB_UPDATE. The update only needs to be done after receiving the error D_OATH_BLOB_UPDATE. See Notes for more details.
Note: pdwOATHBlobLen receives the size of the buffer that should be used to update the OATH blob in a later call. See the details under OATH_UPDATE_BLOB.
int AAP_API DOATHPskcTranslate(HSESSIONCTX hSession, char *szMasterKey, BYTE *pbPSK, BYTE bPSKLen, BYTE *pbPSKC, DWORD dwPSKCLen, void **pvBlobList, DWORD *pdwBlobListQuantity, DWORD dwParam)
#include <dinamo.h>
Imports seeds enveloped in the PSKC (Portable Symmetric Key Container) standard, RFC 6030.
Parameters:
[in] hSession: Context acquired through the DOpenSession() function.
[in] szMasterKey: Name of the master key used to protect the blobs, of maximum size MAX_OBJ_ID_FQN_LEN.
[in] pbPSK: Buffer of maximum size OATH_MAX_PSK_LEN containing the transport key that protects the seeds carried in pbPSKC.
[in] bPSKLen: Size of the pbPSK buffer.
[in] pbPSKC: PSKC buffer containing the seeds that will be transformed into blobs in the HSM format.
[in] dwPSKCLen: Size of the pbPSKC buffer.
[out] pvBlobList: Pointer to a pointer that will point to an internally allocated buffer containing an array of OATH_PSKC_TRANSLATE_OUTPUT structures. Each structure contains the blob of a seed translated to the HSM format and the identifier of that seed, as given in the "<pskc:Key Id=>" tag.
[out] pdwBlobListQuantity: Pointer to the number of blobs returned in the pvBlobList buffer.
[in] dwParam: Reserved for future use (must be 0).
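To make the look-ahead window of DOATHCheckOTP and the two-OTP resynchronization of DOATHBlobResync concrete, here is an added Python model of the HOTP semantics behind them; it is example code written for this page, not the Dinamo library, and it assumes a plain in-memory dict in place of the master-key-protected blob and the RFC 4226 test seed as constructed input.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the HSM's OATH blob. The HSM keeps this state
# encrypted under the master key; here it is a plain dict for illustration.
def issue_blob(seed: bytes, otp_len: int = 6) -> dict:
    return {"seed": seed, "counter": 0, "otp_len": otp_len}

def hotp(seed: bytes, counter: int, otp_len: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low otp_len decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** otp_len).zfill(otp_len)

def check_otp(blob: dict, otp: str, window: int = 10) -> bool:
    """Model of DOATHCheckOTP for a HOTP blob: the OTP is accepted if it matches
    one of the next `window` counter values (the page's default is 10 intervals).
    Only future counters are tried: accepting an earlier counter would let a
    captured OTP be replayed. On success the counter moves past the matched
    event, which is why the HSM rewrites the blob on every successful check."""
    for step in range(window):
        candidate = blob["counter"] + step
        expected = hotp(blob["seed"], candidate, blob["otp_len"])
        if hmac.compare_digest(expected, otp):
            blob["counter"] = candidate + 1
            return True
    return False

def resync(blob: dict, otp1: str, otp2: str, search: int = 1000) -> bool:
    """Model of DOATHBlobResync: two consecutive OTPs pin down the token's
    counter even when it has drifted beyond the authentication window.
    `search` is an assumed upper bound on the drift, not an HSM parameter."""
    for candidate in range(blob["counter"], blob["counter"] + search):
        if (hotp(blob["seed"], candidate, blob["otp_len"]) == otp1
                and hotp(blob["seed"], candidate + 1, blob["otp_len"]) == otp2):
            blob["counter"] = candidate + 2
            return True
    return False

# Constructed input: the RFC 4226 test seed, whose first OTPs are published.
RFC4226_SEED = b"12345678901234567890"
```

A TOTP blob follows the same pattern with the counter replaced by the time-step, which is why the page counts the window in time-steps for TOTP tokens.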