Glossary
A
AE
ActivID Event-Based: a proprietary One-Time Password algorithm built on the Triple Data Encryption Standard (3DES), with the event counter as its moving variable.
API
Application Programming Interface.
Asynchronous authentication
The process in which a device generates a One-Time Password from two (2) variables: a challenge (sent by the server to the end user and entered into the device) and a secret Triple DES key. The One-Time Password is the response to the challenge.
AT
ActivID Time-Based: a proprietary One-Time Password algorithm built on the Triple Data Encryption Standard (3DES), with the time as its moving variable.
Authentication code
See user authentication code, server authentication code, and message authentication code. See also One-Time Password.
C
Certificate
See message authentication code.
Challenge
A random number generated by the ActivKernel API to authenticate a user in asynchronous (challenge/response) mode.
Challenge/response authentication
See asynchronous authentication.
D
Data certification
See message authentication.
Data Encryption Standard (DES)
The solution uses the Triple Data Encryption Standard (3DES) for authentication calculations. The ActivKernel generates Triple DES keys in accordance with the ANSI X9.17 standard.
Device
The security hardware held by an end user, typically a hardware token, used to authenticate that user. Devices are protected by a PIN.
Device unlocking
Devices lock automatically when incorrect PIN values are entered; the services of a locked device are unavailable. To use a locked device again, the user must unlock it and define a new PIN.
Device resynchronization
When a device is used for synchronous authentication, its time clock and event counter enter the authentication calculation. The authentication server (built with the Authentication SDK) tracks the clock and counter values of each device as they are used.
When several One-Time Passwords are generated on the device but never sent to the server, the device and the server fall out of sync. The Device Initialization Tool (ActivKernel API) can resynchronize the clock and counter values automatically within a search window (see standard synchronous range and extended synchronous range). If the drift exceeds that window, the user must resynchronize the device manually.
Dual Mode
Profile mode in which either the Synchronous or the Challenge/Response user authentication mode can be chosen for One-Time Password (OTP) generation, according to your organization's security policy. Only available with the Mode V2 menu.
Dynamic password
See One-Time Password.
E
Extended synchronous range
The search window for the synchronization parameters used by the acKEAutoSynchronizeCounterTime() function; it is wider than the standard synchronous range.
M
Message authentication
The operation in which a device user guarantees the integrity of a message sent to a server built with the Device Initialization Tool. To authenticate a message:
- The user generates a One-Time Password over specific data that he or she has entered into the device (for example, the amount and account number of a financial transaction).
- The user sends the data and the associated One-Time Password to the server or application.
- The server validates that the OTP is consistent with the data it received (for example, the amount and account number), which proves that the data was not altered in transit.
Message authentication code
A One-Time Password generated by a device and used for message authentication. In the context of the Device Initialization Tool, a message authentication code is also referred to as a certificate. The word certificate here does not refer to X.509 certificates or Public Key Infrastructure.
Mode V2
Profile mode where the user authentication experience is:
- End user enters their PIN code (if this option has been enabled).
- End user generates an OTP using either Synchronous or Challenge/Response mode. This allows access to the additional features in the following step.
- End user can access the menu to execute optional tasks, including data signature or host verification.
Mode V3
Profile mode that allows accessing additional applications (using keys 1, 2 and 3) without needing to generate an OTP first (Mode V2). Access to each application can be configured to require the PIN first.
O
OE
OATH Event-Based: the standard HMAC-based One-Time Password (HOTP) algorithm defined in RFC 4226, with the event counter as its moving variable.
One-Time Password
A password generated by a device and used to authenticate a user, a server, or a message. It can be used only once.
OT
OATH Time-Based: the standard Time-based One-Time Password (TOTP) algorithm defined in RFC 6238, with the time as its moving variable.
P
Personal Identification Number (PIN)
The Personal Identification Number (PIN) code used to access a device’s services.
Devices can only be used after a correct PIN is entered.
R
Response
One-Time Password generated in response to a challenge. See asynchronous authentication.
S
Server authentication
Server authentication is the operation in which a device user validates the identity of the server or application (built with the Device Initialization Tool) with which he or she is establishing a transaction. The server authentication process is:
- The server generates a One-Time Password (OTP) and sends it to the user.
- The user enters the OTP into the device, which displays whether the authentication succeeded, proving the identity of the server.
Server authentication code
One-Time Password returned by the ActivKernel API to the end-user in response to a server authentication challenge generated by the device.
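The asynchronous (challenge/response) user authentication defined under "Asynchronous authentication" and the server authentication defined just above are mirror images of one another: in the first the server challenges the device, in the second the device challenges the server. The following is an added example, not the ActivID SDK's own code, showing both exchanges end to end. It assumes an HMAC-SHA256 stand-in for the proprietary Triple DES response function, invented class and method names (Device, Server, response, run_exchanges), and a role label mixed into the response so that a server authentication code can never be replayed to the server as a user response.

```python
# Added example (not the ActivID SDK's own code): the two challenge/response
# exchanges this glossary describes, user authentication (server challenges
# the device) and server authentication (device challenges the server).
# The response function is a stand-in HMAC-SHA256 PRF, not the proprietary
# Triple DES algorithm the devices actually use.
import hashlib
import hmac
import secrets

DIGITS = 8


def response(key: bytes, role: bytes, challenge: str) -> str:
    """Response to a challenge. `role` is a domain separator: a server
    authentication code (role b"server") is never a valid user response
    (role b"user") for the same challenge, so an endpoint that hands out
    server authentication codes cannot be used as an oracle for user
    responses."""
    mac = hmac.new(key, role + b"|" + challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


def random_challenge() -> str:
    return f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"


class Device:
    """Hardware token holding one shared key (here: raw bytes)."""
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = None         # challenge the device issued to the server

    def respond(self, challenge: str) -> str:
        return response(self.key, b"user", challenge)

    def challenge_server(self) -> str:
        self.outstanding = random_challenge()
        return self.outstanding

    def verify_server(self, code: str) -> bool:
        challenge, self.outstanding = self.outstanding, None   # single use
        return challenge is not None and hmac.compare_digest(
            response(self.key, b"server", challenge), code)


class Server:
    """Authentication server: one device key and at most one outstanding
    user-authentication challenge per user."""
    def __init__(self):
        self.keys = {}
        self.pending = {}

    def enroll(self, user: str, key: bytes):
        self.keys[user] = key

    def issue_challenge(self, user: str) -> str:
        self.pending[user] = random_challenge()
        return self.pending[user]

    def check_response(self, user: str, code: str) -> bool:
        # The challenge is consumed whether or not the response matches, so
        # a code cannot be replayed and a wrong guess cannot be retried
        # against the same challenge.
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        return hmac.compare_digest(response(self.keys[user], b"user", challenge), code)

    def server_authentication_code(self, user: str, device_challenge: str) -> str:
        return response(self.keys[user], b"server", device_challenge)


def run_exchanges() -> dict:
    """Run both exchanges plus a replay and a reflection attempt."""
    key = secrets.token_bytes(16)
    device, server = Device(key), Server()
    server.enroll("alice", key)

    # User authentication: server challenge -> device -> response -> server.
    ch = server.issue_challenge("alice")
    resp = device.respond(ch)
    user_ok = server.check_response("alice", resp)
    replay_rejected = not server.check_response("alice", resp)

    # Server authentication: device challenge -> server -> code -> device.
    dch = device.challenge_server()
    server_ok = device.verify_server(server.server_authentication_code("alice", dch))

    # Reflection attempt: feed the server's own user-auth challenge back to
    # it as a "device challenge" and submit the resulting server
    # authentication code as the user's response.
    ch2 = server.issue_challenge("alice")
    reflected = server.server_authentication_code("alice", ch2)
    reflection_rejected = not server.check_response("alice", reflected)

    return {"user_auth": user_ok, "replay_rejected": replay_rejected,
            "server_auth": server_ok, "reflection_rejected": reflection_rejected}
```

The reflection case is the point of the role label: because both directions use the same device key, a server that answers arbitrary device challenges is a response oracle unless the two response types are computed differently. Whether the real ActivKernel API separates them this way is not stated on this page; a deployment should confirm it rather than assume it.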
Software PIN
The Mini Token device does not require the end user to enter a PIN to obtain an OTP. Instead, a software PIN can be configured: the end user must then enter the PIN code together with the OTP on the PC in order to be authenticated.
Specific device offset
The difference between the authentication server's system clock and the device's internal clock. This offset must be stored and passed in each synchronous function call so that the function can account for any drift of the device's clock.
Specific Device Offset = Server Time - Device Time
Standard synchronous range
For synchronous authentication, devices use both an authentication counter and a clock as variables (in addition to the cryptographic key). The authentication counter is incremented by one (1) for each One-Time Password generated. The device clock is typically incremented by one (1) every two (2) minutes (this can be customized in the token profile). An authentication falls in the standard synchronous range if both of the following hold:
- The device authentication counter is equal to, or up to 9 greater than, the counter value stored on the server for that device.
- The device clock is within the [-5, +4] range relative to the server clock.
The standard synchronous range is used by the acKESyncAuthCheckCode() function. If the device's synchronous parameters and the parameters stored in the database for that device fall within this range, the function succeeds and the end user is granted access to the secured application/system.
Synchronous authentication
Process in which a device generates a One-Time Password from three (3) variables: a time clock, an event counter (incremented for each authentication), and a secret Triple DES key (derived for each authentication). In synchronous authentication the One-Time Password is valid only once and is accepted by the server only within a specific time window, so it cannot be replayed.
Synchronous parameters
The synchronous parameters are:
- Authentication (or certification) event counter
- Device time
- Derived authentication (or certification) DES key
These parameters are used for all the synchronization functions, both authentication and certification.
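The entries for message authentication, device resynchronization, specific device offset, standard and extended synchronous range, synchronous authentication and synchronous parameters all describe one server-side procedure: search a bounded window of (counter, clock) pairs around the stored synchronous parameters, and on a match move the stored state forward. The following is an added example, not the ActivID SDK's own code, that implements that window with the constants given on this page (counter equal to or up to 9 ahead, clock within [-5, +4] ticks, one tick every two minutes, offset = server time - device time). It assumes an HMAC-SHA256 stand-in for the proprietary 3DES calculation, omits the per-authentication key derivation, and uses invented names (otp, DeviceRecord, verify_sync); the extended range is modelled simply as the same search with wider bounds.

```python
# Added example (not the ActivID SDK's own code): a server-side synchronous
# OTP check implementing the standard synchronous range from this glossary,
# resynchronizing the stored counter and specific device offset on success,
# and covering message authentication by mixing transaction data into the
# code. The OTP itself is a stand-in HMAC-SHA256 PRF; the real devices'
# per-authentication 3DES key derivation is left out.
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TICK_SECONDS = 120                     # device clock advances one tick every 2 minutes
STANDARD_COUNTER_AHEAD = 9             # counter may be 0..9 ahead of the stored value
STANDARD_CLOCK_WINDOW = range(-5, 5)   # clock delta -5 .. +4 inclusive
DIGITS = 8


def otp(key: bytes, counter: int, clock: int, data: bytes = b"") -> str:
    """What the device computes. `data` is empty for user authentication
    and carries the signed transaction fields for message authentication
    (the glossary's "certificate")."""
    mac = hmac.new(key, struct.pack(">QQ", counter, clock) + data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


@dataclass
class DeviceRecord:
    """Synchronous parameters the server stores per device."""
    key: bytes
    next_counter: int     # smallest counter value the server will still accept
    offset_ticks: int     # specific device offset = server clock - device clock, in ticks


def expected_device_clock(rec: DeviceRecord, server_time: int) -> int:
    """Device clock the server expects right now, after applying the offset."""
    return server_time // TICK_SECONDS - rec.offset_ticks


def verify_sync(rec: DeviceRecord, code: str, server_time: int, data: bytes = b"",
                counter_ahead: int = STANDARD_COUNTER_AHEAD,
                clock_window: range = STANDARD_CLOCK_WINDOW) -> Optional[Tuple[int, int]]:
    """Search the (counter, clock) window for a match. On success advance
    next_counter past the match, so the same code is never accepted twice,
    and refresh the offset from the matched clock (resynchronization).
    Wider counter_ahead/clock_window values give the extended range.
    Returns the matched (counter, clock) or None."""
    base_clock = expected_device_clock(rec, server_time)
    for counter in range(rec.next_counter, rec.next_counter + counter_ahead + 1):
        for delta in clock_window:
            clock = base_clock + delta
            if hmac.compare_digest(otp(rec.key, counter, clock, data), code):
                rec.next_counter = counter + 1
                rec.offset_ticks = server_time // TICK_SECONDS - clock
                return counter, clock
    return None


if __name__ == "__main__":
    # Constructed scenario: the device skipped three codes and runs two
    # ticks fast; both are absorbed by the standard range.
    key = b"\x01" * 16
    rec = DeviceRecord(key, next_counter=0, offset_ticks=0)
    now = 1_000_000
    code = otp(key, 3, now // TICK_SECONDS + 2)
    print(verify_sync(rec, code, now), rec)           # match at counter 3, offset becomes -2
    print(verify_sync(rec, code, now))                # replay: None
```

Two practitioner points follow from the code. First, "equal to" in the standard range only stays replay-safe if the stored value is the next counter the server will accept, not the last one it saw; the record above stores it that way. Second, the window is a trade-off: the extended range makes automatic resynchronization more forgiving but gives an attacker proportionally more (counter, clock) pairs for which a guessed code would be accepted, which is why the page reserves it for the dedicated resynchronization function rather than the ordinary check.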
U
User authentication
User authentication is the operation by which a device user authenticates to a server built with the Authentication SDK:
- The user authenticates to the server (or application) by providing a One-Time Password (OTP) generated by his or her device.
- The server validates that this OTP comes from the device assigned to the claimed user, which proves the identity of the connected user.
User authentication code
One-Time Password generated by a device. Used for user authentication.