Secure Offline Transaction Signing using MAS

You have activated an MDL MAS token and now wish to generate OTPs based on some transaction data and defeat man-in-the-middle attacks. This can be done by creating a secure channel message, encode it into a Cronto image (color QR Code) and use the out of the box Secure Transaction functionality to scan the image which will display the contents and signature on the screen.

Creating a client component

Before we start we will have to create a client component. In this tutorial we will use the client name SC-Sig which will use the out of the box IDENTIKEY Signature Validation with Secure Channel policy.

Creating a request message

Once again we'll be using the OAS SDK SOAP Wrappers so ensure that your development env. is configured properly. As usual we will start off by creating a configuration bean and overriding a few default parameters:

ConfigurationBean configurationBean = new ConfigurationBean();

Next we want to define our transaction data that we want to securely transmit to our device:

LinkedHashMap<String, String> transactionData = new LinkedHashMap<String, String>(){{
    put("Name", "Bob");
    put("Iban", "AT12345678910");
    put("Amount", "50.00");

Now we will use the signature bean to create a request message by passing:

  1. userId
  2. domain
  3. DIGIPASS serial number with instance number
  4. an empty request body
  5. transaction title that will be displayed when the message is opened on your phone
  6. the transaction data we defined above
SignatureBean signatureBean = new SignatureBean(configurationBean);
SignatureCommandResponse signatureCommandResponse = signatureBean.genRequest(
    "user", "master", "VDS1000120-2",
    "", "Test transaction", transactionData

This will return a request key and request message. Now we will use the ImageGeneratorSDK to generate a Cronto image (follow the integration guide to see how to add the ImageGeneratorSDK and the UtilitiesSDK to your project - the ImageGeneratorSDK requires the UtilitiesSDK).

BufferedImage cronto = ImageGeneratorSDK.generateDynamicCrontoImage(squareSize, signatureCommandResponse.getResults().getRequestMessage(), true);

If you would like to create a png you can do so as follows:

File file = new File(filePath);
ImageIO.write(cronto, "png", file);

If everything went well you should now have a Cronto image:

Remeber that this Cronto image can only be read by an instance of the license you used to generate, other instances will fail to decrypt the content. Now we can start our MAS application and tap on the Secure Transaction button:

Clicking this button will open the camera and allow you to scan the image, once you have done so the contents that we specified earlier will be displayed on the screen along with a signature that is based on the content:

We see the transaction details and can validate them before submitting the OTP on the server. This process is called Sign What You See.

Now will take this signature along with the request key earlier and submit it to OAS for validation with the following parameters:

  1. domain
  2. user id
  3. signature
  4. request key
SignatureBean signatureBean = new SignatureBean(configurationBean);
SignatureCommandResponse signatureCommandResponse = signatureBean.authSignature(


In this tutorial we:

  1. generated a secure channel message
  2. encoded the secure channel message in a Cronto image
  3. scanned it using our MAS to generate an OTP based on the contents of the secure channel message
  4. submitted the OTP along with the request key to validate against OAS
Show Comments