User's Manual

5.5 Cryptography
WebIdentity supports web page encryption: individual items of information can be encrypted both from the server to the
client and vice versa. Ad hoc scripts are used on both the server side and the client side. On the server they encrypt
the confidential information to be sent to the client and decrypt the information received; on the client they decrypt
the information received from the server and encrypt the information to be sent. It is therefore at the developer's
discretion to choose which information is confidential and which is not.
WebIdentity encryption and decryption use a symmetric algorithm named Blowfish [SCH96]. Blowfish uses a session key
that is shared between the client and the server; WebIdentity generates it each time it is requested. The session key
is 256 bits long and is generated at run time by both the server and the client.
The client generates the Blowfish symmetric key on board, using the AES 256 key that is stored in the token
(3DES for WebIdentity3P) and the Random Session String generated by the server and received from it. The server
generates the symmetric key from the User-Id provided in the authentication phase, the Server Secret stored by the
server, and the Random Session String generated by the server itself. Figure 5.5 describes the process for computing
the session key on the client side and on the server side. The session key is computed with the following formula:
Blowfish Key = AES ( AES-Key, Random Session String )
The Random Session String can depend on the time and on a session-id (optional but strongly recommended), which
typically all application servers make available for identifying the session; it can also depend on a password
(optional) which, if present, contributes to the generation of the Random Session String. The Random Session String
can be generated anew for each session, or even for each page sent; what matters is that the same value is used to
complete the challenge-response operations. For instance, when the server sends the client data encrypted with a
Random Session String, the client must use that same Random Session String, generated by the server, to decrypt the data.
[Figure 5.5: computation of the session key on the client side and on the server side. Labels in the figure: Client,
Server, AES-Key, Challenge, User-Id, Server Secret, Hashing, AES, Blowfish (Crypt / Decrypt), Input Data, Output Data.]
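The derivation described above and in Figure 5.5, as an added example that is not WebIdentity's own code: each side computes the session key independently, and the two results match only when both use the same Random Session String. Assumptions: HMAC-SHA256 from Python's standard library stands in for both the Hashing step and the AES step, the token key is taken to be a hash of User-Id and Server Secret, and all function names and sample values are constructed.

```python
import hashlib
import hmac
import time

# Assumption: HMAC-SHA256 stands in for the manual's Hashing and AES steps.

def token_key(user_id, server_secret):
    """Server side: recompute a user's 256-bit token key from User-Id and
    Server Secret (assumed form of the 'Hashing' step)."""
    return hmac.new(server_secret, user_id.encode(), hashlib.sha256).digest()

def random_session_string(session_id, password="", now=None):
    """Server side: build the Random Session String from the time, the
    session-id and an optional password, length-prefixing each field."""
    now = time.time() if now is None else now
    h = hashlib.sha256()
    for field in (repr(now), session_id, password):
        raw = field.encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.digest()

def session_key(aes_key, rss):
    """Both sides: Blowfish Key = F(AES-Key, Random Session String), with
    F = HMAC-SHA256 standing in for AES; output is 256 bits."""
    return hmac.new(aes_key, rss, hashlib.sha256).digest()

def demo():
    server_secret = b"constructed-server-secret"   # constructed sample value
    user_id = "alice"                               # constructed sample value
    in_token = token_key(user_id, server_secret)    # provisioned into the token
    rss = random_session_string("sess-01", now=1700000000.0)
    client = session_key(in_token, rss)             # computed on the client
    server = session_key(token_key(user_id, server_secret), rss)
    other_rss = random_session_string("sess-02", now=1700000000.0)
    mismatched = session_key(in_token, other_rss)   # client used the wrong string
    return client, server, mismatched

if __name__ == "__main__":
    client, server, mismatched = demo()
    print("client and server agree:", hmac.compare_digest(client, server))
    print("wrong Random Session String still matches:",
          hmac.compare_digest(mismatched, server))
```

In this model the server stores only the Server Secret and rebuilds each user's key on demand, so no per-user key table is needed on the server.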