User's Manual

6 Integration
Integrating WebIdentity into an existing project, or adopting it in a new one, involves a sequence of steps that
identify the points in the application on which the work must be focused.
First of all it is necessary to identify the positions inside the application where a check of the connected user's
identity is required, and how such a user may interact with the application. A link between the user and the
WebIdentity token must then be created by entering a reference into the user profile and placing the user
authentication scripts where they are needed.
It is important to choose the Server Secret in an unpredictable way so that it cannot be "guessed" easily. A secure
choice is a random string with a length of at least 52 characters, consisting of upper-case letters, lower-case
letters and digits. This rule provides a key whose information content (in bits) corresponds to the AES 256-bit key
used by WebIdentityDL.
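As an added example (not part of the manual or of the WebIdentity SDK), the following Python helper generates a Server Secret with the alphabet and length the manual prescribes, uses the operating system's CSPRNG rather than a general-purpose random generator, and checks the information content against the 256-bit target; the function names are this example's own.

```python
import math
import secrets
import string

# Alphabet prescribed by the manual: upper-case letters, lower-case letters and digits (62 symbols).
SECRET_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits


def entropy_bits(length: int, alphabet_size: int = len(SECRET_ALPHABET)) -> float:
    """Information content of a uniformly random string of `length` symbols drawn from
    `alphabet_size` symbols. Assumes each symbol is chosen uniformly and independently."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: int, alphabet_size: int = len(SECRET_ALPHABET)) -> int:
    """Smallest string length whose information content reaches `target_bits`
    (256 for an AES 256-bit key)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_server_secret(length: int = 52) -> str:
    """Draw every symbol with the OS CSPRNG (`secrets`); the `random` module is not
    suitable for secrets because its output is predictable from its state."""
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def check_server_secret(secret: str, target_bits: int = 256) -> bool:
    """Acceptance check for a configured secret: only allowed symbols and enough length
    for the target strength. Length cannot prove randomness, so generation must still
    use a CSPRNG as above."""
    if any(ch not in SECRET_ALPHABET for ch in secret):
        return False
    return entropy_bits(len(secret)) >= target_bits


if __name__ == "__main__":
    s = generate_server_secret()
    print(s, round(entropy_bits(len(s)), 1), "bits")          # 52 symbols -> about 309.6 bits
    print("minimum length for 256 bits:", min_length_for_bits(256))  # -> 43
```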
The location where the Server Secret is stored and protected must also be chosen. It is also necessary to choose a
Label that identifies the service and therefore distinguishes it from other services; its value can be the same for
the whole application, or it can take different values within the same application for special needs.
The part of the application that requires the most attention is token initialization (an operation that is necessary
before the token can be used), which should preferably be carried out outside the application logic.
Another important consideration is the possibility of maintaining the user's status across the transaction so that
authentication can be managed at a single service point; this is possible with the session persistence provided by the
application server, as described in the next paragraph.
Lastly, some security-related measures should not be neglected, in particular the possibility of combining the
client strong authentication provided by WebIdentity with the server strong authentication provided by SSL; this
complementary feature is illustrated below.
6.1 Management of user-token association
To associate the token with its user, a new field must be added to the user database: the User-Id of the WebIdentity
token, which is returned during the token initialization phase. In this way each user is associated with the relevant
WebIdentity token for service access.
In addition to the User-Id field, other fields can be added containing policy information (expiry dates,
restrictions, etc.) in order to build more complex user profiles. The Label and the Server Secret can also be stored in
the database to make the application independent of the specific service; in this way the same web service scripts or
programs can be used for several web applications.
Depending on the case, the WebIdentity key-based authentication can also be combined with a further protection,
namely the entry of an alphanumeric string (Password), to obtain two-factor authentication, that is:
1. the first factor is possessing something
2. the second factor is knowing something
Therefore, to access the service it is necessary to possess a hardware token and to know a password. A typical example
is the operation of a Bancomat (cash dispenser): to operate it, one must know the PIN and possess a Bancomat card.
6.2 Token initialization
Key initialization is the starting point of the implementation of a web-based WebIdentity-protected service. Using the
libraries provided with the WebIdentity SDK, the "keys" are initialized by uniquely associating them first with the
protected service and then with each user authorized to use that service. The key initialization phase therefore
associates one WebIdentity key with exactly one service and one user.
For initializing the keys it is necessary to use the WebIdentity server ActiveX after duly initializing it with the following
parameters:
Label – A label used for identifying the token on the USB bus, thereby identifying the service