User's Manual

39
Server Secret¹ – Secret of the server for security control
User Data – Identifying data of the user; for instance name, surname, etc.
As described in figure 5.2, the Label, the Server Secret and the User Data are used for computing and initializing the
WebIdentity token. The Label is inserted and used for identifying the token; the Server Secret is the secret of the server
and, jointly with the User-Id, contributes to the creation of the symmetric key, which is the secret part of the token; the
User Data is the data of the user and, jointly with the Token Serial Number, contributes to the creation of the User-Id.
The resulting data is written to the write-only memory of the WebIdentity key.
Special attention must be given to the application used for token initialization: during the generation phase the server
side ActiveX must be used together with the Server Secret, and if this is done over an insecure channel the Server Secret
is exposed, which seriously jeopardizes the security of the whole application.
Unlike authentication and encryption, initialization only requires using the Server ActiveX after it has been
initialized with the Server Secret.
The ideal implementation is a standalone application expressly designed to ensure the security and confidentiality of
the Server Secret. If a web-based application is used instead, measures must be taken to protect the Server Secret: for
confidentiality, HTTPS or WebIdentity encryption can be used; for authentication, a client SSL3 certificate or a
WebIdentity certificate can be used.
6.2.1 Example – token initialization
This example illustrates the sequence of operations needed to write a procedure for WebIdentity token
initialization. The example is written in HTML with JavaScript, so it can be executed in a browser (Internet
Explorer). The WebIdentity server ActiveX is downloaded and automatically initialized by the browser. The HTML page
asks for the Server Secret, the Label and the User Data required for initialization.
¹ Also called Server Password.
<html>
<head>
<title>Token Initialize</title>
</head>
<body>
<object classid="clsid:A811A602-4655-11D3-A75A-00A0245382DE" id="WIDrvSrv"
codebase="software/WISrv.cab#version=4,0,0,0" VIEWASTEXT>
</object>
<script language="JavaScript">
<!--
function InitToken()
{
WIDrvSrv.Label = window.TxtLabel.value;
WIDrvSrv.Password = window.TxtPwd.value;
// Initialize Token
window.TxtUserId.value = WIDrvSrv.InitDongle( window.TxtUser.value );
}
//-->
</script>
<p>Server Secret</p>
<input id=TxtPwd name=TxtPwd size=24 value=""><br>