User's Manual
6 Device
This chapter describes the WebOTP hardware devices.
WebOTP is a hardware device with a USB 2.0 connection which uses the Human Interface Device (HID) standard
for communicating with the PC. The device contains a microprocessor, which is able to carry out authentication
operations by using the AES256 cryptography standard which is the state-of-the-art in terms of security.
6.1 Event-based and time-based
The devices are provided in two versions: with a battery for the time-based version and without a battery for the
event-based version.
The event-based version, which has no battery, is extremely small and has an unlimited lifetime. Its hermetic sealing
also makes it waterproof.
The time-based version uses a battery to keep the time information for several years. The battery life does not depend
on the number of times the device is used; while in operation, the device is powered by the USB connection.
Once the battery is exhausted, the time-based device continues to work like an event-based, no-battery device.
6.2 Serial number
Each device is associated with a serial number printed on a label applied to the device. The serial number is present
both in numerical format and as a bar code, in order to simplify the management of large quantities.
The bar code is encoded according to the Interleaved 2 of 5 standard, with 6 digits and no check digit.
6.3 Authentication information
When supplied, the WebOTP devices are already initialized; they come with a database containing the associated
authentication information.
The database is in Comma Separated Values (CSV) format and contains the serial number of each device associated
with an alphanumeric string of about one hundred characters that carries the authentication information. This string,
termed Blob, must be imported as-is into the user database and provided to the SDK functions that require it.
An example of such a file is the following:
161315,M/4Om9A+g3W6XPPm0ihdmx2CxaGelIaOyCxJhIK7SL…
161316,2lP4Xa96D16WuykZHjIZ2Swtzee69UFMlD1nBtPpzP…
161317,L+9LIPyCGpBsBzYSKQuKFPkbOPK5ETw3QAK1i4OV+E…
161318,0rnbtTxAFjPgP1w9b/MCddOrSFznxsfGczCPDjK+wD…
161319,0W2QCGoSCfU542XT4LfpUrcVX6TBAuWWOAPiDFAdYG…
The confidential information contained in this file, including the generated device-keys, is encrypted with a key named
blob-key [3]. The file can therefore also be transmitted via insecure channels.
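As an added example (not code from this manual or the WebOTP SDK), the following Python snippet shows how an integrator can load the serial,Blob database into a lookup table while keeping each Blob exactly as shipped. The six-digit serial and the base64-style Blob character set are assumptions drawn from sections 6.2 and 6.3, and the sample rows are constructed placeholders, not real authentication material.

```python
import re
from typing import Dict

# Serial numbers are printed as a 6-figure Interleaved 2/5 bar code (section 6.2),
# so a serial is taken here to be exactly six decimal digits (assumption).
SERIAL_RE = re.compile(r"^[0-9]{6}$")
# The Blob is described as alphanumeric, and the sample rows also show '+' and '/',
# so base64-style text without whitespace or commas is accepted (assumption).
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def parse_device_db(text: str) -> Dict[str, str]:
    """Parse the 'serial,Blob' CSV into a serial -> Blob mapping.

    The Blob is opaque, blob-key-encrypted data that must reach the SDK exactly
    as shipped, so it is validated but never trimmed, re-cased or re-encoded.
    """
    devices: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # tolerate blank trailing lines
        fields = line.split(",")
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'serial,Blob', got {len(fields)} fields")
        serial, blob = fields
        if not SERIAL_RE.match(serial):
            raise ValueError(f"line {lineno}: serial {serial!r} is not six digits")
        if not BLOB_RE.match(blob):
            raise ValueError(f"line {lineno}: Blob for {serial} has unexpected characters")
        if serial in devices:
            raise ValueError(f"line {lineno}: duplicate serial {serial}")
        devices[serial] = blob
    return devices


def is_rejected(text: str) -> bool:
    """True when the database text is refused by parse_device_db (used for checks)."""
    try:
        parse_device_db(text)
    except ValueError:
        return True
    return False


# Constructed sample in the layout of section 6.3; the Blobs are placeholders,
# not real WebOTP authentication material.
SAMPLE_DB = (
    "161315,AAAAplaceholderBlobOne+/0123456789abcdefgh==\n"
    "161316,BBBBplaceholderBlobTwo/+9876543210hgfedcba=\n"
)
```

A duplicate serial, a malformed serial, an extra field or stray whitespace around a Blob is refused outright rather than silently repaired, since a Blob altered on import will not be usable by the SDK.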
6.4 Protocols
The devices are configured at production time to support one or more authentication protocols. This configuration
cannot be changed and is preserved for the whole life of the device.
The devices using the WebOTP protocol communicate with the system by simulating the pressing of a special sequence
of keys. The device is recognized as a USB keyboard and treated as such. Two different information encodings are
possible: Invisible and Alpha.
The devices using the WebCHR protocol communicate with the system as proprietary HID devices.
[3] If for security reasons it is not acceptable that the server-key or the device-key become known during the
production phase, non-initialized devices can be provided together with the software needed to set this reserved
information.