User's Manual

5.2.1 Server Secret

The protection model offered by WebIdentity includes the use of one unique secret termed Server Secret (inside the

WebIdentity SDK it is termed Server Password). The Server Secret is used during WebIdentity’s processing for

authentication, cryptography and remote control on the server side; it is also used during the initialization phase relating

the WebIdentity hardware devices. Such a secret makes it possible for the service provider to recognized all and only its

own WebIdentity keys, and consequently the customer who owns them. Practically speaking, the Server Secret is an

alphanumeric string that is chosen in the web service development phase. Il Server Secret is converted into a AES 256

key or DES 2EDE Triplo; an ideal key can be produced by using a string with at least 43 characters, random chosen

among the letters of the English alphabet (lower-case and upper-case) and numbers.

The security of the Server Secret is at the web server developer’s care who must prevent access to non-authorized

persons; for instance, if the Server Secret is stored in the application DB it is advisable to encrypt it. However it is

important to take all the necessary precautions for making access to the application as secure as possible, as security

depends on the Server Secret, which must be accessible on the server service side.

The Server Secret is used as a AES 256 key (3-DES for WebIdentity3P) for generating the secret key of each token.

The input text of the AES computation is the “User-ID” hashing. Therefore each user is assigned a different key, which

guarantees the following security level:

1. by knowing the User-ID it is impossible to calculate the token secret key if the Serve Secret is not known

2. by knowing the User-ID and the token secret key (the latter data being virtually inaccessible as reported above)

it is impossible to trace the Server Secret.