User's Manual

[Figure: exchange between Server and Client; elements shown are AES-Key Challenge, User-Id, Secret, AES, Hashing and Response]
Figure 5.4 – Procedure for client authentication
The challenge is generated by the server's ActiveX component and is termed the Random Session String. The Random Session
String can depend on the time, on a session id (which all application servers typically make available for identifying the
session) and on a string which, if present, contributes to the generation of the Random Session String. Making the string
depend on time and on external pseudo-random variables stems from the need for unique and non-repeatable transactions:
unique, so that no two transactions are identical; non-repeatable, so that a captured exchange cannot be re-submitted in
an attempt to deceive the server ("replay avoidance").
Note that the Random Session String can be sent in plain text without jeopardizing security in any way.
5.4.1 Example – log-in from a web page
The following example sums up the essential steps for integrating WebIdentity authentication into a web-based
application written in ASP; only the descriptions strictly necessary for understanding the basic operation are reported
here; for a complete example please refer to section Error. Reference source not found.
The first step, taken at the beginning of the transaction after the client's request for a new connection, is the
generation of a challenge string by the server, which includes it in the login page.
1. ASP-VBScript code on the server side needed to generate the Random Session String dependent on time (with "true"
as the first parameter, the time value is used as one of the components of the Random Session String), on the session
id (Session.SessionID being the variable ASP provides for identifying the session) as the second parameter, and on a
randomly chosen string as the third parameter. The Random Session String is also stored in the session variable
Session("SessionString") so that it can be used when checking the client response.
<%
' Server side: WISrv is the WebIdentity server ActiveX object, instantiated beforehand.
' Parameters: use the time (true), the ASP session id, and a randomly chosen string.
Session("SessionString") = WISrv.InitRndSessionString(true, Session.SessionID, "FREE-STRING")
%>
Once the client receives the login page containing the challenge, the user must insert the token and proceed with the
authentication request. The client computes the response by means of the token and sends it to the server. The following
code gives a working example of the computation of the response in client-side JavaScript.