Unfortunately, in the real world, password best practices are rarely enforced. There are also cases when, in spite of strong password policies, password authentication systems can still fall to a skilled and persistent attacker.
Passwords can be compromised through brute force attacks or a variety of social engineering techniques. One way to strengthen user authentication on your server is to augment password authentication with another form of authentication. You see, authentication can be implemented in different ways or factors:. When you combine two factors of authentication something the user knows AND something the user has , the result is 2-factor authentication.
You can also combine more factors and come up with a multi-factor authentication. Combining two or more factors of authentication makes it significantly more difficult for an attacker to succeed. That's what happens when you augment password authentication with client certificate based authentication. If an impostor manages to acquire a user's username and password, he would still have to overcome another challenge — getting hold of something that's supposed to be in the possession of that user.
That is the client certificate. Using both makes it exponentially more difficult? A client digital certificate or client certificate is basically a file, usually protected with a password and loaded onto a client application usually as PKCS12 files with the. At the start of a SSL or TLS session, the server if configured to do so may require the client application to submit a client certificate for authentication.
If it finds the server and its certificate are legitimate entities, it goes ahead and establishes a connection. Sounds unheard of? In client authentication, a server website makes a client generate a keypair for authentication purpose. The private key, the heart of an SSL certificate , is kept with the client instead of the server. The server confirms the authenticity of the private key and then paves the way for secure communication.
The typical application of client authentication is where one wants to restrict the access to authenticated users. This is very helpful against attacks emitting from outside sources.
As only the client is in possession of the private key, the need of the password can be eliminated. If you want best results, using both together can give you top-notch security that is extremely hard to crack in. Another splendid use of client authentication can be done in IoT devices. In a massive IoT infrastructure, you can issue one certificate for each device to eradicate the possibility of unauthorized access. In a client handshake, after the client hello and server hello messages, the server requires the client to present itself with a certificate.
Instead of requiring a user to send passwords across the network throughout the day, single sign-on requires the user to enter the private-key database password just once, without sending it across the network. Existing authorization mechanisms based on the authenticated user identity are not affected. In Figure 2—2 , certificate-based authentication is set in the following steps. The client software maintains a database of the private keys that correspond to the public keys published in any certificates issued for that client.
The client asks for the password to this database the first time the client needs to access it during a given session—for example, the first time the user attempts to access an SSL-enabled server that requires certificate-based client authentication. The digital signature can be created only with that private key and can be validated with the corresponding public key against the signed data, which is unique to the SSL session. The server then continues to evaluate whether the identified user is permitted to access the requested resource.
This evaluation process can employ a variety of standard authorization mechanisms, potentially using additional information in an LDAP directory, company databases, and so on. If the result of the evaluation is positive, the server allows the client to access the requested resource. A certificate is an electronic document that identifies an individual, a server, a company, or some other entity.
A certificate also associates that identity with a public key. Certificate authorities, CAs, validate identities and issue certificates. CAs can be independent third parties or organizations that run their own certificate-issuing server software.
The methods used to validate an identity vary depending on the policies of a given CA. In general, before issuing a certificate, the CA must use its published verification procedures for that type of certificate to ensure that an entity requesting a certificate is in fact who it claims to be. A certificate issued by a CA binds a particular public key to the name of the entity the certificate identifies, such as the name of an employee or a server.
Certificates help prevent the use of fake public keys for impersonation. Only the public key certified by the certificate works with the corresponding private key possessed by the entity identified by the certificate.
In addition to a public key, a certificate always includes the name of the entity it identifies, an expiration date, the name of the CA that issued the certificate, a serial number, and other information. Most importantly, a certificate always includes the digital signature of the issuing CA.
Any client or server software that supports certificates maintains a collection of trusted CA certificates. These CA certificates determine which other certificates the software can validate, in other words, which issuers of certificates the software can trust. In the simplest case, the software can validate only certificates issued by one of the CAs for which it has a certificate. In large organizations, it may be appropriate to delegate the responsibility for issuing certificates to several different certificate authorities.
For example, the number of certificates required may be too large for a single CA to maintain; different organizational units may have different policy requirements; or it may be important for a CA to be physically located in the same geographic area as the people to whom it is issuing certificates.
The X. In this model, the root CA is at the top of the hierarchy. That is, the certificate is digitally signed by the same entity, the root CA, that the certificate identifies. Organizations have a great deal of flexibility in terms of the way they set up their CA hierarchies.
Figure 2—3 shows just one example; many other arrangements are possible. CA hierarchies are reflected in certificate chains. A certificate chain is a series of certificates issued by successive CAs. Figure 2—4 shows a certificate chain leading from a certificate that identifies some entity through two subordinate CA certificates to the CA certificate for the root CA based on the CA hierarchy shown in the following figure.
A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy. In a certificate chain, the following occur:. More from the IDG Network. Chapter 4: Code Signing. Silberfuchs CC0.
0コメント