Rainer,

    You write,
        "...Second, I think, that without client-certificates
man-in-the-middle attacks are possible, using tools like dsniff."

and this is not correct. As long as the client does proper checking of the
server certificate AND you use SSLv3 or higher, you are not vulnerable to
MITM attacks.

    I think I understand what you are trying to do but are you writing your
own, custom, client software, or are you using MS IE? If the latter, I don't
know how hard it would be to implement what you want, but another resource
you might want to query is the MS Crypto API mailing list archives
(http://discuss.microsoft.com/archives/cryptoapi.html). You might search on
CRYPT_MACHINE_KEYSET to get some posts on similar sorts of issues.

_____________________________________
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_____________________________________



----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 09, 2001 10:56 AM
Subject: RE: Client certificates: Key store per workstation, not per user?


> My project is an inter-government project over the internet, with 2400
> independent organizations in the first phase. Authentication is an important
> issue. We agreed that smart cards would be a good solution, but they are beyond
> the timescale of the project, because we cannot implement that for 10000+
> users within 6 months. Besides, there is a country-wide project going on
> that targets this issue with a 2-year timeframe.
>
> UserID and password over SSL are considered as insufficient. First, because
> it is difficult that passwords are kept secret properly in this environment.
> AFAIK, this is still the security threat #1. Second, I think, that without
> client-certificates man-in-the-middle attacks are possible, using tools like
> dsniff.
>
> Hence, lacking smart cards, an authentication scheme using userid/pw plus
> client certificates was devised. An administrator can only download and
> install a certificate, a user can only access the application using the
> userid. Well, the user could export the certificate and post it on a public
> server, but that is definitely a different thing than just writing down the
> password on the back of the mousepad.
>
> The authentication service will check the relationship between certificate
> and userid. Ideally a user should be able to work from any PC certified for
> her organization, but nowhere else. In this sense, we do not use personal
> certificates, but 'organizational' certificates, as a user may use any
> certificate within the organization. We cannot rely on all organizations
> having roaming profiles, where all users would have access to the
> certificate without depending on the location.
>
> The question is the CertStore. To reduce the administrative burden, only one
> certificate per workstation would suffice. Kind of
> "c:\windows\profiles\all users\keystorefile".
>
> I would like to hear your opinion
> Rainer
>
> -----Original Message-----
> From: bruce cartland [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 9 March 2001 14:50
> To: [EMAIL PROTECTED]
> Subject: Re: Client certificates: Key store per workstation, not per
> user?
>
>
> I thought Kerberos was symmetric?
>
> I'd like to hear more on the requirement(s)? Identify workstations for
> audit? Identify users? Not use clear text?
>
> I'd love to hear opinion but client side certs for workstations sounds a bit
> strange. The workstation would have to store the keystore/cert unlock code
> somewhere. If you just want to identify the workstation (for audit
> presumably) the server can tell the IP address (can be spoofed though).
> Perhaps it would be better if the server picked up the MAC address of the
> workstation? (haven't found a good way of doing that without running some
> kind of service on the workstation the server can talk back to - which can
> run into problems with routers/proxies/NATs between the server & client).
>
> User identity + encryption can be done just using userid/pwd + server SSL.
>
> What about using smartcards & client side certs for mobile users?
>
> I've been told of a nice (commercial) implementation which extends IE or
> netscape where the server can initiate a client cert request over http/s.
> The browser prompts the user to select the keystore/cert, etc. These may be
> stored on a smartcard. I'm hoping to get a demo soon. I'll be very
> interested to hear about alternatives.
>
> regards
> bc
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 09, 2001 11:48 PM
> Subject: RE: Client certificates: Key store per workstation, not per user?
>
>
> > Does it work in a browser-only environment? Would communicator support it?
> >
> > Rainer
> >
> > -----Original Message-----
> > From: Jean-Marc Desperrier [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 9 March 2001 13:31
> > To: [EMAIL PROTECTED]
> > Subject: Re: Client certificates: Key store per workstation, not per
> > user?
> >
> >
> > [EMAIL PROTECTED] wrote:
> >
> > > I would like to use SSL with client certificates, but assign them to
> > > workstations instead of users.
> >
> > I think you should watch what can be done with kerberos for this kind of
> > feature.
> >
> > > Does someone know, if there is a way to install a certificate on Win NT/2K,
> > > that is shared by all users of a workstation?
> >
> > 2K supports Kerberos, with certificate I believe
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> >
> >
>
