Smart card security, how do you authenticate a certificate as not fake?

I am trying to develop an ASP.NET site that reads the ClientCertificate to ensure that a smart card is used to access the website (an attempt to do away with username/password).

The process that is on my mind:

  • The user registers an account, and the C# code records the user's client certificate (publicly available).
  • The user can then log in next time with the same client certificate, and they are now an authenticated user if the hash is valid.
  • I will use the code below to guarantee the authenticity of the certificate. The browser must deal with the private key and ensure that the certificate is NOT tampered with.
  • Based on the combination of Subject + Certificate, the C# code assigns them their role access.

Can the following code be used to verify that a certificate is authentic?

using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Request.ClientCertificate.Certificate is the DER-encoded certificate the browser presented.
X509Certificate x509Cert = new X509Certificate(Request.ClientCertificate.Certificate);
SHA1 sha = new SHA1CryptoServiceProvider();
byte[] hashvalue = sha.ComputeHash(Request.ClientCertificate.Certificate);
byte[] x509Hash = x509Cert.GetCertHash();
// compare x509Hash WITH hashvalue to ensure they are a match. 
// If not, possibly faked certificate, not a real smartcard???

Is this how the SmartCard authentication process should work?

+3
3 answers

If you just need to authenticate users with client certificates, you must do this in IIS. You do not need to add any code to your application:

Specify whether to use client certificates (IIS 7)

That is, unless you need to associate client certificates with database accounts or perform an additional verification step. But even then, for the client certificate authentication itself, I would stick with the IIS settings.


X509Certificate2 x509Cert2 = new X509Certificate2(Page.Request.ClientCertificate.Certificate);


x509Cert2.Subject

IIS. , asp.net , IIS .

+2
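The question's hash comparison and the first answer's "associate certificates with database accounts" case, worked through in code. This is an added example, not code from the question or either answer. It assumes ASP.NET on IIS with client certificates enabled; the class name `SmartCardAuth`, the placeholder CA thumbprint and the in-memory `RegisteredThumbprints` table stand in for your own values and your account store.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Added example; names, thumbprints and the account table are placeholders, not the page's code.
public static class SmartCardAuth
{
    // PLACEHOLDER: SHA-1 thumbprint (hex, no spaces) of the CA that issues your smart-card certificates.
    private const string IssuingCaThumbprint = "REPLACE_WITH_YOUR_ISSUING_CA_THUMBPRINT";

    // Constructed stand-in for the "registered certificates" table: leaf thumbprint -> account.
    private static readonly Dictionary<string, string> RegisteredThumbprints =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "REPLACE_WITH_REGISTERED_USER_THUMBPRINT", "alice" },
        };

    // 1. The check from the question is a tautology: GetCertHash() is the SHA-1 of the very DER
    //    bytes that were just hashed, so the two values agree for any well-formed certificate,
    //    forged or not. It proves the bytes parsed, and nothing about who signed them.
    public static bool QuestionsCheckAlwaysPasses(byte[] derBytes)
    {
        var cert = new X509Certificate2(derBytes);
        byte[] recomputed;
        using (var sha1 = SHA1.Create())
            recomputed = sha1.ComputeHash(derBytes);
        return recomputed.SequenceEqual(cert.GetCertHash());
    }

    // 2. What actually establishes authenticity: the signature chains to a trusted root, nothing
    //    in the chain is revoked or expired, the leaf is valid for client authentication, and the
    //    issuer is the specific CA we enrol smart cards from (not just any CA Windows trusts).
    public static bool ValidateClientCertificate(X509Certificate2 cert, out string failure)
    {
        failure = null;
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2")); // id-kp-clientAuth

        if (!chain.Build(cert))
        {
            failure = string.Join("; ",
                chain.ChainStatus.Select(s => s.Status + ": " + s.StatusInformation.Trim()));
            return false;
        }

        // ChainElements[0] is the leaf; ChainElements[1] is the CA that signed it.
        if (chain.ChainElements.Count < 2 ||
            !string.Equals(chain.ChainElements[1].Certificate.Thumbprint, IssuingCaThumbprint,
                           StringComparison.OrdinalIgnoreCase))
        {
            failure = "certificate was not issued by the expected smart-card CA";
            return false;
        }
        return true;
    }

    // 3. Account mapping: look the *validated* leaf up by thumbprint. The Subject string alone is
    //    not a safe key, since any CA the machine trusts could issue a certificate carrying the same
    //    Subject; the thumbprint identifies one exact certificate.
    public static string AuthenticateRequest(HttpRequest request, out string failure)
    {
        failure = null;
        HttpClientCertificate cc = request.ClientCertificate;
        if (!cc.IsPresent)
        {
            failure = "no client certificate presented";
            return null;
        }
        var cert = new X509Certificate2(cc.Certificate);
        if (!ValidateClientCertificate(cert, out failure))
            return null;

        string account;
        if (!RegisteredThumbprints.TryGetValue(cert.Thumbprint, out account))
        {
            failure = "valid certificate, but not registered to any account";
            return null;
        }
        return account; // role assignment is keyed on the account from here on
    }
}
```

Note that IIS has already verified the TLS handshake (proof of possession of the private key) before the request reaches this code; what the code adds is the trust decision the question's hash comparison cannot make, plus the binding from one specific certificate to one account. Online revocation checking from the web process adds latency, so consider caching or a CRL-based mode if the issuing CA publishes CRLs.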

SSL/TLS.


, . - , CA, . ( - : , : ).

, # . (). clientCertificate, , .


, , PKI Java.

, SSL/TLS . ( .) - , , .


  • , , Certificate Request TLS ( TLS 1.1).
  • Set up the SSL/TLS stack to trust any certificate (once again, when you do this, remember to implement your own verification system in your application, otherwise something will really work).

In .Net, while it should be possible to access the second point using the remote certificate verification callback, I never found a way to change the first point (this was also asked in this question).

In Java, JSSE X509TrustManager allows you to get around both points.

+1
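The second point of this answer, the .NET remote-certificate validation callback used to take the trust decision away from the TLS stack and into the application, as an added example that is not part of the answer. It assumes a raw SslStream server (not IIS) and a private CA whose root is not in the Windows certificate store; `PrivateCaTlsServer`, `serverCert` and `privateCaRoot` are names chosen here, and the caller supplies the two certificates.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example; assumes a private CA outside the machine store and an SslStream-based server.
public static class PrivateCaTlsServer
{
    // Our own verdict on a client chain: it must build with our CA supplied as an extra trust anchor,
    // and it must actually terminate at that CA. This is the "verify it yourself in the application"
    // half of the answer's second point.
    public static bool ChainsToPrivateCa(X509Certificate2 leaf, X509Certificate2 privateCaRoot, out string reason)
    {
        reason = null;
        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(privateCaRoot);
        // The root is unknown to Windows, so let the engine continue past that one condition...
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private CA: plug in your own CRL check
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2")); // id-kp-clientAuth

        chain.Build(leaf);

        // ...but treat every other status (expired, bad signature, wrong usage, partial chain) as fatal.
        var fatal = chain.ChainStatus
            .Where(s => s.Status != X509ChainStatusFlags.UntrustedRoot)
            .ToArray();
        if (fatal.Length > 0)
        {
            reason = string.Join("; ", fatal.Select(s => s.Status.ToString()));
            return false;
        }

        // Replace the trust decision we just suppressed with our own: the chain must end at OUR root,
        // not merely at some self-signed certificate the client happened to include.
        if (chain.ChainElements.Count == 0)
        {
            reason = "no chain could be built";
            return false;
        }
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, privateCaRoot.Thumbprint, StringComparison.OrdinalIgnoreCase))
        {
            reason = "client chain does not terminate at the private CA";
            return false;
        }
        return true;
    }

    // Wire that verdict into SslStream through the remote-certificate validation callback the answer
    // refers to. Whatever sslPolicyErrors the stack reports, the callback's return value decides;
    // returning false aborts the handshake.
    public static SslStream AcceptClient(TcpClient client, X509Certificate2 serverCert, X509Certificate2 privateCaRoot)
    {
        RemoteCertificateValidationCallback verify = (sender, certificate, chain, sslPolicyErrors) =>
        {
            if (certificate == null)
                return false; // clientCertificateRequired below should already prevent this
            string reason;
            return ChainsToPrivateCa(new X509Certificate2(certificate), privateCaRoot, out reason);
        };

        var ssl = new SslStream(client.GetStream(), false, verify);
        ssl.AuthenticateAsServer(serverCert,
            clientCertificateRequired: true,
            enabledSslProtocols: SslProtocols.Tls12,
            checkCertificateRevocation: false); // revocation is the application's job in ChainsToPrivateCa
        return ssl;
    }
}
```

This only addresses the answer's second point. The list of CA names the stack puts in the TLS Certificate Request message is still whatever SslStream sends; as the answer says, that first point is not something the callback can change.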
