SSL Client Authentication

Discussion in 'ASP .Net' started by wrytat, Apr 2, 2005.

  1. I'm not sure if I'm posting in the correct place. I posted it somewhere else,
    but someone told me to post it at another place.

    Anyway, some background first. I am currently building a web application for
    my company. This application is going to be hosted with an ISP on a shared
    server. And my company doesn't have a static IP.

    I want to make part of my web application such that only my company's
    computers can access it (something like an 'intranet'). Since we don't have a
    static IP, maybe we can save a file on my company's computer, so when a user
    accesses this part, the server will locate this file on the client's computer
    and so on.

    I've read up about SSL, and about configuring a web application to require
    client certificates. So this is how I understand it. Please correct me if I'm wrong.

    1. Firstly, I need to go to a certificate authority's web site to apply for
    the certificates. The authority will request a CSR file. So, if I'm putting
    my web application on an ISP's web server, my ISP will have to generate the
    CSR file for me?

    2. I'll receive my server certificate from the authority. My ISP will have
    to install the certificate on the web server I'm putting the web application
    on.

    3. My ISP will also have to configure the IIS settings of the folder where I
    put the part of my application that I want to restrict access to, so that client
    certificate authentication is enabled.

    4. I've to install the client certificate on my company's computer's web
    browser.

    Thus far, please tell me if any step is wrong.

    What I don't understand is the last step: Installing the client certificate.

    Will I get a client certificate from the certificate authority? Where
    can I get it? Is this client certificate unique? If not, if
    someone else's computer also has this client certificate installed, won't he
    be able to get through? So client certificate authentication
    won't help solve my problem?

    Sorry for making this so long. Please kindly advise. Thank you.
     
    wrytat, Apr 2, 2005
    #1

  2. "wrytat" <> wrote in message
    news:...
    <snip>
    > 1. Firstly, I need to go to a certificate authority's web site to apply for
    > the certificates. The authority will request a CSR file. So, if I'm putting
    > my web application on an ISP's web server, my ISP will have to generate the
    > CSR file for me?


    No, you can generate the CSR yourself using a different machine. In fact,
    this would be the generally preferred approach since it will give you better
    control of the private key and ensure that you can take the certificate with
    you if you change ISPs. However, before choosing any given approach, you
    should check with your current ISP to see what approach(es) they are willing
    to support.



    > 2. I'll receive my server certificate from the authority. My ISP will have
    > to install the certificate on the web server I'm putting the web application
    > on.


    Yes. However, unless you are actively involved in this installation, your
    ISP will gain access to the private key. Depending on your ISP and service
    plan, you may or may not have the option to participate so as to minimize
    the exposure of your private key.

    There may also be additional considerations related to your site's hosting.
    Depending on how your ISP deals with SSL for shared hosting sites,
    introduction of SSL for your site may require bumping up to a more expensive
    hosting plan. Obviously, you should discuss this with the ISP before making
    any final decisions regarding your approach.



    > 3. My ISP will also have to configure the IIS settings of the folder where I
    > put the part of my application that I want to restrict access to, so that
    > client certificate authentication is enabled.


    Yes.


    > 4. I've to install the client certificate on my company's computer's web
    > browser.


    For a single client machine, this would be the simplest approach.


    > Thus far, please tell me if any step is wrong.
    >
    > What I don't understand is the last step: Installing the client
    > certificate.
    >
    > Will I get a client certificate from the certificate authority?
    > Where can I get it?


    Some commercial CAs do offer this service. Your ISP is also another
    potential source.


    > Is this client certificate unique?


    It is at the time of issuing. If you don't keep it safe from sharing after
    it's issued, it won't be.

    > If not, if someone else's computer also has this client certificate
    > installed, won't he be able to get through?


    Yup.


    > So client certificate authentication won't help solve my problem?


    Given the potential complexity of implementing an approach based on client
    certificates in a shared hosting scenario, I wouldn't recommend it unless
    there's really no alternative. I'm guessing that there are better solutions
    in your case, but it's a little difficult to tell from your description of
    the problem. A few questions...

    1. Do you really want to ensure that only one physical machine can connect
    to the relevant portion of your application?
    2. Is it OK for multiple staff members to use this portion of the
    application, or are you trying to limit it to a single staff member?
    3. Do you really want the application to be accessible only from within the
    company's physical premises, or would it be OK for at least some staff to
    access it from elsewhere?


    >
    > Sorry for making this so long. Please kindly advise. Thank you.
     
    Nicole Calinoiu, Apr 4, 2005
    #2

  3. Thank you for your reply~ I'm truly touched... Here is my reply,

    > 1. Do you really want to ensure that only one physical machine can connect
    > to the relevant portion of your application?

    Yes, or perhaps not one, but only selected computers within my company's
    physical premises.

    > 2. Is it OK for multiple staff members to use this portion of the
    > application, or are you trying to limit it to a single staff member?

    Any staff with a user account and password with the system can use this
    portion of the application.

    > 3. Do you really want the application to be accessible only from within the
    > company's physical premises, or would it be OK for at least some staff to
    > access it from elsewhere?

    I think my director wishes to make the application accessible only
    from within the company's physical premises. That's the start of all the
    problems... We don't have a static IP, we don't have a web server or a
    database server, and I don't think they are willing to invest in those.

    Anyway, all the ISPs I contacted discouraged me from using SSL client
    authentication. They said that forms authentication with SSL should be
    secure enough. And my manager said that it should be possible for an application
    to detect a network card on the client PC and find its number. But I don't
    think it's possible, am I right?

    How? What should I do? Please help...
     
    wrytat, Apr 5, 2005
    #3
  4. "wrytat" <> wrote in message
    news:...
    > Thank you for your reply~ I'm truly touched... Here is my reply,
    >
    >> 1. Do you really want to ensure that only one physical machine can connect
    >> to the relevant portion of your application?
    >
    > Yes, or perhaps not one, but only selected computers within my company's
    > physical premises.


    Is it possible to reach any of these from outside the network using any type
    of remote desktop functionality? If so, anyone who can take advantage of
    this will be able to use your "limited" portion of the application even when
    they're physically located elsewhere.


    >> 2. Is it OK for multiple staff members to use this portion of the
    >> application, or are you trying to limit it to a single staff member?
    >
    > Any staff with a user account and password with the system can use this
    > portion of the application.
    >
    >> 3. Do you really want the application to be accessible only from within
    >> the company's physical premises, or would it be OK for at least some staff to
    >> access it from elsewhere?
    >
    > I think my director wishes to make the application accessible only
    > from within the company's physical premises.


    What would he/she say if the CEO requested access to this portion of the
    application when working from home?


    > That's the start of all the problems... We don't have a static IP, we don't
    > have a web server or a database server, and I don't think they are willing
    > to invest in those.


    Any one of these options might actually be cheaper than using the client
    certificate approach, particularly when you consider that you might need to
    upgrade your hosting plan. Have you actually looked into how much a static
    IP would cost?


    > Anyway, all the ISPs I contacted discouraged me from using SSL client
    > authentication.


    Personally, I would discourage this approach as well.


    > They said that forms authentication with SSL should be secure enough.


    While it sounds like your application should probably be performing user
    authentication of some type regardless, it won't do anything to limit
    callers to your physical premises.

    > And my manager said that it should be possible for an application to detect
    > a network card on the client PC and find its number. But I don't think it's
    > possible, am I right?


    Not in any way that can't be spoofed quite easily. If you're looking for
    something really cheap and are willing to tolerate some additional
    dependencies and risk, you might want to consider using a service like
    dyndns.org to map your dynamic IP to a static name. This would allow your
    application to verify whether the caller's IP address matches the name's IP
    address at any given time. Of course, making this verification will incur a
    pretty big performance hit, so you'll probably want to cache the result of
    the verification for at least a few minutes. Also, since it's possible for
    the service you'll be verifying against to go down, you'll need to decide
    how to handle requests that you can't verify. Please note that I'm not
    advocating this solution (IMO, it's pretty sucky), but it at least has the
    benefit of very low cost, which seems to be a driving factor on your end.


    >
    > How? What should I do? Please help...
     
    Nicole Calinoiu, Apr 6, 2005
    #4
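The dynamic-DNS check Nicole sketches above (resolve the office name, compare it with the caller's address, cache the result for a few minutes, and decide what to do when the name cannot be resolved), written out as an added example that is not code from the thread. The office name and the addresses are constructed, the resolver is injectable so the logic runs offline, and the policy chosen for an unverifiable request is to deny it.

```python
# Added example: IP gate backed by a dynamic-DNS name, along the lines of the
# reply above. Constructed values throughout; the office name is hypothetical.
# The resolver is injectable so the logic can be exercised offline and in tests.
import socket
import time
from typing import Callable, Optional

# Hypothetical dynamic-DNS name kept up to date by the office's updater client.
OFFICE_NAME = "office.example.dyndns.invalid"
CACHE_TTL_SECONDS = 300  # re-resolve only every few minutes, as the reply advises


class DynDnsIpGate:
    """Allows a request only if its peer address equals the office name's
    current address. Lookups are cached for `ttl` seconds; if the cache has
    expired and the name cannot be resolved, the request is denied (fail closed)."""

    def __init__(self, name: str = OFFICE_NAME,
                 resolver: Callable[[str], str] = socket.gethostbyname,
                 ttl: float = CACHE_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.name, self.resolver, self.ttl, self.clock = name, resolver, ttl, clock
        self._cached_ip: Optional[str] = None
        self._cached_at = float("-inf")

    def office_ip(self) -> Optional[str]:
        """Return the office's current address, or None if it cannot be verified."""
        now = self.clock()
        if self._cached_ip is not None and now - self._cached_at < self.ttl:
            return self._cached_ip
        try:
            ip = self.resolver(self.name)
        except OSError:
            # Resolver or dynamic-DNS service down: a stale address may by now
            # belong to whoever inherited it after the lease changed, so drop it.
            self._cached_ip = None
            return None
        self._cached_ip, self._cached_at = ip, now
        return ip

    def is_allowed(self, peer_addr: str) -> bool:
        """`peer_addr` must be the TCP peer address of the connection (what IIS
        exposes as REMOTE_ADDR), never a client-supplied header."""
        office = self.office_ip()
        return office is not None and peer_addr == office


if __name__ == "__main__":
    gate = DynDnsIpGate()  # real resolver against the hypothetical name
    print("allowed" if gate.is_allowed("198.51.100.7") else "denied or unverifiable")
```

Note that a dynamic-DNS record lags the actual address change by the updater's interval, so there is a short window in which the previous holder of the old address would pass this check.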
  5. I really have to thank you for your advice. I was feeling so helpless and
    didn't know which direction to go before you replied.

    > Is it possible to reach any of these from outside the network using any type
    > of remote desktop functionality? If so, anyone who can take advantage of
    > this will be able to use your "limited" portion of the application even when
    > they're physically located elsewhere.

    My company does not allow anyone to access the company's information
    outside, hence they don't allow any of us to use any remote desktop
    functionality.

    > What would he/she say if the CEO requested access to this portion of the
    > application when working from home?

    Actually this portion only includes functions like assigning passwords to
    members, responding to customers' requests and printing reports. So, I don't
    think the CEO will request access to this portion, as only the sales
    department and that director will use it.

    > Have you actually looked into how much a static IP would cost?

    My manager told me that investing in a static IP address will cost more than
    US$700 a month in my country, which is really very expensive. But... recently
    my CEO asked my manager to make the CCTV (live video of more than 10 security
    cameras) online; something like a live webcast from many, many cameras (They
    always have so many "creative" ideas). I have completely no idea how to do
    that, and I don't know how my manager is going to resolve it, but I think
    most probably they need a static IP as well, or ask for help from the CCTV
    provider.

    Anyway, am I right to say that I can only use either a static IP address, or
    a dynamic DNS? Then, I can use either the IIS Manager's security feature (one
    ISP suggests), or the ISP's firewall feature to restrict access based on
    IP/domain name? But comparing static IP with dynamic DNS, static IP will be a
    lot more reliable? Will these 2 ways incur a big performance hit as well?
     
    =?Utf-8?B?d3J5dGF0?=, Apr 7, 2005
    #5
  6. I've got a quotation, and it costs around USD200 per month to get a static IP.
    That's a lot cheaper than what I thought it was. :) Thanks anyway.

    wrytat, Apr 7, 2005
    #6
