使用证书进行SSL身份验证:证书是否应具有主机名? [英] SSL Authentication with Certificates: Should the Certificates have a hostname?
问题描述
问题的快速版本
Gmail,TD(加拿大银行),皇家银行(加拿大银行)都使用ssl。当您检查其证书时,他们都有
公用名(CN)mail.google.com
或更一般地:
名称(CN)< url>
这是否需要防止中间人攻击?
摘要
JBoss允许客户端和服务器使用证书和ssl进行身份验证。似乎很奇怪的一件事是,您不需要在证书上提供您的主机名。
我认为这意味着如果服务器B在您的信任库,Sever B可以假装是他们想要的任何服务器。
(同样:如果客户B在您的信托中心...)
?
验证步骤
客户端服务器
================================================ =====================================
1)客户端发送客户端Hello
订阅:无
- 支持的最高TLS协议
- 随机数
- 密码套件列表
- 压缩方法
2)Sever Hello
ENCRIPTION:无
- 支持的最高TLS协议
- 随机数
- 选择密码套件
- 选择压缩方法
3)证书消息
订阅:无
-
4)ServerHelloDone
订阅:无
5 )证书消息
订阅:无
6)ClientKeyExchange消息
ENCRIPTION:服务器的公钥=>只有服务器可以读取
=>如果服务器可以读取它,他必须拥有证书
- 可能包含PreMasterSecerate,公钥或无(取决于密码)
7)CertificateVerify消息
ENCRIPTION:clients私钥
- 目的是向服务器证明客户端拥有证书
8)两个客户端和服务器:
- 使用随机数和PreMasterSecret计算公共分离
9)完成的消息
- 包含一个has和MAC在以前的握手
(以确保那些没有注释的消息没有坏掉)
10)完成的消息
- samething
/ h1>
-
客户端已发送证书的公钥(步骤7)
-
客户的凭证有效,因为:
- 它已由CA签署
- 它已经自签名,但它在服务器的信任库中
-
重放攻击,因为假设随每个邮件一起发送随机数(步骤1或2)
客户知道
-
服务器具有已发送证书的公钥(步骤6,步骤8)
-
服务器的证书有效
,因为:
- )
- 已自行签署,但在客户的信任库中
-
它不是一个重放攻击,因为大概随着每个消息发送随机数(步骤1或2)
潜在问题
-
假设客户的信任库中有证书:
- 服务器A
- 服务器B(恶意)
-
伺服器A的主机名为www.B.com
-
假设:客户端尝试连接到服务器A,但服务器B启动中间人攻击。
-
服务器B:
- 具有将发送给客户端的证书的公钥
- 具有有效证书(信任库中的证书)
- 并且自:
- 凭证中没有主机名。
客户端已发送证书的公钥(步骤7)
客户的凭证有效,因为:
- 它已由CA签署
- 它已经自签名,但它在服务器的信任库中
重放攻击,因为假设随每个邮件一起发送随机数(步骤1或2)
服务器具有已发送证书的公钥(步骤6,步骤8)
服务器的证书有效
,因为:
- )
- 已自行签署,但在客户的信任库中
它不是一个重放攻击,因为大概随着每个消息发送随机数(步骤1或2)
假设客户的信任库中有证书:
- 服务器A
- 服务器B(恶意)
伺服器A的主机名为www.B.com
假设:客户端尝试连接到服务器A,但服务器B启动中间人攻击。
服务器B:
- 具有将发送给客户端的证书的公钥
- 具有有效证书(信任库中的证书)
- 凭证中没有主机名。
似乎服务器B可以假装是服务器A容易。
有没有我缺少的东西?
但是,当服务器B试图在中级攻击中启动一个人时,你说:它有一个公钥。这是真的,但是要设置ssl连接,您还应该有属于该公钥的私钥。此外,使用的证书耦合到dns名称(在https的情况下)。因此,客户端尝试连接到A,他输入www.a.com。由于我们假设B不知道A的私钥,他将有另一个密钥对。他永远不能从耦合到他不拥有的域的主CA获得有效(即可信任)证书。
所以B永远不会得到一个共同名称为www.A.com的证书,因为这个原因,B不能在中间人攻击中执行一个人。
Quick Version of Question
Gmail, TD (Canadian Bank), Royal Bank (Canadian Bank) all use ssl. When you inspect their certificates they all have
Common Name (CN) mail.google.com
Or more generally:
Common Name (CN) <url>
Is this needed to prevent man in the middle attacks?
Summary
JBoss allows clients and servers to authenticate using certificates and ssl. One thing that seems strange is that you are not required to give your hostname on the certificate.
I think that this means if Server B is in your truststore, Sever B can pretend to be any server that they want.
(And likewise: if Client B is in your truststore...)
Am I missing something here?
Authentication Steps
Client Server
=================================================================================================
1) Client sends Client Hello
ENCRIPTION: None
- highest TLS protocol supported
- random number
- list of cipher suites
- compression methods
2) Sever Hello
ENCRIPTION: None
- highest TLS protocol supported
- random number
- choosen cipher suite
- choosen compression method
3) Certificate Message
ENCRIPTION: None
-
4) ServerHelloDone
ENCRIPTION: None
5) Certificate Message
ENCRIPTION: None
6) ClientKeyExchange Message
ENCRIPTION: server's public key => only server can read
=> if sever can read this he must own the certificate
- may contain a PreMasterSecerate, public key or nothing (depends on cipher)
7) CertificateVerify Message
ENCRIPTION: clients private key
- purpose is to prove to the server that client owns the cert
8) BOTH CLIENT AND SERVER:
- use random numbers and PreMasterSecret to compute a common secerate
9) Finished message
- contains a has and MAC over previous handshakes
(to ensure that those unincripted messages did not get broken)
10) Finished message
- samething
Sever Knows
The client has the public key for the sent certificate (step 7)
The client's certificate is valid because either:
- it has been signed by a CA (verisign)
- it has been self-signed BUT it is in the server's truststore
It is not a replay attack because presumably the random number (step 1 or 2) is sent with each message
Client Knows
The server has the public key for the sent certificate (step 6 with step 8)
The server's certificate is valid because either:
- it has been signed by a CA (verisign)
- it has been self-signed BUT it is in the client's truststore
It is not a replay attack because presumably the random number (step 1 or 2) is sent with each message
Potential Problem
Suppose the client's truststore has certs in it:
- Server A
- Server B (malicous)
Server A has hostname www.A.com
Server B has hostname www.B.com
Suppose: The client tries to connect to Server A but Server B launches a man in the middle attack.
Since server B:
- has a public key for the certificate that will be sent to the client
- has a "valid certificate" (a cert in the truststore)
- And since:
- certificates do not have a hostname feild in them
It seems like Server B can pretend to be Server A easily.
Is there something that I am missing?
I think you're missing something, but I'm not sure if I understand your reasoning.
However, when server B tries to launch a man in the middle attack, you say that it has a public key. This is true, but to setup a ssl connection, you should also have a private key belonging to that public key. Moreover, the certificate used is coupled to the dns name (in case of https). So a client tries to connect to A, he types in www.a.com. Since we assume that B does not know the private key of A, he will have another keypair. He could never receive a valid (i.e. trusted) certificate from a major CA that is coupled to a domain he does not own.
So B could never get a certificate with common name www.A.com, for this reason, B could not perform a man in the middle attack.
这篇关于使用证书进行SSL身份验证:证书是否应具有主机名?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
