Client certificate authentication


Question

I am new to SSL and certificates. I have been doing my research about client certificate authentication. I have read this and the wiki.

So if I have to implement a client certificate auth solution for my B2B REST service, should I do the following:

  1. Ask clients to generate their own private-public key pair and generate a certificate (CA issued?) for their public key. Send that certificate over email or on a USB key.
  2. On the server side, import the client's public certificate into the trust store and enable client authentication.
  3. During the handshake the client presents its certificate and gets authenticated, because the server has a copy of the cert in its trust store and can verify the CertificateVerify message.

My question is how does it stop anybody from posing as my client. Let's say a hacker X sends a CA-issued certificate to the server as part of the handshake. Then the server would automatically trust it and grant access.

Answer

I have to break down your question into two parts.

Part one: "Let's say a hacker X sends a CA-issued certificate to the server as part of the handshake. Then the server would automatically trust it and grant access."

If X acquires the client certificate of an authentic client then that's OK, because the certificate itself does not contain any secret. Those certificates can be published anywhere without doing any damage (except if you want to keep your email address a secret, try not to publish it; but it may get out there after some time. And company-crafted X509CertificateExtensions are not considered here either).

The private key is the important key which must be kept secret by your client. If X gets the private key as well, X can impersonate an authentic client and log in to your system. Therefore clients must protect those private keys from getting stolen!

That's because within the client-auth handshake, the server not only requests the client certificate. The client must also prove that he's the real owner of the certificate, by using his private key, as stated in the wiki you referenced: "The client sends a CertificateVerify message, which is a signature over the previous handshake messages using the client's certificate's private key." Such a signature can only be made if the client possesses the private key belonging to the certificate, as stated in the wiki as well: "This lets the server know that the client has access to the private key of the certificate and thus owns the certificate."

Part two: How do you establish an initial trust relationship?

That part is difficult if there are many clients involved. That's why the PKI was established. You trust the CA, and the CA should do the identity check on the clients who request a certificate.

For homebrew solutions, in which case you have your own CA or you don't trust a CA, that part is up to you. You must be sure that you grant access to your services only to authentic clients. If you do this via USB keys and the clients hand them over to you in person, that's OK.

If you receive an email which says "hello, I'm your friend XYZ from ABC, remember? Btw. here's my certificate" - check it twice.
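The handshake this answer describes, run end to end, as an added example that is not part of the original question or answer: a Go program using only the standard library. It mints a throwaway CA, a server identity and a client identity in memory, puts that CA (and nothing else) into the server's trust store with RequireAndVerifyClientCert, and runs four mutual-TLS handshakes over an in-memory pipe: the legitimate client; attacker X presenting a copy of the client's certificate but signing CertificateVerify with X's own key; a client holding a certificate from a CA the server does not trust; and a client with no certificate at all. Every name ("Demo B2B Root CA", "api.example.test", "acme-client", "Rogue CA"), the CA itself and the four scenarios are constructed for this demo and are not from the original post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity mints a throwaway P-256 key and certificate for cn: a self-signed CA when issuer is nil, otherwise a leaf signed by issuer.
func newIdentity(cn string, issuer *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		DNSNames:              []string{"localhost"}, // so the demo server cert passes the client's hostname check
	}
	parent, signKey := tmpl, any(key) // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signKey = issuer.Leaf, issuer.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey))
	// The certificate (der) is public data; the private key is the only secret in this struct.
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serverConfig: the B2B server's own identity plus a trust store holding only the CA that issued client certs.
func serverConfig(server *tls.Certificate, trustedCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	return &tls.Config{
		Certificates:           []tls.Certificate{*server},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // no post-handshake writes, so the synchronous pipe in handshake cannot stall
	}
}

// clientConfig: what a client presents (nil for no certificate at all) and which CA it trusts for the server.
func clientConfig(id *tls.Certificate, rootCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(rootCA)
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if id != nil {
		cfg.Certificates = []tls.Certificate{*id}
	}
	return cfg
}

// handshake runs one mutual-TLS handshake over an in-memory pipe and returns the server's verdict: nil means the client's CertificateVerify signature checked out against a certificate the server trusts.
func handshake(srv, cli *tls.Config) error {
	cEnd, sEnd := net.Pipe()
	defer sEnd.Close()
	go func() { defer cEnd.Close(); _ = tls.Client(cEnd, cli).Handshake() }()
	return tls.Server(sEnd, srv).Handshake()
}

// runScenarios plays four clients against the server; true means the server accepted that client.
func runScenarios() map[string]bool {
	ca := newIdentity("Demo B2B Root CA", nil)
	srv := serverConfig(newIdentity("api.example.test", ca), ca.Leaf)
	client := newIdentity("acme-client", ca)
	// A certificate is public, so assume X has a copy; X can only sign CertificateVerify with a key that is not the client's.
	stolen := &tls.Certificate{Certificate: client.Certificate, PrivateKey: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	rogue := newIdentity("acme-client", newIdentity("Rogue CA", nil)) // same name, but an issuer the server does not trust
	results := map[string]bool{}
	for name, cli := range map[string]*tls.Config{
		"legitimate client, cert + matching key": clientConfig(client, ca.Leaf),
		"stolen cert, attacker's own key":        clientConfig(stolen, ca.Leaf),
		"cert from an untrusted CA":              clientConfig(rogue, ca.Leaf),
		"no client certificate":                  clientConfig(nil, ca.Leaf),
	} {
		err := handshake(srv, cli)
		results[name] = err == nil
		fmt.Printf("%-40s accepted=%-5v %v\n", name, err == nil, err)
	}
	return results
}

func main() { runScenarios() }
```

Running it prints one line per scenario, and only the first is accepted. The stolen-certificate case is the first part of the answer in action: the certificate is public, and what fails is the server's check of the CertificateVerify signature against the public key inside that certificate, because X signed with a different key. In the untrusted-CA case the Go client sees that its certificate's issuer is not among the CAs the server lists as acceptable and sends no certificate at all; a client that sent it anyway would fail chain validation against ClientCAs. The trust-store contents in serverConfig are the second part of the answer: the server accepts exactly the issuer it chose to trust, so who gets into that pool is the decision that matters.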

