RE: Secure web site access and PKI Certs

["Keenan Smith" <kc_smith () clark net>]

All,

Thanks for the good information.

To clarify, the certificate itself isn't password protected.  The
username/password authentication is via a web page.

The certificate is used to identify the user and the login on the web
page authenticates that user.  As one of you said, removing the
authentication portion removes the "what you know" half of the 'what you
have/what you know" security scheme.

For a "secure" site, this seems to be counter to what is desired.

To continue this thread, given that the possessor of the certificate has
full access to this site as me, how transportable is the certificate?
If it is somehow stolen from my machine and a copy of it installed
elsewhere, can it be used in the other location?  My understanding of
certificates would make me think "yes".  

Thoughts?

Keenan Smith

-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r () gmail com] 
Sent: Friday, April 29, 2005 3:43 AM
To: Justin Roysdon
Cc: Keenan Smith; security-basics () securityfocus com
Subject: Re: Secure web site access and PKI Certs


But I should have thought that if the PKCS12 certificate is password
protected, then it would still ask for the export password each time you
make use of it, wouldn't it?

So even if you gain access to the desktop, you would still be unable to
make use of the cert for client auth or any other purpose, makng the web
access impossible.

Hope this helps,
Rodrigo.

On 4/28/05, Justin Roysdon <justin () roysdon net> wrote:
> Last I checked, if someone has local access to your system, then it's 
> not very difficult to change your password (with a boot disk) and then

> proceed to login as your user.  It sounds like a poor way to 
> authenticate. The benefit of the seperate authentication is lost.
>
> Crypto Geek
>
>
> ---------- Original Message -----------
> From: "Keenan Smith" <kc_smith () clark net>
> To: <security-basics () securityfocus com>
> Sent: Wed, 27 Apr 2005 11:12:02 -0400
> Subject: Secure web site access and PKI Certs
>
> > All,
> >
> > I have access to a secure web site.  It used to require a PKI Cert 
> > to identify the user and then a standard username/password login to 
> > authenticate.
> >
> > Recently a change was made to the site that allows the supplying of 
> > a PKI Subject CN Fragment to a user "profile" on the site.  In this 
> > case, the certificate not only identifies the user but authenticates

> > as well.
> >
> > The end result is an "auto-login" feature that in effect, keeps me 
> > logged in all the time.  Anybody sitting at my machine and logged in

> > as me (Windows XP) can access the web site as me.
> >
> > At first glance this seems like it's a reasonable way to accomplish 
> > a secure access to the web site.  Installing the certificate as me 
> > ties it to my profile and makes it unavailable to other users on my 
> > machine and since the use of the certificate requires a user to 
> > login as me, it moves the authentication piece from the web site to 
> > the Windows domain.
> >
> > This seems to some extent like "security through obscurity" and also

> > substituting convenience for security, an all-to-common problem.
> >
> > Since it's my security-cleared neck on the line, I'd rather be too 
> > concerned rather than not concerned enough.
> >
> > So I'm asking the collective wisdom of the list to consider.  Is 
> > PKI's single sign-on capability reasonable?  Is this implementation
> adequate?
> > Thoughts?  Opinions?  Critiques?
> >
> > Thanks
> > Keenan Smith
> ------- End of Original Message -------