Security Basics mailing list archives

RE: Secure web site access and PKI Certs


From: "Robert Hines" <b.hines () comcast net>
Date: Thu, 28 Apr 2005 21:01:54 -0400

Actually,

I know that this is not what you asked but it may help:

The "Enable Strong Private Key" option is to ensure non-repudiation is
achieved, given that the sender using that key must know the
password/passphrase to send the mail signed, providing a higher level of
confidence that the actual registrant of the key is the one who sent the
message.

If you are using, say, Outlook in a POP3 mode, the recipient of the signed
message (public key) can save off the public key to the address book, then
when the sender sends the next message (encrypted option) the message is
sent signed with the sender's public key and encrypted with the sender's
private key. The recipient who has the sender's public key associated to the
sender's email address will now be able to read (decrypt) the message.

The work factor associated with the encrypted message is decided at key
registration time with the RA and CA by selecting well-proved algorithms, say
AES, and a Password/Passphrase to generate your key pair. IMHO the difficulty
with the "Enable Strong Private Key" option is that now you as the sender must
identify yourself every time to send a signed mail or encrypted mail.

As a side note, when sending email you sign, it is a good idea to try it with
the clear text sub-option selected so as not to be outwitted by a cautious
proxy server.

So maybe it would force the user to re-authenticate at your site, but I
think, I may be confused, that when an SSL session is set up the server
issues the key to the user and that security association stays valid as long
as the SSL connection has not been terminated.


Now I also believe that if you are running a private CA server along with
your DNS, users in your community can be forced to sign in with the proper
credentials and have a key generated by your DNS/CA, which closes your dilemmas
concerning Authentication, Identity, and Confidentiality; however, your
internal keys will not be recognized as valid to anyone not under your DNS
control, since they came from a private CA.


OK, I am done rambling.

Bob



-----Original Message-----
From: Scott Schwendinger [mailto:swschwen () yahoo com] 
Sent: Wednesday, April 27, 2005 5:38 PM
To: Keenan Smith; security-basics () securityfocus com
Subject: Re: Secure web site access and PKI Certs

Keenan,

   If the PKI certificate is installed on the local
machine with the "Enable Strong Private Key
Protection..." checked, a password will be required
each time the certificate is used.  This will provide
additional security for Single Sign On to PKI enabled
web sites.


--- Keenan Smith <kc_smith () clark net> wrote:
All,

I have access to a secure web site.  It used to
require a PKI Cert to
identify the user and then a standard
username/password login to
authenticate.

Recently a change was made to the site that allows
the supplying of a
PKI Subject CN Fragment to a user "profile" on the
site.  In this case,
the certificate not only identifies the user but
authenticates as well.

The end result is an "auto-login" feature that in
effect, keeps me
logged in all the time.  Anybody sitting at my
machine and logged in as
me (Windows XP) can access the web site as me.

At first glance this seems like it's a reasonable
way to accomplish a
secure access to the web site.  Installing the
certificate as me ties it
to my profile and makes it unavailable to other
users on my machine and
since the use of the certificate requires a user to
login as me, it
moves the authentication piece from the web site to
the Windows domain.

This seems to some extent like "security through
obscurity" and also
substituting convenience for security, an
all-too-common problem.

Since it's my security-cleared neck on the line, I'd
rather be too
concerned rather than not concerned enough.

So I'm asking the collective wisdom of the list to
consider.  Is PKI's
single sign-on capability reasonable?  Is this
implementation adequate?
Thoughts?  Opinions?  Critiques?

Thanks
Keenan Smith


