Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp

["Matthew Zimmerman" <mzimmerman () gmail com>]

Rogan, you were right on the money.  Thanks.

On Wed, Nov 19, 2008 at 12:06 PM, Rogan Dawes <lists () dawes za net> wrote:
> Matthew Zimmerman wrote:
> > So my organization recently switched to requiring client
> > authentication as well as server authentication on our web
> > applications.  These places are using PKI certificates issued from our
> > CA.  The client certificates are contained on safenet 2032 tokens
> > (ikey, rainbow token, etc).  This is great for security.
> >
> > It's not great for security testing however.  Because of this, a proxy
> > like Paros / Webscarab / Burp / etc won't work.  The webserver returns
> > 4xx errors to us if we don't use the right cert.
>
> WebScarab supports client certs on a PKCS#11-compliant device. See
> Tools->Certificates->Add Keystore->PKCS#11
>
> Provide the DLL that came with your token, and the PIN/password of the
> token, and you should be good to go. Please write to the WebScarab list
> (owasp-webscarab AT lists.owasp.org) if you are still having difficulties.
I was able to get WebScarab to work with the safenet / rainbow ikey
2032 using the dkck201.dll.  On one machine, WebScarab had almost no
issues once I figured out how to use it.  On some other machines, I
needed to run WebScarab with the -Djava.security.debug=sunpkcs11,pkcs
parameter.  Not sure exactly why, but it works now! :)
> > So there's two ways around it I think.  1) Get the whole certificate
> > off of the token in PKCS#12 (including the private key) so we can
> > import it into these tools.  2) Work directly with the browsers to
> > allow more manipulation other than URLs/GETs.  3) Pass the http
> > protocol through another tool that supports safenet 2032 tokens?
> > (Would be very slow setting up each https connection...)
>
> 1) is not possible, which is the point of the token.
> 2) sounds like a possibility.
> 3) not really that slow, WebScarab does this, and there is not much
> additional overhead, over and above the regular SSL decrypt/recrypt.
3) Yes, I had meant another tool like Putty or stunnel.  Setting up
the SSL tunnel and then push the browser through that.  WebScarab
works MUCH better :)
> > Something that would work for #2 would be a browser addon like Tamper
> > Data for Firefox; however, I can't seem to get the 2032 tokens to work
> > with firefox correctly (seems to be that the 2032 only implements
> > pkcs#11 and firefox is looking for a pkcs#12 device, but I am by no
> > means a PKI guy).
>
> FF *does* support PKCS#11, see Options->Advanced->Security Devices.
I had been looking at Firefox to use the token and just couldn't quite
get it to work.  I got FF to prompt for the password off the token,
but the application would still give access denied (never did figure
out why it wouldn't work).  Our application development & PKI teams
are still looking at it, but not too hard as we don't officially
support it...
> > Which brings me to addons that are available for
> > internet explorer that allow on-the-fly modification; which I found
> > none.
> >
> > 3) The last option is to request software certs (already in PKCS#12
> > format) for all future tests.  Although with this case, it's pretty
> > hard to convince to management to fix their SQL injection issue if you
> > need someone on the inside to issue you a software cert instead of the
> > 2032...
>
> One final possibility is to tamper with the enrollment process, and convince
> your browser to create the cert in the default Windows Keystore, rather than
> on the token. I have done this in the past using WebScarab to dynamically
> modify the client-side javascript which was specifying which keystore to
> use.
Good thought, although in this case the enrollment requires in-person proofing.
> > Any ideas?
>
> Enough for you? :-)
Yes, thank you!
> > Thanks,
> > Matt Z
>
> Rogan
Matt Z

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------