I'm consuming a soap service from a server that uses ssl certificate. Although I don't have any dependency on the server certificate in my code, but what if the server certificate gets expired? Will the communication between the server and my client be OK?
In general: no, the communication will not be OK.
A certificate is an endorsement, by the issuer, that the requester has met the identity (and other) requirements that the issuer has put in place; and that the public key in the certificate really is associated with the subject.
The expiration date for the certificate exists because the longer ago the verification process was, the more likely it won't hold up anymore. Imagine you bought awesomesauce.example.com, and got a TLS server certificate for it, and the cert had no expiration. After a year you forget to pay your registrar and lose the name. Someone else comes along, buys it, and has a popular website there. You realize that you have a certificate that identifies you as that site, so you sell it for a million BTC to some hacker group who uses it to do various identity theft tricks and ...
This is similar to an expiration on a driver's license. Maybe your eyesight has dropped below the acceptable thresholds and you shouldn't drive. Maybe you moved and the address on the card should no longer be trusted. Slap an expiration date on there and you now have to reaffirm the facts therein.
You can get an idea of how your client will handle expiration by making a request to https://expired.badssl.com/. If it works, you're trusting outdated claims. If it doesn't: be happy about your client doing the right thing.
Related
We are trying to implement a smooth rollover for our saml 2 service provider signing certificates.
We have created new certificates with a notBefore at the date of the rollover in the future. Those certificates are exposed on our metadata endpoint, along the certificates currently used to sign saml messages. They are not yet valid since the notBefore property is in the future. Our service provider will start using them when they become valid.
However some partners are having issues with their identity providers complaining that the new certificate is not yet valid.
So my question is the following: are we allowed to expose future certificates that are not yet valid? If not, how are we supposed to manage the signing certificate rollover in saml 2?
Unfortunately the SAML specification doesn't address how certificate roll over should be handled. Therefore, there's no consistent approach.
What you're doing seems reasonable but then I can also understand why some partners would complain about a certificate that isn't (yet) valid.
Some providers simply update their published SAML metadata at the time of certificate roll over. In other words, the metadata contains the current certificate only rather than any past or future certificates. This then places the onus on the partners to ensure they monitor the metadata and switch the certificate immediately.
Of course, this isn't always practicable. In my experience, it's usually best to communicate with the partners that the certificate will roll over on a certain date and provide them with the new certificate and/or metadata prior to that date. Partners should handle signatures generated by either the new or old certificate for an interval of time around the roll over date to ensure a smooth transition. On the roll over date, you'd also publish the new metadata.
You'd probably want an overlap between the old certificate's NotAfter and the new certificate's NotBefore.
I'm interested in signing my Silverlight XAP with a self-signed certificate, so it can auto-update. I haven't tried yet, but figure I can create a certificate easily with this question/answer I found on StackOverflow.
But it's not clear to me what the timestamp server does and can I use a timestamp server from a company (for example, the one from Comodo), even if I didn't buy a certificate from them, but self-signed my certificate?
Putting bits and pieces together I found the following answer by BruceCran:
Any timestamp server can be used: I recently switched from my issuer's
timestamp server to Verisign since I found that GlobalSign's server
was unreliable. Furthermore, Thawte don't run their own timestamp
server but recommend people to use Verisign's.
So, yes I assume I can use any timestamp server.
As for what a timestamp server does, it is explained by Comodo:
Since key pairs are based on mathematical relationships that can be
cracked with a great deal of time and effort, it is a well-established
security principle that a digital certificate should expire. Your
Digital ID will expire one year after it is issued. However, most
software is intended to have a lifetime of longer than one year. To
avoid having to resign software every time your certificate expires,
companies have introduced time stamping services. When you sign code,
a hash of your code will be sent to Certification Authority to be time
stamped. Once your software has been time stamped, you will not need
to worry about resigning code when your Digital ID expires. Microsoft
Authenticode allows you to time stamp your signed code so that
signatures will not expire when your certificate does.
So your certificate expires, but your code doesn't.
A digital certificate is a digital document that certifies that a certain public key is owned by a particular user. Thus if you trust the CA that signed the certificate C, then you can trust that specific public/private key pair is owned by the owner of certificate C.
a) Assume client A wants to establish a connection with server B located at url www.some_domain.com. When establishing a connection with B, A may receive from the other end a X.509 certificate C and a public key, belonging to the owner of certificate C.
But how can client know that owner of C is really a server B and not some other entity that hijacked ( if that is the correct term ) the connection and sent its own certificate and public key to A?
Only way I can think of for client to know whether owner of C is really B, is if C's Subject field also specifies the domain for which this certificate is valid or if it specifies the organization to which this certificate belongs ( but that only helps if client knows to which organization www.some_domain.com belongs )?!
thank you
All a certificate can do is ensure that the communications between A and C are encrypted such that C (or whatever has the certificate installed) is the only one able to decrypt it.
It makes absolutely no representation with regards to who C is owned by. Some Certificate Authorities will try and establish that a given entity is who they say they are prior to disbursing a certificate. However, quite frankly, all of that can be duped and most sites don't bother paying for that level of research anyway (called Extended Validation).
Now, if some crook has stolen the certificate from server C and set up their own server (with the same fully qualified domain name), then yes they can impersonate away. However, this would require an additional step of poisoning DNS resolution so that requests to www.some_domain.com go to the hacker's server and not the original. It's usually much easier just to crack the original server and install your own data capture software.
As a side note there are huge security issues with DNS resolution.
Another note, recently the stuxnet worm used a stolen code signing certificate to get past some of the windows installation protections.
Because 'C' is signed by a CA certificate authority that is already on your system. That is why the scheme can be broken by governments that control the CA's.
If you look at a certificate in your browser then you can see who signed it. For instance gmail is signed by Thawte which is signed by Verisign. The CN field is marked www.google.com so it will only be valid for that domain.
Maybe you are talking about man in the middle:
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other—it is an attack on mutual authentication. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority.
So in your scenario only one side would be fooled. Check out step 2 below:
https://ssl.trustwave.com/support/support-how-ssl-works.php
Step 1: A customer makes a connection to xyz.com on an SSL port, typically 443. This connection is denoted with https instead of http.
Step 2: xyz.com sends back its public key to the customer. Once customer receives it, his/her browser decides if it is alright to proceed.
The xyz.com public key must NOT be expired
The xyz.com public key must be for xyz.com only
The client must have the public key for Trustwave installed in their browser certificate store. 99.9% of all modern browsers (1998+) include the Trustwave root certificate. If the customer has Trustwave trusted public key, then they can trust that they are really communicating with XYZ, Inc.
Step 3: If the customer decides to trust the certificate, then the customer will be sent to xyz.com his/her public key.
-Step 4: xyz.com will next create a unique hash and encrypt it using both the customer's public key and xyz.com's private key, and send this back to the client.
Step 5: Customer's browser will decrypt the hash. This process shows that the xyz.com sent the hash and only the customer is able to read it.
Step 6: Customer and website can now securely exchange information.
A is typically configured with a set of trusted CAs, which map C's public key to trusted entities, in this case B. Did you not answer your own question in the first paragraph, or am I missing something?
So the client A needs to know if certificate C is genuine. Whose task is to verify this?
Ans: A's browser.
How will it verify?
Ans: Browser checks who signed the certificate.
Who signed the certificate?
Ans: A C.A(Certification Authority) named AweCerts.Inc
Does the browser know this CA. And does the broswer trust CA?
Ans: Yes. If the broswer does not trust then A cannot proceed further. And not only does the broswer trust AweCerts but her/his friends as well (the whole chain that is).
How does the browser know this certificate was signed by AweCerts.Inc?
Ans: Browser had an agreement with AweCerts. Microsoft does this in IE's case.
If the browser is able to unlock the message(outer covering) with AweCerts public key then it is sure that it was 'encrypted with AweCerts private key' or signed by Awecerts.
We usually encrypt with public keys and have it decrypted with private keys. But the other way around is possible as well and that is infact what we call Digital Signature. And you can check my blog for more interesting info on certificates and messaging.
There is an interesting blog here http://the-blueclouds.blogspot.nl/2011/11/public-key-private-key-hashing-blah.html
I'd like to make requests from an iphone app to a web service I've built. How can I verify that requests made to the web service come from my iphone app (or indeed any authorised source) and are not forged?
I have looked at basic auth over HTTPS but is baking credentials into an application secure?
This question isn't really iphone specific; I'd like to know how to protect and authenticate requests in general.
Authentication can be asserted by presenting something you know, something you have, something you are or a combination of the three.
The iPhone doesn't have retinal or fingerprint scanners, so there are no "something you are" options available.
Client certificates work well as a "something you have" token. Most smartcards work by signing a message with an embedded certificate. When a certificate is compromised, it can be put onto a Certificate Revocation List (CRL) referenced by the webservers. Obviously, you wouldn't want to put your app's embedded certificate in the CRL -- that would deny access to all your users. Instead, you'll want users to download individual certificates to their iPhone.
After that, it's a matter of monitoring for unusual behavior to find the bad actors and adding those certs to the CRL. Two dead giveaways would be clients who send too many requests at once or from too many different IPs in too short a time.
Login/password is a simple "something you know" token. Like certificates, login/password combinations can be compromised and similar monitoring can be set up to find inappropriate behavior. The difference is compromised accounts would be marked "blocked" rather than added to a CRL.
By requiring both a client certificate and a login/password you increase the amount of effort needed to compromise an account.
Of course, you must ensure only valid accounts are added to the database. If there is an automated way to create new accounts and corresponding client certificates, then that account creation server/process becomes the easiest way for bad actors to create viable, unauthorized accounts. Requiring a real person to sign-off on accounts removes the automation process, but means a disgruntled or corrupt employee could create invalid accounts. Requiring a second person to counter-sign the account makes it harder for a single person to be an inside threat.
In short, ensuring high integrity of the clients is a process that can be made arbitrarily complex and expensive. What tools and processes you decide to deploy as the authentication scheme has to be balanced by the value of what it is protecting.
In theory, if you want the connection to be secure, the best is to have the client sign their request using a certificate. There are multiple resources about this. Look for "client certificate" on Google.
This example from Sun is in Java, but the concept is similar whatever the language.
PS: obviously, this doesn't prevent you from using other authentication methods such as passwords, etc...
PPS: Keep in mind that if someone manages to extract the certificate from your application, you are screwed either way ;-). You can imagine a store providing an individual certificate to each app and invalidating the certificates that are compromised.
I'm building a solution consisting of an app and a server. Server provides some methods (json) and the app uses them. My aim is to make those API methods inaccessible to other clients. What is the best way to do so?
Should I take a look at certificates (to sign every outgoing request)? If yes, where do I start and what is the performance impact of doing so?
What are alternatives?
Put another way, you need a way to distinguish a valid client's request from an invalid client's request. That means the client needs to present credentials that demonstrate the request comes from a valid source.
SSL certificates are an excellent way to assert identity that can be validated. The validity of an SSL certificate can be confirmed if the certificate contains a valid signature created by another certificate known to be secure, a root cert. As noted in other answers an embedded certificate won't do the job because that certificate can be compromised by dissecting the app. Once it is compromised, you can't accept any requests presenting it, locking out all your users.
Instead of one embedded app cert, you need to issue a separate certificate to each valid user. To do that, you need to set up (or outsource to) a Certificate Authority and issue individual, signed certificates to valid clients. Some of these certificate will be compromised by the user -- either because they were hacked, careless or intentionally trying to defraud your service. You'll need to watch for these stolen certificates, place them on a certificate revocation list (CRL) and refuse service to these compromised certificates. Any web server is able to refuse a connection based on a CRL.
This doesn't solve the security issues, it just moves them out of the app. It is still possible for someone to create what appears to be a valid certificate through social engineering or by stealing your root certificate and manufacturing new signed certificates. (These are problems all PKI providers face.)
There will be a performance hit. How much of a hit depends on the number of requests from the app. The iPhone NSURLConnection class provides support for SSL client certificates and client certificates can be installed in the phone from an e-mail or authenticated web request. Managing the infrastructure to support the client certs will require more effort than coding it into the app.
Incidentally, voting down any answer you don't like creates a chilling effect in the community. You're not nearly as likely to get advice -- good or bad -- if you're going to take a whack at everyone's reputation score.
I will now freely admit that it's an interesting question, but I have no idea how it could be done.
Original answer:
Interesting question. Assuming people can't reverse-engineer the iPhone app, the only solution that comes to mind would be to sign requests with a public key, or some other secret known only to the application. By that, I mean adding an extra argument to every API call that is a hash of the destination URL and other arguments combined with a secret known only to your server and application.
To expand upon this: suppose your API call has arguments foo, bar and qux. I would add a signature argument, the value of which could be something as simple as sorting the other arguments by name, concatenating them with their values, adding a secret, and hashing the lot. Then on the server side, I would do the same thing (excepting the signature argument) and check that the hash matches the one we were given in the request.
Consider authenticated HTTP.
For a cheaper alternative, there's shared secret/hash scheme. The client and the server have a shared secret string of text. Upon request, the client hashes together (using MD5, or SHA1, or SHA something else - you choose) the request fields and the secret. The hash value is attached to the request - say, as another POST field.
The server does the same operation with the request and with its copy of the secret, then compares the hash values. If they don't match - service denied.
For added security, you may encrypt the hash with a RSA public key. The client has the public key, the server keeps the private key. The server decrypts the hash with the private key, then the same. I did that with a C++ WinMobile client and a PHP-based service - works like a charm. No experience with crypto on iPhone, though.
UPDATE: now that I think of it, if we assume that the attacker has complete control over the client (ahem jailbroken iPhone and a debugger), the problem, as formulated above, is not solvable in theory. After all, the attacker might use your bits to access the service. Reverse-engineer the executable, find the relevant functions and call them with desired data. Build some global state, if necessary. Alternatively, they can automate your UI, screen scraper style. Such is the sad state of affairs.