Infineon Security Platform Solution
Client Authentication
Until recently, computer networks have used a centralized database of accounts to manage users, their privileges, and their access controls. This technique is simple and effective for small networks. However, in the present-day scenario, where large networks with thousands of users are the order of the day, this form of centralized control becomes difficult to administer. The problems with this system range from trying to verify an account against a database located across the Internet, to administering a lengthy list of users. Furthermore, the advent of the Internet has made computer networks more prone to attacks from external entities.
Certificate Use
Public key certificates provide a solution that makes the administration of many users in large networks much easier while reducing the risk of ID / password attacks. These certificates can be widely distributed, issued by numerous parties, and verified by examining the certificate without having to refer to a centralized database.
Certificates can be used for secure communications and user authentication between clients and servers on the web. Certificates enable clients to establish a server's identity, because the server presents a server authentication certificate that discloses its source. If you connect to a web site that has a server certificate issued by a trusted authority, you can be confident that the server is actually operated by the person or organization identified by the certificate. Similarly, certificates enable servers to determine your identity. When you connect to a web site, the server can be assured of your identity if it receives your client certificate. A certificate used to authenticate a server is called a server certificate and the process of actually verifying a server’s identity is called Server Authentication. Similarly, a certificate used to verify a client’s identity is called a client certificate and the process of authenticating a client is called Client Authentication.
For example, if a web server wants to restrict access to information or services to specific users or clients, it requires a client certificate during the establishment of the secure connection (e.g., SSL).
While server authentication ensures secure transmission of data, client authentication enhances the security of such online transactions.
Mapping certificates to user accounts
Public Key technology has provided solutions to many of the security concerns of large networks. Certificates can be used to ascertain the identity of an entity and check for its authenticity without requiring the use of large user databases and lists of user accounts and their access privileges.
However, existing operating systems and administration tools are only equipped to work with user accounts and not with certificates. The simplest solution to maintaining the advantages of both certificates and user accounts is to create an association – or mapping – between a certificate and a user account. Doing this allows the operating system to continue using accounts while the larger system and the user use certificates.
In this model, a certificate that has been issued to a user is mapped to that user’s account on a network. When a user presents his certificate, the system looks at the mapping and determines which account should be logged on.
This guide outlines different approaches to this topic. It covers the manner in which IIS and Active Directory can be prepared for client authentication and the use of client authentication with the Internet Explorer.
For a PKCS #11 environment with Mozilla Firefox, the user certificate mapping and client authentication are also covered.
©Infineon Technologies AG