After reading the other postings on this thread, I think I
see what you're getting at. You need a combination of two
items and a 2-phase authentication process to get the
assurance you're seeking:
1) A token-based credential per user, using a smartcard and
a digital certificate for Client-Auth. Your application
will use this to establish an SSL session in phase 1; and
2) A GPS card in the PC which your application will interact
with to get its physical GPS coordinates and then relay
this as a signed message in phase 2 of the auth process.
The message will be signed by the private key of the user
who just established the SSL session with the application,
which will corroborate the phase-1 authentication.
Your application would receive the latitude/longitude values
and verify that these coordinates matched up with the list
of authorized PCs to establish an authenticated session.
This mechanism can still be attacked because the smallest
GPS measurement - a second - equates to approximately 100
feet. So, someone could move the GPS card from one PC to
another in the same location and then log in from that PC
(which might defeat what you're attempting to achieve).
This is about the closest you can get without the use of a TPM
chip. What the TPM gives you is a keystore that is embedded on
the motherboard by the manufacturer and which cannot be moved
from one PC to another.
Hope that helps.
Arshad Noor
StrongAuth, Inc.
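The phase-2 check described above, written out as an added example (this is not code from the thread or from StrongAuth). It assumes a software ECDSA key standing in for the smartcard key, a constructed JSON message format, a constructed list of registered terminals, and a one-arc-second tolerance matching the ~100 ft figure above; the server-issued nonce ties the signed fix to the phase-1 session so an old message cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"math"
)

// Phase2Message is a constructed wire format: the GPS fix plus the nonce the
// server issued on the phase-1 TLS session, so an old message cannot be replayed.
type Phase2Message struct{ Lat, Lon float64; Nonce string }

// Terminal is one authorized PC and its registered position.
type Terminal struct{ Name string; Lat, Lon float64 }

// AuthorizedTerminals is constructed sample data, not a real site list.
var AuthorizedTerminals = []Terminal{{"terminal-7", 53.3498, -6.2603}, {"terminal-9", 51.5074, -0.1278}}

// toleranceDeg is one arc-second (~100 ft); any PC inside that radius is indistinguishable.
const toleranceDeg = 1.0 / 3600.0

// NewDeviceKey stands in for the smartcard key pair (software key, demo only).
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignPhase2 (client side): serialize the fix and sign its digest with the phase-1 key.
func SignPhase2(priv *ecdsa.PrivateKey, msg Phase2Message) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(msg); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(payload)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return payload, sig, err
}

// VerifyPhase2 (server side): the signature must verify under the public key of the
// phase-1 client certificate, the nonce must be this session's, and the fix must lie
// within tolerance of a registered terminal. Returns the matched terminal's name.
func VerifyPhase2(pub *ecdsa.PublicKey, nonce string, payload, sig []byte, terminals []Terminal) (string, bool) {
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", false // not signed by the key that authenticated in phase 1
	}
	var msg Phase2Message
	if json.Unmarshal(payload, &msg) != nil || msg.Nonce != nonce {
		return "", false // malformed, or replayed from another session
	}
	for _, t := range terminals {
		if math.Abs(t.Lat-msg.Lat) <= toleranceDeg && math.Abs(t.Lon-msg.Lon) <= toleranceDeg {
			return t.Name, true
		}
	}
	return "", false // valid signer, but not at any registered terminal
}
```

Note that the tolerance check is exactly where the weakness described above lives: a second PC inside the same arc-second passes this test just as the registered one does.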
Denis McCarthy wrote:
Hello Arshad,
Thanks for the email. I suppose the one thing I'd like to stress again
is that we wish to authenticate a machine, not a user. Many users may
log in to a certain machine (via a username and password that we would
issue). What we need to do on our system is to ensure that the user
logging in is valid to log in on that particular computer ('terminal' as
our customer calls them). The terminal itself is connected to the
company that the user works for in our database.
Regards
Denis
On Fri, Jan 30, 2009 at 12:08 AM, Arshad Noor
<[email protected]> wrote:
Denis,
You have already made the appropriate leap to this conclusion.
I was going to suggest that there is something atypical about
your application architecture if you're relying on authentication
of the *machine* without the use of a hardware token - such as a
smartcard, TPM chip, etc.
What you want are FIPS 140-2 Level 2 (or above) certified crypto
tokens that generate keys on-board and store the certificate of
the user on the token (in addition to the browser). The private
key, however, never leaves the token, thus ensuring its security.
Once your customers are issued these tokens with their personal
certificates, they can use them on any PC they desire (assuming
that the PC has been configured with the appropriate CA cert-chain).
If you absolutely need to rely on authenticating the PC, then
the only option you have is the TPM chip, because it is built
with the chip on the motherboard by the manufacturer.
As an aside, StrongAuth, Inc., the company I represent, has been
in the business of architecting, building & operating some of the
largest closed-PKIs in the world for enterprises, with the use of
crypto-tokens. Most recently, we built a PKI for a bio-technology
company that embedded secure processors with digital certificates
into three different parts of their product, so that they may
strongly authenticate to each other before being used. This was
designed to deter counterfeiters from cloning the consumable part
of their product. The device is currently awaiting FDA approval
before coming to market.
Feel free to get in touch with us, if we can be of any help to you.
Arshad Noor
StrongAuth, Inc.
Denis McCarthy wrote:
Thanks for the suggestion, David. Unfortunately we are not connecting
to an Active Directory domain - our application has to go out over the
internet. I did a bit of fiddling with the certificates snap-ins, but
Microsoft only makes certificates installed in the user account
available to IE. One other thing I've been mulling over - is it
possible to get a cheap piece of hardware (i.e. a dongle of some sort)
that you can put an X509 certificate on? If so, could anyone point me
in the direction of a company that provides such a product?
Regards
Denis
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto