EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Check certificate validity time with ElX509CertificateValidator

#22283
Posted: 10/31/2012 11:16:00
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

I tried to figure out how the ElX509CertificateValidator checks the certificate validity time! According to the experiment, the validity reason changed as I changed the system time. As the system time is set after valid-to, the certificate is expired. On the contrary, we could also make the certificate not valid yet.

In other words, the client-side validation of time validity could rely on comparing with the local system time, and could be manipulated easily. What should I do to avoid the risk?
#22284
Posted: 10/31/2012 11:20:56
by Eugene Mayevski (EldoS Corp.)

Which risk are you talking about when the user intends to fool the check (and consequently fool himself)?


Sincerely yours
Eugene Mayevski
#22285
Posted: 10/31/2012 11:22:41
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

In general, local system time manipulations should be forbidden for non-administrative users in secure environments.

However, you can synchronize a local time with some trusted time server before validation.
#22286
Posted: 10/31/2012 12:01:48
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

We are not able to control user-intended manipulation in order to pass the validation. After all, our certificate validation is deployed as a client-side Component Object Model (COM), and our web system authentication actually depends on the client-side certificate validation result!

Quote
Vsevolod Ievgiienko wrote:
Thank you for contacting us.

In general, local system time manipulations should be forbidden for non-administrative users in secure environments.

However, you can synchronize a local time with some trusted time server before validation.
#22287
Posted: 10/31/2012 12:08:30
by Eugene Mayevski (EldoS Corp.)

Quote
Zack Jhuang wrote:
We are not able to control user-intended manipulation in order to pass the validation. After all, our certificate validation is deployed as a client-side Component Object Model (COM), and our web system authentication actually depends on the client-side certificate validation result!


I am sorry but this is a faulty design. One of the main principles of distributed computing is "don't trust anything you receive from the client". If the user can cheat your server so easily, he will surely do this sooner or later.


Sincerely yours
Eugene Mayevski
#22288
Posted: 10/31/2012 12:40:27
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

So what are the purposes of the ActiveX validator? If we use the Microsoft CryptoAPI (CAPI) to validate the certificate, it's the same mechanism!

And as far as I know, the web page is possibly restricted from accessing the client-side Windows certificate storage (not sure), not to mention the user's private key. If we'd like to sign a document by using the user's private key, we have to make sure of the certificate validity first! All of the steps could just be done through the ActiveX, couldn't they?
#22289
Posted: 11/01/2012 01:29:56
by Eugene Mayevski (EldoS Corp.)

Quote
Zack Jhuang wrote:
If we'd like to sign a document by using the user's private key, we have to make sure of the certificate validity first!


No, you don't have to. Signing without timestamping makes little sense due to the problem you mention, and timestamping is performed on a trusted third-party server which can't be cheated. In other words - the user can sign the data with an expired certificate by changing the clock, but the timestamp will indicate the correct time, and the validator will not accept the signature. To put it simply - it's the job of the signature validator to ensure that the certificate was valid at the time specified *in the timestamp*.


Sincerely yours
Eugene Mayevski
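
The rule described in the reply above, as an added example that is not part of the original thread and is not SecureBlackbox code: a server-side check that judges the signer certificate's validity window at the time in a trusted timestamp, never at the client's clock. The `SignatureEvidence` type, the function names and all dates are constructed for illustration, and the sketch assumes the signature, certificate chain and timestamp token have already been cryptographically verified.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

@dataclass(frozen=True)
class SignatureEvidence:
    """Hypothetical record held by the server after crypto checks passed."""
    not_before: datetime            # signer certificate validity start
    not_after: datetime             # signer certificate validity end
    client_claimed_time: datetime   # signing time reported by the client: untrusted
    tsa_time: Optional[datetime]    # time from a verified trusted timestamp, if any

def reference_time(ev, server_now):
    """Choose the instant to judge validity at; the client's claim is never used."""
    if ev.tsa_time is not None:
        return ev.tsa_time, "timestamp"
    # No timestamp: the only trustworthy clock left is the verifier's own.
    return server_now, "server-clock"

def check_validity(ev, server_now):
    """Return an accept/reject verdict for the certificate validity period."""
    when, source = reference_time(ev, server_now)
    if when < ev.not_before:
        return f"reject: not yet valid at {source} time"
    if when > ev.not_after:
        return f"reject: expired at {source} time"
    return f"accept: valid at {source} time"

# Constructed sample data: certificate valid for 2011, verified on 2012-10-31.
NOT_BEFORE = datetime(2011, 1, 1, tzinfo=UTC)
NOT_AFTER = datetime(2012, 1, 1, tzinfo=UTC)
SERVER_NOW = datetime(2012, 10, 31, tzinfo=UTC)
MID_2011 = datetime(2011, 6, 1, tzinfo=UTC)

def demo():
    cases = {
        # Client rolled its clock back, but the timestamp server records the real time.
        "rolled back, timestamped": SignatureEvidence(NOT_BEFORE, NOT_AFTER, MID_2011, SERVER_NOW),
        # Genuinely signed and timestamped in 2011; still acceptable when checked later.
        "timestamped while valid": SignatureEvidence(NOT_BEFORE, NOT_AFTER, MID_2011, MID_2011),
        # No timestamp at all: fall back to the server clock, not the client's claim.
        "rolled back, no timestamp": SignatureEvidence(NOT_BEFORE, NOT_AFTER, MID_2011, None),
    }
    return {name: check_validity(ev, SERVER_NOW) for name, ev in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```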
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
