EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Can I authenticate users by smart card or another certificate?

#35505
Posted: 01/11/2016 13:38:50
by Thiago Lima de Vargas (Basic support level)
Joined: 01/11/2016
Posts: 4

I want to do authentication on my website by smart card, token, etc. in ASP.NET. Can I do this with SecureBlackBox?

Thanks
#35506
Posted: 01/11/2016 13:59:07
by Eugene Mayevski (EldoS Corp.)

What you are asking about can be performed in several ways:

1) Client-side authentication during the TLS handshake (the one that is part of the HTTPS protocol). If you have ASP.NET, this activity is under IIS control. You can set up IIS to request client-side certificates, and *as I understand it* (no experience, the approach needs to be investigated) you can make IIS accept all certificates and let you do the checks in your code. Such additional checks can be done with SecureBlackbox, though it's not exactly required in this scenario (basic checks can be done with IIS itself and with .NET cryptography classes, and SecureBlackbox is needed for more sophisticated checks).

2) Authentication by signing something (say, the HTTP request header) with the certificate located on the client side. This approach is not native to HTTP, and while it's doable relatively easily, both the client and the server must support it. With SecureBlackbox this is doable in maybe a dozen or two lines of code on each side of the communication.

3) Signing the data that you post from the client. Here the signature is not a part of the HTTP request but part of the payload (the data you post). The scheme is not much different from (2), but unlike in (2) you can do such signing either in the client application or, if the request is done from the browser, using a Java applet or JNLP (a Java application started from the browser).


Sincerely yours
Eugene Mayevski
#35515
Posted: 01/12/2016 06:45:25
by Thiago Lima de Vargas (Basic support level)
Joined: 01/11/2016
Posts: 4

This is my scenario:

The user enters my web application and has to authenticate in it. For this, he has to use his USB token, smart card, etc.

I've downloaded a sample that signs a PDF file using the "SBDCSigner.ocx". Before signing, the user has to choose the certificate and, if it is a USB token, a PIN screen pops up to type the password; if OK, the PDF file is signed.

This "SBDCSigner.ocx" would be great for me, but the component requires the Data parameter and I want to use this only for authentication.
#35516
Posted: 01/12/2016 06:59:19
by Eugene Mayevski (EldoS Corp.)

In the case of authentication, distributed cryptography would work; however, to make it secure and prevent replay attacks you need to send some unique data for each session and have the client sign this unique data. Then, when the client submits the signed block back, you check the data and accept or reject the authentication.


Sincerely yours
Eugene Mayevski
#35517
Posted: 01/12/2016 07:06:18
by Thiago Lima de Vargas (Basic support level)
Joined: 01/11/2016
Posts: 4

Understood, but to use it only for authentication, I have to sign something? What kind of information can I sign to prevent this?

Thanks
#35519
Posted: 01/12/2016 07:25:27
by Eugene Mayevski (EldoS Corp.)

Anything that is (a) unique and (b) retrievable locally when the client sends the signature.

For example, you can generate a GUID, save it in the server-side session data, then initiate the authentication. When the user sends the signed GUID back, you compare the payload in the signed data with the GUID that you saved in the server-side session data.


Sincerely yours
Eugene Mayevski
#35522
Posted: 01/12/2016 07:52:43
by Thiago Lima de Vargas (Basic support level)
Joined: 01/11/2016
Posts: 4

Thank you very much!! I will do a sample here to try this!!!
