Digital Certificates And Secure Web Access


Introduction

This article describes the use of digital certificates as a mechanism for strongly authenticating users to web sites where identity information is required. Before the advent of digital certificates, the only option for authenticating users to a site was to assign a username and password. Digital certificates, on the other hand, provide much more robust access control and have a number of benefits over a username and password.

Username and password authentication

With a username and password the process is generally as follows: each time a user wishes to access a web service, the user navigates to the site and authenticates to the application using a unique username and password. This data is passed to the server (hopefully in encrypted form); the application looks up the username and the password (or a representation of the password, such as a hash) in some form of access control list and, provided the information matches, the user is granted access.

This method has some obvious limitations:

* The username and password are passed over the web (encrypted or unencrypted), with the usual risk of interception.
* The systems administrator normally has unrestricted access to all usernames and passwords, with the associated security and liability concerns for the service provider (especially where confidential data is involved).
* The user needs to remember as many usernames and passwords as their applications require, leading to inevitable support issues to recover lost credentials.

Digital Certificate Authentication

The typical digital certificate web access process is:

The user navigates to the website. Before allowing access, the site checks the presented certificate against its access database. The user enters the password locally to confirm their right to use the certificate and is then allowed into the website.

Benefits of certificates over username and password:

* General security is enhanced: the user needs both the certificate itself and the password to the certificate to gain access.
* The password is never passed over the web, not even during account set-up.
* At no stage do systems administrators have access to user passwords.
* The certificate can electronically sign data on the website, with the benefit of non-repudiation.
* The user uses one digital identity with one password to access a range of applications, reducing the number of passwords to remember.

Implementing Digital Certificates

All major web servers support client authentication via certificates. An SSL certificate on the web server (to support HTTPS) enables client authentication to be configured; beyond that, only the access rights for each directory served by the web server need to be specified. The web application is then amended to support client authentication by certificates: if any code was developed to handle a username and password, the certificate credentials can be looked up in an access control list in just the same way. Client certificates are issued via a Public Key Infrastructure (PKI). You can choose to implement your own or use the services of a Managed Service Provider such as Diginus Ltd.
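An added example, not from the original article, of the access-control lookup just described in Python: the web server has already verified the client certificate's chain, and the application keys its access control list on the certificate's issuer and subject DN in place of a username. The certificate dict (in the shape `ssl.SSLSocket.getpeercert()` returns), the DNs, the ACL and the revoked serial are all constructed assumptions.

```python
import ssl
import time

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert()
# after the web server has verified the chain; all names and DNs are made up.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Example Corp"),),
                (("commonName", "Alice Smith"),)),
    "issuer": ((("countryName", "GB"),), (("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Issuing CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2034 GMT",
    "serialNumber": "0A1B2C",
    "version": 3,
}

# Hypothetical access control list: the certificate's subject DN replaces the
# username as the lookup key; the value is the set of paths the holder may reach.
TRUSTED_ISSUER = "C=GB,O=Example Corp,CN=Example Corp Issuing CA"
REVOKED_SERIALS = {"DEADBEEF"}  # serials withdrawn since issuance (constructed)
ACL = {
    "C=GB,O=Example Corp,CN=Alice Smith": {"/", "/reports"},
    "C=GB,O=Example Corp,CN=Bob Jones": {"/", "/reports", "/admin"},
}

SHORT = {"countryName": "C", "organizationName": "O",
         "organizationalUnitName": "OU", "commonName": "CN"}

def dn_string(rdns):
    """Flatten getpeercert()'s nested RDN tuples into 'C=GB,O=...,CN=...'."""
    return ",".join(f"{SHORT.get(k, k)}={v}" for rdn in rdns for k, v in rdn)

def authorize(cert, path, now=None):
    """True only if the presented client certificate grants access to `path`.
    Matches the full issuer and subject DN, not the CN alone, so a look-alike
    CN issued by another CA cannot collide with a legitimate entry."""
    if not cert:
        return False  # handshake completed without a client certificate
    now = time.time() if now is None else now
    # TLS already checked the validity window; re-checking keeps the decision
    # correct for long-lived connections and resumed sessions.
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        return False
    if dn_string(cert["issuer"]) != TRUSTED_ISSUER:
        return False  # only certificates from our own PKI are honoured
    if cert.get("serialNumber", "").upper() in REVOKED_SERIALS:
        return False  # revoked: the ACL entry may still exist but must not match
    return path in ACL.get(dn_string(cert["subject"]), set())
```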

Wider Use

Once customers or employees have digital certificates, the same certificates can be used to digitally sign email, PDF and web forms, and Microsoft Word documents. With a few small steps a corporate website can be transformed into the centre of a powerful web services infrastructure, with single sign-on to multiple web applications and signed email and forms data exchange, all the time knowing exactly who is accessing the resources and data.
