Digital Certificates and Secure Web Access
by Jonathan Gay BA (hons) CISA MBCS
Introduction
This paper describes the use of Digital Certificates as a mechanism for
strongly authenticating users to web sites where identity information is
required. Before the advent of digital certificates the only option for
authenticating users to a site was to assign a username and password.
Digital certificates on the other hand provide for much more robust
access control and have a number of benefits over username and password.
Username and password authentication
Using username and password, the process is generally as follows: each
time a user wishes to access a web service, the user navigates to the
site and authenticates to the application using a unique username and
password. This data is passed to the server (hopefully in encrypted
form); the application looks up the username and the password (or a
representation of the password) in some form of access control list
and, provided the information matches, the user is granted access.
This method has some obvious limitations:
* The username and password are passed over the web (encrypted or
unencrypted), with the usual security concerns about interception.
* The systems administrator normally has unrestricted access to all
usernames and passwords, with associated security and liability concerns
for the service provider (especially where confidential data is held).
* The user needs to remember as many usernames and passwords as their
applications require, leading to inevitable support calls to recover
lost access credentials.
Digital Certificate Authentication
The typical digital certificate web access process is:
The user navigates to the website. Before allowing access, the web
server checks the user's certificate against the access database. The
user enters the password locally to confirm their right to use the
certificate and is then allowed access to the website.
Benefits of certificates over username and password:
* General security is enhanced: the user needs both the certificate
itself and the password to the certificate to gain access.
* The password is never passed over the web, not even during account
set-up.
* At no stage do systems administrators have access to user passwords.
* The certificate can electronically sign data on the website with the
benefit of non-repudiation.
* The user uses one digital identity with one password to access a range
of applications (reduces passwords to remember).
Implementing Digital Certificates
All major web servers support client authentication via certificates. An
SSL certificate on the web server (to support https) enables
configuration of client authentication, which then only requires
specifying the access rights for each directory served by the web
server. Amend the web application to support client authentication by
certificates: if any code was developed to handle username and
password, then the certificate credentials can be looked up in an access
control list in just the same way. Client certificates are issued via a
Public Key Infrastructure (PKI). You can choose to implement your own or
use the services of a Managed Service Provider such as Diginus Ltd.
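The following is an added example, not code from this paper or from Diginus Ltd, showing the access process described above and the access-control-list lookup that replaces the username/password table. It uses only the Go standard library: the web server requires a client certificate chained to the corporate CA (the TLS layer's check), and the application then looks the certificate up in an ACL keyed by its SHA-256 fingerprint (one reasonable choice of credential; the paper does not prescribe a key). The issueCert helper stands in for a real PKI, the identities (alice, bob, the two CAs) are constructed for the example, and the server's own certificate is the localhost certificate that Go's httptest package supplies. Three clients are tried: one enrolled in the ACL, one holding a valid but unenrolled certificate, and one whose certificate comes from a CA the server does not trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// ACL maps an enrolled client certificate's SHA-256 fingerprint to its role, replacing the username/password table.
type ACL map[string]string

// Fingerprint returns the hex SHA-256 digest of a certificate's DER encoding.
func Fingerprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
}

// Authorize looks up a client certificate whose chain the TLS layer has already verified against the trusted CA.
func Authorize(state *tls.ConnectionState, acl ACL) (role string, ok bool) {
	if state != nil && len(state.PeerCertificates) > 0 {
		role, ok = acl[Fingerprint(state.PeerCertificates[0])]
	}
	return role, ok
}

// issueCert stands in for a PKI: an Ed25519 certificate for cn, signed by parent (self-signed when parent is nil).
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// RunScenario starts an HTTPS server that requires client certificates and
// returns each client's HTTP status, or 0 when the TLS handshake was refused.
func RunScenario() map[string]int {
	ca, caKey := issueCert("Example Corporate CA", true, nil, nil)
	otherCA, otherKey := issueCert("Some Other CA", true, nil, nil)
	alice, aliceKey := issueCert("alice@example.test", false, ca, caKey)
	bob, bobKey := issueCert("bob@example.test", false, ca, caKey)
	imp, impKey := issueCert("alice@example.test", false, otherCA, otherKey)
	acl := ACL{Fingerprint(alice): "staff"} // constructed: only alice has been enrolled
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the only issuer whose client certificates are accepted
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if role, ok := Authorize(r.TLS, acl); ok {
			fmt.Fprintf(w, "welcome %s (%s)\n", r.TLS.PeerCertificates[0].Subject.CommonName, role)
			return
		}
		http.Error(w, "certificate not enrolled", http.StatusForbidden)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS() // httptest supplies the server's own localhost certificate
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	try := func(cert *x509.Certificate, key ed25519.PrivateKey) int {
		client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
			RootCAs:      roots,
			Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		}}}
		resp, err := client.Get(srv.URL)
		if err != nil {
			return 0 // refused during the handshake: the request never reached the application
		}
		resp.Body.Close()
		return resp.StatusCode
	}
	return map[string]int{"enrolled": try(alice, aliceKey), "unenrolled": try(bob, bobKey), "foreign-ca": try(imp, impKey)}
}

func main() {
	fmt.Println(RunScenario()) // map[enrolled:200 foreign-ca:0 unenrolled:403]
}
```

Two points from the paper are visible in the run: the certificate password is never involved on the server side (the client unlocks its private key locally, the server only ever sees the certificate), and the server holds no secret for any user, only fingerprints that are safe to store in the clear. Note also the two distinct refusals: a certificate from an untrusted issuer is rejected by the TLS layer before any application code runs, while a properly issued but unenrolled certificate reaches the application and is refused by the ACL, just as an unknown username would be.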
Wider Use
Once customers or employees have digital certificates, the same
certificates can be used to digitally sign email, PDF and web forms and
Microsoft Word documents. With a few small steps a corporate website can
be transformed into the centre of a powerful web services
infrastructure, with single sign on to multiple web applications, signed
email and forms data exchange, all the time knowing exactly who is
accessing the resources and data.
About the Author
Jonathan Gay BA (hons) CISA MBCS is an IS Security professional
specialising in identity management and Public Key Infrastructure (PKI)
related matters. Jonathan works for Diginus Ltd, the e-identity solutions
company.
You can contact Jonathan via the Diginus Ltd web site www.diginus.com