Re: questions on security API and security



Hello Laszlo,

Thank you for your response.

I think I was not clear on 2nd question and 3rd question-


In second question I was having the query on how receiver will verify
the certificate that it is coming from correct computer. e.g. if
certificate is bound to IP then receiver will compare the IP of sender
with IP given in certificate but I'm not sure how receiver will verify
the certificate if it is bound to host name. As per my understanding
no other data is send in SSL before handshake and during handshake
receiver only know the IP address not the host name of sender. So
question was how receiver (in my case server) will identify if
certificate is coming from correct source?

In third question I was having the query on how to generate the self
signed certificate because in some cases client might not be having
the signed certificate. But I believe I got the answer for it. There
are some function in crypto API which can be used to generated self-
signed certificate.

Thank you for your time.

Regards,
Gurmit



On Aug 31, 8:23 pm, lelteto <lelt...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
See some responses in-line below.

Laszlo Elteto
SafeNet, Inc.

"Gurmit Teotia" wrote:
Hello All,

I’m first time using Crypto API in my application. I’ve some
questions; I’d appreciate if I can get some help on them.

1. In normal usage it is server that send certificate to client and
then they start encryption and decryption process but in my case it is
client that has certificate not the server. Is that a valid case where
client send the certificate not the server and security frameworks
support such usages? In my case application software, act as client,
will communicate with multiple devices, acting as server.

[LE] It depends on the security reason. In your case the (server) devices
want to make sure that the client is authenticated before granting access to
the server. Certificate-based authentication of clients is much better than
simple password authentication, so you are doing the right thing.

2.How a party (in my case server) will decide that the certificate is
coming from correct client. I’m aware of concept (but not crystal
clear) that certificates are bind to either IP address or domain
name.

[LE] The point of certificate based authentication is not just the
certificate. The client (your sw acting as) also needs the PRIVATE KEY
corresponding to the certificate. The way you authenticate:
- cleint sends the cert to server
- server validates the certificate (via the certificate chain up to a
trusted root cert)
- server generates a RANDOM chellenge and sends it to the client
- client SIGNS the random challenge with its private key and sends the
signature to the server
- server extracts the public key from the certificate and verifies the
response
- if the signature is valid, the client is authenticated

3. I’ll be installing a default certificate during installation,
incase user does not have his own signed certificate. How can I
generate that certificate? I know of “makecert” utility but I believe
it is not redistributable.

[LE] the process starts with generating a private+public key pair. You save
the private key (that's what will be used for the client authentication - see
above) and use the public key to generate a certificate request. This cert
request is then sent to a CA (certificate Authority) who signs it,
essentially attesting that the information in it (client data) is valid. The
generated certificate then sent back to the client.

4. On client side I’ll be using Windows Crypto API but device will be
using Open SSL framework. Theoretically both should work without any
problem but just wondering if incompatibilities were discovered in
past.

[LE] This should work fine. The only issue you will encounter is ENDIANNESS.
OpenSSL uses big endian data while CAPI uses little endian. So you will need
to byte-swap the signature before sending it to the server.





Thank you for your time.

Regards,
Gurmit- Hide quoted text -

- Show quoted text -

.