Digital Certificates and Secure Web Access
Source: くみこみックス
Introduction
This report describes the use of digital certificates as a mechanism for strongly authenticating customers to web sites where identity is essential. Before the advent of digital certificates, the only option for authenticating users to a site was to assign a username and password. Digital certificates, on the other hand, offer much more robust access control and have a number of advantages over username and password.
Username and password authentication
With username and password the process is generally as follows: each time a user wishes to access a web service, the user navigates to the site and authenticates to the application with a unique username and password. This information is passed to the server (hopefully in encrypted form); the application looks up the username and the password (or a representation of the password) in some form of access control list, and if the information matches the user is granted access.
This strategy has some obvious limitations:
* The username and password are passed over the web (encrypted or unencrypted), with the usual risk of interception.
* The systems administrator commonly has unrestricted access to all usernames and passwords, with associated security and liability concerns for the service provider (particularly where confidential data is involved).
* The user has to remember as many usernames and passwords as their applications require, leading to inevitable support problems to recover lost access data.
Digital Certificate Authentication
The typical digital certificate web access process is:
The user navigates to the site. Before permitting access, the site checks the certificate against the access database. The user enters the password locally to confirm their right to use the certificate and is admitted to the site.
Advantages of certificates over username and password:
* Overall security is improved: the user needs both the certificate itself and the password to the certificate to gain access.
* The password is never passed over the web, not even during account set-up.
* At no stage do systems administrators have access to user passwords.
* The certificate can electronically sign information on the web site, with the benefit of non-repudiation.
* The user uses one digital identity with one password to access a range of applications (fewer passwords to remember).
Implementing Digital Certificates
All major web servers support client authentication by means of certificates. An SSL certificate on the web server (to support HTTPS) enables configuration of client authentication and only requires specification of the access rights for each directory served by the web server. Amend the web application to support client authentication by certificates: if any code was developed to handle username and password, the certificate credentials can be looked up in an access control list in just the same way. Client certificates are issued by means of a Public Key Infrastructure (PKI); you can implement your own or use the services of a Managed Service Provider such as Diginus Ltd.
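The two lookups described above (the password check in the username-and-password section and the certificate lookup "in just the same way" here) side by side, as an added example that is not code from the original article. It assumes a deployment in which a TLS-terminating reverse proxy verifies the client certificate against the organisation's CA and forwards the verification result, the subject DN and the certificate fingerprint to the application as request headers; the header names, the ACL contents and the fingerprint value are constructed for illustration. In the certificate path the application never receives a password: the user unlocks the private key locally and only the certificate is presented.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# --- Password path: the ACL stores a representation of the password ----------
PBKDF2_ITERATIONS = 600_000


def make_password_record(password: str) -> Dict[str, bytes]:
    """Store a salted PBKDF2-HMAC-SHA256 hash rather than the password itself,
    so that even an administrator reading the ACL cannot recover passwords."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_password(record: Dict[str, bytes], candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


# --- Certificate path: the ACL is keyed by certificate fingerprint -----------
@dataclass(frozen=True)
class AclEntry:
    subject_dn: str          # DN enrolled when the certificate was issued
    roles: FrozenSet[str]


# Constructed sample fingerprint (SHA-1, lowercase hex, no separators); not a real certificate.
ALICE_FINGERPRINT = "0123456789abcdef0123456789abcdef01234567"
CERT_ACL: Dict[str, AclEntry] = {
    ALICE_FINGERPRINT: AclEntry("CN=Alice Example,O=Example Ltd", frozenset({"customer"})),
}


def normalise_fingerprint(raw: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex without separators,
    so the lookup does not depend on how the proxy formats the value."""
    return raw.replace(":", "").strip().lower()


def certificate_identity(headers: Dict[str, str]) -> Optional[AclEntry]:
    """Map the forwarded client-certificate headers (assumed names) to an ACL entry.

    Fails closed: a missing header, a verification result other than SUCCESS,
    an unknown fingerprint, or a DN that differs from the enrolled one all deny.
    """
    if headers.get("X-SSL-Client-Verify") != "SUCCESS":
        return None
    entry = CERT_ACL.get(normalise_fingerprint(headers.get("X-SSL-Client-Fingerprint", "")))
    if entry is None:
        return None
    # The DN is bound to the fingerprint at enrolment; a mismatch means the
    # proxy and the ACL disagree about who this certificate belongs to.
    if headers.get("X-SSL-Client-S-DN") != entry.subject_dn:
        return None
    return entry


def is_authorised(headers: Dict[str, str], required_role: str) -> bool:
    """Same shape as a password-based check: identify, then consult the ACL."""
    entry = certificate_identity(headers)
    return entry is not None and required_role in entry.roles


if __name__ == "__main__":
    record = make_password_record("correct horse battery staple")
    print("password ok:", check_password(record, "correct horse battery staple"))
    request = {
        "X-SSL-Client-Verify": "SUCCESS",
        "X-SSL-Client-Fingerprint": "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67",
        "X-SSL-Client-S-DN": "CN=Alice Example,O=Example Ltd",
    }
    print("certificate ok:", is_authorised(request, "customer"))
```

The forwarded headers are only trustworthy if the proxy is the sole path to the application and it overwrites any copies of those headers a client sends, otherwise a client could assert a verification result it never earned; that is a configuration check worth making before relying on this pattern.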
Wider Use
Once customers or employees have digital certificates, the same certificates can be used to digitally sign e-mail, PDF and web forms, and Microsoft Word documents. With a few small steps a corporate web site can be transformed into the centre of a powerful web services infrastructure, with single sign-on to multiple web applications, signed e-mail and forms data exchange, all the time knowing exactly who is accessing the resources and information.