CodeMeter speaks X.509
Server certificates are a familiar sight. They give users confidence that they are on the right website and have not fallen prey to a phishing attack. Client certificates, by contrast, still receive little attention. The wider public virtually ignores them, even though they are a simple, secure, and standards-compliant means of authenticating users. This is particularly true when they are stored on secure hardware such as CmDongles.
Authentication with certificates
The user holds a private key and a matching certificate. During the handshake and key exchange, the user signs the hash of the message with that private key. The signature and the client certificate are then sent to the server, which verifies both. If both are valid, the identity of the user can be read from the certificate and used.
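The sign-and-verify exchange just described, as an added Go example that is not part of the original article or of the CodeMeter/CSSI software: it uses Go's standard crypto/x509 package, substitutes a freshly generated 2048-bit RSA key and self-signed client certificate (constructed demo material) for the dongle-held credential, has the client sign the hash of a handshake message, and has the server check the certificate against its trusted roots and verify the signature before reading the identity out of the certificate. The function names NewClient, Sign and Authenticate are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewClient stands in for the token: a 2048-bit RSA key and a self-signed client certificate for cn (constructed demo material).
func NewClient(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Sign is the client step: hash the handshake message and sign the digest with the private key.
func Sign(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// Authenticate is the server step: the certificate must chain to a trusted root and be valid for client auth, and the signature must verify under its public key; only then is the identity taken from it.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, msg, sig []byte) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, msg, sig); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

A tampered message or a certificate the server does not trust is rejected before any identity is read, which is the order of checks the paragraph above relies on.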
There are many versatile uses for certificates, including:
- Email certificates to sign and encrypt emails
- Client certificates to authenticate end user devices in IT networks
- OPC UA certificates
- User certificates for authentication on computers and in networks
There are many different software products that rely on certificates, such as mail clients or web browsers. At the same time, several providers offer secure hardware that can be used to store certificates or, in many cases, purely software-based storage solutions. The following interface standards have been established to ensure a reasonable degree of interoperability between all of these systems:
- PKCS#11 for all computer platforms
- Microsoft Crypto Service Provider (CSP) for Windows
- Token Daemon (tokenD) for Apple OS X
Certificates on CmDongles
CodeMeter includes a PKI client application as an add-on module (Charismatics Smart Security Interface - CSSI). The CSSI middleware comes with a Microsoft CSP and a PKCS#11 interface, which makes the private keys and certificates stored on CmDongles available to almost all applications, including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari, and Microsoft Outlook.
A CmDongle can store up to 8 private keys and their matching certificates, using RSA keys of up to 2048 bits. A private key can either be imported from an external source (in the .pfx or .p12 format) or generated directly inside the CSSI middleware. It is stored in dedicated secret data fields on the dongle, where it cannot be read out.
The CSSI middleware can generate a Certificate Signing Request (CSR) for submission to a certificate issuer and then import the certificate issued in response. Alternatively, it can create a self-signed certificate itself.
KEYnote 29 – Edition Spring 2015