kwilliamson

Reputation: 61

Unique Certificate Authentication and REST service

I am gathering information for implementing a certificate authentication scheme for a system that requires mobile device clients to be authenticated with a certificate before they can be granted access to services used by the system. I am looking for possible solutions that would allow me to issue unique certificates to trusted users of the system so they can be used with their mobile device, in addition to other login credentials.

Specifically, there is a WCF REST service that would be consumed by a mobile application on the client device, such as an Android application, and would need to check to see if the client has the correct certificate and has valid user credentials provided by the user. Also, security in this case is key and of high concern.

My questions are, in a scenario like the one just described, is it possible to implement unique certificate authentication with a high regard for security? If not, what are the different alternatives or the best way for this to be achieved?

Additionally, for individually issued certificates that are used for PIV/CAC Cards, is there a way to leverage those certificates for authentication using mobile devices?

Upvotes: 4

Views: 675

Answers (1)

Brandon Bearden

Reputation: 850

Security of this nature is always a difficult issue to tackle. One of the main methods for something of this nature would be to use a Diffie-Hellman key exchange to first establish a key system. Each user would have their own unique key and only the initial handshake would be process intensive. Then, at this point you could run any number of cryptographic algorithms in order to verify the keys each time you authenticate.

So, this begs the question of how to establish the key in the first place before you send it and what unique information you can use to create a key on the mobile client side. This leads us down a gray path because there are many different ways to do this and all have their own considerations. For example, you could use the native architecture of the Android OS to get a unique ID of the phone or the user's Google Play account ID to use as a hash in the original key. However, keep in mind that Diffie-Hellman is anonymous, so you need a way to first authenticate the user BEFORE you exchange keys with them. Afterwards, though, you can just use the signed requests.

Basically, this delves into an area of security that needs to be well thought out utilizing the given resources and knowing you are on a mobile platform, you need to keep the CPU cycles low which means no intensive crypto algos. The method above is just one such solution you can implement.

Also, if you do develop an Android application, this authentication can easily be done through the application interface by push. You can basically push a cert to the application that either invokes or revokes access, so that should be the most simple route. If you want to use this on a Symbian OS then you are going to have to do more work like what I described above. Also, since you are basically asking for a sign-on and not full encryption, the overhead for a key signing system shouldn't be too difficult but may become tricky to implement cross-platform.

Hope that gives you a starting point to further research and ideas.

Upvotes: 1
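The handshake the answer describes, worked through as an added example (this is not code from the question or the answer): an ephemeral Diffie-Hellman exchange that is authenticated by the user's long-term credential, followed by HMAC-signed REST requests under the resulting session key. Because Python's standard library has no signature primitive, the per-user credential is modelled as a secret the server already holds for that user, a stand-in for the unique client certificate the question asks about; with certificates, the transcript tag below would be a signature under the user's certificate key instead of an HMAC. The user table, user ID, request path and bodies are constructed sample data, and the group 14 constant is quoted from RFC 3526 and should be checked against the RFC before use.

```python
"""Authenticated Diffie-Hellman handshake followed by HMAC-signed REST requests."""
import hashlib
import hmac
import secrets
import time

# 2048-bit MODP group 14 from RFC 3526, generator 2 (verify the constant against the RFC).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

# Constructed sample user table: the per-user long-term secret the server holds.
# Stand-in for a per-user certificate key; with certificates the transcript tag
# below would be a signature rather than an HMAC.
USERS = {"alice@example.test": secrets.token_bytes(32)}


def dh_keypair():
    """Ephemeral key pair: 320-bit private exponent, public value g^x mod p."""
    x = secrets.randbits(320)
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Derive the shared value, rejecting degenerate public values (0, 1, p-1)."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P)


def session_key(shared):
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def transcript_tag(user_secret, user_id, client_pub, server_pub):
    """MAC over the handshake transcript under the user's long-term credential.
    This is what makes the otherwise anonymous exchange authenticated: whoever
    substitutes a public value changes the transcript and invalidates the tag."""
    msg = user_id.encode() + client_pub.to_bytes(256, "big") + server_pub.to_bytes(256, "big")
    return hmac.new(user_secret, msg, hashlib.sha256).digest()


def handshake(user_id, user_secret, attacker=False, authenticated=True):
    """Run the exchange, optionally through an active attacker who substitutes
    his own DH value in both directions. Returns what each party ended up with."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()  # attacker's ephemeral key, used only if attacker=True
    pub_at_server = m_pub if attacker else c_pub  # value the server receives
    pub_at_client = m_pub if attacker else s_pub  # value the client receives
    client_key = session_key(dh_shared(c_priv, pub_at_client))
    tag = transcript_tag(user_secret, user_id, c_pub, pub_at_client)
    server_key = session_key(dh_shared(s_priv, pub_at_server))
    expected = transcript_tag(USERS[user_id], user_id, pub_at_server, s_pub)
    accepted = hmac.compare_digest(tag, expected) if authenticated else True
    attacker_key_with_client = session_key(dh_shared(m_priv, c_pub))
    return {
        "accepted": accepted,
        "keys_match": client_key == server_key,
        "attacker_shares_client_key": attacker and attacker_key_with_client == client_key,
        "client_key": client_key,
    }


def sign_request(key, method, path, body, nonce=None, ts=None):
    """Sign one REST request with the session key; timestamp and nonce are
    covered so the server can bound replay."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = f"{method}\n{path}\n{ts}\n{nonce}\n".encode() + hashlib.sha256(body).digest()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class RequestVerifier:
    """Server-side check: fresh timestamp, unseen nonce, matching signature."""

    def __init__(self, key, max_skew=300):
        self.key, self.max_skew, self.seen = key, max_skew, {}

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        ts, nonce = int(headers["X-Timestamp"]), headers["X-Nonce"]
        # Forget nonces too old to be replayed inside the skew window.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if abs(now - ts) > self.max_skew or nonce in self.seen:
            return False
        expected = sign_request(self.key, method, path, body, nonce, ts)["X-Signature"]
        if not hmac.compare_digest(expected, headers["X-Signature"]):
            return False
        self.seen[nonce] = ts
        return True
```

Running `handshake(uid, secret, attacker=True, authenticated=False)` shows the answer's warning in action: the bare exchange is accepted and the attacker holds the client's session key, whereas `handshake(uid, secret, attacker=True)` is rejected because the tag was computed over a different transcript than the server saw. In a deployment, TLS with client certificates performs this authenticated exchange for you, and the unique per-user certificate takes the place of the shared secret used here.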
