Reputation: 2639
Preventing Undesired Copying of X509 Certificates to Authenticate Other Computers
I'm asking this question because I have gone through the tutorial posted here:
Preventing Duplication of the x509 Certificate Used on a WCF Client?
And I am not understanding why the client couldn't just go to another computer and install the Root CA and install the Public CA to connect from a different computer?
I want to be able to install a certificate on a client's computer that only authorizes that computer to connect to the WCF service. If they "buy" another certificate, I would create it off the Root CA and install it on the other computer they want which would now authorize that computer (2 computers can now connect to this service ONLY).
How does the posted method prevent a different computer from being authenticated if the client just copies the Root CA and Public CA and installs it onto a different computer?
Upvotes: 2
Views: 430
Answers (1)
Reputation: 46080
You can install end-user certificate to Windows certificate storage and when installing the certificate, specify that the private key should be non-exportable. Such key can not be exported and thus copied (at least in theory). Next, you can give the user a hardware with the key -- a USB cryptotoken or smartcard. Such hardware also doesn't let private keys to be exported from the device, yet you need to be aware of this attack.
Upvotes: 3
Related Questions
- X.509 certificates on WCF?
- Secure WCF via X.509 certificate with BinarySecurityToken
- Using X509Certificates to secure WCF services
- How to set x509certificate in a WCF client?
- Disable wcf x509 certificate, using clientCredentialType="UserName"
- WCF Authentication - X509 Certificate
- WCF Message security using certificates -
- WCF and authentications requiring certificates?
- Preventing Duplication of the x509 Certificate Used on a WCF Client?
- How to configure a WCF service to only accept a single client identified by a x509 certificate