Reputation: 53
Certificate based authentication
I'm planning to do a desktop app for secure file exchange in Java. The app needs a reliable authentication method that must guarantee that only authorised users access the system.
In the registration, the users generate a key pair and send their username and public key to the central server of the system. A system admin, which has access to this central server, approves the registration and asks a certificate authority to issue a public key certificate that binds the username to the public key. A x509 certificate is generated and stored at a certificate server.
When the user wants to authenticate, he enters his username and the app creates a digital signature for him, with his private key. This signature is sent to central server, which requests the x509 certificate for the matching private key. If a x509 is found at the certificate server, it sends the certificate for the central server and the user is authenticated.
I think I have the correct idea, but I don't know how to start the implementation in Java. Can you guys give me a few pointers, or correct my ideas if you think I'm a little confused?
Upvotes: 0
Views: 699
Answers (2)
Reputation: 4609
I'd agree with Terry Chia that client auth SSL will give you a fast and easy way to get what you want. Configure your web server with SSL and specifically client authentication, and provide the trusted CAs that the admin will use for signing approved certs.
The Java app will need to use an SSL library and have access to the way to set the credential for the library. I think the default libary for SSL in Java may even do this, and may use the X509Certificate as a way to specify the credential.
What strikes me as odd in your description is that the client is not sending its certificate with the proof of private key (whether you sign it or use SSL, there is a proof of private key as either the signature or the SSL handshake). It's far more typical to have the client say "This is who I am, and here is proof" - ie provide both the X509 Certificate and the proof of private key. I suspect that the server *could• lookup the credential based on the public key, but it would be less efficient.
Upvotes: 1
Reputation: 2162
In your scenario, I don't really see the point of having a certificate authority sign an x509 certificate. It feels needlessly complicated since there isn't a need for a chain of trust.
Instead, I'd look into using something like SSH keys for authentication like what git does.
Upvotes: 2
Related Questions
- How to create a X509 certificate using Java?
- Java HTTPS client certificate authentication
- Java and SSL certificates
- Java Security - X509 Certificate Verification with Public Key
- Java generate secure certificate
- How to verify a certificate using .cer file in Java
- Java SSL Certificate
- Verifying a signature in java using a certificates public key
- Self signed Certificate Based Authentication
- Java certificate based authentication