Reputation: 23
How can I (or, is it possible) to verify that a user certificate belongs to a given user?
For example, in an e-Voting system I want to prohibit that a user A who has a certificate C1 votes for other people.
How can I detect, when someone presents C1 and tries to vote as, say, user B, that this is the wrong combination, and deny him the right to vote?
Is it even possible to do this with certificates, or should I additionally use a username and password to confirm identity?
Upvotes: 2
Views: 645
Reputation: 33046
Use the subject field of the X509 certificate to identify the person. That cannot be forged, given that you fully trust the certificate issuer.
If person B has access to person A's certificate, he/she could certainly vote at his/her place, but you cannot do much at this stage (added a password? Who guarantees that B does not know that as well?).
A severe issue is that in many (if not all) democratic voting systems, the vote is secret. By having the user identify him/herself via a certificate and possibly storing identity info in their session, you are failing to honour this basic constraint.
If the application is critical (i.e. a real, regional/national e-Voting system), then:
Upvotes: 2
Reputation: 23322
When you use client SSL certificates, the certificate fingerprint is checked by the web server, which uniquely authenticates the user. In this type of scenario, you would not have a typical login form, since the server can authenticate your browser without it.
The voting step would only occur after the user/browser is properly authenticated. This does not necessarily mean that you bind the session to a username. You just need to bind it to a unique identifier.
Using an additional authentication step (username/password, TOTP, ...) is possible, and may be desired, but authentication should only succeed if all those steps succeed.
Note that the vast majority of sites do not currently use client certificates for authentication. It's a very uncommon practice nowadays.
Upvotes: 0
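As an added illustration of the two answers above (not code from the question or either answer), this Go program binds a certificate's SHA-256 fingerprint to the voter it was enrolled for and refuses that certificate when it is presented under any other name, or when a certificate with the right subject was never enrolled at all. The enrolment registry, the Authorize helper and the self-signed test certificates are assumptions constructed for the example; issuer chain validation is left to the TLS handshake.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint hashes the DER encoding, the value a web server compares on.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Authorize looks the presented certificate up in the enrolment registry
// (fingerprint -> voter id, an assumed structure) and rejects it if it is unknown
// or was not issued to the user the client claims to be. Chain validation against
// the trusted issuer is assumed to have been done by the TLS layer before this runs.
func Authorize(reg map[string]string, cert *x509.Certificate, claimed string) (string, error) {
	id, ok := reg[Fingerprint(cert)]
	if !ok {
		return "", fmt.Errorf("certificate %s is not enrolled", Fingerprint(cert)[:8])
	}
	if id != claimed || cert.Subject.CommonName != claimed {
		return "", fmt.Errorf("certificate belongs to %q, not %q", id, claimed)
	}
	return id, nil
}

// NewTestCert builds a self-signed certificate for cn (constructed test data only).
func NewTestCert(cn string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Enrol each issued certificate's fingerprint once; a second certificate carrying the same common name but never enrolled is rejected before its subject is even consulted.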