SSL Certs

anev · 14-11-2007 9:28pm #1

Hi,

I'm wondering is it possible to generate ssl certificates that can only be used on specific machines? I was thinking about using something like http://en.wikipedia.org/wiki/Trusted_Platform_Module however, it requires special hardware.

Any suggestions?

Thanks,

A

Martyr · 15-11-2007 3:29pm

if you said what the certs would be used for, there could be another way to solve the problem.

it sounds like you want to control access to a resource, so maybe what you need is some kind of signature verification?

Screaming Monkey · 16-11-2007 10:53am

not sure how you could do something like that without hardware..

Have used the following kit - http://www.ncipher.com/cryptographic_hardware/
stores the SSL certs and the like on the hardware..

anev · 18-11-2007 3:55pm

The certs are being used to control access to a server. But as an additional security feature (to stop people copying the certs) I want to tie them to a specific machine. I was originally looking at a signature verification method, something like mac address + license key but I need a push in the right direction as I haven't implemented something like this before.

Any suggestions?

A

mick.fr · 18-11-2007 5:42pm

Can you please give more details, is this a Windows/Linux/Unix server then we will be able to answer more accurately.
Is it a specific application/database/repository you want to protect ?

Martyr · 19-11-2007 7:52am

Any suggestions?

i think there are only ways you would make it more difficult to copy the ssl cert to another system without tamperproof hardware, no secure way to stop it completely.

IMHO any software solution could be broken..but that depends on how smart your users are, and how determined they would be to copy/use an ssl cert on another system.

my guess would be to generate public/private key pair.
generate individual hashes based on each clients computer hardware + username.
sign each hash with private key, base64 encode the result and store on local clients in either registry/file

write another application which then verifies valid system based on info stored in registry/file.

the cert and public key is wrapped in this application and only decrypts the cert to disk/memory if computed hash of hardware can be verified with signed values stored locally.

have the cert opened with sharing disabled, and securely delete once the server session has ended.

obviously this could be got around various ways..but all depends on skill of attacker/user.
i suppose my idea is security through obscurity

anev · 19-11-2007 7:14pm

How would i go about generating these hashes (i'm assuming md5?) for hardware?

Martyr · 19-11-2007 8:04pm

i'd use HMAC-SHA-2 256.
the username would be the salt, and the key would be of computer (serial number - harddrive,cpu,ethernet,mobo,date of install..etc), and maybe some values from %APPDATA% (if on windows)

anev · 19-11-2007 8:21pm

Ahh cool! Thank you. Do you have any information on how i could go about implementing this in java? I've never done something like this before, i just need a push in the right direction.

Martyr · 19-11-2007 8:44pm

no, but i'm sure there is plenty of code online to show parts of how its done, then you just have to glue it all together.
lookup info on RSA "signature verification"
or perhaps someone in programming forum has already done it before.

Martyr · 23-11-2007 5:42am

@anev

not sure if you've been looking, but the following tutorial would help you, its using C++.

Product Keys Based on Elliptic Curve Cryptography

anev · 24-11-2007 4:33pm

Average_Joe:

Excellent! Thanks!

SSL Certs

Comments