Sunday, December 6, 2009

Using Certificates for Authentication? Where to Store Them?

Question: 
Has anyone deployed a VPN solution that leverages user certificates for authentication?
We are considering the possibility of leveraging digital certificates as an authentication factor for VPN. Has anyone implemented this or looked at solutions that do this? We are not comfortable with solely relying on a certificate and the security/integrity of the PC as an authentication mechanism. If you are currently using certificates, I would be interested in hearing how you are deploying this.

Answer:
.....,
The short answer is yes. We did deploy several off-the-shelf certificate-based authentication solutions for remote-access VPN systems such as Cisco, Check Point, Juniper, Citrix, Nortel. It is again very possible to deploy similar solutions over SSL VPN solutions (this time easier, since the browser is the client). I worked with Entrust as the PKI integration provider. When using certs, most of the questions/problems are generic PKI-related questions (CRLs, OCSP, identity management, etc.).


9 out of 10 enterprise shops store the certs on PCs or mobile devices, since they want to avoid using tokens/smart cards. Using third-party storage is ideal, but to be honest smart cards share the fate of PKI for complexity, so many solution sets avoid tokens/smart cards unless the policies mandate certificates.
When smart cards are more expensive/complex (readers, personalization, etc.), enterprises use USB tokens to store certificates. (Several companies provide tokens with certificate support: ActivIdentity, Aladdin, Authenex, Entrust, SafeNet (merged with Aladdin), RSA (RSA has a hybrid token for OTP + certs).)


If you would like to use smart cards as the certificate container, or use the same certs for physical security simultaneously, you can simply take one of the ready-to-use HSPD-12 Personal Identity Verification (PIV) Card solutions (http://fips201ep.cio.gov/apl.php) so that you can avoid designing the architecture of all the components yourself.


Of course, the do-it-yourself path is more fun. Technically it is straightforward to integrate certs with any 802.1X-based authentication server, but as you know it usually gets more complex. We have deployed a complete system for enrollment, biometrics, cards, CMS, etc. (it took 3+ years).


cheers,
- yinal ozkan
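The answer notes that most of the real work with certificate-based VPN authentication is generic PKI work such as CRLs. As an added example (not from the original post or any vendor named above), the shell script below uses the openssl command-line tool to build a throwaway CA, issue one client certificate, and show a gateway-style verification going from accept to reject once the certificate's serial is placed on the CA's CRL, which is what has to happen when a certificate kept on a PC can no longer be trusted. All names (Demo VPN CA, vpn-user, the config file) are constructed for the demo.

```shell
# Added example (not from the original post): a throwaway CA, one client
# cert and a CRL, showing the revocation check a VPN gateway has to make
# once a cert kept on a PC can no longer be trusted. Needs the openssl CLI.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal CA config for 'openssl ca' (constructed for this demo).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
serial = serial
crlnumber = crlnumber
default_md = sha256
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Demo CA, then a client cert issued and recorded in the CA database.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo VPN CA" -days 30 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/CN=vpn-user" -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in user.csr -out user.pem -notext -days 30 2>/dev/null
# The gateway's decision: fresh CRL, chain to the CA, serial not revoked.
vpn_cert_status() {
  openssl ca -config ca.cnf -gencrl -crldays 30 -out crl.pem 2>/dev/null
  cat ca.pem crl.pem > trust.pem
  if openssl verify -crl_check -CAfile trust.pem "$1" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}
BEFORE=$(vpn_cert_status user.pem)    # accept: valid chain, empty CRL
openssl ca -config ca.cnf -revoke user.pem 2>/dev/null  # e.g. laptop lost
AFTER=$(vpn_cert_status user.pem)     # reject: serial is now on the CRL
echo "before revocation: $BEFORE, after revocation: $AFTER"
```

A real gateway would fetch the CRL from the distribution point (or query OCSP) on each connection rather than regenerating it, but the accept/reject logic is the same.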