Term
| How is CCA (Client certificate-based authentication) triggerred from the server side? |
|
Definition
| By sending the CertificateRequest during TLS handshake. |
|
|
Term
| What does the CertificateRequest message contain? |
|
Definition
| A list of distinguished names (DN's) of CA's that the server trusts. |
|
|
Term
| What happens when the client does not wish to perform CCA? |
|
Definition
| It sends an empty Certificate message. |
|
|
Term
| Who sends the CertificateVerify message? |
|
Definition
|
|
Term
| What is the purpose of CertificateVerify message? |
|
Definition
| To prove that the client actually owns the private key corresponding to the public key in the client's certificate. |
|
|
Term
| How is the CertificateVerify message created? |
|
Definition
| A hash of all previous messages between the client and the server is calculated and the signed by the private key. This signature is then sent in the CertificateVerify message. |
|
|
Term
| What is one advantage of CCA? |
|
Definition
| A proof is given that the client possesses the private key, but the key is not disclosed to the server. Unlike credentials/passwords, the private thus cannot be easily stolen. |
|
|
Term
| What is the purpose of HelloRequest message and who sends it? |
|
Definition
| It is a renegotiation request send by the TLS server. Use cases include invocation of CCA for a set of protected resources on a server. |
|
|
Term
| How does TLS session resumption work? |
|
Definition
| This is a mechanism for an abbreviated TLS handshake. In such a case, key negotiation phase would be skipped, which saves one round trip across the network plus one privatek key operation on the server side (and if CCA is used, on client side, as well). The session can be resumed by the client by specifying the session id in the ClientHello message. |
|
|
Term
| What is the most common implementation of CCA on the server side? |
|
Definition
|
|
Term
| What is the main Apache directive to use CCA? |
|
Definition
|
|
Term
| What is the difference between Apache VerifySSLClient require and optional directives? |
|
Definition
| Require will fail if the client sends an empty Certificate message, while optional will not. |
|
|
Term
| The client is getting refused by the server, even though the correct certificate seems to be present on the device. What can be the problem? |
|
Definition
| Certificate caching actually uses previously used, now invalid, certificate. |
|
|
Term
| What issue pertaining to JavaScript is an obstacle in CCA implementation? |
|
Definition
| A common, unified API to clear the TLS cache (and TLS cache only) among all types of browsers (clients) is not available. Hence, login and logout functionality when using CCA is currently not attainable. |
|
|
Term
| Is PKI and CA needed for TLS CCA? |
|
Definition
|
|
Term
| In what cases is PKI and CA needed for TLS CCA? |
|
Definition
| On servers which do not know the user's identity (yet), and the verification of the user's identity is a prerequisite for the opening of the account. In cases where the authentication happens *after* the opening of the account, CA validation is not necessary, as the user cert is simply used for user registration. |
|
|
Term
| If the TLS CCA is used, even a very powerful attacker that can successfully impersonate a legitimate server, cannot reuse the proof given in a CertificateVerify message to impersonate a victim to the legitimate server. Explain. |
|
Definition
| Client's CertificateVerify consist of a hash of all previously exchanged messages between the client and the server, and then signing it with the private key of the client. Hence, the private key itself is never actually retrievable from the proof (due to laws of modular arithmetic), and cannot be reused in future communication. The bad actor cannot impersonate a victim whose proof they have captured, because to perform CCA to the server they would actually need to sign the message hashes with the private key, which they do not possess. |
|
|
Term
| Why is client certificate available to passive attackers? |
|
Definition
| Is is sent within the Certificate message, which happens *before* encryption. |
|
|
Term
| Describe TLS Handshake with TLS CCA implemented. |
|
Definition
1. Client: ClientHello
2. Server: ServerHello, Certificate, *CertificateRequest*, ServerHelloDone
3. Client: Certificate, ClientKeyExchange, CertificateVerify
4. Client: ChangeCipherSpec, Finished
5. Server: ChangeCipherSpec, Finished |
|
|
