A list of puns related to "Mutual Authentication"
Hi, I'm currently reading up on a handshake protocol that supposedly provides mutual authentication.
While looking at an analysis of the protocol, I found two different types/flavors of mutual auth, an injective agreement and an implicit agreement.
The first, injective agreement, is defined like this:
>Informally, injective agreement guarantees to an initiator I that whenever I completes a run ostensibly with a responder R, then R has been engaged in the protocol as a responder, and this run of I corresponds to a unique run of R. In addition, the property guarantees to I that the two parties agree on a set S of parameters associated with the run, including, in particular, the session key material Z.
This is pretty understandable to me. If I does a run, then I can be sure that R has completed a corresponding run, and can be sure that they have agreed on the same session keys.
And then implicit agreement, which should be a weaker property, sounds like this:
>We use the term implicit in this context to denote that a party A assumes that any other party B who knows the session key material Z must be the intended party, and that B (if honest) will also agree on a set S of parameters computed by the protocol, one of which is Z. When implicit agreement holds for both roles, upon completion, A is guaranteed that A has been or is engaged in exactly one protocol run with B in the opposite role, and that B has been or will be able to agree on S. The main difference from injective agreement is that A concludes that if A sends the last message and this reaches B, then A and B have agreed on I, R and S.
This is a bit more wishy-washy to me. And to me, these two definitions sound pretty similar.
Can anyone, maybe in a pedagogical manner, sum up what the actual difference between two properties like this is? They sound very similar to me.
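A small trace checker, added here and not part of the original post, that makes the "unique run" clause of injective agreement concrete: with one honest exchange both properties hold, while a replay of the responder's messages still satisfies non-injective agreement but fails injective agreement. The traces and party names are constructed; implicit agreement (which is about who can know Z) is not modelled.

```python
# Added example (not from the original post): a small trace checker for the
# "unique run" part of injective agreement quoted above. A Run records the role
# a party played, who it believed its peer was, and the session key Z it ended
# with (Z stands in for the whole parameter set S). Implicit agreement, which
# is about who can know Z, is not modelled here.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Run:
    role: str   # "I" for initiator, "R" for responder
    own: str    # party that executed this run
    peer: str   # party it believes it ran the protocol with
    Z: str      # session key material agreed in this run

def _initiator_claims(trace):
    # (I, R, Z) for every completed initiator run, with multiplicity
    return Counter((r.own, r.peer, r.Z) for r in trace if r.role == "I")

def _responder_runs(trace):
    # same key shape, seen from the responder side: (I, R, Z)
    return Counter((r.peer, r.own, r.Z) for r in trace if r.role == "R")

def non_injective_agreement(trace):
    """Every completed initiator run has at least one responder run that agrees
    on I, R and S; a replayed run still satisfies this."""
    responders = _responder_runs(trace)
    return all(responders[key] > 0 for key in _initiator_claims(trace))

def injective_agreement(trace):
    """Each initiator run must correspond to its own responder run, so the
    agreeing responder runs must cover every initiator run making that claim.
    Runs identical in (I, R, Z) are interchangeable, so counting them is enough
    to decide whether a one-to-one correspondence exists."""
    responders = _responder_runs(trace)
    return all(responders[key] >= n for key, n in _initiator_claims(trace).items())

# Constructed sample traces.
HONEST = [Run("I", "alice", "bob", "k1"), Run("R", "bob", "alice", "k1")]
# Replay: an attacker feeds bob's messages to alice twice, so alice completes two
# runs "with bob" that both correspond to the same single run of bob.
REPLAYED = HONEST + [Run("I", "alice", "bob", "k1")]
# Misbinding: bob thinks he is talking to carol, so nobody agrees with alice.
MISBOUND = [Run("I", "alice", "bob", "k1"), Run("R", "bob", "carol", "k1")]
```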
Mutual Authentication is a complex and deep subject in cyber security, but it's also an important aspect of zero trust.
That's why I wrote this doc, explaining the concept and several practical examples across different network layers and configurations: https://www.pomerium.com/docs/topics/mutual-auth.html
Hi. I'm presently doing some research which requires that I assess the capabilities of the F5 platform. Let's say a requirement has been presented that an application accessing a resource behind the F5 (which requires authentication) must be accessed via the F5, which in its own right requires TLS authentication.
Does the F5 platform have a feature which could be used to say offload the secondary authentication onto the platform itself? So once the application has successfully authenticated itself the F5, functioning as a reverse proxy would perform the basic authentication (in this case) to the protected resource?
Thanks in advance for any insight you can share.
Can Azure APIM do mutual certificate authentication / two-way SSL? There is an entry in the documentation for this (api-management-howto-mutual-certificates) whose page title (Secure backend services using client certificate authentication in Azure API Management) and content look like client certificate authentication / one-way SSL to me. In my current setup there is an APIM that provides a whole series of APIs. Most of the APIs use different authentication methods and must continue to do so. And in the future, another API is to be secured via two-way SSL. Therefore the question: is it possible to secure an API via two-way SSL? If it is possible, the second question is, is it also possible to secure only one of the APIs via this without affecting the rest of the APIs?
Targeting Post: here
I wanted to post a comment, but unfortunately, it was archived. So I thought I could make a new post here to comment on it indirectly.
A little intro:
Hey u/primalmotion, u/benegrunt. It's been 9 months since you guys tried to work on the client certificate thingy. I don't know if you guys managed to solve the problem eventually or not, but here's some light that will maybe help you.
First thing first, okay, so... Apparently, there is currently no way to make mutual TLS (client certificate auth) work natively in shortcut without the aid of a third-party app.
As Apple said:
>In iOS, apps have access to a single keychain (which logically encompasses the iCloud keychain). This keychain is automatically unlocked when the user unlocks the device and then locked when the device is locked. An app can access only its own keychain items, or those shared with a group to which the app belongs. It can't manage the keychain container itself.
It's saddening to know that only certain Apple-provided apps like Safari and Mail can access the certificate profile, keychain, etc., even though Shortcuts is an Apple-provided app too. 0_0
I tried to use the Shortcuts app to import the certificate directly into its keychain, but oh boy, did it not work out. I couldn't find a way to let Shortcuts import the cert itself, so nope...
For now, to have mutual TLS work on your phone you must build an app yourself.
Check out the info from Apple Technical Q&A 1745:
>To use digital identities in your apps, you will need to write code to import them. This typically means reading in a PKCS#12-formatted blob and then importing the contents of the blob into the app's keychain using the function SecPKCS12Import.
>
>This way, your new keychain items are created with your app's keychain access group.
Well...
So... you have to build your iOS app to handle the certificate challenge directly.
After an infinite amount of trial and error, and checking countless Stack Overflow posts, I finally got it working, well, somehow, duh.
To make it simple, I have to build an iOS app with custom intents defined. Inside the app, I have a function to get and import the certificate, then using AF.request from the Alamofire module to handle the certificate chal
A client has a requirement for mutual authentication from a Lambda to their server and has stated the private key must be stored in KMS. However, I'm not sure how this will work. I could encrypt a message using KMS, but I feel like I'm missing something.
Curious if anyone has thoughts/opinion:
If you enable client cert passthrough at a load balancer, would that be considered enabling mutual authentication? Or does mutual TLS authentication imply that the certificate is verified in some way by the load balancer?
Appreciate your thoughts ...
Hello, everyone.
I'm trying out OpenBSD for a personal remote server, since I've been wanting to fiddle with it for quite some time now.
I'm using httpd(8) as an HTTP server listening on 127.0.0.1:8080 and serving a directory of static content. In front of it, I'm running relayd(8) to handle TLS termination and add some cache-related HTTP headers and also some of the OWASP security headers.
I want to enable mutual TLS authentication (also known as client CA validation) for this HTTP server. I know this is supported by httpd(8) through the tls client_ca option, but I can't seem to find a straightforward way to do this with relayd(8). Can anyone who has experienced this issue before share some pointers?
I'm sorry if I missed anything obvious.
Thanks in advance.
Do you want to develop mutual TLS Web services in Kotlin? Hexagon 1.2 got released today with that feature, check the following section to learn how: https://hexagonkt.com/port_http_server/#https
You can check all project's examples and source code at GitHub : https://github.com/hexagonkt
If you give it a go, please share your feedback!
Disclaimer: I'm the project's maintainer
Does anyone have any experience configuring Mutual Authentication? Please help.
Here is the link: stackoverflow
Last week, on 12 October, the Unique Identification Authority of India (UIDAI) wrote to the mutual funds industry, namely the registrar and transfer agents (R&T) and some online distributors, asking them to discontinue using Aadhaar-based authentication to complete the Know Your Client (KYC) norms. Mint has a copy of the letter.
UIDAI has said that the said firms will have to confirm in writing that they have closed the Aadhaar-based authentication and enumerate an exit plan by 20 October. N.S. Venkatesh, chief executive officer, Association of Mutual Funds of India (Amfi; the MF industry's trade body) told Mint that they will "soon meet all the stakeholders, including fund houses and R&Ts and come up with an alternative."
More: https://www.livemint.com/Money/Pbwy2hDq5NHDC2ki9s4voL/Mutual-funds-cannot-use-Aadhaarbased-authentication.html
Hi
I have been tasked to look into, and figure out, how to use mutual authentication in an existing web service application running on .NET Framework 4, so I am just writing here to figure out what my options are.
Currently it works such that another internal service calls this web service, which then makes an XML file and then makes an HTTP POST request to an external API through a proxy using the HttpWebRequest class. These requests have until now been "authenticated" by tunneling through VPN. But since the application will be migrated to a new server setup where VPN will not be used, implementing mutual authentication will be necessary.
What I have gathered about HttpWebRequest, it seems that it does not support a validation check on server certificates in .NET 4.0. Is this correct?
Another option I have explored is using a combination of SslStream and TcpClient to obtain this goal. There are some good examples on SO and CodeProject, so this looks like a viable solution.
The last option would be to refactor the solution to use a newer framework; however, this is the least preferred option since we are only talking about a migration to a new server setup. However, we are open to this possibility.
So what do you guys think?
Hi All
I was thinking about using mutual authentication to block unauthorized access to my applications on my server.
I am using traefik running in docker as my reverse proxy. Apparently traefik supports mutual authentication.
Is this a good idea security wise? How would I configure this?
I am trying to find some guidance on certificate requirements for TLS-based mutual authentication. My understanding is that if you are allowing a connection from an outside organization, they need to present a certificate that identifies themselves. Does it matter who creates the certificates? Can organization A create a certificate for organization B to present?
I'm having a small problem:
I'm trying to communicate with an HTTPS server that requires a client certificate. According to the TLS RFC, the server has to send a CertificateRequest message containing the acceptable client certificate CA names. This server doesn't send this list though, so my Java client cannot select the correct certificate from its keystore. My question is, according to the standard, does the server HAVE to send this list or is it optional? The RFC is a little badly worded in that regard.