IIS Server Security - Client certificates: security vulnerability?


Max Metral

2004-11-15, 5:52 pm

So I have an application that uses client certificates on smart cards. The
problem is that if you "login" to a web site using the cert, and then pull
the smart card, the session stays valid, for a long time.

I think I understand what's happening, namely that the SSL session has been
negotiated and therefore nobody cares that the underlying private key is
gone. But this seems like a gaping hole of sorts, and I wonder what one
could do to close it in a particular application?

Thanks
--Max


Miha Pihler

2004-11-15, 5:52 pm

Hi Max,

I am not sure if it will help, but you could try and use Session.Timeout to
control how long users can leave the web application idle before they need
to authenticate again.

Starting and Ending Sessions in ASP
http://msdn.microsoft.com/library/d...ng_sessions.asp

Session.Timeout
http://msdn.microsoft.com/library/d...m_sesoptime.asp

Next thing you can do is teach your users to always close the browser when
they are done and to always lock their PC (Windows 2000 and newer).

Since you are using Smart Cards, you could deploy the "Smart Card removal
behavior" group policy setting (e.g. in a domain environment). E.g. if a user
takes out the smart card, the screen locks... In combination with
Session.Timeout this should provide some additional security -- still I know
it doesn't provide a foolproof solution.

Interactive logon: Smart card removal behavior
http://www.microsoft.com/resources/.../en-us/594.mspx

Mike

"Max Metral" <memetral@hotmail.com> wrote in message
news:eQJkq31yEHA.2980@TK2MSFTNGP10.phx.gbl...
> So I have an application that uses client certificates on smart cards.
> The problem is that if you "login" to a web site using the cert, and then
> pull the smart card, the session stays valid, for a long time.
>
> I think I understand what's happening, namely that the SSL session has
> been negotiated and therefore nobody cares that the underlying private key
> is gone. But this seems like a gaping hole of sorts, and I wonder what
> one could do to close it in a particular application?
>
> Thanks
> --Max
>



Karl Levinson [x y] mvp

2004-11-15, 5:52 pm

There may also be similar timeout settings for the IPsec and TCP/IP sessions
on each client.


"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:%23pUx7%231yEHA.908@TK2MSFTNGP11.phx.gbl...
> Hi Max,
>
> I am not sure if it will help, but you could try and use Session.Timeout to
> control how long users can leave the web application idle before they need
> to authenticate again.
>
> Starting and Ending Sessions in ASP
> http://msdn.microsoft.com/library/d...ng_sessions.asp
>
> Session.Timeout
> http://msdn.microsoft.com/library/d...m_sesoptime.asp
>
> Next thing you can do is teach your users to always close the browser when
> they are done and to always lock their PC (Windows 2000 and newer).
>
> Since you are using Smart Cards, you could deploy "Smart Card removal
> behavior" group policy setting (in e.g. domain environment). E.g. if a user
> takes out the smart card the screen locks... In combination with
> Session.Timeout this should provide some additional security -- still I know
> it doesn't provide foolproof solution.
>
> Interactive logon: Smart card removal behavior
> http://www.microsoft.com/resources/.../en-us/594.mspx
>
> Mike
>
> "Max Metral" <memetral@hotmail.com> wrote in message
> news:eQJkq31yEHA.2980@TK2MSFTNGP10.phx.gbl...
>
>



WenJun Zhang[msft]

2004-11-16, 7:47 am

Hi Max,

I also noticed this can be a problem, as the browser may not be able to
detect when the smartcard is removed. We can decrease the SSL session
cache timeout to a small value like 2 mins (by default it's 10 hours
on XP). However, this cannot be a solution because we cannot manage
external client machines.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ClientCacheTime

247658 HOW TO: Configure Secure Sockets Layer Server and Client Cache
Elements
http://support.microsoft.com/?id=247658

I'd like to suggest you post a thread to the IE newsgroup about this
issue. Probably some IE guys know if there has been a plan to add the
smartcard detecting feature. Also user education is required; closing
all browser windows to kill the process is the safest operation.

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

Ken Schaefer

2004-11-16, 7:47 am

Session.Timeout has nothing to do with SSL sessions. This affects ASP's
sessions only.

Cheers
Ken


"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:%23pUx7%231yEHA.908@TK2MSFTNGP11.phx.gbl...
> Hi Max,
>
> I am not sure if it will help, but you could try and use Session.Timeout
> to control how long users can leave the web application idle before they
> need to authenticate again.
>
> Starting and Ending Sessions in ASP
> http://msdn.microsoft.com/library/d...ng_sessions.asp
>
> Session.Timeout
> http://msdn.microsoft.com/library/d...m_sesoptime.asp
>
> Next thing you can do is teach your users to always close the browser when
> they are done and to always lock their PC (Windows 2000 and newer).
>
> Since you are using Smart Cards, you could deploy "Smart Card removal
> behavior" group policy setting (in e.g. domain environment). E.g. if a
> user takes out the smart card the screen locks... In combination with
> Session.Timeout this should provide some additional security -- still I
> know it doesn't provide foolproof solution.
>
> Interactive logon: Smart card removal behavior
> http://www.microsoft.com/resources/.../en-us/594.mspx
>
> Mike
>
> "Max Metral" <memetral@hotmail.com> wrote in message
> news:eQJkq31yEHA.2980@TK2MSFTNGP10.phx.gbl...
>
>



Steffen

2004-11-16, 7:47 am

Hello,

I think that's a problem at the server side, because the server can renew
the handshake when the smart card isn't removed, because the permission for
the private key is not closed before the session is finalized or the smart
card is removed. Therefore the user doesn't have any problems when the server
asks for a new authentication after 2 minutes, but when the smart card is
removed the SSL session will also close. I think this is the right way; we
have set up our Apache with this feature to solve the same problem.

Steffen

"Ken Schaefer" schrieb:

> Session.Timeout has nothing to do with SSL sessions. This affects ASP's
> sessions only.
>
> Cheers
> Ken
>
>
> "Miha Pihler" wrote in message
> news:%23pUx7%231yEHA.908@TK2MSFTNGP11.phx.gbl...
>
>
>

WenJun Zhang[msft]

2004-11-17, 2:47 am

Hi Max,

I think Steffen's reply makes perfect sense. Why not try setting
ServerCacheTime on the IIS server to a small value to test the effect? If
the smartcard is removed and the server requests the client to renew the SSL
session, establishing the new session should fail.

247658 HOW TO: Configure Secure Sockets Layer Server and Client Cache
Elements
http://support.microsoft.com/?id=247658

Look forward to your test result. Thanks.
Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
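An added example, not code from the thread or from Microsoft, that applies the suggestion above on the IIS host: it reads the Schannel cache lifetimes referenced in KB 247658 and shortens ServerCacheTime to 2 minutes. It assumes ServerCacheTime sits beside ClientCacheTime under the SCHANNEL key quoted earlier, that both are REG_DWORD values in milliseconds, and that an absent value means the 10-hour default mentioned in the thread.

```powershell
# Added example (not from the thread): inspect and shorten the Schannel
# session cache lifetimes from KB 247658. Assumptions: values are REG_DWORD
# milliseconds and an absent value means the 10-hour default. Run elevated;
# Schannel reads these at startup, so restart IIS (or reboot) afterwards.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$defaultMs = 10 * 60 * 60 * 1000   # 36,000,000 ms = 10 hours (assumed default)

function Get-SchannelCacheTime {
    param([ValidateSet('ServerCacheTime', 'ClientCacheTime')][string]$Name)
    $item = Get-ItemProperty -Path $schannel -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $defaultMs }   # value absent => built-in default
    return [int]($item.$Name)
}

function Set-SchannelCacheTime {
    param([ValidateSet('ServerCacheTime', 'ClientCacheTime')][string]$Name,
          [ValidateRange(0, [int]::MaxValue)][int]$Milliseconds)
    if (-not (Test-Path $schannel)) { New-Item -Path $schannel -Force | Out-Null }
    New-ItemProperty -Path $schannel -Name $Name -PropertyType DWord `
        -Value $Milliseconds -Force | Out-Null
}

# Before: report the effective lifetimes (the weak setting is the 10-hour default,
# which is what lets a cached session outlive the removed smart card).
foreach ($n in 'ServerCacheTime', 'ClientCacheTime') {
    $ms = Get-SchannelCacheTime -Name $n
    '{0,-16} {1,10} ms ({2:N1} min)' -f $n, $ms, ($ms / 60000)
}

# After: expire cached SSL sessions on the server after 2 minutes. Once the
# cache entry is gone the client must complete a full handshake with the
# smart card's private key, which is the check the thread expects to fail
# when the card has been pulled.
Set-SchannelCacheTime -Name ServerCacheTime -Milliseconds 120000
'ServerCacheTime is now {0} ms' -f (Get-SchannelCacheTime -Name ServerCacheTime)
```

The cache time only governs whether a new connection may resume a cached session; it does not renegotiate a connection that is already open, so keep the web server's connection idle timeout short as well.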
