
My particular use case is that I have to access digital certificates stored on the client, and use them to perform the tasks of signing, verifying, encryption and decryption on the client side and the server side. For the latter part, there are many, many solutions. The sticking point is the ability to access certificates stored on the client.

Note that I am saying "certificates stored on the client", which is deliberately vague. I don't want to restrict thoughts to the system store, user store, browser store, cryptographic token, Java key store, wherever.

Over the years, I have used the following ways. Alongside each of them I give the pros and cons.

  1. CAPICOM/ActiveX. While this was the easiest to work with, it restricts the user to IE on Windows. What is worse, it is now deprecated and works only on 32-bit.
  2. Java applet. This is cross-platform and cross-browser, but Java in the browser is not as common as one would like it to be and is quickly fading away (apparently Apple recently removed it). So there is the added hassle of getting the user to download and install the JRE. Additionally, users have to perform the relatively technical task of installing the unlimited strength cryptography extensions for the signer to work.

Things I have heard of or thought of, but have not progressed far with:

  1. Most JavaScript solutions. They implement the RSA algorithm, but they don't have a way to access digital certificates in the client certificate store. Most of them generate a new key pair.
  2. Flash/Flex. Flash/Flex seem to be the most ubiquitous client-side technology. They can already access client hardware like cameras and microphones. It would be lovely if they could access certificate stores.
  3. Alternatives to CAPICOM as given on the Microsoft website. It prescribes alternatives to CAPICOM which mostly involve doing things with the .NET Framework. This is great for desktop clients. But for "scripts" they say very clearly in an "important note" that you have to write your own ActiveX controls. Which takes us back to square one.

What I am looking for is a way to get over/around the primary problem of getting access to certificate stores on the client. I am not looking for a discussion of the RSA algorithm, or why PKI is stupid, or some alternative to asymmetric encryption, or the use of architectures other than web applications, or on Apple.

Kinjal Dixit

3 Answers


My best bet would still be an applet, since that's possibly the most cross-platform thing. Alternatively, I can develop my own ActiveX, limiting my reach.

Remember that client-side certificate access is a big security thing.

CKmum
  • You can't access the local filesystem with JavaScript. – CKmum Nov 05 '12 at 08:09
  • A very lousy but workable way of doing it would actually be to ask the user to upload the certificate file and then validate it on the server side using your code. Invariably, that's what indirectly happens in the backend when you use an applet or ActiveX. – CKmum Nov 05 '12 at 08:15
  • If this was a simple workflow thing, then I guess your suggestions could be sold. Unfortunately, one of the solutions is in the domain of public procurement. The government people are very, very careful when making any changes. So while our current solutions work perfectly, we are trying to find ways to support more browsers and platforms simultaneously. – Kinjal Dixit Nov 05 '12 at 09:30
  • Agreed, but as I said before, the client-side certificate is a high-security thing and you need either a thick client or a Java applet or ActiveX (basically local executable code) to access it. Perhaps a Java applet remains the best bet as a cross-browser, cross-platform thing. Flash could easily be blocked in most environments/browsers, especially in corporate/govt networks. Silverlight is MS-bound and so is ActiveX. – CKmum Nov 06 '12 at 07:48
  • Your answer and comments are pragmatic, and more or less I agree with what you are saying. But I would like to hold out for a while before accepting your answer in the hope that some more discussion ensues. Thanks. – Kinjal Dixit Nov 08 '12 at 07:53
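For the applet or thick-client route this answer recommends, the following is roughly what the local code has to do to reach the certificates already sitting in the OS store. It is an added example, not code from the question or from any answer: it relies on the JDK's SunMSCAPI provider (KeyStore type "Windows-MY", the user's Personal store) on Windows and the Apple provider ("KeychainStore") on macOS, which are real provider names, while the entry-selection rules (key entry, RSA, currently valid, digitalSignature key usage) and the choice of SHA256withRSA are this example's own assumptions. Inside an applet it only works if the jar is signed and the user grants it permission to touch the keystore; the private key never leaves the CSP or keychain, and `getKey()` is the point where the OS prompts for a PIN when the key lives on a smart card or token.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added example: sign with a key that lives in the OS certificate store.
// Assumes a JDK shipping the SunMSCAPI provider (Windows) or the Apple provider
// (macOS); inside an applet it additionally needs a signed jar with permissions.
public class ClientStoreSigner {

    // Open the current user's personal store in place. No file and no password:
    // the provider talks to the OS, and the private keys stay in the CSP/keychain.
    static KeyStore openUserStore() throws Exception {
        String os = System.getProperty("os.name", "").toLowerCase();
        String type;
        if (os.contains("win")) {
            type = "Windows-MY";        // SunMSCAPI: the user's "Personal" store
        } else if (os.contains("mac")) {
            type = "KeychainStore";     // Apple provider: the login keychain
        } else {
            throw new IllegalStateException("no OS-backed KeyStore provider on " + os);
        }
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        return ks;
    }

    // Choose a usable signing entry: it must carry a private key, be an RSA cert
    // (we sign with SHA256withRSA below), be valid now, and, if KeyUsage is present,
    // have digitalSignature set. These selection rules are this example's assumption.
    static String pickSigningAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) continue;
            if (!"RSA".equals(cert.getPublicKey().getAlgorithm())) continue;
            try {
                cert.checkValidity();               // expired or not yet valid: skip
            } catch (Exception notValid) {
                continue;
            }
            boolean[] ku = cert.getKeyUsage();      // null when the extension is absent
            if (ku != null && ku.length > 0 && !ku[0]) continue;  // bit 0 = digitalSignature
            return alias;
        }
        return null;
    }

    // Sign inside the store: getKey() hands back a handle, and the OS/CSP prompts
    // for a PIN here if the key sits on a smart card or token. With no provider
    // named, the JCA picks the provider that can use this key at initSign().
    static byte[] sign(KeyStore ks, String alias, byte[] data) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    // Verification needs only the certificate, so the server side can do this part
    // with the same call once it receives the certificate and the signature.
    static boolean verify(X509Certificate cert, byte[] data, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = openUserStore();
        String alias = pickSigningAlias(ks);
        if (alias == null) {
            System.out.println("no usable signing certificate in the user store");
            return;
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        byte[] payload = "constructed sample payload".getBytes(StandardCharsets.UTF_8);  // constructed input
        byte[] signature = sign(ks, alias, payload);
        System.out.println("signed with " + cert.getSubjectX500Principal()
                + " (" + signature.length + "-byte signature), verifies: "
                + verify(cert, payload, signature));
    }
}
```

Two things follow from this shape. First, the store type is the only platform-specific line: on Windows "Windows-ROOT" opens the trusted-root store the same way if you need to build a chain locally, and a PKCS#11 token shows up as `KeyStore.getInstance("PKCS11")` once the SunPKCS11 provider has been registered with a small config file naming the vendor's library. Second, the server never receives the private key, only the certificate and the signature, which is what makes this preferable to the "upload the certificate file" workaround in the comments above: an uploaded certificate proves nothing about possession of the key, whereas a signature the server verifies against that certificate does.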

Our SecureBlackbox library has a distributed cryptography add-on which does what you need. Currently the client-side modules do signing, but they can be extended by the user (we provide complete source code). You will find a detailed description of the add-on on our site or in this SO answer.

Eugene Mayevski 'Callback

[Disclosure: I work for CoSign]

A secure alternative to storing the certs on the clients is to store them on a secure, centralized SSCD (Secure Signature Creation Device). A problem with local certs (smart cards, etc.) is using them securely in client/server or web-based applications.

A centralized SSCD takes care of the issue very neatly. The user still needs to authenticate himself to the SSCD, but the SSCD itself holds the certs and does the signing. The authentication step can include 2-factor authentication, including One Time Passwords (OTP), biometrics, etc. We have customers doing all that.

The idea is to have secure client authentication but keep the secure signing centralized as a service on the network.

See this description. Also available as a cloud-based solution.

PS: This answer covers the slightly more general question of how to sign securely in a web-based application. I agree that it does not cover the specific question of signing by using a user's smart card or a client alternative (the OP was deliberately vague).

Larry K
  • I can already hear the protests from vendors and objections from government officials... they prefer to hold on to their digital certificates... putting them on a third-party service is something I cannot even think of proposing. Still, I will put your link on the to-read list. – Kinjal Dixit Jun 14 '13 at 14:50
  • @BinaryNights We have many government customers all over the world. The certs live in a box that lives on the government agency's network. – Larry K Jun 16 '13 at 06:27
  • The problem is that in India there are many contractors and many government agencies. Besides, all the services are provided by third parties (e.g. abcprocure.com, nprocure.com, and many others). If what you have is real, you should really try and convince the certification authorities in India. You should go to http://cca.gov.in/cca/?q=licensed_ca.html and try to open talks with TCS and nCode. – Kinjal Dixit Jun 18 '13 at 11:20