Certificate Based Authentication Using PKI

Authentication enables applications to verify that the user trying to access them really is the user they claim to be. Most common web and mobile applications do this is by using:

  1. User ID and Passwords
  2. Multi-factor Authentication (e.g., ID and password, call, text, email link, key generators)
  3. Certificate Based Authentication (CBA)

When 10Pearls is developing new products for our clients, we often recommend CBA above the other methods of authentication. Why? Let’s dive in.

What is CBA (Certificate Based Authentication)?

At a high level, CBA works by granting an application the ability to validate and verify the identity of a user based on a proof of identify through trusted Digital Certificates. Most banking applications use CBA behind the scenes and further protect the digital certificate using a fingerprint or a passcode.

Think of a digital certificate like an ID card: It shows who you are, names the authority that issued the card, and confirms that you are the only person who has this card. It also has an expiration date and is tamper-proof.

Why not just use passwords? A number of reasons, including but not limited to: people are notoriously bad at making and using passwords, password breaches are so common they’re barely a blip in the news, and of course people compromise passwords every day by writing them down on a sticky note. There are certain other cases when a password alone is not compliant with laws, regulations, and policies. In these cases, CBA is often the better option.

CBA | Cybersecurity | Washington DCHow does CBA actually work and how is it implemented?

To break down the process in the simplest possible way, let’s go back to thinking about a digital certificate as an ID card. Imagine you just turned 17 and were heading to see an R-rated movie. You (the client) are stopped by the usher (the server) who requests proof of your age, and you show him your ID (client certificate). The usher is suspicious, so he asks you to tell him your astrological sign (the challenge) to prove yourself. You answer correctly (the solution) and are given a ticket (the token) to the movie.

A more technical breakdown:

  1. The client presents a certificate to the server
  2. The server confirms that the certificate is valid and trusted and stores it
  3. The server sends back a challenge for the client to solve (related to the client certificate)
  4. The client sends back the solution to the challenge to the server
  5. The server checks the solution and if it is accepted, issues the client a token
  6. The client uses this token with all subsequent calls made to the server

To avoid confusion, let’s define the terms certificate, challenge, solution, and token:

  • Certificate – a digital certificate is an electronic document that proves the ownership of a public and private key pair , signed by a trusted third party. The certificate contains information about the key, the identity of the owner (typically including email address), and an expiration date.
  • Challenge – The “Challenge” is typically a random string generated for each authentication request.
  • Solution – The “Solution” is actually a digitally signed version of the challenge itself. The digital signature is created using the private key corresponding to the same certificate which was presented to the server. To verify the solution the server combines the challenge, the public key from the certificate, and the solution to determine if the client possesses the private key.
  • Token – When the server accepts the solution, it creates an access token for the client. This access token in most cases is a JSON Web Token (JWT), which contains user details and role/permission information. This token should have expiry and reissue policies depending on the server and application needs. For example, a reasonable policy would include timeouts so that if the token is somehow stolen, it cannot continue to be used endlessly. It would also include the ability to track expired tokens so that if a client presents expired tokens repeatedly its IP address may be blocked or flagged.

All major programing languages have modules/packages for working with CBA, such as OpenSSL, BouncyCastle, Microsoft Crypto API, wolfCrypt, etc. As with any technology, matching the use case to the most suitable technology provides the best return on investment. If you have questions about how to best protect your company’s applications, contact us for a security consultation.


Imran Suhail Ashraf | 10Pearls

Imran Suhail Ashraf is a Technical PM & Architect at 10Pearls.