3

I recently wrote an application that calls out to a 3rd party service to perform some work. This 3rd party service requires that I authenticate the client calling by using a client certificate. For this, I used the .NET provided C# methods to perform this (adding "client.pfx" to the client certificates with the request).

One of my concerns I have is that the API of this 3rd party mentions that I should perform this secure call using a URI they've provided as part of their auth process. To me, this seems terrible because an attacker could provide arbitrary URLs, and receive the requests themselves, and in turn, the contents of client.pfx.

My question is, how does this client authentication work (from sort of a broad view)? Is the entire certificate sent as part of the request? Is it just a signature of the request signed with the private key in client.pfx? I'm wondering if my worry is justified.

Thanks!

TheTFo
  • 133
  • 1
  • 3

1 Answers1

4

Authentication of the client using a client certificate is very similar to the common authentication of the server using a server certificate.

Essentially the client has a public certificate which contains the public key and the client has the matching private key. Authentication is then done by the client:

The server can validate the signature created by the client using the public key contained in the clients certificate. The server also validates the certificate itself in the usual way, i.e. check if a certificate chain can be build to a locally trusted CA certificate, check for expiration, revocation, key usage etc.

In order to prevent replaying the same signature later the client cannot choose which data get signed but all data send and received so far in the current TLS handshake get signed which include also random data from the server.

Community
  • 1
Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465