tls – oauth mutual authentication and certificate bound access token

I have a system where two clients (A, B) ask and receive information from each other.

I am following mutual TLS. In order to make this work, I am following this procedure:

  1. First I create an authorization server and a CA to issue certificates
  2. Client and server must authenticate each other by presenting an X.509 certificate.
  3. Client asks the server for an access token in order to reach client B and get back information
  4. Server hashes the client A certificate and binds it into the access token
  5. The client then uses the certificate that it presented to the server and the access token, and then reaches client B, which also contains the protected resource
  6. Client B hashes the certificate and matches it with the hash of the certificate contained in the access token

So I have the following questions:

  • How to build the authorization server?
  • Must the CA be included inside the auth server, or must it be a different component?
  • Does the client ask for the token during the handshake or in another call?
  • Does the server hash the certificate and bind it to the token by using some keys?
  • Does client B hash the certificate using some keys?
  • When the client and the server exchange certificates signed by a CA, must they first generate public keys and send them to the CA so that the latter can issue the token?
  • I see that during the handshake the client sends the certificate verify message in order to show that he has the private keys. Must the server not do the same procedure?
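
Steps 4 and 6 of the procedure above, as an added example (not part of the original question): the certificate hash is a plain, unkeyed SHA-256 over the DER encoding, carried in the RFC 8705 `cnf` / `x5t#S256` claim, and it is the token signature that protects the binding. HS256 with a shared key, the constructed certificate bytes and all function names are assumptions made to keep the example stdlib-only.

```python
import base64, hashlib, hmac, json

# Constructed stand-ins for DER-encoded certificates and the AS signing key.
CERT_A, CERT_B = b"constructed DER bytes, client A", b"constructed DER bytes, other"
AS_KEY = b"constructed-demo-signing-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def cert_thumbprint(cert_der: bytes) -> str:
    # Unkeyed SHA-256 over the DER certificate (RFC 8705 "x5t#S256").
    return b64url(hashlib.sha256(cert_der).digest())

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(subject: str, cert_der: bytes, key: bytes) -> str:
    # Step 4: the server puts the thumbprint in "cnf", then signs the token.
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "cnf": {"x5t#S256": cert_thumbprint(cert_der)}}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(sign(signing_input, key))

def verify_bound_token(token: str, peer_cert_der: bytes, key: bytes) -> dict:
    # Step 6: peer_cert_der is what the client presented in the mTLS handshake,
    # e.g. ssl.SSLSocket.getpeercert(binary_form=True) on the resource server.
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        sig_bytes = b64url_decode(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sig_bytes, sign(f"{head}.{body}", key)):
        raise ValueError("bad signature")
    bound = str(claims.get("cnf", {}).get("x5t#S256", ""))
    if not hmac.compare_digest(bound.encode(), cert_thumbprint(peer_cert_der).encode()):
        raise ValueError("certificate does not match the token binding")
    return claims

def accepts(token: str, peer_cert_der: bytes, key: bytes = AS_KEY) -> bool:
    try:
        verify_bound_token(token, peer_cert_der, key)
        return True
    except ValueError:
        return False
```

A token issued for client A's certificate is rejected when it arrives over a connection authenticated with any other certificate, even though its signature is valid.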

tls – Is my data sent over Internet stored somewhere, and will it be decrypted someday?

TLS Contact Self Service Uploading Document Strategy For UK Visa

I made an application for a UK standard visitor visa. After paying the visa fee, they redirected me to their partner website named TLS Contact for booking an appointment for providing my biometrics. There is an option on their site for a self-upload service and an assisted one, meaning if I scan and upload these documents myself it will be free, but if their staff scan and upload them for me they will charge about 35€. I don't want to pay extra just for uploading documents, so I am thinking about choosing the self-upload service. Is there anyone who has used this service?

Mozilla Meltdown Blues: Is TLS 1.0 safe?

Wifey was caught in the Thunderbird 78.4.1 automatic update disaster. Besides rewriting the Profile file so that no previous version of Tbi…

tls – HTTPS vs VPN – which is more secure

This question is based on a wrong premise.

VPNs do NOT protect you end-to-end.
A VPN is basically a second encryption layer to wrap your normal traffic in; it is encrypted until the VPN endpoint (or exit node).
This will “protect the traffic from being readable” by any intermediary (your ISP mainly). They will see traffic is going from you to the VPN but nothing more.

HTTPS (HTTP with TLS) protects almost all data end-to-end. The data not encrypted are:

  • Source IP
  • Target IP
  • The hostname connecting to (through the SNI extension allowing for TLS with virtual hosting; as an example the URL “HTTPS://” would have the following in clear text in the header for SNI “host:”)

In order to do a MiTM attack (Man in The Middle), you need a certificate that your browser will accept as valid (e.g. issued by an authorized Certificate Authority). This is the same with a VPN.

In short, a VPN only gives a limited form of privacy by having many people using the same (set of) IP addresses (hiding in the crowd).
HTTPS is about integrity, authenticity and identity (especially with client-side certificates).
Or in other words, HTTPS ensures the data is not tampered with, is from the original source, and that it is known who it came from.

tls – Trust store management best practice

A typical scenario: a big company with lots of servers in all shapes and colors (on-premise, private and public cloud)

Each server (or rather each service) needs to maintain a trust store (a file in Java, or a file folder in Node.js) that contains certificates required to establish SSL/TLS connections to other (mostly internal) services.

Certificates change, get recalled, expire – all that introduces service maintenance overhead.

I’m looking for software or an approach that would shift certificate maintenance from the service teams to a more appropriate group (e.g. information security).

tls – Storing Apache web server’s SSL certificate in HashiCorp Vault

This could be a basic question as I’m new to this area. I have an Apache web server which load balances to a set of servers to provide a web site. The Apache server has SSL enabled and we terminate TLS at the load balancer level. The TLS certificates live inside the Apache server’s local storage. Now our target is to use some key management solution to store the TLS certificates and private keys. We chose HashiCorp Vault since it is open sourced. Following is our mechanism to achieve this. I wanted to know whether the following methods have any security concerns or issues that I need to be aware of and research more.

  1. Use the Vault PKI engine to store the certificate and configure the CA so that Vault can get a new certificate (automate getting the TLS certificate from the CA)
  2. Define TTL for certificates
  3. Use the Vault client to get a certificate to the Apache web server machine’s local storage
  4. Use the retrieved certificate on the Apache web server

I could not find any other solution besides this. Regarding the cost of new certificates, I do not hope the TTL for certificates would not change from the current values (maybe 1 or 2 years, I do not know the exact time). With the introduction of Vault we only get automation of the certificate request process and ease of revoking the validity of a certificate. This does not seem enough of a benefit to move to Vault, given we need to run at least 5 Vault servers to achieve HA. Am I not using Vault correctly here?

how to implement channel binding feature in TLS

I found some explanations of the concept of TLS channel binding. But I cannot find any specific example of how to implement this feature.

I want to know if this feature needs to be implemented at the application layer, like extracting some data related to the current connection and verifying it at the application level. If it is, then should I verify this channel binding data with specific rules or just verify it however I like?

If my understanding is wrong, can anybody correct it?

TLS derived keys – Information Security Stack Exchange

TLS derives a session key from the agreed master secret. That key is then used during the TLS session for encryption and authentication of the session data.

It is not true that “… a (single) session key … for encryption and authentication …” gets derived.

While the exact details differ between TLS versions, in general different keys are derived for client and server. Up to TLS 1.2, separate keys were also derived for encryption and authentication. With TLS 1.3 only the encryption key is needed, since all ciphers use authenticated encryption.

For the details see for example RFC 5246 (TLS 1.2) section 6.3 or RFC 8446 (TLS 1.3) section 7.3.
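
The TLS 1.2 case described in this answer, as an added example (not code from the original answer): the key expansion of RFC 5246 section 6.3, cut into its separate client/server MAC and encryption keys. The SHA-256 PRF, the key sizes for an AES-128-CBC-SHA256 suite, the constructed secrets and the function names are assumptions.

```python
import hashlib, hmac

# Constructed inputs; in a real session these come from the handshake.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    # P_hash from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    # output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def tls12_key_block(master_secret: bytes, client_random: bytes,
                    server_random: bytes, mac_len: int, key_len: int,
                    iv_len: int) -> dict:
    # key_block = PRF(master_secret, "key expansion",
    #                 server_random + client_random)
    seed = b"key expansion" + server_random + client_random
    block = p_sha256(master_secret, seed, 2 * (mac_len + key_len + iv_len))
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, offset = {}, 0
    for name, size in layout:  # partition order is fixed by the RFC
        keys[name] = block[offset:offset + size]
        offset += size
    return keys

def demo_keys() -> dict:
    # AES-128-CBC with HMAC-SHA256: 32-byte MAC keys, 16-byte cipher keys,
    # and no derived IV because TLS 1.2 CBC records carry an explicit IV.
    return tls12_key_block(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, 32, 16, 0)

if __name__ == "__main__":
    for name, value in demo_keys().items():
        print(f"{name:22} {len(value):2} bytes {value.hex()}")
```

One master secret yields four distinct secrets here: a MAC key and an encryption key for each direction.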

Role-based authorisation and TLS

I want to implement role based authorisation in my TLS connections. I.e. when my client authenticates with the server I want them to have certain privileges based on their role.

Are there any provisions in the TLS protocol which facilitate this?