Cryptlib

 « Return to Thread: CMP authentication

Re: CMP authentication

by Tomas Gustavsson-3 :: Rate this Message:

Reply to Author | View in Thread


Hi Juraj and Peter,

I'd be glad if you directed EJBCA specific questions to the EJBCA
mailing list or forums. That would avoid misunderstandings about how
EJBCA works or not. It's pretty well documented at EJBCA.org, although
some clarification can always be done if it's not clear enough.

I completely agree with Peter that CMP is a total mess. This protocol is
not designed for interoperability, that is clear.

I usually recommend people looking for a CMP client in C to look at
cryptlib, since I have tested it myself that EJBCA and Cryptlib is
compatible (you may remember some email a few years back Peter).

EJBCA can handle CMP request authentication in two ways.

1. Using "RA mode", a shared secret is used to authenticate CMP messages
using HMAC. This is the way all products I have seen uses CMP. It is
usually smart card management systems acting as an "RA" to EJBCA. Using
the shared secret HMAC authentication the RAs can request certificates.

This is well tested against cryptlib!

2. If not using "RA mode" an individual user can be authenticated using
a one-time password in the CRMF message (not in the CMP message)
"Registration token control id-regCtrl-regToken". This is pretty well
specified in RFC 4211 section 6.1. Is it really an Entrust think?. It
seems pretty well specified to me?
"When deciding whether to use an authenticator or a regToken, use the
following guidelines. If the value is a one-time usage value, then
regToken would be used. If the value has a long-term usage, then the
authenticator control would be used."

According to RFC4211 the regToken is used specifically for this:
"A regToken control contains one-time information (either based on a
secret value or other shared information) intended to be used by the
CA to verify the identity of the subject prior to issuing a
certificate."

Using MAC authentication for users is not good since it requires the CA
to keep the users password in clear text.

Is it not possible to use a regToken in CRMFs with Cryptlib?
(I can't recall I did test exactly this).

Kind regards,
Tomas

Peter Gutmann wrote:

> Juraj Michalak <juraj.michalak@...> writes:
>
>> I created CMP session (CRYPT_REQUESTTYPE_INITIALIZATION) to obtain
>> certificate from CA. In my project I have used EJBCA (http://www.ejbca.org)
>> as CA. I have created end user with password in EJBCA. I have set that user
>> and password on my cryptlib CMP session and activated it... -> error ...
>>
>> In EJBCA logs I can see that there is problem with user authentication. EJBCA
>> is expecting authentication via regToken attribute in
>> CRMF->CertRequest->Controls (it is only supported auth. by EJBCA).
>
> How does it authenticate the CMP exchange then?  It needs either a MAC or a
> signature, and you can't sign at that point because you don't have a
> certificate.  The regToken isn't meant to be used for this, AFAIK it was some
> Entrust thing based on their one-time pasword tokens that no-one else ever
> used (or even knew what to do with, for that matter).
>
>> What can I do? I'm so far with my project. Till now I have used only
>> those dummy self signed certificates (CRYPT_CERTINFO_XYZZY) or imported
>> certificates.
>
> If EJBCA doesn't implement CMP properly then you'd have to use a proper
> implementation on the CA side.
>
> (A caveat about CMP, the protocol is such a mess that it's more or less just
> blind luck to find two independent implementations that interoperate.  See the
> bit about halfway through "Plug-and-play PKI: A PKI your mother can use"
> linked off my home page for just a small taste of some of the problems).
>
> Peter.
>
> _______________________________________________
> Cryptlib mailing list
> Cryptlib@... via Mail: cryptlib-request@...
> Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
> http://news.gmane.org/gmane.comp.encryption.cryptlib
> Posts from non-subscribed addresses are blocked to prevent spam, please
> subscribe in order to post messages.


_______________________________________________
Cryptlib mailing list
Cryptlib@... via Mail: cryptlib-request@...
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

 « Return to Thread: CMP authentication

Free embeddable forum powered by Nabble Forum Help