
This is a follow-up question to "When should I use Message layer encryption vs transport layer encryption".

I need to send a certificate from the mobile phone to the server. Regardless of all the details, my real question is how I can do a challenge-response step between the client and the server, when the communication follows these steps: Client->ReverseProxy->LoadBalancer->...->intendedServer

And that is actually what is behind my question!

smiley
  • *"I need to send a certificate from the mobile phone to the server."* - I doubt this is what you really want. (I don't think a certificate is what you think it is.) I encourage you to describe what you are trying to accomplish (e.g., what threats you are trying to prevent, what security goals you are trying to accomplish), without assuming a particular mechanism. – D.W. Jul 11 '11 at 17:47
  • I have a mobile app that generates the client certificate (including the private key). I need to make this key signed by the server/CA. Typically I would need a challenge response protocol here so I can have this signature done securely by signing a blob + the challenge. As you mentioned in the answer to the previous question that TLS is possible, I was wondering how I can achieve that. Typically the threats are that I am running in a public infrastructure. – smiley Jul 11 '11 at 19:03
  • Why do you want the public key to be signed by the server/CA? What assurance is a server/CA signature on the public key intended to convey? What properties of the mobile client is the server/CA checking? If the server/CA signs anything it is asked to, the signature is worthless, so it is important to describe what you intend the server/CA's signature to mean. – D.W. Jul 11 '11 at 19:28

1 Answer


If you own/trust the Reverse Proxy, Load Balancer, and Intended Server(s) then:

  • Your client mobile phone has the client certificate (through some secure means) which it uses to authenticate to the Reverse Proxy.

  • The Reverse Proxy handles the SSL/TLS decryption, then forwards the traffic onto the Load Balancer and the intended server (unencrypted).

  • Load Balancer and Intended Server are hidden from the internet behind routers/firewalls.

The Reverse proxy is configured to only allow connections from the allowed client certificates.

  • Alternatively all the SSL traffic could be passed through the Reverse Proxy and decrypted on the Load Balancer or Intended Servers, but that only allows IP based load balancing.

Unless I am misunderstanding some part of your protocol, I am assuming here that the Certificate you are talking about is for Authentication to the SSL/TLS website and not some other certificate.

Edited to add:

You added a comment above to explain that it is the initial certificate creation (CSR being signed) that needs to be encrypted.

In this scenario you need to determine what initial authentication you require.

  • Are you tying the certificate to a real world or prior identity? Then apply some authentication such as username/password through the SSL tunnel to initially create it.

  • But if you are just creating a random certificate to hang a new identity on, then SSL/TLS from mobile app to server should be OK; verifying the server certificate first is probably a good additional security measure.

Andrew Russell
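The two halves of the answer, as an added Go example that is not part of the original answer or of any project it mentions: the "Edited to add" enrollment flow (the app generates its own key, sends only a CSR through the TLS tunnel, the server checks a prior identity before its CA signs), and the reverse proxy's rule of accepting only client certificates issued by that CA. The `EnrollmentCA` type, the `alice` / `correct horse` credentials and every name below are constructed for illustration; the plain username/password lookup stands in for whatever prior-identity check a real deployment uses, and the CA key would live only on the intended server, never on the proxy or load balancer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// EnrollmentCA is a hypothetical server-side signer: the CA key plus a table
// of prior identities (username -> password) that gates enrollment.
type EnrollmentCA struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	users  map[string]string
}

// NewEnrollmentCA creates a self-signed CA (constructed for the example).
func NewEnrollmentCA(users map[string]string) (*EnrollmentCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Enrollment CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &EnrollmentCA{caCert: cert, caKey: key, users: users}, nil
}

// ClientEnroll is the mobile app's side: the key pair is generated on the
// device and only the CSR (public key + self-signature) is sent over TLS.
func ClientEnroll(requestedName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: requestedName}}, key)
	return key, csrDER, err
}

// Sign is the server's enrollment handler, reached through the TLS tunnel.
// It signs nothing unless the caller proves a prior identity and the CSR's
// self-signature shows the caller actually holds the matching private key.
func (ca *EnrollmentCA) Sign(user, password string, csrDER []byte) ([]byte, error) {
	want, ok := ca.users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(password)) != 1 {
		return nil, errors.New("enrollment refused: authentication failed")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil {
		return nil, errors.New("enrollment refused: CSR proof of possession failed")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil { return nil, err }
	// The issued name is the authenticated account, not whatever the CSR asked for.
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.caCert, csr.PublicKey, ca.caKey)
}

// ProxyAccepts is the reverse proxy's rule: a presented client certificate is
// accepted only if it chains to the enrollment CA and is valid for client
// auth. It returns the authenticated name the proxy would pass to the back end.
func (ca *EnrollmentCA) ProxyAccepts(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return "", err }
	roots := x509.NewCertPool()
	roots.AddCert(ca.caCert)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

The private key never crosses the proxy or load balancer in either direction: the app sends a CSR, gets back a certificate, and from then on the proxy authenticates it with the same `Verify` check a TLS stack performs when `ClientCAs` is set to the enrollment CA. If no prior identity exists (the second bullet of the answer), the `users` lookup is the part you would drop, and the certificate then only pins the app's freshly generated key to whatever name the server chooses to issue.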