E-Commerce Security: Securing Access to E-Commerce Sites
Introduction
With the recent explosion of E-Commerce on the Internet, concern for the security of the data sent over the Internet is ever increasing. Digital certificates have proved to be the need of the hour. Microsoft Certificate Server is a server application for managing the issuance, revocation, and renewal of digital certificates.
Instead of the traditional form of securing web sites with a user name and password, where the data is not always safe, digital certificate-based security provides an easy yet powerful way to send data over the Internet. This technical report explains the operations required to set up digital certificate-based access to web sites, where a web site allows only a browser holding a valid digital certificate to access it. Moreover, mapping client certificates to Windows NT user accounts provides web sites with enhanced security.
Digital Certificates
Public key algorithms are one of the better ways of encrypting data. Such an algorithm uses two different keys, a public key and a private key. The private key is kept private by the owner of the key pair; the public key is distributed, through certificates, to whoever requests it. One of the keys is used to encrypt the message and the other to decrypt it. A digital certificate is a set of data issued by a Certification Authority (CA) that contains the public key. Certification authorities issue digital certificates to those who need them, and a CA must make sure that the public key contained in a certificate belongs to the person to whom the certificate was issued. To ensure this, the certification process follows these steps.
- A request containing the name and the corresponding public key is sent to the CA.
- The CA creates a special message and encrypts that message with its private key; this is the CA's signature.
- The CA then sends the signed message bundled with the public key; the bundle is called a certificate.
- The certificate can now be verified by decrypting the CA's signature with the CA's public key.
A user who needs to verify the certificate only needs the CA's public key, which is normally distributed by the CA.
Microsoft Certificate Server can perform the role of a CA; it can also function as a subsidiary of another CA.
Installing And Configuring MS Certificate Server As The Root CA
Microsoft Certificate Server comes as part of the Windows NT Option Pack. The following must be installed before Certificate Server can be installed:
- Microsoft Windows NT Server 4.0 with Service Pack 3 or above.
- Microsoft Internet Information Server version 4.0.
- Microsoft Internet Explorer 3.0 or above for web-based certificate enrollment.
Run the Option Pack setup and select Certificate Server in the list of components. When asked, type in the correct directories for storing the certificates. If you checked the Show Advanced Configuration check box, then in the advanced configuration make this Certificate Server the default and select Root CA. When prompted for information to identify the CA, enter the Root CA's name and fill in the other fields appropriately, then allow the installation to finish. Now start the Certificate Authority service. The Root CA is now ready. After installing Certificate Server you can apply NT SP4, which updates Certificate Server with its patches.
Installing And Configuring MS Certificate Server As A Subsidiary CA
The requirements for a subsidiary CA are the same as those for a Root CA. Instead of selecting Root CA in the Advanced Configuration screen, select Non-Root CA. Apart from this change there is no difference between the installation of a Root CA and a Non-Root CA.
Establishing Certificate-Based Trust Between The Root And The Subsidiary
The shared folder (the directory given during installation for storing the certificates) on the subsidiary CA contains a file named MachineName_SubordinateCAName.req; this file is a Base64-encoded PKCS #10 certificate request. Copy this file to the machine that is the Root CA. The Root CA's certificate server processes this request and generates the certificate needed to operate the subordinate CA. Copy the MachineName_SubordinateCAName.crt generated by the Root CA to the shared folder of the subsidiary CA machine. Now run Programs/Windows NT Option Pack/Microsoft Certificate Server (Common)/Certificate Server Hierarchy Configuration from the Start menu, then start the Certificate Authority service. The installation of the two-level Certificate Server hierarchy is now complete.
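The certification steps from the Digital Certificates section and the .req/.crt exchange between the subordinate and the Root CA above, as an added example (not the paper's or Microsoft Certificate Server's code). It assumes the third-party Python package `cryptography` is installed; the CA names, the validity periods and the RSA parameters are constructed for illustration.

```python
# Added example; assumes the third-party 'cryptography' package is installed.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def dn(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])

def sign_cert(subject, issuer, public_key, signer_key, days, path_len):
    """Bind a subject name to a public key and sign the bundle with the issuer's private key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=path_len), critical=True)
            .sign(signer_key, hashes.SHA256()))

def make_root_ca(name="Example Root CA"):
    """Self-signed root: the root signs its own public key with its own private key."""
    key = new_key()
    return key, sign_cert(dn(name), dn(name), key.public_key(), key, 3650, None)

def make_request(key, name="Example Subordinate CA"):
    """Subordinate side: the PKCS #10 request (name + public key) in Base64 PEM, like the .req file."""
    csr = x509.CertificateSigningRequestBuilder().subject_name(dn(name)).sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)

def issue_from_request(root_key, root_cert, req_pem, days=365):
    """Root side: check the request's own signature, then issue the subordinate's certificate (the .crt file)."""
    csr = x509.load_pem_x509_csr(req_pem)
    if not csr.is_signature_valid:
        raise ValueError("request signature does not match its public key")
    cert = sign_cert(csr.subject, root_cert.subject, csr.public_key(), root_key, days, 0)
    return cert.public_bytes(serialization.Encoding.PEM)

def issued_by(cert_pem, ca_cert):
    """Verifier side: only the CA's public key is needed to check the CA's signature on the certificate."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject
```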
Configuring the IIS to use the Certificate Server
The default page of Certificate Server (CertSrv) has all the tools required for issuing and managing certificates. Click on Certificate Enrollment Tools, navigate to Install Certificate Authority Certificates and download the CA's certificate file. Run iisca.exe from the directory where IIS is installed. Now install the certificate. Stop and start the WWW service.
Note: If you have SP4 or above there is no need to run iisca.exe.
Note: If you have SP4 or above, click Install Certificate; when the wizard prompts you to select the certificate store, select Show Physical Stores, open Trusted Root Certificate Authorities, and then click Local Computer.
Creating a Key Certificate for the Web Server
Start the Microsoft Management Console (MMC), go to the Internet Service Manager and select the virtual directory you wish to secure. In its properties dialog select the Directory Security tab. Click Secure Communication and then click Key Manager. In Key Manager select WWW and choose Create New Key from the menu. Select Put request in a file that you will send to an Authority.
Open the text file containing the request and copy the text in it. On the Certificate Server home page browse to the Process a Certificate Request link. Paste the text into the text box on the page and submit it. Download the certificate to disk.
Open Key Manager again, select the certificate you created, select Install Key Certificate and enter the password. Commit all the changes in Key Manager.
Securing the Directory on the Web Server
In the Secure Communication properties of the directory to be secured, select Require Secure Channel when accessing this resource. Also select the Require Client Certificate radio button. You also have to make Windows NT Challenge/Response the only enabled authentication method for this directory in Authentication Control.
The web site is now ready to perform secure communication. Before any actual communication can take place the client needs to install the required certificates.
Configuring The Client To Access The Secured Resource
The client needs a valid certificate in order to connect to the secured site. For this the client must first install the CA's certificate and then get itself certified by the CA. Both can be done easily using the tools on the Certificate Server home page.
Installing the CA’s Certificate on the Client
Browse to http://domain/certsrv and click the Certificate Enrollment Tools / Install Certificate Authority Certificates link. Click on Certificate for \ CA name, download the certificate file and install the certificate.
Note: If you have SP4 or above, click Install Certificate; when the wizard prompts you to select the certificate store, select Show Physical Stores, open Trusted Root Certificate Authorities, and then click Local Computer.
Installing a Certificate on the Client
Browse to http://domain/certsrv and click the Certificate Enrollment Tools / Request a Client Authentication link. Fill in the required information and submit it. When the download page appears, click Download to install the client certificate.
Note: The above procedure is highly dependent on the type of browser you use.
Netscape Navigator 4.x: The download screen does not appear; instead a wizard pops up and takes you through the certificate installation procedure.
Internet Explorer 5.0: The web page used to request the certificate needs a modification, as the ASP page fails to recognize the browser type; a separate ASP page for IE5 is one solution to work around this problem.
Now the client is ready to connect to the secured site. When prompted, select the correct certificate to enter the secured site.
Mapping Client Certificates To A Valid Windows NT login
The client certificate can also be used to log the client on to a Windows NT account. This gives the server finer control, since it can specify which resources the user may access on the server. This is also very useful when the server uses NTFS to specify the files the user can access on disk.
To map a client certificate to a user account on the server, export the client certificate from the client machine in Base64-encoded X.509 format and copy the certificate file to the server. In IIS, open Secure Communication for the secured resource, check Client Certificate Mapping and click Edit. Select Add, then select the exported client certificate and the user account.
User accounts can also be mapped according to predefined rules. This allows similar certificates to use the same Windows NT account without you having to map each and every client certificate. This feature is very helpful when securing a site that has a lot of clients connecting; mapping each and every client certificate in that case might prove impossible.
Note: Any certificate revocation requires the Certificate Authority and the World Wide Web Publishing services to be restarted.
Note: The client certificate needs to be exported in X.509 (Base64) format. The current version of Netscape Navigator does not support this format. One way to work around this problem is to rename the certificate exported by Netscape to .PFX and import it into IE5; once this is done the certificate can be exported in any format from IE5. Also, to export a certificate to a PKCS #12 format file, select the "Yes, export the private key" option when prompted.
Writing Converters To Change The Certificate Format
The process of importing a client certificate from IE4 into IIS can be made easier by writing a converter to do the job. Since both formats are X.509, a small program can take in a DER-encoded X.509 certificate and write out a Base64-encoded X.509 certificate. The source code of such a converter is given below.
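A converter of the kind described above, as an added example written for this page (it is not the paper's own source code). It uses only the Python standard library, checks that the input really is one complete DER SEQUENCE before encoding it, and also converts in the other direction; SAMPLE_DER is a constructed minimal DER value, not a real certificate.

```python
# Added example: DER (binary) X.509 <-> Base64 X.509 text, standard library only.
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_length(data):
    """Return (length of the outer SEQUENCE body, header size); raise on a malformed header."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = ASN.1 SEQUENCE tag
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                               # short form: one length byte
        return first, 2
    n = first & 0x7F                               # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length encoding")
    return int.from_bytes(data[2:2 + n], "big"), 2 + n

def check_der(data):
    """Reject truncated or trailing-garbage input: header + body must equal the file size."""
    body, hdr = der_length(data)
    if hdr + body != len(data):
        raise ValueError("DER length does not match the data size")
    return data

def der_to_base64(der):
    """DER bytes -> Base64 text with 64-column lines and BEGIN/END CERTIFICATE markers."""
    b64 = base64.b64encode(check_der(der)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"

def base64_to_der(text):
    """Base64 text -> DER bytes, validating the markers, the alphabet and the DER framing."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END CERTIFICATE lines")
    return check_der(base64.b64decode("".join(lines[1:-1]), validate=True))

# Constructed sample: SEQUENCE { INTEGER 1, UTF8String "Example" }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x0C, 0x02, 0x01, 0x01, 0x0C, 0x07]) + b"Example"
```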
Programmatic Support To Certificate Server
The whole process of requesting, creating, renewing and revoking certificates by the certification server can be done programmatically using the various COM interfaces exported by the server. There are also ActiveX controls that help with both requesting certificates on the client side and issuing certificates on the server side. All these features, combined with HTML and some scripting, can make the whole process of certification automatic and easy to use even for novice clients.
Conclusion
Microsoft Certificate Server is still in its early days. There are a lot of differences in the formats supported, and the certification server hierarchy is not officially supported in the current version (1.0).
