Security Blues


smjawad

Hi,

I am developing a system on which multiple front-end kiosk machines
will be connected to a central server. I am being asked for the
authentication mechanism for the machines, like how will the central
server authenticate the machines on the network. IP authentication or
password authentication is too simple for them. I am thinking more on
the lines of some sort of digital certificates. But I have seen them
run on servers, never on clients.

My server is based on asp pages running on IIS. The client program is
in vb / vb.net. I want to know how asp pages can authenticate vb/vb.net
clients by means of certificates or, for that matter, anything else.
The client wants the authentication control to himself, so that not
even I can tamper with the system.

I hope you guys understand the question and direct me in the right
way, and I also do hope that this is the right group for such a
question. Many thanks in advance.

Regards
Jawad
 
Hi there,

I understand what it is you are trying to achieve. I am not sure of
the exact method to implement digital certificate handling in ASP,
however there is a more fundamental issue that you need to deal with
first: What is the PKI model that you are going to follow to reach
your desired goal. For example it is possible to purchase digital
certificates from various vendors, and it is also possible to create
your own servers for this task. I would suggest that it would be a
good idea to speak with a properly qualified security person in your
area to get the security model right, which will then in turn tell you
what you will need to do to achieve your goals, then you can find out
what technical shortcomings you need to overcome. I can't stress enough
how important it is to get the security model right and correctly
implemented. If it is done properly then you will have a safe and
secure system, if not it doesn't really matter how advanced the
certificates or the cryptography used is - you will have a false sense
of security and the system remains a soft target for attack.

If you want some good background info on dealing with certificates and
implementing them then I would suggest any of the study guides /
reading material for the CompTIA Security+ certification would be a
good start. You will get a good grounding in the ideas of implementing
certificates from these readings, and also the other related topics /
tasks that have to be taken into consideration.

Good luck with this, and feel free to post back if you need more
advice. If I can assist I will.

Cheers

The Frog
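An added example, not from either poster, of the "create your own" PKI option the reply mentions: the central server accepts a kiosk only if it presents a client certificate issued by the operator's private CA, and takes the kiosk's identity from that certificate. It is written in Go against the standard library (the thread's ASP/IIS server and VB.NET client would do the same TLS handshake with IIS set to require client certificates); the kiosk names, the CA name and the `X-Kiosk` header are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints an Ed25519 key and certificate for cn: a self-signed root (the operator's own CA) when parent is nil, otherwise a kiosk certificate signed by that CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign: this certificate becomes the trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newKioskServer completes the TLS handshake only for clients whose certificate chains to a CA in trusted, then identifies the kiosk from that certificate rather than from a password or IP address.
func newKioskServer(trusted *x509.CertPool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Kiosk", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trusted}
	srv.StartTLS()
	return srv
}

// connect acts as one kiosk: it trusts the server's certificate, presents its own, and returns the server's response, or the error when the server refuses the handshake.
func connect(srv *httptest.Server, cert *x509.Certificate, key ed25519.PrivateKey) (*http.Response, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}}
	return (&http.Client{Transport: tr}).Get(srv.URL)
}
```

A kiosk whose certificate comes from any other CA, even with the same name, fails during the handshake, so the handler never runs. Because only the holder of the CA key can enrol a machine, keeping that key with the customer gives them the control over authentication that the question asks for.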
 