Client certificate and IP address based multi-factor authentication for J2EE web applications
Source: IBM Centre for Advanced Studies Conference archive
Proceedings of the 2007 conference of the Center for Advanced Studies on Collaborative Research
Richmond Hill, Ontario, Canada
SESSION: Privacy, security and database query processing
Pages: 167-174
Year of Publication: 2007
ISSN: 1705-7361
Authors
Heesun Park  SAS Institute Inc., Cary, NC
Stan Redford  SAS Institute Inc., Cary, NC
Sponsors
IBM Toronto Software Lab
IBM Centers for Advanced Studies (CAS)
Publisher
ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1321211.1321229

ABSTRACT

Secure and encrypted authentication is an important aspect of J2EE web application security. SSL client certificate authentication provides an encrypted log-on mechanism and a single sign-on capability that does not involve the use of passwords. Unlike SPNEGO-protocol-based Kerberos authentication, which requires both parties to be in the same domain, client certificate authentication works across domain boundaries as long as the user registry for the application server is properly set up to handle the certificate. But client certificate authentication comes with some shortcomings, especially when the client certificate is used from an unauthorized machine. We examine this potential vulnerability of client certificate authentication and show how to make this type of authentication more secure by using multi-factor authentication. Adding an IP-address-checking servlet filter to the web application is one good approach. We also provide implementation details.
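The following servlet filter is an added illustration of the approach the abstract describes, written for this page; it is not the authors' implementation from the paper. It assumes the container has already verified the client certificate and exposed it under the standard `javax.servlet.request.X509Certificate` request attribute, and it uses a constructed in-memory registry that maps certificate subject DNs to the IP addresses from which that certificate may be presented (a real deployment would read this from LDAP or a database). The `CertIpBindingFilter` class name, the registry contents and the `isAllowed` helper are all hypothetical.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not the paper's code): second factor on top of SSL client
 * certificate authentication. The request is allowed through only when the
 * certificate subject is presented from one of the IP addresses registered for it.
 */
public class CertIpBindingFilter implements Filter {

    /** Constructed sample registry: subject DN (RFC 2253 form) -> allowed client IPs. */
    private final Map<String, Set<String>> allowedAddresses = new HashMap<String, Set<String>>();
    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        // Assumption: in production these entries come from the user registry (e.g. LDAP).
        allowedAddresses.put("CN=alice,OU=Dev,O=Example",
                new HashSet<String>(Arrays.asList("10.1.2.3", "10.1.2.4")));
        allowedAddresses.put("CN=bob,OU=Ops,O=Example",
                Collections.singleton("10.9.8.7"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container places the verified certificate chain in this standard attribute;
        // element 0 is the end-entity (client) certificate.
        X509Certificate[] chain = (X509Certificate[])
                request.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Client certificate required");
            return;
        }

        String subject = chain[0].getSubjectX500Principal().getName();
        // Use the TCP peer address. X-Forwarded-For is client-controlled and must only
        // be trusted when a reverse proxy you control sets it and the app validates it.
        String remoteIp = request.getRemoteAddr();

        if (!isAllowed(subject, remoteIp)) {
            // Log the mismatch so that a certificate presented from an unregistered
            // machine is visible to monitoring, then refuse the request.
            context.log("Certificate " + subject + " presented from unregistered address " + remoteIp);
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client address not authorized for this certificate");
            return;
        }
        filterChain.doFilter(req, res);
    }

    /** Returns true only when the subject is registered and remoteIp is in its allowed set. */
    boolean isAllowed(String subject, String remoteIp) {
        Set<String> allowed = allowedAddresses.get(subject);
        return allowed != null && allowed.contains(remoteIp);
    }

    public void destroy() {
        allowedAddresses.clear();
    }
}
```

The filter is registered in `web.xml` with a `<filter>` element naming the class and a `<filter-mapping>` whose `url-pattern` covers the protected resources, so that it runs before the application's own servlets. Because the second factor is the source address, its strength depends on the network: behind NAT many users share one address, and DHCP or VPN clients change addresses, so treat the check as a defence-in-depth control that narrows where a stolen certificate and key can be used, not as a replacement for protecting the private key itself.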

