
TLS ClientAuth with FIDO

Smartcards with X.509 digital certificates on them are powerful credentials since they enable strong authentication using the Transport Layer Security (TLS) Client Authentication (ClientAuth) protocol.

When integrated with FIDO, this design enables simpler and stronger authentication through the use of public key cryptography and physical hardware devices (called Authenticators).

Layering TLS ClientAuth with FIDO allows an organization to enable the strongest authentication capability in the world, using two different public key cryptographic protocols on the same Authenticator to authenticate users to applications. TLS ClientAuth requires that the Authenticator hold a digital certificate from a trusted Certification Authority (CA) before the user can even see the Login screen of the FIDO-enabled application. The FIDO credential on the same Authenticator then lets users authenticate to the application conveniently, without skipping a beat.

This design mitigates “drive-by” attempts to break into the web application, and even “denial-of-service (DoS)” attacks, since the user must strongly authenticate using TLS ClientAuth before even viewing the landing page of the web application where FIDO authentication is required.

This document describes the steps to test StrongKey's DEMO applications, which demonstrate how this capability works.

PREREQUISITES

  1. Browser – we recommend using the current release of Firefox;

  2. FIDO Certified® FIDO Security Key – we have tested this with GoTrust Idem Key Plus and Yubico’s FIPS Certified Yubikey (see MFA Implementations on StrongKey’s Documentation site);

  3. Internet access that allows connections to port 8282 in addition to the standard port 443 for HTTPS. We realize that most enterprises deny browser access to anything other than port 443; in that situation, you will have to test this capability from outside your enterprise’s perimeter, or request controlled access to https://demo.strongkey.com and https://demoapps.strongkey.com on ports 8282 and 443;

  4. X.509 digital certificates trusted by the DEMO web applications. StrongKey has made two (2) such digital certificates, with their private keys, available as PKCS#12 (aka PFX) files at: https://sourceforge.net/projects/strongkeyfido/files/v4.10.1/sampleapps/certs/

    • A valid user whose certificate will permit a successful TLS ClientAuth connection:

      • PKCS#12 filename: GoodUser2023.p12

      • SHA256 digest: c3c234ed742d0a94537a27acf699a957fe614ca8f3402e3da6204a953afd959d

    • A user with a revoked digital certificate; while this will load into the Security Key, it will fail the PKIX Validation test within the application:

      • Filename: BadUser2023.p12

      • SHA256 digest: 2c4fdcda65997d4c6040f55fc0491d55d38d1fe3c6c929577e29737ce56e054d
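As an added check (an example script, not StrongKey's own tooling): before importing a downloaded PKCS#12 file and the private key inside it, confirm the file matches the digest published above, then inspect the certificate it carries. It assumes openssl is installed and the two files sit in the current directory; filenames, digests and the password 12345678 are the ones given in this document.

```shell
#!/bin/sh
# Added example, not StrongKey's own tooling: verify a downloaded PKCS#12 file
# against the SHA256 digest published above before importing its private key,
# then show the certificate it carries. The filenames, digests and the import
# password 12345678 are the ones given in this document.

# sha256_of FILE: print the hex digest (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_p12_digest FILE EXPECTED_HEX: return 0 on match, 1 on mismatch.
verify_p12_digest() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $1"
    else
        echo "FAIL $1: got $actual, expected $expected" >&2
        return 1
    fi
}

# show_p12_cert FILE PASSWORD: print subject, issuer, validity window and the
# CRL distribution point of the end-entity certificate, i.e. the data a PKIX
# validation uses to decide that the BadUser2023 certificate is revoked.
show_p12_cert() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
      | openssl x509 -noout -subject -issuer -dates -ext crlDistributionPoints
}

# check_published_files: run both checks over the two files from the
# SourceForge link above (expected in the current directory).
check_published_files() {
    verify_p12_digest GoodUser2023.p12 \
        c3c234ed742d0a94537a27acf699a957fe614ca8f3402e3da6204a953afd959d || return 1
    verify_p12_digest BadUser2023.p12 \
        2c4fdcda65997d4c6040f55fc0491d55d38d1fe3c6c929577e29737ce56e054d || return 1
    for f in GoodUser2023.p12 BadUser2023.p12; do
        echo "== $f"; show_p12_cert "$f" 12345678
    done
}

# Run the checks only when invoked as: sh check_p12.sh --run
if [ "${1:-}" = "--run" ]; then check_published_files; fi
```

On OpenSSL 3, add -legacy to the openssl pkcs12 command if the file was created with the older RC2-based PKCS#12 encryption.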

STEP 1: Import the Certificates into the browser or the Security Key:

Importing Digital Certificates – GoTrust Idem Key Plus

Please follow instructions shown here. You will need to contact GoTrust to get access to the GoTrust Authenticator Admin Tool.


Importing Digital Certificates – Yubico Yubikey FIPS

Please follow instructions shown here. You can download the YubiKey Manager from Yubico’s website.


Importing Digital Certificates – Browser

If you do not have either of the Security Keys named above, you can still import the PKCS#12 files from the referenced link and use any FIDO Certified® Security Key to test the TLS ClientAuth + FIDO enabled applications.

Follow this section if you are using 'soft certificates', where the private key and digital certificate are stored in the browser's keystore instead of on a Smartcard or a Security Key. The steps to import the private key and certificate vary depending on the browser.

Importing Digital Certificates – Mozilla Firefox

  1. In Firefox's menu, go to Settings → Privacy and security → Certificates → View Certificates;

  2. Go to the 'Your Certificates' tab and import the certificates that were downloaded. Use 12345678 as the password and click OK. When successfully imported, the digital certificates should be visible in the Manage Certificate panel.

Importing Digital Certificates – Google Chrome

  1. In Chrome's menu, go to Settings → Privacy and security → Security → Manage device certificates;

  2. Go to the 'Your Certificates' tab and import the certificates that were downloaded. Use 12345678 as the password. When successfully imported, the digital certificates should be visible in the Manage Certificate panel.

Importing Digital Certificates – Edge

  1. In Edge's menu, go to Settings → Privacy, search and services → Security → Manage certificates;

  2. Go to Personal and import the certificates that were downloaded. Use 12345678 as the password. When successfully imported, the digital certificates should be visible in the Manage Certificate panel.

STEP 2: Test the TLS ClientAuth enabled web applications:

PKI2FIDO

A basic Java application demonstrating how users with X.509 digital certificates can strongly authenticate using TLS ClientAuth and then register a FIDO Security Key with SKFS (StrongKey FIDO Server).

  1. Make sure you have imported the two digital certificates into your browser or on the Security Keys, as described above;

  2. Start a new Private Browser session;

  3. Insert your FIDO Authenticator into a USB port;

  4. Browse to https://demo5.strongkey.com/pki2fido/angular and follow the steps;

  5. Choose the Bad User digital certificate. Verify that the application refuses to allow you to continue based on the certificate's status;

  6. Start a new Private Browser session and visit the URL shown above; if Chrome does not let you start over (because it remembers the use of the revoked certificate), exit the browser, delete the cookies, restart it, and go back to this URL;

  7. Choose the Good User certificate. Continue on the path the application takes you and register the FIDO Authenticator with the site;

  8. When successful, continue to authenticate with your registered FIDO credential;

  9. You can also deregister the FIDO Authenticator by clicking the Deregister button.

SKSO

StrongKey Sign-On (SKSO) is a purpose-built web application designed to support the registration and management of FIDO credentials with SKFS, and to interoperate with Citrix ADC and Citrix Gateway for single sign-on to Citrix environments using SAML Assertions.

  1. Make sure you have imported the two digital certificates into your browser or on the Security Keys, as described above;

  2. Start a new Private Browser session;

  3. Insert your FIDO Authenticator into a USB port;

  4. Browse to https://demoapps.strongkey.com:8282/sksoca and follow the steps;

  5. Choose the Bad User digital certificate. Verify that the application refuses to allow you to continue based on the certificate's status;

  6. Start a new Private Browser session and visit the URL shown above; if Chrome does not let you start over (because it remembers the use of the revoked certificate), exit the browser, delete the cookies, restart it, and go back to this URL;

  7. Choose the Good User certificate. Continue on the path the application takes you and register the FIDO Authenticator with the site;

  8. When successful, authenticate with the new credential into the Credential Management Page;

  9. Continue to the Citrix Gateway Dashboard.

DISCOVER

A web application demonstrating how to authenticate users to the relying party's site without having the user provide a username: the browser and the user's FIDO Authenticator negotiate the capability between them, making the user experience seamless.

  1. Make sure you have imported the two digital certificates into your browser or on the Security Keys, as described above;

  2. Start a new Private Browser session;

  3. Insert your FIDO Authenticator into a USB port;

  4. Browse to https://demoapps.strongkey.com:8282/discoverca and follow the steps;

  5. Choose the Bad User digital certificate. Verify that the application refuses to allow you to continue based on the certificate's status;

  6. Start a new Private Browser session and visit the URL shown above; if Chrome does not let you start over (because it remembers the use of the revoked certificate), exit the browser, delete the cookies, restart it, and go back to this URL;

  7. Choose the Good User certificate. Continue on the path the application takes you and register the FIDO Authenticator with the site;

  8. Continue to authenticate without entering a username;

  9. If successful, the FIDO Credential Management page is displayed.