0

Is it possible to allow access to a website only for specific clients on specific machines?

I'm no security expert, but one idea I had is to generate a certificate that would work only on a specific machine (so if the certificate was stolen, it wouldn't work on other computers) and then somehow use that to authorize myself on the website (plus providing a username and password).

The security requirements are very high, and I would like to avoid developing a desktop application for scalability and maintainability reasons, but security becomes an issue.

Is this achievable on the web, or should this be a purely local application?

I would appreciate any reading material about this issue. Thank you.

Shahin Dohan
  • 103
  • 2
  • You might be able to lock a cert/key pair inside hardware. [Locked inside a TPM on the motherboard maybe?](https://blogs.technet.microsoft.com/pki/2014/06/05/setting-up-tpm-protected-certificates-using-a-microsoft-certificate-authority-part-1-microsoft-platform-crypto-provider/) – StackzOfZtuff Sep 21 '16 at 12:58
  • Use a TPM or alternatively a smartcard to store the certificate. If the smartcard is missing, your certificate got stolen! – Josef Sep 21 '16 at 13:34
  • Thanks for your input, I've reached the conclusion that TPM is the way to go. – Shahin Dohan Sep 21 '16 at 17:19

2 Answers

1

Use TLS client authentication, and only trust the specific issuer certificate at the server. You must be able to securely enroll your clients to use this of course, and the private key of the client must be kept securely. One method is to issue smart cards to the clients.

Client authentication is mostly used for machine to machine communication rather than web-browsers nowadays.

Maarten Bodewes
  • 4,562
  • 15
  • 29
1

You cannot stick clients to their devices. At least, there is no suitable protocol that would check client devices as well. As suggested, your only option is to use a TPM to store client authentication certificates.

Smart cards are transferable to other devices (so an authorized user can use an unauthorized device/computer), therefore it might not fit your requirements.

Crypt32
  • 5,750
  • 12
  • 24
  • Thanks, I reached the same conclusion as well. I was hoping there would be a better solution though. I'll mark this as the answer since I feel it best answers my question, but I appreciate everyone's input! – Shahin Dohan Sep 21 '16 at 17:17