Certificate based authentication without using app specific cert store

    Question

  • I am trying to figure out if it's possible to perform certificate based authentication without storing the certificate in the app specific certificate store in a store app. The reason I don't want to store it there is that it doesn't look secure: using a text editor, I am able to look at quite a few details. I could imagine a hacker getting hold of a certificate which is used in lieu of a password with some effort.

    So with that said, the only avenue looks like using the following certificate constructor to obtain a certificate and then providing some kind of custom httpClient equivalent implementation that would take care of responding to auth challenges. So with that background information, I have two questions:

    1. Is this feasible?

    2. If so: according to the documentation on MSDN, the Windows.Security.Cryptography Certificate class constructor is defined in this manner:

    public Certificate( IBuffer certBlob )

    Parameters

    certBlob
        Type: IBuffer
        The certificate data as an ASN.1 DER encoded certificate blob (.cer or .p7b).

    http://msdn.microsoft.com/en-US/library/windows/apps/windows.security.cryptography.certificates.certificate.certificate.aspx

    From the above information, can I conclude that it doesn't have a way to read a certificate with a private key? A .cer file could contain a private key, but that is not recommended. Also, the constructor doesn't have a way to specify the password, which I think would be needed to decrypt the private key. I wish they had more details than they do here.

    Monday, July 21, 2014 9:11 PM

All replies

  • You're saying that you want to use client-certificate-based authentication but don't want to distribute the certificate with the app - that makes sense to me. So you need to find a new way to distribute a client certificate to the end user for use in your application. Email is one way. Registration for a certificate is another. I don't know what your specifications for security are.

    What I don't understand is the second part of your question. What does how the constructor works have to do with using it to get authenticated?

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Tuesday, July 22, 2014 12:35 PM
  • My concerns are around security. That's the reason I don't want to store the cert file in the app specific store. So the real question is this:

    In order to perform cert based authentication, Windows store apps allow you to store the certificate in an app specific certificate store, which will create a file like this:

    \AppData\Local\Packages\fb8e0b0f-1159-44a7-a25e-ee1f3fcc0f28_6h554a31s3wew\AC\Microsoft\SystemCertificates\My\Certificates\8E9595468938E6D25F46E7EDF92D8359F50DB07C

    Do you know if this file contains both the public and the private key? If it contains the private key, is it encrypted using something?

    As an alternative to importing the certificate into the app-specific cert store, we wanted to see if I can store the certificate with our own encryption, then read that cert data when ready to send it along with httpClient. In order to do that, I would have to construct a certificate object, so the certificate constructor was an obvious choice to do so.
    Tuesday, July 22, 2014 12:56 PM
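The constructor quoted in the question takes an ASN.1 DER blob, and both the question and the last reply ask whether such a blob, or the file in the app-specific store, can hold a private key. As an added example that is not code from this thread or from Microsoft, the following Python inspects only the outer ASN.1 structure of a DER blob and reports whether it is a bare X.509 certificate (public key only), a PKCS#7 bundle (.p7b), or a PKCS#8 / PKCS#12 container that carries private key material; the SAMPLE_* blobs are constructed stand-ins with the right shape, not real keys or certificates.

```python
# Added example, not the thread's code: classify a DER blob by its outer ASN.1 shape.

PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def read_tlv(buf: bytes, pos: int = 0):           # one DER TLV -> (tag, value, end_offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes):                       # contents of a SEQUENCE -> [(tag, value)]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify_der(blob: bytes) -> str:
    if len(blob) < 2:                             # nothing to parse
        return "unknown"
    tag, val, end = read_tlv(blob)
    if tag != 0x30 or end != len(blob):           # every format here is one top-level SEQUENCE
        return "unknown"
    kids = children(val)
    tags = [t for t, _ in kids]
    if tags[:2] == [0x06, 0xA0] and kids[0][1] == PKCS7_SIGNED_DATA:
        return "pkcs7-signeddata"                 # .p7b: OID signedData, [0] EXPLICIT content
    if tags == [0x30, 0x30, 0x03]:
        return "x509-certificate"                 # tbsCertificate, sigAlg, BIT STRING signature
    if tags and tags[0] == 0x02:                  # PKCS#8 and PKCS#12 open with an INTEGER version
        version = int.from_bytes(kids[0][1], "big")
        if version == 0 and tags[:3] == [0x02, 0x30, 0x04]:
            return "pkcs8-private-key"            # version, AlgorithmIdentifier, OCTET STRING key
        if version == 3 and len(tags) >= 2 and tags[1] == 0x30:
            return "pkcs12-pfx"                   # version 3, authSafe ContentInfo, optional macData
    return "unknown"

def carries_private_key(blob: bytes) -> bool:     # the question a store app should ask before loading
    return classify_der(blob) in {"pkcs8-private-key", "pkcs12-pfx"}

def der(tag: int, payload: bytes) -> bytes:       # short-form length only; enough for the samples
    return bytes([tag, len(payload)]) + payload

ALG = der(0x30, der(0x06, bytes.fromhex("2a8648")))   # constructed dummy AlgorithmIdentifier
SAMPLE_CERT = der(0x30, der(0x30, der(0x02, b"\x01")) + ALG + der(0x03, b"\x00\xff"))
SAMPLE_P7B = der(0x30, der(0x06, PKCS7_SIGNED_DATA) + der(0xA0, der(0x30, b"")))
SAMPLE_PKCS8 = der(0x30, der(0x02, b"\x00") + ALG + der(0x04, b"\x01\x02"))
SAMPLE_PFX = der(0x30, der(0x02, b"\x03") + der(0x30, der(0x06, PKCS7_SIGNED_DATA)))
```

Run `classify_der` over the bytes of a real .cer, .p7b or .pfx file to see which shape it has; a blob that classifies as a bare certificate cannot carry the private key, and one that classifies as PKCS#12 is the kind of material that needs a password and should never sit unprotected in an app package.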