
I have a gRPC service and I was thinking about the security aspects on the client side.

I have only one certificate (public and private certificates) for the client, which is used for all my clients: WPF clients, Android clients, etc.

At the moment, in my WPF client application, I copy the certificates (certificate and key) into a subfolder of the application folder and when I start the application, it loads the certificate. So it is easy for someone to copy the key certificate.

In an Android client, I add the certificates as assets, so I guess they are included in the apk file and it would be possible for someone to extract the certificates from it.

So if someone could get access to the certificates, they could develop an application that could connect to the server.

So I am wondering if there is some better way to handle or protect the certificates on the client side. But the private certificate needs to be somewhere on the device so it can be used.

Thanks.

Álvaro García
    I think there's some fundamental misunderstanding about client certificates here. A client certificate is an identity mechanism which identifies and authenticates a client - i.e. each client needs their own unique certificate because it represents their identity and **belongs to** that client. This also means the client owns it and is responsible for its security, just as they would be responsible for their username/password/MFA/etc. Also, you cannot prevent the owner of a device copying their own certificate to another device, since it's not your device nor your certificate. – Ben Cottrell Jan 15 '23 at 22:17
  • Thanks for the comment. Well, in my case I want to use gRPC to request some data from a server, but I don't need to identify each client in a unique way, I just want to encrypt and secure the data. But I would like to develop a client that I can redistribute in a zip and any user could use it just by unzipping the application on his computer. So in this case I was thinking that the certificate belongs more to the client application than to the user. – Álvaro García Jan 16 '23 at 10:11
  • Secure it from who? Are you looking for encryption in transit? Realistically once the data is on someone else's device then its security is entirely out of your control I'm afraid. However if you're looking for encryption in transit then I would be strongly inclined to focus on user authentication (e.g. with OAuth/OpenIDConnect) instead. – Ben Cottrell Jan 16 '23 at 10:55
  • @BenCottrell I think he wants to prevent other applications from using the server. You are going to need either a per client certificate, or a public/private key pair per client, where you save the public portion during client registration (and you need this registration). That way any signature from the client can be verified on the server. You need to authenticate the client. – Frank Hileman Feb 03 '23 at 00:38
  • Any certificate or private key distributed as part of the client software is public information, and will be used to contact your server, whether you want that or not, and whether using your client software, or not. – Frank Hileman Feb 03 '23 at 00:40
  • @FrankHileman Yes, I was thinking more about how I could allow only my application to use the server. But if the client uses the public certificate to authenticate itself, if someone gets this certificate it is possible for another application to use the server. As Ben says, once a certificate is on a device, it is out of my control. But this makes me think about OpenVpn, for example. It uses a certificate and key to authenticate and encrypt the data, and this certificate and key are on the user's device, where they can be stolen. But on the other side, OpenVpn is considered secure. This is my main doubt. – Álvaro García Feb 07 '23 at 10:44
  • There is multi-factor authentication. All the OpenVPN client authentication mechanisms rely on some secret stored with the client (or the human). You can augment that with MFA. Anyone using OpenVPN would have the same authentication issue you are dealing with. – Frank Hileman Feb 10 '23 at 18:15
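The registration-plus-signature scheme Frank Hileman describes in the comments, as an added example that is not from the question or any of its commenters: each client generates its own key pair on the device, the server stores only the public half at registration, and every request carries a signature over the client id, a timestamp and the body, so a key copied out of the shipped package is never what authenticates anyone. Go with the standard library stands in here for the WPF/Android clients and the gRPC transport; the `Registry` type, the `id|ts|body` framing and the 30-second replay window are assumptions of this example, not anything the thread specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"strconv"
	"time"
)

// Registry is the server-side table of public keys captured at client registration
// (hypothetical design). Only the public half ever leaves the device.
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Register stores the key a client presents once, e.g. right after the user logs in.
func (r *Registry) Register(clientID string, pub ed25519.PublicKey) { r.keys[clientID] = pub }

// NewClientKey runs on the device at first start. On the real WPF/Android clients the
// private half belongs in DPAPI or the Android Keystore, never in the shipped package.
func NewClientKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedBytes binds client id, timestamp and body so one request's signature
// cannot be transplanted onto another request or replayed much later.
func signedBytes(clientID string, ts int64, body []byte) []byte {
	return append([]byte(clientID+"|"+strconv.FormatInt(ts, 10)+"|"), body...)
}

// Sign is what the client attaches to each call, e.g. as gRPC metadata.
func Sign(priv ed25519.PrivateKey, clientID string, ts int64, body []byte) []byte {
	return ed25519.Sign(priv, signedBytes(clientID, ts, body))
}

// Verify is the server-side interceptor check: unknown client, stale timestamp
// or bad signature all reject the call before the handler runs.
func (r *Registry) Verify(clientID string, ts int64, body, sig []byte, now time.Time) error {
	pub, ok := r.keys[clientID]
	switch {
	case !ok:
		return errors.New("unregistered client")
	case now.Unix()-ts > 30 || ts-now.Unix() > 30:
		return errors.New("timestamp outside replay window")
	case !ed25519.Verify(pub, signedBytes(clientID, ts, body), sig):
		return errors.New("bad signature")
	}
	return nil
}
```

The registration step itself still has to be gated by something the server trusts (a user login, an enrolment token), which is the point Ben Cottrell makes about authenticating the user rather than the binary.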

0 Answers