6

We are considering using digital certs to verify that the machine connecting to our VPN service is in fact a company-owned machine. So one of my co-workers here mentioned that for a knowledgable user (and our users are for the most part CompSci PhD's) it would be trivial to copy the cert keys to another non-company-owned system that they want to use. My question is (and I've searched on Serverfault first :) is there some way to prevent the user from copying (exporting) the keypairs over to another machine? Or make the copied cert invalid if they do so? We in IT plan to be the ones installing the certs on the machines, but our users do need to have admin access to their machines to do their work. As well, the user's machines run a mix of Windows, Mac OS X and Linux OS's.

Thanks in advance for any answers provided...

Will Dennis
  • 304
  • 4
  • 16
  • I believe the answer is going to be there is no way to prevent exporting if the user has admin access and the knowledge/skills to use it. – Zoredache Aug 14 '12 at 20:03
  • Same question, but now the local user doesn't have admin access, any way to secure it now? – Akash Feb 02 '21 at 16:19

2 Answers2

4

In software, no, absolutely not. Even in windows, keys marked as non-exportable can be exported with a well-known GUI hack.

I'd suggest using smart cards for this purpose (wherein the key is stored and used on the card and generally not disclosed to the computer). That way, at least, the inside hacker would have to find the administrative password for the card or otherwise hack it, which is a lot less trivial than copying one stored in software.

You could also consider using computer certificates that encode the computer's hostname, and ensuring your authenticating software validates it. However, as it is generally quite easy to change computers' hostnames, I would suggest this would offer hardly any benefit.

Falcon Momot
  • 25,244
  • 15
  • 63
  • 92
  • One would still need to ensure that the smart card cannot be used in conjunction with a non-company system. – user149408 Aug 13 '18 at 12:37
0

No. Certificates (like everything else) are just bits. And bits can always be copied.

bahamat
  • 6,263
  • 24
  • 28
  • Dedicated crypto hardware exists which keeps the private key inside, performs cryptographic operations (signing, encrypting, decrypting) with it but does not disclose the key itself—not even to admins. Without the private key, the certificate is useless. With a client machine, to which users have physical access, you would have to take measures against the hardware being moved to a different machine, though. – user149408 Aug 13 '18 at 10:53