Advantages of client certificates for client authentication?
I'm no security expert, so please just ask in a comment if I haven't made my question clear enough for an answer.
We have a server running WCF services, and a number of clients connecting. These clients are actually Linux PCs which we build. We need to establish secure communications between our server, and our clients (again we build them, and deploy them to customer sites).
Client trusting the server
We will implement this by allowing the client to establish a trusted connection with the server via implementing SSL communications.
Server trusting the client
We now have the task of authenticating the client. Obviously this is done by keeping some sort of credentials on the client. Once the client is connected, it can send the credentials to the server and the server can validate them.
option for these credentials is to store some sort of Guid or other id/password which is generated by the WCF based application. Upon receiving the credentials, the WCF service does a lookup in the database and verifies they are correct.
Another option is to use Certificate Services to create client certificates which are copied to the client pc before it is sent out. After establishing the secure connection, the client sends the certificate to the server which authenticates the certificate with Certificate Services.
What advantages does using a certificate to authenticate the client have over a username/guid? What disadvantages does it have?
- Complexity of implementation
- Complexity of programming Integration with the application. This includes the workflow of creating the authentication token, associating appropriate (authorization / association) metadata, managing authentication such as disabling access etc.