MAC address binding to the certificate


Anoop C

Sep 9, 2009, 4:55:31 AM
Hi all

I am using certificates generated by openssl for authenticating the
WiFi users using EAP-TLS 802.1x authentication.
I would like to add the MAC address of the user machines into each user
certificate so that the certificate used by one machine cannot be used on
another machine/PC.

Could anyone please help with how to create a certificate with a MAC address
bound to it.

Regards
Anoop


********** DISCLAIMER **********
Information contained and transmitted by this E-MAIL is proprietary to
Sify Limited and is intended for use only by the individual or entity to
which it is addressed, and may contain information that is privileged,
confidential or exempt from disclosure under applicable law. If this is a
forwarded message, the content of this E-MAIL may not have been sent with
the authority of the Company. If you are not the intended recipient, an
agent of the intended recipient or a person responsible for delivering the
information to the named recipient, you are notified that any use,
distribution, transmission, printing, copying or dissemination of this
information in any way or in any manner is strictly prohibited. If you have
received this communication in error, please delete this mail & notify us
immediately at ad...@sifycorp.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Patrick Patterson

Sep 9, 2009, 8:20:04 AM
Hi there:

Anoop C wrote:
> Hi all
>
> I am using certificates generated by openssl for authenticating the
> WiFi users using EAP-TLS 802.1x authentication.
> I would like to add the MAC address of the user machines into each user
> certificate so that the certificate used by one machine cannot be used on
> another machine/PC.
>
> Could anyone please help with how to create a certificate with a MAC address
> bound to it.
>

I think that you may want to revisit your assumptions here - it is
rather trivial to spoof a MAC address, so basing your security on that
is not very good.

Besides, as long as the user has a valid certificate, why do you care
which machine they log in from? If you can't trust the holder of the
certificate to keep it safe, then you have a different set of issues
that MAC address binding will not save you from.

Have fun.

Patrick.

Anoop C

Sep 9, 2009, 8:32:42 AM
Hi Patrick

Thanks for the quick response.
I totally agree on your point. Our associates often used to try others'
certificates. So I want to remove that threat also, by incorporating the MAC
address into the certificates apart from the existing setup.

Often WiMAX CPE vendors used to bind the MAC along with the certificate so
that one's certificate cannot be installed on another CPE.

I want to remove the risk of certificate stealing. Of course I am using a CRL
for revoking. I still want to know of any possibility of adding the MAC to the
certificate as well.

Regards
Anoop C
Access Network Engineering
Sify Technologies Ltd.
Chennai

Mobile: +91 - 9884015161
Xtn:2867


Serge Fonville

Sep 9, 2009, 8:42:57 AM
Just a thought.

If the MAC is part of the client certificate, why would that prevent anything?
If you want to check the MAC, do that somewhere else, because if the
client can see it is in the cert, it can be spoofed.

HTH

Regards,

Serge Fonville

On Wed, Sep 9, 2009 at 2:32 PM, Anoop C <anoop.ch...@sifycorp.com> wrote:
> Hi Patrick
>
> Thanks for the quick response.
> I totally agree on your point. Our associates often used to try others'
> certificates. So I want to remove that threat also, by incorporating the MAC
> address into the certificates apart from the existing setup.
>
> Often WiMAX CPE vendors used to bind the MAC along with the certificate so
> that one's certificate cannot be installed on another CPE.
>
> I want to remove the risk of certificate stealing. Of course I am using a CRL
> for revoking. I still want to know of any possibility of adding the MAC to the
> certificate as well.
>
> Regards
> Anoop C
> Access Network Engineering
> Sify Technologies Ltd.
> Chennai
>
> Mobile: +91 - 9884015161
> Xtn:2867

Michael S. Zick

Sep 9, 2009, 11:46:28 AM
On Wed September 9 2009, Anoop C wrote:
> Hi all
>
> I am using certificates generated by openssl for authenticating the
> WiFi users using EAP-TLS 802.1x authentication.
> I would like to add the MAC address of the user machines into each user
> certificate so that the certificate used by one machine cannot be used on
> another machine/PC.
>

? ? ? ?

In general, the MAC address is programmable, not etched in silicon.
It would probably be trivial for the "un-intended user" to reset the
MAC address to match the certificate.

If you want to "node lock" a certificate - better to use a device
intended for that purpose rather than the NIC's MAC address.

Mike

> Could anyone please help with how to create a certificate with a MAC address
> bound to it.



Steffen DETTMER

Sep 9, 2009, 12:15:03 PM
* Anoop C wrote on Wed, Sep 09, 2009 at 18:02 +0530:
> Thanks for the quick response.
> I totally agree on your point. Our associates often used to try others'
> certificates. So I want to remove that threat also, by incorporating the MAC
> address into the certificates apart from the existing setup.

Typically, SSL/TLS security is bound to the secrecy of a private
key (secret key), not to the secrecy of a MAC address (which may
be easy to disclose by looking at some label or sticker).

A stolen certificate cannot be used (in a reasonable
cryptosystem, such as SSL/TLS) without having the private
(secret) key.

I don't know what EAP-TLS is doing, but SSL/TLS usually works on top
of TCP, and TCP does not know anything about MAC addresses. You may even
have PPP with TCP but without any MAC addresses.

oki,

Steffen

--[ end of message ]---------------------------------------------->8=======

Sanket Diwale

Jun 17, 2022, 11:17:51 AM
I think it is still worthwhile to know how to include some identifying information, such as the MAC address and other machine parameters, in the generated certificate using openssl.

This may serve as a first step in binding the certificate to a machine. The problem of spoofing such information can be tackled by a second layer of encryption on the certificate, as is done in the OMA V2 digital rights management (DRM) system (see https://www.researchgate.net/publication/220855429_Towards_Trust_in_Digital_Rights_Management_Systems or https://link.springer.com/chapter/10.1007/11824633_17).
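The thread never shows the mechanics, so here is an added example (not code from any poster or from the OpenSSL project) of the two halves the discussion touches: putting a machine's MAC into an EAP-TLS client certificate with the openssl CLI, and doing the comparison "somewhere else", in the authorization step after TLS has already authenticated the private-key holder, against the MAC the access point reported (for a RADIUS server that would be the Calling-Station-Id attribute, which arrives in several spellings). Assumptions: the MAC is stored in the subject's serialNumber attribute (a choice made here, not a standard for MACs; a subjectAltName otherName under your own OID arc would do as well), the CA and CN "laptop-42" are throwaway demo values, and the comparison is an authorization hint layered on top of client authentication, since, as the replies note, a MAC is trivially spoofable.

```shell
#!/bin/sh
# Added example: MAC-in-certificate issuance plus a separate MAC comparison.
# Demo values only; the serialNumber placement is this example's choice.

# Canonicalize common MAC spellings (00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e,
# 001a.2b3c.4d5e, 001a2b3c4d5e) to lowercase colon form. Returns 1 if malformed.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    [ "${#hex}" -eq 12 ] || return 1
    case $hex in *[!0-9a-f]*) return 1 ;; esac
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Create a throwaway CA and issue a client certificate for MAC $1 into
# directory $2. The MAC lands in the subject serialNumber attribute.
issue_mac_bound_cert() {
    mac=$(normalize_mac "$1") || return 1
    dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example EAP-TLS CA" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=laptop-42/serialNumber=$mac" 2>/dev/null || return 1
    # Extensions the CA applies regardless of what the CSR asked for.
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' \
        > "$dir/client.ext"
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null || return 1
}

# Read the MAC back out of a certificate's subject (one RDN per line, then
# pick the serialNumber attribute).
mac_from_cert() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,sname \
        | sed -n 's/^[[:space:]]*serialNumber[[:space:]]*=[[:space:]]*//p'
}

# Authorization step, run after the TLS handshake has already proven
# possession of the private key: compare the certificate's MAC with the one
# the NAS reported. Prints match/mismatch/malformed; returns 0 only on match.
# A mismatch is worth logging as a signal, not proof of anything by itself.
check_mac_binding() {
    cert_mac=$(mac_from_cert "$1")
    seen_mac=$(normalize_mac "$2") || { echo malformed; return 1; }
    if [ -n "$cert_mac" ] && [ "$cert_mac" = "$seen_mac" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Walk-through when run as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    issue_mac_bound_cert '00-1A-2B-3C-4D-5E' "$work"
    openssl verify -CAfile "$work/ca.crt" "$work/client.crt"      # chain check
    check_mac_binding "$work/client.crt" '001a.2b3c.4d5e'          # match
    check_mac_binding "$work/client.crt" '00:00:00:00:00:01' || true  # mismatch
fi
```

The split matters: openssl verify (or the EAP-TLS server's chain validation) is the authentication; check_mac_binding is policy applied afterwards and can be tightened, logged or dropped without touching the PKI. Revoking a stolen key pair still goes through the CRL, as Anoop already does.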