Using TLS Client Authentication with AIR Applications

Passwords remain de rigueur for authenticating clients, but applications with stricter security requirements may require an additional authentication factor. Adobe AIR-based applications can use client-side Transport Layer Security (TLS, also still referred to as SSL) authentication to add this second factor.

Many developers are familiar with the use of TLS in the HTTPS protocol to establish the identity of the server to which a client is connected. The server uses a private key to assert its identity, which is in turn validated via a trusted certificate installed on the client machine. What is less well known is that TLS authentication can be symmetric. The same certificate-based validation scheme can be used to authenticate both the server to the client and the client to the server.

The setup details will vary based on which web server and operating systems you’re running. Still, here’s a sketch of the steps involved to get it working. On the server:

  1. Create or select a certificate authority that will issue certificates for each client machine.
  2. Configure your web server to require TLS client authentication.
  3. Configure your web server to trust, for TLS authentication purposes, certificates issued by your certificate authority.

Then, for each client:

  1. Generate a private key for the client.
  2. Generate a certificate signing request for the client, based on this key.
  3. Create, using your certificate authority, a signed certificate for the client.
  4. Install this certificate into the system trust store on the client.

Note that none of these steps are specific to AIR. AIR uses the underlying OS network stack for HTTP, HTTPS, and TLS support. All AIR TLS connections use the system trust store to look up certificates and access private keys. This helps produce consistent behavior across all applications on your machine, whether they are built on AIR or not. If you have an existing enterprise solution in place for managing the trust store, it also means you can re-use this solution to distribute and maintain certificates and keys for AIR applications, too.

The certificates used in TLS client authentication, by virtue of being installed on and tied to a specific machine, authenticate by proving something you have. This makes them a perfect complement to passwords, which are something you know. Together, they create a reasonable and available two-factor authentication scheme for your AIR applications.