Abstract
This paper analyzes several recent breaches of major players in the security industry, in particular security products vendors and Certificate Authorities (CAs). Distinct patterns and relationships have emerged that have allowed the prediction of the next set of potential targets. Without the implementation of stringent compliance standards for CAs, one can expect that governments will intervene with the only outcome being a global impact on the freedom of trade.
Note to the Reader:
The research included in this paper does not address the circumstances around how the Certificate Authorities (CAs) were breached nor how their rogue certificates were issued. What is questioned is ‘Trust’: trust in the CAs and in their ability to maintain a high level of security within their industry.
The Certificate Authority (CA):
A certificate authority, or CA, holds a trusted position because the certificate that it issues binds the identity of a person or business to the public and private keys (asymmetric cryptography) that are used to secure most Internet transactions.
When a business or person wants to use these technologies, they apply to a Certification Authority. The CA collects information about the person or business that it will certify. Depending on the intended use and level of security required, certain rules are followed, called “certificate policies”.
These rules may make it necessary to verify the applicant’s information before issuing the certificate. For example, when a business wants to offer products for sale on a secure website, the CA will usually check to make sure that the applicant really has responsibility for the domain.
However, this particular policy wouldn’t apply to someone who just wants to encrypt his or her personal e-mail.
The processes that use the public key, such as a web browser, check the certificate to make sure that it comes from a trusted CA and may also check to be sure that the information is consistent with the way that it’s being used. All major web browsers “trust” a series of CAs and have packaged them in the “web of trust” for each browser’s store.
Digital certificates would typically be issued by a CA, e.g., Entrust.com, Thawte, or another CA that vouches for the authenticity of the subject’s public key. (There are over 500 CAs.)
Overall, a digital certificate from a trusted CA is like a passport or a government identification card. The CA, acting much like a notary public, verifies that you are who you say you are. Each CA is unique because each CA has its own CA key pair; the CA’s public key, distributed in its root certificate, identifies the CA and is used to verify the certificates it signs.
Background:
With several CAs reporting breaches, compromised or rogue certificates have emerged, as have clear trends and patterns that tie breaches of certain CAs together.
Subsequent links of trust between the CAs display a sobering commonality. Further modeling also provides grounds to anticipate potential breaches or the issuance of rogue certificates with certain CAs.
Consideration was given to the type, amount, and proliferation of network security breaches of the CAs. Relevancy was also given to the issuance of rogue certificates and in one instance a possible private key compromise[2].
Attention has been given to the business relationships between the CAs that have been targeted, and the timing of the attacks. How the breaches occurred is not relevant to this discussion.
Chronology:
The pattern between the compromised CAs that has been reviewed focuses on CAs with one or several of the following in common: breached networks, rogue or compromised certificates, or a compromised private key.
A chronological timeline of the breached CAs will be discussed first, together with the details relevant to each event. Lastly, we will note the relationships between each compromised CA or RA and the DigiNotar and Symantec CAs.
Key Points:
Currently, there is no auditable industry security standard for CAs. There is also no compliance standard or governance from which the general public can determine the security or compliance status of accredited CAs. A catastrophic network breach or the issuance of “rogue” CAs in the near term, from other CAs, is of great concern.
Roel Schouwenberg, a senior security researcher with Kaspersky Lab, is advising internet users to exercise extreme caution when dealing with online certificates in the wake of the DigiNotar certificate authority (CA) systems hack. “We are still talking about 500 or so CAs out there,” he explained on a conference call with analysts and researchers this week, noting that the DigiNotar CA hack was industrial espionage that has the potential to have the same effect on the industry as the Stuxnet malware.[39]
Remediation Plan: The CA industry must have a regulatory and compliance standard that assesses the security and integrity of the CAs. For anyone to assume that the CAs have an inherently secure environment is naïve at best. The industry must create a certification program that is mandated for all publicly accessible CAs.
In his article Tenuous Chains Of Trust In Digital Certificates [40], Mike Fratto outlines some obvious conclusions.
“… because there is an inordinate amount of trust in all things SSL/TLS and the Golden Lock. (Don't get me going on that farce called Extended Validation Certificates.) The SSL/TLS protocol and the public key cryptography that underpins it are, as far as I know, well designed and trustworthy. Barring software vulnerabilities and poorly designed SSL/TLS libraries, such as the Python SSL library's default implicit trust of certificates that Brian Keefer points out in Unauthenticated SSL Sends a Dangerous Message, we can trust the protocol and the math.”
So if we can trust both the protocol and the math, where did we go wrong? Trust. It cannot be assumed that the CAs protect their critical environments according to industry security standards.
Compliance and Validation: Trust validation can be conducted in the form of an auditable security standard (for example, under the umbrella of the ISO), or by a consortium of the major browser vendors and ISPs, similar to the approach taken in the financial sector by the Payment Card Industry Security Standards Council.
There is a compelling need for stringent security standards for all CAs/RAs. These standards must be backed by a public validation and compliance process that is enforceable and auditable.
Conclusion:
Our trust in the CAs is in jeopardy.
The survey of 174 IT and IT security pros raised several red flags about digital certificate management. Some 72 percent of organizations don't have an automated process in place in case their CA is hacked, so they can't automatically replace digital certificates. The risk there, of course, is a website or application outage in the event of an expired certificate.
Many (46 percent) can't even generate a report on digital certificates that are about to expire; tracking certs that are reaching their expiration date is a manual process.
"The survey confirmed our suspicions" based on what we've seen out there, says Jeff Hudson, CEO of Venafi. "People don't know what the hell's going on out there [with their certificates]."(Emphasis Added)
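Both gaps the survey describes, no automated replacement path when a CA is compromised and no report of certificates about to expire, can be answered from a certificate inventory. The script below is an added example (not from the paper, nor Venafi's tooling); it runs over a constructed sample inventory with hypothetical hosts, and names DigiNotar only because the paper does.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: hypothetical hosts, issuers and expiry dates.
INVENTORY_CSV = """host,issuer,not_after
www.example.test,DigiNotar Root CA,2012-03-01
mail.example.test,Example Corp Issuing CA,2011-09-20
vpn.example.test,Example Corp Issuing CA,2012-06-30
portal.example.test,DigiNotar Cyber CA,2011-12-15
"""

def load_inventory(text):
    """Parse CSV rows into dicts, turning not_after into an aware datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["not_after"] = datetime.strptime(row["not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows

def expiring_within(inventory, now, days):
    """Hosts whose certificate expires within `days` of `now` (already expired included)."""
    cutoff = now + timedelta(days=days)
    return sorted(r["host"] for r in inventory if r["not_after"] <= cutoff)

def issued_by(inventory, ca_name_fragment):
    """Hosts whose certificate was issued under a CA whose name contains the fragment.
    A substring match is used because a compromised operator usually runs several
    issuing CAs (e.g. 'DigiNotar Cyber CA') that share the operator's name."""
    frag = ca_name_fragment.lower()
    return sorted(r["host"] for r in inventory if frag in r["issuer"].lower())

def replacement_report(inventory, now, compromised_ca, days=30):
    """Action list for a CA-compromise playbook: replace now vs. renew soon."""
    urgent = issued_by(inventory, compromised_ca)
    soon = expiring_within(inventory, now, days)
    return {"replace_now": urgent, "renew_soon": [h for h in soon if h not in urgent]}

def demo(now_iso="2011-09-01", compromised_ca="DigiNotar"):
    """Run the report over the sample inventory at a chosen date (default: around the DigiNotar disclosure)."""
    now = datetime.strptime(now_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return replacement_report(load_inventory(INVENTORY_CSV), now, compromised_ca)

if __name__ == "__main__":
    print(demo())
```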
The “TRUST” that businesses and governments have in these models can no longer be assumed to be safe and secure and must be validated.
The inevitable conclusion is that a rigorous set of security and compliance standards and certifications for all CAs is required.
Author:
Bill Corbitt has over 20 years of military and commercial computer security, investigative, and computer forensic experience. Bill has experience in breach analytics, post-mortem breach analysis as well as risk impact determinations for Fortune 500 companies. As a former Federal Agent, he was Program Security Officer (SAF/AQ) for advanced weapon systems and focused beam technologies.