Author: Bill Corbitt
This paper analyzes several recent breaches of major players in the security industry, in particular security products vendors and Certificate Authorities (CAs). Distinct patterns and relationships have emerged that have allowed the prediction of the next set of potential targets. Without the implementation of stringent compliance standards for CAs one can expect that governments will intervene with the only outcome being a global impact to the freedom of trade.
Note to the Reader:
The research included in this paper does not address the circumstances around how the Certificate Authorities (CAs) were breached nor how their Rogue Certificates were issued. What is questioned is ‘Trust’ – Trust with the CAs and their ability to maintain a high level of security within their industry.
The Certificate Authority (CA):
A certificate authority, or CA, holds a trusted position because the certificate that it issues binds the identity of a person or business to the public and private keys (asymmetric cryptography) that are used to secure most Internet transactions.
When a business or person wants to use these technologies, they apply to a Certification Authority. The CA collects information about the person or business that it will certify. Depending on the intended use and level of security required, certain rules are followed, called “certificate policies”.
These rules may make it necessary to verify the applicant’s information before issuing the certificate. For example, when a business wants to offer products for sale on a secure web site, the CA will usually check to make sure that the applicant really has responsibility for the domain.
However, this particular policy wouldn’t apply to someone who just wants to encrypt his or her personal e-mail.
The processes that use the public key, such as a web browser, check the certificate to make sure that it comes from a trusted CA and may also check to be sure that the information is consistent with the way that it’s being used. All major web browsers “trust” a series of CAs and have packaged them in the “web of trust” for each browser’s store.
Digital certificates would typically be issued from a CA, i.e., Entrust.com, Thawte, or other CAs that vouches for the authenticity of their public keys. (There are over 500 CAs.)
Overall, a digital certificate from a trusted CA is like getting a passport, or government identification card. Someone like a Notary Public, the CA, verifies that you are who you say you are. Each CA is unique because each CA has its own CA Public Key that is used to determine the CA’s own identity.
With several CAs reporting breaches, compromised or rogue certificates have emerged, as have clear trends and patterns that tie breaches of certain CAs together.
Subsequent links of trust between the CAs display a sobering commonality. Further modeling also provides grounds to anticipate potential breaches or the issuance of rogue certificates with certain CAs.
Consideration was given to the type, amount and proliferation of network security breaches of the CAs. Relevancy was also given to the issuance of rogue certificates and in one instance a possible private key compromise.
Attention has been given to the business relationships between the CAs that have been targeted, and the timing of the attacks. How the breaches occurred is not relevant to this discussion.
The pattern between the compromised CAs that has been reviewed focuses on CAs with one or several of the following in common: breached networks, rogue or compromised certificates, or a compromised private key.
A chronological timeline of the breached CAs will be discussed first. With this timeline details that are relevant to the actual event. Lastly, we will note the relationships to the compromised CA or RA and their relationships with DigiNotar and Symantec CAs.
Bill Corbitt has over 20 years of military and commercial computer security, investigative and computer forensic experience. Bill has experience in breach analytics, post-mortem breach analysis as well as risk impact determinations for Fortune 500 companies. As a former Federal Agent he was Program Security Officer (SAF/AQ) for advanced weapon systems and focused beam technologies.