On the Octopus Blog, we’ve delved quite a bit into the vulnerabilities of contemporary encryption standards.
The system of Public Key Infrastructure (PKI), which forms the basis of most of the world’s authentication platforms, presents a powerful, easy-to-use encryption model, yet it still leaves several holes through which attackers can breach networks and steal identities.
Perhaps the single biggest problem with PKI is its reliance on third-party verification.
Authenticating through PKI requires that when one digital user reaches out to another, a negotiation called a digital “handshake” must occur that sets up the terms for communication. The problem is how any one user can know for sure whose “hand” they are “shaking” from the get-go. Digital certificates, and the certificate authorities (CAs) that issue them, became the industry-standard answer to this problem. When an entity convinces a CA it is trustworthy, it receives a certificate it can then “present” to any other group or user trying to interact with it digitally. In other words, certificates and CAs form the foundation for the whole PKI system.
Authentication with No Control
The main issue with certificates is that they create a point of failure that is not in the user’s control.
Imagine certificates as locks. The important difference between real locks and these digital ones is that locksmiths don’t keep a copy of the keys they make with the home address of their clients attached. When a certificate authority becomes compromised, on the other hand, the door is wide open for cyber-criminals to breach any user that trusts that CA.
This painful fact is being demonstrated a lot lately.
Back in July, security researchers discovered a new malware campaign misusing stolen but valid digital certificates from Taiwanese tech companies. The sources of the certificates included the Taipei-based D-Link, one of the largest manufacturers of networking equipment in the world. Cyber criminals were able to use these credentials to sign their malware programs. This meant that any browser that came across these applications “recognized” their source as one of the most trusted names in information technology. The scheme worked. The hackers involved, later identified as belonging to a well-known cyber espionage group, were able to infect several networks with a wide range of computer viruses, including remote-controlled backdoors and password stealers.
But it doesn’t take the malicious actions of hackers to undermine certificates and CAs.
Certificate authorities can simply lose the private keys or misuse them in a way that leaves them exposed and therefore compromised. When this happens, sometimes the breach is identified and the certificate is revoked in time to stave off any repercussions. In other instances, though, users aren’t so lucky.
Earlier this year, the IT world learned of what might be the single biggest act of negligence on the part of a security executive in recent memory. In early February, the CEO of Trustico, a vendor that re-sells digital certificates from well-known CAs, forwarded an email to a colleague containing 23,000 private keys of certificates. By March, the communications of the Trustico director were exposed. Thousands of the company’s clients were informed their certificates would soon be rendered useless.
Think of the situation these users found themselves in:
Unless the affected certificates were replaced, visitors to their websites would be turned away by their browsers, due to the site being unable to present valid authentication.
Summing up the Threat
The vulnerability of certificates can be boiled down to two factors:
A Human Factor
Certificates are a digital commodity. Thus they circulate through the hands of vendors and resellers (Trustico, for example). This means that mistakes are an inevitability. Someone is bound to leak sensitive data, expose the credentials of clients, and ultimately undermine the veracity of certificates. Certificate Revocation Lists, which lay out which companies and products have been compromised and are kept by every certificate authority, prove just how much of a clear and present danger this threat is.
Inherent Trust
A trusted authority relies on its reputation more than anything else. But this reputation can backfire. In the case of the July malware campaign, for instance, it was the very fact that D-Link and other compromised companies were so trusted that allowed hackers to bypass their victims’ security protocols and execute attacks.
A Target
Perhaps most troubling is that the certificate-based system creates a tempting target for cyber criminals. With so much authentication security being held up by certificates, a tremendous incentive is created to breach the holders of these devices. The trend of hackers targeting CAs is nothing new. The infamous breach of certificate vendor Comodo by a rogue Iranian hacker was probably what first put this threat on the radar. And the tools of hackers keep growing. New families of malware and hacking strategies known as advanced persistent threats, or APTs, are now being designed specifically to target certificates and CAs.
The solution to the current certificate-based system is not to shore up its flaws. The solution is to get rid of it.
The authentication alternatives of the future cut out the need for certificates, and put control back in the hands of users, leaving network authentication both smoother and safer.