CPSC 257: Information Securityin the Real World

Ewa Syta

April 14, 2016

CPSC 257 April 14, 2016 1 / 36

1 Public Key Infrastructure and Trust Cont.

2 Attacks Against PKI

3 Defending PKI

CPSC 257 Outline April 14, 2016 2 / 36

Public Key Infrastructure and Trust Cont.

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 3 / 36

Certificate Types Source:“Baseline Requirements Documents”. CA/Browser Forum

Before a certificate is issued, a CA verifies the entity requesting acertificate.

The type of the certificate depends on the level of checking the CAdoes.

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 4 / 36

Certificate Types

• Individual Validation (IV) - normally intended for an individualwho needs to prove he controls an email address the certificate isissued for.

• Domain Validation (DV) - issued for a domain and requires abasic form of domain validation to be performed, normally thecontrol of a restricted email address (admin@domain.com) or theone included in the WhoIs record.

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 5 / 36

Certificate Types

• Organization Validation (OV) - in addition to the above check,the company name is checked against a company register, i.e theChamber of Commerce.

• Extended Validation (EV) - like OV, a company search isperformed, however the physical location is also checked and thecontact who requested the certificate is also validated.

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 6 / 36

Certificate Verification1

There are several steps involved in the certificate verification processwhen a browser connects to a website requested by a user.

1 The browser obtains the server’s certificate and checks it ifendorses the server’s supplied public key.

2 It verifies that the certificate has not been revoked.

3 It checks the validity of the certificate.• Expiration date, allowed uses, and the name field in the certificate

against the desired hostname.

1Moserware, The First Few Milliseconds of an HTTPS Connection

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 7 / 36

Certificate Verification

4 It verifies the signature on the certificate against the CA whoissued it.

• If the CA is not trusted by the browser, it checks that CA’scertificate until it is endorsed by a trusted CA.

5 Depending on the result of the above process, the browserdisplays a proper notification for the user.

Firefox will display one of the following icons.

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 8 / 36

Green padlock

• The site presented a valid DV certificate.

• You are connected to the website whose address is shown in theaddress bar.

• The connection to the website is encrypted to preventeavesdropping.

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 9 / 36

Green padlock with an organization name

• Security as before.

• The site presented a valid EV certificate.

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 10 / 36

Green padlock with gray warning triangle

• The connection to the site is secure.

• Mixed active content blocked.• The site may not display or work entirely correctly.• <script>, <link>, <iframe>

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 11 / 36

Gray padlock with red strikethrough

• The connection to the website is not secure.

• The connection may only be partially encrypted.

• Mixed active content allowed.

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 12 / 36

Gray padlock with yellow warning triangle

• The connection to the website is only partially encrypted anddoesn’t prevent eavesdropping.

• Mixed passive content loaded.• <img>, <audio>, <video>

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 13 / 36

Certificate Revocation2

Occasionally, private keys get compromised and the correspondingcertificates must be revoked.

Certificate revocation list (CRL)

• A list of certificate serial numbers that have been revoked.

• Issued every 5-14 days; lots of info to parse.

• If no CRL, the clients defaults to accepting the certificate.

Online Certificate Status Protocol (OCSP)

• An online protocol to obtain the revocation status of a certificate.

• One request per certificate; browsers silently ignore timed out requests.

2FIR3NET:Certificate Revocation

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 14 / 36

PKI Weaknesses

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 15 / 36

Issues with PKI

There are several types of weaknesses of the PKI.

• Protocols used in PKI (SSL/TLS).

• Implementation of the X.509 standard.

• Centralized-trust approach.

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 16 / 36

A quote from Carl Ellison and Bruce Schneier

“Security is a chain; it’s only as strong as the weakest link.The security of any CA-based system is based on many linksand they’re not all cryptographic. People are involved.” 3

3Carl Ellison and Bruce Schneier, “Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure”

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 17 / 36

Trust Propagation

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 18 / 36

Root CAs

Recall:

A root CA is the top-most certificate in the CA chain.

• Establishes a point of ultimate trust for a CA hierarchy.

• Can delegate its signing power to intermediate CAs.

This gives intermediate CAs a lot of power.

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 19 / 36

Certificate Authorities

EFF SSL Observatory

• ∼650 CAs trusted either directly or indirectly by Mozilla orMicrosoft.

• Mozilla includes 176 root certificates4.

• Apple provides a similar number of certificates for its OS.5.

• Owned by a much smaller set of organizations.

Any CA - root or intermediate - can issue certificates for any domain.

4Mozilla Included CA Certificate List

5OS X Yosemite: List of available trusted root certificates

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 20 / 36

Relations between CAs

CPSC 257 Public Key Infrastructure and Trust Cont. April 14, 2016 21 / 36

Attacks Against PKI

CPSC 257 Attacks Against PKI April 14, 2016 22 / 36

Certificate Authorities

The CA “ecosystem” is very complex. Each CA, root or not, has thesame power. This creates a “weakest-link” system.

In fact, it takes one malicious, incompetent, compromised, orsubverted CA to threaten the security of the entire PKI.

• Issue certificates with invalid or incorrect values.

• Issue certificates to wrong people.

• Issue certificates they are not authorized for.

CPSC 257 Attacks Against PKI April 14, 2016 23 / 36

Direct threat to users

MITM = Man in the Middle Attack

FakeGoogle.com(MITMA2acker)

google.com

Client

Cer9ficateAuthori9es

CPSC 257 Attacks Against PKI April 14, 2016 24 / 36

CA compromises Source 1, Source 2

DigiNotar’11

• Hacked, ∼500 fake certificates used for MITM attacks.

Comodo’11

• Hacked, 9 certificates across ∼7 different domains.

• mail.google.com, login.yahoo.com, google.com, login.live.com,addons.mozilla.org, login.skype.com

CPSC 257 Attacks Against PKI April 14, 2016 25 / 36

CA compromises Source 1, Source 2

CNNIC/MCS’15

• China Internet Network Information Center, almost universallytrusted by all browsers and OSs.

• Misused its power and issued a CA-cert to MCS Holdings, anEgyptian-based company.

• MCS issued a fraudulent google.com certificate.• For a man-in-the-middle proxy, a device that intercepts secure

connections by masquerading as the intended destination, for“testing purposes”.

• Sometimes used by companies to monitor employees’ encryptedtraffic for legal or human resources reasons.

• Google and Mozilla revoked, Apple did not.

CPSC 257 Attacks Against PKI April 14, 2016 26 / 36

SuperFish Source 1, Source 2

Some Lenovo laptops shipped preinstalled with ad injecting software.

Superfish:

• Injects ads into encrypted web pages.

• Installs a self-signed root certificate and using a SSL interceptionengine by Komodia.

• Now Superfish is a recognized root CA.

• Each time when a user visits a website which uses HTTPS,Superfish creates and self-signs a fake certificate for this website.

CPSC 257 Attacks Against PKI April 14, 2016 27 / 36

SuperFish

Problem? We just described a man-in-the-middle attack.

• Each machine had the same Superfish installed.

• Private key must be on the machine as well to sign certificates.

• The same private key was password protected.

• Extracting a single password-protected private key allows toprepare certificates valid on any Superfish-infected machine.

• The password was “komodia”, if anyone is curious.

In essence, Lenovo facilitated / launched a large-scale MITM attack!

CPSC 257 Attacks Against PKI April 14, 2016 28 / 36

Defending PKI

CPSC 257 Defending PKI April 14, 2016 29 / 36

Possible defenses

It is extremely difficult to come up with a solution to completely fixthe current PKI system.

However, there are some efforts attempting to mitigate the issues PKIfaces.

CPSC 257 Defending PKI April 14, 2016 30 / 36

CAs oversight by industry organizations

Certificate Authority Security Council (CASC)

• Founded in 2013 by the seven largest CAs as an industry advocacy

organization dedicated to addressing industry issues and educating the

public on internet security.

Common Computing Security Standards Forum (CCSF)

• Founded in 2009 to promote industry standards that protect end users.

CA/Browser Forum

• Founded in 2005 as a consortium of Certificate Authorities and webbrowser vendors to promote industry standards and baselinerequirements for internet security.

CPSC 257 Defending PKI April 14, 2016 31 / 36

Certificate Pinning6

Goal: to protect against the proliferation of CAs and to reduce thescope of their authority.

• A certificate/public key or a CA (or a limited set of CAs) is“pinned” to a specific domain.

• Only specific certificates are accepted or specific CAs can issuecertificates for these select domains.

Chromium and Google Chrome pin the *.google.com certificates.Firefox uses the same pins as well as its own (Mozilla, Twitter,Dropbox, Facebook, etc.)

6OWASP:Certificate Pinning

CPSC 257 Defending PKI April 14, 2016 32 / 36

Pinning levels7

There are 4 levels of pinning that can be set in a browser.

• Level 0. Pinning disabled

• Level 1. Allow User MITM (pinning not enforced if the trustanchor is a user inserted CA)

• Level 2. Strict. Pinning is always enforced.

• Level 3. Enforce test mode.

Currently, Level 1 is set as default in Firefox.

• This is why certificate pinning would not work againstSuperfish/Komodia.

7Mozilla:Public Key Pinning

CPSC 257 Defending PKI April 14, 2016 33 / 36

EFF SSL Observatory8

The EFF SSL Observatory is a project to investigate the certificatesused to secure all of the sites encrypted with HTTPS on the Web.

• Downloaded all of the publicly-visible SSL certificates.

• Search for vulnerabilities, document the practices of CertificateAuthorities, and aid researchers interested in the web encryptioninfrastructure.

8https://www.eff.org/observatory

CPSC 257 Defending PKI April 14, 2016 34 / 36

Certificate Transparency9

An open framework for logging, monitoring and auditing digitalcertificates.

• Identify mistakenly or maliciously issued certificates.

• Identify certificate authorities (CAs) that have gone rogue.

CT creates a central, publicly-auditable append-only log ofcertificates.

9http://www.certificate-transparency.org/

CPSC 257 Defending PKI April 14, 2016 35 / 36

Certificate Transparency

Consists of log server, monitors, auditors.

• Log servers sign on the new certs (run by Google)

• Monitors watch for suspicious certs in logs (e.g., run by a CA).

• Auditors verify overall log integrity and specific certs (e.g., runby a browser).

CPSC 257 Defending PKI April 14, 2016 36 / 36