Solved

X.509 key compromise

Posted on 2009-05-18
Last Modified: 2013-11-16
Hello,

This is a theoretical question.
As we know, X.509 certificates are signed by the private key of the certification authority (CA).
The certificate information is hashed using a hash algorithm, this hash is encrypted by the private key of the CA, and the result is then attached to the certificate. This is how a signed certificate is created.

I want to know what will happen, or what steps have to be taken, if the private key of the CA is compromised.
What does the CA need to do in this case?
0
Question by:swaroop_d
9 Comments
 
LVL 1

Assisted Solution

by:firemouse
firemouse earned 100 total points
If the key is compromised, you should have that key revoked as it is a huge security risk.  For example, Microsoft had 2 of their VeriSign private keys compromised through social engineering; they had to revoke the key so users know it's untrusted.  You can see this even today if you go to Internet Explorer -> tools -> content -> certificates -> untrusted publishers

So push out a revoke of the key and the clients should know not to trust it
0
 

Author Comment

by:swaroop_d
Thanks a lot for that answer.
What can be the possible misuse of the compromised private key?
Can any attacker use that private key and pretend to be signing certificates for users?
How can a CA find out that the key has been compromised?
 
0
 
LVL 31

Accepted Solution

by:Paranormastic
Paranormastic earned 350 total points
CA private key revocation is a big ordeal.  This is one of the primary reasons why it is best to have at least a 2 tier PKI with the root CA being offline (never connected to the network, domain, etc.) so you can give the highest level of assurance that that key will never be compromised (although there is always technically a chance, having it offline significantly reduces the likelihood).  That way you can sign the CRL to revoke the online subordinate CA that issues all your certs.

If the root is still good, then you can just sign a new sub CA and be back in business.  All of your previous certs will be revoked upon revocation of the CA cert, so they will all need to be reissued - if it were to happen it would be a good thing to dump the CA database (review that all certs are there by date as CA database likes to timeout - if so, filter by date and export each).  This log will also help you determine what certs need to get re-issued.

If your root CA gets compromised, there is no CRL that can properly "revoke" it - you need to rely on trusting parties to put that root cert in their untrusted publishers list. Unless you're Microsoft, there's no way to force the rest of the world to do it - they have to take the time.  You would need to issue a new root cert and all certs below it, deploy the new root cert to everybody, and probably look for a new job.

An online CA compromise sucks but is understandable since it's on the wire; there is rarely a good excuse for the root besides being improperly set up or improperly secured.

In higher security environments, the room itself is like a vault - multiple person entry, biometric scanners, motion detectors in the room and above and below it, etc., multiple security cameras, safes to store backups in, etc. for physical security of the root key in particular.  Add to that using an HSM to protect the private key off the server which should be done for the offline and online CA servers.






So how can it be misused?  They can now assert that whatever they create - server, user account, email address, etc. - is valid within your organization.  They can issue a smartcard logon cert and log in, they can validate that their rogue web server collecting credit cards, etc., is owned by your company making you liable for it (at least until you spend hundreds of thousands in lawyer fees to prove your innocence - if you actually have enough evidence to prove it), they can send out business contracts to whomever with a signed email making it legitimate, they can send out a signed email breaking a contract or just cussing people out, they can issue a virus that is code signed so all your company trusts it, and the rest of the world will know that your PKI was cracked.  That's just a general feel for it...

Attackers don't pretend to sign certs for users - they actually sign certs for non-users.  It's like giving someone a fake ID manufacturing machine.

CA key compromise can be difficult to detect.  The best way is to have heavy audit logging of your CA and review it regularly.  Intrusion detection systems help, too, although they tend to be costly.  Beyond that, once it happens and they actually use it for an attack - it may or may not be dramatic enough to be noticed immediately.  Some companies prefer to have their internal CA not publicly accessible so it can only be validated within the company, making abuse of a compromised key less likely and easier to control the damage - however this is not common as it is nice to have the functionality for business partners.
0
 

Author Comment

by:swaroop_d
Thanks for the answer.
0
 
LVL 31

Expert Comment

by:Paranormastic
Unless there is something you are still wondering about (if so please ask), could you close this out please, by accepting an answer.  If you are not sure how to do this, please ask.  Thanks!
0
 

Author Comment

by:swaroop_d
Just one more query before accepting the answer:

One thing is not clear from above reply:

Suppose the CA has already issued 25 certificates, and then it learns that its private key is compromised. What will happen to the status of those already issued certificates?

It makes sense that once the CA revokes its private key, no user will trust anything signed by the CA's private key after revocation.

Will all the certificates already issued be termed invalid? Do they need to be termed invalid?

0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 350 total points
When you revoke the CA cert, all certs issued from it are effectively revoked as well.  It is also common practice to revoke all certs first, extend the length of the CRL and publish one last CRL prior to revoking the CA cert.  Cuts all the guesswork out.

Some applications may still function, however, that do not do revocation checking.  EFS is one of them.  Also, some applications allow the user to bypass CRL checking and unfortunately it is getting to be commonplace as 'troubleshooting' (*cough) to do this instead of getting a proper fix - for example IE - Internet Options - Advanced tab - scroll to the bottom and look for:
"Check for publisher's certificate revocation" (this would be the CA cert)

"Check for server certificate revocation (requires restart)" (this would be the website cert)

I see people tell people to uncheck these all the time for a 'fix' for a cert issue - i.e. they are ignoring the problem so it no longer pops up a warning.  Just because it works doesn't make it right...  Scary.  This is part of the reason why it is common to revoke all the certs first prior to the CA cert - got twice the chance of it getting caught by the validation process.
0
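A simplified model of the revocation behaviour described in the two answers above, added here as an example and not part of the original thread. It compares names and serials only (no signature checking), and every certificate name and serial is constructed; it also shows that a final CRL built from the CA database cannot list a certificate that was signed outside the CA.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    issuer: str  # subject name of the CA that signed this cert

def validate(chain, trusted, untrusted, crls, check_revocation=True):
    """Simplified path validation (names and serials only, no signatures).
    chain is leaf-first and ends at the root; crls maps a CA name to the
    set of serials on that CA's CRL. Returns (accepted, reason)."""
    root = chain[-1]
    if root in untrusted:
        return False, "root is on the untrusted list"
    if root not in trusted:
        return False, "root is not a trust anchor"
    # The root is never a child in this loop: no CRL can revoke it.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer mismatch"
        if check_revocation and child.serial in crls.get(parent.subject, set()):
            return False, f"{child.subject}: revoked by {parent.subject}"
    return True, "ok"

# Constructed sample PKI: offline root, online issuing CA, two leaf certs.
ROOT = Cert(1, "Example Root CA", "Example Root CA")
SUB = Cert(2, "Example Issuing CA", "Example Root CA")
LEAF = Cert(1001, "www.example.test", "Example Issuing CA")   # in the CA database
ROGUE = Cert(9001, "pay.example.test", "Example Issuing CA")  # signed with the stolen key

def scenarios():
    """Return {label: accepted?} for each stage of the response."""
    def ok(cert, crls, untrusted=(), check=True):
        return validate([cert, SUB, ROOT], {ROOT}, set(untrusted), crls, check)[0]
    leaf_crl = {SUB.subject: {LEAF.serial}}          # final CRL from the sub CA
    full = {**leaf_crl, ROOT.subject: {SUB.serial}}  # root then revokes the sub CA
    return {
        "rogue, before any revocation": ok(ROGUE, {}),
        "leaf, final sub-CA CRL only": ok(LEAF, leaf_crl),
        "rogue, final sub-CA CRL only": ok(ROGUE, leaf_crl),
        "rogue, sub CA revoked by root": ok(ROGUE, full),
        "rogue, client skips revocation": ok(ROGUE, full, check=False),
        "rogue, root on untrusted list": ok(ROGUE, full, [ROOT], check=False),
    }

if __name__ == "__main__":
    for label, accepted in scenarios().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {label}")
```
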
 
LVL 1

Assisted Solution

by:DJM2009
DJM2009 earned 50 total points
I see your username is the source of info here Para :-)

"Some applications may still function, however, that do not do revocation checking.  EFS is one of them"

That is kind of scary. A disgruntled ex-helpdesk guy who was designated a recovery agent, with his card that he doesn't hand back, manages to log on to a laptop that hasn't downloaded the newest CRL (the one including his revoked cert), and the guy could decipher all EFS-ciphered files, correct?
0
 
LVL 31

Expert Comment

by:Paranormastic
DJM - technically - yes.  This is part of the reason why EFS DRA certs:
1. Should be associated to a unique user account (so the account itself can be disabled if necessary)
2. Should be restricted in issuance and control - only highly trusted users should have access to the DRA cert.  I would not allow a standard helpdesk to be in control of it, unless maybe through scripted access (and I would still be hesitant about that).  Usually only enterprise admins should be in control of this level of cert.  In larger organizations that may have a dedicated PKI team, they may have access instead of / in addition to the ent. admins.  In smaller companies, the admin and the CEO or CIO should have access.
3. Should be exported to .pfx file immediately after creation and stored in a secure fashion (i.e. locked up in a safe or offsited).  To use the DRA cert, you need to install it on the user workstation to use the private key (unless using smartcards) - after recovering you should remove the media (to protect against accidental deletion) and then delete the private key from the machine (delete the cert, then install a new copy of the .crt file that doesn't have the private key).
4. Upon replacement of any DRA cert, the GPO must be updated.  In addition to this, you should push a logon script to run the command 'cipher /u' to update all encrypted files with the new DRA cert(s).  As a side note, all of the DRA certs must be current - if any of these expires then you will not be able to update as they must be current in order to encrypt.

0
