Four Must Know Certificate and Key Management Threats That Can Bring Down Your Business
In this on demand webinar, learn how to identify these risks and the steps to keep your enterprise in control over trust.

1. Learn the four certificate and key management threats to your business
2. Hear how criminals are ruining businesses with attacks on certificates
3. Get insights into the five simple steps to prevent your own disaster

Presentation Transcript

  • Four Must Know Certificate and Key Management Threats. Prepared for: Intelligent People
  • Use of Certificates and Keys in Enterprise Environments. Diagram: certificate authorities issue certificates that are used for server authentication, client-side authentication and secure communications. © 2013 Venafi
  • Certificate and Key Management Challenges. Diagram: certificate authorities.
  • Downtime Risk
  • Certificate-based Downtime: Expired Certificate. Diagram: an application server certificate expires (application outage); a web server certificate expires (browser error message).
  • Certificate-based Downtime: Expired Intermediate Root Certificate. Diagram: an intermediate root certificate from CA1 expires, causing multiple simultaneous application outages.
  • Certificate-based Downtime: Trusted Root Certificates Not Updated. Diagram: the organization moves from CA1 to a new CA, CA2; the trusted root certificates still come only from CA1, so the new certificates from CA2 are not trusted and cause downtime.
  • Certificate-based Causes of Downtime
    – Scenarios: certificate expires; intermediate root certificate expires; root certificates not updated
    – Causes:
      1. No inventory of certificates to track expiration
      2. Correct administrators NOT notified of impending expiration
      3. Administrators notified but don’t take action
      4. Certificates renewed but not installed
      5. Certificates installed but applications not restarted
      6. No tracking or management of intermediate roots
      7. No tracking or management of trusted roots
  • Security Risks
  • The Threat is Evolving
    – Stuxnet, Adobe, Duqu: attackers stole private keys from two Taiwanese companies and Adobe to sign code.
    – CA compromises: attackers compromise or dupe certificate authorities to issue fraudulent certificates for further attacks.
    – Flame, Buster: attackers exploited MD5 to create a fake Microsoft CA certificate and then sign code.
    – Hackers are increasingly targeting public key infrastructure for attacks because it is a broadly used security mechanism. Poor certificate management practices put you at risk.
  • Public Key Infrastructure (PKI): The Foundation of Digital Certificates. Diagram components: Root CA and Root Certificate; Issuing CA and Issuing CA Certificate; Registration Authority; CRL and CRL Distribution Point; OCSP Responder; End Entity Certificate; Subject; Relying Party.
  • Private Key Compromise Risk
  • Putting Private Keys at Risk. Diagram: servers for performance monitoring, customer experience monitoring and security monitoring, each with its own keystore.
    – Same password used on multiple keystores (Keystore 1 Password = abc123; Keystore 2 Password = abc123).
    – Private keys and passwords are not changed when admins leave the organization.
    – Keystore passwords are not changed regularly.
    – Admins manually manage private keys, making it possible to copy them.
    – Private keys are manually passed to other groups/admins for distribution.
  • CA Compromise Risk
  • Recent Public Certificate Authority & Fraudulent Certificate Incidents
    – 2001: VeriSign issues Microsoft Corporation code signing certificate to a non-Microsoft employee.
    – 2008: Thawte issues certificate for Live.com to non-Microsoft employee. Comodo issues mozilla.org certificate to Startcom. Organization forges VeriSign RapidSSL certificates.
    – 2011: Comodo issues nine counterfeit certificates (Google, Yahoo, Live, etc.) when registration authority is compromised. StartSSL CA compromised. DigiNotar compromised; 531 fraudulent certificates issued; Dutch government experiences major service outages.
    – 2013: Boeing CA compromised. Microsoft CA certificates forged by exploiting MD5 (Flame). Buster: DigiCert issues code signing certificate to bogus company.
    – * Electronic Frontier Foundation uncovers many more unpublicized CA incidents by analyzing CRLs from public CAs.
  • NIST Alert on CA Compromise (http://csrc.nist.gov/publications/nistbul/july-2013_itl-bulletin.pdf): “These recent attacks on CAs make it imperative that organizations ensure they are using secure CAs and are prepared to respond to a CA compromise or issuance of fraudulent certificates.” - NIST, July 2013
  • Using Fraudulent Certificates: A Two-Phased Attack. 1. Get fraudulent certificate(s). 2. Use the fraudulent certificate(s) for nefarious purposes.
  • CA Compromise and Fraudulent Certificate Scenarios. Diagram: hacker, subject, RA and CA, with four attack paths labelled A to D.
    – A. Impersonation: trick the RA into issuing a fraudulent certificate.
    – B. RA Compromise: infiltrate the RA or steal credentials and authorize fraudulent certificates.
    – C. CA System Compromise: malware or other infiltration is used to get a fraudulent certificate signed by the CA (without getting a copy of the CA private key).
    – D. CA Key Theft: a stolen or derived copy of the CA private key is used to issue fraudulent certificates.
  • Man-in-the-Middle. Bob normally connects to Alice.com directly and verifies the authenticity of the server using its certificate (Subject: Alice.com, Issuer: CA1, Public Key: Alice.com’s, paired with Alice.com’s private key). With a fraudulent certificate (Subject: Alice.com, Issuer: CAx, Public Key: Eve’s, paired with Eve’s private key), Bob is redirected through Eve’s server and presented with the fraudulent certificate; Eve can view all encrypted data.
  • Impersonation. Bob authenticates to Alice.com using his certificate (Subject: Bob, Issuer: CA1, Public Key: Bob’s, paired with Bob’s private key). Eve authenticates as Bob to Alice.com using the fraudulent certificate (Subject: Bob, Issuer: CAx, Public Key: Eve’s, paired with Eve’s private key).
  • Forge Digital Signatures. Bob digitally signs documents authorizing fund transfers to Alice using his certificate (Subject: Bob, Issuer: CA1, Public Key: Bob’s, paired with Bob’s private key). Eve is able to forge Bob’s signature using the fraudulent certificate (Subject: Bob, Issuer: CAx, Public Key: Eve’s, paired with Eve’s private key).
  • Fallout from a CA Compromise: All Certificates Must Be Replaced. All certificates from the compromised CA must be replaced, and the organization must move to a new CA (from CA1 to CA2).
  • Weak Algorithm Risk
  • Flame and MD5 Attack on Microsoft
    – 1. Microsoft Impersonated: focused on an MD5 certificate; the certificate was remanufactured using a well-known attack; a man-in-the-middle was set up.
    – 2. Services Compromised: Microsoft Licensing Services compromised; Microsoft Update Services compromised; machines still thought they were working securely with Microsoft.
    – 3. Fake Code Signing: code was signed using the fake, remanufactured certificate; Windows allowed the malware to spread quickly and run; targeted machines detected no difference.
    – 4. Information Stolen: malware stole small parts of files; information was sent to 80 different URLs; once analyzed, the malware was instructed to return and get interesting files.
  • Are Your Doors Open?
    – Nearly 1 in 5 certificates relies on the outdated, “hackable” MD5 algorithm
    – Not a hypothetical risk
    – Security doors are open today
    – IDS, IPS, AV and firewalls do not close these doors (the certificate appears authentic)
    – Legal and risk management departments are mandating that MD5 certs be removed
  • Summary
    – Your organization uses certificates broadly for SSL/TLS today… and use is growing
    – Attackers are increasingly targeting certificates and PKI (non-hypothetical risk)
    – Risks include: downtime, private key compromise, CA compromise, algorithm breakage
    – Lack of certificate and key management puts your organization at risk
  • Next Steps
    – Attend the second half of this webinar series: “5 Must Haves to Prevent Today’s Encryption Disasters”, Feb 20, 10am EST, 7am PST, 3pm GMT
    – Download NIST’s ITL Bulletin “Preparing for and Responding to CA Compromise”: www.venafi.com/NIST
    – Questions? Paul Turner, info@venafi.com
  • Discussion
  • Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
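The “Certificate-based Causes of Downtime” slide blames outages on leaf and intermediate certificates whose expiry nobody tracks, and the “Expired Intermediate Root Certificate” slide shows why the leaf alone is not enough to check. The Go program below is an added example written for this page, not code from the webinar or from Venafi: it builds a constructed root, issuing CA and leaf with the standard library (the names Test Root CA, Test Issuing CA and web.example.com are fixtures), validates the chain at a chosen time the way a browser would, and names the certificate that expired, so an expired issuing CA is reported even while the leaf is still valid.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parentKey (self-signed when parent is nil); every certificate here is a constructed fixture.
func issue(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain returns root -> issuing CA -> leaf, with the issuing CA and leaf expiring interDays and leafDays from now (negative = already expired).
func BuildChain(interDays, leafDays int) (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue("Test Root CA", true, time.Now().AddDate(10, 0, 0), nil, nil)
	inter, interKey := issue("Test Issuing CA", true, time.Now().AddDate(0, 0, interDays), root, rootKey)
	leaf, _ = issue("web.example.com", false, time.Now().AddDate(0, 0, leafDays), inter, interKey)
	return root, inter, leaf
}

// ChainStatus validates the whole chain at time now, as a browser would, and names the expired certificate (leaf or issuing CA) on failure.
func ChainStatus(leaf, inter, root *x509.Certificate, now time.Time) (ok bool, expired string) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	if invalid, isInvalid := err.(x509.CertificateInvalidError); isInvalid && invalid.Reason == x509.Expired {
		return false, invalid.Cert.Subject.CommonName
	}
	return err == nil, ""
}
```

Run ChainStatus with a future time (for example, 30 days ahead) to turn it into the expiry warning the slide says administrators never receive.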