
Four Must Know Certificate and Key Management Threats That Can Bring Down Your Business



In this on-demand webinar, learn how to identify these four risks and the steps that keep your enterprise in control of trust.

1. Learn the four certificate and key management threats to your business
2. Hear how criminals are ruining businesses with attacks on certificates
3. Get insights into the five simple steps to prevent your own disaster

Published in: Technology


  1. Four Must Know Certificate and Key Management Threats. Prepared for: Intelligent People
  2. Use of Certificates and Keys in Enterprise Environments (diagram labels: Certificate Authorities; Server Authentication; Client-side; Secure Communications) © 2013 Venafi
  3. Certificate and Key Management Challenges (diagram: certificate authorities)
  4. Downtime Risk
  5. Certificate-based Downtime: Expired Certificate. A web server certificate expires and the browser shows an error message; an application server certificate expires and the application goes down.
  6. Certificate-based Downtime: Expired Intermediate Root Certificate. When an intermediate root certificate issued by CA1 expires, every certificate chained to it fails at the same time, causing multiple simultaneous application outages.
  7. Certificate-based Downtime: Trusted Root Certificates Not Updated. The organization moves from CA1 to a new CA (CA2), but the trusted-root stores still hold only the CA1 root certificate; the new certificates from CA2 are not trusted, causing downtime.
  8. Certificate-based Causes of Downtime
     • Scenarios
       – Certificate expires
       – Intermediate root certificate expires
       – Root certificates not updated
     • Causes
       1. No inventory of certificates to track expiration
       2. Correct administrators not notified of impending expiration
       3. Administrators notified but do not take action
       4. Certificates renewed but not installed
       5. Certificates installed but applications not restarted
       6. No tracking or management of intermediate roots
       7. No tracking or management of trusted roots
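The first, sixth and seventh causes above come down to one missing capability: an inventory that tracks expiration for the whole chain, not just the leaf. The following script is an added example, not part of the Venafi slides; it runs a chain-aware expiry audit over a constructed inventory (the record fields, host names, dates and owner addresses are all assumptions made for the example) and reproduces the three downtime scenarios from slides 5 to 7: an expired leaf, an intermediate that expires before the leaves under it, and a new CA whose root is not yet in the trusted-root store.

```python
"""Added example (not from the slides): a chain-aware expiry audit over a
constructed certificate inventory.  Every record names its issuer so a chain
can be walked from a leaf up to its root; the date that matters for an outage
is the earliest not_after anywhere in that chain."""
from datetime import datetime

# Constructed inventory (not real certificates).  Dates are YYYY-MM-DD.
INVENTORY = {
    "www.example.test": {"issuer": "Issuing CA1", "not_after": "2014-03-15", "owner": "web-team@example.test"},
    "app.example.test": {"issuer": "Issuing CA1", "not_after": "2015-06-01", "owner": "app-team@example.test"},
    "api.example.test": {"issuer": "Issuing CA2", "not_after": "2015-06-01", "owner": "api-team@example.test"},
    "Issuing CA1":      {"issuer": "Root CA1",    "not_after": "2014-04-10", "owner": "pki@example.test"},
    "Issuing CA2":      {"issuer": "Root CA2",    "not_after": "2020-01-01", "owner": "pki@example.test"},
    "Root CA1":         {"issuer": None,          "not_after": "2025-01-01", "owner": "pki@example.test"},
    "Root CA2":         {"issuer": None,          "not_after": "2030-01-01", "owner": "pki@example.test"},
}
# Root CA2 was brought in for new certificates but never pushed to the trust stores.
TRUSTED_ROOTS = {"Root CA1"}


def _expiry(name, inventory):
    return datetime.strptime(inventory[name]["not_after"], "%Y-%m-%d")


def chain_of(leaf, inventory):
    """Walk issuer links from an end-entity certificate up to its root."""
    chain = [leaf]
    while True:
        issuer = inventory[chain[-1]]["issuer"]
        if issuer is None:
            return chain
        if issuer not in inventory:
            raise KeyError(f"issuer '{issuer}' of '{chain[-1]}' is not tracked in the inventory")
        chain.append(issuer)


def audit(today, warn_days=30, inventory=INVENTORY, trusted_roots=TRUSTED_ROOTS):
    """Return one (subject, finding, who_to_notify) tuple per problem found.
    One expired intermediate produces a finding for every leaf beneath it, which
    is the 'multiple simultaneous outages' case from the slides."""
    now = datetime.strptime(today, "%Y-%m-%d")
    issuers = {r["issuer"] for r in inventory.values()}
    leaves = sorted(n for n, r in inventory.items() if r["issuer"] is not None and n not in issuers)
    findings = []
    for leaf in leaves:
        chain = chain_of(leaf, inventory)
        root = chain[-1]
        if root not in trusted_roots:
            findings.append((leaf, f"root '{root}' is not in the trusted-root store", inventory[root]["owner"]))
        # Earliest expiry anywhere in the chain decides when the service breaks.
        weakest = min(chain, key=lambda n: _expiry(n, inventory))
        days_left = (_expiry(weakest, inventory) - now).days
        if days_left < 0:
            findings.append((leaf, f"'{weakest}' expired {-days_left} days ago", inventory[weakest]["owner"]))
        elif days_left <= warn_days:
            findings.append((leaf, f"'{weakest}' expires in {days_left} days", inventory[weakest]["owner"]))
    return findings


if __name__ == "__main__":
    for subject, finding, notify in audit("2014-03-20"):
        print(f"{subject}: {finding} -> notify {notify}")
```

Run on the constructed data for 2014-03-20, the audit reports the api host because its root is untrusted, the app host because Issuing CA1 expires in 21 days even though the leaf itself is good until 2015, and the www host because its own certificate expired five days earlier. Each finding carries the owner to notify, which is the second cause on the slide: the right administrator has to receive the warning, not just a mailbox nobody reads.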
  9. Security Risks
  10. The Threat is Evolving (timeline: Stuxnet, CA Compromises, Adobe, Duqu, Flame, Buster)
     • Stuxnet, Duqu, Adobe: attackers stole private keys from two Taiwanese companies and Adobe to sign code.
     • CA compromises, Buster: attackers compromise or dupe certificate authorities to issue fraudulent certificates for further attacks.
     • Flame: attackers exploited MD5 to create a fake Microsoft CA certificate and then sign code.
     Hackers are increasingly targeting public key infrastructure for attacks because it is a broadly used security mechanism. Poor certificate management practices put you at risk.
  11. Public Key Infrastructure (PKI): The Foundation of Digital Certificates (diagram: Root CA and root certificate; Issuing CAs; Registration Authority; CRL and CRL Distribution Point; OCSP Responder; End Entity Certificate held by the Subject; Relying Party)
  12. Private Key Compromise Risk
  13. Putting Private Keys at Risk
     • Same password used on multiple keystores (Keystore 1 password = abc123, Keystore 2 password = abc123).
     • Private keys and keystore passwords are not changed when admins leave the organization.
     • Keystore passwords are not changed regularly.
     • Admins manually manage private keys, making it possible to copy them.
     • Private keys are manually passed to other groups/admins (performance monitoring, customer experience monitoring, security monitoring) for distribution.
  14. CA Compromise Risk
  15. Recent Public Certificate Authority & Fraudulent Certificate Incidents
     2001 • VeriSign issues Microsoft Corporation code signing certificate to a non-Microsoft employee.
     2008 • Thawte issues certificate for … to non-Microsoft employee
          • Comodo issues certificate to Startcom
          • Organization forges VeriSign RapidSSL certificates
     2011 • Comodo issues nine counterfeit certificates (Google, Yahoo, Live, etc.) when registration authority is compromised.
          • StartSSL CA compromised
          • DigiNotar compromised. 531 fraudulent certificates issued. Dutch government experiences major service outages.
          • Boeing CA compromised
     2013 • Microsoft CA certificates forged by exploiting MD5 (Flame)
     2013 • Buster: DigiCert issues code signing certificate to bogus company
     * Electronic Freedom Foundation uncovers many more unpublicized CA incidents by analyzing CRLs from public CAs
  16. NIST Alert on CA Compromise. “These recent attacks on CAs make it imperative that organizations ensure they are using secure CAs and are prepared to respond to a CA compromise or issuance of fraudulent certificates.” – NIST, July 2013
  17. Using Fraudulent Certificates: A Two-Phased Attack. Phase 1: get fraudulent certificate(s). Phase 2: use the fraudulent certificate(s) for nefarious purposes.
  18. CA Compromise and Fraudulent Certificate Scenarios (diagram: Subject, Hacker, RA, CA; scenarios labelled A through D)
     • Impersonation: trick the RA into issuing a fraudulent certificate.
     • RA Compromise: infiltrate the RA or steal credentials and authorize fraudulent certificates.
     • CA System Compromise: malware or other infiltration is used to get a fraudulent certificate signed by the CA (without getting a copy of the CA private key).
     • CA Key Theft: a stolen or derived copy of the CA private key is used to issue fraudulent certificates.
  19. Man-in-the-Middle (diagram). Normally Bob connects directly to the server and verifies its authenticity using the server's certificate (Issuer: CA1, matching the server's private key). With a fraudulent certificate for the same subject (Issuer: CAx, matching Eve's private key), Bob is redirected through Eve's server and presented with the fraudulent certificate; Eve can view all encrypted data.
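Whether Bob ends up on Eve's server without noticing is decided by how his client is configured. The snippet below is an added example and not part of the slides: it builds a Python `ssl` client context with verification switched off (the setting that accepts Eve's fraudulent certificate) next to a hardened context that rejects any certificate that does not chain to a trusted root or does not match the host name, and an audit function that flags the weak settings. Nothing here opens a connection; the contexts are only constructed and inspected.

```python
"""Added example (not from the slides): the client-side settings that decide
whether a fraudulent certificate is accepted, and an audit that flags them."""
import ssl


def insecure_context():
    """The 'open door': no chain validation and no host-name check.  A
    certificate issued by CAx for the server's name passes straight through."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Chain validation against the trust store (CERT_REQUIRED), host-name
    matching (check_hostname) and TLS 1.2 or newer.  cafile is optional: with
    None the platform trust store is used."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the settings that would let a fraudulent certificate through."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: the server certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: the certificate subject is not matched against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows protocols older than TLS 1.2")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

The audit is the kind of check worth running over an application's TLS setup code: the insecure context yields three findings, the hardened one none. Note that even the hardened context trusts whatever roots are in the store, which is why the CA compromise scenarios on the following slides still matter.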
  20. Impersonation (diagram). Bob authenticates using his certificate (Subject: Bob, Issuer: CA1, Bob's private key). Eve authenticates as Bob using the fraudulent certificate (Subject: Bob, Issuer: CAx, Eve's private key).
  21. Forge Digital Signatures (diagram). Bob digitally signs documents authorizing fund transfers; Alice is the recipient (Subject: Bob, Issuer: CA1, Bob's private key). Eve is able to forge Bob's signature using the fraudulent certificate (Subject: Bob, Issuer: CAx, Eve's private key).
  22. Fallout from a CA Compromise: All Certificates Must Be Replaced. All certificates from the compromised CA (CA1) must be replaced, and the organization must move to a new CA (CA2).
  23. Weak Algorithm Risk
  24. Flame and MD5 Attack on Microsoft
     1. Microsoft Impersonated
        • Focused on MD5 certificate
        • Certificate was remanufactured using well-known attack
        • Man-in-the-middle was set up
     2. Services Compromised
        • Microsoft Licensing Services compromised
        • Microsoft Windows Update Services compromised
        • Machines still thought they were working securely with Microsoft
     3. Fake Code Signing
        • Code was signed using the fake, remanufactured certificate
        • Windows allowed the malware to spread quickly and run
        • Targeted machines detected no difference
     4. Information Stolen
        • Malware stole small parts of files
        • Information was sent to 80 different URLs
        • Once analyzed, instructed to return and get interesting files
  25. Are Your Doors Open?
     • Nearly 1 in 5 certificates relies on outdated, “hackable” MD5 algorithm
     • Not a hypothetical risk
     • Security doors are open today
     • IDS, IPS, AV, firewalls do not close these doors (appears as authentic)
     • Legal and risk management departments are mandating that MD5 certs be removed
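Finding the MD5-signed certificates that slides 24 and 25 are about means reading the signature algorithm of every certificate in the inventory. The following is an added example, not code from the slides or from Venafi: it pulls the outer `signatureAlgorithm` OID straight out of a DER certificate with a small tag/length/value reader and classifies it, so the check can run offline over an inventory without an X.509 library. The sample certificates are constructed minimal DER shells (a placeholder tbsCertificate, an AlgorithmIdentifier and a dummy BIT STRING), not real certificates; the OID values themselves are the standard PKCS#1 and X9.62 identifiers.

```python
"""Added example (not from the slides): read the outer signatureAlgorithm OID
directly from DER and flag MD5/SHA-1 signatures.  Only the structure
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
is relied on; tbsCertificate is skipped as an opaque blob."""

# Signature-algorithm OIDs.  The MD2/MD5/SHA-1 entries are the "open doors".
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
ACCEPTABLE_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """OID content octets to dotted form; the first octet packs the first two arcs."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:                  # base-128, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der_cert):
    tag, cert, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)                 # skip tbsCertificate whole
    tag, alg_id, _ = _read_tlv(cert, pos)             # signatureAlgorithm: AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def classify_signature(der_cert):
    """Return ('weak' | 'ok' | 'unknown', algorithm name or raw OID)."""
    oid = signature_algorithm_oid(der_cert)
    if oid in WEAK_SIGNATURE_OIDS:
        return "weak", WEAK_SIGNATURE_OIDS[oid]
    if oid in ACCEPTABLE_SIGNATURE_OIDS:
        return "ok", ACCEPTABLE_SIGNATURE_OIDS[oid]
    return "unknown", oid


def find_weak(inventory):
    """Names of the certificates in {name: der_bytes} that carry a weak signature."""
    return sorted(name for name, der in inventory.items() if classify_signature(der)[0] == "weak")


# --- constructed sample input: minimal DER shells, NOT real certificates ------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def _fake_cert(oid_octets, tbs_size=0):
    tbs = _tlv(0x30, b"\x00" * tbs_size)                      # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, oid_octets) + b"\x05\x00")    # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\xaa" * 16)                   # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


MD5_CERT = _fake_cert(bytes.fromhex("2a864886f70d010104"), tbs_size=300)   # forces long-form lengths
SHA256_CERT = _fake_cert(bytes.fromhex("2a864886f70d01010b"))
ECDSA_CERT = _fake_cert(bytes.fromhex("2a8648ce3d040302"))
SAMPLE_INVENTORY = {"legacy.example.test": MD5_CERT, "www.example.test": SHA256_CERT, "api.example.test": ECDSA_CERT}

if __name__ == "__main__":
    for name, der in SAMPLE_INVENTORY.items():
        print(name, classify_signature(der))
    print("weak:", find_weak(SAMPLE_INVENTORY))
```

On real input, `der_cert` would be the bytes of a `.der`/`.cer` file (or a PEM body base64-decoded), and `find_weak` would run over the whole inventory; the "1 in 5" figure on the slide is exactly the ratio such a pass would report. Note that this reads the outer signature field only, which is the one the relying party verifies; it does not attempt to validate the signature itself.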
  26. Summary
     • Your organization uses certificates broadly for SSL/TLS today…and use is growing
     • Attackers are increasingly targeting certificates and PKI (non-hypothetical risk)
     • Risks include:
       – Downtime
       – Private key compromise
       – CA compromise
       – Algorithm breakage
     • Lack of certificate and key management puts your organization at risk
  27. Next Steps
     • Attend the second half of this webinar series: “5 Must Haves to Prevent Today’s Encryption Disasters”, Feb 20, 10am EST, 7am PST, 3pm GMT
     • Download NIST’s ITL Bulletin: “Preparing for and Responding to CA Compromise”
     • Questions? – Paul Turner
  28. Discussion
  29. Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
     General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.