RSA Keys Quality in a Real-world Organizational Certificate Dataset: a Practical Outlook

• Autorzy: Kamiński Konrad , Mazurczyk Wojciech

Identyfikatory

DOI

10.24425/ijet.2023.147704

• Języki publikacji: EN

Abstrakty

EN

This research investigates the intricacies of X.509 certificates within a comprehensive corporate infrastructure. Spanning over two decades, the examined enterprise has heavily depended on its internal certificate authority and Public Key Infrastructure (PKI) to uphold its data and systems security. With the broad application of these certificates, from personal identification on smart cards to device and workstation authentication via Trusted Platform Modules (TPM), our study seeks to address a pertinent question on how prevalent are weak RSA keys within such a vast internal certificate repository. Previous research focused primarily on key sets publicly accessible from TLS and SSH servers or PGP key repositories. On the contrary, our investigation provides insights into the private domain of an enterprise, introducing new dimensions to this problem. Among our considerations are the trustworthiness of hardware and software solutions in generating keys and the consequential implications of identified vulnerabilities on organizational risk management. The obtained results can contribute to enhancing security strategies in enterprises.

Słowa kluczowe

EN

certificates; X.509; RSA keys; PKI; vulnerabilities; RSA factorization

• Wydawca: Polish Academy of Sciences, Committee of Electronics and Telecommunication
• Czasopismo: International Journal of Electronics and Telecommunications
• Rocznik: 2023
• Tom: Vol. 69, No. 4
• Strony: 803--810
• Opis fizyczny: Bibliogr. 28 poz., fot., rys., tab., wykr.

Twórcy

autor

Kamiński Konrad

• Faculty of Electrical Engineering and Communication, Warsaw University of Technology, Warsaw, Poland; Security Technology Development and Transformation Division, Orange Polska S.A.,Warsaw, Poland

• https://orcid.org/0009-0004-0031-7507

autor

Mazurczyk Wojciech

• Security Technology Development and Transformation Division, Orange Polska S.A.,Warsaw, Poland

• https://orcid.org/0000-0002-8509-4127

Bibliografia

• [1] Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman, “Analysis of the HTTPS certificate ecosystem,” ser. IMC ’13. New York, NY, USA: Association for Computing Machinery, 10 2013, p. 291-304, [Online; accessed 2023-04-26]. [Online]. Available: https://dl.acm.org/doi/10.1145/2504730.2504755
• [2] M. Hastings, J. Fried, and N. Heninger, “Weak Keys Remain Widespread in Network Devices,” ser. IMC ’16. New York, NY, USA: Association for Computing Machinery, 11 2016, p. 49-63, [Online; accessed 2023-07-30]. [Online]. Available: https://dl.acm.org/doi/10.1145/2987443.2987486
• [3] A. K. Lenstra, J. P. Hughes, M. Augier, J. W. Bos, T. Kleinjung, and C. Wachter, “Ron was wrong, Whit is right,” [Online; accessed 2023-04-26]. [Online]. Available: https://eprint.iacr.org/2012/064.pdf
• [4] L. M. Kohnfelder, “Towards a practical public-key cryptosystem.” Ph.D. dissertation, 1978, accepted: 2005-08-04T15:38:48Z. [Online]. Available: https://dspace.mit.edu/handle/1721.1/15993
• [5] N. Serrano, H. Hadan, and L. J. Camp, “A Complete Study of P.K.I. (PKI’s Known Incidents),” 7 2019, [Online; accessed 2023-08-15]. [Online]. Available: https://papers.ssrn.com/abstract=3425554
• [6] “Timeline of Certificate Authority Failures - SSLMate,” [Online; accessed 2023-08-15]. [Online]. Available: https://sslmate.com/resources/certificate authority failures
• [7] “Replace Your Symantec SSL/TLS Certificates | Digicert & Symantec,” [Online; accessed 2023-08-15]. [Online]. Available: https://www.secure128.com/blog/replace-your-symantec-ssl-tls-certificates
• [8] N. van der Meulen, “Diginotar: Dissecting the First Dutch Digital Disaster,” Journal of Strategic Security, vol. 6, no. 2, 7 2013. [Online]. Available: https://digitalcommons.usf.edu/jss/vol6/iss2/4
• [9] Z. Dong, K. Kane, and L. J. Camp, “Detection of Rogue Certificates from Trusted Certificate Authorities Using Deep Neural Networks,” ACM Transactions on Privacy and Security, vol. 19, no. 2, pp. 1-31, 9 2016.
• [10] J. Amann, O. Gasser, Q. Scheitle, L. Brent, G. Carle, and R. Holz, “Mission accomplished? HTTPS security after diginotar,” ser. IMC ’17. New York, NY, USA: Association for Computing Machinery, 11 2017, p. 325-340, [Online; accessed 2023-08-15]. [Online]. Available: https://dl.acm.org/doi/10.1145/3131365.3131401
• [11] Q. Scheitle, T. Chung, J. Hiller, O. Gasser, J. Naab, R. van Rijswijk-Deij, O. Hohlfeld, R. Holz, D. Choffnes, A. Mislove, and G. Carle, “A First Look at Certification Authority Authorization (CAA),” ACM SIGCOMM Computer Communication Review, vol. 48, no. 2, p. 10-23, 5 2018.
• [12] D. J. Bernstein, “How to find smooth parts of integers.”
• [13] M. Nemec, M. Sys, P. Svenda, D. Klinec, and V. Matyas, “The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli,” ser. CCS ’17. New York, NY, USA: Association for Computing Machinery, 10 2017, p. 1631-1648, [Online; accessed 2023-08-14]. [Online]. Available: https://doi.org/10.1145/3133956.3133969
• [14] S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage, “When private keys are public: results from the 2008 Debian OpenSSL vulnerability,” ser. IMC ’09. New York, NY, USA: Association for Computing Machinery, 11 2009, p. 15-27, [Online; accessed 2023-07-30]. [Online]. Available: https://doi.org/10.1145/1644893.1644896
• [15] “Debian - Security Information - DSA-1571-1 openssl,” [Online; accessed 2023-08-14]. [Online]. Available: https://www.debian.org/security/2008/dsa-1571
• [16] D. Bernstein, N. Heninger, and T. Lange, “Facthacks: RSA factorization in the real world.” [Online]. Available: http://events.ccc.de/congress/2012/Fahrplan/events/5275.en.html
• [17] Z. Durumeric, E. Wustrow, and J. A. Halderman, “ZMap: Fast Internet-wide Scanning and Its Security Applications,” 2013, pp. 605-620, [Online; accessed 2023-08-15]. [Online]. Available: https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/durumeric
• [18] Y. Zhang, B. Liu, C. Lu, Z. Li, H. Duan, J. Li, and Z. Zhang, “Rusted Anchors: A National Client-Side View of Hidden Root CAs in the Web PKI Ecosystem,” ser. CCS ’21. New York, NY, USA: Association for Computing Machinery, 11 2021, p. 1373–1387, [Online; accessed 2023-08-15]. [Online]. Available: https://doi.org/10.1145/3460120.3484768
• [19] “Zlint,” 8 2023, original-date: 2016-11-30T18:42:16Z. [Online]. Available: https://github.com/zmap/zlint
• [20] “Orange | FR0000133308 | Euronext exchange live quotes,” [Online; accessed 2023-08-15]. [Online]. Available: https://live.euronext.com/en/product/equities/FR0000133308-XPAR/company-information
• [21] “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.”
• [22] D. J. Bernstein, N. Heninger, and T. Lange, “FactHacks: Batch gcd.”[Online]. Available: https://facthacks.cr.yp.to/batchgcd.html
• [23] zugzwang, “(C++)+GMP BatchGCD algorithm,” Feb. 2022, original-date 2019-11-21. [Online]. Available: https://github.com/zugzwang/batchgcd
• [24] “ROCA detection tool,” 7 2023, original-date: 2017-10-13T15:28:41Z. [Online]. Available: https://github.com/crocs-muni/roca
• [25] T. Hudek, “Update device firmware using Windows Update - Windows drivers,” 10 2022, [Online; accessed 2023-08-16]. [Online]. Available: https://learn.microsoft.com/en-us/windows-ardware/drivers/install/updating-device-firmware-using-windows-update
• [26] “Exploiting (Almost) Every Antivirus Software - RACK911 Labs,” [Online; accessed 2023-08-15]. [Online]. Available: https://rack911labs.ca/research/exploiting-almost-every-antivirus-software/
• [27] K. W. Hamlen, V. Mohan, M. M. Masud, L. Khan, and B. Thuraisingham, “Exploiting an antivirus interface,” Computer Standards & Interfaces, vol. 31, no. 6, pp. 1182-1189, 11 2009.
• [28] “Searching for vulnerabilities in Security Products,” [Online; accessed 2023-08-15]. [Online]. Available: https://www.cvedetails. com/product-search.php?vendor_id=0&search=security

Uwagi

Opracowanie rekordu ze środków MNiSW, umowa nr SONP/SP/546092/2022 w ramach programu "Społeczna odpowiedzialność nauki" - moduł: Popularyzacja nauki i promocja sportu (2024).