Análise de segurança da distribuição de raízes na ICP-Brasil
Abstract
This work presents a security analysis of the distribution of root certificates in the Brazilian Public Key Infrastructure (ICP-Brasil). A simple proof of concept is provided to replace a root certificate downloaded from the official repository with a fake certificate, compromising the trusted store of the client machine even when the suggested verification procedure is strictly followed. Finally, some recommendations are offered to strengthen the certificate distribution processin hope of contributing to make ICP-Brasil more robust.
References
AccessNow (2011). The weakest link in the chain: vulnerabilities in the SSL certificate authority system and what should be done about them. [link].
Bernstein, D. J., Chou, T., Chuengsatiansup, C., Hülsing, A., Lambooij, E., Lange, T., Niederhagen, R., and van Vredendaal, C. (2015). How to manipulate curve standards: A white paper for the black hat. In SSR, volume 9497 of LNCS, pages 109–139. Springer. http://bada55.cr.yp.to.
Cooper, D. A. (1998). A Closer Look at Revocation and Key Compromise in Public Key Infrastructures. In Proceedings of the 21st National Information Systems Security Conference. NIST.
Huang, L. S., Rice, A., Ellingsen, E., and Jackson, C. (2014). Analyzing Forged SSL Certificates in the Wild. In IEEE Symposium on Security and Privacy, pages 83–97.
Kerner, S. M. (2015). Symantec Issues Fraudulent Google SSL Cert. [link].
Kohnfelder, L. M. (1978). Towards a practical public-key cryptosystem. B.S. Thesis, supervised by L. Adleman.
Kuhn, D. R., Hu, V., Polk, W. T., and Chang, S.-j. H. (2001). SP 800-32. Introduction to Public Key Technology and the Federal PKI Infrastructure. Technical report, Gaithersburg, MD, United States.
Laurie, B., Langley, A., and Kasper, E. (2013). Certificate transparency. RFC 6962: https://www.rfc-editor.org/rfc/rfc6962.txt.
Leavitt, N. (2011). Internet Security under Attack: The Undermining of Digital Certificates. Computer, 44(12):17–20.
Li, N. and Feigenbaum, J. (2001). Nonmonotonicity, user interfaces, and risk assessment in certificate revocation. In Financial Cryptography, volume 2339 of LNCS, pages 157–168. Springer.
Merkle, J. and Lochter, M. (2010). Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation. RFC 5639: https://www.rfc-editor.org/rfc/rfc5639.txt.
Mozilla (2015). The MCS Incident and Its Consequences for CNNIC. https://blog.mozilla.org/security/files/2015/04/CNNIC-MCS.pdf.
Prins, J. (2011). DigiNotar Certificate Authority breach: “Operation Black Tulip”. Interim report, Cybercrime Business Unit.
Roosa, S. B. and Schultze, S. (2013). Trust Darknet: Control and Compromise in the Internet’s Certificate Authority Model. IEEE Internet Computing, 17(3):18–25.
WebTrust (2011). Trust Service Principles and Criteria for Certification Authorities v2.0. http://www.webtrust.org/homepage-documents/item54279.pdf.
WebTrust (2017). Principles and criteria for certification authorities: Ssl baseline with network security v2.2. http://www.webtrust.org/principles-and-criteria/docs/item83987.pdf.
Bernstein, D. J., Chou, T., Chuengsatiansup, C., Hülsing, A., Lambooij, E., Lange, T., Niederhagen, R., and van Vredendaal, C. (2015). How to manipulate curve standards: A white paper for the black hat. In SSR, volume 9497 of LNCS, pages 109–139. Springer. http://bada55.cr.yp.to.
Cooper, D. A. (1998). A Closer Look at Revocation and Key Compromise in Public Key Infrastructures. In Proceedings of the 21st National Information Systems Security Conference. NIST.
Huang, L. S., Rice, A., Ellingsen, E., and Jackson, C. (2014). Analyzing Forged SSL Certificates in the Wild. In IEEE Symposium on Security and Privacy, pages 83–97.
Kerner, S. M. (2015). Symantec Issues Fraudulent Google SSL Cert. [link].
Kohnfelder, L. M. (1978). Towards a practical public-key cryptosystem. B.S. Thesis, supervised by L. Adleman.
Kuhn, D. R., Hu, V., Polk, W. T., and Chang, S.-j. H. (2001). SP 800-32. Introduction to Public Key Technology and the Federal PKI Infrastructure. Technical report, Gaithersburg, MD, United States.
Laurie, B., Langley, A., and Kasper, E. (2013). Certificate transparency. RFC 6962: https://www.rfc-editor.org/rfc/rfc6962.txt.
Leavitt, N. (2011). Internet Security under Attack: The Undermining of Digital Certificates. Computer, 44(12):17–20.
Li, N. and Feigenbaum, J. (2001). Nonmonotonicity, user interfaces, and risk assessment in certificate revocation. In Financial Cryptography, volume 2339 of LNCS, pages 157–168. Springer.
Merkle, J. and Lochter, M. (2010). Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation. RFC 5639: https://www.rfc-editor.org/rfc/rfc5639.txt.
Mozilla (2015). The MCS Incident and Its Consequences for CNNIC. https://blog.mozilla.org/security/files/2015/04/CNNIC-MCS.pdf.
Prins, J. (2011). DigiNotar Certificate Authority breach: “Operation Black Tulip”. Interim report, Cybercrime Business Unit.
Roosa, S. B. and Schultze, S. (2013). Trust Darknet: Control and Compromise in the Internet’s Certificate Authority Model. IEEE Internet Computing, 17(3):18–25.
WebTrust (2011). Trust Service Principles and Criteria for Certification Authorities v2.0. http://www.webtrust.org/homepage-documents/item54279.pdf.
WebTrust (2017). Principles and criteria for certification authorities: Ssl baseline with network security v2.2. http://www.webtrust.org/principles-and-criteria/docs/item83987.pdf.
Published
2017-11-06
How to Cite
RIBEIRO, Bruno C. Dias; S. JUNIOR, Edson Floriano; ARANHA, Diego F..
Análise de segurança da distribuição de raízes na ICP-Brasil. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 17. , 2017, Brasília.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2017
.
p. 549-556.
DOI: https://doi.org/10.5753/sbseg.2017.19530.
