DEVELOPING AND CONNECTING ISSA CYBERSECURITY LEADERS GLOBALLY

PKI Under Attack

By Jeff Stapleton – ISSA member, Fort Worth, USA Chapter

In the September 2012 ISSA Journal, the author looked at a concise history of public key infrastructure and mentioned several compromise incidents from 2011. This trend seems to be continuing as PKI continues to be under attack. This article explores various PKI vulnerabilities.

March 2013 | ISSA Journal – 33 ©2013 ISSA • www.issa.org • [email protected] • All rights reserved.

PKI and SSL framework

In the September 2012 ISSA Journal, we looked at a concise history of public key infrastructure (PKI) and mentioned several Certificate Authority (CA) compromise incidents from 2011. This trend seems to be continuing as PKI continues to be under attack. To explore this further, let's first establish a typical PKI framework, shown in figure 1, to discuss the various vulnerability points and attack vectors.

Figure 1 – PKI and SSL framework

For this discussion we will focus on a secure socket layer (SSL) [1] scenario which includes a CA consisting of a root CA (Blue) and two subordinates (Red and Green), a server (S), and the relying parties consisting of the browser manufacturer (M) and the browser (B). The most common PKI and SSL option is using the RSA algorithm for server-side certificates. As a quick refresher, the browser recognizes the SSL certificate sent to it by the server. Essentially the browser generates a random symmetric key and encrypts it using the server RSA public key for subsequent session encryption, which essentially is the SSL tunnel. Actually the browser encrypts a master secret with the public key, which is used by both parties to derive a symmetric encryption key; however, for this discussion it is easier to just envision the public key encrypting the symmetric key. SSL and Transport Layer Security (TLS) [2, 3, 4, and 5] also support a keyed hash as a message authentication code (HMAC) [7] for data integrity. For the browser to trust the server public key, the server SSL certificate must be validated. For this to occur, the browser needs the root CA public key of the certificate chain. Let's look at the certificate in more detail.

For this scenario, the Blue root CA is the highest authority in this PKI structure, and signs its own certificate and the certificate of the Red subordinate CA. The Blue root CA typically operates in an offline manual mode, and does not issue any other certificates, except possibly to other Red peer-level subordinate CAs not shown. Note that most root CAs have numerous sub-CAs dedicated to various PKI techniques and usage (e.g., RSA keys, other asymmetric algorithms, SSL, email, disk encryption), but for this discussion we will only look at the SSL sub-CA. The Red subordinate CA signs the certificate of the Green subordinate CA; it might operate in an offline manual or online automatic or manual mode, and it does not issue any other certificates, except possibly to other Green peer-level subordinate CAs not shown. The Green subordinate CA operates in an online automatic mode, and signs the certificate of the server (S) and many other servers not shown. During the SSL handshake, the server has provided the certificate chain to the browser, consisting of the server certificate, the Green sub-CA certificate, and the Red sub-CA certificate, but not the Blue root CA certificate. Thus, for the browser to validate the certificate chain, it follows the issuance links from the server certificate to the Blue root CA certificate. The Blue root CA certificate is a trust anchor in the browser (B), as provided by the browser manufacturer (M). The Blue root CA public key is then used to validate the Red subordinate CA certificate by verifying the Blue signature. The Red subordinate CA public key is then used to validate the Green subordinate CA certificate by verifying the Red signature. The Green subordinate CA public key is then used to validate the server SSL certificate by verifying the Green signature. The server public key is then used by the browser to encrypt the random symmetric key.

In addition to following the issuance links and verifying the certificate signatures, the browser is expected to validate that the domain name in the certificate matches the server uniform resource locator (URL), and that all of the certificate validity dates are legitimate. Further, if any of the certificates provide a link to a certificate revocation list (CRL) or an online certificate status protocol (OCSP) responder, the browser is also expected to check the status of the certificates to ensure none have been revoked prior to their expiration dates. However, the PKI trust model has come under attack from counterfeit SSL certificates issued by adversaries external to the CA.

Counterfeit certificates

Interestingly, most PKI risks were focused on the vulnerability of the private key, and what might occur if the private key of any of the participants is compromised. Certificates are revoked for a variety of operational reasons including known or suspected compromise, but if the compromise is undetected and the certificates are not revoked, then an adversary can mount various attacks. For example, if the server private key is compromised, then an adversary can "peek" inside the tunnel by decrypting the session key and then decrypting the data packets sniffed on the connection. An adversary, having both the private key and certificate, could masquerade as the server; however, the domain name matching makes this problematic. More significantly, if the Green subordinate CA private key is compromised, then an adversary can issue any server certificate in any name for any key pair whose certificate chain still validates to the Blue root CA trust anchor. As another example, if any CA private key is compromised, then an adversary can issue any certificate, including the creation of a whole fraudulent PKI.

However, as it turns out, the ability to issue a fraudulent certificate does not necessarily require compromising the CA private key. Asymmetric private keys are usually protected using cryptographic hardware modules, so the ability to "see" or copy the private key unencrypted is infeasible [6]. But, as it turns out, gaining access to the issuance application that uses the CA private key is much easier, since systems and individuals are vulnerable to password cracking, phishing, malware, and social engineering. The frontend of any CA is a registration authority (RA) to process certificate signing requests (CSR). The RA might be a functional component of the CA; it might be a standalone system; or it might be an authorized affiliate of the CA. The following CA compromises are based on publicly available information.

At the USENIX Security 2011 Symposium, Jesse Burns and Peter Eckersley reported that their study of the Certificate Revocation Lists (CRLs) published by CAs seen by the SSL Observatory revealed that 14 CAs had been compromised. The names of the allegedly compromised CAs were not published as the research was still ongoing; however, there are several publicly available articles on the DigiNotar, Comodo, GlobalSign, StartSSL, and TurkTrust certification authorities.

DigiNotar

DigiNotar was a Dutch certificate authority owned by VASCO Data Security International. The CA issued two types of certificates: certificates under their own name (where the root CA was "DigiNotar Root CA") and certificates for the Dutch government's PKIoverheid ("PKIgovernment") program [9]. On July 10, 2011, a wildcard certificate, which could be used with multiple subdomains of a domain, was issued by DigiNotar's systems for Google by an attacker with access to their systems. This certificate was subsequently used by unknown persons in Iran to conduct a man-in-the-middle attack against Google services. On August 28, 2011, certificate problems were observed on multiple Internet service providers in Iran. The fraudulent certificate was posted on pastebin. According to a subsequent news release by VASCO, DigiNotar had detected an intrusion into its certificate authority infrastructure on July 19, 2011, but reportedly DigiNotar did not publicly reveal the security breach at the time.

According to DigiNotar's own investigation, they found out that they were compromised on July 19, 2011, and several rogue SSL certificates had been issued, including the one for *.google.com. All the other ones were revoked, but for some reason DigiNotar missed revoking the one issued for Google's domain. With the rogue certificate issued by a trusted CA, it's possible to do man-in-the-middle attacks and listen in to any traffic going to Google's services, such as Google Mail, Google Docs, Google Plus, and Google Apps, without any visible warnings to users.

On September 20, 2011, Vasco announced that its subsidiary DigiNotar was declared bankrupt after filing for voluntary bankruptcy at the Haarlem court. Effective immediately the court appointed a receiver, a court-appointed trustee who took over the management of all of DigiNotar's affairs, as it proceeds through the bankruptcy process to liquidation [10].

Comodo

On March 15, 2011, a Comodo affiliate registration authority was compromised, resulting in the fraudulent issue of nine SSL certificates to sites in seven domains. Although the compromise was detected within hours and the certificates revoked immediately, the attack and the suspected motivation required urgent attention of the entire security field [8]. Phillip Hallam-Baker clarified in his March 23, 2011, blog that at no time were any Comodo root keys, intermediate CAs, or secure hardware compromised. The compromise occurred at an affiliate authorized to perform primary validation of certificate requests. It was promptly reported to the owners of the domains affected, the major browser providers, and the relevant government authorities. Detailed information can be found in the incident report.

An attacker obtained the username and password of a Comodo Trusted Partner in Southern Europe. We are not yet clear about the nature or the details of the breach suffered by that partner other than knowing that other online accounts (not with Comodo) held by that partner were also compromised at about the same time. The attacker used the username and password to login to the particular Comodo RA account and effect the fraudulent issue of the certificates. The attacker was still using the account when the breach was identified and the account suspended. The attacker may have intended to target additional domains had he had the opportunity.

Remediation efforts began immediately once the breach was discovered. The certificates have all been revoked and no web browser should now accept the fraudulently issued certificates if revocation checking is enabled. Additional audits and controls have been deployed as described in the detailed incident report.

The IP address of the initial attack was recorded and has been determined to be assigned to an ISP in Iran. A web survey revealed one of the certificates deployed on another IP address assigned to an Iranian ISP. The server in question stopped responding to requests shortly after the certificate was revoked. While the involvement of two IP addresses assigned to Iranian ISPs is suggestive of an origin, this may be the result of an attacker attempting to lay a false trail.

It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in North Africa and the Gulf region are facing popular protests, and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests. Government attacks against social networking sites are not a new phenomenon. In the wake of the 2009 protests, Twitter was disabled for an hour by a group calling itself the Iranian Cyber Army. In recent months we have seen a complete shutdown of the Internet in Egypt and in Libya. The Tunisian government authorities also attempted an attack against login credentials at social networking sites through a JavaScript attack. A recent article in the London Daily Telegraph describes measures taken against the Tor onion routing infrastructure by Iran.

GlobalSign

GlobalSign, the certificate authority that the attacker who compromised Comodo and DigiNotar claimed he had infiltrated as well, said it has completed its months-long security review and found no evidence that its CA infrastructure was compromised or that any rogue certificates had been issued. The investigation did confirm that the company's public web server had been compromised, and GlobalSign decided to revoke its own SSL certificate and key [11].

After the attacker, who goes by the name of Comodohacker, claimed in September that he had compromised GlobalSign, the company began an investigation and temporarily stopped issuing digital certificates. The company restarted its CA operations shortly thereafter, but continued the investigation once it discovered the breach of its web server. The GlobalSign incident report says that while the company didn't find any evidence of an intrusion in its CA infrastructure or certificate-issuance system, it considers the attack to be part of an ongoing series of such attacks on CAs and other critical pieces of the Internet's infrastructure.

StartSSL

StartSSL, a certification authority offering free SSL certificates, was compromised by unknown attackers and the company suspended issuing security certificates as a "defensive measure." Attackers hit StartSSL on June 15, 2011, and the company suspended issuing SSL certificates indefinitely, according to a short statement on the site. Certificates that have already been issued to customers were not compromised, and visitors to those sites are not affected, according to the statement [29].

Unlike the attacks on Comodo and other certificate authorities, these attackers did not gain enough access to issue valid certificates for arbitrary domains to themselves, StartSSL said. The attackers were also unsuccessful in generating an intermediate certificate that would allow them to act as their own certificate authority, The Register reported. "Due to a security breach that occurred at the 15th of June, issuance of digital certificates and related services has been suspended. Our services will remain offline until further notice," StartSSL said. It's not clear what the attackers were able to access, nor what it means for the company's ability to continue issuing certificates in the future. "Our services will be gradually reinstated as the situation allows," the company said on the site. The message was still on the site as of June 22. The company stressed that existing certificates were not compromised. More than 25,000 websites use certificates issued by StartSSL, according to Paul Mutton, a security researcher with British security firm Netcraft.

The StartSSL attack follows earlier attacks on other certificate authorities. Root certificate authority Comodo was compromised in March when an attacker breached a reseller's system and received several valid certificates for major domains. Certificates for seven addresses were forged, including Google Mail, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.com, and Microsoft's login.live.com. StartSSL certificates are accepted by default by most major browsers, including Mozilla Firefox. Once a certificate authority's root certificate is included within a browser, it can validate hundreds of thousands of individual websites, making it impractical to remove the compromised authority from the browser entirely.

The attackers were after valid certificates for a list of websites similar to those targeted by the Comodo attacker, Eddy Nigg, CTO and COO of StartSSL's parent company StartCom, told The Register. The attack did not succeed because the authority's private encryption key was stored on a computer that isn't connected to the Internet, Nigg said. The incident highlighted the lack of security in the worldwide certificate authority structure. "There were too many authorities and the system was not being implemented as designed," James Lyne, director of technology strategy at Sophos, told eWEEK. "SSL no longer provides meaningful security, since users can just ignore the warning that a site has an invalid certificate and proceed to the site," Lyne said.

TurkTrust

TurkTrust was notified of two fraudulent Google certificates in January 2012, issued by a subordinate CA [15]; however, initially concerned about another compromised CA, officials clarified that the company had mistakenly issued two subordinate certificates, one to a bank and another to a government-affiliated agency, in 2011. Reportedly, the first certificate was revoked quickly at the request of the customer principal; the other one was installed on a web server as part of a webmail deployment. It was used as a normal SSL certificate for some time until it was exported to a firewall and later used to generate a wildcard certificate for "*.google.com" in December 2011 [14].

Countermeasures

The primary chink in the PKI armor seems to be the registration authority (RA) with inadequate security practices that are susceptible to server hacking, phishing attacks, and social engineering. The role of the RA is to process certificate and revocation requests, which include authentication and authorization of the requestor. If the RA security controls are compromised, then administrator or application accounts might be accessed. If an administrator account for managing system hardware components, software components, or application accounts is compromised, then hardware eavesdropping devices or rogue monitoring software can be installed, or illicit application accounts can be allocated. If an application account for managing certificate and revocation requests is compromised, then counterfeit certificates can be issued, or legitimate certificates can be revoked.

Thus, the RA must be operated with a formal information security management system. While there are many security models to choose from, there are fundamental elements of any information security plan. The RA needs to have documented security policy, practices, and procedures. A security organization needs to exist within the RA to support the policy and practices. Security areas addressed by the policy and practices include asset management for hardware and software, data classification for protecting personal and confidential information, personnel security including background checks, physical security for facilities and datacenters, access controls for employees and contractors, vulnerability management for handling software modifications, network security for availability and reliance, an incident response plan, business continuity and disaster recovery, and compliance management for legal, regulatory, and contractual obligations. To ensure security continuity, the RA should also engage an external auditor for independence.


However, counterfeit SSL certificates issued by adversaries external to a CA are not the only issue weakening the PKI trust model. Counterfeit SSL certificates allow an external party to masquerade as the legitimate server, but what about impersonating the legitimate client? As it turns out, there are scenarios where man-in-the-middle (MITM) certificates are being used to disrupt the anticipated client-to-server SSL connections.

Figure 2 – PKI man-in-the-middle certificates

Man-in-the-middle certificates

Organizations that monitor their employees' Internet activities cannot "see" into encrypted SSL or TLS tunnels, so the data cannot be analyzed. Allegedly this lack of analysis has allowed intrusion of malware and leakage of sensitive data. The industry approach has been man-in-the-middle (MITM) certificates that enable monitoring by a proxy server between the web server and the employee desktop (see figure 2). As discussed earlier in the PKI and SSL framework above, the web server has an SSL certificate issued by a commercial CA. The HTTPS connection request from the employee desktop to the web server is redirected to the proxy server, which establishes the secured tunnel with the web server. The proxy server dynamically issues a MITM certificate and establishes a second secure tunnel with the employee desktop. In this manner, the proxy server can interrogate all inbound packets for malware and all outbound packets for sensitive data. Next, we look at three related issues for using MITM certificates: the server X.500 common name (CN), the proxy CN, and the proxy notification to the client and the server.

Server common name

From an industry perspective, the current practice is for the proxy server to also be the MITM root CA that dynamically generates a different MITM certificate using the server common name (CN). The MITM root CA takes the server SSL certificate issued by the commercial CA, substitutes a new public key, and resigns the certificate, essentially forging an SSL certificate for the legitimate server. Since the employee desktop has both the commercial root CA certificate and the MITM root CA certificate, either SSL certificate validates; however, only the commercial-root-CA-issued certificate is legally legitimate. There are several commercial products that provide MITM services.

There are several issues with using the common name of the web server in the MITM certificate.

• The employee may be unaware that there is MITM monitoring. The employer can notify the employee of its monitoring policy, provide a warning per MITM connection, and even offer an option to discontinue the web connection. However, by reusing the server common name the browser does not recognize the difference between the two SSL certificates. Thus, personal information may inadvertently be accessible by the employer. For example, if the employee accesses online banking, then personal or other sensitive information may be disclosed.

• The server is unaware that there is MITM monitoring. The proxy server plays the role of the client such that the server is not aware that its tunnel has been terminated before it reaches the actual employee desktop. Thus, sensitive data intended for the employee is accessible by the employer. For example, if the web service is for credit card payments then the primary account number is disclosed, which is likely non-compliant with the Payment Card Industry (PCI) requirements.

• The browser may be unaware that there is a MITM certificate. Since the certificate common name matches the server URL, the browser does not reject the certificate. Note that some browsers support the option to disable certificate address mismatch.

If the server provides an extended validation (EV) certificate, the proxy server uses the EV certificate but the client does not. The client uses the MITM certificate, which per the CAB Forum program cannot be an EV certificate, as the CA must pass both a WebTrust for CA and a WebTrust for EV audit before its root CA certificate is accepted as an EV root CA. Thus, the employee's browser "green bar" does not appear despite the fact that the server is using an EV certificate.


Proxy common name

An alternate approach to forging MITM certificates is a proxy certificate. The HTTPS connection is still redirected to the proxy server, the server still establishes its secure tunnel with the proxy server, but the proxy server establishes a secondary tunnel to the employee desktop using a proxy certificate. The proxy certificate contains the common name of the proxy server with no imitation of any web servers, and in fact a single SSL certificate can be used by the proxy server. Benefits of this approach include the following:

• The proxy certificate does not need to be generated dynamically, and therefore can be a customary component of an organization's conventional PKI.

• The proxy server no longer needs to include the MITM root CA, and can in fact use a regular SSL certificate.

• The proxy server or desktop can provide a warning to the employee regarding the MITM monitoring and allow the employee to opt out depending on whether the web server is business or personal related.

However, the web server is still unaware that there is MITM monitoring.

Proxy notification

The missing component from MITM monitoring seems to be notification. The SSL/TLS protocol connection end only recognizes "client" or "server" as end entities. If "proxy" or "MITM" were added as an optional end entity, the server or the browser could decide whether to allow or disallow the secured connection. Further, the browser could likewise query the user as to whether he were willing to accept a monitored, secured session. In this manner, either endpoint, the employee or the server, can proactively assess the relative risk and determine whether the session can continue with MITM monitoring, or terminate the session.

PKI cryptonomics

Similar to other fields of study, cryptography has its own unique "laws" and knowledge areas based on mathematics, symmetric cryptography, and asymmetric cryptography. Thus we use the term "cryptonomics" to embrace all things related to cryptography [30]. PKI has its own relatively unique domains that include not only cryptography, but also legal obligations and operational issues for certificate management, typically codified in certificate policies and certificate practice statements (CPS). PKI even has its own industry standards [22, 23, 25] and auditing standards [26, 27] recognized worldwide. Thus we coin the term "PKI cryptonomics" to capture all things PKI.

So the obvious question becomes, how bad is the PKI cryptonomics? Are these isolated incidents, or just the ones publicly known that represent the tip of an iceberg [13, 16]? The Electronic Frontier Foundation (EFF) runs the SSL Observatory project [18] to investigate the certificates used to secure all of the web sites encrypted with Hypertext Transfer Protocol Secure (HTTPS) [17]. Technically, HTTPS is not a standards-based protocol; rather it is the result of layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol. An analysis of CRL samples taken in June 2011 showed 55 certificates revoked due to CA compromise, and four months later in October showed 248 certificates revoked due to CA compromise, an increase of over 350%. The number of certificates revoked due to key compromise, presumably by the SSL server, was 59,527 in June and 73,345 in October, a comparable increase of only 23%. Clearly a CA compromise affects a larger population than an individual key compromise [19, 20].

The problem is severe enough that the National Institute of Standards and Technology (NIST) Information Technology Lab (ITL) issued a bulletin in 2012, Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance [12]:

"In 2011, several public certification authorities were attacked, and at least two attacks resulted in the successful issuance of fraudulent certificates by the attackers… These recent attacks on CAs make it imperative that organizations ensure they are using secure CAs and must also be prepared to respond to a CA compromise or issuance of a fraudulent certificate."

The NIST bulletin attack list includes impersonation, RA compromise, CA system compromise, and CA signing key compromise as the top four risks. The bulletin recommends preventive measures for internal and external CAs to follow security best practices, while at the same time preparing for a CA compromise as another security incident with monitoring and an incident response plan.

A corollary question is: what other CA or certificate vulnerabilities might an adversary attack? The same SSL Observatory project [20] and Peter Gutmann at the RSA 2011 Conference [21] have pointed out that certificates have cryptographic, syntax, or semantic errors, yet applications, including browsers, often overlook such errors and accept erroneous certificates. Gutmann demonstrated so-called valid certificates that had missing or invalid names, missing serial numbers, invalid dates, invalid public keys, and other erroneous fields. Yet browsers and PKI-savvy applications, including freeware, accepted invalid certificates. And even if the certificate is recognized to be invalid, many applications including browsers offer the user the option to continue to the website. Thus, the cryptography of PKI is not necessarily at risk, but the operational aspects of certificate issuance and processing are at risk and vulnerable to manipulation or zero-day attacks, just like any other information technology. Further, organizations are now manipulating PKI certificates internally in ways that affect external parties. I would suggest that none of these issues were foreseen by the original "PKI forefathers" and certainly are not addressed by the current PKI-related standards.

Security best practices include ANSI, ISO, and auditing standards. However, these standards can be enhanced to address many of these issues. This is not to say that there are not other


PKI topics that need addressing, including the limitations of extended validation (EV) certificates [27]; however, we cannot address every issue in this article. Suffice it to say that updating PKI-related security standards is a necessary step towards realigning the industry to better products and practices.

One of the first PKI security standards was ANSI X9.57 Certificate Management [22], which was later translated to ISO 15782 [24]. Another standard was ANSI X9.79 PKI Policy and Practices Framework [23], which was also internationalized to ISO 21188 [26]. The X9.79 security criteria was also adopted by the American Institute for Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) and published as Webtrust for CA [26, 28]. Later the CA Browser Forum was established, which published the Webtrust for EV certificates [27]. The ISO Technical Committee 68 Financial Services plans to merge the ISO 15782 and ISO 21188 standards. The Accredited Standard Committee (ASC) X9 is both the TC68 secretariat and US technical advisory group (TAG) to TC68, and is preparing USA comments to ISO. In particular, the X9F4 Cryptographic Protocol and Application Security workgroup is reviewing the existing ANSI and ISO security standards, the Webtrust for CA and EV auditing standards, and industry PKI issues to develop the USA comments to ISO.

Readers interested in participating can visit www.x9.org to see if their organizations are members of X9 to join the X9F4 workgroup efforts, and directly influence the ISO work on PKI standards.

References

1. The SSL Protocol, Netscape Corporation, 1997.
2. The Transport Layer Security (TLS) Protocol Version 1.0, IETF Network Working Group RFC 2246, 1999.
3. The Transport Layer Security (TLS) Protocol Version 1.1, IETF Network Working Group RFC 4346, 2006.
4. The Transport Layer Security (TLS) Protocol Version 1.2, IETF Network Working Group RFC 5246, 2008.
5. The Transport Layer Security (TLS) Protocol Version 1.3, IETF Network Working Group RFC 5746, 2010.
6. Federal Information Processing Standard (FIPS) Publication 140-2 Security Requirements For Cryptographic Modules, 2001.
7. Federal Information Processing Standard (FIPS) Publication 198-1 The Keyed-Hash Message Authentication Code (HMAC), 2007.
8. Comodo Blogs, The Recent RA Compromise, http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/.
9. Wikipedia – DigiNotar, http://en.wikipedia.org/wiki/DigiNotar.
10. Vasco Announces Bankruptcy Filing by DigiNotar B.V., September 20, 2011, http://www.vasco.com/company/about_vasco/press_room/news_archive/2011/news_vasco_announces_bankruptcy_filing_by_diginotar_bv.aspx.
11. Wikipedia – GlobalSign, http://en.wikipedia.org/wiki/GlobalSign.
12. NIST ITL Bulletin, Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance, 2012.
13. Digital Certificates, Paul Roberts, Dark Readings, November 2012.
14. Chrome, Firefox, IE to block fraudulent digital certificate, Network World, 01/04/2013, http://www.networkworld.com/community/blog/chrome-firefox-ie-block-fraudulent-digital-certificate?source=NWWNLE_nlt_security_2013-01-07.
15. ThreatPost, The Kaspersky Lab News Service, TURKTRUST Officials Say No Evidence of Malice in Certificate Incident, January 7, 2013, http://threatpost.com/en_us/blogs/turktrust-officials-say-no-evidence-malice-certificate-incident-010713.
16. Slashdot, Four CAs Have Been Compromised Since June, October 28, 2011, http://tech.slashdot.org/story/11/10/28/1954201/four-cas-have-been-compromised-since-june.
17. Electronic Frontier Foundation, How secure is HTTPS today? How often is it attacked?, Peter Eckersley, October 25, 2011, https://www.eff.org/deeplinks/2011/10/how-secure-https-today.
18. Electronic Frontier Foundation, SSL Observatory, https://www.eff.org/observatory.
19. An Observatory for the SSLiverse, SSL Observatory, Peter Eckersley, Jesse Burns, Defcon 18, July 2010, https://www.eff.org/files/DefconSSLiverse.pdf.
20. The (Decentralized) SSL Observatory, USENIX Security 2011, Peter Eckersley, Jesse Burns, http://static.usenix.org/events/sec11/tech/slides/eckersley.pdf.
21. PKI: Lemon Markets and Lemonade, RSA Conference 2011, Peter Gutmann, www.cs.auckland.ac.nz/~pgut001/pubs/rsa2011.pdf.
22. American National Standard X9.57 Certificate Management, 1997, www.x9.org.
23. American National Standard X9.79 PKI Policy and Practices Framework, 2001, www.x9.org.
24. ISO 15782 Certificate Management, 2001, www.iso.org.
25. ISO 21188 PKI Policy and Practices Framework, 2006, www.iso.org.
26. AICPA/CICA Webtrust Program for Certification Authorities, 2000.
27. Webtrust for Certification Authorities – Extended Validation Audit Criteria v1.1, CA/Browser Forum, CICA, 2008.
28. PKI Note: CA Trust, Jeff Stapleton, PKI Forum, 2001.
29. Threat Post, The Kaspersky Lab Security News Service, CA StartSSL Compromised, But Says Certificates Not Affected, June 21, 2011, https://threatpost.com/en_us/blogs/ca-startssl-compromised-says-certificates-not-affected-062111.
30. Neal Stephenson, Cryptonomicon, Avon Books, Harper-Collins-Publisher, ISBN 0-06-051280-6.

About the Author

Jeff Stapleton has over 25 years experience in the cryptography, security, and financial industries. He has participated in developing dozens of ISO and X9 American National Standards for information security for over 20 years and is chair of the X9F4 working group that develops standards for cryptographic protocols and application security. He has been an ISSA member for many years. You can reach him at [email protected].
