Wednesday, November 11, 2015

Bad news for encryption security, PKI certificate revocation

While one group of researchers reported that certificate revocation -- a fundamental feature of public key infrastructure security -- was almost completely dysfunctional, and just as open source encryption project GnuPG announced two new features to make its personal encryption program safer and easier to use, another research group reported that modern personal encryption software was virtually unusable by ordinary people.
And the one big cryptography success story this week was not good news: Dark Web vendors have been reported to be offering malware packages that include Stuxnet-style code signing certificates for signing malicious code, thus making it virtually undetectable.

Revoked certificates widely used, rarely verified

Researchers from Northeastern University in Boston, the University of Maryland, Duke University in Durham, N.C., and Stanford University in Stanford, Calif., reported that "a surprisingly large fraction (8%) of the certificates served" on live Internet Web servers have been revoked, which was bad enough, but they also found that most browsers don't check certificate revocation status, "including mobile browsers, which uniformly never check."
They wrote: "This uncertainty leads to a chicken-and-egg problem: Administrators argue that they need not revoke because clients rarely check, while clients argue they need not check because administrators rarely revoke."
Apple, Adobe and the U.S. government were found to be using revoked certificates; of the browsers tested for certificate verification, Internet Explorer 11 was the best at verifying certificates, while none of the mobile browsers correctly tested or validated TLS certificates.
The group also published research last year on the effects of the Heartbleed vulnerability, which it suggested was the reason many of the certificates found had been revoked.
The researchers found that certificate revocation lists (CRLs) "impose significant bandwidth and latency overhead on clients: The median certificate has a CRL of 51 KB, and some certificates have CRLs up to 76 MB in size."
One possible route to better distribution of certificate revocation is via the Online Certificate Status Protocol (OCSP), which allows clients to query the status of one digital certificate at a time, thus reducing the overhead of frequent CRL updates.
However, the researchers found that "OCSP Stapling, which addresses many of the difficulties of obtaining revocation information, is not widely deployed: Only 3% of certificates are served by hosts supporting OCSP Stapling." Even when OCSP is used, there is still a performance issue, as it "requires the client to delay accepting the connection until the OCSP responder can be contacted."
Another troubling result: They discovered 18 nonrevocable, top-level certificate authority (CA) certificates that can be used to issue trusted certificates for any domain. "Being unable to revoke a CA certificate is particularly worrisome, as possessing a CA certificate's private key allows one to generate certificates for any Internet domain -- and private keys for CA certificates have been inappropriately given out multiple times in the past."
They concluded: "Overall, our results paint a bleak picture of the ability to effectively revoke certificates today." However, they also note that there are ways to improve significantly in the near term, including by using an improved method for constructing certificate revocation lists to make them smaller, and thus, less of an issue for Web browsing performance.

GnuPG introduces a new trust model, DANE support for key distribution

Meanwhile, open source encryption project GnuPG introduced a new trust model, Trust on First Use (TOFU), which does what it says: It trusts that the key belongs to who says it belongs to the first time it encounters that key. The downside of this model is that there is no guarantee as far as the identity of the key holder; the only thing a recipient can trust is that the key is associated with the key's source. The new feature will ship in the next release of GnuPG and will be turned off by default.



Also newly implemented from GnuPG is support for DNS-Based Authentication of Named Entities (DANE), a protocol that uses "the DNSSEC infrastructure to store and sign keys and certificates that are used by TLS." According to GnuPG, "The basic idea is that users publish their keys in the Secure DNS. Then, when someone is looking up a key, they simply use DNS to find it."
DANE is implemented in the current release of GnuPG.

But even modern PGP is practically unusable for most users

Researchers at Brigham Young University in Provo, Utah, published Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client, in which they reported that "modern [Pretty Good Privacy] PGP tools are still unusable for the masses."
The 20 participants, grouped into 10 pairs, attempted to exchange encrypted email using the highly rated Mailvelope browser extension front end for PGP; only one pair -- the one with the single PGP-experienced user in the group -- was able to exchange encrypted messages in the time allotted to the task.
None of the participant teams were able to encrypt without making some egregious errors -- such as revealing secrets or encrypting with a public key rather than private key. And even the successful team needed the maximum time allotted, one hour, to complete the task -- and they also stumbled before succeeding.

Yet, not entirely bad for everyone

One place the public key infrastructure is working: the dark side. InfoArmor Inc., based in Scottsdale, Ariz., identified a new trend: underground malware vendors selling digital certificates for code signing. InfoArmor reported that the GovRAT malware includes the ability to take malware binaries and sign them with apparently valid digital certificates to defeat antivirus and other malware detection methods.
InfoArmor wrote, "Signed binary code is interpreted as potentially trusted and verified software, which allows it to slide under the radar of antiviruses and proactive defense systems." This technique is similar to that used for the Stuxnet worm and in the Sony attack, and previously had been associated with "state-sponsored cyberattacks."
InfoArmor reported that Dark Web vendors were offering authentic code signing certificates from CAs, including Thawte and Comodo for as little as $600. For the budget-conscious attacker, Dark Web vendors offered code signing of individual malware files for as little as $60.

No comments:

Post a Comment