PKI - Breaking the Yellow Lock
Richard Forno, 2002-02-13

PKI provides Web users with a false sense of security that undermines the security of their on-line information.

Before I start this week's column, I thought that I would update some information on my last column, Software Licensing: the Hidden Threat to Information Security, in which I discussed some potential hidden vulnerabilities that software licenses may create for users. Since that article went on-line, we've seen the State of New York sue Network Associates over its software licensing provisions (for more detailed information, see the article "Network Associates is Sued Over Review Ban"); it has been revealed that the anti-piracy feature of Microsoft Office X presents an application denial-of-service opportunity for Macintosh systems running the product (see the SecurityFocus vulnerability description); and it has become public knowledge that Windows XP has some unique 'Redmond controls your system' clauses (see Ed Foster's column Check the Fine Print on InfoWorld.com).

This month, I'm going to share some thoughts about Public Key Infrastructure (PKI) and some of the issues surrounding this technology. For readers who may not be familiar with PKI and how it is relevant to them: it is a public and private cryptographic key pair (for more information on public and private keys, see the SecurityFocus article Introduction to Encryption) that is obtained and shared through a trusted authority. This key pair enables users of the Internet to securely and privately exchange data and money. Without getting into too much detail, PKI is the foundation technology that makes SSL (Secure Sockets Layer) possible. SSL is, essentially, the little yellow lock that appears on Web browsers, signifying that the Web session is ostensibly secure. Users may not know that the lock is there because of PKI, but seeing it makes them feel more comfortable on-line. As such, they continue to shop, bank, and communicate, safe in the knowledge that the yellow lock means their session is secure from all but the most prying of eyes. The problem is, they AREN'T secure.
This is a fundamental problem with how PKI is deployed by the industry. And it's something the PKI vendors such as VeriSign, Entrust, and others don't want to discuss publicly, since it's their profit that may be at stake. The appearance of the yellow lock may do users more harm than good, as it may give on-line shoppers a false sense of security and false confidence to disclose their personal information in an inherently insecure environment. While there are numerous problems with the technology, let's consider two of the primary concerns with PKI as it is currently deployed.

The Myth of the Yellow Lock

As mentioned earlier, people assume that the yellow lock on the browser indicates that their e-commerce session is totally secure. This is a misconception. In reality, all the lock indicates is that the Web-based Internet link between the browser and the Web server is encrypted to prevent data sniffing. While PKI ensures that the initial transmission of information across the Internet is encrypted, in subsequent steps ("behind the Web server") the customer's personal information may be communicated in clear text, so that anyone who has access to it can read it. Nothing guarantees the security of that information as it gets bandied about the e-commerce site, moving from the Web server to the payment server to the order fulfillment server to the customer relations management server to the Oracle database, and so forth. Even worse, many commercial sites store this information in unencrypted databases and in clear-text queues waiting for credit card authorization to occur! Thus, anyone with access to the site's data center, or even a network drop on the right section of the network, could quite easily deploy a laptop and sniff customer information from these unencrypted data streams. Worse yet, an unscrupulous system administrator could simply and manually copy these unencrypted data queues from a legitimate account on such systems.
The effectiveness of PKI as a sole security solution is questionable at best. In addition to providing encryption across the Internet, PKI should be used by commercial sites to enable all systems involved with customer transactions to authenticate to each other prior to exchanging encrypted information, including active, third-party authentication of the certificates and of the servers presenting them. This would allow PKI to serve as a more effective 'defense in depth' layer, and help prevent man-in-the-middle interception attacks and data sniffing.

Humans Are Still the Weakest Link – Good-bye!

PKI technology relies on digital certificates that are used to authenticate the identity of individuals or organizations on the Web. Unfortunately, PKI vendors seem to believe that generating certificates requires security measures equivalent to those required to launch a nuclear missile. As a result, they build vault-like rooms with biometric devices, video surveillance, and cipher locks, and only enter the room in two-person teams to perform key generation. Sounds secure, right? Wrong. While the process (and facility) used to physically generate a certificate is generally secure, the old programming adage "garbage in, garbage out" comes to mind. In March 2001, it was reported that virus writers had obtained illicit digital certificates that could potentially be used to authenticate malicious code as legitimate Microsoft software. According to the CNet news.com story, "a person using the VeriSign-issued certificates could post a virus on the Web that would appear to be from Microsoft but could actually be used to wipe out a person's hard drive." The certificate granting process had worked as intended; however, the virus writers were able to hijack the process by submitting fraudulent information on the application form. This incident highlighted a fundamental flaw in PKI technology: fraudulent information in, fraudulent certificate out.
The problem was that VeriSign required that the application for this particular certificate be witnessed (and, therefore, authenticated) by a notary public. For the uninitiated, notaries public simply verify that a signature on a document, such as VeriSign's certificate application, matches the identification that the bearer presents, such as a driver's license. The notary has no interest in the contents of the document; they simply confirm that the signature matches the government-issued identification presented to them. Needless to say, it's quite easy to obtain fraudulent driver's licenses to use as 'authentication' to get a false identity verified by an unsuspecting notary public. The value of a notary as a reliable way to authenticate digital certificate applicants is questionable. Yet it is the standard method of authentication for several PKI firms.

The incident described above shows that the problem lies not in the technology, but in the PKI vendor's ability to accurately verify the authenticity of a digital certificate holder with the necessary certainty. If one puts garbage into the PKI generation process, one gets garbage out: in this case, in the form of a certificate that is worthless as a means of ensuring security.

These are only two of the more substantial vulnerabilities associated with PKI. It is beyond the scope of this discussion to go into greater detail about the others, some of which include: the lack of real-time third-party authentication of certificates for each transaction; an environment in which certificates expire but signing certificates from PKI vendors don't; and the PKI industry's push to use PKI more for copy prevention, targeted marketing and "know-your-customer" programs than for end-to-end security for users. All of this is not to imply that PKI technology does not have its value: it does. It can serve as a valuable means of securing the personal information of on-line shoppers.
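The 'defense in depth' use proposed above, as an added example that is not part of the column: an in-house CA issues certificates to a payment service and to the Web tier, and the payment service completes a TLS handshake only with a peer that presents a certificate from that CA, so an unidentified system on the same network gets no session at all. The CA, service and caller names are constructed for the demo, and the code is standard-library Go, not anything from a PKI vendor.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue returns a certificate for cn signed by ca; with a nil ca it is self-signed and becomes the in-house CA.
func issue(cn string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: new(big.Int).SetBytes(pub[:16]), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca == nil, BasicConstraintsValid: true}
	if ca == nil { // no issuer given: self-sign
		ca, caKey = t, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// Demo: the payment service accepts only peers holding a cert from the in-house CA; it returns the name it verified for the web tier and "" for a caller with no cert.
func Demo() (webTier, anonymous string) {
	caCert, caKey := issue("in-house-ca", nil, nil)
	srvCert, srvKey := issue("payment-service", caCert, caKey)
	webCert, webKey := issue("web-tier", caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("X-Caller", r.TLS.PeerCertificates[0].Subject.CommonName) })) // the name the CA vouched for, nothing more
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // mutual auth: no CA-issued cert, no session
	srv.StartTLS()
	defer srv.Close()
	call := func(certs ...tls.Certificate) string { // "" when the service refuses the handshake
		cfg := &tls.Config{RootCAs: pool, ServerName: "payment-service", Certificates: certs} // the caller verifies the service too
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
		if err != nil {
			return ""
		}
		resp.Body.Close()
		return resp.Header.Get("X-Caller")
	}
	return call(tls.Certificate{Certificate: [][]byte{webCert.Raw}, PrivateKey: webKey}), call()
}
func main() { fmt.Println(Demo()) }
```

The handshake proves only that the in-house CA issued the presented name; how carefully the CA checked the applicant is a separate question, which is the point the notary discussion above makes.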
However, commercial sites and certificate granting authorities must do more to ensure that it is employed in the most effective way possible, and not simply as a subscription-based business model that offers little benefit for users. Until that happens, PKI technology will continue to be a half-measure, the implementation of which gives Web users a false sense of trust that jeopardizes their on-line security. In its current implementation, PKI may be a passable business model, but it is not an effective security tool. Today, the sole beneficiaries of PKI deployments are the PKI vendors. Until the various problems of providing 'trust' are remedied, PKI is more a marketing tool than an effective security tool.

Further Reading

Ten Risks of PKI: What You're Not Being Told about Public Key Infrastructure (Ellison and Schneier)
http://www.counterpane.com/pki-risks-ft.txt

PKI: A Question of Trust and Value (Forno and Feinbloom), Inside Risks 132, CACM 44, 6, June 2001
http://www.csl.sri.com/users/neumann/insiderisks.html#132

Microsoft Security Bulletin: Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
http://www.microsoft.com/technet/security/bulletin/ms01-017.asp?frame=true

Gartner Group Statement on VeriSign PKI Fakes
http://news.com.com/2009-1001-254676.html


Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.
Copyright 2008, SecurityFocus