Security of the PKI ecosystem
Public Key Infrastructure (PKI) is the backbone of trust for many systems on the Internet. One of the most common uses of PKI is the HTTPS protocol, which provides security, authenticated connectivity to web pages.
When a user visits an HTTPS site, the web server presents its certificate, which is designed to prove the identity of the website. This proof is based on a chain of trust stretching back to a trusted root certificate authority (CA). If the chain of trust and root CA are both secure and trusted, then the authenticity of the website can be trusted as well.
Security assumptions of PKI
Public key infrastructure does its job well, but it’s a fragile system built on assumptions. The two main security assumptions that PKI is built on are that the chain of trust is secure and that root CAs are trustworthy.
Chain of trust
Digital certificates are designed to implement a chain of trust. Each certificate in the chain is digitally signed by the certificate above it all the way up to the root CA, which signs its own certificate. These digital signatures indicate that the identity of the owner of each certificate in the chain has been verified by the owner of the one above.
This system makes two major assumptions:
- Digital Signatures Are Valid: Digital signatures are cryptographic algorithms, and cryptographic algorithms occasionally are broken. A few years ago, the SHA-1 hash algorithm, which was commonly used in digital certificates, was shown to be insecure. This prompted a slow transition over to SHA-256 where certificates that lagged behind may have been vulnerable to impersonation.
- CAs Do Their Jobs: Each intermediate CA in the chain of trust is responsible for verifying the authenticity of any certificate that they sign. If a CA fails to do so or loses control over the keys that they use for signing certificates, then invalid but trusted certificates could be created.
Historically, the cryptographic algorithms that digital certificates are based on have been broken and CAs have failed to do their job, These violations of the core assumptions of PKI put the security and integrity of the chain of trust in jeopardy.
Trust in root CAs
Each link in PKI’s chain of trust is verified by the link above. However, root CAs are at the top of the chain with no-one to verify their authenticity. Computers trust certain root CAs by default, but the system has several potential weak points:
- Root CAs Can Misbehave: Root CAs are trusted implicitly, and the assumption is that they properly validate every certificate that they issue. However, some root CAs are closely connected to governments (opening them up to being influenced), and root CAs have issued misleading certificates in the past.
- Root CA Keys Can Be Stolen: A root CA’s private keys can be used to sign any digital certificate. If these keys are stolen, an attacker can make valid digital certificates for any domain that they wish. This happened to DigiNotar, a Dutch CA.
- Root CA Lists Can Be Changed: A computer has a list of root CAs that it trusts implicitly, but this list can be easily modified. While many companies take advantage of this to perform SSL interception, it can also be abused by an attacker.
The security of the PKI ecosystem relies on the trustworthiness of the root CAs. A chain of trust based on an untrustworthy root CA can be verifiable but malicious.
PKI is central to how trust works in the modern Internet. However, it is a fragile system. PKI is based on a series of assumptions that are easily broken, which causes the entire system to fall apart.
Websites Are Still Using Insecure SHA-1 Certificates
Nope, this isn’t the HTTPS-validated Stripe website
Final Report on DigiNotar Hack