Security of the PKI ecosystem
Public Key Infrastructure (PKI) is the backbone of trust for many systems on the Internet. One of the most common uses of PKI is the HTTPS protocol, which provides security, authenticated connectivity to web pages.
When a user visits an HTTPS site, the web server presents its certificate, which is designed to prove the identity of the website. This proof is based on a chain of trust stretching back to a trusted root certificate authority (CA). If the chain of trust and root CA are both secure and trusted, then the authenticity of the website can be trusted as well.
Learn Applied Cryptography
Security assumptions of PKI
Public key infrastructure does its job well, but it’s a fragile system built on assumptions. The two main security assumptions that PKI is built on are that the chain of trust is secure and that root CAs are trustworthy.
Chain of trust
Digital certificates are designed to implement a chain of trust. Each certificate in the chain is digitally signed by the certificate above it all the way up to the root CA, which signs its own certificate. These digital signatures indicate that the identity of the owner of each certificate in the chain has been verified by the owner of the one above.
This system makes two major assumptions:
- Digital Signatures Are Valid: Digital signatures are cryptographic algorithms, and cryptographic algorithms occasionally are broken. A few years ago, the SHA-1 hash algorithm, which was commonly used in digital certificates, was shown to be insecure. This prompted a slow transition over to SHA-256 where certificates that lagged behind may have been vulnerable to impersonation.
- CAs Do Their Jobs: Each intermediate CA in the chain of trust is responsible for verifying the authenticity of any certificate that they sign. If a CA fails to do so or loses control over the keys that they use for signing certificates, then invalid but trusted certificates could be created.
Historically, the cryptographic algorithms that digital certificates are based on have been broken and CAs have failed to do their job, These violations of the core assumptions of PKI put the security and integrity of the chain of trust in jeopardy.
Trust in root CAs
Each link in PKI’s chain of trust is verified by the link above. However, root CAs are at the top of the chain with no-one to verify their authenticity. Computers trust certain root CAs by default, but the system has several potential weak points:
- Root CAs Can Misbehave: Root CAs are trusted implicitly, and the assumption is that they properly validate every certificate that they issue. However, some root CAs are closely connected to governments (opening them up to being influenced), and root CAs have issued misleading certificates in the past.
- Root CA Keys Can Be Stolen: A root CA’s private keys can be used to sign any digital certificate. If these keys are stolen, an attacker can make valid digital certificates for any domain that they wish. This happened to DigiNotar, a Dutch CA.
- Root CA Lists Can Be Changed: A computer has a list of root CAs that it trusts implicitly, but this list can be easily modified. While many companies take advantage of this to perform SSL interception, it can also be abused by an attacker.
The security of the PKI ecosystem relies on the trustworthiness of the root CAs. A chain of trust based on an untrustworthy root CA can be verifiable but malicious.
Learn Applied Cryptography
Conclusion
PKI is central to how trust works in the modern Internet. However, it is a fragile system. PKI is based on a series of assumptions that are easily broken, which causes the entire system to fall apart.
Sources
Websites Are Still Using Insecure SHA-1 Certificates
Learn applied cryptography and cryptanalysis
What you'll learn:
- Cryptography fundamentals
- Public key infrastructure
- Blockchain technology
- SSL and TLS
- And more
In this Series
- Security of the PKI ecosystem
- How does hashing work: Examples and video walkthrough
- How does encryption work? Examples and video walkthrough
- Planning for post-quantum cryptography: Impact, challenges and next steps
- Beginner’s guide to the basics of data encryption
- Structures of cryptography
- Role of digital signatures in asymmetric cryptography
- What is homomorphic encryption?
- Encryption and etcd: The key to securing Kubernetes
- Quantum cyberattacks: Preparing your organization for the unknown
- An Introduction to asymmetric vs symmetric cryptography
- Breaking misused stream ciphers
- Entropy calculations
- Blockchain and asymmetric cryptography
- Elliptic curve cryptography
- Methods for attacking full disk encryption
- Introduction to Public Key Infrastructure (PKI)
- Introduction to the TLS/SSL cryptography protocol
- Introduction to Diffie-Hellman Key Exchange
- Introduction to the Rivest-Shamir-Adleman (RSA) encryption algorithm
- Introduction to full disk encryption
- 8 reasons you may not want to use VPNs
- Rivest Cipher 4 (RC4)
- Understanding stream ciphers in cryptography
- Cryptography Errors
- Understanding block ciphers in cryptography
- How to mitigate Credential Management Vulnerabilities
- How To Exploit Credential Management Vulnerabilities
- Poor Credential Management
- How Is Cryptography Used In Applications?
- Decrypting Downloaded Files
- Introduction to hash functions
- Introduction to Asymmetric Cryptography
- The Advanced Encryption Standard (AES)
- Fundamentals of symmetric and asymmetric cryptography
- Case Studies in Poor Password Management
- The ultimate guide to encryption key management
- Principles of cryptography
- Encryption vs Encoding
- Introduction to Cryptanalysis
- Secure Credential Management
- Introduction to Blockchain
- Blockchain Technology
- Virtual Private Networks (VPNs)
- Public Key Infrastructure: Architecture & Security
- Hash Functions
- Asymmetric Cryptography
- Fundamentals of Cryptography
- Symmetric Cryptography
- Introduction to cryptography
- Best tools to perform steganography [updated 2020]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
