Threats to Certificate Services

When you deploy Certificate Services, threats exist to CAs on the network. These include the following:

  • Compromise of a CA's key pair

  • Attacks against servers hosting certificate revocation lists (CRLs) and CA certificates

  • Attempts to modify the CA configuration

  • Attempts to modify certificate template permissions

  • Attacks that disable CRL checking

  • Addition of nontrusted CAs to the trusted root CA store

  • Issuance of fraudulent certificates

  • Publication of false certificates to the Active Directory directory service

Compromise of a CA's Key Pair

If attackers can gain access to a CA's private key, they can build a replica of the CA and issue network-valid certificates. You must protect all the CA's private and public key pairs so that attackers cannot gain access. The keys can be protected by monitoring membership in groups that have access to the private key material and implementing hardware solutions that remove the private key material from the physical computer hosting Certificate Services.

Attacks Against Servers Hosting CRLs and CA Certificates

If an application or service performs CRL checking, the application or service must validate the certificate to ensure that the certificate is not revoked. If an attacker can prevent access to the servers hosting the CRLs or CA certificates, a client will not be able to validate presented certificates. If an application cannot determine the revocation status of a presented certificate, the application might prevent access to the user or computer presenting the certificate.

Attempts to Modify the CA Configuration

If an attacker can gain local administrator access to the computer running Certificate Services, the attacker can modify the CA configuration. This modification can include altering URLs for CRL publication, revoking legitimate certificates, and issuing certificates to nonvalid computers or users.

Attempts to Modify Certificate Template Permissions

If attackers gain Enterprise Admins-level access, they can modify certificate template permissions in the CN=Certificate Templates, CN=Public Key Services, CN=Services, CN=Configuration, CN=ForestName container (where ForestName is the LDAP distinguished name of the forest root domain). Modifying permissions might enable an attacker to enroll a certificate that provides excess permissions (such as an Enrollment Agent certificate), thereby permitting the attacker to request certificates on behalf of other users.

Attacks that Disable CRL Checking

Attackers might attempt to turn off revocation checking for an application. If CRL checking is turned off, the application does not determine whether a presented certificate is revoked. A certificate revocation invalidates the certificate before its validity period has expired. Common reasons for revoking a certificate include compromised private keys and terminated users.

Addition of Nontrusted CAs to the Trusted Root CA Store

If attackers can publish a nontrusted CA certificate to the trusted root store, all certificates that chain to that trusted root CA certificate are considered trusted. A certificate that chains to a trusted root CA certificate is trusted for any and all purposes, thereby allowing attackers to create their own trusted certificates. Alternatively, if attackers can create a certificate trust list (CTL), which is a list of CA certificates that are not issued by your company's CA hierarchy but are trusted for specific purposes and periods of time, they can use a certificate issued by CAs on your network.

Issuance of Fraudulent Certificates

Before the creation of the 329115 hotfix, "Certificate Validation Flaw Might Permit Identity Spoofing," it was technically possible for attackers to sign certificates with their own user certificates. This created a false certificate chain that included a certificate that was not issued by a CA in the CA hierarchy but was still trusted. This type of attack worked because Windows 2000 did not enforce basic constraints. Basic constraints ensure that only CAs can issue certificates and prevent a user or computer certificate from signing another user or computer certificate.
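One way to audit for the condition that basic constraints prevent, as an added PowerShell example that is not from the book: it builds each certificate's chain with the .NET X509Chain class and reports every issuer in the chain, marking those that lack CA=TRUE or exceed their path length constraint. The function name Test-IssuerBasicConstraints and the choice of the CurrentUser\My store are assumptions made for illustration.

```powershell
# Added example: report issuers in a certificate chain that are not marked as CAs.
function Test-IssuerBasicConstraints {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Revocation is a separate control; this audit looks only at issuer constraints.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($Certificate)   # elements are populated even if the build fails

        # Windows' own verdict for the chain as a whole.
        $flagged = @($chain.ChainStatus | ForEach-Object { $_.Status }) -contains
            [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::InvalidBasicConstraints

        # Element 0 is the end-entity certificate; each later element signed the one before it.
        $elements = @($chain.ChainElements)
        for ($i = 1; $i -lt $elements.Count; $i++) {
            $issuer = $elements[$i].Certificate
            $bc = $issuer.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            } | Select-Object -First 1

            # A missing extension means the certificate never claimed to be a CA.
            # (Old X.509 v1 roots carry no extensions; review a finding on the last element separately.)
            $isCa = ($null -ne $bc) -and $bc.CertificateAuthority

            # pathLenConstraint limits how many intermediate CAs may sit below this issuer.
            $intermediatesBelow = $i - 1
            $pathOk = (-not $isCa) -or (-not $bc.HasPathLengthConstraint) -or
                      ($bc.PathLengthConstraint -ge $intermediatesBelow)

            [pscustomobject]@{
                Leaf                  = $Certificate.Subject
                Issuer                = $issuer.Subject
                IssuerThumbprint      = $issuer.Thumbprint
                IssuerIsCA            = $isCa
                PathLengthOk          = $pathOk
                WindowsFlagsBasicCons = $flagged
            }
        }
    }
}

# Show only the issuers that should not have been able to sign anything.
Get-ChildItem Cert:\CurrentUser\My | Test-IssuerBasicConstraints |
    Where-Object { -not $_.IssuerIsCA -or -not $_.PathLengthOk }
```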

Publication of False Certificates to Active Directory

If an attacker gains administrative access to a user account in Active Directory, the attacker can add a certificate to the properties of the user's account. The attacker can use this certificate to authenticate as that user without providing a password. If an attacker holds the private key associated with the certificate, he can perform any action permitted for that user.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189