I haven't seen anything about how they carried out the attack.  Did they actually get inside and execute commands to generate certs?

I seem to recall that with Comodo, the attackers duped the RA into accepting their request, but I don't know more than that.  There are two obvious ways of doing it.  One is to guess/hack the password to the account for XYZ_inc, and then request the cert.  The other is to open up a new account claiming to be for the target and fool whatever vetting procedures they have in place.  I have been through that to get a code signing cert from Thawte, but I forget the details.  I think that when you open the account you give the CA your company DUNS, and based on this, the CA calls the company to check on the request (I think) and the requestor.  Then they deliver the password to the requestor via email.  If I have recalled this correctly, this is not very strong authentication, considering the significance of the cert.  A combination of a stooge in the company, and/or hijacked email could defeat it.

Anyone know how the DigiNotar attackers did it?
