[cryptography] [SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Sep 5 23:07:48 EDT 2011


[As a general response, rather than retype a whole pile of stuff yet again,
 I'm going to answer some of these by reference, which also allows me to go
 into more detail and include diagrams.  Sorry about this level of
 indirection, but it does make it a lot easier to explain the problems fully].

Gervase Markham <gerv at mozilla.org> writes:
>On 04/09/11 07:15, Peter Gutmann wrote:
>> Blacklist-based validity checking, the Second Dumbest Idea in Computer
>> Security (Marcus Ranum), doesn't work:
>>
>>   Diginotar issued certs for which there was no record of issuance, therefore
>>   they couldn't be revoked.  Whitelist-based checking would have prevented
>>   this.
>
>Surely OCSP is whitelist-based checking? (I can't imagine engineering an OCSP
>server which, when asked about a certificate for which it had no record, said
>"Fine, no problem!")

No, and yes, respectively.  See "Problems with OCSP" on page 527 of
http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf.

>I would disagree that _this_ makes the entire system as weak as its weakest
>link. It only makes systems which choose to interlink in any way as weak as
>the weakest link.

But browser PKI already is interlinked, via universal implicit cross-
certification (as I said).  Thus, any CA can usurp any other CA.  See
"Certificate Chains" on page 512 of the above ref.

>This is true, but I'm not sure it's particularly relevant. (Who claims that
>HSMs are magic pixie dust?)

CAs, when they issue a press release saying "everything's OK, we never lost
control of our private key"?  Some European countries also seem to have a
near-fixation on smart cards for certificate use when they really only
contribute epsilon to the overall security.  The point is that security is
more than just an HSM or smart card.

>> Lack of breach disclosure requirements for CAs means that they'll cover
>> problems up if they can get away with it:
>
>Do you think that remains true? Comodo didn't cover their problems up,

They did, it only got public attention when it was reverse-engineered out of
patches (and the browser vendors helped them in this).  See the earlier
discussion of this on this list.

>and are still in business.

Because they've crossed the magic too-big-to-fail threshold.  AIG is also
still in business.

>What sort of "trivial checks" are you suggesting?

See "Security through Diversity" on p.239, same ref as before.  I'm also doing
a talk on this at EuroPKI next week (the timing is purely a coincidence, I'd
planned the talk six months ago but I think it was very kind of Diginotar to
help turn a general talk on security into something quite topical).  See
http://www.cosic.esat.kuleuven.be/europki2011/, I'll also put the slides
online after the talk (they're actually up now, but I haven't publicly linked
to them yet).

>I think there are definitely searching questions to ask of DigiNotar's
>auditors.

I read in a comment in a Dutch news article that it was PWC, but haven't seen
it confirmed yet.

>Patches welcome? (Or did we reject them already? :-)

Yes.  Nelson Bolyard said, in response to several requests for this, that they
(PSK mechanisms like -PSK and -SRP) would never be included in NSS.  I can dig
up the original message if required.

Peter.



More information about the cryptography mailing list