Off-Path Attacks Against PKI

Presented at Black Hat Europe 2018, Dec. 6, 2018, 4 p.m. (25 minutes)

The security of Internet-based applications fundamentally relies on the trustworthiness of Certificate Authorities (CAs). We practically demonstrate for the first time that even a very weak attacker, namely an off-path attacker, can effectively subvert the trustworthiness of popular commercially used CAs. Our attack targets CAs which use Domain Validation (DV) for authenticating domain ownership; collectively these CAs control 99% of the certificates market. The attack exploits DNS Cache Poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own -- namely, certificates binding the attacker's public key to a victim domain.

We discuss short- and long-term defences, but argue that they fall short of securing DV. To mitigate the threats we propose Domain Validation++ (DV++). DV++ replaces the need for cryptography with assumptions from distributed systems. While retaining the benefits of DV (automation, efficiency and low costs), DV++ is secure even against Man-in-the-Middle (MitM) attackers. Deployment of DV++ is simple and does not require changing the existing infrastructure or systems of the CAs. We demonstrate the security of DV++ under realistic assumptions and provide open source access to our DV++ implementation.


Presenters:

  • Elias Heftrig - Security Researcher, Fraunhofer Institute for Secure Information Technology SIT
    Elias Heftrig is an IT Security Researcher at Fraunhofer Institute for Secure Information Technology SIT. He explores Internet Security with a focus on DNS infrastructure and caches.
  • Haya Shulman - Dr., Fraunhofer Institute for Secure Information Technology SIT
    Haya Shulman is the director of the cybersecurity and analytics division at Fraunhofer SIT. Before that, she was a network security research group leader in the European Center for Security and Privacy by Design (EC-SPRIDE) and earlier a postdoctoral researcher in EC-SPRIDE. Her research interests are in network and cyber security, focusing on attacks and on devising countermeasures. Haya conducted her Ph.D. with Prof. Dr. Amir Herzberg, with a thesis in network security. In 2011 and 2013 she received the 'Checkpoint Institute for Information Security (CPIIS)' awards, in 2013 she received the Feder prize for her research in communication technologies, and in 2013 and 2014 ICANN research fellowships. In 2014 Haya received the Bar-Ilan University Rector prize for her achievements in research, and in 2015 she was awarded an IETF/IRTF Applied Networking Research Prize.