Offpath Attacks Against PKI

Presented at DeepSec 2018 „I like to mov &6974,%bx“, Unknown date/time (Unknown duration)

The security of Internet-based applications fundamentally rely on the trustworthiness of Certificate Authorities (CAs). We practically demonstrate for the first time that even a very weak off-path attacker can effectively subvert the trustworthiness of popular and commercially used CAs. Our attack targets CAs which use Domain Validation (DV) for authenticating domain ownership; collectively these CAs control 99% of the certificate market. The attack exploits DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains that the attacker does not own. Namely, certificates binding the attacker's public key to victim domain.

Our work is the first to weaponise DNS cache poisoning and to apply it to circumvent security of a critical PKI system.

Presenters:

• Markus Brandt - Fraunhofer Institute for Secure Information Technology SIT
  Markus Brandt is a researcher in the field of cybersecurity and presented his work at top tier academical conferences. Mr Brandt has 30 years of programming experience and is an established hacker and security researcher. His main interests lie in network security (attack and defense), including routing and naming systems, Internet infrastructure, software security and reverse engineering, new and emerging paradigms like IoT, and he also likes breaking cryptography. Mr Brandt is involved with different industry and research activities, mentors groups in a cybersecurity accelerator, and teaches at TU Darmstadt.

Links:

• https://deepsec.net/archive/2018.deepsec.net/speaker.html#PSLOT395

Similar Presentations:

• VB2016 / Trusted code signing abuse by malware and their exploitation of the CA verification process (sponsor presentation)
• DEF CON 26 (2018) / Lost and Found Certificates: dealing with residual certificates for pre-owned domains
• Black Hat Europe 2018 / Off-Path Attacks Against PKI