RSA Keys Quality in a Real-world Organizational Certificate Dataset: a Practical Outlook

Authors

Abstract

This research investigates the intricacies of X.509 certificates within a comprehensive corporate infrastructure. For over two decades, the examined enterprise has depended heavily on its internal certificate authority and Public Key Infrastructure (PKI) to uphold the security of its data and systems. Given the broad application of these certificates, from personal identification on smart cards to device and workstation authentication via Trusted Platform Modules (TPM), our study seeks to address a pertinent question: how prevalent are weak RSA keys within such a vast internal certificate repository? Previous research focused primarily on key sets publicly accessible from TLS and SSH servers or PGP key repositories. In contrast, our investigation provides insights into the private domain of an enterprise, introducing new dimensions to this problem. Among our considerations are the trustworthiness of hardware and software solutions in generating keys and the consequential implications of identified vulnerabilities for organizational risk management. The obtained results can contribute to enhancing security strategies in enterprises.

Author Biographies

Konrad Kamiński, Orange Polska S.A., Warsaw University of Technology

Security Technology Development and Transformation in Orange Polska

Faculty of Electronics and Information Technology in Warsaw University of Technology

Wojciech Mazurczyk, Warsaw University of Technology

Faculty of Electronics and Information Technology

Published

2023-10-28

Issue

Section

Cryptography and Cybersecurity