Machine Identity part 2 – Certificates
If one could travel back in time, maybe ten years ago, and tell about how many devices we have today, many would not believe how the Internet works today for us, making everyday life easier, even relying on these technologies.
Among so many questions that people from that era (even us today) would ask about, possibly the most difficult to answer would be: With all this technology, are connections secure and free from unauthorized access?
For this question, we do not have a definitive answer yet. While we have a vastness of technologies that can provide us with security, we still fail to know how to apply and manage them, such as certificates.
In the first article, we explained what certificates are and the importance of machine identity. Certificates are an essential matter in access control and communication between machines, as it is the electronic “credentials” that allow the secure exchange of information.
These electronic “credentials” ensure access authenticity when devices need to transfer data to other devices, access the network, process data, and more. Even with such an important role, these certificates are often not managed correctly. They are shared between devices and applications and their responsibilities are not defined, not to mention they are often present in the system even when they have already expired.
Certificates – also called digital identities or public key certificates – are the usernames and passwords used by users and employees, but also used by machines to access a system, and therefore should be treated accordingly. Passwords cannot be shared, they are personal and non-transferable, and have a defined person in charge or holder who takes care of changing them when necessary or disabling them when they are no longer needed.
We can compare certificates with a passport or ID. The relevance and importance of these documents are such that in certain places one cannot enter without providing them or if they are expired, because they are the means to prove the authenticity of a person’s identity. The data included there is verified, the photo is compared with the appearance that the person has at the moment. These are all steps taken to authenticate the document and the person, and then authorize access.
These documents are generated and produced by trusted agencies, so when someone introduces themselves and says their name is one, but in their passport or ID there is another, of course, the trust that these documents have discredits the person’s statement. Machines are similar in this sense. When they first connect or establish a connection with one another, they rely on the certificate information they have to know each other and establish a “relationship” of trust.
These machine identities are so important in today’s organizational infrastructure and for the security of machine interaction that even cybercrime already exploits them to access environments and steal information. That is so true that stolen or falsified certificates are sold and shared on the dark web for prices ranging from $ 260 to $ 1,600 – more valuable than credit card information or DDoS attacks, according to research done by Venafi in 2018 and 2019.
In 2014, the Chinese group “APT 18“, also known as Wekby, was responsible for stealing hundreds of medical files from an American healthcare system by exploiting a bug (Heartbleed) that allows theft of keys and certificates to bypass security controls. In possession of credentials, even from machines, attackers gained access to the network and obtained the information they sought in the same way as ordinary user credentials are obtained.
As this is a subject that is still little explored and discussed, it is necessary to know some related terms that can help in understanding the concepts applied to digital identities and certificates, and thus being able to actually add them to an organization’s infrastructure and properly manage them.
Some key aspects of certificates used in an organization include:
- Certificate Authority (CA): A trusted and recognized public or private authority that issues certificates.
- A1 Certificates: Software-based certificates stored on the system or at the workstation itself.
- A3 Certificates: Certificates written to hardware (token or card).
- Root Certificates: These are basically certificates that legitimize other certificates. The certificates have a certification path that leads to the Certificate Authority (CA), so one can verify that the certificate comes from a trusted source. If one of the certificates in this path is not found, the certificate is considered insecure because its certificate authority was unable to be found. In short, the certificate available to the user has one or more intermediate certificates that lead to the CA-self-signed root certificate, which proves that the certificate was generated by a trusted institution and is authentic.
- Private Key: One of the keys of the asymmetric encryption key pair, which decrypts data or information encrypted by the corresponding public key.
- Public Key: One of the keys of the asymmetric encryption key pair, which encrypts data or information.
- Expiration: Certificates have an expiration date, otherwise they would be authentic and secure forever, which is impossible. Expired certificates can be a big problem when they are not renewed or changed on time, as a machine with an expired certificate can be unable to create connections, also preventing certain services and tasks from performing.
- Public Key Infrastructure (PKI): This is a series of methods and processes for managing certificates and their key pairs, as well as issuing, revoking, and maintaining certificates.
- Renewal: A little different from the idea behind the name, renewing a certificate does not extend the expiration date, but instead changes the expiring certificate for a new one that is exactly the same as the previous one.
- Revocation: When one no longer wishes to use a certain certificate, it can be revoked, which makes it invalid and unreliable even before its expiration.
- S/MIME: This type of certificate is commonly used to encrypt and authenticate the sending of emails. Applying a digital signature to outgoing messages, the sender’s public key is used to verify the authenticity of the signature, ensuring that the message actually came from the supposed source.
- TLS/SSL: This is a type of certificate that basically creates secure sessions on browser connections, which means it encrypts all traffic between the web server and the browser. It is visually identified when the browser displays the address bar in green or just a lock in the same color. However, it is important to notice that not all sessions with these characteristics can be considered authentic. It is up to the connecting client to validate the data presented by the certificate and to certify whether the website accessed is, in fact, true or a fake page, for example.
Understanding these concepts is critical to successfully applying certificates to organizations. In the next and last part (part 3) of this series of articles, we will cover how to manage the use of these certificates and how to mitigate attack-based threats that exploit certificate and key trust.
MIMOSO, Michael. APT Group Exploiting Hacking Team Flash Zero Day. 2015. Available at: https://threatpost.com/apt-group-exploiting-hacking-team-flash-zero-day/113715/.