Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

Editor’s Note: Attached below is a Bulletin from NIST’s Information Technology Laboratory. The Executive Summary of the Bulletin is printed below.

From: NIST

As the use of Public Key Infrastructure (PKI) and digital certificates (e.g., the use of Transport Layer Security [TLS] and Secure Sockets Layer [SSL]) for the security of systems has increased, the certification authorities (CAs) that issue certificates have increasingly become targets for sophisticated cyber-attacks. In 2011, several public certification authorities were attacked, and at least two attacks resulted in the successful issuance of fraudulent certificates by the attackers. An attacker who breaches a CA to generate and obtain fraudulent certificates does so to launch further attacks against other organizations or individuals. An attacker can also use fraudulent certificates to authenticate as another individual or system or to forge digital signatures.

These recent attacks on CAs make it imperative that organizations ensure they are using secure CAs and that they are prepared to respond to a CA compromise or to the issuance of a fraudulent certificate. Responding to a CA compromise may require replacing all user or device certificates or trust anchors. If an organization has not prepared an inventory of certificate locations and owners, it will not be able to respond in a timely manner and may suffer significant interruption of its operations for an extended period. This document provides an overview of CA compromise and fraudulent certificate issuance scenarios and recommends steps for preparing for and responding to these incidents.

Many organizations have certificates issued from an external CA, and some organizations operate their own CAs. Nearly all organizations have users and/or systems that establish security using certificates belonging to the parties with whom they communicate. Since many of today’s applications are sold with installed trust anchors that users may not be aware of or explicitly trust, anyone may be at risk if one of those CAs is compromised. Therefore, this bulletin is aimed at all users and organizations that use or rely on public key certificates.
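As an added example (not part of the NIST bulletin or of this post), the following Go program shows the two preparation steps the summary leans on: keeping an inventory of certificate locations and owners, and knowing which certificates stop verifying once a compromised trust anchor is removed. It builds its own throwaway CAs and certificates in memory with Go's standard crypto/x509 package; the CA names, host paths and owner teams are constructed sample data, and Affected, BuildSample, issue and sign are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InventoryEntry is one row of the inventory the bulletin calls for.
type InventoryEntry struct {
	Location string // hypothetical deployment location (host and file path)
	Owner    string // team responsible for getting the certificate reissued
	Cert     *x509.Certificate
}

// sign generates a key for tmpl and signs with parentKey (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // constructed test data, so any failure is fatal
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed trust anchor (a stand-in for a real CA).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issue has the given CA sign a TLS server certificate for dnsName.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, serial int64) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// Affected drops the compromised anchor from the trust store and returns every
// entry whose certificate no longer chains: the ones that must be replaced.
// A nil compromised anchor removes nothing and serves as the baseline check.
func Affected(inv []InventoryEntry, trusted []*x509.Certificate, compromised *x509.Certificate) []InventoryEntry {
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		if compromised != nil && ca.Equal(compromised) {
			continue // the trust-anchor removal step
		}
		roots.AddCert(ca)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	var out []InventoryEntry
	for _, e := range inv {
		if _, err := e.Cert.Verify(opts); err != nil {
			out = append(out, e)
		}
	}
	return out
}

// BuildSample constructs the scenario: an external CA that is later compromised
// and an internal CA that is not. Names, paths and owners are all made up.
func BuildSample() (inv []InventoryEntry, trusted []*x509.Certificate, compromised *x509.Certificate) {
	extCA, extKey := newCA("Example External CA")
	intCA, intKey := newCA("Example Internal CA")
	inv = []InventoryEntry{
		{"www.example.test:/etc/ssl/certs/www.pem", "web-team", issue(extCA, extKey, "www.example.test", 100)},
		{"mail.example.test:/etc/ssl/certs/mail.pem", "messaging", issue(extCA, extKey, "mail.example.test", 101)},
		{"intranet.example.test:/etc/ssl/certs/intranet.pem", "it-ops", issue(intCA, intKey, "intranet.example.test", 200)},
	}
	return inv, []*x509.Certificate{extCA, intCA}, extCA
}

func main() {
	inv, trusted, compromised := BuildSample()
	fmt.Println("certificates to replace after removing anchor:", compromised.Subject.CommonName)
	for _, e := range Affected(inv, trusted, compromised) {
		fmt.Printf("  %-50s owner=%s serial=%s\n", e.Location, e.Owner, e.Cert.SerialNumber)
	}
}
```

Running it lists the two certificates that chain to the removed anchor, each with its owner, while the certificate issued by the internal CA still verifies and is left alone. In a real deployment the inventory rows would come from a scan of hosts and key stores rather than from BuildSample, and the same check can be repeated against each trust store an organization ships to its users.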
