Study finds five in 17 Certificate Authorities vulnerable to IP fragmentation attack

Presentations at Black Hat Europe last week gave contrasting views on the state of cryptography on the web.

Hackers are unlikely to find it easy to break elliptic curve crypto, but according to a separate study they might well be able to subvert the trustworthiness of popular commercially-used Certificate Authorities (CAs).

Five of the 17 CAs sampled were vulnerable to an IP fragmentation attack, according to Elias Heftrig of the Fraunhofer Institute for Secure Information Technology, one of the researchers who carried out the study.

CAs that use Domain Validation (DV) to authenticate domain ownership were targeted and probed for weaknesses.

“The attack exploits DNS Cache Poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the attacker's public key to a victim domain,” the researchers explained.

A paper (PDF) put together by the computer scientists who carried out the study further explains the issues they uncovered alongside suggestions for mitigation and remediation.

On a different front, security researchers have uncovered shortcomings in real-world elliptic curve crypto implementations on the web.

However, the results didn’t turn up anything so severe that it would allow them to force clients to use weaker (breakable) crypto.

The finding came from passive internet-wide scans for TLS on a large number of ports, as well as Secure Shell (SSH) and IPsec, in a series of tests designed to gauge elliptic curve support and implementation behaviors.

The two researchers – Luke Valenta, a PhD student at the University of Pennsylvania, and Nick Sullivan, head of cryptography at Cloudflare – also carried out “active measurements to estimate server vulnerability to known attacks against elliptic curve implementations, including support for weak curves, invalid curve attacks, and curve twist attacks”.

Around “0.77% of HTTPS hosts, 0.04% of SSH hosts, and 4.04% of IKEv2 hosts that support elliptic curves do not perform curve validity checks as specified in elliptic curve standards”.

Such vulnerabilities could in theory be used to carry out an elliptic curve parameter downgrade attack against TLS known as CurveSwap.

In practice, the researchers were unable to exploit these weak behaviors to mount a CurveSwap attack.

There are much easier ways for a nation-state to attack systems than by attempting to downgrade elliptic curve connections, Valenta told The Daily Swig.

He added that there might still be insecure (badly configured) servers out there, so the possibility is not wholly out of scope.

After the scanning, the two researchers went on to examine the source code for elliptic curve implementations.

They found instances where libraries fail to perform point validation for JSON Web Encryption, as well as some coding shortcomings in multiplication algorithms.
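The curve validity check that the scanned hosts skipped, and that the JSON Web Encryption libraries above omit for received points, is the defence against invalid curve attacks: a peer's public point must be shown to lie on the expected curve before it is used in a key agreement. The following is an added example, not code from the article or from the researchers' paper, that implements the full public-key validation steps of SEC 1 §3.2.2.1 and NIST SP 800-56A for NIST P-256 (the curve constants are the published secp256r1 domain parameters) and shows a toy ECDH routine refusing a constructed off-curve point. The private scalars and the invalid points in `main` are constructed for illustration.

```python
# Added example: public-key validation for NIST P-256 as required by
# SEC 1 / SP 800-56A. Not the scanned implementations' code.

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

INFINITY = None  # the point at infinity (group identity)


def on_curve(pt):
    """True when pt satisfies y^2 = x^3 + ax + b over GF(p)."""
    if pt is INFINITY:
        return True
    x, y = pt
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def point_add(p1, p2):
    """Affine group law on the curve (handles doubling and inverses)."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P256_P == 0:
        return INFINITY  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication k*pt (educational, not constant-time)."""
    result = INFINITY
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def validate_public_point(pt):
    """Full public-key validation. Returns (ok, reason).

    Steps: not the identity, coordinates inside the field, point on the
    curve, and point in the prime-order subgroup (n*Q == O). P-256 has
    cofactor 1, so the last step is redundant but shows the general form.
    """
    if pt is INFINITY:
        return False, "point at infinity"
    x, y = pt
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False, "coordinate out of field range"
    if not on_curve(pt):
        return False, "point not on curve"
    if scalar_mult(P256_N, pt) is not INFINITY:
        return False, "wrong order"
    return True, "ok"


def ecdh_shared_secret(private_scalar, peer_public):
    """Toy ECDH: validate the peer's point first, then return the x-coordinate
    of private_scalar * peer_public. Raises ValueError on an invalid point, so a
    crafted small-order or off-curve point is never multiplied by the private key."""
    ok, reason = validate_public_point(peer_public)
    if not ok:
        raise ValueError("rejected peer public key: " + reason)
    shared = scalar_mult(private_scalar, peer_public)
    return shared[0]


def main():
    # Constructed private scalars for the two parties.
    alice_priv, bob_priv = 12345, 67890
    alice_pub = scalar_mult(alice_priv, P256_G)
    bob_pub = scalar_mult(bob_priv, P256_G)
    print("shared secrets agree:",
          ecdh_shared_secret(alice_priv, bob_pub) == ecdh_shared_secret(bob_priv, alice_pub))
    # Constructed invalid point: generator x with y+1 is not on the curve.
    bad_point = (P256_G[0], P256_G[1] + 1)
    print("off-curve point:", validate_public_point(bad_point))
    try:
        ecdh_shared_secret(alice_priv, bad_point)
    except ValueError as exc:
        print(exc)


if __name__ == "__main__":
    main()
```

An implementation that skips `validate_public_point` and multiplies whatever point arrives is exactly the behaviour the scans flagged: the scalar multiplication then runs on a curve the attacker chose rather than the one negotiated, which is the starting point of an invalid curve attack.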

A white paper based on the research can be found here (PDF).