Public key infrastructure (PKI) is an excellent technology to help users certify that the people or companies they are corresponding with are who they say they are. It has proven itself invaluable in e-commerce among other areas. As with any technology, however, it is not without its own security risks. Eliana Stavrou discusses these risks, and ways to minimize them.
Each issuing authority usually maintains a list containing the serial number of all the digital certificates that have been cancelled due to various reasons i.e. compromised private keys or changes in the information contained on the digital certificate. This list is called the CRL (Certification Revocation List) and the process of verifying whether a digital certificate has been cancelled is called revocation checking.
The risk related to the CRL is concerned with the availability of the list. Assume that the private key of Bob is compromised by Trudy the intruder. Bob has detected the compromise and asked the issuing authority to revoke his certificate and issue him another one. The issuing authority revokes Bob’s digital certificate and places it in the CRL. Then, due to a virus infection, the issuing authority and its services become unavailable. In the meanwhile, Trudy the intruder has sent a digitally signed message to Alice, pretending to be Bob, asking her ID number because he will send her a present. When Alice receives the signed message, her email program, if configured appropriately, will try to verify the status of the digital certificate. Since the CRL is currently not available to any end entity, Alice’s email program could not verify the certificate, even though it has been revoked. This would lead to the acceptance of the certificate as valid. Thus:
digital signatures are wrongly viewed as valid, and
confidentiality has been compromised without the knowledge of sender or recipient.
Alice is excited about her present, so she emails her ID number to Bob, and the message that is intercepted by Trudy the intruder for her own nefarious purposes.
How to minimize the risk: The responsibility of minimizing the risk associated with the CRL availability depends entirely on the issuing authority. Thus, the issuing authority must maintain a strong and secure architecture to avoid security breaches, and a comprehensive fail-over plan that provides a secondary infrastructure to maintain availability of services in the case of a failure of the primary infrastructure.
