Sep 232013

What happens if an attacker compromises your root private key?

SSL certificates are used to authenticate clients and servers and to provide a means of securely sharing a secret key which is then used to encrypt communication between the server and client.

In order to do this, you have to have a level of trust in the body which issues the certificates; the Certification Authority or CA.

The way this works in practice is that you place the Root Certificate of the Certification Authority in your ‘Trusted Root Certification Authorities’ store on your computer. This says ‘I trust all certificates signed by the private key associated with this certificate’. Since the private key is only known by the Certification Authority, any certificate signed with the key must have been issued by the authority, and passed all the checks as defined in their CPS (Certification Practice Statement).

Once the infrastructure is in place, the flow is as follows:

SSL flow

Over complicated diagram showing keys and certificates.

  1. The client connects to the web server and requests a secure connection.
  2. The web server sends its certificate which includes a public key.
  3. The client verifies the certificate by checking the name matches the site name, that it has not expired (or been revoked) and that it is signed by a trusted authority.
  4. The client chooses a symmetric encryption key and encrypts it with the public key from the certificate. This is sent to the server
  5. The server decrypts the message with its private key. The browser and web server now share a symmetric key which is unknown to anyone else. This key is used to encrypt all communication for the rest of the session.

The security of the above transaction relies on the private key being stored securely by the web server. If someone had access to that key, they could decrypt the message containing the secret symmetric session key and therefor read all the encrypted messages which follow during that session. However, its unlikely that the owner of the web server would allow the key to leave the server. If an attacker managed to compromise the server to such an extent that he had access to the key, he would have full control of the server and would be able to access the communication anyway. If a government requested the key through legal means, they would be able to read all the communication but, again, they would get much more information by just requesting full access to the server.

So everything is nice and safe as long as the private key is kept secure. (There are, of course, other problems if, for example, there is malware on either end, but I’m ignoring that here).

So, what happens if someone gets access to the Certification Authority’s Private Key either by compromising their key store or by demanding it via legal channels?

Having the root private key would still not allow the attacker to intercept the symmetric key as it is encrypted using the public/private keypair generated by the web server, and the private key is still only known by the web server. It would, however, allow the attacker to create his own certificate and sign it with the Root CA private key. This would mean that it is trusted by the client computer and it would be very difficult to tell it apart from the genuine server certificate.

The attacker can now perform a ‘Man-in-the-middle’ (MITM) attack to capture all the traffic between the client and server. He does this by posing as the web server and authenticating with the client. The client now sends the symmetric key to the attacker encrypted with the attacker’s public key. The attacker decrypts the key and sets up a secure connection with the client. At the same time, the attacker connects to the genuine site and poses as the client. The attacker acts as a proxy between the client and server and can read both sides of the communication. Further, the attacker can change the information from either side. Say, for example, you think you are connected to your bank and you check your balance. The attacker can report the correct balance, but in the background could transfer all your money into his own account. If he needs any extra passwords, or a two-factor authentication, he can prompt you for those details and, if its convincing enough, you may be fooled into providing what he needs.