COMPUTER RESEARCH & TECHNOLOGY
In what one of the world's leading Internet security experts terms "crimes of the century", another major digital identity theft has occurred. On March 22 Microsoft warned computer users that someone posing as a company executive had tricked VeriSign Inc., a major provider of digital signatures, into issuing fraudulent electronic certificates in Microsoft's name. This highlights once again the very tricky nature of ensuring trust on the Internet.

What's wrong with the digital identities in this case?

A certificate authority, VeriSign, erroneously issued two digital certificates to a person who claimed to be a Microsoft employee. The certificates say that the owner of the certificate is Microsoft, when in fact this is not the case.

What is the actual problem?

Software virus writers or other vandals trying to trick unsuspecting users into running or downloading hostile programs onto their computers could use the false identity documents to mislead them into doing so. These hostile programs can be delivered as e-mail attachments or be received on visits to Web pages. As a note of further caution, similar certificates issued by companies like VeriSign are also used in creating secure Internet transactions with commercial Web sites, in sending secure and authentic e-mail, and in related applications. It would seem this is a case where Microsoft trusted VeriSign. Obviously these trust issues are fairly slippery, because we, the consumers, don't understand that when we trust Microsoft we are actually trusting VeriSign's certification procedures.

What is a digital certificate?

To answer that question, we first need a little understanding of cryptography. Cryptography is the science of converting information between its normal, readable state (called plaintext) and a state in which the information is obscured or scrambled for transmission.
Encryption is like enclosing information in an opaque envelope; decryption is removing it from the envelope. Signing is similar to physically signing a document and initialling each section to show that no portion of the document has changed. Verifying a signature is roughly equivalent to matching the signature against a "signature on file" card and confirming that no portion of the document has changed. Certificates are signed documents that bind a public key to the identity of the holder of the matching private key.
In the method known as public key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is a tamperproof piece of data that packages a public key together with information about it: who owns it, what it can be used for, when it expires, and so forth. VeriSign, as well as other companies, issues digital certificates to prove an identity in a digital era where commerce is increasingly transacted anonymously over computer networks. They are intended to assure computer users that Web sites and software are who and what they say they are. But what ensures these "keys" really belong to the person listed on the digital certificate? Digital certificates are generated, and themselves digitally signed, by organisations known as certificate authorities. It's the job of a certificate authority to verify the identity of the person requesting a digital certificate before issuing one to them.

How did we find out about the theft?

Officials of VeriSign took responsibility for issuing the fraudulent digital certificates on Jan. 30 and 31 via an automatic Internet-based system. Strangely, no reason has been forthcoming from either of the two companies as to why there was such a long delay in going public. Mahi Desilva, vice president and general manager for applied trust services at VeriSign, claimed this was "a failure of the human part of our verification process". He said that the company discovered the fraud at a later point in its verification process and then notified both Microsoft and the Federal Bureau of Investigation.
Microsoft has urged people to be on the alert for programs that display a security warning on their screen asking if they want to install and run a particular program distributed by Microsoft and verified by VeriSign.

What should we be on the lookout for?

Microsoft says that computer users should look for programs that display digital signatures dated Jan. 29 and 30, because no genuine Microsoft certificates were issued on those dates.

Are these stolen digital identities out in the wild?

VeriSign says that, based on a digital time-stamping process used to complete the certification, it does not believe that the false certificates have been used, but quickly adds that it has no way of being certain of that because of a particular procedure that allowed the certificates to be employed in a test mode. Both Microsoft and VeriSign stressed that they had no evidence that the illicit certificates had been used to date. Once again they quickly cautioned, however, that they had only a limited ability to be certain of that in any way whatsoever.

So what is being done to control the situation?

Information on the VeriSign Web site shows that one of the certificates was revoked on March 9 and the second on March 12. However, in a bizarre turn of events, an automatic procedure for revoking digital certificates that had originally been added to some versions of Microsoft's software had been turned off by the company because of what are called incompatibility issues. These incompatibilities are still not resolved. Microsoft said the company was working on a security patch that would detect the illicit certificates, but that it would not issue it for a week or two because it was still being tested. A Microsoft security official said the company had decided to publicise the potential threat so that computer users could be vigilant for an attack. He stated, "One of the reasons we went public was to reduce the value of these certificates".
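The following is an added illustration, not code from the original article nor from VeriSign or Microsoft. It models, in Python, the three ideas the article describes: a certificate authority signing a certificate that binds a public key to a subject name, a relying party verifying that signature before trusting a signed program, and the two defences the article mentions once a certificate has been wrongly issued (the issuer's revocation list, and the rule of distrusting certificates dated on the days when no genuine ones were issued). The RSA keys use tiny constructed primes with no padding so the sign/verify structure stays readable; it is a teaching toy, not a secure implementation. All names, dates and the "setup.exe" bytes are constructed for the example.

```python
"""Toy certificate authority, certificate checks, and revocation (added example)."""
import hashlib
from dataclasses import dataclass, replace
from datetime import date


def toy_keypair(p, q, e=17):
    """Textbook RSA with constructed small primes (real keys are 2048+ bits)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def digest(data: bytes, n: int) -> int:
    # Hash first, then reduce so the value fits the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str        # who the CA says owns the key
    public_key: tuple   # the key being certified
    issuer: str         # the CA vouching for the binding
    not_before: date    # issue date / start of validity
    not_after: date
    signature: int = 0  # CA's signature over all fields above

    def to_be_signed(self) -> bytes:
        return (f"{self.serial}|{self.subject}|{self.public_key}|{self.issuer}|"
                f"{self.not_before}|{self.not_after}").encode()


class CertificateAuthority:
    def __init__(self, name, p, q):
        self.name = name
        self.public_key, self._private_key = toy_keypair(p, q)
        self._next_serial = 1
        self.revoked = set()  # serials on the CA's revocation list (CRL)

    def issue(self, subject, subject_public_key, not_before, not_after):
        # Nothing here checks that the requester really is `subject`; that
        # identity check is the human step the article says failed.
        unsigned = Certificate(self._next_serial, subject, subject_public_key,
                               self.name, not_before, not_after)
        self._next_serial += 1
        return replace(unsigned, signature=sign(self._private_key, unsigned.to_be_signed()))

    def revoke(self, cert):
        self.revoked.add(cert.serial)


def check_certificate(cert, trusted_ca, today, suspicious_dates=frozenset()):
    """Reasons a relying party should reject `cert` (empty list = accept)."""
    problems = []
    if cert.issuer != trusted_ca.name or not verify(
            trusted_ca.public_key, cert.to_be_signed(), cert.signature):
        problems.append("issuer signature does not verify")
    if not (cert.not_before <= today <= cert.not_after):
        problems.append("outside validity period")
    if cert.serial in trusted_ca.revoked:
        problems.append("revoked by issuer")
    if cert.not_before in suspicious_dates:
        problems.append("issue date flagged as suspicious")
    return problems


def check_signed_program(program, program_sig, cert, trusted_ca, today, suspicious=frozenset()):
    """Certificate must be acceptable AND the program signature must verify under its key."""
    problems = check_certificate(cert, trusted_ca, today, suspicious)
    if not verify(cert.public_key, program, program_sig):
        problems.append("program signature does not verify")
    return problems


def scenario():
    """Constructed scenario mirroring the incident; returns the check results."""
    ca = CertificateAuthority("VeriSign (toy)", p=61, q=53)
    today = date(2001, 3, 22)
    suspicious = frozenset({date(2001, 1, 29), date(2001, 1, 30)})
    ms_pub, ms_priv = toy_keypair(67, 71)            # genuine subject's own keys
    genuine = ca.issue("Microsoft Corporation", ms_pub, date(2000, 6, 1), date(2002, 6, 1))
    imp_pub, imp_priv = toy_keypair(73, 79)          # impostor's keys, CA tricked on the name
    fraud = ca.issue("Microsoft Corporation", imp_pub, date(2001, 1, 30), date(2002, 1, 30))
    program = b"setup.exe contents (constructed)"
    results = {
        "genuine": check_signed_program(program, sign(ms_priv, program), genuine, ca, today, suspicious),
        # The CA really signed it, so the signature check alone cannot catch the fraud.
        "fraud_before_revocation": check_signed_program(program, sign(imp_priv, program), fraud, ca, today, suspicious),
    }
    ca.revoke(fraud)  # what the issuer did on March 9 / March 12
    results["fraud_after_revocation"] = check_certificate(fraud, ca, today, suspicious)
    # A self-signed forgery that never involved the CA fails immediately.
    forged = replace(fraud, issuer="Impostor CA (toy)", signature=sign(imp_priv, fraud.to_be_signed()))
    results["self_signed_forgery"] = check_certificate(forged, ca, today, suspicious)
    return results


if __name__ == "__main__":
    for name, problems in scenario().items():
        print(f"{name}: {'ACCEPT' if not problems else problems}")
```

The point the scenario makes is the one the article makes: the fraudulent certificate is cryptographically perfect, because the authority genuinely signed it, so only the authority's revocation list or a date-based rule of thumb lets a user's software reject it. That is also why the disabled automatic revocation check in the software matters as much as the CA's mistake.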
Arthur Hissey
ETOPICS
Keep up to date with the latest in the IT/Communications industry by listening to ABC Local Radio on FM107.1, every Tuesday morning at 9.15AM. Computer Research & Technology Managing Director Arthur Hissey and Morning Host Janice McGilchrist will be discussing current matters of interest and future directions in the IT industry. Transcripts of these discussions and other topics are available.