Do Not Blindly Trust Keys and the Encrypted Tunnels They Create

January 4, 2017 | Nick Hunter

Recently the Department of Homeland Security and FBI released a joint analysis report (JAR) that provides the details of methodologies used to compromise and exploit sensitive data related to the U.S. election, as well as a range of U.S. Government, political, and private sector entities. That this attack could occur in a nation where critical infrastructure standards are so well defined highlights the need for increased scrutiny—in this case for encryption assets, such as digital keys and cryptographic certificates. 

The techniques used by adversaries to infiltrate the victims’ infrastructure for these election attacks are not unique. They are certainly not revolutionary. And these kinds of attacks will continue to remain undetected anywhere that encrypted traffic is natively trusted and minimally inspected. The problem is even more likely to occur when the associated private keys are not scrutinized and protected.

How can we prevent an attack of this severity from happening again? We can learn from physical attacks of a similar nature. Take the example of a bank robbery where no one saw the robber. How was the bank robbed? The criminals may have dug a tunnel underground and come up through the floor of the vault. Lately there has been a lot of talk about building walls to protect borders, but a wall cannot protect against a tunnel that runs from a church in Mexico to a warehouse in California. Defenders face essentially the same problem with attacks that hijack encryption.

Tunneling is used on the internet to communicate via SSL/TLS and SSH. These tunnels are natively trusted because their “identities” are linked to known certificates. When we natively trust a tunnel, we assume the certificate presented belongs to the trusted actor, and therefore we trust whatever that actor does within the tunnel. In the case shown in the diagram below, the espionage adversaries didn’t have to use “trusted” keys and certificates at all. They used their own unique private keys, which were accepted as trusted, to establish an encrypted session, or “tunnel”. Once that trust was established and the tunnel was set up, they could carry out their attack and remain undetected.

[Diagram: adversary establishes an encrypted tunnel using its own private keys (image004.png)]

If the unique rogue keys had been discovered, it would have indicated a possible attack. But that discovery would have required the organization to have the complete visibility that would identify keys that were not trusted or were installed in a location (or locations) they shouldn’t be. Because the organizations that were attacked did not have this intelligence, they were unable to locate this illegitimate tunnel, and the malicious actor remained free to perform the attack and steal data through the tunnel.

As encryption becomes more widely used and more tunnels exist, every organization will need complete control and visibility over all the keys and certificates that enable them. The only way to verify that our tunnels are legitimate is to have real-time intelligence that can identify which tunnels can truly be trusted, where they are trusted to exist, and, most importantly, exactly who is using them.
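As an added illustration of the inventory-driven check this post calls for (example code written for this page, not Venafi's product or the author's own material): a small Python audit that fingerprints SSH authorized_keys entries gathered from hosts and flags keys absent from an approved inventory, as well as approved keys sitting on a host or account they are not allowed on. The key material, host names and inventory are constructed; the same idea applies to TLS certificates keyed by their fingerprints.

```python
import base64
import hashlib

# Constructed sample key lines (not real keys): the base64 blob is arbitrary
# bytes, which is enough to exercise parsing, fingerprinting and the audit.
def _blob(label: str) -> str:
    return base64.b64encode(b"constructed-key-" + label.encode()).decode()

KEY_DEPLOY = "ssh-ed25519 " + _blob("deploy") + " deploy@ci"
KEY_BACKUP = "ssh-ed25519 " + _blob("backup") + " backup@nas"
KEY_ROGUE = "ssh-ed25519 " + _blob("rogue") + " someone@nowhere"

def fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a plain 'type blob [comment]' line."""
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line")
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Approved inventory: fingerprint -> (host, account) locations where that key
# is authorised to exist. Constructed for this example.
APPROVED = {
    fingerprint(KEY_DEPLOY): {("web-01", "deploy"), ("web-02", "deploy")},
    fingerprint(KEY_BACKUP): {("nas-01", "backup")},
}

def audit(observed, approved=APPROVED):
    """observed: iterable of (host, account, authorized_keys contents).
    Returns (kind, host, account, fp) for keys absent from the inventory
    ('unknown_key') or found where not expected ('unexpected_location')."""
    findings = []
    for host, account, text in observed:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and comments carry no key
            fp = fingerprint(line)
            if fp not in approved:
                findings.append(("unknown_key", host, account, fp))
            elif (host, account) not in approved[fp]:
                findings.append(("unexpected_location", host, account, fp))
    return findings

# Constructed snapshot of authorized_keys contents gathered from three hosts.
OBSERVED = [
    ("web-01", "deploy", KEY_DEPLOY + "\n"),
    ("web-02", "deploy", KEY_DEPLOY + "\n" + KEY_ROGUE + "\n"),
    ("db-01", "root", "# managed by config tool\n" + KEY_BACKUP + "\n"),
]
```

Running `audit(OBSERVED)` reports the rogue key on web-02 and the backup key that has turned up on db-01's root account; either finding is the kind of signal the post says the attacked organizations lacked.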

About the author

Nick Hunter

Nick Hunter writes for Venafi's blog and is an expert in machine identity protection.
