Certificates for Authenticity, Authentification or both
03.05.2023 Certificates for authenticity, authentification or both? 1
Certificates for Authenticity, Authentification or both?
Wolfgang Voelker | Director Product [email protected]
Ruediger Kuegler | Security [email protected]
What are Certificates?
Sending a Signed Message (diagram)
Sender: Data -> CalculateHash -> CalculateSignature (with PrivateKey) -> Data + Signature are sent
Recipient: Data + Signature -> CalculateHash -> VerifySignature (with PublicKey) -> Yes / No
The Challenge!
How do I know that the public key is genuine?
The Solution
Certificates (Public Key Certificate, X.509)
A Certificate
Confirms the owner of a public key
Identity: person, company, IT system (e.g. a server)
Attributes
Signed by the issuer
Certificate (example)
Issued for: Common name (CN): Wolfgang Voelker; Company (O): WIBU-SYSTEMS AG; Business unit (OU): WOPS
Serial number: 1be10001000220613…
Public key: 0x15, 0x3c, 0xd0, 0x26, 0xd6, 0x71, 0xfa, 0xae, 0x20, 0xa6, 0x15, 0x58, 0xea, 0x3d, 0xdd, 0x36, 0x89, …
Issued by: Common name (CN): Root; Company (O): WIBU-SYSTEMS AG; …
Valid until: 31.12.2015
The next Challenge!
How do I know that the certificate is genuine?
The next Solution
The certificate is signed by the issuer.
(Validation through the public key of the issuer)
The… Challenge!
…?
The final Solution
I already know a root certificate from a certification authority.
(Root Certificate / Certificate Authority)
Examples of Root Certificates
Certificate Hierarchy (diagram)
Root Certificate (CN: Root)
-> intermediate certificates (CN: Inter 1, CN: Inter 2, CN: Inter 3)
-> end-entity certificates (CN: Wolfgang, CN: Daniel, CN: Marc, CN: Christian, CN: Ruediger, CN: Stefan)
Self-signed Certificates
Self-signed: no root certificate
Usually not accepted
Users have to trust the certificate manually
Certificate (example, self-signed: issuer and subject are the same)
Issued for: Common name (CN): Ruediger Kuegler; Company (O): WIBU-SYSTEMS AG; Business unit (OU): Professional Services
Serial number: 1be10001000220613…
Public key: 0x15, 0x3c, 0xd0, 0x26, 0xd6, 0x71, 0xfa, 0xae, 0x20, 0xa6, 0x15, 0x58, 0xea, 0x3d, 0xdd, 0x36, 0x89, …
Issued by: Common name (CN): Ruediger Kuegler; Company (O): WIBU-SYSTEMS AG; …
Valid until: 31.12.2015
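The chain-of-trust check from the preceding slides, as an added example that is not part of the original presentation: Go code using the standard library's crypto/x509 to build the Root -> Inter 2 -> Wolfgang hierarchy, then verify a proper chain, a self-signed leaf that no known root vouches for, and a leaf whose validity ended on 31.12.2015. The P-256 keys, the ten-year validity and the certificate names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn, signed by parent/parentKey; a nil parent makes it self-signed.
func newCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed demo key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	signer, signerKey := tmpl, key // issuer == subject unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted is the "final solution" of the slides: the leaf is accepted only if every
// signature up the chain verifies and the chain ends at a root the verifier already knows.
func trusted(leaf, root *x509.Certificate, inters ...*x509.Certificate) bool {
	roots, mid := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		mid.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mid,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil // also false when the leaf is outside its validity period
}

// DemoChain builds Root -> Inter 2 -> Wolfgang and checks that chain, a self-signed leaf and an expired leaf.
func DemoChain() (chainOK, selfSignedOK, expiredOK bool) {
	far := time.Now().AddDate(10, 0, 0)
	root, rootKey := newCert("Root", true, far, nil, nil)
	inter, interKey := newCert("Inter 2", true, far, root, rootKey)
	wolfgang, _ := newCert("Wolfgang", false, far, inter, interKey)
	self, _ := newCert("Ruediger Kuegler", false, far, nil, nil)
	old, _ := newCert("Stale", false, time.Date(2015, 12, 31, 0, 0, 0, 0, time.UTC), inter, interKey)
	return trusted(wolfgang, root, inter), trusted(self, root), trusted(old, root, inter)
}
```

Only the root is placed in the trust store; the intermediate is handed over with the leaf, exactly as a server sends its chain, and the self-signed leaf fails because no known root signed it.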
Blacklists
CRL (Certificate Revocation List): lists certificates that have been revoked and are no longer valid (certificate revocation)
Online enquiry possible: Online Certificate Status Protocol (OCSP)
Use Cases
Server certificates
Client certificates
E-mail certificates / VPN certificates
OPC UA certificates
Authenticode: code integrity of software
…
Server Certificates
Server Certificate (diagram)
Client: holds the Root Certificate (CN: Root)
Server: holds the Server Private Key and the Certificate (CN: wibu.com)
Connection via https; the client verifies the identity of the server
Server Certificate – Secure Connection
Server Configuration…
SSLEngine on
SSLCertificateKeyFile "c:/cert/my_private_key.pem"
SSLCertificateFile "c:/cert/the_cert_I_got_from_verisign.crt"
… Server Configuration
SSLEngine on: activates SSL; SSL mode must be enabled
SSLCertificateKeyFile "c:/cert/my_private_key.pem": private key
SSLCertificateFile "c:/cert/the_cert_I_got_from_verisign.crt": certificate
Client Certificates
Client Certificate (diagram)
Client: holds the Root Certificate (CN: Root), the Client Private Key and the Certificate (CN: user)
Server: holds the Server Private Key, the Certificate (CN: wibu.com) and the Root Certificate (CN: Wibu Root)
Connection via https; the client verifies the identity of the server, the server verifies the identity of the client
Server Configuration for Client Certificates
SSLEngine on
SSLCertificateKeyFile "c:/cert/my_private_key.pem"
SSLCertificateFile "c:/cert/the_cert_I_got_from_verisign.crt"
SSLCACertificateFile "c:/cert/my_own_ca_root_cert.crt"
SSLVerifyClient require
SSLVerifyDepth 10
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "[email protected]"
SSLOptions +StdEnvVars
… Server Configuration for the Client Certificate
SSLCACertificateFile "c:/cert/my_own_ca_root_cert.crt": Certificate Authority (CA) for client certificates
SSLVerifyClient require: client certificate required
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "[email protected]": example of a validation
SSLOptions +StdEnvVars: transmission of the parameters to PHP / the application
Issuance of a Client Certificate (recommended)
Client: generate the key pair; generate the Certificate Signing Request (CSR); send the CSR to a CA
CA / Server: generate a certificate; send the certificate to the client
Client: import the certificate
Creation of a Client Certificate (easy)
CA / Server: generate the key pair; generate the certificate; export the private key; send certificate + private key to the client
Client: import the certificate; import the private key
Certificate / Private Key Storage
Saving Private Keys
File on the file system (PEM file with key)
Certificate storage: PKCS#11; Microsoft CSP (Crypto Service Provider)
Physical medium: on a disk; in a token
PKCS#11 / Microsoft CSP (diagram)
The CmDongle is reached through PKCS#11 (used by Firefox and OpenVPN) or through the Microsoft CSP (used by Internet Explorer and Outlook); My Application can use either interface.
Example with a Token: CSSI Middleware
Authenticode
Motivation: the Application
Signed Application
Started Application
Motivation: the Patch
Motivation: the Question
Is the application still running?
Started Application (with invalid signature)
Is the application still running?
The scary answer:
YES
Summary
Microsoft Windows starts any application: without signature, with valid signature, with invalid signature
On-board tools are not suitable for copy / integrity protection
Yes, but…
Software Check
Signature validation: valid / invalid? Who has signed? When was the application signed?
Reaction in case of an invalid signature: exit (hiding the calls?); "wrong calculation" !?
Started Application (with Authenticode check via API)
Started Application (Patched)
The Vulnerability (diagram)
Own Software calls WINTRUST.DLL for the signature check
The Vulnerability
A well-known and documented Windows API verifies the signature !? Attacks:
Patching WINTRUST.DLL
Hooking the function with standard tools
Overwriting functions in the DLL at runtime from the patched application
Overwrite at runtime (Delphi)
...
{ three bytes that make WinVerifyTrust return 0 (= trusted) regardless of the signature }
fake[0] := $31;
fake[1] := $C0;
fake[2] := $C3;
lib := LoadLibrary('WINTRUST.DLL');
p := GetProcAddress(lib, 'WinVerifyTrust');
VirtualProtect(p, 3, PAGE_EXECUTE_READWRITE, old);
Move(fake, p^, 3);
VirtualProtect(p, 3, old, old);
...
Started Application (Patched + Code Inject)
Conclusion: Authenticode
Certificates provide security only if the validation occurs in a trusted environment
Authenticode = protection of the user from viruses
Authenticode ≠ protection against piracy
Code Signature with AxProtector
Protection Suite
Wibu-Systems Protection Suite (diagram)
Functions: Automatic Protection (IP Protection); Anti-Debug Methods; Used CodeMeter Variant; Individual Encryption of Functions; Integrity Protection (Tamper Protection); Authenticity of Software (Secure Loader / Authenticity)
Platforms, runtimes and tools:
PC (Windows, Linux, OS X): CodeMeter Runtime, AxProtector / IxProtector
.NET: CodeMeter Runtime, AxProtector .NET
Java SE / Java EE: CodeMeter Runtime, AxProtector Java
Embedded: CodeMeter Embedded, AxProtector CmE
Operating System: CodeMeter Embedded, ExProtector
Functions of Protection Suite
Software authenticity (Secure Load): prevention of the execution of non-validated software
Integrity Protection (Tamper Protection): detection of changes (in memory!) and reaction
Automatic Protection (IP Protection): protection against reverse engineering and piracy
Anti-Debug Methods
Individual Encryption of Functions: encryption at method level
AxProtector (diagram)
Compiled Application: Header, Code Section, Data Section, Resource Section
AxProtector, using the Private Key, produces the Protected Application: Header, AxEngine (Security Engine + Public Key), Encrypted Code Section, Encrypted Data Section, Encrypted Resource Section, Signature
Self-Check (diagram)
The AxEngine (Security Engine + Public Key) calculates the hash of the executable and checks the signature (Hash, Public Key, Signature)
Check passed: the executable runs; check failed: Error
Check of another Module (diagram)
Executable and Dynamic Link Library each carry an AxEngine (Security Engine + Public Key) and a Signature
Possible checks: exe - exe, exe - dll, dll - dll, dll - exe
AxProtector control file (excerpt)
[WIBU-SYSTEMS Control File]
...
[Commandline]
...
-cav
...
[CheckCodeIntegrity Dlls]
Image1 = ShowHex.dll
...
-cav: SelfCheck; [CheckCodeIntegrity Dlls]: check of other modules
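The self-check and the check of other modules, as an added example that is not AxProtector's own code (the AxEngine itself is not shown in the slides): Go code that signs the hash of an image with a vendor key at build time, verifies it at start-up with the embedded public key instead of calling a system API, and runs the same check over a [CheckCodeIntegrity Dlls]-style module list. The image bytes, the module names and the P-256 key are constructed stand-ins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// signImage is the build-time step: hash the compiled image and sign the hash with
// the vendor's private key. Only the public key travels with the protected program.
func signImage(image []byte, priv *ecdsa.PrivateKey) []byte {
	digest := sha256.Sum256(image)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig
}

// checkImage is the self-check at start-up: hash the image as it is now and verify
// the stored signature with the embedded public key, without calling WINTRUST.DLL.
func checkImage(image, sig []byte, pub *ecdsa.PublicKey) bool {
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// checkModules mirrors [CheckCodeIntegrity Dlls]: verify each listed module and report per name.
func checkModules(modules, sigs map[string][]byte, pub *ecdsa.PublicKey) map[string]bool {
	ok := make(map[string]bool, len(modules))
	for name, image := range modules {
		ok[name] = checkImage(image, sigs[name], pub)
	}
	return ok
}

// DemoSelfCheck signs constructed stand-ins for app.exe and ShowHex.dll, then flips one bit of the DLL.
func DemoSelfCheck() (before, after map[string]bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed vendor key
	pub := &priv.PublicKey // this is what the engine embeds; the private key stays with the vendor
	modules := map[string][]byte{ // constructed sample images, not real PE files
		"app.exe":     []byte("MZ.. code section of the protected application .."),
		"ShowHex.dll": []byte("MZ.. code section of a module the application loads .."),
	}
	sigs := map[string][]byte{}
	for name, image := range modules {
		sigs[name] = signImage(image, priv)
	}
	before = checkModules(modules, sigs, pub)
	modules["ShowHex.dll"][16] ^= 0x01 // a single changed bit in the loaded module
	after = checkModules(modules, sigs, pub)
	return before, after
}
```

Because the check hashes the bytes as they are present at check time, it also catches a change made in memory after loading, which is the "in memory!" point of the Tamper Protection slide.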
ExProtector
ExProtector = protection of executable files on embedded operating systems
Integration of the "AxEngine" as ExEngine in the loader of the operating system / boot loader
Use of signatures and certificates
Rights management: who can sign the applications?
Usage of certificates within CodeMeter
Secure Firmware Update
There is a Wibu root certificate
There are production certificates, derived from the root certificate
Each CmDongle gets the public root key during production
The firmware update is signed with a production certificate
The old firmware checks the update (signature and certificate) before it applies the new firmware to the CmDongle
CodeMeter Universal Firm Code
Licenses are signed by the vendor
Licenses consist of a certificate and an encrypted part
The license certificate can contain an authorization for license transfer
In case of transfer, the original certificate is sent through and a new certificate of the issuing CmContainer is generated
With CodeMeter, everything is done transparently in the background
Germany: +49-721-931720
USA: +1-425-7756900
China: +86-21-55661790
http://www.wibu.com
Thank you for your attention