Private Keys Unexportable? Yeah, right

Mon, Jul 20, 2009

Security, Technology

So you have a certificate, with its private key, that needs to be installed on your server.  You want to ensure that no one can copy that private key to another server and use it to impersonate yours.  So during the import process you intentionally leave the option “Mark this key as exportable” unchecked:

[Screenshot: Certificate Import Wizard with “Mark this key as exportable” left unchecked]

After completing the import process you double-check that you are unable to export the private key: in the export wizard the option “Yes, export the private key” is grayed out:

[Screenshot: Certificate Export Wizard with “Yes, export the private key” grayed out]

Now you feel assured that your private key is safe and sound inside your server.

Except, is it really safe?

If you happen across a link to iSec Partners and their page labeled Jailbreak, you will discover that your private key is actually no safer than if you had checked “Mark this key as exportable”.  Simply download their tool and you can export private keys regardless of what the server administrator intended.  I had to see this for myself and was truly dumbfounded when this tool worked as promised.

Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store.  This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work.

After doing some thinking and discussing with my peers I came to the conclusion that this isn’t really a vulnerability or flaw in the storage of the private key.  Rather, it’s an example of a poorly designed and labeled option.  The import wizard shouldn’t make it appear to the user that the private key has become unreachable.  After all, the Windows server must be able to read the private key in order to use it during the TLS handshake, so the key has to be stored somewhere the machine can read it.  “Non-exportable” is only a flag that the software crypto provider honors when asked to export; anyone with full access to the key file on disk (which, as the iSec description says, is what Jailbreak requires) can read the same bytes the provider reads and skip the flag entirely.
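The check an administrator actually wants, given the above, is not whether the wizard grayed out the export option but which keys are sitting in a readable file on disk and who can read it.  The following PowerShell script is an added example (it is not part of the original post and not the iSEC Jailbreak tool): it enumerates the machine’s Personal store, reports each RSA private key’s exportable flag for both CNG and legacy CryptoAPI (CSP) keys, locates the key container file, and lists the accounts allowed on that file.  It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, run elevated, and the default machine key directories under %ProgramData%; the function names are my own.

```powershell
# Added example, not from the original post or from iSEC's Jailbreak.
# Enumerates certificates with private keys in the machine Personal store,
# reports the "exportable" flag and the on-disk key container for each RSA key,
# and shows who can read that file. Assumes Windows PowerShell 5.1 / .NET 4.6+,
# run elevated. Non-RSA (e.g. ECDSA) keys are reported as 'unsupported'.

function Get-PrivateKeyExportability {
    [CmdletBinding()]
    param(
        [string]$StoreName     = 'My',
        [string]$StoreLocation = 'LocalMachine'
    )

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            if (-not $cert.HasPrivateKey) { continue }

            $row = [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Provider   = 'unsupported'
                Exportable = $null
                KeyFile    = $null
                FileExists = $false
            }

            # Returns RSACng for CNG-stored keys, RSACryptoServiceProvider for CSP keys,
            # $null for non-RSA keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the export policy is a flag set stored with the key itself.
                $key = $rsa.Key
                $row.Provider   = $key.Provider.Provider
                $row.Exportable = (($key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne
                                   [System.Security.Cryptography.CngExportPolicies]::None)
                # Software KSP machine keys live here; TPM- or smart-card-backed keys have
                # no file at this path, which is exactly why they resist this kind of export.
                $row.KeyFile    = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($key.UniqueName)"
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CryptoAPI (CSP) key: the flag lives in the key container info,
                # and the container name is the file name under MachineKeys.
                $info = $rsa.CspKeyContainerInfo
                $row.Provider   = $info.ProviderName
                $row.Exportable = $info.Exportable
                $row.KeyFile    = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
            }

            if ($row.KeyFile) { $row.FileExists = Test-Path -LiteralPath $row.KeyFile }
            $row
        }
    }
    finally {
        $store.Close()
    }
}

# Anyone who can read the key file can run Jailbreak against it, so the file ACL,
# not the "exportable" flag, is the control that actually matters.
function Get-KeyFileReaders {
    param([Parameter(Mandatory)][string]$KeyFile)
    (Get-Acl -LiteralPath $KeyFile).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, FileSystemRights
}

# Usage: show every software-stored key, exportable or not, and who can read its file.
Get-PrivateKeyExportability |
    Where-Object { $_.FileExists } |
    ForEach-Object {
        $_ | Format-List Subject, Provider, Exportable, KeyFile
        Get-KeyFileReaders -KeyFile $_.KeyFile | Format-Table -AutoSize
    }
```

A key that shows `Exportable: False` but `FileExists: True` with Administrators or SYSTEM in the ACL is in exactly the position the post describes: the wizard says it cannot leave the box, but anyone running as those accounts can take the file.  Only keys whose provider never writes a readable file (a TPM or HSM-backed key storage provider, or a smart card) fall outside that list.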

And let’s not forget Law #6 of the 10 Immutable Laws of Security:

A computer is only as secure as the administrator is trustworthy

As with anything you download from the internet, it is always a good idea to perform some sort of scan to ensure the file isn’t malware or whatnot.  One place I rely on is VirusTotal, which can scan any file with over 40 different anti-virus engines and report what they find, all for free.

Ultimately this tool changes the game for server administrators managing server certificates.  You can no longer treat the “non-exportable” flag as protection: a private key in the Windows certificate store is only as safe as the accounts that can read its key file on disk.  If a key must genuinely be impossible to copy off the box, it has to live in hardware that never releases it, such as an HSM or a smart card, rather than in the software key store.  Perhaps you already knew this and I’m late to the game?
