A friend of mine from France sent me a link to an article talking about a court decision regarding digital signatures (in French). One bank could apparently not recover some money they loaned because of a technical issue with the digital signature on the contract.
Not the security story of the year, but since this is my area of work — CISSP, PKI expert, working for banks a lot — I was intrigued. I went on to check and played a bit with the bank web site. And what I found was weird… and scary. Read on.
The bank site is Carrefour Banque, part of Carrefour, the largest retailer in the world after Walmart.
To make a long story short, I went there, filled a few forms with random junk — sometimes very randomly as I could not understand everything — and eventually received a contract with a digital signature myself. I open it with Adobe Reader and not only there is a certificate filled with my random junk, but Reader tells me that the digital signature is valid, and that the identity is verified and trusted.
I played a bit more, and got a digital certificate for Obama and an other one for Jobs. I tried *.google.com and Adobe and I also received certificates! And they were legit and valid! You can download the signed documents and check for yourself. (junk, Jobs, Obama, Adobe, Google).
That’s pretty bad, since digital certificates are supposed to identify people (and web sites), not random junk typed by a random user. Very few certification authorities in the world can issue certificates trusted by Adobe, who has the most stringent policy requirements of most of the major players for accepting certification authorities.
So how can my random junk be “green”? Is there a major security hole in Adobe Reader? Has the bank site been hacked? Is it a configuration error? Let us take a closer look (or jump to the bottom of the page if you are bored already).
Let us take a look at the signature in more details.
As shown, the bogus certificates link directly to Adobe root. This means that this is not the newer AATL scheme, but the CDS scheme, which is much more stringent security wise. The certificate is issued through two intermediate CA from Keynectis, a small French CA, and which appear to have been set up for this scheme, since they both have CDS in their names.
The details pane show us the following:
The email and the CN are whatever I typed in the forms, and one OU seem to encode the date and some info. Other fields show us the certificate is valid for 5 minutes, and in yet another one, we find the OID of the Adobe CPS policy.
The Legal Notice tab confirms that:
This certificate has been issued in accordance with the Adobe CPS, KEYNECTIS CDS Certificate Policy and K.Websign PGP.
This is, quite obviously, not true. I did recheck the Adobe CPS to see if I could find a sentence allowing the issuance of bogus certificates without any kind of validation, but did not.
So, is it a big deal? Yes and no.
No, because, these certificates are obviously fake, and there is not much one can do with it (I did not have the private key by the way, I assume it was generated by Keynectis for the sole purpose of making a fake signature, and probably discarded afterwards).
Yes, because, we have a CA who is not following its policy and not following Adobe policy. Who would trust such a CA for other purposes?
An other question is: why are they doing this? And, a more interesting one, how the h%*! did they manage to have their CA signed by Adobe root?
For the first question, I can only guess that a bank would feel more comfortable when suing their own customers with a “green bar” in Adobe Reader than with a message saying there is a problem with the signature. That’s borderline producing fake evidence in front of a court, but IANAL and that’s not the point here.
As regards the second question, I see only a few options:
- Adobe compliance auditors are morons
- Adobe knew all along but wanted the money from the CDS scheme (well, I guess that’s not soooo much money, so probably not)
- Keynectis cheated on Adobe
I don’t know the exact procedure Adobe has set up to get into the CDS or the AATL scheme, but here is what most CA browser vendors do:
- they check the the Certification Practice Statement (CPS) of the candidate CA fulfills all the requirements of their own Certification Policy (CP)
- they check the result of an audit, performed by a reliable auditor, to ensure that the CA abides by its CPS
So, let us pretend we are Adobe compliance team and let us try to do these checks for ourselves.
This Certification Practice Statement, found on Keynectis web site, appears to be the one regulating the issuance of Adobe approved (CDS) certificates. And when you read it, things seem quite all right.
In the overview:
You the user, acknowledge that KEYNECTIS or RA organization has advised you to seek training and obtain adequate information to become familiar with digital signatures and certificates before requesting, using and trusting a certificate. It is your responsibility to decide whether or not the certificate offered by KEYNECTIS meets your needs.
Before submitting a certificate request, you must generate a key pair and protect the private key from any violation using a reputable method, as further described herein. Approved external devices and software programs are responsible for providing this security.
You must accept a certificate as specified in section 4 before releasing it to others or using it in any way. By accepting a certificate you acknowledge that you are making important representations.
Looks fine. If you except the fact that both the key and certificate were generated without my knowledge…
It is even more funny afterward:
The RA confirms during telephone interviews that the RA initaites that the identity of contacts listed on the certificate applications is correct. During these interviews, various client information is verified. These verifications include confirmation of secret information sent by the client with the certificate application (see section 4.3).
3.1.8 Unverified Information
Unverified information is not included in certificates.
ROTFL. In other words, it is at least option 3: Keynectis cheated on Adobe, since there are lying like crazy all over their CPS.
A question remains. How could they pass an audit? An auditor is supposed to see these kind of things. Their CPS tells who their auditor is. So I went to their auditor web site, and downloaded every list I could find.
It gets interesting again here. The OID of the CPS above is: 22.214.171.124.4.1.22126.96.36.199.1.1 and there are a lot of OID very close to the one above in the list for Keynectis, but this specific one is not. So again, we have a number of options:
- they were, in fact, never audited
- their auditors are morons
- Keynectis cheated on their auditors
It is hard to guess, since I do not know if the auditor’s lists include each and every CA. It’s hard to believe that Adobe could accept an CDS application without a single audit result. So maybe they have been fooled when being provided with the audit result of a different CA? Or maybe Keynectis produced a fake audit result? Or maybe they managed to hide their bogus certificates from their auditors? Time may tell…
By they way, on Keynectis website, there is a page dedicated to their KWebSign CA (the one producing the fake certificates). They list as customers no less than: BNP, AXA, AIG, Allianz, IngDirect… And claim they sign more than 1 million contracts per year… If they are all produced with fake certificates, some banks need to worry… (And Keynectis too).
And what about SSL?
I did not find them at first in the major browsers. So I googled a bit a found they are in fact included in IE and Firefox, etc but under a different name: CertPlus. Keynectis has a subca under the CertPlus root. So they also deliver SSL certificates (including EV). Well, deliver… they appear to delegate the registration work to a company called SSL Europa. The OID in their certificate is not listed on their auditors list. I did not find any kind of audit results for SSL Europa on the web. No sign of any wrongdoing here, but shallow enough for me to remove their CA from my web browser root stores, after what I saw above…
While many questions remain, one thing appears clear: they cheated on Adobe. When you issue a certificate with Adobe’s OID inside, you play by their rules. Period.
CA like that are harming the whole industry and should be terminated. In a sense, while not as critical security wise, it is worse than DigiNotar. When a CA gets hacked, the trust in the system goes down. If CA starts to cheat without being hacked, what kind of trust will remain?
Anyway, congrats to the French judge who ruled that the signature on the contract was not acceptable. I’d be curious to have the full case transcript to find out his reasons. I’m not sure the judge was presented with all the above, but at a bare minimum, he had a great intuition!