French CA Keynectis cheating?

A friend of mine from France sent me a link to an article talking about a court decision regarding digital signatures (in French). One bank could apparently not recover some money they loaned because of a technical issue with the digital signature on the contract.

Not the security story of the year, but since this is my area of work — CISSP, PKI expert, working for banks a lot — I was intrigued. I went on to check and played a bit with the bank web site. And what I found was weird… and scary. Read on.

Context

The bank site is Carrefour Banque, part of Carrefour, the largest retailer in the world after Walmart.

To make a long story short, I went there, filled a few forms with random junk — sometimes very randomly as I could not understand everything — and eventually received a contract with a digital signature myself. I opened it with Adobe Reader, and not only does it contain a certificate filled with my random junk, but Reader tells me that the digital signature is valid, and that the identity is verified and trusted.

I played a bit more, and got a digital certificate for Obama and another one for Jobs. I tried *.google.com and Adobe and I also received certificates! And they were legit and valid! You can download the signed documents and check for yourself. (junk, Jobs, Obama, Adobe, Google).

That’s pretty bad, since digital certificates are supposed to identify people (and web sites), not random junk typed by a random user. Very few certification authorities in the world can issue certificates trusted by Adobe, which has the most stringent policy requirements among the major players for accepting certification authorities.

So how can my random junk be “green”? Is there a major security hole in Adobe Reader? Has the bank site been hacked? Is it a configuration error? Let us take a closer look (or jump to the bottom of the page if you are bored already).

Analysis

Let us take a look at the signature in more detail.

[Screenshot: certification path of the bogus certificate]

As shown, the bogus certificates chain directly to the Adobe root. This means that this is not the newer AATL scheme but the CDS scheme, which is much more stringent security-wise. The certificate is issued through two intermediate CAs from Keynectis, a small French CA; both appear to have been set up for this scheme, since they both have CDS in their names.

The details pane shows us the following:

[Screenshot: certificate details pane, Subject fields]

The email and the CN are whatever I typed in the forms, and one OU seems to encode the date and some other info. Other fields show that the certificate is valid for 5 minutes, and in yet another one we find the OID of the Adobe CPS policy.

The Legal Notice tab confirms that:

[Screenshot: Legal Notice tab of the certificate]

This certificate has been issued in accordance with the Adobe CPS, KEYNECTIS CDS Certificate Policy and K.Websign PGP.

This is, quite obviously, not true. I did recheck the Adobe CPS to see if I could find a sentence allowing the issuance of bogus certificates without any kind of validation, but did not.

So, is it a big deal? Yes and no.

No, because these certificates are obviously fake, and there is not much one can do with them (I did not have the private key, by the way; I assume it was generated by Keynectis for the sole purpose of making a fake signature, and probably discarded afterwards).

Yes, because we have a CA that is following neither its own policy nor Adobe’s policy. Who would trust such a CA for other purposes?

Another question is: why are they doing this? And, a more interesting one, how the h%*! did they manage to have their CA signed by the Adobe root?

For the first question, I can only guess that a bank would feel more comfortable when suing their own customers with a “green bar” in Adobe Reader than with a message saying there is a problem with the signature. That’s borderline producing fake evidence in front of a court, but IANAL and that’s not the point here.

As regards the second question, I see only a few options:

  1. Adobe compliance auditors are morons
  2. Adobe knew all along but wanted the money from the CDS scheme (well, I guess that’s not soooo much money, so probably not)
  3. Keynectis cheated on Adobe

I don’t know the exact procedure Adobe has set up to get into the CDS or the AATL scheme, but here is what most browser vendors do before accepting a CA:

  1. they check that the Certification Practice Statement (CPS) of the candidate CA fulfills all the requirements of their own Certification Policy (CP)
  2. they check the result of an audit, performed by a reliable auditor, to ensure that the CA abides by its CPS

So, let us pretend we are Adobe’s compliance team and try to do these checks for ourselves.

This Certification Practice Statement, found on Keynectis’ web site, appears to be the one regulating the issuance of Adobe-approved (CDS) certificates. And when you read it, things seem quite all right.

In the overview:

You the user, acknowledge that KEYNECTIS or RA organization has advised you to seek training and obtain adequate information to become familiar with digital signatures and certificates before requesting, using and trusting a certificate. It is your responsibility to decide whether or not the certificate offered by KEYNECTIS meets your needs.
Before submitting a certificate request, you must generate a key pair and protect the private key from any violation using a reputable method, as further described herein. Approved external devices and software programs are responsible for providing this security.
You must accept a certificate as specified in section 4 before releasing it to others or using it in any way. By accepting a certificate you acknowledge that you are making important representations.

Looks fine. Except for the fact that both the key and the certificate were generated without my knowledge…

It gets even funnier afterwards:

Individual identification
The RA confirms during telephone interviews that the RA initiates that the identity of contacts listed on the certificate applications is correct. During these interviews, various client information is verified. These verifications include confirmation of secret information sent by the client with the certificate application (see section 4.3).

3.1.8 Unverified Information
Unverified information is not included in certificates.

ROTFL. In other words, it is at least option 3: Keynectis cheated on Adobe, since they are lying like crazy all over their CPS.

A question remains: how could they pass an audit? An auditor is supposed to see these kinds of things. Their CPS tells who their auditor is, so I went to the auditor’s web site and downloaded every list I could find.

It gets interesting again here. The OID of the CPS above is 1.3.6.1.4.1.22234.2.8.2.1.1, and there are a lot of OIDs very close to that one in the list for Keynectis, but this specific one is not there. So again, we have a number of options:

  1. they were, in fact, never audited
  2. their auditors are morons
  3. Keynectis cheated on their auditors

It is hard to guess, since I do not know if the auditor’s lists include each and every CA. It’s hard to believe that Adobe could accept a CDS application without a single audit result. So maybe they were fooled when provided with the audit result of a different CA? Or maybe Keynectis produced a fake audit result? Or maybe they managed to hide their bogus certificates from their auditors? Time may tell…
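Here is the OID check above done mechanically, as an added example that is not code from the original post nor from Keynectis or Adobe: a small stdlib-only DER walker that lists the policy OIDs a certificate's certificatePolicies extension asserts and reports which of them are missing from the auditor's list. Only the CPS OID comes from the post; the DER bytes, the neighbouring OID and the audit list are constructed for the example.

```python
# Added example, not code from the original post or from Keynectis: a small
# stdlib DER walker that lists the policy OIDs a certificate's certificatePolicies
# extension asserts and checks them against an auditor's covered-OID list.
# Only 1.3.6.1.4.1.22234.2.8.2.1.1 comes from the post; the bytes and the audit
# list below are constructed for the example.

def _read_tlv(data, pos):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID contents: base-128 arcs, the first byte packs the first two arcs."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:  # continuation bit set, more bytes follow for this arc
            continue
        arcs += [value] if arcs else (divmod(value, 40) if value < 80 else (2, value - 80))
        value = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_der):
    """List the policyIdentifier OIDs of a DER certificatePolicies extension value."""
    tag, seq, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)  # one PolicyInformation
        tag, oid, _ = _read_tlv(info, 0)     # its policyIdentifier; qualifiers ignored
        if tag == 0x06:
            oids.append(decode_oid(oid))
    return oids

# Constructed extension value asserting two policies: the CPS OID quoted in the
# post (1.3.6.1.4.1.22234.2.8.2.1.1) and a constructed neighbour (...2.8.2.2.1)
SAMPLE_EXT = bytes.fromhex(
    "3022"
    "300f 060d 2b06010401 81ad5a 02 08 02 01 01"
    "300f 060d 2b06010401 81ad5a 02 08 02 02 01")
# Constructed audit list: neighbours of the CPS OID are covered, the CPS OID is not
AUDITED_OIDS = {"1.3.6.1.4.1.22234.2.8.2.2.1", "1.3.6.1.4.1.22234.2.8.1.1"}

def unaudited_policies(ext_der, audited=AUDITED_OIDS):
    """Asserted policy OIDs that no audit report covers."""
    return [oid for oid in policy_oids(ext_der) if oid not in audited]
```

On a real certificate the extension value is the contents of the OID 2.5.29.32 extension; the walker ignores policy qualifiers, which is all the audit comparison needs.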

By the way, on Keynectis’ website there is a page dedicated to their KWebSign CA (the one producing the fake certificates). They list as customers no less than BNP, AXA, AIG, Allianz, IngDirect… and claim they sign more than 1 million contracts per year… If they are all produced with fake certificates, some banks need to worry… (And Keynectis too.)

And what about SSL?

I did not find them at first in the major browsers. So I googled a bit and found they are in fact included in IE, Firefox, etc., but under a different name: CertPlus. Keynectis has a sub-CA under the CertPlus root. So they also deliver SSL certificates (including EV). Well, deliver… they appear to delegate the registration work to a company called SSL Europa. The OID in their certificate is not listed on their auditor’s list. I did not find any kind of audit results for SSL Europa on the web. No sign of any wrongdoing here, but shallow enough for me to remove their CA from my web browser root stores, after what I saw above…

Conclusion

While many questions remain, one thing appears clear: they cheated on Adobe. When you issue a certificate with Adobe’s OID inside, you play by their rules. Period.

CAs like that are harming the whole industry and should be terminated. In a sense, while not as critical security-wise, it is worse than DigiNotar. When a CA gets hacked, the trust in the system goes down. If CAs start to cheat without being hacked, what kind of trust will remain?

Anyway, congrats to the French judge who ruled that the signature on the contract was not acceptable. I’d be curious to have the full case transcript to find out his reasons. I’m not sure the judge was presented with all the above, but at a bare minimum, he had a great intuition!


5 thoughts on “French CA Keynectis cheating?”

  1. JY Faurois

    Dear Sir or Madam,
    Normally, Keynectis would not have bothered to respond to an unknown blogger with no readership who seems to have created his or her site with the sole purpose of anonymously besmirching our reputation. However, as your accusations attack the very core of our business – our integrity – we have felt it necessary to respond.
    We would have appreciated if you had identified yourself while claiming serious and slanderous accusations against a reputable company.
    We also would have appreciated if you or your French friend had taken some time to investigate more thoroughly the alleged issues raised. A relevant and reliable investigation involves interviewing all the actors concerned and to the best of our knowledge, you have made no attempt to contact Keynectis to hear our side of the story. We would have been pleased though to explain the results of your random tests and the reason why they misled you into false interpretations. Having said that, we have been reading your blog article with particular attention and we would like to clear up a few things.
    First of all, you apparently confused two separate subjects. The first one is a court ruling against Carrefour Banque that has nothing to do with the so-called “junk name” issue. In this first matter, the decision was in favor of the litigant because Carrefour produced a printed document as evidence of the customer commitment. Instead of this printed document with no legal value, Carrefour Banque should have used the digitally signed document in accordance with the French statutory order covering digital signatures. This digital proof is provided through the entire evidence workflow set up by the Keynectis signing product (K.Websign™) and the Carrefour evidence management policy. Carrefour has since then filed an appeal that contradicted the first instance court ruling.
    Concerning the so-called junk name issue:
    The large BtoC companies who use K.Websign to have their contracts signed online are, by contract, committed to Keynectis to perform ID verification of the signatories. In some special cases, those companies deal with prospects and therefore perform the verification in Back Office during the days following the actual transaction. In the event the verification fails, the transaction is discarded. The “friend of yours from France” transmitted the signed contract to you, but he apparently omitted to explain that the Carrefour Banque procedure also requires him to transmit a scan or paper copy of an official ID document to confirm his identity. Based on this, the Back Office of Carrefour Banque can perform the verification and then approve or reject the transaction. As long as the approval is not granted by the Back Office, the transaction is not valid.
    As you correctly noticed, there is absolutely no security concern regarding this situation:
    – the digital certificate and the associated private key are issued only for the transaction
    – the signatory has no control of the private key after the transaction is processed (the private key is generated on a secure device (HSM), never delivered to the signatory, and erased immediately after the signature is performed)
    – the digital certificate validity period is 5 minutes long and the key usage is restricted to “non-repudiation”.
    In the physical (paper) world, nothing can prevent anyone from performing a fake signature on a document, the question is: “Can such a fake signature have legal consequences?” In the present situation, the answer is clearly NO, as explained above.
    There remains the question of the damage to the reputations of Adobe, Keynectis, and more generally the CA business. Here, we agree that, even if we (Keynectis and our customers) are compliant with our legal commitments, as shown above, the present situation can project a negative image to the market. Therefore, in total transparency with our partner Adobe, we are currently working with our customers to avoid a situation where a delayed ID verification can result in fake CDS signatures on PDF contracts.

    Conclusion:
    Keynectis is a reputable company, accountable for millions of trusted transactions with some of the largest financial institutions in the world. We transparently publish our commitments (CP, CPS, PGP) and take all appropriate measures to comply with them.
    Keynectis never had any intention of deceiving its partner Adobe (or anyone else!); as soon as we were informed of this situation, we immediately cooperated with Adobe to analyze it and propose appropriate corrections, together with our customers.
    There is no security concern nor any legal risks caused to any third party in the present situation.

    Jean-Yves Faurois,
    CSO, Keynectis
    February, 26th 2013

  2. Jeunehomme

    Pretty awesome… for a French CA which claims to have secure procedures compliant with the French standards RGS.
    No return of this “security hole” on French forums… Did you receive any explanation from the CA? Or do they remain silent to avoid the “buzz”?

  3. Anon

    I’m pretty sure disclosing security failures like this violates the ISC2 Code of Ethics, and you could lose your CISSP certification.

    Protect society, the common good, necessary public trust and confidence, and the infrastructure.
    Act honorably, honestly, justly, responsibly, and legally.
    Provide diligent and competent service to principals.
    Advance and protect the profession.

    Your finding is interesting, but the report is poorly written.

    In an acronym: tl;dr
    Either you write for the general public, and all of the technical details are useless, or you write for an expert public, and you can summarize all of this blog post in a bunch of lines.

  4. Vieilhomme

    If you take EPO to win the race, this is cheating.

    If you are in the game you have 3 solutions:
    You do not play,
    You play but you know you will lose,
    You think this is unfair, you also want to play the game, so you also take forbidden substances. But as there is testing, you have to find cunning solutions to avoid it.

    I think you have discovered a new French scandal of “Tour de France of CAs”.

  5. F

    Mr Faurois,

    You are missing the point of the post. You are trying to demonstrate that your system is “secure”. This is not the point. The point is that you are lying in your certification policy. This is not acceptable.
