Author Archives: sato1sato

French CA CertEurope cheating (too)?

A few months ago, I posted about a French CA that appeared to be cheating.

For those who do not want to read the previous post, short story is: go to some bank web site. Enter a fake name. Receive an e-signed document with your fake name, included in a certificate that is approved by Adobe. So the document looks legit. I still invite you to read the previous post, since I will not go through the details in this one, but detail some other aspects.

Context

Following a comment I received, I decided to try the same with another French CA.

I found a website that was “powered” by CertEurope, this time. And I did the same. Filled random forms in French with random junk. And … ? And … ? And … ? Yes, you guessed it: same outcome. I obtained legit-looking PDFs signed by junk, Obama, Jobs, Adobe.

One French CA cheating is weird. Two French CAs cheating tells me I screwed up my analysis and that they are, in fact, NOT cheating. Or are they?

Analysis

Let us take a look at the signature in more details.

[Screenshot: cert]

Contrary to the previous case, the bogus certificate does not chain up to the Adobe root. This means it is the newer AATL scheme, not the old CDS scheme. The certificate is issued from one intermediate CA of CertEurope, a small French CA.

The details pane shows us the following:

[Screenshot: cdet]

The email and the CN are whatever I typed in the forms, and there is one unknown attribute. Other fields show us the certificate is valid for 1 day, and in yet another one, we find the OID of the policy: 1.2.250.1.105.16.1.1.0

It is very similar to my last experience with Keynectis. Short-lived certificate, no identity checks, I did not have access to the private key, I did not get to choose which document to sign, but I did have the green bar in Adobe Reader.

Back to the OID. Having learned from last time, I quickly opened the list of audited CAs from the French site LTSI. And I find …

  • 1.2.250.1.105.9.1.1.2
  • 1.2.250.1.105.10.1.2
  • 1.2.250.1.105.12.1.1.0
  • 1.2.250.1.105.18.1.1.0
  • 1.2.250.1.105.7.1.1.1

All close, none just right. Again, we have an unaudited CA that does not perform any identity checks before issuing a certificate, but that is approved by Adobe.
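The check above (and the same one for the Keynectis OID in the post below) is an exact match of the policy OID found in the certificate against the auditor's list, where “close” counts for nothing. As an added example that is not code from the post, here is a pure-stdlib way to pull the policy OID out of a DER certificatePolicies extension and compare it with the audited list, reporting how many leading arcs a near-miss shares; the extension bytes are constructed for the example and carry the OID quoted above.

```python
# Added example, not code from the post: decode a DER certificatePolicies extension
# and check each policy OID against an audited list by exact match, also reporting
# how many leading arcs the nearest audited OID shares (closeness is not a match).
from itertools import takewhile

def decode_oid(content: bytes) -> str:
    """DER OBJECT IDENTIFIER content bytes -> dotted string (first arc 0 or 1)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def iter_tlv(der: bytes):
    """Yield (tag, content) for each top-level DER element; short or long length."""
    i = 0
    while i < len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length & 0x80:                 # long form: 0x8N, then N length bytes
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        yield tag, der[i:i + length]
        i += length

def policy_oids(ext: bytes) -> list:
    """certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID, ... }."""
    (_, seq_of), = iter_tlv(ext)                          # outer SEQUENCE
    return [decode_oid(next(iter_tlv(info))[1])           # OID is the first element
            for _, info in iter_tlv(seq_of)]

def shared_arcs(a: str, b: str) -> int:
    """Number of leading arcs two dotted OIDs have in common."""
    pairs = zip(a.split("."), b.split("."))
    return sum(1 for _ in takewhile(lambda p: p[0] == p[1], pairs))

def audit_check(claimed: list, audited: list) -> dict:
    """claimed OID -> (exact match in audited list?, nearest audited OID, arcs shared)."""
    out = {}
    for oid in claimed:
        nearest = max(audited, key=lambda a: shared_arcs(oid, a))
        out[oid] = (oid in audited, nearest, shared_arcs(oid, nearest))
    return out

# Constructed extension value carrying the policy OID quoted in the post,
# 1.2.250.1.105.16.1.1.0, hand-encoded: 30 0d 30 0b 06 09 2a 81 7a 01 69 10 01 01 00
CERTEUROPE_EXT = bytes.fromhex("300d300b06092a817a016910010100")
LTSI_AUDITED = ["1.2.250.1.105.9.1.1.2", "1.2.250.1.105.10.1.2", "1.2.250.1.105.12.1.1.0",
                "1.2.250.1.105.18.1.1.0", "1.2.250.1.105.7.1.1.1"]  # the list in the post
```

Running `audit_check(policy_oids(CERTEUROPE_EXT), LTSI_AUDITED)` reports no exact match for 1.2.250.1.105.16.1.1.0, only neighbours sharing the first five arcs under 1.2.250.1.105.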

So, is it a big deal? Well, yeah, it is starting to be.

Of course, as with Keynectis, the signature is obviously a fake, and I could not reuse the private key since I never got it. However, French people need to be educated on the meaning of COMPLIANCE.

Not compliance as in “Yeah, sure, we do stuff all right, my mate. Have another glass of wine”, but as in: “Here are the rules. Follow them. Period”.

So, the rules…

This time, I went and found the AATL Adobe requirement on the web. And it says:

4. Non-governmental Members must have successfully passed, within the past 18 months, and continue to pass on an annual basis, any or all of the following:

4.1 WebTrust for CA audit;

4.2 ETSI 101 456 audit;

4.3 ETSI 102 042 audit;

4.4 ISO 21188:2006; and/or

4.5 German Digital Signature law audit

Anyone? Didn’t you mates forget something? … The audit?

7.2 The Member must demonstrate the use of strong identification and authorization procedures and be willing to provide documentation to Adobe on the processes. In particular, the Member must warrant that all information and representations made by the Subscriber and ICAs that chain up to the Certificate are true;

Ooooooops. My bad. Forgot to warrant the identity. Have another glass of wine.

From this information, I decided to revise the hypothesis of my previous post regarding Adobe compliance team:

  1. Adobe compliance auditors do not even look at the applications
  2. Adobe compliance auditors have been given too much wine to drink
  3. Keynectis AND CertEurope both cheated on Adobe

And for point #3, a possible explanation came to my mind:

  1. Set up a compliant CA and have it approved by Adobe
  2. Cross-certify it with a non-compliant CA and hope no-one will see
  3. Profit !!!

Again, the thing I’m not sure of is whether the French auditor list includes all CAs. If they were really audited, I would not want to be their auditor today.

Conclusion

I found 4 (or 5?) French CAs in the AATL list of members. Therefore, at least between 40% and 50% of the French CAs are cheating Adobe, by not being compliant with the rules of the program (I’ll check the others when I have time). The harm done to the rest of the industry is starting to be unbearable. The “Green bar” in Adobe will soon be an Internet joke.


French CA Keynectis cheating?

A friend of mine from France sent me a link to an article talking about a court decision regarding digital signatures (in French). One bank could apparently not recover some money they loaned because of a technical issue with the digital signature on the contract.

Not the security story of the year, but since this is my area of work — CISSP, PKI expert, working for banks a lot — I was intrigued. I went on to check and played a bit with the bank web site. And what I found was weird… and scary. Read on.

Context

The bank site is Carrefour Banque, part of Carrefour, the largest retailer in the world after Walmart.

To make a long story short, I went there, filled a few forms with random junk — sometimes very randomly as I could not understand everything — and eventually received a contract with a digital signature myself. I opened it with Adobe Reader, and not only is there a certificate filled with my random junk, but Reader tells me that the digital signature is valid, and that the identity is verified and trusted.

I played a bit more, and got a digital certificate for Obama and another one for Jobs. I tried *.google.com and Adobe and I also received certificates! And they were legit and valid! You can download the signed documents and check for yourself. (junk, Jobs, Obama, Adobe, Google).

That’s pretty bad, since digital certificates are supposed to identify people (and web sites), not random junk typed by a random user. Very few certification authorities in the world can issue certificates trusted by Adobe, which has the most stringent policy requirements among the major players for accepting certification authorities.

So how can my random junk be “green”? Is there a major security hole in Adobe Reader? Has the bank site been hacked? Is it a configuration error? Let us take a closer look (or jump to the bottom of the page if you are bored already).

Analysis

Let us take a look at the signature in more details.

[Screenshot: path]

As shown, the bogus certificates chain directly to the Adobe root. This means that this is not the newer AATL scheme, but the CDS scheme, which is much more stringent security-wise. The certificate is issued through two intermediate CAs from Keynectis, a small French CA, which appear to have been set up for this scheme, since they both have CDS in their names.

The details pane shows us the following:

[Screenshot: cn]

The email and the CN are whatever I typed in the forms, and one OU seems to encode the date and some info. Other fields show us the certificate is valid for 5 minutes, and in yet another one, we find the OID of the Adobe CPS policy.

The Legal Notice tab confirms that:

[Screenshot: cps]

This certificate has been issued in accordance with the Adobe CPS, KEYNECTIS CDS Certificate Policy and K.Websign PGP.

This is, quite obviously, not true. I did recheck the Adobe CPS to see if I could find a sentence allowing the issuance of bogus certificates without any kind of validation, but did not.

So, is it a big deal? Yes and no.

No, because, these certificates are obviously fake, and there is not much one can do with it (I did not have the private key by the way, I assume it was generated by Keynectis for the sole purpose of making a fake signature, and probably discarded afterwards).

Yes, because, we have a CA who is not following its policy and not following Adobe policy. Who would trust such a CA for other purposes?

Another question is: why are they doing this? And, a more interesting one, how the h%*! did they manage to have their CA signed by the Adobe root?

For the first question, I can only guess that a bank would feel more comfortable when suing their own customers with a “green bar” in Adobe Reader than with a message saying there is a problem with the signature. That’s borderline producing fake evidence in front of a court, but IANAL and that’s not the point here.

As regards the second question, I see only a few options:

  1. Adobe compliance auditors are morons
  2. Adobe knew all along but wanted the money from the CDS scheme (well, I guess that’s not soooo much money, so probably not)
  3. Keynectis cheated on Adobe

I don’t know the exact procedure Adobe has set up to get into the CDS or the AATL scheme, but here is what most browser vendors do when accepting a CA:

  1. they check that the Certification Practice Statement (CPS) of the candidate CA fulfills all the requirements of their own Certificate Policy (CP)
  2. they check the result of an audit, performed by a reliable auditor, to ensure that the CA abides by its CPS

So, let us pretend we are Adobe compliance team and let us try to do these checks for ourselves.

This Certification Practice Statement, found on Keynectis web site, appears to be the one regulating the issuance of Adobe approved (CDS) certificates. And when you read it, things seem quite all right.

In the overview:

You the user, acknowledge that KEYNECTIS or RA organization has advised you to seek training and obtain adequate information to become familiar with digital signatures and certificates before requesting, using and trusting a certificate. It is your responsibility to decide whether or not the certificate offered by KEYNECTIS meets your needs.
Before submitting a certificate request, you must generate a key pair and protect the private key from any violation using a reputable method, as further described herein. Approved external devices and software programs are responsible for providing this security.
You must accept a certificate as specified in section 4 before releasing it to others or using it in any way. By accepting a certificate you acknowledge that you are making important representations.

Looks fine. Except for the fact that both the key and the certificate were generated without my knowledge…

It is even more funny afterward:

Individual identification
The RA confirms during telephone interviews that the RA initiates that the identity of contacts listed on the certificate applications is correct. During these interviews, various client information is verified. These verifications include confirmation of secret information sent by the client with the certificate application (see section 4.3).

3.1.8 Unverified Information
Unverified information is not included in certificates.

ROTFL. In other words, it is at least option 3: Keynectis cheated on Adobe, since they are lying like crazy all over their CPS.

A question remains. How could they pass an audit? An auditor is supposed to see these kinds of things. Their CPS tells who their auditor is. So I went to their auditor’s web site, and downloaded every list I could find.

It gets interesting again here. The OID of the CPS above is 1.3.6.1.4.1.22234.2.8.2.1.1, and there are a lot of OIDs very close to it in the list for Keynectis, but this specific one is not there. So again, we have a number of options:

  1. they were, in fact, never audited
  2. their auditors are morons
  3. Keynectis cheated on their auditors

It is hard to guess, since I do not know if the auditor’s lists include each and every CA. It’s hard to believe that Adobe could accept a CDS application without a single audit result. So maybe they have been fooled when being provided with the audit result of a different CA? Or maybe Keynectis produced a fake audit result? Or maybe they managed to hide their bogus certificates from their auditors? Time may tell…

By the way, on the Keynectis website, there is a page dedicated to their KWebSign CA (the one producing the fake certificates). They list as customers no less than: BNP, AXA, AIG, Allianz, IngDirect… And claim they sign more than 1 million contracts per year… If they are all produced with fake certificates, some banks need to worry… (And Keynectis too).

And what about SSL?

I did not find them at first in the major browsers. So I googled a bit and found they are in fact included in IE, Firefox, etc., but under a different name: CertPlus. Keynectis has a sub-CA under the CertPlus root. So they also deliver SSL certificates (including EV). Well, deliver… they appear to delegate the registration work to a company called SSL Europa. The OID in their certificate is not listed on their auditor’s list. I did not find any kind of audit results for SSL Europa on the web. No sign of any wrongdoing here, but shallow enough for me to remove their CA from my web browser root stores, after what I saw above…

Conclusion

While many questions remain, one thing appears clear: they cheated on Adobe. When you issue a certificate with Adobe’s OID inside, you play by their rules. Period.

CAs like that are harming the whole industry and should be terminated. In a sense, while not as critical security-wise, it is worse than DigiNotar. When a CA gets hacked, the trust in the system goes down. If CAs start to cheat without being hacked, what kind of trust will remain?

Anyway, congrats to the French judge who ruled that the signature on the contract was not acceptable. I’d be curious to have the full case transcript to find out his reasons. I’m not sure the judge was presented with all the above, but at a bare minimum, he had a great intuition!