Certificate Authentication
Understanding Certificate-based Authentication
A public-key certificate binds an identity to a public key and carries the signature of the issuer that vouched for that binding. In certificate-based authentication, one computer proves to another, across a network connection, that it holds the private key matching a certificate the other side trusts; the private key itself is never sent. The technique is commonly used in internet security protocols such as SSL/TLS: in client certificate authentication, the end user's device presents its certificate during the TLS handshake to prove its identity and gain access to server or network resources (Network World, Microsoft). When both sides present certificates, as in mutual TLS, each party authenticates the other. Because there is no reusable secret to type, phish, or replay, certificate-based authentication is more secure than traditional password-based methods, and it applies equally to servers, personal computers, and IoT devices (Network World, Yubico, Infosec Institute).
Public Key Infrastructure (PKI) plays a crucial role in certificate-based authentication: it links cryptographic public keys to digital certificates issued by a trusted source, the certificate authority (CA). A relying party only needs to trust the CA's own certificate to validate any certificate that CA has issued, which is why the certificate is often described as a digital passport for the sender in digital communications. PKI underlies the SSL/TLS protocol that secures the internet and enables entities such as websites and users to authenticate each other. By using PKI and certificate-based authentication, organizations can grant legitimate access to protected resources without traditional password-based login, improving both security and access management in the enterprise (Okta, Network World, Yubico).
Examples: CAWE and CEWS
Certification Authority Web Enrollment (CAWE) is an AD CS role service that lets client computers submit Public-Key Cryptography Standards (PKCS) #10 certificate requests interactively through a web browser and an Internet Information Services (IIS) website. Users get an interactive site where they can upload requests, download the issued certificates, and obtain certificate revocation lists (CRLs) without any special client components or configuration. It supports a wide range of client operating systems and is distinct from the Certificate Enrollment Web Services role services, although both are reached over HTTPS (Microsoft, Microsoft).
The Certificate Enrollment Web Services (CEWS) are Active Directory Certificate Services (AD CS) role services, the Certificate Enrollment Policy Web Service and the Certificate Enrollment Web Service, that let users and computers enroll for certificates over HTTPS according to enrollment policy. This extends policy-based enrollment to computers that are not domain members and to domain members that are not currently connected to the domain network. They were introduced in Windows Server 2008 R2 and remain available in later versions such as Windows Server 2012 and 2012 R2 (Forsenergy, Microsoft, Microsoft).
Exploits and Vulnerabilities in Certificate-based Authentication
Known attack paths against certificate-based authentication in Active Directory include: an attacker with local administrator rights on the CA server changing CA policy settings so that a certificate usable for Kerberos Public Key Cryptography for Initial Authentication (PKINIT) can be obtained for a privileged user; abuse of over-permissive ACLs on user objects to take over accounts; and vulnerabilities such as CVE-2022-26923, which allowed an attacker to elevate privileges to domain administrator through Active Directory Certificate Services (AD CS) (Risk Insight, GovLoop, Security Intelligence).
Beyond AD CS, the weak points are the components the trust rests on: the certificate authority (CA), the issued certificates, and above all the private keys. If any of these is compromised, the attacker holds a credential the system cannot distinguish from a legitimate one and walks past the controls built on it. Mistakes in the verification logic on the relying-party side are exploitable in the same way, for example accepting any certificate that chains to the CA without checking its key usage, its validity period, its revocation status, or that the name inside it belongs to the account being accessed (GovLoop, GoTeleport).
Mitigation starts with cryptographic hygiene: perform full certificate verification with scoped attributes (verify the chain, the validity period, the intended key usage, and that the identity in the certificate maps to the requesting principal), and do not accept certificates signed with hash functions that are prone to collision attacks, such as MD5 and SHA-1 (GoTeleport). Compromise of a CA, a certificate, or a private key must be planned for, because once a key is stolen the authentication system cannot tell a hacker from a legitimate employee; only revocation and re-issuance restore that distinction (GovLoop). It is also important to note that there is no single best security measure: each authentication method has its own set of vulnerabilities and exploits. For another such example, see my Multi-Factor Authentication (MFA) Exploits and Vulnerabilities article.
Certificate Revocation and Management
Certificate revocation invalidates a certificate before the end of its validity period, typically because the private key was compromised, the holder left the organization, or for administrative reasons. Two mechanisms distribute revocation status: Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP). A CRL is a signed list, published by the CA, of the serial numbers of revoked certificates; clients download it periodically and check the presented certificate against it. OCSP instead lets the client ask an OCSP responder about the status of a single serial number at the time of the connection, which gives fresher answers at the cost of a request per validation. Organizations commonly use both, and the relying party must be configured to fetch revocation data and to fail closed when it cannot; otherwise revoking a certificate changes nothing (Securew2, Entrust, SSLTrust).
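The mechanics described above, a CA issuing a certificate from a PKCS #10 request, the relying party verifying it with scoped attributes, and revocation through a CRL, as one runnable example. This is an added example, not code from the article or from any of the sources it cites; it assumes only the openssl command-line tool (1.1.1 or later) and uses made-up names (Example Lab Root CA, alice@example.test). The "relying party" here is `openssl verify`, standing in for a TLS server's client-certificate check.

```sh
#!/bin/sh
# Added example: a throwaway PKI built with the openssl CLI (1.1.1+ assumed).
# Names (Example Lab Root CA, alice@example.test) are constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"

build_pki() {
  # One config file serves `openssl req` (the CA self-signature) and
  # `openssl ca` (revocation and CRL signing). Unquoted heredoc: $WORK expands.
  cat > "$WORK/lab.cnf" <<EOF
[ req ]
distinguished_name = ca_dn
prompt = no
x509_extensions = ca_ext

[ ca_dn ]
CN = Example Lab Root CA

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[ ca ]
default_ca = lab

[ lab ]
database = $WORK/index.txt
serial = $WORK/serial
crlnumber = $WORK/crlnumber
new_certs_dir = $WORK
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 7
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"

  # 1. Self-signed root CA: the trust anchor the relying party is configured with.
  openssl req -x509 -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes -sha256 \
      -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

  # 2. The client generates its own key pair and a PKCS #10 request; only the
  #    request leaves the device (this is what CAWE/CEWS accept over HTTPS).
  openssl req -new -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=alice" -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1

  # 3. The CA, not the requester, decides the extensions: EKU is scoped to
  #    clientAuth and the identity the server will map to an account is in SAN.
  cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:alice@example.test
EOF
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 90 -sha256 -extfile "$WORK/client.ext" \
      -out "$WORK/client.crt" >/dev/null 2>&1

  # 4. Publish an (empty) CRL so relying parties can fail closed from day one.
  openssl ca -config "$WORK/lab.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Chain + validity + purpose check. $1 is an openssl purpose name
# (sslclient, sslserver, ...); a cert issued for clientAuth must fail sslserver.
verify_client() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose "$1" "$WORK/client.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# The attribute the server may trust as the identity: the SAN the CA put there,
# not a subject string chosen by the requester.
cert_identity() {
  openssl x509 -in "$WORK/client.crt" -noout -ext subjectAltName |
      sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p'
}

# Signature algorithm, so a deployment can reject md5/sha1-signed certificates.
signature_algorithm() {
  openssl x509 -in "$WORK/client.crt" -noout -text |
      sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Revoke the client certificate and publish a fresh CRL that lists its serial.
revoke_client() {
  openssl ca -config "$WORK/lab.cnf" -revoke "$WORK/client.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/lab.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Same chain check, now consulting the CRL: prints "yes" once revoked.
is_revoked() {
  if openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" -crl_check \
        "$WORK/client.crt" >/dev/null 2>&1
  then echo no; else echo yes; fi
}

# Stand-alone run: `sh cert_auth_demo.sh demo`
if [ "${1:-}" = "demo" ]; then
  build_pki
  echo "identity (SAN):        $(cert_identity)"
  echo "signature algorithm:   $(signature_algorithm)"
  echo "valid for clientAuth:  $(verify_client sslclient)"
  echo "valid for serverAuth:  $(verify_client sslserver)"
  echo "revoked before revoke: $(is_revoked)"
  revoke_client
  echo "revoked after revoke:  $(is_revoked)"
fi
```

Two details carry the security point. First, `-purpose sslclient` is the scoped check: the same certificate is rejected for `sslserver` because its EKU says clientAuth only, so a stolen client certificate cannot be turned into a server identity. Second, `is_revoked` answers "no" right up until the CRL is regenerated; a relying party that never fetches the CRL (or ignores a fetch failure) would keep answering "no" forever, which is why revocation must be wired into the verifier, not just performed at the CA. OCSP is the per-serial alternative to the CRL and is not shown here.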
There are various mitigation strategies to protect against certificate-based vulnerabilities, including but not limited to the following (Digicert, GoTeleport):
- Deciding on certificate validity periods and a replacement schedule
- Protecting private keys
- Using certificate revocation, as discussed above
- Following cryptography best practices
- Avoiding collision attacks by steering clear of weak hashing algorithms like MD5 and SHA-1
- Implementing full certificate verification with scoped attributes
- Configuring proper access control for certificate templates
- Enabling manager approval (where reasonable)
- Requiring authorized signatures
- Ensuring secure PKI object access control
- Enforcing HTTPS on, or disabling, HTTP-based enrollment interfaces
- Auditing the AD CS architecture and certificate templates regularly
Additionally, after a compromise, resetting passwords and reimaging affected machines is not enough on its own: certificates tied to the compromised accounts must be revoked, because a stolen certificate remains a valid credential until it is revoked or expires. Tools such as PSPKIAudit, and its Get-CertRequest cmdlet for pulling issued-certificate request records from the CA database, help triage which certificates were issued to compromised accounts and reveal the weak points in an organization's PKI that attackers repeatedly target (GoTeleport, RedFoxSec, Digicert).
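Three items in the list above (access control for templates, manager approval, and authorized signatures) can be checked mechanically, because each is a setting on the template object in Active Directory. The following is an added example, not code from the article or from PSPKIAudit or any other cited source. It reads certificate-template attributes as LDIF, the way ldapsearch prints them, and reports templates where an enrollee may supply the subject name (msPKI-Certificate-Name-Flag bit 0x1), no manager approval is required (msPKI-Enrollment-Flag bit 0x2 clear), no authorized signature is required (msPKI-RA-Signature is 0), and the EKU list allows authentication. The directory host and base DN in the usage comment are assumed, and SAMPLE_LDIF is constructed data whose values mirror real template flag encodings.

```sh
#!/bin/sh
# Added example: flag AD CS templates that let a requester choose the identity
# in a certificate with no human approval, for an authentication EKU.
# The ldapsearch host/base DN below are assumed; SAMPLE_LDIF is constructed.
#
# Live use (ldif-wrap=no keeps long DN lines on one line):
#   ldapsearch -LLL -o ldif-wrap=no -H ldap://dc01.corp.example \
#     -D 'audit@corp.example' -W \
#     -b 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example' \
#     '(objectClass=pKICertificateTemplate)' cn msPKI-Certificate-Name-Flag \
#     msPKI-Enrollment-Flag msPKI-RA-Signature pKIExtendedKeyUsage | audit_templates

audit_templates() {   # reads LDIF on stdin, prints one risky template name per line
  awk '
  function bit(v, b) {                 # LDAP prints 32-bit flags as signed ints
    if (v < 0) v += 4294967296
    return int(v / b) % 2
  }
  BEGIN {
    RS = ""; FS = "\n"                 # one LDIF entry per record
    AUTH["1.3.6.1.5.5.7.3.2"] = 1      # clientAuth
    AUTH["1.3.6.1.4.1.311.20.2.2"] = 1 # Smart Card Logon
    AUTH["1.3.6.1.5.2.3.4"] = 1        # PKINIT client authentication
    AUTH["2.5.29.37.0"] = 1            # anyExtendedKeyUsage
  }
  {
    name = ""; nf = 0; ef = 0; ra = 0; auth = 0; ekus = 0
    for (i = 1; i <= NF; i++) {
      p = index($i, ": "); if (p == 0) continue
      k = substr($i, 1, p - 1); v = substr($i, p + 2)
      if (k == "cn") name = v
      else if (k == "msPKI-Certificate-Name-Flag") nf = v + 0
      else if (k == "msPKI-Enrollment-Flag") ef = v + 0
      else if (k == "msPKI-RA-Signature") ra = v + 0
      else if (k == "pKIExtendedKeyUsage") { ekus++; if (v in AUTH) auth = 1 }
    }
    if (ekus == 0) auth = 1            # no EKU at all means usable for any purpose
    if (name != "" && bit(nf, 1) && !bit(ef, 2) && ra == 0 && auth) print name
  }'
}

# Constructed sample. "User" carries the flag values of the built-in template
# (0xA6000000 prints as a negative number; enrollment flag 41 = 0x29).
SAMPLE_LDIF='dn: CN=WebUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
cn: WebUser
msPKI-Certificate-Name-Flag: 1
msPKI-Enrollment-Flag: 0
msPKI-RA-Signature: 0
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2

dn: CN=ApprovedUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
cn: ApprovedUser
msPKI-Certificate-Name-Flag: 1
msPKI-Enrollment-Flag: 2
msPKI-RA-Signature: 0
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2

dn: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
cn: User
msPKI-Certificate-Name-Flag: -1509949440
msPKI-Enrollment-Flag: 41
msPKI-RA-Signature: 0
pKIExtendedKeyUsage: 1.3.6.1.4.1.311.10.3.4
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.4
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2

dn: CN=CodeSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
cn: CodeSigning
msPKI-Certificate-Name-Flag: 1
msPKI-Enrollment-Flag: 0
msPKI-RA-Signature: 0
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.3

dn: CN=LegacyAny,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
cn: LegacyAny
msPKI-Certificate-Name-Flag: 1
msPKI-Enrollment-Flag: 0
msPKI-RA-Signature: 0'

# Stand-alone run: `sh template_audit.sh demo` prints WebUser and LegacyAny.
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LDIF" | audit_templates
fi
```

Of the five constructed templates only WebUser and LegacyAny are reported: ApprovedUser has manager approval turned on, the built-in User template builds the subject from the directory rather than the request, and CodeSigning cannot be used to authenticate. The script reads flags only; it does not decode the template's nTSecurityDescriptor, so a reported template still has to be checked against who is allowed to enroll in it, which is the access-control item in the list above.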
Benefits and Drawbacks of Certificate-based Authentication
There are various benefits to using certificate-based authentication in different environments: stronger verification of authorized devices and users, flexibility in implementation, ease of use (nothing for the user to type or remember), and simplified certificate management through dedicated platforms (GlobalSign, GlobalSign). Drawbacks include the cost of a certificate management platform, the security-versus-convenience trade-offs that still have to be decided, and the complexity of building certificate provisioning into IoT device manufacturing processes (GlobalSign, Microsoft).
Common challenges in implementing and managing certificate-based authentication include outages and breaches when certificates are not managed properly (an expired or forgotten certificate takes a service down; an unrevoked one keeps an attacker in), the complexity of administering PKI for IT departments already under significant pressure, and the need to issue, deploy, renew, and revoke a certificate for every device and application as the number of connected devices and people in an organization grows (GoTeleport, KeyTOS, Zensar).
Certificate-based authentication stands as a cornerstone in modern cybersecurity, offering robust verification methods through cryptographic techniques like Public Key Infrastructure (PKI). By leveraging digital certificates, organizations can authenticate entities securely, enhancing access management and thwarting common exploits associated with traditional password-based systems. Despite its strengths, certificate-based authentication necessitates diligent management to mitigate vulnerabilities, including those stemming from compromised certificates or PKI components. While challenges persist, such as complexity in administration and integration, the benefits of enhanced security and streamlined authentication processes underscore its significance in safeguarding digital assets and infrastructure. As technology evolves, continual vigilance and adaptation in certificate management remain paramount to ensure resilience against emerging threats and sustain the integrity of authentication systems.
References
- Digicert. What is a Digital Certificate and Why are Digital Certificates. Retrieved from https://www.digicert.com/faq/trust-and-pki/what-is-a-digital-certificate-and-why-are-digital-certificates-important
- Entrust. What is PKI (Public Key Infrastructure)?. Retrieved from https://www.entrust.com/resources/certificate-solutions/learn/what-is-pki
- Forsenergy. Certificate Enrollment Web Service Overview. Retrieved from https://www.forsenergy.com/en-us/certmgr/html/964edfbd-d935-4352-b054-5e3dfe6c547e.htm
- GlobalSign. An Introduction to Certificate-based Authentication. Retrieved from https://www.globalsign.com/en-sg/blog/introduction-certificate-based-authentication
- GlobalSign. Certificate Management: Challenges & Solution. Retrieved from https://www.globalsign.com/en-in/blog/certificate-management-challenges-solution
- GoTeleport. 7 Best Practices for Certificate-Based Authentication. Retrieved from https://goteleport.com/blog/certificate-authentication-best-practices/
- GovLoop. Certificate Authentication is Vulnerable. Retrieved from https://www.govloop.com/community/blog/certificate-authentication-vulnerable/
- KeyTOS. Why You Need a Cloud Based Certificate Authority for Azure IoT Hub. Retrieved from https://www.keytos.io/blog/pki/how-to-set-up-a-cloud-certificate-authority-for-azure-iot.html
- Microsoft. Apply mitigations to help prevent attacks through vulnerabilities. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection?view=o365-worldwide
- Microsoft. Certification Authority Web Enrollment Guidance. Retrieved from https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831649(v=ws.11)
- Microsoft. Troubleshooting PKCS certificate deployment in Intune. Retrieved from https://learn.microsoft.com/en-us/troubleshoot/mem/intune/certificates/troubleshoot-pkcs-certificate-profiles
- Microsoft. Active Directory Certificate Services (AD CS) Introduction. Retrieved from https://social.technet.microsoft.com/wiki/contents/articles/1137.active-directory-certificate-services-ad-cs-overview.aspx
- Microsoft. Certificate Enrollment Web Services in Active Directory Certificate. Retrieved from https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
- Microsoft. Client Certificate Authentication (Part 1) — Microsoft Community Hub. Retrieved from https://techcommunity.microsoft.com/t5/iis-support-blog/client-certificate-authentication-part-1/ba-p/324623
- Network World. How does certificate-based authentication work?. Retrieved from https://www.networkworld.com/article/748294/infrastructure-management-simply-put-how-does-certificate-based-authentication-work.html
- Okta. 5 Identity Attacks that Exploit Your Broken Authentication. Retrieved from https://www.okta.com/resources/whitepaper/5-identity-attacks-that-exploit-your-broken-authentication/
- RedFoxSec. Exploiting Active Directory Certificate Services (AD CS). Retrieved from https://redfoxsec.com/blog/exploiting-active-directory-certificate-services-ad-cs/
- Infosec Institute. Zero-day attacks: Protections, best practices and how to implement them. Retrieved from https://resources.infosecinstitute.com/topics/general-security/zero-day-attacks-protections-best-practices-and-how-to-implement-them/
- Risk Insight. Microsoft ADCS — Abusing PKI in Active Directory Environment. Retrieved from https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/
- Securew2. PEAP Exploit Explained. Retrieved from https://www.securew2.com/blog/peap-exploit-explained
- Security Intelligence. Attacker exploits vulnerability in Active Directory Certificate. Retrieved from https://securityintelligence.com/x-force/attacker-exploits-vulnerability-in-active-directory-certificate-services/
- SSLTrust. Certificate Revocation, How it Works with CRLs or OCSP. Retrieved from https://www.ssltrust.com/blog/how-certificate-revocation-works
- Yubico. What is Certificate-Based Authentication. Retrieved from https://www.yubico.com/resources/glossary/what-is-certificate-based-authentication/
- Zensar. Certificate Management — Challenges and How to Manage Effectively. Retrieved from https://www.zensar.com/insights/blogs/certificate-management-challenges-and-how-manage-effectively/