How To Do A Better Job Protecting Certificates
Ever heard the adage about "everyone's strength is also their greatest weakness?" There is always a downside to every upside. It's like that with Domino certificates. A tough, 128 bit public-key infrastructure that signs code, authenticates users, generates digital signatures and encrypts data. But that hard exterior can't hide a soft under-belly: certificates need passwords to be secured, and the certificates are easily portable. The Certificate Authority (CA) in ND6 addresses the challenge of keeping the certificates from being copied and distributed all over the Internet. So now, it's possible to safeguard a certificate by limiting its access through the CA application. Limiting the rampant distribution of a certificate through the CA is a reasonable resolution, but what about assigning a password? This password thing is tougher with certificates than with user ids.
- Unlike a user ID, which is used by only one person, any number of people (administrators, senior IT staff) may need to access the root or high-level OU certificates
- A certificate password might have been created by an administrator who is no longer employed at the company or agency. It doesn't make much sense to simply ask the certificate creator to remember the password if they might not be around when it needs to be activated.
- It's not a good idea to keep the cert ID (root) available on a network drive. It's recommended to burn a copy and hand it over to be stored off-site, securely. This means that most people end up including a copy of the password with the certificate, trusting the physical storage of the certificate over its password protection.
- Or, if the password is written down and included with the certificate ID, then administrators rely on really simple, default passwords for the root certificate because they need something that can be recalled months or even years later.
- The password needs to be complex, because unlike user ids, they are rarely changed.
Start off by opening up the administration client and choosing "Edit Multiple Passwords" under the Tools/Certification drop menu.
Now, you'll see the requestor box for entering names and their passwords. Guess what? The names are only there as a suggestion--the identity of whoever is accessing the ID is never checked. The concept for multiple passwords is something called "missile-lock," where two people have to enter their own password and the combination of both permits access. The name is merely a reminder of who has a password for the ID. We can use this information to our advantage.
Instead of a prompt for a user's name, how about a question? It's possible to simply put the following sentence into the entry for a name: "What is your favorite color?". Match "blue" as the password and now you have something different. You have a question for an answer you already know. This isn't a bad solution, ask a question for which you know an answer and you don't need to remember some weird password. If I'm the only person who will ever need to access the certificate, then a simply knowledge question is workable--but that's not likely, is it? Other people need to be able to use this certificate, and I'm guessing they have their own favorite color.
In the example I'm showing, I ask the social security number (SSN) of the CIO. That's a piece of information that would not be widely known, but could be easily found within the organization. Now the bar has been raised, the question can refer to information that only a few have access, or is very specific organizational knowledge.
Not good enough? Let's keep raising the standard.
Notice that there is a box for entering the number of required passwords. If I put in "2," then two correct passwords must be entered. In order for me to access the certificate I have to be able to correctly answer two of the questions. Having multiple passwords makes it much tougher to run a dictionary attack against the ID. It's even possible to further increase the difficulty of compromising the certificate.
If I choose "blue," I'm relying on knowledge I possess alone--that makes personal questions pretty reliable. Problem is, personal questions aren't a good enough solution for certificate passwords. Relying on organizational knowledge helps out, because now a wider number of individuals can access the certificate ID. But, it may be too much of a challenge to come up with unique organizational information, or the security level is simply higher for some companies than for others. We can raise the bar one more level.
In the final example, I have a table of random numbers. This table is stored separate from the certificate ID. When I need to use the certificate, I'll need to rely on the table to answer the questions. The values in the table, by themselves, are insufficient to access the ID. I need the questions to ferret out the answers, and unlike questions about color or staff SSNs, there is no indication of what the answer is, as it is stored in the table.
| 678575 | 493740 | 603798 |
| 574844 | 140580 | 090985 |
| 295748 | 508473 | 843030 |
- Use questions for which only you know the answer, and you've created unique passwords that never require being written down, you don't have to struggle to remember, and cannot be compromised
- Use questions that are based in organizational knowledge and only a privledged few will be able to respond.
- For highly secure installations, a password list may be necessary, and the table is a workable solution. The values don't actually reveal the passcodes, until the ID is accessed and the questions guide the administrator.
That's it ! Now you can password protect your certificates, even if the answers are never written down and the IDs need to be accessed by future administrators you have yet to meet.
- 
Comments
I agree with you that I wouldn't want to introduce the complexity of multiple-passwords at all certificate levels. I do think it makes sense for the root, and maybe for a few other high level certs that should be packed off and store offsite.
You bring up some caveats that deserve attention (thank you). I'm never sure how much to say or not in a post. For instance, another problem with multiple-passwords is that if you use them on server IDs, then not all platforms will allow you to install a new server using multiple-password protected server IDs. It's a strange world.
All the best,
Jack
Posted by Jack Dausman At 07:13:30 PM On 05/15/2005 | - Website - |
Nice post. The suggestions on how to secure these certifiers are indeed compelling.
As a developer, there's a down-side to your suggestions. Once a certifier file has had multiple passwords assign it can never again be used programatically, even if it is later assigned a single password.
IMHO these suggestions work fine for root (Organisation) certifiers, but as you go up the chain to OU1, OU2 and OU3 (and yes, there are companies that use optional OU4 certifiers even though they don't exist in a physical sense) then this becomes less attractive.
HAD Software http://www.hadsl.com (hands up - I'm a director company) has a product called FirM - Federated Identity and Resource Management) that automates Notes ID creation using a "hands off" proxy authentication model. Whilst the certifier files and their associated passwords are stored in seperate encrypted repositories, we still need to "know" tha password when creating an ID. As I mentioned, ff the certifier has at any time had multiple passwords we can't use them programatically.
RoyH.
Posted by Roy Holder At 07:28:10 AM On 05/14/2005 | - Website - |