Evaluating certification authority security

A growing number of applications on the Internet are making use of X.509 public key certificates. Examples include security protocols such as SSL (used in web browsers), IPsec (used in firewalls and desktop computers), S/MIME (a secure e-mail protocol), and SET (the electronic commerce credit card transaction protocol). The public key certificates employed by these applications are created by Certification Authorities (CAs), which vouch for the binding of various attributes (e.g., identity) to a public key. Thus the security of these applications depends on the security of the CA function. This paper examines security for CAs. It begins with a characterization of security requirements for CAs and continues with an exploration of the wide range of attacks that can be mounted against CAs. Included are attacks against network communications, against the operating systems used by CAs, "close-in" technical attacks against CA components (including cryptographic modules), and even misbehavior by human operators. The paper concludes with an examination of three approaches to implementing CA cryptographic support functions, analyzing each relative to the attack scenarios developed earlier in the paper.