I've read that using Intermediate CA certificates is more secure because this way the Root CA is offline. So, if the Intermediate is compromised it does not impact the Root CA.

What I understand is doing that:

  1. Allows the CA to revoke the Intermediate CA certificate.
  2. Thus, new server certificates with compromised Intermediate CA certificates are invalidated.
  3. Root CA can issue new Intermediate CA certificates, which in turn can create new server certificates.

But, anyway, the CA must issue new Intermediate CA certificates and revoke the old ones... so the only benefit that I can find is that the CA issues different Intermediate certificates for different purposes.

So the "universe" of compromised certificates is smaller than if the Root CA had signed all of the certificates.

Is that correct? Is there another benefit?

randers
sebelk
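The three steps in the question, replayed with Go's standard crypto/x509 package. This is an added example, not code from the thread: the CA names, hostname and serial numbers are constructed, and a plain set of revoked serials stands in for the CRL the root CA would sign (Go's Verify does not consult CRLs on its own).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent/parentKey; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey, dns ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // fixed inputs: cannot fail
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario replays the thread: a leaf under Intermediate A is trusted; revoking A (the one step that needs the offline root) breaks every leaf below it; a replacement Intermediate B works with the trust store untouched.
func Scenario() (before, afterRevoke, newChain bool) {
	root, rootKey := issue("Example Root CA", true, 1, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)         // the relying party's trust store: only the root, never changed below
	revoked := map[int64]bool{} // constructed stand-in for the CRL the root CA would sign and publish
	trusts := func(leaf, inter *x509.Certificate) bool {
		inters := x509.NewCertPool() // the intermediate travels with the server's chain, not the trust store
		inters.AddCert(inter)
		_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots, Intermediates: inters})
		return err == nil && !revoked[inter.SerialNumber.Int64()]
	}
	interA, keyA := issue("Example Intermediate A", true, 2, root, rootKey)
	leafA, _ := issue("www.example.com", false, 3, interA, keyA, "www.example.com")
	before = trusts(leafA, interA)
	revoked[interA.SerialNumber.Int64()] = true // Intermediate A's key leaks: the root revokes it
	afterRevoke = trusts(leafA, interA)
	interB, keyB := issue("Example Intermediate B", true, 4, root, rootKey)
	leafB, _ := issue("www.example.com", false, 5, interB, keyB, "www.example.com")
	newChain = trusts(leafB, interB)
	return
}

func main() { fmt.Println(Scenario()) } // true false true
```

The roots pool is built once and never touched again: that is the property an offline root buys, since revoking A and issuing B happen entirely on the CA side while every client keeps the same trust anchor.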

3 Answers

Yes, the number of compromised certificates is much larger with a Root Certificate compromise. But it's not just the number of certificates. Getting a new root certificate deployed due to a compromised root is massively more difficult than replacing the certificates whose intermediates are compromised.

For starters, replacing the Root Certificate of a public CA, even in a normal scenario, involves lots of paperwork and audits. In the scenario of a compromised root, the CA needs to convince software vendors (browsers and OS) to re-add their new Root Certificate to the default trust store. In the fallout of a leak, the CA has pretty much lost all the trust that had been built over the years, and vendors would rightly be skeptical about the capability of the CA and the viability of the CA's business going forward. At the very least, vendors would demand re-auditing and lots of additional paperwork before allowing the new Root Certificate Authority.

Vendors then would need to deploy the new trusted Certificate. This is extremely hard to do in a short time. People don't upgrade their browser often enough. Some software like browsers has mechanisms to quickly broadcast revoked root certificates, and some software vendors have processes to rush a release when a critical security vulnerability is found in their product; however, you could be almost sure that they would not necessarily consider adding a new Root to warrant a rush update. Nor would people rush to update their software to get the new Root.

These are in addition to having to re-sign and reissue the certificates.

There were a number of Intermediate certificate compromises (e.g. Comodo) where the CA quickly handled the situation and left without any major consequences. The closest we have ever got to a root certificate compromise of a public CA is DigiNotar. DigiNotar went bankrupt in the weeks following the compromise being made public.

Lie Ryan

Is that correct? Is there another benefit?

An offline Root CA sacrifices convenience to gain security.

But, anyway, the CA must issue new Intermediate CA certificates and revoke the old ones... so the only benefit that I can find is that the CA issues different Intermediate certificates for different purposes.

Yes, in case of a compromised Intermediate, the Root CA must be used to revoke old and issue new certs... however, as you note, we're assuming

the Root CA is offline

so, unlike an Intermediate CA, you can't simply connect over the network, submit the CSR, and get the certificate back. "Offline" in this context usually means "air-gapped." Someone needs to pack the CSR for the new Intermediate onto a USB disk, walk to the server room, sit at the keyboard in front of the Root CA, and perform the operation locally. The new certificate needs to be put on the USB disk and carried back out, then connected to a networked system to allow it to be uploaded to the Intermediate CA.

Doing that when Intermediate certs need updating is not difficult. Doing it in any volume becomes impractical, which is why Root CAs generally don't sign individual certificates.

From that point on, the Intermediate CA begins signing certificate requests, but in online mode - network connections transmit the CSRs, and network connections distribute the certs.

So the difference is that the Intermediate CA is online for fast, convenient servicing of requests. The Root CA is offline for slow, awkward, but more secure servicing of requests. The use of multiple Intermediate CAs allows the "risk" of having the authority online and accessible to be divided into different sets of certificates; the eggs are spread into different baskets.

gowenfawr
  • I hope they're not actually using USB for that. That's probably riskier than a network connection. – CodesInChaos Jun 30 '16 at 14:55
  • @CodesInChaos it's probably not. If the root CA machine (R) is in some local network connected to the internet, compromising any other machine in it will put R at risk of being compromised too. It can be done remotely. If R is behind an air gap and is set up correctly (USB drive is used exclusively for this, it was obtained from a trusted vendor, the system allows it only as storage and disallows any other operations (i.e. execution of code from it), etc.) the only remaining vectors that I see are either a compromised operator or an actual physical attack, both of which are much riskier for the attacker. – Ivan Kolmychek Jun 30 '16 at 15:09
  • Also, the compromised operator way can be mitigated by requiring multiple people to be present during the rare occasions of generation of new intermediate certificates, including some kind of stakeholders of the company, who are interested in the company being all right. And a physical attack is really not discreet and will probably be not only easily noticed, but covered by the press, which will lead to the root CA cert being dropped by most vendors, which leads to its cost becoming zero pretty fast, which leads to a really lame cost-to-benefit ratio for this attack. :) – Ivan Kolmychek Jun 30 '16 at 15:22
  • @CodesInChaos if they are, they'd typically be using a write-blocker when connecting the USB drive to the 'destination', less trusted system. – Gwyn Evans Jun 30 '16 at 17:56
  • @CodesInChaos, rather than get into a detailed discussion of the various methods of air gapping a system, I simply mentioned "having to carry a USB over" as what kids today consider "disconnected"... (although something like Ironkey combined with USB filters is reasonable security for that sort of purpose) – gowenfawr Jun 30 '16 at 18:42
  • @IvanKolmychek "really lame cost-to-benefit ratio of this attack" It depends on the goal of the attack. If the goal is, "make a mess and cause work and problems for everyone," or "bankrupt this company," that might be a success. – jpmc26 Jun 30 '16 at 23:13
  • @jpmc26 oh yes, I've missed that option. Still, the risk of exposure for the attacker is pretty high in this case anyway and is much higher than that of a remote attack. – Ivan Kolmychek Jul 01 '16 at 05:56
  • What would be the problem even if the Root CA is online, anyway they are on our computer hard disk? – Suraj Jain Aug 09 '19 at 03:58
  • What would be the problem even if the Root CA is online, anyway they are on our computer hard disk? Do you mean because they are not exposed (connected over the network for CSR), the private key has far less chance of getting compromised? – Suraj Jain Aug 09 '19 at 04:12
  • @SurajJain the Root CA _public key_ is on our computer hard disks. The Root CA _private key_ is stored on the hard disk of an offline computer at the Certificate Authority; offline so that it has less chance of getting compromised. Yes, that is what I mean, they're not connected over the network for CSR. – gowenfawr Aug 09 '19 at 11:10
So the "universe" of compromised certificates is smaller than if the Root CA had signed all of the certificates.

Sure, you could put it that way. But until the intermediate CA has its certificate revoked (and even after that, it could still be problematic), it could continue to create bad certificates that users will trust. Because revocation isn't great, it probably weakens some of your assumptions about certificate security (this related question is specifically about offline CA revocation).

Also consider this -- with just one root CA, there's just one private key that needs to be protected well. With many intermediate CAs, there are many, many more keys that need to be protected. Then, it's only really as secure as the weakest link.

This makes it difficult to say that having intermediate CAs is more secure.

Fishy
  • No, it's not really about the number of certificates to be protected, but the number vulnerable to each successful attack. There is a degree of protection in numbers. – Pieter Geerkens Jul 01 '16 at 06:35