OWASP AppSec Latam 2013

Public Key Cryptography is a reality in Brazil. For the past three years more than five million digital certificates were issued under the Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil). This number is expected to grow more and more insofar as new applications created for using digital certificates are incorporated in the Brazilian’s everyday life.
A digital certificate is a digital file that binds a public key to a specific subject. It is usually issued by Certificate Authorities (CA), entities that are trusted by the public. The public key is mathematically related to a private key, which is supposed to be kept by (and only by) the subject.
The process of issuing digital certificates is crucial to the Certificate Authority operation. Through it, the digital certificate requesters perform the key pair generation and create a formal request (Certificate Signing Request), which is sent to the CA for validation and certificate file generation (formatted according the X.509 standard).
Important parts of this process take place in the requester/end-user environment, that is, the key pair generation, formal request creation and final installation of the digital certificate into the cryptographic repository. Security is obviously a critical issue in this scenario, mostly because we are dealing with an environment that is not controlled by the certificate authority: the end user’s one.
The purpose of this talk is to describe the path followed by Certisign Certificadora Digital S.A. through the years, searching to improve the digital certificate issuing operations that take place in the end user’s environment, focusing on usability and security. We are going to show the software components adopted, their evolution, problems faced and solutions applied. We are also going to take the opportunity to discuss trends, standards and projects under development in the field.
Emphasis will be placed on the Web Application security issues related to the digital certificate issuing process, since most of the existing Certificate Authorities make use of this kind of application to deliver services to their stakeholders and customers. It keeps representing a challenge to the application developers, as long as Web Browsers and Operating Systems impose a great number of restrictions on the interactions between the web page and cryptographic key repositories. Also, the currently known Web Application vulnerabilities represent an important threat to the end user and to the whole Public Key Infrastructure.