thomascannon.net

Exporting Non-exportable Certificates

The May/June 2009 issue of Hakin9 contained an article I wrote about breaking client-side certificate protection. The article talks about how user certificates are often used for seamless authentication in corporate WiFi installations and that the private key of the certificate is usually marked as non-exportable as a security control. A non-exportable private key means the user or an attacker cannot make a complete copy of the certificate which could be used to authenticate and gain access from a rogue device.

Presented in the article is an approach for reverse-engineering the certificate protection using a debugger to find out where the private key is stored, how it is being accessed and how it is decrypted by the operating system. Some scripts were written to extract the key, transform it, and combine it with the public key to recreate the complete digital certificate. This certificate can then be imported on another device.

Finally, I discussed some additional controls that could be put in place so that the protection of the network is not solely reliant on the client-side protection of the certificate.

Hakin9 is an internationally distributed IT Security magazine and their focus on technical content means they are one of the more interesting around. I highly recommend you either check out their digital version or get a copy of the printed magazine from any good book store.

Update (2010-08-07): they no longer produce the printed version.

Download the Source Code for the article: certexport.zip | 16KB