Exporting Non-exportable Certificates

The May/June 2009 issue of Hakin9 contained an article I wrote about breaking client-side certificate protection on Windows. The article explains how user certificates are often used for seamless authentication in corporate WiFi installations, and that the private key of the certificate is usually marked as non-exportable as a security control. A non-exportable private key means that neither the user nor an attacker can make a complete copy of the certificate, which could otherwise be used to authenticate and gain access from a rogue device.

The article presents an approach for reverse-engineering the certificate protection, using a debugger to find out where the private key is stored, how it is accessed, and how it is decrypted by the operating system. Some scripts were written to extract the key, transform it, and combine it with the public key to recreate the complete digital certificate. This certificate can then be imported on another device.

Finally, I discussed some additional controls that could be put in place so that the protection of the network is not solely reliant on the client-side protection of the certificate.

Side note: Hakin9 is an internationally distributed IT Security magazine. Originally it was quite a good read and was a printed magazine you could pick up in book stores. It went digital-only in 2010 and declined in quality to the point where it became an in-joke in the community.


Download the source code from GitHub or read a copy of the article (pdf).