Exporting Non-exportable Certificates
01 May 2009
The May/June 2009 issue of Hakin9 contained an article I wrote about breaking client-side certificate protection on Windows. The article talks about how user certificates are often used for seamless authentication in corporate WiFi installations, and that the private key of the certificate is usually marked as non-exportable as a security control. A non-exportable private key means that neither the user nor an attacker can make a complete copy of the certificate, which could otherwise be used to authenticate and gain access from a rogue device.
Presented in the article is an approach for reverse-engineering the certificate protection using a debugger to find out where the private key is stored, how it is accessed and how it is decrypted by the operating system. Some scripts were written to extract the key, transform it, and combine it with the public key to recreate the complete digital certificate. This certificate can then be imported on another device.
Finally, I discussed some additional controls that could be put in place so that the protection of the network does not rely solely on the client-side protection of the certificate.