Detection of Malicious Certificates with the ROSCO System

OData support
Dr. Buttyán Levente
Department of Networked Systems and Services

The digital certificates are widespread in the IT domain because with a digital certificate an entity can authorize itself in the public key infrastructure. In case a software vendor publishes a software or an update, one can get an assurance of the fact that the digital signature originates from the vendor’s private key, if his public key has been certified. The checking can be performed by the machine, for example in the case of an automatically installing update. Websites, too, authorize themselves to the user with digital certificates. Currently used browsers contain many integrated digital certificates, which are trusted as such by default.

If a certificate authority is trustworthy, the certificates issued by it shall be trustworthy as well. It may be questionable whether a digital certificate is trustworthy or just looks like it. Recently there were cases when public key infrastructures had been out tricked and successfully used for the execution of cyberattacks.

The purpose of my thesis is designing and developing a software package enabling analysis of digital certificates and filtering of suspicious ones. The ROSCO system developed by the BME CrySys Lab is used by my software to access digital certificates. Signed objects and digital certificates are continuously added to ROSCO. Essentially, the software package developed by myself allows a continuous evaluation of certificates contained in the ROSCO database. This should help the proactive identification of probably malicious certificates and thereby an early detection of attacks.

In the course of my work on the thesis I could get familiarized with the main concepts of the domain, the structure of the certificates and the ROSCO database. I have defined possible anomalies to be found in a certificate which can render it suspicious. Should my software detect a certificate as suspicious, its owner can be notified in order to confirm its legitimacy. The earlier a certificate is detected as fake, the earlier it can be revoked. Consequently, the certificate becomes unacceptable and attackers cannot appear in the role of trusted vendors. The ultimate goal is to disrupt, at the earliest possible, an attack that tries to exploit the weaknesses of the public key infrastructure.


Please sign in to download the files of this thesis.