Microsoft Security Advisory 3.

What is the scope of the advisory?
The purpose of this advisory is to notify customers that the private keys for an SSL/TLS digital certificate for xboxlive. The SSL/TLS certificate could be used to perform man-in-the-middle attacks against Xbox Live customers.

What caused the issue?
The issue was caused by the inadvertent disclosure of private key information for a cryptographic certificate for

Does this update address any other digital certificates?
Yes, in addition to addressing the certificate described in this advisory, this update is cumulative and includes digital certificates described in previous advisories.

What is cryptography?
Cryptography is the science of securing information by converting it between its normal, readable state (called plaintext) and one in which the data is obscured (known as ciphertext). In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext. In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key. However, in a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext.

What is a digital certificate?
In public-key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is a tamperproof piece of data that packages a public key together with information about it: who owns it, what it can be used for, when it expires, and so forth.

What are certificates used for?
Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. Normally you won't have to think about certificates at all. You might, however, see a message telling you that a certificate is expired or invalid. In those cases you should follow the instructions in the message.

What is a certification authority (CA)?
Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.

What is a Certificate Trust List (CTL)?
A trust must exist between the recipient of a signed message and the signer of the message. One method of establishing this trust is through a certificate, an electronic document verifying that entities or persons are who they claim to be. A certificate is issued to an entity by a third party that is trusted by both of the other parties. So, each recipient of a signed message decides if the issuer of the signer's certificate is trustworthy. CryptoAPI has implemented a methodology to allow application developers to create applications that automatically verify certificates against a predefined list of trusted certificates or roots. This list of trusted entities (called subjects) is called a certificate trust list (CTL). For more information, please see the MSDN article, Certificate Trust Verification.

What might an attacker do with these certificates?
An attacker could use these certificates to perform man-in-the-middle attacks against

What is a man-in-the-middle attack?
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.

What is Microsoft doing to help with resolving this issue?
Although this issue does not result from an issue in any Microsoft product, we are nevertheless updating the CTL and providing an update to help protect customers. Microsoft will continue to investigate this issue and may make future changes to the CTL or release a future update to help protect customers.

After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?
For Windows Vista, Windows 7, Windows Server 2. Windows Server 2. R2 systems that are using the automatic updater of certificate trust lists (see Microsoft Knowledge Base Article 2.) Windows 8, Windows 8. Windows RT, Windows RT 8. Windows Server 2. Windows Server 2. R2, Windows 10, and Windows 1. Version 1511 systems, you can check the Application log in the Event Viewer for an entry with the following values:

Source: CAPI2
Level: Information
Event ID: 4112
Description: Successful auto update of disallowed certificate list with effective date: Tuesday, December 1, 2.

For systems not using the automatic updater of certificate trust lists, in the Certificates MMC snap-in, verify that the following certificate has been added to the Untrusted Certificates folder:

Certificate: xboxlive.
Issued by: Microsoft IT SSL SHA2
Thumbprint: 8b 2e 6.

Note: For information on how to view certificates with the MMC snap-in, see the MSDN article, How to View Certificates with the MMC Snap-in.
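The two verification paths described above can be scripted. The following PowerShell is an added example, not part of the advisory. It assumes the event ID reads as 4112, that the Untrusted Certificates folder is the `Disallowed` certificate store, and that the full thumbprint is supplied by the operator, because the value is truncated on this page.

```powershell
# Added example (not from the advisory): check both verification paths.
param(
    # Full thumbprint from the advisory; it is truncated on this page,
    # so it is a required input rather than a literal.
    [Parameter(Mandatory)] [string] $Thumbprint,
    # Event ID as read from the page's "Event ID" value (assumption: 4112).
    [int] $EventId = 4112
)

# Thumbprints are often pasted with spaces; reduce to bare upper-case hex,
# which is the form the Cert: provider exposes.
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($wanted.Length -ne 40) {
    throw "Expected 40 hex digits (SHA-1 thumbprint), got $($wanted.Length)."
}

# Path 1: systems using the automatic updater log a CAPI2 event in the
# Application log when the disallowed certificate list is refreshed.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = $EventId } `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -like '*CAPI2*' } |
            Sort-Object TimeCreated -Descending)

# Path 2: systems without the automatic updater get the certificate placed in
# the Untrusted Certificates folder, which is the "Disallowed" store.
$hits = @(foreach ($store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, NotAfter
})

$result = [pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    AutoUpdateEvents  = $events.Count
    LatestEventTime   = if ($events) { $events[0].TimeCreated }
    LatestEventText   = if ($events) { ($events[0].Message -split "`r?`n")[0] }
    UntrustedStoreHit = $hits.Count -gt 0
    MatchedIn         = $hits.Store -join ', '
    # Either path counts as evidence that the update reached this machine.
    UpdateEvidence    = ($events.Count -gt 0) -or ($hits.Count -gt 0)
}
$result | Format-List
if (-not $result.UpdateEvidence) { exit 1 }
```

Compare the effective date in `LatestEventText` with the date given in the advisory; an older event only shows that an earlier disallowed list was applied.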