SSL Interception on corporate ground – Black Hat or White Hat Hack?
This is a blog entry about a serious security topic: SSL interception, or transitive trust. It is not a blog entry inspired by hype, secrecy or speculation about certain national agencies.
I came across this technology at more than one client site recently, and this theme will proliferate in the future, for sure.
At the end of the blog you will get some very brief hands-on information about what this means for SAP security, the SAP Security Framework (SSF) and the STRUST transaction.
I do not judge right or wrong in security: if there is someone hiding or protecting his assets, then there must obviously be someone trying to get them. As an SAP consultant working in a security context, you are usually confronted with both sides. And if you are working in a corporate world, the assets are in systems and the value is in non-persistent electronic information. I worked for some time on SAP installations in the surroundings of American agencies, so be assured, I know both sides and appreciate and respect both points of view.
SSL Interception and transitive trust
What is “SSL interception”? More precisely, the security topic here is “transitive trust”. If I were a “black hat hacker”, I would call it a “man-in-the-middle attack”: the traditional method of intercepting secure communication by putting yourself in the middle and impersonating client and server to the respective sides. If I were a “white hat hacker”, I would call it corporate security.
There are a few vendors offering appliances (similar to firewalls) that act as “man in the middle” machines, so that all incoming and outgoing SSL traffic can be monitored unencrypted and its payload inspected. Because deciphering and re-ciphering the whole payload stream on the fly would be too “expensive” in processing time, acting as a valid SSL endpoint and start point instead is much more effective. These appliances act as the SSL endpoint: they take all requests for SSL communication, terminate every connection and impersonate the requested server. They then act as “clients” towards the real servers, taking the collected client certificates and impersonating the client to the real endpoint. This means that between the impersonated server endpoint and the “spoofed” client side, the communication is readable in the clear and not encrypted.
This is a very short description of “transitive trust”. There is an excellent (and very long) article from Dell SecureWorks about interceptor appliances and transitive trust.
Is it on your site?
How do you find out whether this is used in the environment of your SAP system? Well, one way is that someone explicitly tells you how the security infrastructure is designed. Or, and this is more often the case, most people involved do not even know how the exact infrastructure or the different new methods of inspection are designed or in place. Fire up your browser, open any kind of HTTPS connection (even Google uses HTTPS these days) and click the “key locked” (padlock) button in your browser.
As a result you will see the usual display of the certificate and the associated root certificate, which is not a well-known root such as a “Verisign ROOT CA” but something like “MyCo ROOT CA”. The associated “Issuer” usually has the word “Interception” in its name (see the certificate details).

In the SAP design of certificates and communication, this SSL interception has real consequences for the configuration of the SAP systems, especially in the area of web services, the SSF framework, the famous transaction STRUST and its key stores. This is also valid for the related SAP Java stack configuration (see SAP Help on STRUST and HTTPS for more explanations). To make this work in STRUST, you need to get the root CA of the local company (MyCo) and the root CA of the target company (RealCo) into STRUST (into the default HTTPS keystore, for example).
The appearance of multiple certificates is another sign of a security design built on interception. This is already a long blog post, yet it could only be very brief about everything; check the web links for more details. As always with serious security, you need to Google a little more than usual to get the details.
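As an added example (not code from the original post), the following Python script automates the padlock check described above against a certificate chain in the format Python's `ssl` module returns from `getpeercert()`, and reports which root CA an SAP STRUST keystore would have to hold. The sample chains, the corporate name “MyCo”, the “Public Trust Inc” placeholder for a public root and the heuristic of looking for “Interception” in the issuer name are assumptions built from the post's description, not from any vendor's product.

```python
"""Detect a corporate SSL interception (transitive trust) proxy from a
certificate chain and report the root CA an SAP STRUST keystore would
need to trust.  Added example, not from the original blog post."""
import socket
import ssl

# Placeholder for the organisations behind well-known public roots.
# Constructed for this example; a real policy would consult the system
# trust store instead of a hard-coded set.
PUBLIC_ROOT_ORGS = {"Public Trust Inc"}


def rdn_lookup(name, attr):
    """Return one attribute (e.g. 'commonName') from a getpeercert()-style
    name: a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify_chain(chain, corporate_org):
    """chain: getpeercert()-style dicts, leaf first, root last.
    Returns the interception verdict, the indicators that triggered it,
    and the root CA subject STRUST would have to hold (the post's 'MyCo
    ROOT CA' in an intercepted environment)."""
    leaf = chain[0]
    # The issuer of the last element names the root whether the chain is
    # complete (self-signed root: issuer == subject) or only the leaf.
    root_name = chain[-1]["issuer"]
    issuer_cn = rdn_lookup(leaf["issuer"], "commonName") or ""
    root_org = rdn_lookup(root_name, "organizationName") or ""
    root_cn = rdn_lookup(root_name, "commonName") or ""

    indicators = []
    if "interception" in issuer_cn.lower():
        indicators.append("issuer CN mentions interception")
    if root_org == corporate_org:
        indicators.append("root CA belongs to the local company, not a public CA")
    if root_org not in PUBLIC_ROOT_ORGS and root_org != corporate_org:
        indicators.append("root CA is neither a known public CA nor the local CA")
    return {"intercepted": bool(indicators),
            "indicators": indicators,
            "root_to_trust": root_cn}


def fetch_live_chain(host, port=443):
    """Live use (needs network; not exercised here): fetch the leaf
    certificate of an HTTPS endpoint the way the browser padlock does.
    The standard library hands back only the leaf, so the verdict rests
    on its issuer field."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return [tls.getpeercert()]


# Constructed sample chains in getpeercert() layout.
# Intercepted: leaf -> MyCo interception CA -> MyCo ROOT CA (self-signed).
INTERCEPTED_CHAIN = [
    {"subject": ((("commonName", "www.realco.example"),),),
     "issuer": ((("organizationName", "MyCo"),),
                (("commonName", "MyCo SSL Interception CA"),))},
    {"subject": ((("organizationName", "MyCo"),),
                 (("commonName", "MyCo SSL Interception CA"),)),
     "issuer": ((("organizationName", "MyCo"),),
                (("commonName", "MyCo ROOT CA"),))},
    {"subject": ((("organizationName", "MyCo"),),
                 (("commonName", "MyCo ROOT CA"),)),
     "issuer": ((("organizationName", "MyCo"),),
                (("commonName", "MyCo ROOT CA"),))},
]
# Direct: leaf -> public intermediate, root known from its issuer field.
DIRECT_CHAIN = [
    {"subject": ((("commonName", "www.realco.example"),),),
     "issuer": ((("organizationName", "Public Trust Inc"),),
                (("commonName", "Public Trust Issuing CA"),))},
    {"subject": ((("organizationName", "Public Trust Inc"),),
                 (("commonName", "Public Trust Issuing CA"),)),
     "issuer": ((("organizationName", "Public Trust Inc"),),
                (("commonName", "Public Trust Global Root"),))},
]

if __name__ == "__main__":
    for label, chain in (("intercepted", INTERCEPTED_CHAIN), ("direct", DIRECT_CHAIN)):
        print(label, classify_chain(chain, "MyCo"))
```

For a real check, replace the constructed chain with `fetch_live_chain("www.realco.example")`; the `root_to_trust` value is the certificate you would import into the STRUST HTTPS keystore, alongside the target company's own root as the post describes.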