This research investigates the intricacies of X.509 certificates within a comprehensive corporate infrastructure. Spanning over two decades, the examined enterprise has heavily depended on its internal certificate authority and Public Key Infrastructure (PKI) to uphold its data and systems security. With the broad application of these certificates, from personal identification on smart cards to device and workstation authentication via Trusted Platform Modules (TPM), our study seeks to address a pertinent question on how prevalent are weak RSA keys within such a vast internal certificate repository. Previous research focused primarily on key sets publicly accessible from TLS and SSH servers or PGP key repositories. On the contrary, our investigation provides insights into the private domain of an enterprise, introducing new dimensions to this problem. Among our considerations are the trustworthiness of hardware and software solutions in generating keys and the consequential implications of identified vulnerabilities on organizational risk management. The obtained results can contribute to enhancing security strategies in enterprises.

Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman, “Analysis of the HTTPS certificate ecosystem,” in Proceedings of the 2013 conference on Internet measurement conference, in IMC ’13. New York, NY, USA: Association for Computing Machinery, Oct. 2013, pp. 291–304. doi: 10.1145/2504730.2504755.

M. Hastings, J. Fried, and N. Heninger, “Weak Keys Remain Widespread in Network Devices,” in Proceedings of the 2016 Internet Measurement Conference, in IMC ’16. New York, NY, USA: Association for Computing Machinery, Nov. 2016, pp. 49–63. doi: 10.1145/2987443.2987486.

A. K. Lenstra, J. P. Hughes, M. Augier, J. W. Bos, T. Kleinjung, and C. Wachter, “Ron was wrong, Whit is right.” Accessed: Apr. 26, 2023. [Online]. Available: https://eprint.iacr.org/undefined/undefined

L. M. Kohnfelder, “Towards a practical public-key cryptosystem.,” Thesis, Massachusetts Institute of Technology, 1978. Accessed: Aug. 24, 2023. [Online]. Available: https://dspace.mit.edu/handle/1721.1/15993

N. Serrano, H. Hadan, and L. J. Camp, “A Complete Study of P.K.I. (PKI’s Known Incidents).” Rochester, NY, Jul. 23, 2019. doi: 10.2139/ssrn.3425554.

N. van der Meulen, “DigiNotar: Dissecting the First Dutch Digital Disaster,” J. Strateg. Secur., vol. 6, no. 2, Jul. 2013, doi: http://dx.doi.org/10.5038/1944-0472.6.2.4.

Z. Dong, K. Kane, and L. J. Camp, “Detection of Rogue Certificates from Trusted Certificate Authorities Using Deep Neural Networks,” ACM Trans. Priv. Secur., vol. 19, no. 2, pp. 1–31, Sep. 2016, doi: 10.1145/2975591.

J. Amann, O. Gasser, Q. Scheitle, L. Brent, G. Carle, and R. Holz, “Mission accomplished? HTTPS security after diginotar,” in Proceedings of the 2017 Internet Measurement Conference, in IMC ’17. New York, NY, USA: Association for Computing Machinery, Nov. 2017, pp. 325–340. doi: 10.1145/3131365.3131401.

Q. Scheitle et al., “A First Look at Certification Authority Authorization (CAA),” ACM SIGCOMM Comput. Commun. Rev., vol. 48, no. 2, pp. 10–23, May 2018, doi: 10.1145/3213232.3213235.

M. Nemec, M. Sys, P. Svenda, D. Klinec, and V. Matyas, “The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, in CCS ’17. New York, NY, USA: Association for Computing Machinery, Oct. 2017, pp. 1631–1648. doi: 10.1145/3133956.3133969.

S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage, “When private keys are public: results from the 2008 Debian OpenSSL vulnerability,” in Proceedings of the 9th ACM SIGCOMM conference on Internet measurement, in IMC ’09. New York, NY, USA: Association for Computing Machinery, Nov. 2009, pp. 15–27. doi: 10.1145/1644893.1644896.

D. J. Bernstein, N. Heninger, and T. Lange, “FactHacks: RSA factorization in the real world”.

Z. Durumeric, E. Wustrow, and J. A. Halderman, “{ZMap}: Fast Internet-wide Scanning and Its Security Applications,” presented at the 22nd USENIX Security Symposium (USENIX Security 13), 2013, pp. 605–620. Accessed: Aug. 25, 2023. [Online]. Available: https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/durumeric

Y. Zhang et al., “Rusted Anchors: A National Client-Side View of Hidden Root CAs in the Web PKI Ecosystem,” in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, in CCS ’21. New York, NY, USA: Association for Computing Machinery, Nov. 2021, pp. 1373–1387. doi: 10.1145/3460120.3484768.

K. W. Hamlen, V. Mohan, M. M. Masud, L. Khan, and B. Thuraisingham, “Exploiting an antivirus interface,” Comput. Stand. Interfaces, vol. 31, no. 6, pp. 1182–1189, Nov. 2009, doi: 10.1016/j.csi.2009.04.004.