In august, Red Hat informed that some packages of OpenSSH have been illegally signed. An intruder succeeded to penetrate Red Hat’s IT infrastructure and to access the signing computer of Red Hat. Thus, he succeeded to sign his/her own variants of OpenSSH. There was no evidence that they leaked out. Nevertheless, Red Hat provided tools to detect these variants and issued a new clean version signed with a new signature key. the old one will be revoked.
This is extremely serious. Today, most trust models are based on the assumption that the access to signing key is secured. Three main events may shatter this assumption for company X:
– company X’s private key leaks out. Then Alice, Bob, Eve are able to sign on the behalf of company X
– Alice is able to get company X to sign without controlling the data
– Alice is able to get a trusted certification authority to issue a digital certificate with the name of company X. Then Alice can impersonate company X. This is what happened in March 2001 with Verisign and Microsoft (see http://news.cnet.com/2100-1001-254586.html.
In this case, it is second attack.
Signature key is the core of many security system. It is the most important asset to protect. Red Hat probably protected correctly it (there is no evidence that the key leaked out), but not its usage. Security policy definition and implementation is a big problem.