Monday the 13th of January Brian Krebs published on his blog that he had sources telling him that the day after, Microsoft would release software updates that would fix a vulnerability in the Windows Crypto API.

1月13日星期一，布莱恩·克雷布斯(Brian Krebs)在他的博客上发表了消息，他说有消息说，第二天，微软将发布可修复Windows Crypto API中漏洞的软件更新。

And indeed, the day after on the 14th of January, NSA released a cybersecurity advisory that disclosed a vulnerability in the crypto API. This vulnerability allowed an attacker to defeat the certificate validation in Windows 10 and it would affect TLS, code signing etc.

确实，在1月14日之后的第二天，NSA发布了一份网络安全公告，其中披露了加密API中的漏洞。 此漏洞使攻击者无法通过Windows 10中的证书验证，这会影响TLS，代码签名等。

Less than 24 hours later, security researcher Salim Rashid published a proof of concept on his twitter account showing that he successfully “rick rolled” github.com and nsa.gov using a custom-made CA certificate.

不到24小时后，安全研究员Salim Rashid在其Twitter帐户上发布了概念证明，表明他使用定制的CA证书成功地“ rickrick”了github.com和nsa.gov。

Shortly after this, Ollypwn aka. Oliver Lyak, a security researcher from Denmark, published a proof of concept exploit on GitHub for anyone to use. And what struck the world was that the exploit consisted of less than 10 rows of code and anyone could do it.

此后不久，又名Ollypwn。 来自丹麦的安全研究员Oliver Lyak在GitHub上发布了概念证明漏洞，供任何人使用。 震惊世界的是，该漏洞利用不到10行代码，任何人都可以做到。

For the rest of this blog post I’m going to try to explain how this vulnerability works on a very high level, and point out why this exploit is extremely powerful.

对于本博文的其余部分，我将尝试解释此漏洞的工作原理，并指出为什么此漏洞利用非常强大。

CA证书 (CA Certificates)

Let’s start by looking at what a basic CA Certificate consists of. These types of certificates are used to sign other certificates, as a form of trust. You have a certificate and you let a well-known certificate authority (CA) sign your certificate. By signing, they sort of “vouch” that you are who you claim to be.

让我们从基本的CA证书组成。 这些类型的证书用于签署其他证书，作为一种信任形式。 您有一个证书，并且让知名的证书颁发机构(CA)对您的证书进行签名。 通过签名，他们可以“证明”您的身份。

A typical CA certificate contains information such as the subject (who issued it), for how long it is valid, a key usage (what the key is used for), a public key and a declaration of what type of algorithm that is used in the CA certificate.

典型的CA证书包含以下信息：主题(颁发证书的人)，证书的有效期限，密钥用法(密钥的用途)，公共密钥以及在其中使用的算法类型的声明。 CA证书。

Two of the most common types of algorithms used are Elliptic Curve and RSA. It’s important to know that CVE 2020–0601 aka. Curveball only affects Elliptic Curve certificates. RSA type CA certificates are unaffected.

使用的两种最常见的算法类型是椭圆曲线和RSA。 重要的是要知道CVE 2020–0601又名。 Curveball仅影响椭圆曲线证书。 RSA类型的CA证书不受影响。

Elliptic curve is a mathematical concept used in cryptology. There are many different types of mathematical curves that can be used when using Elliptic curve cryptography so each elliptic curve certificate must include what type of curve that was used in the specified certificate.

椭圆曲线是密码学中使用的数学概念。 使用椭圆曲线密码术时，可以使用许多不同类型的数学曲线 ，因此每个椭圆曲线证书必须包括在指定证书中使用的曲线类型。

Each curve is made up a series of parameters called p, a, b, G etc. and by declaring that we want a predefined curve like secp256r1, these values (p, a, b, G) will be set for us automatically, and our certificate will use that specified curve.

每条曲线均由一系列称为p ， a ， b， G等的参数组成，并且通过声明我们想要像secp256r1这样的预定义曲线，这些值(p，a，b，G)将自动为我们设置，并且我们的证书将使用该指定曲线。

Sometimes you want to use a custom curve or a “not yet implemented” curve and to do so you can include all the needed parameters in the CA Certificate directly instead of defining a predefined curve.

有时，您想使用自定义曲线或“尚未实现”的曲线，而您可以直接在CA证书中包括所有需要的参数，而不用定义预定义的曲线。

Curve: parameters p/a/b/G

When Microsoft implemented the functionality, that you can supply your own parameters to represent an elliptic curve, that’s when the vulnerability CVE 2020–0601 got introduced into Windows 10.

当Microsoft实施该功能时，您可以提供自己的参数来表示椭圆曲线，这就是Windows 10中引入了漏洞CVE 2020–0601的时候。

证书用法 (Certificate Usages)

Before we can investigate how to exploit CVE 2020–0601, we need to first talk a little about how certificates are used in the real world. We are going to look at one way of using certificates to enforce trust, and that is when requesting websites.

在研究如何利用CVE 2020–0601之前，我们需要首先谈谈证书在现实世界中的使用方式。 我们将研究一种使用证书来加强信任的方法，那就是在请求网站时。

Windows 10 provides a library applications can use to verify certificates. This library is called crypt32.dll and it is here the vulnerability was discovered. Any windows application — such as web browsers, file transfer tools or email clients — that rely on this library, to verify cryptographic signatures, may be affected by CVE 2020–0601.

Windows 10提供了一个库应用程序可以用来验证证书的库。 该库称为crypt32.dll ，在这里发现了漏洞。 CVE 2020–0601可能会依赖该库来验证密码签名的任何Windows应用程序(例如Web浏览器，文件传输工具或电子邮件客户端)都可能受到影响。

A majority of trusted sites on the internet have their own signed certificate. This is used to verify that, when we request something on the internet, we get it from the actual place we requested it from. It’s to prevent things like man-in-the-middle attacks, fake websites etc.

互联网上的大多数受信任站点都有自己的签名证书。 这用于验证当我们在Internet上请求某项内容时，是否从请求的实际位置获得了该内容。 这是为了防止中间人攻击，假冒网站等行为。

Let’s say we would like to make a connection to youtube.com. As we request to connect to their website, they will first send over their own certificate (that is signed by some CA). Then they will also send over the root CA that signed their certificate (the certificate that vouches that they are who they claim to be).

假设我们要与youtube.com建立连接。 当我们请求连接到他们的网站时，他们将首先发送自己的证书(由某些CA签名)。 然后，他们还将发送签署证书的根CA(证明自己是谁的证书)。

The browser will first verify the signature using the crypt32 library provided by Windows. Then the same library will check against an internal registry that contains many predefined trusted root CA’s, that the CA certificate youtube.com sent us is from someone whom Windows trusts.

浏览器将首先使用Windows提供的crypt32库来验证签名。 然后，同一库将检查内部注册表，该注册表包含许多预定义的受信任的根CA，即youtube.com向我们发送的CA证书来自Windows信任的人。

If all verifications go well, a secure connection is established and for future requests, crypt32 in Windows will cache the sent root CA so that it can speed up subsequent requests.

如果所有验证都顺利进行，则将建立安全连接，并且对于将来的请求，Windows中的crypt32将缓存已发送的根CA，以便加快后续请求的速度。

It is here, after caching, that a vulnerability exists that lets an attacker produce a malicious CA certificate that in turn will be trusted by Windows.

在缓存之后，这里就是一个漏洞，攻击者可以利用该漏洞生成一个恶意的CA证书，而该证书又将被Windows信任。

漏洞 (The Vulnerability)

If we investigate how crypt32 in Windows verifies CA certificates in its cache, it goes through all cached certificates and checks if the public key in the provided CA certificate matches any of the cached CA certificates public key.

如果我们调查Windows中的crypt32如何验证其缓存中的CA证书，它将遍历所有缓存的证书并检查提供的CA证书中的公钥是否与任何缓存的CA证书公钥匹配。

What it on the other hand doesn’t do is verifying that both certificates are using the same type of curve. If we manage to guess the curve and the private key, we can successfully produce a fake CA certificate that we can use to sign other certificates and it is game over.

另一方面，它没有做的是验证两个证书都使用相同类型的曲线。 如果我们设法猜测曲线和私钥，则可以成功生成一个伪造的CA证书，该证书可用于对其他证书进行签名，并且已经结束了。

But before we can produce a fake CA certificate we need to know a bit more about Elliptic Curve cryptology.

但是在产生伪造的CA证书之前，我们需要进一步了解椭圆曲线密码学。

椭圆曲线基础 (Elliptic Curve Basics)

So, what is Elliptic curve cryptography, or ECC for short? It a type of cryptology in a category called asymmetric cryptology. In asymmetric cryptology you have a Public Key and Private Key. The public key can be exposed publicly, and anyone can use it to encrypt things. But the private key is the only thing that can decrypt whatever was encrypted with that particular public key.

那么，什么是椭圆曲线密码术或简称ECC？ 它是非对称密码学类别中的一种密码学。 在非对称密码学中，您具有公共密钥和私有密钥 。 公钥可以公开公开，任何人都可以使用它来加密事物。 但是私有密钥是唯一可以解密使用该特定公共密钥加密的内容的东西。

It’s very common that you share and store the public key widely across the Internet so that if someone needs to communicate encrypted with you, they can use your public key and then only you with the matching private key will be able to decrypt the message (Quite good right?).

通常，您广泛地在Internet上共享和存储公共密钥，这样，如果某人需要与您进行加密通信，他们就可以使用您的公共密钥，然后只有具有匹配私钥的您才能解密邮件(非常好吧？)。

Well we talked a bit before about a set of predefined elliptic curves that you can choose from when generating a CA certificate. These curves are built up by a set of predefined values called P, a, b etc. If we define these values in a specific formula, we get an elliptic curve.

好吧，我们之前谈到了一组预定义的椭圆曲线，您可以在生成CA证书时从中选择。 这些曲线由一组称为P ， a，b等的预定义值建立。 如果在特定公式中定义这些值，则会得到椭圆曲线。

To start generating a public and private key from this curve we first need to define a starting point on the curve, we can call this starting point G (the generator). From this starting point we then start jumping around on the graph “n” number of times.

要开始从此曲线生成公共和私有密钥，我们首先需要在曲线上定义一个起点，我们可以将此起点称为G (生成器)。 从这个起点开始，我们开始在图表“ n”上跳来跳去的次数。

I’m not going to explain how we jump around on the curve because it’s quite complicated and there is an entire wiki page describing just this so we will leave that out for now. But what you should know is that by jumping around millions, or even billions of times on the curve will result in a series of dots (when you remove the curve) and this will end up as a very large factor. Let’s call this factor “x”. In the end we end up with a simple formula x * G (starting point multiplied by our factor).

我不会解释我们如何在曲线上跳动，因为它非常复杂，并且整个Wiki页面都对此进行了描述，因此我们暂时将其省略。 但是您应该知道的是，通过在曲线上跳跃数百万甚至数十亿次将导致一系列点(当您删除曲线时)，并且最终将成为很大的因素。 我们将此因子称为“ x” 。 最后，我们得到一个简单的公式x * G (起点乘以我们的系数) 。

This formula will be equal something so let’s add that to, so we end up with something like:

这个公式等于什么，所以我们加一下，最后得到这样的东西：

Where G is our starting point on the graph, x is the result of us jumping around, and the product is Q.

其中G是图中的起点， x是我们跳来跳去的结果，乘积是Q。

When defined, x in this formula is our private key and Q our public key. And as mentioned before our public key we can send to anyone, but how we got the result (x and G) is our “secret sauce” that no one can know anything about.

定义后，此公式中的x是我们的私钥 ，Q是我们的公钥 。 正如我们在公开密钥之前提到的，我们可以发送给任何人，但是我们如何获得结果(x和G)是我们的“秘密调味料”，没人知道。

Trying to derive the key by flipping the formula is what is known as the Discrete Logarithm Problem and is known to be a very difficult problem so that is not a possibility when trying to reverse engineer the private key.

试图通过翻转公式来推导密钥是所谓的离散对数问题 并且众所周知这是一个非常困难的问题，因此在尝试对私钥进行反向工程时这是不可能的。

So, for the time being this feels pretty secure, right?

因此，暂时感觉很安全，对吧？

CVE 2020–0601 (CVE 2020–0601)

With this knowledge as a prerequisite this is where CVE 2020–0601 comes into play. Since Windows does not verify the curve provided in the certificates, we can provide these parameters and create a malicious certificate based on this simple math.

以此知识为前提，这就是CVE 2020–0601发挥作用的地方。 由于Windows不会验证证书中提供的曲线，因此我们可以提供这些参数，并基于此简单数学来创建恶意证书。

Since we can control the parameters, how about we set the private key to something like 20, or 100 or just something simple…. like the number 1?

由于我们可以控制参数，因此如何将私钥设置为20或100之类的值，或者只是简单的…。 喜欢数字1吗？

This will result in our public key being equal to our starting point on the graph, and just like that we have the two secrets parameters, just from knowing the public key!

这将导致我们的公钥等于我们在图形上的起点，就像我们拥有两个秘密参数一样，仅是从了解公钥开始！

With all this information we can now forge any Elliptic Curve certificate just by acquiring the public key. Here’s an example. We acquire a public key say 1234 and we put this into our formula:

利用所有这些信息，我们现在只需获取公共密钥就可以伪造任何椭圆曲线证书。 这是一个例子。 我们获得一个说为1234的公钥，并将其放入公式中：

And by using this information, we can then generate a valid CA certificate that we control!

通过使用此信息，我们可以生成一个我们控制的有效CA证书！

So to recap:

因此，回顾一下：

Just by acquiring the public key from any source we can then generate a fully valid malicious CA certificate that we can use to sign any other certificate. This certificate will then be trusted by Windows 10 because it will pass the check against it’s certificate cache.

只需从任何来源获取公钥，我们就可以生成完全有效的恶意CA证书，我们可以使用该证书对其他任何证书进行签名。 然后，Windows 10将信任此证书，因为它将通过对其证书缓存的检查。

Ollypwn的概念证明 (Ollypwn’s Proof Of Concept)

Oliver Lyak demonstrates this in a Github repository how to exploit the vulnerability by generating a false CA certificate and then proceeds to demonstrate how it can be used to sign other certificates, or sign code as “trusted”.

Oliver Lyak在Github存储库中演示了如何通过生成虚假的CA证书来利用此漏洞，然后继续演示如何将其用于签名其他证书或将代码签名为“受信任”。

The code below is taken from his example.

下面的代码摘自他的示例 。

require ‘openssl’# Read file provided in the first argumentraw = File.read ARGV[0]# Parse the file as a certificateca = OpenSSL::X509::Certificate.new(raw)# Extract the public keyca_key = ca.public_key# Set a private key to 1ca_key.private_key = 1# Get the group parameters that contains the curvegroup = ca_key.group# Set the generator parameters (G in our formula) to the public keygroup.set_generator(ca_key.public_key, group.order, group.cofactor)# Ensure we are sending explicit parameters and not a predefined curvegroup.asn1_flag = OpenSSL::PKey::EC::EXPLICIT_CURVE# Set our new group with our fake generator G’ = Qca_key.group = group# Save this to a file as our new CAFile.open(“spoofed_ca.key”, ‘w’) { |f| f.write ca_key.to_pem }

It first reads in a predefined CA certificate, for example the MicrosoftECCProductRootCertificateAuthority.cer which is the official certificate Microsoft uses to sign many things with.

它首先读取预定义的CA证书，例如MicrosoftECCProductRootCertificateAuthority.cer，这是Microsoft用于与许多事物进行签名的正式证书。

Then it reads out the public key from it and then defines at sets some new custom parameters, generator etc. We can see that the code explicitly sets the private key to 1 and then save it to a new spoofed CA certificate that can be used to sign code or other certificates.

然后，它会从中读取公钥，然后在集合中定义一些新的自定义参数，生成器等。我们可以看到，代码将显式地将私钥设置为1，然后将其保存到新的欺骗性CA证书中，该证书可用于签名代码或其他证书。

This newly generated certificate can be used to act like microsoft and sign other certificates. We essentially can claim that we are Microsoft and vouch for anyone. Extremely powerful.

此新生成的证书可用于像Microsoft一样操作并签署其他证书。 从本质上讲，我们可以宣称我们是Microsoft，并为任何人提供担保。 极其强大。

Ollypwn then continues to demonstrate how to sign some code as “trusted by Microsoft” and also how to generate a website certificate claiming to be issued by www.google.com and then sign this certificate with the crafted “Microsoft” certificate.

然后Ollypwn继续演示如何将某些代码签名为“ Microsoft信任”，以及如何生成声称由www.google.com颁发的网站证书，然后使用精心制作的“ Microsoft”证书对此证书进行签名。

What this all boils down to is that by exploiting CVE 2020–0601 we can claim that we are anyone, and we can vouch for anyone on the internet.

这一切都归结为，通过利用CVE 2020–0601，我们可以宣称自己是任何人，并且可以为互联网上的任何人提供担保。

This in turn can be used to pass firewalls, push fake updates containing malware to any Windows 10 machine claiming we are “Microsoft”. We can for example set up fake websites claiming that we are any of the big companies and we can also develop malicious programs that windows 10 just blindly will trust as “safe software”.

这反过来又可以用来穿过防火墙，将包含恶意软件的虚假更新推送到任何声称我们是“ Microsoft”的Windows 10计算机上。 例如，我们可以建立声称自己是任何大公司的假冒网站，还可以开发恶意程序，Windows 10只是一味地将其视为“安全软件”。

The possibilities are endless, only creativity will stop you and the hackers out there.

可能性是无止境的，只有创造力才能阻止您和黑客。

摘要 (Summary)

This has been a high-level breakdown of CVE 2020–0601 in the Microsoft crypto API that got disclosed to the world on the 14th of January 2020. This text has tried to demonstrate how a simple miss in validation can have a huge impact on the security of the Internet.

这是2020年1月14日向全世界披露的Microsoft加密API中的CVE 2020–0601的高层细分。本文试图证明简单的验证遗漏会如何对验证产生巨大影响。互联网的安全性。

This post has also tried to show how this vulnerability can be exploited to generate malicious CA certificates, that in turn can be used to circumvent a lot of security features, like firewalls, website traffic etc.

这篇文章还试图说明如何利用此漏洞来生成恶意的CA证书，进而可以用来规避许多安全功能，例如防火墙，网站流量等。

Final last word is, always patch your systems…. Always

最后的决定是，始终为您的系统打补丁……。 总是

附录 (Appendix)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-0601

https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

https://twitter.com/saleemrash1d/status/1217495681230954506

https://twitter.com/saleemrash1d/status/1217495681230954506

https://github.com/ollypwn/CurveBall

https://github.com/ollypwn/CurveBall

https://www.secg.org/SEC2-Ver-1.0.pdf

https://www.secg.org/SEC2-Ver-1.0.pdf