Certificate Analysis
Definition
Analyzing Public Key Infrastructure certificates to detect whether they have been misconfigured or spoofed, using network traffic, certificate fields, and third-party logs.
How it works
Certificate Analysis ensures that the data elements of the certificate are current and anchored in a known trust model. Certificate authorities, revocation lists, and third-party secure logs are used in the analysis. Analysis includes detection of server impersonation, phishing domains, and forged certificates.
TLS certificates are designed to expire so that the cryptographic keys are rotated on a regular basis. The certificates in the trust path also expire and can break the trust chain. This means that even if a server certificate has been renewed correctly, an intermediate certificate can expire and the chain from the server certificate to the trust anchor is no longer valid. This can cause services to become unavailable.
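As an added illustration of the expiry point above (example code written for this page, not part of the D3FEND article or any product), this Go program builds a constructed three-certificate chain in which the intermediate has already expired while the server certificate is still current, then runs the analysis: each presented certificate's validity window is checked on its own, and the whole chain is then anchored in a trust store with the standard crypto/x509 verifier. The CA names, host name, dates and keys are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a certificate for cn under parent (self-signed when parent is nil); keys and dates are constructed for the demo.
func issue(cn string, from, to time.Time, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{cn}} // the SAN only matters on the leaf
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// AnalyzeChain reports every presented certificate (leaf first) that is outside its validity window
// at time at, then tries to anchor the chain in roots: a current leaf is not enough when an intermediate has expired.
func AnalyzeChain(presented []*x509.Certificate, roots *x509.CertPool, host string, at time.Time) []string {
	var findings []string
	inters := x509.NewCertPool()
	for i, c := range presented {
		if at.Before(c.NotBefore) || at.After(c.NotAfter) {
			findings = append(findings, c.Subject.CommonName+" outside validity window, expires "+c.NotAfter.Format("2006-01-02"))
		}
		if i > 0 {
			inters.AddCert(c)
		}
	}
	if _, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: at}); err != nil {
		findings = append(findings, "no trust path: "+err.Error())
	}
	return findings
}
// Demo builds a constructed chain whose intermediate expired a week ago while the leaf is still current.
func Demo() []string {
	now := time.Now()
	root, rootKey := issue("Demo Root CA", now.AddDate(-5, 0, 0), now.AddDate(5, 0, 0), true, nil, nil)
	inter, interKey := issue("Demo Intermediate CA", now.AddDate(-3, 0, 0), now.AddDate(0, 0, -7), true, root, rootKey)
	leaf, _ := issue("www.example.test", now.AddDate(0, -1, 0), now.AddDate(0, 2, 0), false, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return AnalyzeChain([]*x509.Certificate{leaf, inter}, roots, "www.example.test", now)
}
```

Demo returns two findings: the intermediate is flagged by its own validity window, and the verifier then reports that no trust path can be built even though the leaf itself is current.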
Technique Subclasses
There are 3 techniques in this category, Certificate Analysis:
| Name | ID | Definition | Synonyms |
|---|---|---|---|
| Certificate Analysis | D3-CA | Analyzing Public Key Infrastructure certificates to detect whether they have been misconfigured or spoofed, using network traffic, certificate fields, and third-party logs. | |
| - Active Certificate Analysis | D3-ACA | Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis. | |
| - Passive Certificate Analysis | D3-PCA | Collecting host certificates from network traffic or other passive sources, such as a certificate transparency log, and analyzing them for unauthorized activity. | |
References
The following references were used to develop the Certificate Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)