How The NSA Published Vulnerability Might Work …

Overall the NSA does not have a strong track record in releasing details of zero-day threats, so when they release a crypto bug, you take notice!

This week, the NSA thus announced a major vulnerability within Window 10, and where users are advised to urgently patch their system:

“This month we addressed the vulnerability CVE-2020–0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems. This vulnerability is classed Important and we have not seen it used in active attacks.” reads a blog post published by Microsoft.

The vulnerability points to a problem with the validation of elliptic curve certificates, and where an attacker could recreate a private key from a trusted public key, and where the private key could be used to sign malicous software.

So let’s think about how this vulnerability could work? Overall with elliptic curve cryptography, we have a key pair, and which has a private key and a public key. The private key is used to sign programs on a system, and then the public key is used to prove the trustworthiness of the program. We then have distributable digital certificates which contain a public key, and which is paired with a private key for the trusted entity.