Compromised credentials have long been APT groups’ favorite tool for gaining, propagating and maintaining access to their victims’ networks. Consequently, aware defenders mitigate this risk by adding additional factors (MFA), so that no single secret is a single point of failure (SPOF). However, the systems’ most lucrative secrets, their “Golden Secrets”, remain a SPOF and are abused in practice by attackers.
Golden secrets sit at the heart of most current authentication systems. These secrets, such as the KRBTGT key for Kerberos or the token-signing private key for SAML, are used to cryptographically secure the issuance of access tokens and protect their integrity. Consequently, they are also attackers’ most lucrative targets: once a golden secret is captured, it allows attackers to issue golden access tokens offline and take full control of the system.
Recently, the SUNBURST attackers were reported to have used stolen private keys to create Golden SAML tokens for accessing victims’ Office 365 environments, and a stolen Duo 2FA “akey” secret to create a golden cookie that bypasses the 2FA access restrictions on certain applications.
In our talk, we will explain the two main issues that have historically prevented defenders from applying the highly effective MFA approach to golden secrets: backward compatibility and the lack of orthogonal additional factors. We will then show how both are solved by our solution, already battle-tested in the cryptocurrency domain.
Specifically, we will show how recent advances in the cryptographic field of threshold signature schemes (TSS) can “split the atom” and break a golden secret into multiple less precious secrets (“lead secrets”) in a fully backward-compatible manner. The orthogonality of these secrets is assured by the solution architecture, which, unintuitively yet securely, requires some of these lead secrets to be deployed on an external service.
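To make the “split the atom” idea concrete, the following is an added illustration written for this page; it is not the talk’s open-source implementation. It assumes a Schnorr-style signature over secp256k1 (the curve behind the cryptocurrency deployments the talk alludes to), a trusted-dealer split of an existing key (the migration case, where the golden secret already exists and is being retired into lead secrets), and a simplified two-round signing protocol that omits the nonce-commitment round and binding factors a production protocol such as FROST adds. The golden key, the message and the 2-of-3 parameters are constructed sample values.

```python
import hashlib
import secrets

# secp256k1 parameters: y^2 = x^3 + 7 over GF(P), base point G of prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # a == -b
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def split_golden_secret(x, t, n):
    """Shamir-split an existing signing key x into n 'lead secrets', any t of
    which can sign together. A dealer is used because the golden secret already
    exists (migration); a fresh deployment would run a DKG so x never exists
    whole. The public key x*G is unchanged, so existing verifiers keep working."""
    coeffs = [x] + [secrets.randbelow(N - 1) + 1 for _ in range(t - 1)]
    shares = [(i, sum(c * pow(i, j, N) for j, c in enumerate(coeffs)) % N)
              for i in range(1, n + 1)]
    return ec_mul(x, G), shares


def lagrange_at_zero(i, signers):
    """Coefficient lambda_i such that sum(lambda_i * s_i) == x over the signer set."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * (-j) % N
            den = den * (i - j) % N
    return num * pow(den, -1, N) % N


def challenge(R, Y, msg):
    """Schnorr challenge e = H(R.x || Y.x || m) mod N."""
    h = hashlib.sha256(R[0].to_bytes(32, "big") + Y[0].to_bytes(32, "big") + msg)
    return int.from_bytes(h.digest(), "big") % N


def threshold_sign(shares, Y, msg):
    """Two-round threshold Schnorr over a signer subset; x is never reassembled.
    Simplified: no nonce commitments or binding factors (see FROST for those)."""
    signers = [i for i, _ in shares]
    nonces = {i: secrets.randbelow(N - 1) + 1 for i in signers}   # round 1: k_i
    R = None
    for i in signers:
        R = ec_add(R, ec_mul(nonces[i], G))                        # R = (sum k_i)*G
    e = challenge(R, Y, msg)
    z = 0
    for i, s_i in shares:                                          # round 2: z_i
        z = (z + nonces[i] + e * lagrange_at_zero(i, signers) * s_i) % N
    return R, z      # equals k + e*x mod N only if the subset meets the threshold


def single_key_sign(x, msg):
    """Ordinary Schnorr signing with the whole key, for comparison."""
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    return R, (k + challenge(R, ec_mul(x, G), msg) * x) % N


def verify(Y, msg, sig):
    """Standard Schnorr check z*G == R + e*Y; identical for both signing paths."""
    R, z = sig
    return ec_mul(z, G) == ec_add(R, ec_mul(challenge(R, Y, msg), Y))


if __name__ == "__main__":
    golden = secrets.randbelow(N - 1) + 1      # constructed stand-in for a signing key
    Y, shares = split_golden_secret(golden, t=2, n=3)
    msg = b"constructed token payload"
    print("2-of-3 lead secrets:     ", verify(Y, msg, threshold_sign(shares[:2], Y, msg)))
    print("1 lead secret alone:     ", verify(Y, msg, threshold_sign(shares[:1], Y, msg)))
    print("legacy whole-key signing:", verify(Y, msg, single_key_sign(golden, msg)))
```

The point the demo makes is the backward-compatibility one: `verify` is the unmodified single-key verifier, yet it accepts the threshold signature, because the public key did not change when the key was split. A sub-threshold subset does not leak the key; it simply produces a signature that fails verification.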
We will share an actual open-source TSS implementation and demonstrate its practical applications.