Could The Empire Have Been Saved by Better Encryption?
summary
I jumped at the opportunity to write this blog – as my son’s name is Luke and therefore, “Luke, I am your father”.
Let’s remember that tense moment in Garbage Compactor 3263827: after narrowly escaping Death-By-Dianoga, imminent demise again confronts Leia, Luke, Chewbacca and Han as the garbage compactor starts doing what garbage compactors do best. The young rebels frantically call C3PO and R2D2 to shut down all the compactors on the detention level – and in those gripping minutes leading to their narrow escape, even the most hyperaware geeks all totally missed evidence that the Imperial IT/IS department made some pretty bad decisions about SSL certificates.
For two decades, SSL has been the guardian of encryption and validation on a very public internet, but also within enterprises – even evil enterprises like the Death Star. And while the chronology means that SSL couldn’t have been in use a long time ago, in a galaxy far, far away, luckily the timing is fiction while SSL best practice is fact.
This little lesson’s worth the effort. Come, let me get you some SSL context:
To save his colleagues in the compactor, R2D2 got access to a Death Star control system. The Death Star’s systems believed that R2D2 was a legitimate agent of the Empire, and allowed him access. Now, let’s presume that the data exchange which ensued between system access and compactor shutdown was over an encrypted channel (a classic implementation of encryption of data in motion in a server-to-server model). Encryption wouldn’t have prevented R2D2 from doing anything – since he already had access to the network.
Had the Death Star’s systems required a digital certificate – what we now call SSL or TLS – for validation, not just encryption, the result might have been very different for not just our rebel friends, but ultimately for the Rebel Alliance and the Empire too – and for millions of Star Wars fans, in any galaxy for that matter.
After all, losing track of Death Star plans isn’t Imperial IT’s only problem. They also failed to observe best practices for usage of specific certificate types within their space station, as encryption couldn’t have prevented R2D2’s access. Only the validation function of SSL could have resolved that.
Stick with me here. Use the Force. Trust your feelings. Let go.
Effectively, R2D2 was a man-in-the-middle. Er, droid-in-the-middle. But don’t let “MITM or DITM” distract. If the Death Star’s server-to-server authentication demanded domain-validated certificates, the clever R2D2 could have easily obtained one of those since he literally was a man-in-the-middle. (Think about all the various DV authentication methods – R2 could’ve faked any of them). And upon system access, R2 just presented his DV certificate upon connecting the Death Star network and – ta da, he’s avoided any Imperial entanglements. (As I’m writing this, I realize that the Empire would likely have obtained the very first ever TLD, presumably for .ge for galactic empire – making R2’s DV cert’s Common Name to be something like r2d2.deathstar.ge)
Now, if Death Star IT/IS had configured its systems to demand organization-validated (OV) or Extended Validation (EV) certificates for server-to-server communication, R2 would have either failed to connect (by having a DV cert) or failed OV/EV verification (since he couldn’t have proven that he’s a member of the Empire).
No OV/EV = no (suitable) cert presented = this isn’t the droid you’re looking for = dead rebels.
Moreover, Imperial IT/IS would’ve been even smarter if they’d have selected any of Symantec-branded SSL certificates, which only come in OV and EV flavors – as the Symantec SSL validation and issuance infrastructures have never been compromised – since clearly the Death Star has its own breach problems.
Moral of the story: demand Symantec OV or EV certificates, even for server-to-server usage. And may the Force be with you.