ATHENE Research Center: Resource Public Key Infrastructure is Broken

Experts at the National Research Center for Applied Cybersecurity say that they have found a method to break Resource Public Key Infrastructure (RPKI), a “mechanism … [that] is actually designed to prevent cybercriminals or government attackers from diverting traffic on the Internet.” The team of scientists says attackers can circumvent RPKI without being detected by network operators.

Note

  • The real problem isn’t that it fails “open” if a key cannot be found, but the fact that the majority of networks do not have RPKI configured at all.
  • As ATHENE points out, currently only 40% of address blocks have RPKI certificates and only 27% of networks are verifying RPKI certs. This attack takes advantage of the way connectivity is allowed when RPKI certs can’t be found or validated and is not effective with full participation. Google and other BGP network providers have put mitigation measures in place to deal with the issue, but faster adoption of RPKI and other MANRS (Mutually Agreed Norms for Routing Security) that The Internet Society has been recommending will be the best solution for upgrading BGP security.
  • The exploit takes advantage of RPKI allowing traffic to flow when the identifying certificate for that block cannot be found. About 40% of networks have an identifying certificate, while 27% of networks verify them. As this is a design flaw, don’t expect a rapid change to be issued to fix this issue.
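
The fail-open behaviour described in the notes above can be seen in a small route origin validation check. This is an added example, not code from ATHENE or from any validator. It follows the RFC 6811 valid / invalid / not-found states and assumes the common policy of dropping only "invalid" routes; the ROAs, routes and the accept() and exposure() helpers are constructed for illustration.

```python
import ipaddress

# Constructed sample ROAs: (prefix, max length, authorized origin AS).
# Prefixes and AS numbers come from documentation ranges.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

# Constructed sample BGP announcements: (prefix, origin AS).
ROUTES = [
    ("192.0.2.0/24", 64500),         # matches its ROA
    ("192.0.2.0/24", 64511),         # covered, wrong origin AS
    ("2001:db8:1::/48", 64501),      # within max length
    ("2001:db8:1:100::/56", 64501),  # covered, longer than max length
    ("203.0.113.0/24", 64502),       # no covering ROA at all
]

def validate(prefix, origin_as, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if route.prefixlen <= max_len and origin_as == roa_as:
            return "valid"
    # Covered by a ROA but never matched: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"

def accept(state):
    # Assumed policy: only 'invalid' is dropped, so 'not-found' still routes.
    return state != "invalid"

def exposure(routes, roas):
    """Routes dropped with full ROA data but accepted when no ROA data is available."""
    return [r for r in routes
            if not accept(validate(*r, roas)) and accept(validate(*r, []))]

if __name__ == "__main__":
    for r in ROUTES:
        print(r, validate(*r, ROAS), "->", validate(*r, []), "(no ROA data)")
    print("protection lost for:", exposure(ROUTES, ROAS))
```

Running exposure() against a validator's real ROA export and the routes a network currently rejects shows which filtering decisions depend entirely on the ROA data being reachable.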
