Into the Black Box: A Case Study in Obtaining Visibility into Commercial Software
5 Summary
Netscape’s certificate database is straightforward and easy to decode. The key database was harder, mainly because information about the obsolete PFX format used to encrypt the private-key data was difficult to obtain; that PFX specification defined the uncommon PBEWithSha1AndTripleDESCBC OID. The ability to decode both databases stems from Netscape’s use of standards such as ASN.1 and PKCS: knowledge of these standards let us interpret the records without vendor documentation. Although Netscape’s NSS provided some information, we believe the information in this document could have been determined without it. Had Netscape not used standards in the design of the databases, records, and encryption schemes, however, the task would have been nearly impossible.
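To make the point about standards concrete, the following is an added example (written for this page, not code from the report, from Netscape, or from NSS) of the kind of tool that makes such decoding possible: a minimal DER walker that reads tag-length-value records, decodes OBJECT IDENTIFIERs, and extracts the salt and iteration count from a PBE AlgorithmIdentifier. The record it parses is constructed here for illustration and is not a real key3.db entry; the PFX-era OID value 1.2.840.113549.1.12.5.1.3 is the value NSS’s OID table is believed to assign to the name PBEWithSha1AndTripleDESCBC and is an assumption, while 1.2.840.113549.1.12.1.3 is the published PKCS#12 v1.0 value.

```python
"""Minimal DER walker for inspecting ASN.1-encoded records.

Added example, not code from the report or from NSS. The sample record
below is constructed for illustration and is not a real Netscape entry.
"""

# OID names used when decoding. The PKCS#12 v1.0 value is from the
# standard; the 1.12.5.1.3 value is what NSS's OID table is believed to
# assign to pkcs12PBEWithSha1AndTripleDESCBC (assumption, not from the report).
OID_NAMES = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS#12 v1.0)",
    "1.2.840.113549.1.12.5.1.3": "PBEWithSha1AndTripleDESCBC (PFX draft arc, assumed)",
    "1.2.840.113549.1.1.1": "rsaEncryption",
}


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end


def encode_tlv(tag, value):
    """Encode one DER TLV with a definite length (used to build the sample)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def encode_oid(dotted):
    """Encode a dotted OID to its content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def walk(buf, depth=0):
    """Recursively dump a DER blob; returns a list of (depth, description)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag & 0x20:  # constructed type: SEQUENCE, SET, ...
            name = {0x30: "SEQUENCE", 0x31: "SET"}.get(tag, f"constructed 0x{tag:02x}")
            out.append((depth, f"{name} ({len(value)} bytes)"))
            out.extend(walk(value, depth + 1))
        elif tag == 0x06:
            oid = decode_oid(value)
            out.append((depth, f"OID {oid} = {OID_NAMES.get(oid, 'unknown')}"))
        elif tag == 0x02:
            out.append((depth, f"INTEGER {int.from_bytes(value, 'big', signed=True)}"))
        elif tag == 0x04:
            out.append((depth, f"OCTET STRING {value.hex()}"))
        else:
            out.append((depth, f"tag 0x{tag:02x} {value.hex()}"))
    return out


def parse_pbe_algorithm_identifier(der):
    """Parse AlgorithmIdentifier { OID, pkcs-12PbeParams { salt, iterations } }."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    tag, params, pos = read_tlv(body, pos)
    if tag != 0x30 or pos != len(body):
        raise ValueError("expected parameters SEQUENCE")
    stag, salt, pos = read_tlv(params, 0)
    itag, iters, pos = read_tlv(params, pos)
    if stag != 0x04 or itag != 0x02 or pos != len(params):
        raise ValueError("expected OCTET STRING salt and INTEGER iterations")
    return decode_oid(oid_bytes), salt, int.from_bytes(iters, "big", signed=True)


# Constructed sample: a PBE AlgorithmIdentifier with an 8-byte salt and 1 iteration.
SAMPLE_SALT = bytes.fromhex("0102030405060708")  # constructed, not a real salt
SAMPLE_ALG_ID = encode_tlv(
    0x30,
    encode_tlv(0x06, encode_oid("1.2.840.113549.1.12.5.1.3"))
    + encode_tlv(0x30, encode_tlv(0x04, SAMPLE_SALT) + encode_tlv(0x02, b"\x01")),
)

if __name__ == "__main__":
    for depth, line in walk(SAMPLE_ALG_ID):
        print("  " * depth + line)
    print(parse_pbe_algorithm_identifier(SAMPLE_ALG_ID))
```

Running the walker on a real record shows the same thing the report describes: once the structure is recognised as an AlgorithmIdentifier, the OID names the PBE scheme and the parameters give the salt and iteration count needed to attempt decryption. The length checks in read_tlv matter in practice, because a truncated or corrupt database record must fail loudly rather than be read past its end.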
The major lessons to be learned from this case study are the following:
- If you need to peer inside a product (a black box), you must know what you are looking for. In this case study, deep and detailed knowledge of computer security was necessary; without it, it is doubtful that progress could have been made.
- For good and sufficient reasons, vendors such as Netscape build their products on standards (for example, ASN.1). Knowledge of these standards is equally crucial for developers who want to peer inside a product. From a vendor’s perspective, standards are therefore a two-edged sword.
- A significant degree of systems expertise is needed by developers who will peer inside a product. Programs must be written, raw data dumps interpreted, network traffic sniffed, and so forth in order to crack the puzzle. Moreover, strong problem-solving skills and perseverance are needed, since there is rarely just one puzzle to be cracked.
All of this tends to support the observation that building systems from commercial software products often requires more, rather than less, technical sophistication on the part of software developers.