NTC PKI.
PEN-TESTER
SaifUllah
Services
Penetration Testing, Code Review
Date
June 25th, 2022
Team
Saifullah – VA&PT
Areej – Reporting
The Pakistan National PKI comprises two separate PKI hierarchies, one for each of the Government and Commercial domains. Both hierarchies are established under the Pakistan National Root CA.

Brief & idea.
The Pakistan National PKI consists of Government and Commercial hierarchies under the Pakistan National Root CA (NR-CA). The NTC, a Government Trust Services Provider, operates within the Government domain. The three-level CA hierarchy has NR-CA as the top-level trust anchor (Level 0). At Level 1, NR-CA’s intermediate CAs are segregated by Government and Commercial use cases. Level 2 houses the Government and Commercial TSP CAs, which is where NTC’s issuing CAs sit within the National PKI framework. This structure ensures secure accreditation and certification across diverse entities.
Result.
In my role as a security engineer, I rigorously tested the security of the Pakistan National PKI architecture and associated applications. The evaluation included the Government and Commercial hierarchies under the Pakistan National Root CA. Focusing on NR-CA’s trust anchor and intermediate CAs, I assessed the NTC’s role as a Government Trust Services Provider (TSP) within the Government domain, ensuring the confidentiality and integrity of the PKI framework. The objective was to identify and address potential security vulnerabilities, contributing to an overall improvement in the system’s security posture.
