12

The government of Kazakhstan, in order for citizens to use electronic government services (egov.kz), requires installing the NCALayer application on the computer for working with digital signatures. However, on its each launch, the application tries to install root certificates into the Windows' Trusted Root Certification Authorities store (see screenshot below).

Windows warnings about attempts to add certificates to the trusted store

Tutorials for using NCALayer state that users should click "Yes". If I click "Yes", the certificates are successfully added into certmgr.mscCurrent User\Trusted Root Certification Authorities\Certificates. Also, some outdated user manuals (en, ru) warn that adding these root certificates to browsers is mandatory.

While studying PKI, I came across the fact that if the same organization both (1) issues a root certificate (and if that root certificate is marked as trusted in the OS or in the browser) and also (2) acts as a node in the data transmission path (for example, network equipment of an Internet service provider), this effectively enables it to conduct a MITM attack or a masquerade attack. In such a case, the browser will not warn the user that the traffic may be decrypted by a third party.

Given that Mozilla Firefox and Google Chrome have their own separate root certificate stores, it seems that web traffic coming from these browsers still cannot be decrypted by the government.

Logically, it appears that a MITM attack is possible. Many people in Kazakhstan use eGov and NCALayer. Yet in the Kazakh internet segment, the Russian-speaking segment, and the Internet in general, no one states that installing these root certificates is bad or unsafe. I was unable to find information on this other than a single GitHub repository. So should I be paranoid — and if not, then why not?

Kazakhstan is known for repeated attempts to conduct MITM attacks. Even putting that aside, in this case, wouldn’t an installed root certificate indeed allow interference with citizens' traffic?

Output for the first certificate, if needed (openssl x509 -noout -text -in "1.cer"):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            54:b3:b7:40:d4:5b:91:70:7b:ed:4a:2b:e4:1b:7b:69:f8:f6:ba:50
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = \D0\9D\D0\95\D0\93\D0\86\D0\97\D0\93\D0\86 \D0\9A\D0\A3\D3\98\D0\9B\D0\90\D0\9D\D0\94\D0\AB\D0\A0\D0\A3\D0\A8\D0\AB \D0\9E\D0\A0\D0\A2\D0\90\D0\9B\D0\AB\D2\9A (RSA), C = KZ
        Validity
            Not Before: Sep  8 10:04:54 2020 GMT
            Not After : Sep  8 10:04:54 2045 GMT
        Subject: CN = \D0\9D\D0\95\D0\93\D0\86\D0\97\D0\93\D0\86 \D0\9A\D0\A3\D3\98\D0\9B\D0\90\D0\9D\D0\94\D0\AB\D0\A0\D0\A3\D0\A8\D0\AB \D0\9E\D0\A0\D0\A2\D0\90\D0\9B\D0\AB\D2\9A (RSA), C = KZ
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a3:77:b2:60:eb:67:ed:8a:67:e3:65:ec:44:50:
                    4d:2c:a5:6f:7f:76:56:8c:92:cd:6d:42:7e:0c:4c:
                    d3:f3:c7:d5:e2:3c:76:47:08:d3:f0:3c:6b:65:e5:
                    3f:70:9f:0d:b3:4a:30:c8:41:ac:3f:e3:2a:a9:b2:
                    f8:e7:ef:2a:e3:26:d7:c6:4a:14:f6:87:3f:a4:2a:
                    87:14:e4:5a:ee:75:e0:c6:b6:13:86:78:1a:93:1d:
                    62:e0:1a:74:5b:03:a5:f1:4c:b5:02:c6:78:e3:33:
                    5a:19:e5:8b:5c:7b:d2:17:c3:1f:eb:76:b9:af:e0:
                    f5:69:96:22:b8:7a:e0:cb:7a:5d:0c:cc:a1:40:4a:
                    c9:90:89:f0:28:27:bf:d0:2e:2f:06:27:d1:98:a7:
                    f7:55:9b:1b:69:9b:72:ae:c9:c5:2d:b3:fb:7a:e3:
                    09:33:0f:d1:d0:ec:2e:c3:38:17:e2:55:63:52:1b:
                    45:cc:8c:84:d9:20:11:ac:fe:09:81:0d:22:23:5a:
                    30:ff:43:6c:0b:19:60:95:11:1f:0d:67:fd:dc:64:
                    66:96:d1:ff:86:17:be:dc:3b:00:8f:53:2d:08:f6:
                    0f:b4:9a:fc:ba:74:68:95:8d:a8:65:05:e0:5e:99:
                    41:01:89:45:af:1a:85:c5:60:a4:cc:6a:fc:64:23:
                    17:49:f9:59:f4:c8:c2:42:01:6a:fc:98:59:c2:a0:
                    ca:d4:06:88:f5:03:d0:ad:ab:f1:17:de:7c:ba:7b:
                    71:e4:aa:ad:8f:08:ec:14:80:64:ef:c7:b5:1a:46:
                    de:d4:f6:ed:b5:53:16:c1:bc:64:61:38:d6:71:c9:
                    1c:e3:01:f8:f9:a6:99:18:97:42:d1:91:e9:b8:62:
                    5d:a4:21:db:70:13:b7:8d:67:a2:bc:94:49:b1:11:
                    f9:43:21:dc:e6:95:6b:2a:83:d1:e5:3c:f3:3c:ad:
                    f0:f8:f8:93:1d:4e:d2:88:1b:b5:0b:f9:2d:eb:3a:
                    a5:67:14:9d:8b:0e:77:be:c6:e3:f3:3b:9f:ee:13:
                    d1:bf:72:be:a9:e1:aa:cd:b0:84:2c:27:34:4f:97:
                    6d:19:ef:1f:aa:dd:cf:54:76:63:bd:bd:63:c0:80:
                    ad:a8:1f:21:cf:e7:0e:be:8c:2d:96:41:8e:9f:f1:
                    90:44:ee:1a:cc:90:8e:28:e1:23:d7:fd:98:48:58:
                    f7:45:24:a2:82:ea:43:d3:83:93:38:65:fb:63:d0:
                    ff:22:04:9a:bb:3a:92:34:e5:08:7a:34:a7:ae:97:
                    54:b2:56:ca:ba:ed:0b:48:53:3b:9c:cc:9f:b7:a9:
                    84:87:d2:56:02:86:ad:18:f6:51:49:85:b7:a8:76:
                    b1:5e:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                54:B3:B7:40:D4:5B:91:70:7B:ED:4A:2B:E4:1B:7B:69:F8:F6:BA:50
            X509v3 Authority Key Identifier: 
                keyid:54:B3:B7:40:D4:5B:91:70:7B:ED:4A:2B:E4:1B:7B:69:F8:F6:BA:50
                DirName:/CN=\xD0\x9D\xD0\x95\xD0\x93\xD0\x86\xD0\x97\xD0\x93\xD0\x86 \xD0\x9A\xD0\xA3\xD3\x98\xD0\x9B\xD0\x90\xD0\x9D\xD0\x94\xD0\xAB\xD0\xA0\xD0\xA3\xD0\xA8\xD0\xAB \xD0\x9E\xD0\xA0\xD0\xA2\xD0\x90\xD0\x9B\xD0\xAB\xD2\x9A (RSA)/C=KZ
                serial:54:B3:B7:40:D4:5B:91:70:7B:ED:4A:2B:E4:1B:7B:69:F8:F6:BA:50
            X509v3 Certificate Policies: 
                Policy: 1.2.398.3.1.2
                  CPS: http://root.gov.kz/cps
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        5b:bc:6f:6c:26:22:6c:3a:9f:3d:bd:b2:be:f2:a1:ec:24:1d:
        a7:3d:c0:2b:01:1b:ab:5d:e2:92:51:47:2f:99:ba:54:12:4c:
        57:9a:2f:80:b2:00:c2:b3:f4:98:13:1f:ea:75:12:1e:15:0e:
        af:dd:c8:9a:cc:38:20:b7:ec:47:d1:63:94:f5:7e:6f:a1:2c:
        aa:d0:65:c1:b0:59:15:3e:46:68:0c:7a:1e:e8:d6:1c:bb:8e:
        af:3f:17:1d:1b:34:67:bb:53:e8:36:31:93:92:40:b6:88:f0:
        2e:e4:fd:bb:f8:0d:13:d5:9f:c9:73:bc:21:dd:19:f5:52:03:
        7c:86:97:db:c3:d4:7f:dc:59:22:af:f7:41:f1:7a:e8:f9:e2:
        07:c8:75:dd:af:23:84:04:04:34:ed:cb:19:d7:3c:a0:b3:05:
        f5:1a:65:46:fb:e3:47:0f:5e:99:c1:c0:a8:d5:f9:da:88:80:
        a5:ba:c9:4b:60:5d:7f:cc:bb:07:a8:4a:18:cf:f9:1b:97:13:
        63:2c:a8:72:1f:39:ec:e6:96:64:58:87:b7:67:2d:1b:d7:d3:
        b5:10:b6:78:40:3d:9a:10:a3:6e:ac:a2:7f:38:a4:2f:17:c1:
        5c:1f:72:b0:f1:83:fa:47:44:16:b7:cc:e3:58:58:71:50:70:
        3b:5e:b8:af:4a:48:95:e1:30:34:e4:ee:8f:b5:36:75:de:9e:
        01:8f:fa:66:d7:59:5e:8b:31:cd:a5:2e:35:c8:5b:18:64:16:
        22:08:cf:ea:e7:e7:63:20:77:6f:2a:7f:e1:e3:39:ff:fe:67:
        91:7e:3a:b6:32:c2:c4:87:4b:09:eb:00:03:04:c5:c2:1e:5f:
        af:29:c8:24:30:c9:0f:44:6e:b5:7e:ec:f0:42:f3:aa:bb:c1:
        ef:fb:07:02:b7:d6:22:8e:cc:95:ec:bf:74:49:47:47:0f:5c:
        3b:98:26:2d:bd:c5:90:e6:f6:aa:06:be:29:fe:38:2a:45:c4:
        65:ed:9b:5d:f3:25:40:4b:70:21:a6:84:29:94:3c:f4:28:9a:
        48:6b:5e:d9:45:08:00:04:fd:25:a0:47:cc:ec:c5:54:e3:02:
        29:f0:ed:15:81:26:71:62:23:ab:0f:b4:96:23:51:aa:2f:99:
        c5:aa:cc:23:e2:5b:d2:16:3a:14:3f:81:aa:5e:60:ce:0f:8c:
        b6:42:d9:83:11:cf:b9:43:94:a5:3c:f8:ac:45:6a:4c:89:ef:
        a4:49:aa:9c:36:3f:12:25:23:c2:c8:6a:40:12:b3:0a:a2:bc:
        20:f5:1d:4b:fc:08:f7:11:3b:70:55:c6:aa:4a:43:47:c6:11:
        72:74:37:24:44:8b:12:18

Output for the second certificate, if needed (openssl x509 -noout -text -in "2.cer"):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5c:ae:24:d7:49:b2:64:80:d2:de:37:23:3c:3e:a4:51:5d:b5:5a:c7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = \D0\9D\D0\95\D0\93\D0\86\D0\97\D0\93\D0\86 \D0\9A\D0\A3\D3\98\D0\9B\D0\90\D0\9D\D0\94\D0\AB\D0\A0\D0\A3\D0\A8\D0\AB \D0\9E\D0\A0\D0\A2\D0\90\D0\9B\D0\AB\D2\9A (RSA), C = KZ
        Validity
            Not Before: Sep 22 10:38:15 2022 GMT
            Not After : Sep  7 10:04:54 2045 GMT
        Subject: CN = \D2\B0\D0\9B\D0\A2\D0\A2\D0\AB\D2\9A \D0\9A\D0\A3\D3\98\D0\9B\D0\90\D0\9D\D0\94\D0\AB\D0\A0\D0\A3\D0\A8\D0\AB \D0\9E\D0\A0\D0\A2\D0\90\D0\9B\D0\AB\D2\9A (RSA) 2022, C = KZ
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:93:0f:57:cc:4f:2d:d1:43:52:38:50:de:bd:b2:
                    e8:be:34:30:c7:d4:36:0a:e6:d6:72:48:77:8d:20:
                    55:b4:c1:86:5b:45:4c:a9:3e:e3:ef:73:93:4c:20:
                    0a:8c:a3:25:e1:24:7f:d0:a4:f7:b8:1d:d0:0c:c8:
                    f6:94:ea:fb:b4:89:ee:5e:f9:03:b9:d3:80:01:98:
                    33:cb:d0:03:42:33:bc:40:0c:7f:15:0b:4e:8a:da:
                    99:d5:b9:c2:b8:8a:97:a7:52:d7:b7:85:cb:59:bf:
                    c2:4c:e0:5d:c8:ea:37:19:5e:1e:29:6b:ba:93:3a:
                    c1:a9:da:58:94:87:9a:38:98:e5:ca:6a:46:27:9d:
                    93:82:c8:32:27:a0:fc:f2:c8:14:6c:50:c3:09:a2:
                    09:07:fe:33:92:cd:0d:20:c3:1d:ba:ac:e1:9f:0b:
                    d5:25:98:d6:8a:c1:cf:e0:cb:8f:40:b1:f9:7b:b4:
                    50:a7:64:a1:60:62:eb:2d:d1:73:c1:ae:bf:70:8f:
                    72:6b:34:dc:36:1b:b1:ad:99:86:92:ee:92:37:4d:
                    16:8b:17:51:2b:0c:ec:fa:23:30:91:91:76:af:72:
                    58:4c:21:e0:b3:f1:1a:48:80:09:1a:0c:1e:41:22:
                    e3:7d:0a:fd:e4:0c:ce:28:5b:49:37:12:81:ab:0f:
                    b6:44:fa:29:00:c5:e1:d9:81:16:b4:b4:63:28:de:
                    5e:98:e8:6e:4b:3c:ea:9f:56:5a:ec:1d:e2:d0:66:
                    1f:cf:9f:96:dd:0b:13:4a:9a:c3:18:be:7a:c7:cb:
                    1d:d2:6c:11:e8:43:9b:e0:6b:ba:17:ad:ac:76:26:
                    56:54:f6:13:84:67:27:82:93:ec:9b:43:d8:6a:03:
                    28:40:56:50:c8:72:73:2b:7d:24:1a:b4:41:2d:72:
                    8a:c6:50:c1:d4:33:69:ee:46:d7:80:95:0e:f2:84:
                    6e:1a:6d:fc:83:1a:a6:30:80:29:ac:bc:0a:4a:10:
                    07:0a:95:77:05:b2:38:00:81:db:85:bd:96:fd:30:
                    45:27:2a:bd:73:0c:9c:bc:51:09:c6:79:f2:f3:a3:
                    0f:df:49:a4:4d:19:46:dd:a0:e8:f3:8e:90:61:cb:
                    4e:54:6d:5c:15:cc:2c:f8:0f:70:f5:62:70:93:90:
                    db:4d:53:8b:ca:ea:1c:59:70:a3:33:fb:f4:87:55:
                    8a:31:e7:f0:97:5e:6c:df:7d:f0:f0:33:ca:6a:2e:
                    99:fc:11:94:a0:86:f6:e9:6c:f2:d1:13:14:1f:ff:
                    cd:7b:cf:6f:ef:80:eb:bc:b2:50:0f:e6:be:89:f3:
                    7f:ba:3c:b3:0d:f1:83:28:4b:17:98:ca:c7:89:c9:
                    b4:c1:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.root.gov.kz/rsa2020.crl
            X509v3 Subject Key Identifier: 
                DC:AE:24:D7:49:B2:64:80:D2:DE:37:23:3C:3E:A4:51:5D:B5:5A:C7
            X509v3 Authority Key Identifier: 
                keyid:54:B3:B7:40:D4:5B:91:70:7B:ED:4A:2B:E4:1B:7B:69:F8:F6:BA:50
                DirName:/CN=\xD0\x9D\xD0\x95\xD0\x93\xD0\x86\xD0\x97\xD0\x93\xD0\x86 \xD0\x9A\xD0\xA3\xD3\x98\xD0\x9B\xD0\x90\xD0\x9D\xD0\x94\xD0\xAB\xD0\xA0\xD0\xA3\xD0\xA8\xD0\xAB \xD0\x9E\xD0\xA0\xD0\xA2\xD0\x90\xD0\x9B\xD0\xAB\xD2\x9A (RSA)/C=KZ
                serial:54:B3:B7:40:D4:5B:91:70:7B:ED:4A:2B:E4:1B:7B:69:F8:F6:BA:50
            Authority Information Access: 
                CA Issuers - URI:http://root.gov.kz/cert/root_rsa_2020.cer
            X509v3 Certificate Policies: 
                Policy: 1.2.398.3.3.2
                  CPS:  http://pki.gov.kz/cps
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        16:46:6c:59:62:72:c6:70:dd:be:33:15:06:8f:fd:f0:64:59:
        55:a8:80:d5:39:be:dc:a3:3b:46:22:8b:86:47:04:27:cc:63:
        23:3b:57:7c:26:7f:3a:3c:f7:b1:71:ef:bc:3a:c3:39:5f:51:
        90:86:ca:45:6e:c2:55:b0:e0:e6:f9:ec:8f:e9:cb:aa:fb:85:
        2d:60:bb:be:0f:4c:41:b1:dd:ba:f6:fb:8f:7a:fb:50:6e:73:
        50:19:dd:de:19:39:86:05:36:bc:b6:31:e6:d6:dc:ab:ae:f2:
        c8:bb:61:8e:b3:55:88:ab:26:d3:d8:00:60:d8:c4:7d:09:88:
        0c:50:20:a8:28:49:68:be:d0:c9:8e:20:b6:f3:0f:9a:fa:b3:
        96:9e:61:94:e4:60:53:b6:ca:ef:44:65:0e:9e:47:7b:7a:c9:
        0a:ed:7e:50:a0:d7:16:0a:70:52:0a:27:3e:57:d9:94:8f:29:
        56:90:db:f7:e0:f8:35:c4:eb:67:75:c1:e8:df:65:b8:29:34:
        35:20:f0:09:b0:65:13:8b:0a:a7:0c:48:41:12:49:b7:bd:34:
        b1:0f:06:51:94:34:aa:57:7b:d1:72:07:55:3f:cd:be:bd:df:
        b5:d6:bf:67:55:2f:24:ad:be:68:20:19:8b:5f:64:4b:bf:8c:
        cc:09:fc:cd:c2:cd:b0:5e:bc:37:9f:61:ee:bc:dd:91:aa:c5:
        a8:4a:12:2b:15:49:c9:cb:38:82:36:b6:ca:c1:83:da:93:0c:
        51:e2:f5:bd:4a:61:fa:83:94:af:79:50:20:cc:00:1d:9a:35:
        60:cb:64:42:a5:0f:c8:7b:09:4e:e8:07:8a:32:b5:07:92:5b:
        21:b8:e2:15:e4:64:2b:5e:72:ea:b0:1e:c6:97:5a:4e:a2:e2:
        23:7a:06:60:e7:c9:0b:83:03:99:42:8e:f4:52:25:52:9c:3d:
        79:67:ce:a9:9f:ca:03:da:e5:84:84:5a:ca:03:69:21:81:f0:
        05:12:3f:69:d4:9a:12:18:96:af:c2:16:6b:66:13:52:fd:ef:
        30:cc:8e:29:71:17:74:a5:7e:1b:6e:84:d8:20:55:44:6b:e6:
        39:f4:c9:0c:44:ef:8b:11:bd:92:93:59:99:62:9e:fa:5f:cd:
        74:79:90:42:fa:6c:05:2b:c9:99:29:78:da:66:fd:39:df:1a:
        47:1e:b9:d4:14:f1:11:52:07:73:e5:06:ad:52:c1:1f:00:42:
        a5:39:46:c8:40:e6:00:a4:0e:09:f1:ad:5f:d1:e1:ae:2d:61:
        f0:fe:4f:95:ea:83:59:d1:30:ec:1b:d9:7f:54:27:f9:53:3c:
        88:d5:35:ae:41:01:2b:bc

About NCALayer

NCALayer is a Java-based desktop application. After installation, it is unpacked into the directory C:\Users\<username>\AppData\Roaming\NCALayer. The directory structure looks as follows:

bundles\
jre\lib\...
jre\bin\...
ncalayer-cache\...
VisualElements\...
icon.png
ncalayer.der
NCALayer.exe
ncalayer.log
ncalayer.VisualElementsManifest.xml
settings.json
unins000.dat
unins000.exe

When launching NCALayer.exe, it starts the process jre\bin\javaw.exe (version of java.exe is openjdk version "1.8.0_422"). The javaw.exe executable is signed with certificate from "BELLSOFT", which was issued by "Sectigo Public Code Signing CA R36". The process does not create any firewall rules on Windows.

Each time NCALayer starts, it checks whether both of its root certificates are present in the Trusted Root Certification Authorities store. If either one is missing, pop-up dialogs appear one after another, asking the user to add the root certificates (see the screenshot at the beginning of the question).

Government websites such as egov.kz and knp.kgd.gov.kz check whether NCALayer is running when authenticating with a digital signature. NCALayer is also used for signing data when accessing electronic government services. However, for authentication and accessing services on egov.kz, neither of the two root certificates is required (tested the latest version, NCALayer v1.4); it is sufficient that NCALayer is running and a digital signature is provided. In contrast, authentication on knp.kgd.gov.kz requires at least one of the two root certificates to be installed.

The official documentation have instructions on how to install root certificates in Windows, macOS, Linux, and into Mozilla Firefox and Google Chrome (browser instructions are not available in English) and how to make browsers trust these certificates. However, in practice I have never needed to install the certificates into browsers. Some YouTube-videos show how to install root certificates on Windows and macOS.

The NCALayers installation script for Linux, written in Bash, uses certutil, but I never run the script.

In Kazakhstan, citizens can access certain government services in special service centers equipped with public computers. So, I have no complaints if such computers can have root certificates installed.

But many people use egov.kz and NCALayer from home. They don't know that they shouldn't install the certificates. And I didn't know this until I studied the PKI.

Improve this question
New contributor
sunvis0r is a new contributor to this site. Take care in asking for clarification, commenting, and answering. Check out our Code of Conduct.
5
  • 8
    I'm no expert on this, but want to clarify this sentiment: "Logically, it appears that a MITM attack is possible". It's not just possible, it's the entire point of them installing this onto your computer. So no need to be paranoid, just understand what it is they're doing so you can safely work within their rules. I worked at a company in the US which had us install their own certificates as well. Commented 2 days ago
  • 3
    @aaaaaa The fact that the certificates do not set Name Constraints means that they're definitely not putting any effort into dispelling concerns... In this case, it probably is the point, but an organization making you install a root CA is not always done to make MITM possible. Commented yesterday
  • 1
    @aaaaaa It's not necessarily the entire point of the install of the certs. They could have legitimate certificates for actual websites that track back to those certs. We can't rule out that they want those certs for MITM, but we can't infer that it is their goal. If OP can still access any site with a regular certificate without installing those root certs, it's unlikely there is (currently) any generalised MITM in operation. Commented yesterday
  • Resources disputing goverment decisions are easily blocked. In Russia, methods to circumvent blocks are outlawed, and sites disseminating them are blocked. Commented yesterday
  • 1
    Kazakhstan does this because Kazakhstan intercepts your traffic and modifies it - maybe not right now, but they can when they want to. I don't think the question nor the answer need to be very long. If you don't install the certificate, they will still intercept and modify your traffic when they want to, but your computer will know it's wrong and won't load the page. Commented 4 hours ago

3 Answers 3

Reset to default
20

Your suspicion is absolutely justified. You should be very careful installing any CA certificates into the trust store, especially when it comes from a government known for MitM attacks. While many browsers indeed have their own trust store now, other tools like curl may very well use the system's trust store. This can enable MitM attacks.

If you have to install the CA certificate, then do this in a separate virtual machine which you only use for the government services, nothing else.

Improve this answer
9
  • 1
    Won't a container such as Docker be sufficient? There's no reason for CAs to end up in kernel space. Commented 2 days ago
  • 2
    @TobySpeight: Docker on Windows runs in a virtualized environment anyway (either through Hyper-V or the Windows Subsystem for Linux), so I don't really see any benefit over a VM in this case. Commented 2 days ago
  • 1
    Oh, the OP is using Windows - missed that. But for the rest of us, a container is less overhead. Commented 2 days ago
  • 7
    @TobySpeight: There's no real need for even a Docker container. You can just use a browser that uses its own, separate certificate store (such as Mozilla Firefox), and install the certificate just in that browser. With Firefox specifically, the certificate store is inside your Firefox profile, so it's enough to use a separate profile, no need to install a separate version of Firefox. See Where does Firefox store cerificates and how to delete one? Commented 2 days ago
  • 11
    @sleske: The OP has to install a desktop application which specifically tries to install CA certificates into the system trust store, not just a browser. Commented 2 days ago
3

In addition to the question of the certificate, installing the application in the first place might be an issue. It could very well include spyware/backdoor functionality which could be used by the government or possibly abused by other malicious actors in order to snoop on your files, network communications, get access to your webcam or microphone, etc.

Moreover, the application appears to be communicating with your browser and more particularly with web applications. The communication channel between the browser/web-application and NCALayer could possibly introduce (on purpose by request of the government or not on purpose by the developers) some vulnerability which could be exploited by malicious websites to get a remote access to your computer or to other browsing sessions.

Improve this answer
2
  • Devices may come with preinstalled law-mandated software. If this is the case, one additional piece would not change much. Commented yesterday
  • I added some information about the application in the question body. Commented 18 hours ago
2

Any certificate installed into the root trust store can be used for MITM purposes. We cannot know whether the Kazakh authorities would try a repeat of the 2015 attack. However, we can investigate how it's being used now.

I've installed the NCALayer app on a throwaway VM. It installs the two root certificates, and then opens a HTTPS server on port 13579. The HTTPS server uses a certificate issued for 127.0.0.1/localhost, signed by the CA in question.

screenshot of localhost browser page

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            53:0b:49:c7:7e:92:bc:8b:8d:69:66:10:a7:d7:ac:9b:19:8b:82:2a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ҰЛТТЫҚ КУӘЛАНДЫРУШЫ ОРТАЛЫҚ (RSA) 2022, C=KZ
        Validity
            Not Before: May 26 06:52:17 2025 GMT
            Not After : Jun 27 06:52:17 2026 GMT
        Subject: CN=127.0.0.1, O=ҰЛТТЫҚ КУӘЛАНДЫРУШЫ ОРТАЛЫҚ, C=KZ
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a2:15:28:28:43:ae:52:d0:d4:a9:e4:06:e8:50:
                    9d:ac:66:43:93:87:ed:8f:30:a1:1d:c2:97:5c:69:
                    41:d0:ca:fa:82:d7:f4:19:6e:75:63:83:df:66:07:
                    cb:e6:a6:c3:dc:54:de:88:a2:34:73:c9:8c:22:3d:
                    9a:25:80:31:97:4d:69:b5:fc:4f:d8:63:b4:c7:36:
                    cc:92:ba:51:7f:65:73:fd:bd:81:6e:69:c0:6a:72:
                    55:b6:36:3d:ca:a2:33:ac:5a:9a:18:c5:0b:c2:ef:
                    a8:53:af:ba:be:34:3e:1d:5d:fa:0e:85:95:f2:fa:
                    d7:5d:00:a0:ca:db:36:ed:58:21:ff:ad:94:e1:2d:
                    80:ad:4d:a0:ed:9b:06:e7:db:a6:b0:b7:40:e9:e1:
                    bd:2f:26:26:13:76:fc:7f:a8:db:f1:97:e4:1f:97:
                    e0:2c:0a:d0:4c:19:4d:a7:a4:a6:9b:aa:41:b1:6a:
                    12:9d:d9:ca:4d:24:95:1a:7f:a4:9c:51:f5:5c:db:
                    85:90:88:0a:93:14:e4:50:22:c5:59:93:e3:ad:9a:
                    c2:b4:3c:da:f1:5e:c3:75:20:00:8c:10:ea:05:7a:
                    84:f6:a0:a5:9b:d4:ee:a1:d8:70:f3:a4:d5:41:9d:
                    37:57:01:3c:ae:b5:ac:00:e6:cf:07:63:51:09:02:
                    7e:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                D3:0B:49:C7:7E:92:BC:8B:8D:69:66:10:A7:D7:AC:9B:19:8B:82:2A
            X509v3 Authority Key Identifier: 
                DC:AE:24:D7:49:B2:64:80:D2:DE:37:23:3C:3E:A4:51:5D:B5:5A:C7
            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:127.0.0.1, IP Address:127.0.0.1
            Authority Information Access: 
                CA Issuers - URI:http://pki.gov.kz/cert/nca_rsa_2022.cer
                OCSP - URI:http://ocsp.pki.gov.kz
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        76:c0:a3:45:fb:54:9a:46:86:79:4b:69:3d:28:aa:6e:1d:17:
        5b:02:3b:22:4b:b7:0b:92:e7:12:6a:49:12:ab:ac:ad:aa:58:
        bc:04:f9:a5:d5:ab:8e:a4:e5:a5:cb:5f:b2:46:fc:b6:f8:6c:
        ee:00:9e:b5:9f:92:d7:21:fd:fd:49:d1:c7:48:37:ce:9f:fb:
        a3:f5:83:0d:9c:99:36:5f:f3:11:e6:20:c4:f1:04:71:78:52:
        9e:34:8a:5f:5e:1a:8c:ce:f7:47:42:32:5c:d0:6a:3a:4e:76:
        e1:4d:36:d3:11:ad:fe:e2:1f:f9:64:e1:af:80:02:01:b9:f2:
        d9:10:7d:24:15:1f:31:83:a9:80:8d:ca:b4:50:15:40:ba:9a:
        5b:92:20:41:ff:bb:dd:6c:d9:56:31:7c:82:4f:f2:a6:c7:23:
        e2:54:c6:b0:17:2d:a2:ca:56:a2:e8:79:9b:23:89:52:80:32:
        59:1b:1f:3c:6f:aa:83:f5:6a:c2:20:1b:3a:ff:94:67:f5:a5:
        45:f8:e1:ab:b3:08:65:d9:f0:02:e9:f5:6f:b2:04:4f:ef:24:
        ac:f1:cf:12:b2:4e:12:1a:f2:ce:6e:d5:92:40:88:4b:be:d0:
        6b:dd:b7:ef:aa:85:85:92:cc:4e:a4:15:a2:e8:0f:c4:1a:dc:
        c7:45:29:ef:26:ad:3f:e0:23:90:5d:c6:a3:9b:96:56:2c:02:
        c9:3e:3e:d9:fc:55:f6:c8:55:9d:97:1c:fa:f0:e5:fb:ee:ac:
        f2:e1:0f:9a:83:c9:93:09:6c:6a:58:6d:64:f2:50:ae:a8:5a:
        7d:7e:8f:9c:3f:63:45:42:dc:26:3c:c4:a8:01:2d:73:29:01:
        82:4a:96:d2:70:b1:ee:24:15:44:cb:a5:7d:f7:fa:a2:92:90:
        36:69:73:89:f0:1f:50:e0:18:cc:e1:19:a8:d2:36:9c:0b:af:
        cd:dc:61:6d:6c:91:41:c3:2d:2e:27:12:c7:9f:e5:10:bf:d1:
        7e:43:58:e6:1e:a9:d8:5d:f0:52:b4:7a:26:b3:b7:a0:32:2e:
        14:01:d4:52:9a:96:fa:7e:d2:f1:b0:ff:c9:a2:e3:8b:1a:a6:
        09:63:63:a1:3c:63:db:cc:d6:96:3f:8d:55:95:b5:34:6c:aa:
        ff:7f:b9:4d:2a:5f:1a:b5:af:8f:73:ea:08:55:4d:e6:3e:94:
        6a:ea:db:0a:7a:de:3b:c2:83:3f:ab:0c:8c:6b:bb:ca:3b:9d:
        3c:05:33:f6:65:16:fb:e8:62:61:10:8a:dc:e8:65:66:eb:67:
        33:c3:e8:21:5d:09:3f:27:ed:7b:41:5b:64:3e:47:8c:72:51:
        4e:a2:79:9f:cf:6d:1c:8c
-----BEGIN CERTIFICATE-----
MIIFTjCCAzagAwIBAgIUUwtJx36SvIuNaWYQp9esmxmLgiowDQYJKoZIhvcNAQEL
BQAwVzFIMEYGA1UEAww/0rDQm9Ci0KLQq9KaINCa0KPTmNCb0JDQndCU0KvQoNCj
0KjQqyDQntCg0KLQkNCb0KvSmiAoUlNBKSAyMDIyMQswCQYDVQQGEwJLWjAeFw0y
NTA1MjYwNjUyMTdaFw0yNjA2MjcwNjUyMTdaMGAxEjAQBgNVBAMMCTEyNy4wLjAu
MTE9MDsGA1UECgw00rDQm9Ci0KLQq9KaINCa0KPTmNCb0JDQndCU0KvQoNCj0KjQ
qyDQntCg0KLQkNCb0KvSmjELMAkGA1UEBhMCS1owggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCiFSgoQ65S0NSp5AboUJ2sZkOTh+2PMKEdwpdcaUHQyvqC
1/QZbnVjg99mB8vmpsPcVN6IojRzyYwiPZolgDGXTWm1/E/YY7THNsySulF/ZXP9
vYFuacBqclW2Nj3KojOsWpoYxQvC76hTr7q+ND4dXfoOhZXy+tddAKDK2zbtWCH/
rZThLYCtTaDtmwbn26awt0Dp4b0vJiYTdvx/qNvxl+Qfl+AsCtBMGU2npKabqkGx
ahKd2cpNJJUaf6ScUfVc24WQiAqTFORQIsVZk+OtmsK0PNrxXsN1IACMEOoFeoT2
oKWb1O6h2HDzpNVBnTdXATyutawA5s8HY1EJAn6VAgMBAAGjggEHMIIBAzAMBgNV
HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAd
BgNVHQ4EFgQU0wtJx36SvIuNaWYQp9esmxmLgiowHwYDVR0jBBgwFoAU3K4k10my
ZIDS3jcjPD6kUV21WscwJQYDVR0RBB4wHIIJbG9jYWxob3N0ggkxMjcuMC4wLjGH
BH8AAAEwZwYIKwYBBQUHAQEEWzBZMDMGCCsGAQUFBzAChidodHRwOi8vcGtpLmdv
di5rei9jZXJ0L25jYV9yc2FfMjAyMi5jZXIwIgYIKwYBBQUHMAGGFmh0dHA6Ly9v
Y3NwLnBraS5nb3Yua3owDQYJKoZIhvcNAQELBQADggIBAHbAo0X7VJpGhnlLaT0o
qm4dF1sCOyJLtwuS5xJqSRKrrK2qWLwE+aXVq46k5aXLX7JG/Lb4bO4AnrWfktch
/f1J0cdIN86f+6P1gw2cmTZf8xHmIMTxBHF4Up40il9eGozO90dCMlzQajpOduFN
NtMRrf7iH/lk4a+AAgG58tkQfSQVHzGDqYCNyrRQFUC6mluSIEH/u91s2VYxfIJP
8qbHI+JUxrAXLaLKVqLoeZsjiVKAMlkbHzxvqoP1asIgGzr/lGf1pUX44auzCGXZ
8ALp9W+yBE/vJKzxzxKyThIa8s5u1ZJAiEu+0Gvdt++qhYWSzE6kFaLoD8Qa3MdF
Ke8mrT/gI5BdxqObllYsAsk+Ptn8VfbIVZ2XHPrw5fvurPLhD5qDyZMJbGpYbWTy
UK6oWn1+j5w/Y0VC3CY8xKgBLXMpAYJKltJwse4kFUTLpX33+qKSkDZpc4nwH1Dg
GMzhGajSNpwLr83cYW1skUHDLS4nEsef5RC/0X5DWOYeqdhd8FK0eiazt6AyLhQB
1FKalvp+0vGw/8mi44sapgljY6E8Y9vM1pY/jVWVtTRsqv9/uU0qXxq1r49z6ghV
TeY+lGrq2wp63jvCgz+rDIxru8o7nTwFM/ZlFvvoYmEQitzoZWbrZzPD6CFdCT8n
7XtBW2Q+R4xyUU6ieZ/PbRyM
-----END CERTIFICATE-----

This is a somewhat exotic solution -- the CA has issued a certificate for localhost, and the private key for that certificate is shipped with the NCALayer app. The goal here is to have this HTTPS server trusted by browsers -- it seems that the same could have been achieved with a self-signed certificate. This is especially puzzling since there is a check in the code that the client is connecting from localhost, so only the same host is meant to have that:

code that forbids connections from non-localhost

(For fun, I found where the private key is stored -- it's in keystore.jks within ncalayer-cache/bundle5/version0.0/bundle.jar, with a password of fzWmE1HC. I have no idea what to do with it, though: because the subject of the certificate is localhost, you can only pwn yourself by using that. I guess you could mock out the NCALayer app with your own implementation, without any depending services noticing?)

And I was also able to find the line that attempts to install the root certificates -- it does indeed happen on every launch of the webserver, only conditioned on the OS type:

line that installs the root certs

Apart from that, the root cert is used by the Java app itself for self-updating: there's a manifest file at http://crl.pki.gov.kz/updates/ncalayer.der, which is a PKCS#7-signed JSON file explaining where you can download the various parts that make up the app. That one's only used by the app itself, so it still doesn't justify installing the certificate into the root store.

If you download the Linux installer from https://crl.pki.gov.kz/updates/ncalayer.sh, it is a self-extracting shell script + Java JAR file. I've decompiled that, and it seems to resemble the source code at https://github.com/pkigovkz/NCALayer. This does not prove that it's the same -- there does not seem to be any guidance regarding reproducible builds -- but it suggests that the app is open-source and thus can be reviewed. Even if not, the Java JARs that the app is made out of are not obfuscated, and can be decompiled pretty easily (this is where I got most of this info from).

The app is ultimately used for creating digital signatures from the browser. There's a sample at https://github.com/pkigovkz/NCALayerJSExample that shows how to request this: the way it works is by setting up a WebSocket-over-HTTPS connection to localhost, to the NCALayer app, and sending it the data to sign. The app then pops up a window on the desktop asking you what certificate to use (and this is as far as I've got, because I don't have a certificate that it likes, or the cryptoprovider it seems to require.)

screenshot of signing demo

The most unusual thing about this is the websocket-to-localhost approach. By comparison, CryptoPro CSP (the most popular app for doing legally-binding cryptographic signatures in Russia) uses a browser extension which injects JS objects into the browser context, and uses native messaging to talk to the OS's cryptography services. The CSP is installed much deeper into the OS -- if you use the Windows APIs for TLS, as many native apps do, then the CSP can get involved in them.

The browser extension talks to a native program that uses those same APIs, and just makes them available to the browser. It was designed this way because it predates the wide support of WebSockets (it was originally meant to work with Internet Explorer), and it was easier to do it that way; it also means that no certificates are needed for that communication. Despite this, the installer for CSP gives you an option to install the Russian government CA certs, because those are used on some websites where you'd want to use your legal digital signature, so if you installed the CSP app to interact with those sites, you'd also want the root certs.

(Disclaimer: I'm a developer at CryptoPro, though on a different product. To my knowledge, there aren't any backdoors in the app we make.)

Improve this answer
1
  • Wow, you did a great job! Commented 2 hours ago

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.