Verifying X.509 Certificate Extensions

Outlet Title

ITNG 2023 20th International Conference on Information Technology-New Generations

Document Type

Conference Proceeding

Publication Date



Covert channels are used to hide the presence of information in another medium. Attackers have used covert channels to hide the transferring of malicious files, command-and-control traffic, and more. Previous research has shown X.509 certificate extensions can be used as a covert channel. This quasi-experiment utilizes Suricata, an open-source intrusion detection system, to verify specific X.509 certificate extensions that have been used as a covert channel. Several Suricata rules were generated and tested to determine the effectiveness in detecting the presence of a covert channel. All of the generated rules had a 100% true-positive rate, though some had significant impacts on the processor utilization on the IDS. It is possible to detect X.509 covert channels with a high success rate, though detailed verification of the entire X.509 certificate with lua scripting can be extremely resource intensive and unrealistic for high-bandwidth environments.